idslogmgmt_architecture

IBM Security Directory Server (SDS) has been the go-to LDAP solution for lot of customers around the world, some of them are using it to achieve simple business needs, others are using it for complex and advanced use cases, it also comes bundled with the majority of IBM products including the IAM solutions, Domino and others, for audit purposes, you may find yourself in need to feed you SIEM solution with SDS logs, specially when SDS is used as a critical component such as a user repository or an authenticator…In this article, I’ll show you how you can achieve this integration using the built-in tool called idslogmgmt.

idslogmgmt a powerful tool that comes out-of-the box with your SDS, its primary use it to rotate and archive log files without the need to third party tools, but it is also used among many administrators to send log files to the QRadar, since idslogmgt uses syslogs protocol to send the events, you can basically integrate it with any other SIEM solution as long as it supports LEEF parsing, otherwise, you may need to create your own parser make the received events readable, see appendix A for more information. Idslogmgmt uses a combination of Java and JS scripts called Assembly Lines (ALs) to do all the magic, which means that IBM Security Directory Integrator (SDI) must be installed on the same machine where LDAP server is running in order to execute these ALs.

PS: We will only focus on sending audit.log events to QRadar, you can send more events such as ibmslapd, audit, tools, bulkload, admin, admin audit, db2cli, replication, and ddsetup as per the documentation here.

Architecture:

The following high level architecture describes how idslogmgmt is integrated with QRdar/SIEM.

idslogmgmt High Level Architecture

Components Description

  • LDAP Client: Akbank’s applications using with SDS
  • SDS Server: The main LDAP instance server
  • Audit.log: The audit log file used by SDS to log all activated operations
  • Idslogmgmt: The built-in log management tool
  • Security Directory Integrator ALs: Pre-installed Assembly Lines used by idslogmgmt
  • SIEM: Security Information and Event Management System

Components Interaction

  1. The LDAP client connects to the LDAP server to perform an operation, e.g search, modify, compare…
  2. The LDAP server performs the requested operation and writes a new entry on audit.log file.
  3. By default, idslogmgmt is triggered each 15 minutes to run the Assembly Lines using IBM Directory Integrator.
  4. The Assembly Lines check for new audit.log entries and convert them to LEEF format.
  5. The syslog message is built and sent to the SIEM using either UDP or TCP protocol.

Components Installation

The goal of this article is not to describe the installation steps of SDS or SDI, but here are a few things to take in consideration before and after the installation:

  • If you are using Linux, make sure that libstdc++ package is installed before performing SDI installation, otherwise, SDI will not be able to startup.
  • idslogmgmt supports both TDI (Tivoli Directory Integrator) 7.1.1 and SDI (Security Directory Integrator) 7.2, both products are supported by IBM and achieve the same results, although, after the installation of the base product, make sure to install the latest Fix Pack available, I’ve seen some weird issues while using the base version, so always update the product to the latest version.
  • On Redhat, you may get some Java errors while installing SDI/TDI, if you do, make sure to disable SELinux and try again.
  • Make sure to open firewall ports if needed between the LDAP Server machine and the SIEM, the ports include 514 if you’re sending logs through UDP or 601 if using TCP.
READ ALSO  Exploiting PHPMailer Vulnerability

Enable Logs Integration

To enable the log integration, you basically have 2 options: using the CLI or the GUI (Web Admin Tool), the first option gives you more control and understanding of the involved parameters and properties, the only down side is that it requires a full restart of the LDAP instance which is not always possible, that’s why I will explain the second option which is restartless, you can always check the public documentation here for using the CLI.

Now, follow carefully the below steps:

1- If you did not do so already, click Server administration in the Web Administration navigation area.
2- Click Logs in the expanded list.
3- Click Modify log settings.
4- In the Log Name column, click Server audit log.

SDS_WebAdmin

Make sure audit logs are enabled and operations to log are checked correctly

SDS_idslogmgmt

SDS_audit

5- Under Server audit log settings, click Log Management Integration.
6- Select Enable QRadar Integration.
7- In the Host field, specify the host name or IP address of the QRadar server.
8- When you specify the host name or IP address, the value is stored and read from the configuration file.
If you do not specify a value in this field, local host is used by default.
The attribute ibm-slapdLogEventQRadarHostName is associated with this field.
9- In the Syslog Port field, specify the syslog port number on which the QRadar server listens.
When you specify the syslog port number, the value is stored and read from the configuration file
If you do not specify a value in this field, 514 is assigned as the default syslog port number. For more information, see Ports used by QRadar.
The attribute ibm-slapdLogEventQRadarPort is associated with this field.
10- In the Map file location field, specify the path and file name of the map file that sets up the various QRadar attributes for the event.
The default location is /opt/IBM/ldap/V6.4/idstools/idslogmgmt/.
The attribute ibm-slapdLogEventQRadarMapFilesLocation is associated with this control

SDS_QRadar_Integration

Make sure the ldap instance owner has permissions to execute idslogmgmt command and has ownership over TDI installation path.

You can start idslogmgmt tool using the below command

start_idslogmgmt

if you get the above results, it means that idslogmgmt is running as expected, now you can check your SIEM to see the received syslog packets, you can also monitor your network interface to see the outbound traffic using tcpdump:

where eth0 is the concerned interface.

Monitor idslogmgmt process

You may want to make sure that idslogmgmt is running all the time to make sure you’re not missing any event, you can either do that through third party tools, but I like ti this locally, that’s why I wrote a simple shell script to check if idslogmgmt is running, if not, it will try to start it, the script then is registered as Cron job and executed each 5 minutes, if you’re curious, this is how the script looks like:

READ ALSO  [AppScan] Session Fixation attack

now, while logging in as the ldap instance owner, set a Cron job to run the shell script:

Once done, you can monitor /var/log/checkProcess.log for the script’s output, make sure the instance owner has write access to mentioned path.

Appendix

If your SIEM doesn’t support LEEF parsing out-of-the box, you will need to develop your own, to help you with that, I have attached a file containing LDAP Audit entry for each supported operation and its respective syslog message, I also created a small list containing internal syslog message attributes and their respective descriptions:

READ ALSO  WannaCry..The Fast-growing Ransomware In History

Download: Logs+Syslogs

The following two tabs change content below.
Ayoub Bahar, 25 years old, founder of this blog, I am passionate about coding, hacking, cracking and everything related to the new technologies. Follow me to get my latest articles.
Written by AYOUB BAHAR
Ayoub Bahar, 25 years old, founder of this blog, I am passionate about coding, hacking, cracking and everything related to the new technologies. Follow me to get my latest articles.