Imperva Cyber Community

  • 1.  Decompressing log files in push mode for Qradar

    Posted 02-02-2021 11:11
    Hello,

    Does anyone use QRadar SIEM in push mode (not the pull mode with the Python script) from the Cloud WAF?

    Our issue is that the logs are compressed by the Cloud WAF with "ZLIB", while QRadar is not able to decompress ZLIB.

    Imperva's documentation suggests decompressing with the following script:

    # Split the file at the line containing |==| into .00 (plain-text header) and .01 (compressed body)
    csplit -sz 123_345.log -f 123_345.log. /\|\=\=\|/
    # Drop the |==| separator line from the second part so only the zlib stream remains
    sed -i '/|==|/d' 123_345.log.01
    # Keep the header as-is, then append the inflated body
    cat 123_345.log.00 > 123_345.log.decompressed
    zlib-flate -uncompress < 123_345.log.01 >> 123_345.log.decompressed
    # Remove the temporary split files
    rm 123_345.log.0*
    However, we were wondering if anyone has a more native way to do this decompression in QRadar itself
    (not having to go through an additional script/server).

    Thanks,
    Roee
    #CloudWAF(formerlyIncapsula)

    ------------------------------
    Roee Sharon
    RSECURE
    ------------------------------
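An added example (not from the thread or from Imperva's documentation): a Python equivalent of the csplit/sed/zlib-flate sequence quoted in the post, usable as a single pre-processing step before the file is handed to the SIEM. It assumes the layout the shell script implies, a plain-text header, a line containing only `|==|`, then a zlib stream with the events; the header field names and events in the sample are constructed, not real Imperva data.

```python
import zlib

MARKER = b"|==|"


def decompress_cloud_waf_log(raw: bytes) -> bytes:
    """Return the header plus the inflated body of one pushed log file.

    Mirrors the quoted shell script: csplit splits at the first |==| line,
    sed drops that line, and zlib-flate inflates what follows.  A file without
    the marker is assumed to be an uncompressed log and is returned unchanged.
    """
    idx = raw.find(MARKER)
    if idx == -1:
        return raw
    header = raw[:idx]
    body = raw[idx + len(MARKER):]
    # sed deleted the whole marker line, newline included, so skip it here too
    if body.startswith(b"\n"):
        body = body[1:]
    try:
        inflated = zlib.decompress(body)
    except zlib.error as exc:
        # Truncated or corrupted stream: fail loudly instead of forwarding partial data
        raise ValueError(f"zlib body could not be inflated: {exc}") from exc
    return header + inflated


def build_sample_log(header: bytes, events: bytes) -> bytes:
    """Construct a sample pushed log file in the assumed layout (for testing only)."""
    return header + MARKER + b"\n" + zlib.compress(events)


if __name__ == "__main__":
    # Constructed sample: placeholder header fields and two CEF-style events
    sample = build_sample_log(
        b"checksum: PLACEHOLDER\nformat: CEF\n",
        b"CEF:0|Incapsula|SIEMintegration|1|1|Normal|0|\n"
        b"CEF:0|Incapsula|SIEMintegration|1|1|Illegal|3|\n",
    )
    print(decompress_cloud_waf_log(sample).decode())
```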


  • 2.  RE: Decompressing log files in push mode for Qradar

    Posted 02-02-2021 12:57
    Edited by Abhishek Gupta 02-02-2021 12:57

    Hi Roee,

    Compression can be disabled on the PUSH connector from the Imperva side, so you don't have to decompress it using that code.

    Thanks and Regards,

    Abhishek Gupta

    Sr. Professional Services Consultant






  • 3.  RE: Decompressing log files in push mode for Qradar

    Posted 02-03-2021 08:35
    Thanks Abhishek,
    We've tried that but the amount of data was so large, it had to be compressed.


    Regards,

    Roee Sharon
    Security Consultant, CEO.