python qradar

If a log is sent to QRadar, such as syslog, can the log be forwarded to a Python script?


I'm trying to make an IBM QRadar app framework.

I want to know if it is possible to pass the event log to a Python script as a variable.

The way the app works is as follows.

  1. Firewall logs are sent to QRadar using syslog.
  2. When an event log occurs, the app transfers the event log to the Python script.
  3. The Python script analyzes the log and the result is saved to a DB.

Solution

  • Yes, it is possible to pass the log events to a Python script.

    In the QRadar App Framework, you can set up a Flask-based web application that listens for certain RESTful API requests. When a log event occurs, QRadar will hit these API endpoints with the relevant data. From there, the data can be saved to a file or a database, or processed immediately by the script before storing.

    Here's an example of how you could implement it:

    from flask import Flask, request
    app = Flask(__name__)
    
    @app.route('/handle_log', methods=['POST'])
    def handle_log():
        # assuming QRadar sends a JSON payload; get_json(silent=True) returns None
        # instead of raising when the body is missing or is not valid JSON
        log = request.get_json(silent=True)
        if log is None:
            return "Expected a JSON body", 400
        # Process log here or just save it
        # save_log(log) # function you could define to save the log to DB.
        return "Log Received", 200
    
    if __name__ == '__main__':
        app.run(host='0.0.0.0', port=8080)  # replace with your appropriate IP and PORT
    

    In this example, QRadar is expected to send a POST request to http://your_ip:8080/handle_log with the log details in JSON format as the payload.

    The app can then retrieve this data using log = request.json and process it as required by the logic of your application.

    IP and port are important too. When you run a Flask app, it's running on your localhost by default. However, as QRadar will need to access it, you'll need to specify an IP that's visible on the network where QRadar is deployed.

    if __name__ == '__main__':
        app.run(host='0.0.0.0', port=8080)  # replace with your appropriate IP and PORT
    

    This line of code makes your Flask app visible on your network at port 8080.
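As an added example (not the answer's code and not part of the QRadar App Framework itself), here is what the "analyze the log and save the result to a DB" step from the question could look like behind that endpoint. The event field names and the "web ports only" rule are constructed assumptions; the ingest logic is kept separate from Flask so it can be tested without a running server, and the Flask route is only defined if Flask is installed.

```python
import sqlite3
from typing import Any

# Constructed, assumed event shape; the real payload depends on how the app
# forwards events, so every field is treated as untrusted input.
REQUIRED_FIELDS = ("sourceip", "destinationip", "destinationport", "eventname")


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    # check_same_thread=False because Flask handles requests on worker threads
    conn = sqlite3.connect(path, check_same_thread=False)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS events (id INTEGER PRIMARY KEY, sourceip TEXT, "
        "destinationip TEXT, destinationport INTEGER, eventname TEXT, verdict TEXT)"
    )
    return conn


def analyze(event: dict[str, Any]) -> str:
    """Toy rule (assumption): anything not going to 80/443 is flagged for review."""
    return "ok" if event["destinationport"] in (80, 443) else "suspicious"


def ingest_event(payload: Any, conn: sqlite3.Connection) -> tuple[dict[str, Any], int]:
    """Validate one forwarded event, analyze it, store it. Returns (body, HTTP status)."""
    if not isinstance(payload, dict):
        return {"error": "JSON object expected"}, 400
    missing = [f for f in REQUIRED_FIELDS if f not in payload]
    if missing:
        return {"error": f"missing fields: {missing}"}, 400
    port = payload["destinationport"]
    if not isinstance(port, int) or not 0 <= port <= 65535:
        return {"error": "destinationport must be an integer in 0-65535"}, 400
    verdict = analyze(payload)
    # Parameterised insert: log text is attacker-influenced, never format it into SQL.
    conn.execute(
        "INSERT INTO events (sourceip, destinationip, destinationport, eventname, verdict) "
        "VALUES (?, ?, ?, ?, ?)",
        (str(payload["sourceip"]), str(payload["destinationip"]), port,
         str(payload["eventname"]), verdict),
    )
    conn.commit()
    return {"status": "stored", "verdict": verdict}, 200


def count_by_verdict(conn: sqlite3.Connection, verdict: str) -> int:
    return conn.execute("SELECT COUNT(*) FROM events WHERE verdict = ?", (verdict,)).fetchone()[0]


try:
    from flask import Flask, jsonify, request

    app = Flask(__name__)
    db = open_db()

    @app.route("/handle_log", methods=["POST"])
    def handle_log():
        body, status = ingest_event(request.get_json(silent=True), db)
        return jsonify(body), status
except ImportError:  # Flask absent: the ingest functions above still work on their own
    app = None

if __name__ == "__main__" and app is not None:
    app.run(host="127.0.0.1", port=8080)  # bind only as widely as QRadar needs to reach it
```

Binding to 127.0.0.1 here is deliberate; widen it to the interface QRadar can reach rather than 0.0.0.0 when the host has other networks attached.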