Checking the Integrity Of Event and Flow Logs

When log hashing is enabled, any system that writes event and flow data creates hash files. Use these hash files to verify that the event and flow logs were not modified since they were originally written to disk.

The hash files are generated in memory before the files are written to disk, so the event and flow logs cannot be tampered with before the hash files are generated.

Ensure that log hashing is enabled for your JSA system. For more information about enabling log hashing, see Enabling Log Hashing.

You must log in to the system that has the data storage for events and flows, and run a utility to check the logs. You cannot check the log integrity in the event and flow viewer interface.

  1. Use SSH to log in to JSA as the root user.
  2. To run the utility, type the following command:

    This table describes the parameters that are used with the check_ariel_integrity.sh utility.

    Table 1: Parameters for the check_ariel_integrity.sh Utility

    Parameter   Description

    -d          Duration of time, in minutes, of the log file data to scan. The time period immediately precedes the end time that is specified using the -t parameter. For example, if -d 5 is entered, all log data that was collected in the five minutes before the -t end time is scanned.

    -n          The JSA database to scan. Valid options are events and flows.

    -t          The end time for the scan. The format for the end time is "yyyy/mm/dd hh:mm", where hh is specified in 24-hour format. If no end time is entered, the current time is used.

    -a          Hashing algorithm to use. This algorithm must be the same one that was used to create the hash keys. If no algorithm is entered, SHA-1 is used.

    -r          The location of the log hashing files. This argument is required only when the log hashing files are not in the location that is specified in the configuration file, /opt/qradar/conf/arielConfig.xml.

    -k          The key that is used for Hash-based Message Authentication Code (HMAC) encryption. If you do not specify an HMAC key and your system is enabled for HMAC encryption, the check_ariel_integrity.sh script defaults to the key that is specified in the system settings.

    -h          Shows the help message for the check_ariel_integrity.sh utility.

    For example, to validate the last 10 minutes of event data, type the following command:

    /opt/qradar/bin/check_ariel_integrity.sh -n events -d 10

If an ERROR or FAILED message is returned, the hash key that is generated from the current data on the disk does not match the hash key that was created when the data was written to the disk. Either the key or the data was modified.

Enabling Log Hashing

Enable log hashing so that any system that writes event and flow data creates hash files. Use these hash files to verify that the event and flow logs were not modified since they were originally written to disk. The hash files are generated in memory before the files are written to disk, so the event and flow logs cannot be tampered with before the hash files are generated.

The system uses the following hashing algorithm types:

Message-Digest Hash Algorithm

Transforms digital signatures into shorter values called Message-Digests (MD).

Secure Hash Algorithm (SHA) Hash Algorithm

Standard algorithm that creates a larger (60 bit) MD.

  1. On the Admin tab, click System Settings.
  2. In the Ariel Database Settings section, select Yes in the Flow Log Hashing field and the Event Log Hashing field.
  3. Select a hashing algorithm for database integrity.
    • If the HMAC Encryption parameter is disabled, the following hashing algorithm options are available:

      MD2

      Algorithm that is defined by RFC 1319.

      MD5

      Algorithm that is defined by RFC 1321.

      SHA-1

      Algorithm that is defined by Secure Hash Standard (SHS), NIST FIPS 180-1. This setting is the default.

      SHA-256

      Algorithm that is defined by the draft Federal Information Processing Standard 180-2, SHS. SHA-256 is a 255-bit hash algorithm that is intended to provide 128 bits of security.

      SHA-384

      Algorithm that is defined by the draft Federal Information Processing Standard 180-2, SHS. SHA-384 is a bit hash algorithm, which is created by truncating the SHA-512 output.

      SHA-512

      Algorithm that is defined by the draft Federal Information Processing Standard 180-2, SHS. SHA-512 is a bit hash algorithm that is intended to provide 256 bits of security.

    • If the HMAC Encryption parameter is enabled, the following hashing algorithm options are available:

      HMAC-MD5

      An encryption method that is based on the MD5 hashing algorithm.

      HMAC-SHA-1

      An encryption method that is based on the SHA-1 hashing algorithm.

      HMAC-SHA-256

      An encryption method that is based on the SHA-256 hashing algorithm.

      HMAC-SHA-384

      An encryption method that is based on the SHA-384 hashing algorithm.

      HMAC-SHA-512

      An encryption method that is based on the SHA-512 hashing algorithm.

      If the HMAC Encryption parameter is enabled, you must specify an HMAC key in the HMAC Key and Verify HMAC Key fields.

  4. Click Save.
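The following Python script is an added example, not JSA or Juniper code, that models the log hashing behaviour described in both procedures above: a digest is computed in memory before a log segment reaches disk, stored beside the log, and later recomputed over the on-disk bytes and compared. The plain-hash and keyed (HMAC) modes correspond to the two groups of algorithm options, and the OK / FAILED / ERROR outcomes mirror the result classes described for check_ariel_integrity.sh. The sidecar ".hash" file layout, the record contents and the key value are constructed for the example; the page does not describe JSA's real on-disk hash file format.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Iterable, Optional


def compute_digest(data: bytes, algorithm: str = "sha1", hmac_key: Optional[bytes] = None) -> str:
    """Digest of one log segment.

    Without a key this is a plain hash (SHA-1 by default, as in JSA); with a
    key it is an HMAC over the same underlying algorithm, so a verifier that
    does not know the key cannot recompute a matching value.
    """
    if hmac_key is not None:
        return hmac.new(hmac_key, data, algorithm).hexdigest()
    return hashlib.new(algorithm, data).hexdigest()


def write_log_with_hash(path: str, records: Iterable[bytes], algorithm: str = "sha1",
                        hmac_key: Optional[bytes] = None) -> str:
    """Write a log segment and its sidecar hash file (hypothetical '<log>.hash' layout)."""
    data = b"".join(records)
    # The digest is taken over the in-memory bytes before anything touches disk.
    digest = compute_digest(data, algorithm, hmac_key)
    with open(path, "wb") as fh:
        fh.write(data)
    with open(path + ".hash", "w", encoding="ascii") as fh:
        fh.write(f"{algorithm} {digest}\n")
    return digest


def check_log_integrity(path: str, algorithm: str = "sha1", hmac_key: Optional[bytes] = None) -> str:
    """Recompute the digest over the on-disk bytes and compare it with the stored one."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
        with open(path + ".hash", encoding="ascii") as fh:
            stored_algorithm, stored_digest = fh.read().split()
    except (OSError, ValueError):
        return "ERROR: missing or malformed log or hash file"
    if stored_algorithm != algorithm:
        # Equivalent to passing the wrong -a value: the comparison is meaningless.
        return f"ERROR: hash file was written with {stored_algorithm}, check requested {algorithm}"
    actual = compute_digest(data, algorithm, hmac_key)
    # Constant-time comparison; a mismatch means the data or the key changed.
    return "OK" if hmac.compare_digest(actual, stored_digest) else "FAILED"


def demo() -> dict:
    """Exercise the untouched, tampered, wrong-algorithm and wrong-key cases."""
    # Constructed sample records; not real JSA event or flow data.
    records = [
        b"2024/01/15 09:41:02 LEEF:1.0|Vendor|Product|1.0|login|usr=alice src=10.0.0.5\n",
        b"2024/01/15 09:41:07 LEEF:1.0|Vendor|Product|1.0|logout|usr=alice src=10.0.0.5\n",
    ]
    key = b"example-hmac-key"  # placeholder standing in for the configured HMAC key
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        plain = os.path.join(tmp, "events.log")
        write_log_with_hash(plain, records, "sha256")
        results["plain_untouched"] = check_log_integrity(plain, "sha256")
        results["plain_wrong_algorithm"] = check_log_integrity(plain, "sha1")
        with open(plain, "ab") as fh:  # modify the data after the hash was written
            fh.write(b"2024/01/15 09:42:00 LEEF:1.0|Vendor|Product|1.0|login|usr=bob src=10.0.0.9\n")
        results["plain_tampered"] = check_log_integrity(plain, "sha256")

        keyed = os.path.join(tmp, "flows.log")
        write_log_with_hash(keyed, records, "sha256", key)
        results["hmac_untouched"] = check_log_integrity(keyed, "sha256", key)
        results["hmac_wrong_key"] = check_log_integrity(keyed, "sha256", b"other-key")
        results["hmac_missing_key"] = check_log_integrity(keyed, "sha256")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} {outcome}")
```

The keyed cases show why the -k value must match the key that was in effect when the data was written: a correct hash over untouched data still reports FAILED when the key differs, which is exactly the ambiguity the last paragraph of the checking procedure points out ("either the key or the data was modified").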