OpenVPN DSM for QRadar
This DSM config will support parsing and alerting for the following OpenVPN event types "Connection reset", "WARNING: Bad encapsulated packet", "TCP connection established", "peer info", "authenticated", "Peer Connection Initiated", "could not authenticate", "requires the local group VPN", "TLS Auth Error", and "WARNING: Failed running command". If you have any questions you can create an issue for the GitHub project or open a question/reply on the IBM QRadar CE forms located at: https://ibm.biz/qradarceforums
- Enable VPN logging by selecting System - Settings - Logging and selecting the check box next to VPN (PPTP, IPsec, OpenVPN) events.
- Select VPN - OpenVPN - Servers - (Your VPN Server) - Verbosity Level and ensure it is set to 1 (default). NOTE: Without this setting some events might not be mapped or parsed correctly. You can adjust this but additional events will need to be parsed/mapped or they will come into QRadar as unknown.
- Create a new custom DSM called (OpenVPN) using the DSM editor option under the admin settings window.
- Once the custom DSM has been created close the window and click the Log Source Extensions option in the admin settings.
- Click Add near the top right corner
- Enter a name of "OpenVPNCustom_ext"
- Select your newly created log source (OpenVPN) that you created earlier.
- Click the upload button and select the file "Custom_ext.xml"
- Click done and proceed to open the DSM menu and select your log source (OpenVPN) that you created earlier.
- You will need to select Event Mappings tab in the DSM editor and create the manual entries located in the file "Event Mappings.txt"
- Finally, you will need to create a new log source selecting the custom Log source type we just created.
- 04-05-2019 - Discovered slight bug with parsing certain events. Tweaked eventID again for missing port label when username is present.
- 04-05-2019 - Tweaked EventID parsing as the latest OPNSense released included the port number with IP address. This should both be forwards and backwards compatible with OPNsense 19/18.
- 01-25-2019 - Changed the mapping of 4 Authentication events to a subcategory of User Login Failure/Success. This was done to make it easier for creating authentication failure rules.
- 01-21-2019 - Mapped an additional unknown event related to port probing the OpenVPN causing an invalid connection.
- 01-11-2019 - Changed the regex for Event ID to support additional events. Remapped additional events discovered and fixed issues with existing events to provide better fidelity.
- 12-15-2018 - Mapped additional events.
- 12-12-2018 - Added additional events for when the VPN service is restarted and when IP addresses are assigned. Additional regex logic was created for the destination IP field for when the server assigns a new IP address to the client. The regex logic for event ID was adjusted to account for the additional events.
- 12-11-2018 - Initial Upload of the source code.