ibm.qradar.qradar_log_sources_management module – QRadar Log Sources Management resource module

Note

This module is part of the ibm.qradar collection (version 4.0.0).

If you are using the ansible package, you might already have this collection installed. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install ibm.qradar.

To use it in a playbook, specify: ibm.qradar.qradar_log_sources_management.

New in ibm.qradar 2.1.0

Synopsis

This module allows adding, deleting, or modifying log sources in QRadar.

Aliases: log_sources_management
Parameters

| Parameter | Comments |
|---|---|
| config | A dictionary of QRadar log source options. |
| config.average_eps | The average events per second (EPS) rate of the log source over the last 60 seconds. |
| config.coalesce_events | Set to "true" if events collected by this log source are coalesced based on common properties; set to "false" if each individual event is stored. Choices: true, false |
| config.description | The description of the log source. |
| config.enabled | Set to "true" if the log source is enabled; otherwise "false". Choices: true, false |
| config.gateway | Set to "true" if the log source is configured as a gateway; otherwise "false". A gateway log source is a stand-alone protocol configuration. The log source receives no events itself and serves as a host for a protocol configuration that retrieves event data to feed other log sources. It acts as a "gateway" for events from multiple systems to enter the event pipeline. Choices: true, false |
| config.group_ids | A set of log source group IDs this log source is a member of. Each ID must correspond to an existing log source group. |
| config.identifier | The log source identifier (typically the IP address or hostname of the log source). |
| config.internal | Set to "true" if the log source is internal (that is, its log source type is defined as internal). Choices: true, false |
| config.language_id | The language of the events being processed by this log source. Must correspond to an existing log source language. A single log source type can support only a subset of all available log source languages, as indicated by the supported_language_ids field of the log source type structure. |
| config.name | The name of the log source. |
| config.protocol_parameters | The set of protocol parameters. If not provided, the module sets the protocol parameters by itself. Note that these parameters are primarily meant for the round-trip scenario in which facts are gathered, the parameters are modified, and the result is applied back. |
| config.protocol_parameters.id | The ID of the protocol type. |
| config.protocol_parameters.name | The unique name of the protocol type. |
| config.protocol_parameters.value | The allowed protocol value. |
| config.protocol_type_id | The type of protocol, by ID as defined in the QRadar log source type documentation. |
| config.requires_deploy | Set to "true" if changes must be deployed to make the log source usable; "false" if the log source is already active. Choices: true, false |
| config.status | The status of the log source. |
| config.status.last_updated | last_updated |
| config.status.messages | last_updated |
| config.status.status | last_updated |
| config.store_event_payload | Set to "true" if the payloads of events collected by this log source are stored; "false" if only the normalized event records are stored. Choices: true, false |
| config.target_event_collector_id | The ID of the event collector that the log source sends its data to. The ID must correspond to an existing event collector. |
| config.type_id | The type of the log source. Must correspond to an existing log source type. |
| config.type_name | The type of the resource, by name. |
| state | The state the configuration should be left in. The state *gathered* fetches the module's API configuration from the device and transforms it into structured data in the format of the module argspec; the value is returned in the *gathered* key of the result. Choices: merged, replaced, gathered, deleted |
Examples

```yaml
# Using MERGED state
# -------------------

- name: Add Snort n Apache log sources to IBM QRadar
  ibm.qradar.qradar_log_sources_management:
    config:
      - name: "Snort logs"
        type_name: "Snort Open Source IDS"
        description: "Snort IDS remote logs from rsyslog"
        identifier: "192.0.2.1"
      - name: "Apache HTTP Server logs"
        type_name: "Apache HTTP Server"
        description: "Apache HTTP Server remote logs from rsyslog"
        identifier: "198.51.100.1"
    state: merged

# RUN output:
# -----------
# qradar_log_sources_management:
#   after:
#   - auto_discovered: false
#     average_eps: 0
#     coalesce_events: true
#     creation_date: 1654727311444
#     credibility: 5
#     description: Snort IDS remote logs from rsyslog
#     enabled: true
#     gateway: false
#     group_ids:
#     - 0
#     id: 181
#     internal: false
#     language_id: 1
#     last_event_time: 0
#     log_source_extension_id: null
#     modified_date: 1654727311444
#     name: Snort logs
#     protocol_parameters:
#     - id: 1
#       name: incomingPayloadEncoding
#       value: UTF-8
#     - id: 0
#       name: identifier
#       value: 192.0.2.1
#     protocol_type_id: 0
#     requires_deploy: true
#     status:
#       last_updated: 0
#       messages: null
#       status: NA
#     store_event_payload: true
#     target_event_collector_id: 7
#     type_id: 2
#     wincollect_external_destination_ids: null
#     wincollect_internal_destination_id: null
#   - auto_discovered: false
#     average_eps: 0
#     coalesce_events: true
#     creation_date: 1654727311462
#     credibility: 5
#     description: Apache HTTP Server remote logs from rsyslog
#     enabled: true
#     gateway: false
#     group_ids:
#     - 0
#     id: 182
#     internal: false
#     language_id: 1
#     last_event_time: 0
#     log_source_extension_id: null
#     modified_date: 1654727311462
#     name: Apache HTTP Server logs
#     protocol_parameters:
#     - id: 1
#       name: incomingPayloadEncoding
#       value: UTF-8
#     - id: 0
#       name: identifier
#       value: 198.51.100.1
#     protocol_type_id: 0
#     requires_deploy: true
#     status:
#       last_updated: 0
#       messages: null
#       status: NA
#     store_event_payload: true
#     target_event_collector_id: 7
#     type_id: 10
#     wincollect_external_destination_ids: null
#     wincollect_internal_destination_id: null
#   before: []

# Using REPLACED state
# --------------------

- name: Replace existing Log sources to IBM QRadar
  ibm.qradar.qradar_log_sources_management:
    state: replaced
    config:
      - name: "Apache HTTP Server logs"
        type_name: "Apache HTTP Server"
        description: "REPLACED Apache HTTP Server remote logs from rsyslog"
        identifier: "192.0.2.1"

# RUN output:
# -----------
# qradar_log_sources_management:
#   after:
#   - auto_discovered: false
#     average_eps: 0
#     coalesce_events: true
#     creation_date: 1654727944017
#     credibility: 5
#     description: REPLACED Apache HTTP Server remote logs from rsyslog
#     enabled: true
#     gateway: false
#     group_ids:
#     - 0
#     id: 183
#     internal: false
#     language_id: 1
#     last_event_time: 0
#     log_source_extension_id: null
#     modified_date: 1654727944017
#     name: Apache HTTP Server logs
#     protocol_parameters:
#     - id: 1
#       name: incomingPayloadEncoding
#       value: UTF-8
#     - id: 0
#       name: identifier
#       value: 192.0.2.1
#     protocol_type_id: 0
#     requires_deploy: true
#     status:
#       last_updated: 0
#       messages: null
#       status: NA
#     store_event_payload: true
#     target_event_collector_id: 7
#     type_id: 10
#     wincollect_external_destination_ids: null
#     wincollect_internal_destination_id: null
#   before:
#   - auto_discovered: false
#     average_eps: 0
#     coalesce_events: true
#     creation_date: 1654727311462
#     credibility: 5
#     description: Apache HTTP Server remote logs from rsyslog
#     enabled: true
#     gateway: false
#     group_ids:
#     - 0
#     id: 182
#     internal: false
#     language_id: 1
#     last_event_time: 0
#     log_source_extension_id: null
#     modified_date: 1654727311462
#     name: Apache HTTP Server logs
#     protocol_parameters:
#     - name: identifier
#       value: 198.51.100.1
#     - name: incomingPayloadEncoding
#       value: UTF-8
#     protocol_type_id: 0
#     requires_deploy: true
#     status:
#       last_updated: 0
#       messages: null
#       status: NA
#     store_event_payload: true
#     target_event_collector_id: 7
#     type_id: 10
#     wincollect_external_destination_ids: null
#     wincollect_internal_destination_id: null

# Using GATHERED state
# --------------------

- name: Gather Snort n Apache log source from IBM QRadar
  ibm.qradar.qradar_log_sources_management:
    config:
      - name: "Snort logs"
      - name: "Apache HTTP Server logs"
    state: gathered

# RUN output:
# -----------
# gathered:
# - auto_discovered: false
#   average_eps: 0
#   coalesce_events: true
#   creation_date: 1654727311444
#   credibility: 5
#   description: Snort IDS remote logs from rsyslog
#   enabled: true
#   gateway: false
#   group_ids:
#   - 0
#   id: 181
#   internal: false
#   language_id: 1
#   last_event_time: 0
#   log_source_extension_id: null
#   modified_date: 1654728103340
#   name: Snort logs
#   protocol_parameters:
#   - id: 0
#     name: identifier
#     value: 192.0.2.1
#   - id: 1
#     name: incomingPayloadEncoding
#     value: UTF-8
#   protocol_type_id: 0
#   requires_deploy: true
#   status:
#     last_updated: 0
#     messages: null
#     status: NA
#   store_event_payload: true
#   target_event_collector_id: 7
#   type_id: 2
#   wincollect_external_destination_ids: null
#   wincollect_internal_destination_id: null
# - auto_discovered: false
#   average_eps: 0
#   coalesce_events: true
#   creation_date: 1654727944017
#   credibility: 5
#   description: Apache HTTP Server remote logs from rsyslog
#   enabled: true
#   gateway: false
#   group_ids:
#   - 0
#   id: 183
#   internal: false
#   language_id: 1
#   last_event_time: 0
#   log_source_extension_id: null
#   modified_date: 1654728103353
#   name: Apache HTTP Server logs
#   protocol_parameters:
#   - id: 0
#     name: identifier
#     value: 192.0.2.1
#   - id: 1
#     name: incomingPayloadEncoding
#     value: UTF-8
#   protocol_type_id: 0
#   requires_deploy: true
#   status:
#     last_updated: 0
#     messages: null
#     status: NA
#   store_event_payload: true
#   target_event_collector_id: 7
#   type_id: 10
#   wincollect_external_destination_ids: null
#   wincollect_internal_destination_id: null

- name: TO Gather ALL log sources from IBM QRadar
  tags: gather_log_all
  ibm.qradar.qradar_log_sources_management:
    state: gathered

# Using DELETED state
# -------------------

- name: Delete Snort n Apache log source from IBM QRadar
  ibm.qradar.qradar_log_sources_management:
    config:
      - name: "Snort logs"
      - name: "Apache HTTP Server logs"
    state: deleted

# RUN output:
# -----------
# qradar_log_sources_management:
#   after: []
#   before:
#   - auto_discovered: false
#     average_eps: 0
#     coalesce_events: true
#     creation_date: 1654727311444
#     credibility: 5
#     description: Snort IDS remote logs from rsyslog
#     enabled: true
#     gateway: false
#     group_ids:
#     - 0
#     id: 181
#     internal: false
#     language_id: 1
#     last_event_time: 0
#     log_source_extension_id: null
#     modified_date: 1654728103340
#     name: Snort logs
#     protocol_parameters:
#     - id: 0
#       name: identifier
#       value: 192.0.2.1
#     - id: 1
#       name: incomingPayloadEncoding
#       value: UTF-8
#     protocol_type_id: 0
#     requires_deploy: true
#     status:
#       last_updated: 0
#       messages: null
#       status: NA
#     store_event_payload: true
#     target_event_collector_id: 7
#     type_id: 2
#     wincollect_external_destination_ids: null
#     wincollect_internal_destination_id: null
#   - auto_discovered: false
#     average_eps: 0
#     coalesce_events: true
#     creation_date: 1654727944017
#     credibility: 5
#     description: Apache HTTP Server remote logs from rsyslog
#     enabled: true
#     gateway: false
#     group_ids:
#     - 0
#     id: 183
#     internal: false
#     language_id: 1
#     last_event_time: 0
#     log_source_extension_id: null
#     modified_date: 1654728103353
#     name: Apache HTTP Server logs
#     protocol_parameters:
#     - id: 0
#       name: identifier
#       value: 192.0.2.1
#     - id: 1
#       name: incomingPayloadEncoding
#       value: UTF-8
#     protocol_type_id: 0
#     requires_deploy: true
#     status:
#       last_updated: 0
#       messages: null
#       status: NA
#     store_event_payload: true
#     target_event_collector_id: 7
#     type_id: 10
#     wincollect_external_destination_ids: null
#     wincollect_internal_destination_id: null
```
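The *gathered* state and the *before*/*after* keys give a SOC a machine-readable inventory of its log sources, and two things in the RUN output above are worth checking automatically: the replaced run returns a new `id` (182 before, 183 after) with a fresh `creation_date`, so a replace deletes and recreates the log source rather than editing it in place; and after that run both the Snort and Apache sources report the same `identifier` (192.0.2.1). The following Python is an added example, not code from the ibm.qradar collection or from QRadar: `audit_log_sources` flags disabled sources, pending deploys, sources with no events in the last 60 seconds, sources that do not store raw payloads, and identifiers shared between sources, while `diff_by_name` reports which fields a run changed. The sample records are constructed from the field names and values in the documented RUN output (the helper names and the record trimming are assumptions of this example).

```python
"""Audit and diff log-source records returned by ibm.qradar.qradar_log_sources_management.

Added example, not part of the ibm.qradar collection. Sample records are constructed
from the module's documented RUN output (ids, names and addresses are those samples).
"""
from collections import defaultdict
from typing import Any, Dict, List, Optional, Tuple

Record = Dict[str, Any]


def _params(identifier: str, with_ids: bool) -> List[Record]:
    """protocol_parameters as the module renders them; gathered output carries an `id`
    per parameter, the replaced run's `before` record did not."""
    items = [{"name": "identifier", "value": identifier},
             {"name": "incomingPayloadEncoding", "value": "UTF-8"}]
    if with_ids:
        for i, item in enumerate(items):
            item["id"] = i
    return items


def _source(sid: int, name: str, type_id: int, desc: str, identifier: str,
            with_ids: bool = True) -> Record:
    """Constructed record limited to the fields this example inspects."""
    return {"id": sid, "name": name, "type_id": type_id, "description": desc,
            "enabled": True, "average_eps": 0, "requires_deploy": True,
            "store_event_payload": True, "target_event_collector_id": 7,
            "protocol_parameters": _params(identifier, with_ids),
            "status": {"last_updated": 0, "messages": None, "status": "NA"}}


# `gathered` after the documented GATHERED run: both sources now carry 192.0.2.1
GATHERED = [_source(181, "Snort logs", 2, "Snort IDS remote logs from rsyslog", "192.0.2.1"),
            _source(183, "Apache HTTP Server logs", 10, "Apache HTTP Server remote logs from rsyslog", "192.0.2.1")]
# `before` / `after` of the documented REPLACED run
REPLACED_BEFORE = [_source(182, "Apache HTTP Server logs", 10, "Apache HTTP Server remote logs from rsyslog",
                           "198.51.100.1", with_ids=False)]
REPLACED_AFTER = [_source(183, "Apache HTTP Server logs", 10, "REPLACED Apache HTTP Server remote logs from rsyslog",
                          "192.0.2.1")]


def identifier_of(source: Record) -> Optional[str]:
    """The `identifier` protocol parameter: the host or IP the source is keyed on."""
    for param in source.get("protocol_parameters") or []:
        if param.get("name") == "identifier":
            return param.get("value")
    return None


def audit_log_sources(gathered: List[Record]) -> Dict[str, List[str]]:
    """Map each log source name to the findings an analyst would want to act on."""
    findings: Dict[str, List[str]] = {s["name"]: [] for s in gathered}
    by_identifier: Dict[str, List[str]] = defaultdict(list)
    for s in gathered:
        out = findings[s["name"]]
        if not s.get("enabled", False):
            out.append("disabled: no events are collected from this source")
        if s.get("requires_deploy"):
            out.append("requires_deploy: configuration is not live until changes are deployed")
        if s.get("enabled") and s.get("average_eps", 0) == 0:
            out.append("average_eps 0: no events received in the last 60 seconds")
        if not s.get("store_event_payload", True):
            out.append("store_event_payload false: raw payloads are not kept for investigation")
        ident = identifier_of(s)
        if ident is not None:
            by_identifier[ident].append(s["name"])
    for ident, names in by_identifier.items():
        if len(names) < 2:
            continue
        for name in names:  # the same identifier on several sources is worth confirming
            others = ", ".join(n for n in names if n != name)
            findings[name].append(f"identifier {ident} shared with: {others}")
    return findings


def _normalized(source: Record) -> Record:
    """Compare protocol_parameters by name/value only, so differing `id` keys or ordering
    (as between the replaced run's `before` and `after`) do not register as a change."""
    rec = dict(source)
    rec["protocol_parameters"] = {p["name"]: p.get("value") for p in source.get("protocol_parameters") or []}
    return rec


def diff_by_name(before: List[Record], after: List[Record],
                 ignore: Tuple[str, ...] = ("creation_date", "modified_date", "last_event_time")
                 ) -> Dict[str, Dict[str, Tuple[Any, Any]]]:
    """Per log source name, the fields whose value changed between before and after.
    A changed `id` means the source was deleted and recreated rather than edited."""
    old = {s["name"]: _normalized(s) for s in before}
    new = {s["name"]: _normalized(s) for s in after}
    changes: Dict[str, Dict[str, Tuple[Any, Any]]] = {}
    for name in sorted(old.keys() | new.keys()):
        if name not in old or name not in new:
            changes[name] = {"present": (name in old, name in new)}
            continue
        fields = (old[name].keys() | new[name].keys()) - set(ignore)
        delta = {f: (old[name].get(f), new[name].get(f))
                 for f in sorted(fields) if old[name].get(f) != new[name].get(f)}
        if delta:
            changes[name] = delta
    return changes


if __name__ == "__main__":
    for name, items in audit_log_sources(GATHERED).items():
        print(name, "->", items or ["ok"])
    print(diff_by_name(REPLACED_BEFORE, REPLACED_AFTER))
```

In a playbook, the same checks can run on the module's return value by registering the *gathered* task and passing `result.gathered` to `audit_log_sources`; the audit deliberately treats `requires_deploy: true` as a finding because, as the parameter table states, a log source in that state is not collecting until the changes are deployed.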
Return Values

Common return values are documented here; the following are the fields unique to this module:

| Key | Description |
|---|---|
| after | The configuration as structured data after module completion. Returned: when changed. Sample: see the *after* RUN output in the Examples section. |
| before | The configuration as structured data prior to module invocation. Returned: always. Sample: see the *before* RUN output in the Examples section. |