Friday, February 26, 2016

Spoofing/Replaying A QRadar Log Source

In this post, we will be spoofing the log source only for testing purposes. This may be needed if you don't have an actual log source forwarding data but you have a sample of what the logs look like. This post is related to the one in which we built the Universal Device Support Module (UDSM).

First step is to have a file with some sample log events of the log source you would like to test. In this case our log data looks like
----------- start of sample logs ------------
Fri Mar 21 15:10:49 2014: hostname: info:Backup Started by user:admin pid:27387 source: sport:12345 destination: dport:22 protocol:tcp
Fri Mar 21 15:10:49 2014: hostname: info:Backup Started by user:root pid:27387 source: sport:54321 destination: dport:22 protocol:udp
Fri Mar 21 15:10:49 2014: hostname: info:Backup Started by user:test pid:27387 source: destination: protocol:icmp
----------- end of sample logs ------------

Next we will use the "" script in Qradar.
As always, to understand what a tool does, we should first check it's help. In this case we can get the help by executing "/opt/qradar/bin/" without any arguments.

Considering the above we will use the following command:
"/opt/qradar/bin/ -f udsm_testing.txt -t -u 10"
-f = tells the script to use filename "udsm_testing.txt". This file is our sample log
-t = tell the script to use TCP instead of UDP to send the logs
-u = tells the script to spoof the source as ""
10 = tells the script to send 10 events

Let see how this works!

So did it work?! Let's find out!

As can be seen from above "Log Activity" the logs are being seen by QRadar.

So let's try this again. Let's use a spoofed source of and send 20 events.

Below we execute the "" script to generate 20 events.
And the results ...

Good stuff! Once again QRadar sees the log source. However as can be seen it does not know what to do with the logs. We will address here!

Voila. Between using this post and the one on building your first UDSM, you should be in a better position to rule the world of your QRadar SIEM.


  1. Nice concise but informative description. Nice job!

  2. Thanks Nik,it works,And how to spoof source port?

    1. Hey Anonymous,
      Glad you found it helpful!

      Spoofing the source port is trivial. Considering the example I have above, just put whatever source port value you want for the "sport" key value pair. In my case let's say I have "sport=54321", you can then change this value to reflect whatever you want, eg "sport=12345". You can also do the same for the destination port.

      Hope this helps.

    2. thanks for reply Nik.
      Already sport added , i am using same logs as you have given above,but not succeed

    3. What is the error you are getting? Alternatively you can email me screenshot with the issue(s)

  3. How about flow source?

  4. Interesting but I never thought about the flows. Maybe I can look into it in the future.

  5. Can you provide a sample if we want to use logrun utility for generating Qradar's internal system notifications QID logs?

    For example, if I have an event based rule which should trigger when it matches the QID (38750040). We are in a scenario where we have to do testing of Health Monitoring rules.

    Please help.