So, on our internal network, I have added my MongoDB Server as server IP:27017 in forwarding destinations in IBM QRadar hosted on a remote server. So basically, IBM QRadar will be forwarding a JSON payload (array of JSON objects) over TCP to my MongoDB Server on server IP:27017
I need to write this data into a MongoDB collection. What is the best way to achieve this? This needs to be done in the way I have mentioned. I don’t want to manually export JSON files from QRadar and then import them into MongoDB.
Currently, I’ve added the remote server IP in the bind-IP list in mongod.cfg file so that MongoDB listens to connections coming from remote clients. I can currently see -
where IP2 is the MongoDB Server and IP1 is the QRadar Console.
I need to use MongoDB to dump raw data logs generated by QRadar and then aggregate it based on requirements. I have mistakenly copied the Wireshark log without PSH.
I’m not an expert on QRadar and their capabilities, but I think the most straightforward way to do this is to put an API layer between QRadar and the MongoDB server. Basically the API layer would capture the incoming JSON object, then turn it into an insert statement that goes into MongoDB.
There are many community REST API layer providers, such as restheart for Java, or you can roll your own using any popular REST server (such as Express for Node) in combination with the official MongoDB Driver for the corresponding language. Of course, going this route would require you to maintain said server (uptime, resources, availability, security, etc.).