To collect IBM® QRadar® Packet Capture events, you must configure the appliance to forward its syslog events to a remote syslog server, in this case the QRadar Event Collector.
Procedure
- Using SSH, log in to your IBM QRadar Packet Capture device as the root user.
- Choose one of the following options to enable syslog forwarding. In both options, *.* matches every facility and priority, and the @@ prefix forwards over TCP (a single @ would forward over UDP). Replace <QRadar Event collector IP> with the IP address of your Event Collector.
  - Option 1: Open the /etc/rsyslog.conf file in a text editor such as vi, and add the following line at the end of the file:
    *.* @@<QRadar Event collector IP>:514
  - Option 2: Create a <filename>.conf file in the /etc/rsyslog.d/ directory, and add the following line to the file that you created:
    *.* @@<QRadar Event collector IP>:514
- Restart the rsyslog service by typing the following command:
  service rsyslog restart
  All syslog messages are now forwarded to the QRadar Event Collector, and local copies continue to be written on the appliance.
Note: QRadar parses only LEEF events for IBM QRadar Packet Capture. On the Log Activity tab in QRadar, all other events display the Event Name IBM QRadar Packet Capture Message and the Low Level Category Stored.
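The whole procedure as one script, following option 2 (a drop-in file under /etc/rsyslog.d/). This is an added example and not part of the IBM documentation: the file name qradar-forward.conf, the function names and the sample collector address 192.0.2.10 are assumptions. It adds two checks a practitioner would want before restarting the logging daemon on an appliance: the collector address is validated so a typo cannot forward every message to the wrong host, and the merged rsyslog configuration is parsed with rsyslogd -N1 so a syntax error cannot leave the appliance without a running syslog.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: install the rsyslog
# forwarding rule from the procedure above as a drop-in file (option 2),
# validate the merged rsyslog configuration, and restart rsyslog.
# The file name qradar-forward.conf, the function names and the sample
# address used in the usage comment are assumptions for this example.

# Print the rsyslog rule that forwards every facility and priority.
# '@@' selects TCP; a single '@' would send UDP (lossy, unordered).
# Neither form encrypts the stream.
render_forward_rule() {
    collector="$1"
    port="${2:-514}"
    printf '*.* @@%s:%s\n' "$collector" "$port"
}

# Accept only a dotted-quad IPv4 address with every octet in 0..255,
# so a typo cannot silently point the whole syslog stream at the wrong host.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Write the drop-in file (default /etc/rsyslog.d/qradar-forward.conf).
# Returns 1 without touching the file system if the address is invalid.
write_forward_conf() {
    collector="$1"
    conf="${2:-/etc/rsyslog.d/qradar-forward.conf}"
    is_ipv4 "$collector" || {
        echo "refusing to write $conf: '$collector' is not an IPv4 address" >&2
        return 1
    }
    {
        printf '# Forward all syslog to the QRadar Event Collector over TCP\n'
        render_forward_rule "$collector" 514
    } > "$conf"
}

# rsyslogd -N1 parses the full configuration (rsyslog.conf plus whatever it
# includes from /etc/rsyslog.d/) and exits non-zero on a syntax error, so a
# bad drop-in never takes the logging daemon down on restart.
check_and_restart() {
    if ! rsyslogd -N1 >/dev/null 2>&1; then
        echo "rsyslog configuration failed validation; not restarting" >&2
        return 1
    fi
    service rsyslog restart
}

# Usage (as root on the Packet Capture appliance), e.g. with collector 192.0.2.10:
#   sh forward_to_qradar.sh 192.0.2.10
if [ $# -gt 0 ]; then
    write_forward_conf "$1" && check_and_restart
fi
```

The rule forwards every message in cleartext over TCP, so the path between the appliance and the Event Collector should be a trusted management network; if that is not the case, rsyslog's TLS transport is the usual fix, but that is outside the scope of this procedure.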
What to do next
To verify that LEEF events are being logged locally on your IBM QRadar Packet Capture device, inspect /var/log/messages. LEEF events begin with a LEEF: header, so filtering on it shows only the events that QRadar will parse:
tail /var/log/messages
grep LEEF: /var/log/messages | tail