Configuring Centrify Infrastructure Services on a UNIX or Linux device to communicate with QRadar

You can configure your UNIX or Linux® device to send audit events to IBM® QRadar®. The audit events are available locally in the syslog event logs on the device where Centrify Infrastructure Services is installed and configured.


  1. Log in to your Centrify Infrastructure Services device.
  2. Ensure that syslog or rsyslog is installed:
    • To verify that syslog is installed, type service syslog status.
    • To verify that rsyslog is installed, type service rsyslog status.
  3. If syslog or rsyslog is not installed, install it by using your preferred method for your UNIX or Linux device. For example, you can type the following command to install rsyslog on a Linux device:

    yum install rsyslog

  4. To forward events to your QRadar Event Collector, open the rsyslog.conf file or the syslog.conf file that is located in the /etc/ directory, and then add the following line:

    :msg, contains, "AUDIT_TRAIL" @@<QRadar Event Collector IP>:514

    Example: :msg, contains, "AUDIT_TRAIL" @@
  5. Restart the syslog or rsyslog service:
    • If you are using syslog, type service syslog restart.
    • If you are using rsyslog, type service rsyslog restart.
    Note: The Centrify Linux agent might forward some Linux system messages with the Audit Trail logs. If no specific category is found, the Linux OS log source type in QRadar discovers the Linux messages and normalizes them as stored.
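
The edit in step 4 can be scripted so that it is safe to repeat. The following is an added example, not part of the original procedure or of any Centrify or IBM tooling: it validates the collector address, backs up the configuration file, and appends the forwarding rule only if that exact line is not already present. The function names and the 192.0.2.10 address are assumptions for illustration.

```shell
#!/bin/sh
# Added example. Function names and 192.0.2.10 are assumptions, not from the page.

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Rule text from step 4. In rsyslog, "@@" forwards over TCP (a single "@" is UDP).
qradar_rule() {
    printf ':msg, contains, "AUDIT_TRAIL" @@%s:514\n' "$1"
}

# Append the rule for collector $2 to config file $1 unless it is already there.
# Prints "added" or "present"; returns 1 for a bad IP, 2 if the file is unusable.
add_qradar_forward() {
    conf=$1; ip=$2
    valid_ipv4 "$ip" || { echo "invalid collector IP: $ip" >&2; return 1; }
    [ -f "$conf" ] && [ -w "$conf" ] || { echo "cannot edit $conf" >&2; return 2; }
    rule=$(qradar_rule "$ip")
    # -F fixed string, -x whole line: a commented-out copy or a rule for another
    # collector is not treated as a match.
    if grep -Fxq -- "$rule" "$conf"; then
        echo present
        return 0
    fi
    cp -p "$conf" "$conf.bak" || return 2          # backup before editing
    # Start on a fresh line if the file does not end with a newline.
    [ -z "$(tail -c 1 "$conf")" ] || echo >> "$conf"
    printf '%s\n' "$rule" >> "$conf"
    echo added
}

# On the device: add_qradar_forward /etc/rsyslog.conf 192.0.2.10
# then "rsyslogd -N1" to syntax-check the file before the restart in step 5.
```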