You can configure your UNIX or Linux® device to send audit events to IBM QRadar. The audit events remain available locally in the syslog event logs on the system where Centrify Infrastructure Services is installed and configured; the steps below add a forwarding rule so that a copy of each audit trail message is also sent to QRadar.
Procedure
- Log in to your Centrify Infrastructure Services device.
- Ensure that syslog or rsyslog is installed:
  - To verify that syslog is installed, type service syslog status.
  - To verify that rsyslog is installed, type service rsyslog status.
- If neither syslog nor rsyslog is installed, install one of them by using your preferred method for your UNIX or Linux device. For example, you can type the following command to install rsyslog on a Linux device:
- To forward events to your QRadar Event Collector, open the rsyslog.conf file or the syslog.conf file that is located in the /etc/ directory, and then add the following line:
  :msg, contains, "AUDIT_TRAIL" @@<QRadar Event Collector IP>:514
  Example: :msg, contains, "AUDIT_TRAIL" @@127.0.0.1:514
  Replace 127.0.0.1 with the address of your QRadar Event Collector. The :msg property-based filter and the @@ target prefix are rsyslog syntax: @@ sends over TCP and a single @ sends over UDP, and QRadar accepts syslog on port 514 over either. A legacy syslogd that supports only facility.priority selectors cannot match on message content, so this rule requires rsyslog.
- Restart the syslog or rsyslog service:
  - If you are using syslog, type service syslog restart.
  - If you are using rsyslog, type service rsyslog restart.
Note: The Centrify Linux agent might forward some Linux system messages along with the Audit Trail logs. If those messages match no Centrify event category, the Linux OS log source type in QRadar autodiscovers them and normalizes them, keeping any message it cannot map as a Stored event.
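The following script is an added example, not code from the original page or from IBM or Centrify. It carries the procedure above through in a form you can check before touching a production host: it generates the AUDIT_TRAIL forwarding rule for a given collector and protocol, writes it into a drop-in file instead of editing rsyslog.conf in place, refuses to duplicate the rule, syntax-checks the rsyslog configuration with rsyslogd -N1, and emits a constructed test message through logger so you can confirm the event reaches QRadar. The drop-in directory /etc/rsyslog.d, the choice to use a drop-in at all, and the function names are assumptions of this example and are not in the original page; running it with the apply argument requires root on the Centrify host.

```shell
#!/bin/sh
# Added example (not from the page, IBM, or Centrify): build, install and
# validate an rsyslog rule that forwards Centrify AUDIT_TRAIL events to QRadar.
# Assumptions (not in the original page): /etc/rsyslog.d is included by
# rsyslog.conf, rsyslogd supports -N for config checking, and logger is present.

# Print the rsyslog rule for a collector. "tcp" yields the @@ prefix (what the
# page uses; reliable delivery, preferred for audit data), "udp" yields @.
centrify_rsyslog_rule() {
    ip="$1"; port="${2:-514}"; proto="${3:-tcp}"
    case "$proto" in
        tcp) target="@@${ip}:${port}" ;;
        udp) target="@${ip}:${port}" ;;
        *) echo "unknown protocol: $proto (use tcp or udp)" >&2; return 1 ;;
    esac
    printf ':msg, contains, "AUDIT_TRAIL" %s\n' "$target"
}

# True if the given config file already carries the AUDIT_TRAIL filter.
has_centrify_rule() {
    grep -qF ':msg, contains, "AUDIT_TRAIL"' "$1" 2>/dev/null
}

# Write the rule to a drop-in file. The local syslog files are left alone,
# so the audit trail stays available on the host as the page describes.
write_centrify_forward_conf() {
    conf="$1"; ip="$2"; port="${3:-514}"; proto="${4:-tcp}"
    if has_centrify_rule "$conf"; then
        echo "$conf already contains an AUDIT_TRAIL rule; not writing" >&2
        return 2
    fi
    rule=$(centrify_rsyslog_rule "$ip" "$port" "$proto") || return 1
    {
        echo "# Forward Centrify audit trail events to the QRadar Event Collector"
        echo "$rule"
    } > "$conf"
}

# Syntax-check the full rsyslog configuration without restarting the daemon.
validate_rsyslog_config() {
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1
    else
        echo "rsyslogd not found; install rsyslog first" >&2
        return 1
    fi
}

# Send a constructed message containing AUDIT_TRAIL through the local syslog
# so the new rule fires; look for it on the QRadar Event Collector afterwards.
send_test_audit_event() {
    logger -t centrify "AUDIT_TRAIL|constructed test event from $(hostname)"
}

# Usage: ./centrify_forward.sh apply <collector_ip> [port] [tcp|udp]
if [ "${1:-}" = "apply" ]; then
    conf=/etc/rsyslog.d/50-centrify-qradar.conf   # assumed drop-in path
    write_centrify_forward_conf "$conf" "$2" "${3:-514}" "${4:-tcp}" || exit 1
    validate_rsyslog_config || exit 1
    service rsyslog restart
    send_test_audit_event
fi
```

Running rsyslogd -N1 before the restart matters: a malformed line in rsyslog.conf can leave the daemon refusing to start, which silently stops local logging as well as forwarding. If the test event does not appear in QRadar, check that the collector is reachable on the chosen port and protocol before revisiting the rule.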