The IBM QRadar DSM for Internet Systems Consortium (ISC) BIND collects syslog events from your ISC BIND device.
Complete the following steps to configure ISC BIND to communicate with QRadar.
About this task
You can configure syslog on your ISC BIND device to forward events to QRadar.
Procedure
- Log in to your ISC BIND device.
- Open the following file to add a logging clause:
named.conf
    logging {
        channel <channel_name> {
            syslog <syslog_facility>;
            severity <critical | error | warning | notice | info | debug [level] | dynamic>;
            print-category yes;
            print-severity yes;
            print-time yes;
        };
        category queries {
            <channel_name>;
        };
        category notify {
            <channel_name>;
        };
        category network {
            <channel_name>;
        };
        category client {
            <channel_name>;
        };
    };
For example:
    logging {
        channel QRadar {
            syslog local3;
            severity info;
        };
        category queries {
            QRadar;
        };
        category notify {
            QRadar;
        };
        category network {
            QRadar;
        };
        category client {
            QRadar;
        };
    };
- Save and exit the file.
- Edit the syslog configuration to log to your QRadar using the facility you selected in ISC BIND:
    <syslog_facility>.* @<IP_address>
Where <IP_address> is the IP address of your QRadar.
For example:
    local3.* @<IP_address>
Note: QRadar only parses logs with a severity level of info or higher.
- Restart the following services:
    service syslog restart
    service named restart
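The following check is an added example, not part of the IBM procedure: it compares the logging clause in named.conf with the syslog forwarding rules and reports a category that is not routed to a syslog channel, a facility that has no forwarding rule, and a channel severity that can emit events below info. The function names, the sample configuration and the address 192.0.2.10 are assumptions made for the illustration.

```python
import re

REQUIRED = ("queries", "notify", "network", "client")  # categories named in the procedure

def parse_logging(named_conf):
    """Return ({channel: (facility, severity)}, {category: [channel, ...]})."""
    text = re.sub(r"/\*.*?\*/|(//|#)[^\n]*", "", named_conf, flags=re.S)  # drop comments
    channels, categories = {}, {}
    for name, body in re.findall(r"\bchannel\s+(\S+)\s*\{(.*?)\}\s*;", text, flags=re.S):
        fac = re.search(r"\bsyslog\s+(\w+)\s*;", body)
        sev = re.search(r"\bseverity\s+(\w+)", body)
        channels[name] = (fac and fac.group(1), sev and sev.group(1))
    # The lookbehind skips the "print-category" option inside channel bodies.
    for cat, body in re.findall(r"(?<![-\w])category\s+(\S+)\s*\{(.*?)\}\s*;", text, flags=re.S):
        categories[cat] = [c.strip() for c in body.split(";") if c.strip()]
    return channels, categories

def forwarded_facilities(syslog_conf):
    """Facilities that a '<facility>.<priority> @<host>' rule sends to a remote host."""
    rules = (re.match(r"\s*(\w+)\.\S+\s+@\S+", line) for line in syslog_conf.splitlines())
    return {m.group(1) for m in rules if m}

def audit(named_conf, syslog_conf):
    """List mismatches between the BIND logging clause and the syslog forwarding rules."""
    channels, categories = parse_logging(named_conf)
    forwarded, findings = forwarded_facilities(syslog_conf), []
    for cat in REQUIRED:
        used = [channels[c] for c in categories.get(cat, []) if c in channels and channels[c][0]]
        if not used:
            findings.append(f"{cat}: not routed to a syslog channel")
        for facility, severity in used:
            if facility not in forwarded:
                findings.append(f"{cat}: facility {facility} has no forwarding rule")
            if severity in ("debug", "dynamic"):
                findings.append(f"{cat}: severity {severity} can emit events below info")
    return findings

# Constructed sample: "client" is not routed, and syslog forwards local4 while BIND logs to local3.
SAMPLE_NAMED = """
logging {
    channel QRadar { syslog local3; severity info; print-category yes; };
    category queries { QRadar; };
    category notify { QRadar; };
    category network { QRadar; };
};
"""
SAMPLE_SYSLOG = "local4.* @192.0.2.10\n"  # constructed rule; 192.0.2.10 is a documentation address

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_NAMED, SAMPLE_SYSLOG)))
```

This check only confirms that the two files agree; named-checkconf validates the syntax of named.conf before you restart named.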
What to do next
Add a log source in QRadar.