ISC BIND

The IBM® QRadar® DSM for Internet System Consortium (ISC) BIND collects Syslog events from your ISC BIND device.

Complete the following steps to configure ISC BIND to communicate with QRadar.

About this task

You can configure syslog on your ISC BIND device to forward events to QRadar.

Procedure

  1. Log in to your ISC BIND device.
  2. Open the following file to add a logging clause:

    named.conf

    logging {

    channel <channel_name> {

    syslog <syslog_facility>;

    severity <critical | error | warning | notice | info | debug [level ] | dynamic >;

    print-category yes;

    print-severity yes;

    print-time yes;

    };

    category queries {

    <channel_name>;

    };

    category notify {

    <channel_name>;

    };

    category network {

    <channel_name>;

    };

    category client {

    <channel_name>;

    };

    };

    For Example:

    logging {

    channel QRadar {

    syslog local3;

    severity info;

    };

    category queries {

    QRadar;

    };

    category notify {

    QRadar;

    };

    category network {

    QRadar;

    };

    category client {

    QRadar;

    };

    };

  3. Save and exit the file.
  4. Edit the syslog configuration to log to your QRadar using the facility you selected in ISC BIND:

    <syslog_facility>.* @<IP_address>

    Where <IP Address> is the IP address of your QRadar.

    For example:

    local3.* @<IP_address>

    Note: QRadar only parses logs with a severity level of info or higher.
  5. Restart the following services.

    service syslog restart

    service named restart

What to do next

Add a log source in QRadar.