Configuring a BalaBit Syslog-ng PE Relay

The BalaBit Syslog-ng Agent for Windows sends Microsoft TMG and ISA event logs to a BalaBit Syslog-ng PE installation that is configured in relay mode.

About this task

The relay mode installation is responsible for receiving the event logs from the BalaBit Syslog-ng Agent for Windows, parsing the event logs into the LEEF format, and then forwarding the events to IBM® QRadar® by using syslog.

To configure your BalaBit Syslog-ng PE Relay, you must:

  1. Install BalaBit Syslog-ng PE for Linux® or Unix in relay mode. For more information, see your BalaBit Syslog-ng PE vendor documentation.
  2. Configure syslog on your Syslog-ng PE relay.

The BalaBit Syslog-ng PE formats the TMG and ISA events in the LEEF format based on the configuration of your syslog.conf file. The syslog.conf file is responsible for parsing the event logs and forwarding the events to QRadar.

Procedure

  1. Using SSH, log in to your BalaBit Syslog-ng PE relay command-line interface (CLI).
  2. Edit the following file:

    /etc/syslog-ng/etc/syslog.conf

  3. From the destinations section, add an IP address and port number for each relay destination.

    For example,

    ######
    # destinations
    destination d_messages { file("/var/log/messages"); };
    destination d_remote_tmgfw {
        tcp("QRadar_IP" port(QRadar_PORT) log_disk_fifo_size(10000000) template(t_tmgfw));
    };
    destination d_remote_tmgweb {
        tcp("QRadar_IP" port(QRadar_PORT) log_disk_fifo_size(10000000) template(t_tmgweb));
    };

    Where:

    QRadar_IP is the IP address of your QRadar Console or Event Collector.

    QRadar_PORT is the port number that is required for QRadar to receive syslog events. By default, QRadar receives syslog events on port 514.

  4. Save the syslog configuration changes.
  5. Restart Syslog-ng PE to force the configuration file to be read.

    The BalaBit Syslog-ng PE configuration is complete. Syslog events that are forwarded from the BalaBit Syslog-ng relay are automatically discovered by QRadar as Microsoft Windows Security Event Logs on the Log Activity tab. For more information, see the IBM QRadar Users Guide.

    Note: When you are using multiple syslog destinations, messages are considered to be delivered when they successfully arrive at the primary syslog destination.
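    The following is an added example, not configuration from the page or from BalaBit, showing how the destinations from step 3 fit together with a source for the Windows agent, the LEEF templates they reference, and one log path per destination. The inbound port, the program() filter values, the LEEF header fields and the template names' contents are assumptions to replace with your own; the field-level LEEF mapping for individual ISA/TMG events is not covered here.

```conf
# Added example configuration for the Syslog-ng PE relay (assumed values marked).

# Source: inbound syslog from the BalaBit Syslog-ng Agent for Windows.
# 514/TCP is an assumption; use the port the agent is configured to send to.
source s_agent {
    tcp(ip(0.0.0.0) port(514));
};

# Templates: prefix each message with a LEEF 1.0 header
# (LEEF:Version|Vendor|Product|Version|EventID|attributes).
# The vendor/product/version/event-id values are placeholders.
template t_tmgfw {
    template("LEEF:1.0|Microsoft|TMG|PRODUCT_VERSION|FW|${MSG}\n");
    template_escape(no);
};
template t_tmgweb {
    template("LEEF:1.0|Microsoft|TMG|PRODUCT_VERSION|WEB|${MSG}\n");
    template_escape(no);
};

# Filters: separate firewall and web-proxy streams.
# The program() tags are assumptions; match what the agent actually sends.
filter f_tmgfw  { program("TMG-FW"); };
filter f_tmgweb { program("TMG-WEB"); };

# Destinations (as in step 3). QRadar_IP / QRadar_PORT are placeholders;
# log_disk_fifo_size keeps a disk buffer if QRadar is temporarily unreachable.
destination d_messages { file("/var/log/messages"); };
destination d_remote_tmgfw {
    tcp("QRadar_IP" port(QRadar_PORT) log_disk_fifo_size(10000000) template(t_tmgfw));
};
destination d_remote_tmgweb {
    tcp("QRadar_IP" port(QRadar_PORT) log_disk_fifo_size(10000000) template(t_tmgweb));
};

# Log paths: each QRadar destination gets its own path, so the firewall and
# web-proxy streams are delivered and buffered independently of each other.
log { source(s_agent); filter(f_tmgfw);  destination(d_remote_tmgfw); };
log { source(s_agent); filter(f_tmgweb); destination(d_remote_tmgweb); };
log { source(s_agent); destination(d_messages); };
```

    After saving, restart Syslog-ng PE as in step 5 and confirm on the QRadar Log Activity tab that events arrive from the relay's IP address under the expected log source.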