Configure FreeRADIUS to send logs to the syslog daemon
of the host and configure the daemon to send events to QRadar.
Before you begin
You must have a working knowledge of syslog configuration
and the Linux® distribution.
About this task
FreeRADIUS has multiple distributions. Some files might
not be in the same locations that are described in this procedure.
For example, the location of the FreeRADIUS startup script is based
on distribution. Conceptually, the configuration steps are the same
for all distributions.
Procedure
- Log in to the system that hosts FreeRADIUS.
- Edit the /etc/freeradius/radius.conf file.
- Change the text in the file to match the following lines:
logdir = syslog
Log_destination = syslog
log {
    destination = syslog
    syslog_facility = daemon
    stripped_names = no
    auth = yes
    auth_badpass = no
    auth_goodpass = no
}
- Edit the /etc/syslog.conf file.
- To configure log options, add the following text.
# .=notice logs authentication messages (L_AUTH).
# <facility_name>.=notice @<IP_address_of_QRadar_Event_Collector_or_QRadar_Console>
# .=err logs module errors for FreeRADIUS.
# <facility_name>.=err @<IP_address_of_QRadar_Event_Collector_or_QRadar_Console>
# .* logs messages to the same target.
# <facility_name>.* @<IP_address_of_QRadar_Event_Collector_or_QRadar_Console>
An example syslog facility name is local1. You can rename it.
To configure a log option, remove the comment tag (#) from one of the active lines that contains an @ symbol.
- If the configuration change does not load automatically,
restart the syslog daemon. The method to restart the syslog daemon
depends on the distribution that is used. The following table lists
possible methods.
Operating system distribution | Command to restart daemon
Red Hat Enterprise Linux | service syslog restart
Debian Linux or Ubuntu Linux | /etc/init.d/syslog restart
FreeBSD operating system | /etc/rc.d/syslogd restart
- Add the following options to the FreeRADIUS startup script:
-l syslog
-g <facility_name>
The -g value must match the facility name in Step 5.
- Restart FreeRADIUS.
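A consistency check for the three pieces this procedure touches, as an added example (not IBM's or the FreeRADIUS project's code): it confirms that the log section writes to syslog, that an active forwarding line exists, that the -g value matches that line's facility, and that auth_badpass and auth_goodpass stay at no so passwords are not written into events sent to QRadar. The function names and the sample contents, including the address 192.0.2.10, are constructed for illustration.

```python
import re

# Constructed sample inputs, not taken from a real host.
RADIUS_CONF = """\
log {
    destination = syslog
    syslog_facility = daemon
    auth = yes
    auth_badpass = no
    auth_goodpass = no
}
"""
SYSLOG_CONF = """\
# local1.=notice @192.0.2.10
local1.=err @192.0.2.10
"""
STARTUP_OPTS = "-l syslog -g local1"

def log_settings(conf):
    """Return key/value pairs from the log { } section of the FreeRADIUS config."""
    m = re.search(r"^\s*log\s*\{(.*?)^\s*\}", conf, re.S | re.M)
    body = m.group(1) if m else ""
    return dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", body, re.M))

def forwarded_facilities(syslog_conf):
    """Facilities of active (uncommented) lines that forward to a remote host with @."""
    return set(re.findall(r"^\s*(\w+)\.\S+\s+@\S+", syslog_conf, re.M))

def check(radius_conf, syslog_conf, startup_opts):
    """Return a list of problems; an empty list means the pieces agree."""
    problems = []
    log = log_settings(radius_conf)
    if log.get("destination") != "syslog":
        problems.append("log destination is not syslog")
    for key in ("auth_badpass", "auth_goodpass"):
        if log.get(key, "no") == "yes":
            problems.append(f"{key} = yes would put passwords in forwarded events")
    facility = re.search(r"(?:^|\s)-g\s+(\S+)", startup_opts)
    active = forwarded_facilities(syslog_conf)
    if not active:
        problems.append("no active forwarding line (remove the # from one @ line)")
    elif not facility or facility.group(1) not in active:
        problems.append("-g facility does not match an active forwarding line")
    if not re.search(r"(?:^|\s)-l\s+syslog(?:\s|$)", startup_opts):
        problems.append("startup options lack -l syslog")
    return problems
```

On a real host, pass the contents of the FreeRADIUS configuration file, the syslog configuration file and the startup script's option string to check() in place of the constructed samples.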