Configuring your FreeRADIUS device to communicate with QRadar

Configure FreeRADIUS to send logs to the syslog daemon of the host and configure the daemon to send events to QRadar.

Before you begin

You must have a working knowledge of syslog configuration and the Linux® distribution.

About this task

FreeRADIUS has multiple distributions. Some files might not be in the same locations that are described in this procedure. For example, the location of the FreeRADIUS startup script is based on distribution. Conceptually, the configuration steps are the same for all distributions.

Procedure

  1. Log in to the system that hosts FreeRADIUS.
  2. Edit the /etc/freeradius/radius.conf file.
  3. Change the text in the file to match the following lines:
    logdir = syslog
    Log_destination = syslog
    log{
        destination = syslog
        syslog_facility = daemon
        stripped_names = no
        auth = yes
        auth_badpass = no
        auth_goodpass = no
    }
  4. Edit the /etc/syslog.conf file.
  5. To configure log options, add the following text.
    # .=notice logs authentication messages (L_AUTH).
    # <facility_name>.=notice @<IP_address_of_QRadar_Event_Collector_or_QRadar_Console>
    # .=err logs module errors for FreeRADIUS.
    #<facility_name>.=err @<IP_address_of_QRadar_Event_Collector_or_QRadar_Console>
    # .* logs messages to the same target.
    # <facility_name>.* @<IP_address_of_QRadar_Event_Collector_or_QRadar_Console>

    An example syslog facility name is local1. You can rename it.

    To configure a log option, remove the comment tag (#) from one of the active lines that contains an @ symbol.

  6. If the configuration change does not load automatically, restart the syslog daemon. The method to restart the syslog daemon depends on the distribution that is used. The following table lists possible methods.
    Operating system distribution Command to restart daemon
    Red Hat Enterprise Linux service syslog restart
    Debian Linux or Ubuntu Linux /etc/init.d/syslog restart
    FreeBSD operating system /etc/rc.d/syslogd restart
  7. Add the following options to the FreeRADIUS startup script:
    • -l syslog
    • -g <facility_name>

    The -g value must match the facility name in Step 5.

  8. Restart FreeRADIUS.