Configuring Cloudera Navigator to communicate with QRadar

You can configure the Cloudera Navigator device to send syslog events in JSON format to IBM QRadar.

Before you begin

Ensure that Cloudera Navigator can access port 514 on the QRadar system.

About this task

When you install Cloudera Navigator, all audit logs are collected automatically. However, you must configure Cloudera Navigator to send audit logs to QRadar by using syslog.

Procedure

  1. Do one of the following tasks:
    • Click Clusters > Cloudera Management Service > Cloudera Management Service.
    • On the Status tab of the Home page, click the Cloudera Management Service link in the Cloudera Management Service table.
  2. Click the Configuration tab.
  3. Search for Navigator Audit Server Logging Advanced Configuration Snippet.
  4. Depending on the format type, enter one of the following values in the Value field:
    • log4j.logger.auditStream = TRACE,SYSLOG
    • log4j.appender.SYSLOG = org.apache.log4j.net.SyslogAppender
    • log4j.appender.SYSLOG.SyslogHost = <QRadar Hostname>
    • log4j.appender.SYSLOG.Facility = Local2
    • log4j.appender.SYSLOG.FacilityPrinting = true
    • log4j.additivity.auditStream = false
  5. Click Save Changes.
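As an added check that is not part of IBM's or Cloudera's documentation, the following Python script parses the six log4j lines from step 4, flags the mistakes that most often leave QRadar without audit events (the <QRadar Hostname> placeholder left in place, a wrong appender class, additivity still on), and frames one constructed JSON event with the same PRI and "local2:" prefix that log4j's SyslogAppender produces for Facility = Local2 with FacilityPrinting = true, so delivery to UDP port 514 can be tested before you save changes. The hostname qradar.example.org and the sample event are assumptions.

```python
import json
import socket

# The six lines from the procedure above, placeholder included.
PAGE_SNIPPET = """log4j.logger.auditStream = TRACE,SYSLOG
log4j.appender.SYSLOG = org.apache.log4j.net.SyslogAppender
log4j.appender.SYSLOG.SyslogHost = <QRadar Hostname>
log4j.appender.SYSLOG.Facility = Local2
log4j.appender.SYSLOG.FacilityPrinting = true
log4j.additivity.auditStream = false"""
# RFC 3164 facility numbers; log4j 1.x maps TRACE and DEBUG to LOG_DEBUG (7).
FACILITIES = {"user": 1, "local2": 18}
SEVERITIES = {"TRACE": 7, "DEBUG": 7, "INFO": 6, "WARN": 4, "ERROR": 3, "FATAL": 0}

def parse_snippet(text):
    # Turn 'key = value' lines into a dict; comments and non-property lines are skipped.
    props = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith("#"):
            props[key.strip()] = value.strip()
    return props

def check_snippet(props):
    """List the misconfigurations that would leave QRadar without audit events."""
    problems = []
    if props.get("log4j.appender.SYSLOG") != "org.apache.log4j.net.SyslogAppender":
        problems.append("SYSLOG appender is not org.apache.log4j.net.SyslogAppender")
    host = props.get("log4j.appender.SYSLOG.SyslogHost", "")
    if not host or host.startswith("<"):
        problems.append("SyslogHost is empty or still the <QRadar Hostname> placeholder")
    if "SYSLOG" not in [a.strip() for a in props.get("log4j.logger.auditStream", "").split(",")]:
        problems.append("auditStream logger does not reference the SYSLOG appender")
    if props.get("log4j.additivity.auditStream", "").lower() != "false":
        problems.append("additivity is not false, so audits are also written to the local log")
    return problems

def build_syslog_message(props, level, event):
    """Frame a JSON event as the SyslogAppender does: <PRI>, then 'facility:' if printing is on."""
    facility = props.get("log4j.appender.SYSLOG.Facility", "user").lower()
    pri = FACILITIES[facility] * 8 + SEVERITIES[level]
    printing = props.get("log4j.appender.SYSLOG.FacilityPrinting", "false").lower() == "true"
    return f"<{pri}>{facility + ':' if printing else ''}{json.dumps(event)}".encode()

def send_test_event(props, event):
    """Send one constructed event over UDP to port 514 on the configured SyslogHost."""
    msg = build_syslog_message(props, "TRACE", event)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(msg, (props["log4j.appender.SYSLOG.SyslogHost"], 514))
    return msg
```

Run check_snippet on the parsed snippet after replacing the SyslogHost value, then call send_test_event and confirm the event appears in the QRadar Log Activity tab.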