Configure Linux® OS to send audit logs to QRadar®.
About this task
This task applies to Red Hat® Enterprise Linux (RHEL) v6 to v8 operating systems.
If you use a SUSE, Debian, or Ubuntu operating system, see your vendor documentation for specific
steps for your operating system.
Procedure
- Log in to your Linux OS device as the root user.
- Type the following commands:
    yum install audit
    service auditd start
    chkconfig auditd on
- Optional: If you are using RHEL v6 to v7.9, open the /etc/audisp/plugins.d/syslog.conf file and verify that the parameters match the following values:
    active = yes
    direction = out
    path = builtin_syslog
    type = builtin
    args = LOG_LOCAL6
    format = string
- Optional: If you are using RHEL v8, open the /etc/audit/plugins.d/syslog.conf file and verify that the parameters match the following values:
    active = yes
    direction = out
    path = builtin_syslog
    type = builtin
    args = LOG_LOCAL6
    format = string
- Open the /etc/rsyslog.conf file and add the following line at the end of the file:
    local6.* @@<QRadar_Collector_IP_address>
- Type the following commands:
    service auditd restart
    service syslog restart
- Log in to the QRadar Console.
- Add a Linux OS log source on the QRadar Console.
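The following check script is an added example, not part of the IBM documentation or of auditd/rsyslog. It verifies the two files the procedure edits: every plugin parameter carries the required value, and rsyslog has an active local6.* forwarding rule whose placeholder has actually been replaced (the double @@ selects TCP; a single @ would send UDP). The file paths are parameters, so the constructed sample files in the script stand in for the real ones on a host.

```shell
#!/bin/sh
# Added verification script, not part of the IBM page. It checks the two files
# the procedure edits: the audisp syslog plugin config (/etc/audisp/plugins.d/
# syslog.conf on RHEL v6 to v7.9, /etc/audit/plugins.d/syslog.conf on RHEL v8)
# and /etc/rsyslog.conf. Both paths are parameters so the constructed samples
# below can stand in for the real files.

# conf_value FILE KEY: value of "KEY = value", skipping comments; last one wins.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}
# check_plugin_conf FILE: report every key that differs from the value the
# procedure requires; return 1 if any differs (auditd would not forward).
check_plugin_conf() {
    rc=0
    for pair in active=yes direction=out path=builtin_syslog type=builtin \
                args=LOG_LOCAL6 format=string; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(conf_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$1: $key = '${got:-<unset>}', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# check_rsyslog_forward FILE: 0 if an active "local6.* @@<target>" rule exists
# (@@ is TCP; a single @ would be UDP), 2 if the rule still carries the
# documentation placeholder, 1 if there is no such rule at all.
check_rsyslog_forward() {
    rule=$(grep -E '^[[:space:]]*local6\.\*[[:space:]]+@@' "$1" | tail -n 1)
    [ -n "$rule" ] || { echo "$1: no local6.* @@ forwarding rule" >&2; return 1; }
    case $rule in
        *'<'*) echo "$1: placeholder not replaced: $rule" >&2; return 2 ;;
    esac
    return 0
}

# Constructed samples: a correct plugin config, one left disabled with the
# wrong facility, and an rsyslog.conf whose placeholder was never replaced.
tmp=$(mktemp -d)
printf 'active = yes\ndirection = out\npath = builtin_syslog\ntype = builtin\nargs = LOG_LOCAL6\nformat = string\n' > "$tmp/good.conf"
printf '# sample\nactive = no\ndirection = out\npath = builtin_syslog\ntype = builtin\nargs = LOG_INFO\nformat = string\n' > "$tmp/bad.conf"
printf '*.info;mail.none /var/log/messages\nlocal6.* @@<QRadar_Collector_IP_address>\n' > "$tmp/rsyslog.conf"
check_plugin_conf "$tmp/good.conf" && echo "good.conf: ok"
check_plugin_conf "$tmp/bad.conf" || echo "bad.conf: needs fixing"
check_rsyslog_forward "$tmp/rsyslog.conf" || echo "rsyslog.conf: needs fixing"
rm -rf "$tmp"
```

On a real host, call the two functions with the plugin config path for your RHEL version and with /etc/rsyslog.conf; a non-zero return means events will not reach the QRadar collector until that file is corrected.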