Configuring Linux OS to send audit logs

Configure Linux® OS to send audit logs to QRadar®.

About this task

This task applies to Red Hat® Enterprise Linux (RHEL) v6 to v8 operating systems.

If you use a SUSE, Debian, or Ubuntu operating system, see your vendor documentation for specific steps for your operating system.

Procedure

  1. Log in to your Linux OS device as the root user.
  2. Type the following commands:

    yum install audit
    service auditd start
    chkconfig auditd on

  3. Optional: If you are using RHEL v6 to v7.9, open the /etc/audisp/plugins.d/syslog.conf file and verify that the parameters match the following values:

    active = yes
    direction = out
    path = builtin_syslog
    type = builtin
    args = LOG_LOCAL6
    format = string

  4. Optional: If you are using RHEL v8, open the /etc/audit/plugins.d/syslog.conf file and verify that the parameters match the following values:

    active = yes
    direction = out
    path = builtin_syslog
    type = builtin
    args = LOG_LOCAL6
    format = string

  5. Open the /etc/rsyslog.conf file and add the following line at the end of the file:
    local6.* @@<QRadar_Collector_IP_address>
  6. Type the following commands:

    service auditd restart
    service syslog restart

  7. Log in to the QRadar Console.
  8. Add a Linux OS log source on the QRadar Console.
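As an added check that is not part of the QRadar documentation, the following bash script reads the syslog plugin file from step 3 or 4 and the rsyslog.conf from step 5 and reports any value that differs from what the procedure expects; the file paths are passed in as arguments, and the sample plugin file it writes is constructed for the self-check rather than taken from a real host.

```shell
# Added verification helper (not from the QRadar documentation): checks the audit
# syslog plugin file (step 3 or 4) and rsyslog.conf (step 5); paths are arguments.

# Expected "key=value" pairs from steps 3 and 4.
EXPECTED="active=yes direction=out path=builtin_syslog type=builtin args=LOG_LOCAL6 format=string"

# Print "key=value" for each non-comment setting, with whitespace around '='
# removed so comparisons are exact.
plugin_settings() {
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
      -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      -e 's/[[:space:]]*=[[:space:]]*/=/' "$1"
}

# Return 0 when every expected setting is present with the expected value;
# otherwise report each mismatch (last occurrence of a key wins) and return 1.
check_plugin_conf() {
  local file=$1 rc=0 pair key want got settings
  settings=$(plugin_settings "$file")
  for pair in $EXPECTED; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(printf '%s\n' "$settings" | awk -F= -v k="$key" '$1==k {print $2}' | tail -n1)
    if [ "$got" != "$want" ]; then
      echo "$file: $key is '${got:-unset}', expected '$want'"
      rc=1
    fi
  done
  return $rc
}

# Return 0 when rsyslog.conf forwards local6.* with '@@' (TCP) to a target;
# a single '@' (UDP) or a missing line fails the check.
check_rsyslog_forward() {
  grep -Eq '^[[:space:]]*local6\.\*[[:space:]]+@@[^[:space:]]+' "$1"
}

# Constructed sample plugin file (not captured from a real host); args is
# deliberately wrong so check_plugin_conf reports it.
write_sample_plugin_conf() {
  cat > "$1" <<'EOF'
# This file controls the configuration of the syslog plugin.
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_LOCAL0
format = string
EOF
}
```

On a configured host, run `check_plugin_conf /etc/audit/plugins.d/syslog.conf` (or the /etc/audisp path on RHEL 6 to 7.9) and `check_rsyslog_forward /etc/rsyslog.conf` before restarting the services in step 6.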