Configuring Sun Solaris OS to communicate with QRadar

The Sun Solaris OS DSM for IBM QRadar records all relevant Solaris Operating System Authentication Messages events by using the Syslog protocol.

About this task

To collect events from Sun Solaris OS, you must configure syslog to forward events to QRadar.

Procedure

  1. Log in to the Sun Solaris command-line interface (CLI).
  2. Open the /etc/syslog.conf file.
  3. To forward system authentication logs to QRadar, add the following line to the file:

    *.err;auth.notice;auth.info	@<IP_address>

    Where <IP_address> is the IP address of your QRadar Console or Event Collector. Separate the selector from the @<IP_address> action with a tab, not spaces; Solaris syslogd does not parse space-separated entries.

    Tip: Depending on your version of Sun Solaris, you might need to add more log types to the file. Contact your system administrator for more information.
  4. Save and exit the file.
  5. Type the following command:

    kill -HUP `cat /etc/syslog.pid`
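
    A check for the tab-separator requirement in step 3, added here as an example; it is not part of the IBM documentation or of Solaris itself. The collector address 192.0.2.10 and the three sample configuration files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify that a syslog.conf contains a forwarding entry for the
# QRadar collector and that the selector and "@collector" action are separated
# by a tab (Solaris syslogd ignores lines that use spaces as the separator).
# Return codes: 0 = correct tab-separated entry found,
#               1 = entry present but not tab-separated (will not work),
#               2 = no entry for the collector at all.
check_qradar_forwarding() {
    conf="$1"
    collector="$2"
    tab="$(printf '\t')"
    # Non-comment line ending in "<tab>@collector" is the working form.
    if grep "^[^#].*${tab}@${collector}\$" "$conf" >/dev/null 2>&1; then
        return 0
    fi
    # Entry exists but the separator is something other than a tab.
    if grep "^[^#].*@${collector}\$" "$conf" >/dev/null 2>&1; then
        return 1
    fi
    return 2
}

# Human-readable wrapper around the check, for use from a shell session.
report_qradar_forwarding() {
    check_qradar_forwarding "$1" "$2"
    case $? in
        0) echo "$1: forwarding to $2 is configured correctly" ;;
        1) echo "$1: entry for $2 found but not tab-separated; fix it" ;;
        *) echo "$1: no forwarding entry for $2" ;;
    esac
}

# Constructed sample files (not real Solaris configs) to exercise the check.
SAMPLE_DIR="${TMPDIR:-/tmp}/qradar_syslog_check.$$"
mkdir -p "$SAMPLE_DIR"
printf '*.err;auth.notice;auth.info\t@192.0.2.10\n' > "$SAMPLE_DIR/good.conf"
printf '*.err;auth.notice;auth.info @192.0.2.10\n' > "$SAMPLE_DIR/spaces.conf"
printf '*.err;kern.notice\t/var/adm/messages\n' > "$SAMPLE_DIR/missing.conf"

report_qradar_forwarding "$SAMPLE_DIR/good.conf" 192.0.2.10
report_qradar_forwarding "$SAMPLE_DIR/spaces.conf" 192.0.2.10
report_qradar_forwarding "$SAMPLE_DIR/missing.conf" 192.0.2.10
```

Run it against the real file with `report_qradar_forwarding /etc/syslog.conf <IP_address>` after editing, and before sending the HUP to syslogd.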

What to do next

Configure a log source in QRadar. For more information, see Syslog log source parameters for Sun Solaris OS.
Important: If a Linux® log source is created for the Solaris System that is sending events, disable the Linux log source, and then adjust the parsing order. Ensure that the Sun Solaris OS DSM is listed first.