If you are using syslog on a UNIX host to forward events, replace the stock syslog daemon with syslog-ng. syslog-ng is a separate, actively maintained syslog implementation, not a newer version of the classic syslogd; it provides the TCP transport and facility filtering that this procedure relies on.
Procedure
- Log in to your Linux® OS device as the root user.
- Open the /etc/syslog-ng/syslog-ng.conf file and add the following source, filter, destination, and log statements:
# syslog-ng's own messages plus the platform's local log sources (for example /dev/log and the kernel)
source qr_source {
    internal();
    system();
};
# forward only authentication-related messages
filter qr_filter {
    facility(auth, authpriv);
};
# plain TCP to the QRadar syslog listener; 514 is QRadar's default syslog port
destination qr_destination {
    tcp("<qradar_ip_address>" port(514));
};
log {
    source(qr_source);
    filter(qr_filter);
    destination(qr_destination);
};
where <qradar_ip_address> is the IP address of the IBM QRadar Console or Event Collector that receives the events.

The filter forwards only messages logged with the auth and authpriv facilities; add other facilities to facility() if QRadar also needs them. The tcp() driver sends events in clear text, so use it only where the path to QRadar is trusted; syslog-ng can also forward over TLS to a QRadar TLS Syslog log source.
- Save the file.
- Restart syslog-ng by typing the following command:
service syslog-ng restart
- Log in to the QRadar Console.
- Add a Linux OS log source on the QRadar Console, using the Syslog protocol, with the Log Source Identifier set to the host name or IP address that appears in the forwarded events.
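The procedure above as one script, added here as an example and not part of the original IBM page: it renders the same source, filter, destination, and log statements for a given QRadar address and port, validates the address, writes the result as a drop-in, syntax-checks it before restarting syslog-ng, and then emits an auth-facility test event so the forwarding can be confirmed. It assumes that syslog-ng.conf includes /etc/syslog-ng/conf.d/*.conf (a common distribution default), that the daemon is managed by systemd or SysV init, and the function names valid_ipv4, render_conf and install_conf, the FACILITIES parameter, and the file name qradar.conf are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the IBM page): render, check, and activate a
# syslog-ng forwarding configuration for QRadar.
# Assumptions: syslog-ng.conf includes /etc/syslog-ng/conf.d/*.conf (common
# distro default), and the daemon is managed by systemd or SysV init.
# The function names and the FACILITIES parameter are this example's own.

# valid_ipv4 ADDR: succeed only for a dotted quad whose octets are 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# render_conf QRADAR_IP [PORT] [FACILITIES]: print the syslog-ng statements
# from the procedure, with the destination and facility list parameterised.
# PORT defaults to QRadar's TCP syslog listener, FACILITIES to auth, authpriv.
render_conf() {
    ip=$1
    port=${2:-514}
    facilities=${3:-"auth, authpriv"}
    valid_ipv4 "$ip" || { echo "render_conf: invalid IPv4 address: $ip" >&2; return 1; }
    cat <<EOF
source qr_source {
    internal();
    system();
};
filter qr_filter {
    facility($facilities);
};
destination qr_destination {
    tcp("$ip" port($port));
};
log {
    source(qr_source);
    filter(qr_filter);
    destination(qr_destination);
};
EOF
}

# install_conf QRADAR_IP [PORT] [FACILITIES]: write the drop-in, refuse to
# restart on a syntax error, restart the daemon, then emit an auth-facility
# test event that qr_filter should match, and show the TCP session to QRadar.
install_conf() {
    conf=/etc/syslog-ng/conf.d/qradar.conf
    render_conf "$1" "$2" "$3" > "$conf" || return 1
    # --syntax-only parses the full config (including the drop-in) without starting syslog-ng
    if ! syslog-ng --syntax-only; then
        echo "install_conf: syntax check failed; $conf left in place, daemon not restarted" >&2
        return 1
    fi
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart syslog-ng
    else
        service syslog-ng restart
    fi
    # an auth-facility message: this is what qr_filter lets through to QRadar
    logger -p auth.notice "QRadar syslog-ng forwarding test from $(hostname)"
    # an ESTAB line here means the tcp() destination connected to QRadar
    ss -tn state established "( dport = :${2:-514} )"
}

# Usage (as root): sh qradar-syslog-ng.sh install <qradar_ip_address> [port] [facilities]
case "${1:-}" in
    install) install_conf "$2" "$3" "$4" ;;
esac
```

After running it, the test event should appear in the QRadar Log Activity tab against the Linux OS log source; if the ss line is missing, syslog-ng could not open the TCP connection and the destination IP, port, or an intervening firewall is the first thing to check.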
For more information about syslog-ng, see the Linux documentation
(https://www.linux.com/what-is-linux/).