Configuring syslog-ng on Linux OS

If you use syslog on a UNIX host to forward events, upgrade the standard syslog daemon to syslog-ng, which is a more recent version. The configuration below forwards only the auth and authpriv facilities to QRadar over TCP on port 514.

Procedure

  1. Log in to your Linux® OS device as the root user.
  2. Open the /etc/syslog-ng/syslog-ng.conf file and add the following source, filter, destination, and log definitions:
    source qr_source {
        internal();
        system();
    };
    filter qr_filter {
        facility(auth, authpriv);
    };
    destination qr_destination {
        tcp("<qradar_ip_address>" port(514));
    };
    log {
        source(qr_source);
        filter(qr_filter);
        destination(qr_destination);
    };

    where:

    <qradar_ip_address> is the IP address of IBM® QRadar®.

  3. Save the file.
  4. Restart syslog-ng by typing the following command:
    service syslog-ng restart
  5. Log in to the QRadar Console.
  6. Add a Linux OS log source on the QRadar Console.

    For more information about syslog-ng, see the Linux documentation (https://www.linux.com/what-is-linux/).
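    Checks worth running after step 4, as an added example that is not part of the IBM page: a syntax check of the edited file, a test event on the auth facility that qr_filter selects, and a reading of syslog-ng's own counters for qr_destination. It assumes syslog-ng 3.x with syslog-ng-ctl on the path and the semicolon-separated stats layout SourceName;SourceId;SourceInstance;State;Type;Number.

```shell
#!/bin/sh
# Post-change checks for the syslog-ng -> QRadar forwarding configured above.
# Added example, not from the IBM page; assumes syslog-ng 3.x and syslog-ng-ctl.

CONF=${CONF:-/etc/syslog-ng/syslog-ng.conf}

# 1. Syntax-check the edited file before restarting, so a typo in the new
#    blocks does not leave the host without a running syslog daemon.
check_config() {
    syslog-ng --syntax-only -f "$1"
}

# 2. Emit a test event on the auth facility, which qr_filter forwards.
send_test_event() {
    logger -p auth.notice -t qradar-test "syslog-ng forwarding test $(date +%s)"
}

# 3. Sum one counter (processed, dropped or queued) for qr_destination from
#    `syslog-ng-ctl stats` output read on stdin. Only the per-driver lines
#    (dst.tcp;qr_destination#0;...) are counted, to avoid double counting
#    the aggregate "destination;" line.
dest_counter() {
    awk -F';' -v want="$1" '
        $1 ~ /^dst\./ && $2 ~ /^qr_destination/ && $5 == want { total += $6 }
        END { print total + 0 }'
}

# 4. dropped > 0 means QRadar did not accept the events (port 514 closed,
#    firewall, wrong IP); processed == 0 means nothing matched the filter.
report() {
    stats=$(syslog-ng-ctl stats) || return 2
    processed=$(printf '%s\n' "$stats" | dest_counter processed)
    dropped=$(printf '%s\n' "$stats" | dest_counter dropped)
    echo "qr_destination processed=$processed dropped=$dropped"
    [ "$dropped" -eq 0 ] && [ "$processed" -gt 0 ]
}

# Run the full sequence only when invoked as: sh check_qradar_forwarding.sh run
if [ "${1:-}" = run ]; then
    check_config "$CONF" && send_test_event && sleep 2 && report
fi
```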