Before you can add a log source in QRadar®, you need to configure
rsyslog on your Linux® system.
Before you begin
Rsyslog must be installed on your Linux system. For
more information, go to the rsyslog website (https://www.rsyslog.com).
Procedure
- On your Linux system, open the /etc/rsyslog.conf file, and then add the following entry at the end of the file:
  local3.info @@<QRadar_IP_address>:12468
  where <QRadar_IP_address> is the IP address of the QRadar Event Collector that you want to send events to.
- rsyslog must be able to send to a non-standard TCP port. A potential challenge is that SELinux might block TCP port 12468. For more information, see Configuring rsyslog on a logging server (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/s1-configuring_rsyslog_on_a_logging_server).
- Restart the rsyslog service.
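The following is an added example, not part of the IBM documentation: it installs the forwarding rule from the procedure above into an rsyslog configuration file idempotently, verifies it is present, and syntax-checks the result. The configuration path and collector IP are parameters so the functions can be exercised against a scratch file before /etc/rsyslog.conf is touched.

```shell
#!/bin/sh
# Added example (not from the IBM page). Config path and collector IP are
# supplied by the caller; any address used in testing is a placeholder.

QRADAR_PORT=12468            # non-standard TCP port from the procedure
FORWARD_FACILITY="local3.info"

# Print the exact rule line the procedure asks for.
# "@@" selects TCP; a single "@" would send over UDP instead.
qradar_rule() {
    printf '%s @@%s:%s\n' "$FORWARD_FACILITY" "$1" "$QRADAR_PORT"
}

# Return 0 if the rule for this collector IP is already in the file
# (whole-line, fixed-string match so similar lines do not count).
has_qradar_rule() {
    conf=$1; ip=$2
    [ -f "$conf" ] && grep -qxF "$(qradar_rule "$ip")" "$conf"
}

# Append the rule only when it is missing, so repeated runs (for example
# from configuration management) never duplicate it.
add_qradar_rule() {
    conf=$1; ip=$2
    if has_qradar_rule "$conf" "$ip"; then
        return 0
    fi
    qradar_rule "$ip" >> "$conf"
}

# Number of times the rule occurs; used to prove idempotence.
count_qradar_rule() {
    grep -cxF "$(qradar_rule "$2")" "$1"
}

# Parse-only check of the resulting file when rsyslogd is installed.
# -N1 validates the configuration without starting the daemon.
# On SELinux systems the port may additionally need the syslogd_port_t
# label (semanage port -a -t syslogd_port_t -p tcp 12468, following the
# Red Hat guide referenced in the procedure) before rsyslog can connect.
check_rsyslog_config() {
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$1"
    fi
}
```

After running add_qradar_rule against /etc/rsyslog.conf, restart the rsyslog service as the procedure states.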
What to do next
Configure osquery on your Linux system. For more
information, see Configuring osquery on your Linux system.