To send syslog messages to IBM QRadar, the Netgate pfSense remote logging options must be configured to specify a remote log server.
Before you begin
If you want to send Snort IDS events to QRadar, ensure that the Snort package for Netgate pfSense is installed and configured. Snort is an open source network intrusion detection and prevention system.
Procedure
- Log in to your Netgate pfSense device.
- Configure remote logging options for Netgate pfSense.
  - Select .
  - Click the Settings tab and then go to the Remote Logging Options section.
  - Select a Source Address, or use the default.
  - Select an IP Protocol, or use the default.
  - In the Remote log servers options section, enable System Events, Firewall Events, DNS Events, and DHCP Events.
  Important: If the System Events logging option is enabled, Unknown or Stored events might occur because extra services that are installed by packages for Netgate pfSense can output log messages to the system log. Due to the large number of packages available for Netgate pfSense, the DSM was developed to support the base installation of the device. The DSM Editor can be used in this case to create custom parsing for any Unknown or Stored events that result from user-installed packages. For more information about the DSM Editor, see the IBM QRadar Administration Guide.
  Important: For DNS logs to be properly sent to QRadar, complete the following steps. These steps apply only to the Unbound DNS Resolver, the default DNS service configured on Netgate pfSense. If you're running BIND instead of Unbound, these steps do not apply.
  - Go to .
  - On the General Settings tab, scroll down to Custom Options.
  - Add the following lines in Custom Options:
      server:
      log-replies:yes
  - Click Save.
  - To confirm that Netgate pfSense is generating DNS logs, go to .
- Optional: Configure the Snort service to output logs to the Netgate pfSense system log.
  - Select .
  - On the Snort Interface tab, click Edit this Snort interface mapping (pencil icon).
  - In the Alert Settings section, enable Send Alerts to System Log.
  - Click Save.
  - On the Snort Interface tab, click Restart Snort on this interface.
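Before pointing the remote log server at QRadar, a practitioner will usually want to see which programs the device is actually forwarding and which of them fall outside the base-install event types named above (those are the ones that would surface as Unknown or Stored events and need DSM Editor work). The following is an added example, not part of this guide or of QRadar or pfSense: it parses BSD-style syslog lines as pfSense emits them and counts them per event type. The sample lines and the tag-to-type mapping are constructed assumptions for illustration.

```python
import re
from collections import Counter

# BSD (RFC 3164) syslog line: <PRI>Mmm dd hh:mm:ss host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[A-Za-z0-9_.\-/]+)(?:\[(?P<pid>\d+)\])?:\s?(?P<msg>.*)$"
)

# Assumed mapping of base-install program tags to the logging options enabled
# in the procedure above (plus Snort for the optional step). Anything else is
# treated as a package-supplied source that the base DSM may not parse.
KNOWN_TAGS = {
    "filterlog": "Firewall Events",
    "unbound": "DNS Events",
    "dhcpd": "DHCP Events",
    "snort": "Snort IDS",
    "kernel": "System Events",
    "sshd": "System Events",
}

# Constructed sample lines; not captured from a real device.
SAMPLE_LINES = [
    "<134>Mar  3 10:15:01 pfSense filterlog[45231]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,1234,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51514,22",
    "<30>Mar  3 10:15:02 pfSense unbound[60412]: [60412:0] info: 192.168.1.25 example.com. A IN NOERROR 0.012 0 56",
    "<30>Mar  3 10:15:03 pfSense dhcpd: DHCPACK on 192.168.1.25 to 02:00:00:aa:bb:cc via igb1",
    "<33>Mar  3 10:15:04 pfSense snort[51000]: [1:1000001:1] constructed test rule [Priority: 3] {TCP} 192.168.1.25:51514 -> 192.0.2.10:80",
    "<134>Mar  3 10:15:05 pfSense haproxy[61000]: Proxy web_front started.",
]

def parse_syslog(line):
    """Split one syslog line into its header fields; None if it is not RFC 3164-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3, "severity": pri & 7, "host": m.group("host"),
        "tag": m.group("tag"), "pid": m.group("pid"), "msg": m.group("msg"),
        "category": KNOWN_TAGS.get(m.group("tag"), "unknown"),
    }

def summarize(lines):
    """Count lines per event type and collect tags that the base mapping does not cover."""
    counts, unknown_tags = Counter(), set()
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            counts["unparseable"] += 1
            continue
        counts[ev["category"]] += 1
        if ev["category"] == "unknown":
            unknown_tags.add(ev["tag"])
    return counts, unknown_tags
```

Feeding a capture of the device's syslog output into summarize() lists the program tags (here the constructed haproxy line) that would need custom parsing in the DSM Editor.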