Configuring ProFTPd

You can configure a ProFTPd device to send its events to QRadar through syslog.

Procedure

  1. Open the /etc/proftpd.conf file.
  2. Below the LogFormat directives, add the following line:

    SyslogFacility <facility>

    Where <facility> is one of the following options: AUTH (or AUTHPRIV), CRON, DAEMON, KERN, LPR, MAIL, NEWS, USER, UUCP, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, or LOCAL7.

  3. Save the file and exit.
  4. Open the /etc/syslog.conf file.
  5. Add the following line at the end of the file:

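    <facility>.* @<QRadar host>

    Where:

    <facility> matches the facility that you chose in step 2. The facility must be typed in lowercase. The .* suffix selects every priority for that facility; a syslog.conf selector needs both a facility and a priority.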

    <QRadar host> is the IP address of your QRadar Console or Event Collector.

  6. Restart syslog and ProFTPd:

    /etc/init.d/syslog restart

    /etc/init.d/proftpd restart
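
The following script is an added example, not part of the original procedure. It checks that the facility set in the ProFTPd configuration has a matching lowercase forwarding rule in syslog.conf. The function names and sample files are constructed for illustration, and it assumes classic syslog.conf selector syntax (facility.priority followed by an @host action).

```shell
#!/bin/sh
# Added example: check that ProFTPd's SyslogFacility has a matching remote rule.
VALID="auth authpriv cron daemon kern lpr mail news user uucp \
local0 local1 local2 local3 local4 local5 local6 local7"

# Print the last SyslogFacility value in a ProFTPd config, lowercased.
proftpd_facility() {
    awk 'tolower($1) == "syslogfacility" { f = tolower($2) }
         END { if (f == "") exit 1; print f }' "$1"
}

# Succeed if a syslog.conf rule sends the (lowercase) facility to an @host action.
forwards_facility() {
    awk -v fac="$1" '
        $1 ~ /^#/ { next }                       # skip comment lines
        $2 ~ /^@/ {                              # remote forwarding action
            hit = 0
            n = split($1, sel, ";")              # selectors are ;-separated
            for (i = 1; i <= n; i++) {
                split(sel[i], p, "[.]")          # facility[,facility].priority
                m = split(p[1], facs, ",")
                for (j = 1; j <= m; j++)
                    if (facs[j] == fac || facs[j] == "*")
                        hit = (p[2] != "" && p[2] != "none")
            }
            if (hit) found = 1
        }
        END { exit found ? 0 : 1 }' "$2"
}

# Usage: check_proftpd_syslog <proftpd.conf> <syslog.conf>
# Returns 0 ok, 2 no SyslogFacility, 3 unknown facility, 4 no forwarding rule.
check_proftpd_syslog() {
    fac=$(proftpd_facility "$1") || { echo "no SyslogFacility in $1"; return 2; }
    case " $VALID " in
        *" $fac "*) ;;
        *) echo "unknown facility: $fac"; return 3 ;;
    esac
    forwards_facility "$fac" "$2" || { echo "no remote rule for $fac in $2"; return 4; }
    echo "ok: $fac is forwarded to a remote host"
}

# Constructed sample files (192.0.2.10 is a documentation address).
tmp=$(mktemp -d)
printf 'SyslogFacility LOCAL0\n' > "$tmp/proftpd.conf"
printf '# ProFTPd events\nlocal0.* @192.0.2.10\n' > "$tmp/syslog.conf"
check_proftpd_syslog "$tmp/proftpd.conf" "$tmp/syslog.conf"
```

A return code of 4 means that ProFTPd is logging to a facility that syslog never forwards, so no events reach QRadar even though both services restart cleanly.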

What to do next

You can now configure the log source in QRadar.