You can configure syslog on a ProFTPd device:
Procedure
- Open the /etc/proftpd.conf file.
- Below the LogFormat directives, add the following line:
  SyslogFacility <facility>
  Where <facility> is one of the following options: AUTH (or AUTHPRIV), CRON, DAEMON, KERN, LPR, MAIL, NEWS, USER, UUCP, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, or LOCAL7.
- Save the file and exit.
- Open the /etc/syslog.conf file.
- Add the following line at the end of the file:
  <facility> @<QRadar host>
  Where:
  <facility> matches the facility that is chosen in Configuring ProFTPd. The facility must be typed in lowercase.
  <QRadar host> is the IP address of your QRadar Console or Event Collector.
- Restart syslog and ProFTPd:
  /etc/init.d/syslog restart
  /etc/init.d/proftpd restart
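The most common mistake in this procedure is a facility case mismatch between the two files, which silently sends nothing to QRadar. The following added check (not part of the QRadar documentation or of ProFTPd) reads the SyslogFacility from proftpd.conf and confirms that syslog.conf forwards the same facility, in lowercase, to a remote host before you restart the daemons; the file paths, the 192.0.2.10 address and the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify that the facility set in proftpd.conf is the one that
# syslog.conf forwards, in lowercase, to a remote host. Paths are arguments so
# the check can run against the constructed sample files below.

# Print the SyslogFacility from a proftpd.conf, lowercased; print nothing if unset.
proftpd_facility() {
    awk 'tolower($1) == "syslogfacility" { print tolower($2); exit }' "$1"
}

# Print the host that syslog.conf forwards the given facility to; nothing if absent.
# Accepts both "local4 @host" (as written in the procedure) and "local4.* @host".
# The comparison is case-sensitive on purpose: syslogd expects a lowercase facility.
syslog_target_for() {
    awk -v fac="$2" '
        $1 !~ /^#/ && $2 ~ /^@/ {
            sel = $1; sub(/\..*$/, "", sel)      # strip any ".priority" suffix
            if (sel == fac) { sub(/^@/, "", $2); print $2; exit }
        }' "$1"
}

# Return 0 when proftpd.conf and syslog.conf agree, 1 with a printed reason otherwise.
check_forwarding() {
    fac=$(proftpd_facility "$1")
    [ -n "$fac" ] || { echo "no SyslogFacility directive in $1"; return 1; }
    host=$(syslog_target_for "$2" "$fac")
    [ -n "$host" ] || { echo "no forwarding line for '$fac' in $2 (is it lowercase?)"; return 1; }
    echo "ok: $fac is forwarded to $host"
}

# Constructed sample files; 192.0.2.10 is a documentation address standing in for QRadar.
tmp=$(mktemp -d)
printf 'LogFormat default "%%h %%l %%u %%t"\nSyslogFacility LOCAL4\n' > "$tmp/proftpd.conf"
printf '*.info /var/log/messages\nlocal4 @192.0.2.10\n' > "$tmp/syslog.good"
printf 'LOCAL4 @192.0.2.10\n' > "$tmp/syslog.bad"   # uppercase: syslogd will not match it

for conf in syslog.good syslog.bad; do
    check_forwarding "$tmp/proftpd.conf" "$tmp/$conf" || echo "  -> fix $conf before restarting syslog"
done
rm -rf "$tmp"
```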
What to do next
You can now configure the log source in QRadar.