Configuring Syslog Forwarding for Illumio PCE

Because the PCE software writes its logs to the local syslog daemon, you must configure either the rsyslog or the syslog-ng service on each node in your PCE cluster to forward these logs to QRadar. Configure every node, not just the leader: each node emits its own flow and audit records.

Procedure

  1. If you want to configure rsyslog, complete the following steps.
    1. Edit the /etc/rsyslog.conf file by adding the following entries, or uncomment them if they are already present. Replace <QRadar Event Collector IP> with the IP address of the QRadar event collector. The @@ prefix sends the records over TCP port 514 (a single @ would send UDP), so the event collector must have a TCP syslog listener on that port:
      
      ### LEEF (flow data, audit events) ###
      if $syslogseverity <= 6 \
       and $syslogtag startswith 'illumio_pce/collector[' \
       and $msg contains 'LEEF:' \
       and $msg contains '|Illumio|PCE|' \
       and $msg contains 'cat=flow_summary' \
      then @@<QRadar Event Collector IP>:514
      
      if $syslogseverity <= 6 \
       and $syslogtag startswith 'illumio_pce/' \
       and $msg contains 'LEEF:' \
       and $msg contains '|Illumio|PCE|' \
       and $msg contains 'audit_events' \
      then @@<QRadar Event Collector IP>:514
      
    2. Restart the rsyslog service (on systemd-based hosts, systemctl restart rsyslog is equivalent).

      service rsyslog restart

  2. If you want to configure syslog-ng, complete the following steps.
    1. Edit the /etc/syslog-ng/syslog-ng.conf file by adding the following entries, or uncomment them (remove the leading #) if they are already present. Replace <QRadar Event Collector IP> with the IP address of the QRadar event collector. The tcp() destination sends over TCP port 514, and flush_lines(1) writes each record to the socket as soon as it is logged instead of buffering it. source(s_src) must be the name of the local system source already defined in your syslog-ng.conf; if your distribution's configuration uses a different source name, use that name instead:
      destination d_net { tcp("<QRadar Event Collector IP>" port(514) flush_lines(1)); };
      log { source(s_src); filter(flow_events); destination(d_net); };
      log { source(s_src); filter(audit_events); destination(d_net); };
      
      ### LEEF (flow data, audit events) ###
      filter flow_events {
       level(info..emerg)
       and program("^illumio_pce/collector$")
       and message('LEEF:[^\|]+\|Illumio\|PCE\|')
       and message('cat=flow_summary');
      };
      
      filter audit_events {
       level(info..emerg)
       and program("^illumio_pce/")
       and message('LEEF:[^\|]+\|Illumio\|PCE\|')
       and message('cat=[^ #]*audit_events');
      };
    2. Restart the syslog-ng service (on systemd-based hosts, systemctl restart syslog-ng is equivalent).

      service syslog-ng restart