Configuring Syslog Forwarding for Illumio PCE
Because the PCE software writes its events to the local syslog daemon, you must configure either the rsyslog or the syslog-ng service on each node of the PCE cluster to forward those events to QRadar. Both rule sets below forward only messages at severity info or higher (debug is dropped) whose body carries the LEEF header with the vendor/product pair |Illumio|PCE|, and they send them over plain TCP to port 514 on the Event Collector. Protect that path at the network layer, or use the TLS transport of rsyslog or syslog-ng, if the collector is reached across a network you do not trust.
Procedure
-
If you want to configure rsyslog, complete the following steps.
-
Edit the /etc/rsyslog.conf file by adding the following entries, or
uncommenting them if they are already present. Replace <QRadar Event Collector IP>
with the IP address of the QRadar Event Collector:
### LEEF (flow data, audit events) ###
# $syslogseverity <= 6 keeps emerg..info and drops debug.
# $syslogtag still carries the "[pid]:" suffix, hence the "[" in the collector test.
# "@@" forwards over TCP; a single "@" would be UDP.
# A message that satisfies both rules is sent twice, once per action.
if $syslogseverity <= 6 \
   and $syslogtag startswith 'illumio_pce/collector[' \
   and $msg contains 'LEEF:' \
   and $msg contains '|Illumio|PCE|' \
   and $msg contains 'cat=flow_summary' \
   then @@<QRadar Event Collector IP>:514
if $syslogseverity <= 6 \
   and $syslogtag startswith 'illumio_pce/' \
   and $msg contains 'LEEF:' \
   and $msg contains '|Illumio|PCE|' \
   and $msg contains 'audit_events' \
   then @@<QRadar Event Collector IP>:514
-
Restart the rsyslog service so the new rules are loaded (on systemd hosts, systemctl restart rsyslog is equivalent).
service rsyslog restart
-
If you want to configure syslog-ng, complete the following steps.
-
Edit the /etc/syslog-ng/syslog-ng.conf file by adding the following
entries, or uncommenting them if they are already present. Replace <QRadar Event Collector
IP> with the IP address of the QRadar Event Collector:
### LEEF (flow data, audit events) ###
# level(info..emerg) drops debug. program() sees the tag without its "[pid]" suffix.
filter flow_events {
    level(info..emerg)
    and program("^illumio_pce/collector$")
    and message('LEEF:[^\|]+\|Illumio\|PCE\|')
    and message('cat=flow_summary');
};
filter audit_events {
    level(info..emerg)
    and program("^illumio_pce/")
    and message('LEEF:[^\|]+\|Illumio\|PCE\|')
    and message('cat=[^ #]*audit_events');
};
# TCP to the QRadar Event Collector; flush_lines(1) sends each event without buffering.
destination d_net { tcp("<QRadar Event Collector IP>" port(514) flush_lines(1)); };
# s_src is the local source name in Debian-style configs; use the source your own
# syslog-ng.conf defines (for example s_sys on RHEL-style configs).
# A message that matches both filters is sent twice, once per log path.
log { source(s_src); filter(flow_events); destination(d_net); };
log { source(s_src); filter(audit_events); destination(d_net); };
-
Restart the syslog-ng service so the new filters and log paths are loaded (on systemd hosts, systemctl restart syslog-ng is equivalent).
service syslog-ng restart
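The following Python dry-run is an added example, not code from the Illumio or QRadar documentation. It re-implements the match conditions of both rule sets above and runs them over a handful of constructed syslog lines (the LEEF event IDs, attribute names and the space delimiter between attributes are assumptions) so you can see which events each daemon would forward before changing a production logger. It also shows the one place the two rule sets disagree: rsyslog's "contains 'audit_events'" test, unlike syslog-ng's "cat=[^ #]*audit_events" regex, also fires on a flow event whose payload merely contains that string, and rsyslog then sends the event twice.

```python
"""Dry-run of the rsyslog / syslog-ng Illumio PCE forwarding rules over sample lines.

Added example, not Illumio or QRadar code. Sample lines and LEEF field values are
constructed for illustration; event IDs, attribute names and delimiters are assumptions.
"""
import re
from dataclasses import dataclass

# BSD-style syslog line: "<PRI>Mon DD HH:MM:SS host tag[pid]: msg".
# PCE writes tags such as "illumio_pce/collector[2211]:".
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogEvent:
    severity: int    # 0=emerg .. 7=debug, the low 3 bits of PRI
    program: str     # "illumio_pce/collector": what syslog-ng program() matches against
    syslogtag: str   # "illumio_pce/collector[2211]:": what rsyslog's $syslogtag holds
    msg: str


def parse_syslog(line: str):
    """Return a SyslogEvent, or None for a line that is not syslog-shaped."""
    m = _SYSLOG_RE.match(line)
    if m is None:
        return None
    tag, pid = m.group("tag"), m.group("pid")
    syslogtag = f"{tag}[{pid}]:" if pid else f"{tag}:"
    return SyslogEvent(int(m.group("pri")) & 7, tag, syslogtag, m.group("msg"))


# The same patterns the syslog-ng filters on this page use.
_LEEF_HDR_RE = re.compile(r"LEEF:[^\|]+\|Illumio\|PCE\|")
_AUDIT_CAT_RE = re.compile(r"cat=[^ #]*audit_events")


def rsyslog_rules(ev: SyslogEvent):
    """Names of the rsyslog 'if ... then @@collector:514' rules that fire for ev."""
    hit = []
    leef = "LEEF:" in ev.msg and "|Illumio|PCE|" in ev.msg
    if ev.severity <= 6 and leef:
        if ev.syslogtag.startswith("illumio_pce/collector[") and "cat=flow_summary" in ev.msg:
            hit.append("flow")
        # Loose substring test: also fires on a flow event that merely mentions the string.
        if ev.syslogtag.startswith("illumio_pce/") and "audit_events" in ev.msg:
            hit.append("audit")
    return hit


def syslog_ng_rules(ev: SyslogEvent):
    """Names of the syslog-ng log paths (flow_events / audit_events) that fire for ev."""
    hit = []
    # level(info..emerg) is the same threshold as rsyslog's $syslogseverity <= 6.
    if ev.severity <= 6 and _LEEF_HDR_RE.search(ev.msg):
        if re.search(r"^illumio_pce/collector$", ev.program) and "cat=flow_summary" in ev.msg:
            hit.append("flow")
        if re.search(r"^illumio_pce/", ev.program) and _AUDIT_CAT_RE.search(ev.msg):
            hit.append("audit")
    return hit


def forward_plan(lines, engine):
    """Map each line to the rules that forward it; a line with two rules is sent twice."""
    rules = rsyslog_rules if engine == "rsyslog" else syslog_ng_rules
    plan = {}
    for line in lines:
        ev = parse_syslog(line)
        plan[line] = rules(ev) if ev else []
    return plan


# Constructed sample input (not captured from a real PCE). PRI 14 = user.info,
# 13 = user.notice, 15 = user.debug. LEEF attributes are space-separated here.
SAMPLE_LINES = [
    "<14>Jan  5 10:00:01 pce1 illumio_pce/collector[2211]: "
    "LEEF:2.0|Illumio|PCE|20.1|flow_summary|cat=flow_summary src=10.0.0.5 dst=10.0.0.9 dstPort=443 proto=6",
    "<13>Jan  5 10:00:02 pce1 illumio_pce/agent_service[3120]: "
    "LEEF:2.0|Illumio|PCE|20.1|user.login|cat=audit_events usrName=admin src=10.0.0.20",
    "<15>Jan  5 10:00:03 pce1 illumio_pce/collector[2211]: "
    "LEEF:2.0|Illumio|PCE|20.1|flow_summary|cat=flow_summary src=10.0.0.5 dst=10.0.0.9 dstPort=22 proto=6",
    "<14>Jan  5 10:00:04 pce1 sshd[900]: Accepted publickey for ops from 10.0.0.20 port 51000",
    "<14>Jan  5 10:00:05 pce1 illumio_pce/collector[2211]: "
    "LEEF:2.0|Illumio|PCE|20.1|flow_summary|cat=flow_summary src=10.0.0.5 dst=10.0.0.12 dstName=audit_events-archive",
]

if __name__ == "__main__":
    for engine in ("rsyslog", "syslog-ng"):
        print(f"== {engine} ==")
        for line, rules in forward_plan(SAMPLE_LINES, engine).items():
            print(f"{str(rules or ['-']):20} {line[:72]}")
```

Running it prints, per engine, the rules each sample line would hit: the info-level flow event and the notice-level audit event are forwarded by both daemons, the debug-level flow event and the sshd line by neither, and the last line (a flow event whose dstName contains "audit_events") is forwarded once by syslog-ng but twice by rsyslog. If duplicates like that matter in your environment, tighten the rsyslog audit rule to test for "cat=" followed by the audit category rather than the bare substring.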