To send Suricata events to IBM QRadar, you must configure a Syslog integration.
Before you begin
You must have access to the Suricata device and have the permissions to write to configuration files and to restart services. You need a username and password, such as Windows or Linux® login information, for the system where you installed Suricata.
Ensure that rsyslog is installed on the system where you installed Suricata. For more information, see the rsyslog website (https://www.rsyslog.com).
Procedure
- Log in to the Suricata device.
- Open the Suricata configuration file, suricata.yaml, in the Suricata installation directory, and update the eve-log entry under the outputs header. Use the following example as a guide:
outputs:
  - eve-log:
      enabled: yes
      filetype: syslog
      identity: "suricata"
      facility: <facility>
      types:
        - alert:
The <facility> variable is a Syslog facility name between local0 and local7, such as local5.
- Open the rsyslog configuration file, /etc/rsyslog.conf, and add a forwarding rule to send the alerts to QRadar. Use the following example as a guide:
<facility>.* @@<QRadar IP/hostname>:514
The <facility> variable is the same Syslog facility that you configured in the previous step. The <QRadar IP/hostname> is the IP address or hostname of the QRadar Console or managed host that you want to forward Suricata alerts to.
- Restart the Suricata and rsyslog services.
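The following shell script is an added example, not part of the IBM procedure: it checks that the facility set under eve-log in suricata.yaml is one of local0 to local7 and that /etc/rsyslog.conf contains a TCP (@@) forwarding rule for that same facility, which is the mismatch that most often leaves QRadar without alerts. The sample file contents and the hostname qradar.example.internal are constructed placeholders.

```sh
# Added example, not from the IBM page: confirm that the facility Suricata
# writes eve-log alerts to is the one rsyslog forwards to QRadar over TCP.

# Print the facility configured under the eve-log output in suricata.yaml.
suricata_facility() {
    awk '/-[[:space:]]*eve-log:/ { f = 1 }
         f && /^[[:space:]]*facility:/ { sub(/.*facility:[[:space:]]*/, ""); gsub(/"/, ""); print; exit }' "$1"
}

# Syslog facilities reserved for local use are local0 through local7.
valid_facility() {
    case "$1" in local[0-7]) return 0 ;; *) return 1 ;; esac
}

# Print "<host>:<port>" of the first TCP (@@) rule for FACILITY.*; a single "@" is UDP and is not matched.
rsyslog_destination() {
    dest=$(grep -E "^[[:space:]]*$2\.\*[[:space:]]+@@[^[:space:]]+" "$1" \
           | sed -E 's/^.*@@//' | head -n 1)
    [ -n "$dest" ] || return 1
    printf '%s\n' "$dest"
}

# check_forwarding SURICATA_YAML RSYSLOG_CONF: succeed only when both files agree.
check_forwarding() {
    fac=$(suricata_facility "$1")
    [ -n "$fac" ] || { echo "no facility under eve-log in $1" >&2; return 1; }
    valid_facility "$fac" || { echo "facility '$fac' is not local0..local7" >&2; return 1; }
    dest=$(rsyslog_destination "$2" "$fac") \
        || { echo "no TCP rule '$fac.* @@...' in $2" >&2; return 1; }
    printf '%s -> %s\n' "$fac" "$dest"
}

# Constructed sample files (placeholder hostname), written to a temp dir.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/suricata.yaml" <<'EOF'
outputs:
  - eve-log:
      enabled: yes
      filetype: syslog
      identity: "suricata"
      facility: local5
      types:
        - alert:
EOF
printf '%s\n' 'local5.* @@qradar.example.internal:514' > "$SAMPLE_DIR/rsyslog.conf"
printf '%s\n' 'local3.* @@qradar.example.internal:514' > "$SAMPLE_DIR/rsyslog-mismatch.conf"

check_forwarding "$SAMPLE_DIR/suricata.yaml" "$SAMPLE_DIR/rsyslog.conf"
```

Run it against the real /etc/suricata/suricata.yaml and /etc/rsyslog.conf paths on the sensor to verify the two steps above before restarting the services.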