Configuring Suricata to communicate with QRadar

To send events to IBM QRadar, you must configure a Syslog integration.

Before you begin

You must have access to the Suricata device and have the permissions to write to configuration files and to restart services. You need a username and password, such as Windows or Linux® login information, for the system where you installed Suricata.

Ensure that rsyslog is installed on the system where you installed Suricata. For more information, see the rsyslog website (https://www.rsyslog.com).

Procedure

  1. Log in to the Suricata device.
  2. Open the Suricata configuration file called suricata.yaml, located in the Suricata installation directory. Update the eve-log entry under the outputs header.
    Use the following example as a guide:
    outputs:
      - eve-log:
          enabled: yes
          filetype: syslog
          identity: "suricata"
          facility: <facility>
          types:
            - alert:

    The <facility> variable is a Syslog facility name between local0 and local7, such as local5.
  3. Open the rsyslog configuration file called /etc/rsyslog.conf and add a forwarding rule to send the alerts to QRadar.
    Use the following example as a guide:

    <facility>.* @@<QRadar IP/hostname>:514

    The <facility> variable is the same Syslog facility that you configured in the previous step. The <QRadar IP/hostname> is the IP or hostname of the QRadar Console or managed host that you want to forward Suricata alerts to.

  4. Restart the Suricata and rsyslog services.
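The two files edited above have to agree: Suricata stamps every EVE record with the identity and facility from suricata.yaml (at Info severity unless its level option is changed), and rsyslog only forwards lines whose facility matches the rule (the @@ prefix selects TCP to port 514). The following Python script is an added example and is not part of the IBM documentation or the Suricata project. It reconstructs what a forwarded line looks like in rsyslog's default RFC 3164 format and audits constructed sample lines against the expected facility and identity, which is a quick way to see why alerts never reach the QRadar log source. The hostnames, timestamps, signature id and log lines are made up for the example.

```python
import json
import re

# Syslog facility and severity codes (RFC 5424 section 6.2.1). Suricata's
# "facility:" option takes the local0..local7 names used in the procedure.
FACILITY_CODES = {f"local{i}": 16 + i for i in range(8)}
SEVERITY_CODES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                  "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Shape of a line as rsyslog's default TCP forwarding template writes it:
#   <PRI>Mmm dd HH:MM:SS hostname tag[pid]: message
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s?"
    r"(?P<msg>.*)$"
)

# Constructed sample lines. PRI 174 = local5 (21) * 8 + info (6).
SAMPLE_LINES = [
    # well-formed alert from the identity/facility configured on the page
    '<174>Mar  4 10:15:02 sensor1 suricata[2231]: {"timestamp":"2024-03-04T10:15:02.113211+0000",'
    '"event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.9","dest_port":22,'
    '"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,'
    '"signature":"CONSTRUCTED TEST alert","category":"Test","severity":3}}',
    # PRI 158 = local3: suricata.yaml and rsyslog.conf disagree, so local5.* never forwards it
    '<158>Mar  4 10:15:03 sensor1 suricata[2231]: {"timestamp":"2024-03-04T10:15:03.000000+0000","event_type":"alert"}',
    # another daemon on local5 is forwarded by the same rule but is not EVE JSON
    '<174>Mar  4 10:15:04 sensor1 cron[400]: (root) CMD (run-parts /etc/cron.hourly)',
]


def pri_value(facility: str, severity: str = "info") -> int:
    """PRI that syslog prepends to a message: facility * 8 + severity."""
    return FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]


def parse_line(line: str) -> dict:
    """Split a forwarded syslog line into header fields and the raw message."""
    m = _RFC3164.match(line)
    if m is None:
        raise ValueError("line is not RFC 3164 syslog")
    facility_code, severity_code = divmod(int(m.group("pri")), 8)
    facility = next((n for n, c in FACILITY_CODES.items() if c == facility_code), None)
    return {
        "facility": facility,        # None when PRI is outside local0..local7
        "severity": severity_code,
        "host": m.group("host"),
        "identity": m.group("tag"),  # the eve-log "identity" value
        "msg": m.group("msg"),
    }


def audit_line(line: str, expected_facility: str, expected_identity: str = "suricata") -> list:
    """Return the reasons a line would not reach the Suricata log source (empty list = fine)."""
    problems = []
    try:
        hdr = parse_line(line)
    except ValueError as e:
        return [str(e)]
    if hdr["facility"] != expected_facility:
        problems.append(f"facility is {hdr['facility']}, rsyslog rule matches {expected_facility}.*")
    if hdr["identity"] != expected_identity:
        problems.append(f"identity is {hdr['identity']!r}, expected {expected_identity!r}")
    try:
        event = json.loads(hdr["msg"])
    except json.JSONDecodeError:
        return problems + ["payload is not EVE JSON (truncated, or from another daemon?)"]
    if event.get("event_type") != "alert":
        problems.append(f"event_type is {event.get('event_type')!r}; only alert is enabled under types")
    return problems


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        problems = audit_line(line, "local5")
        print("OK " if not problems else "BAD", line[:48], problems)
```

Run it against a capture of what actually arrives at the QRadar side (for example lines written by a temporary rsyslog file action, or a packet capture of port 514) and the facility and identity mismatches above are the two configuration errors that most often explain a silent log source; a non-JSON payload usually means a message was truncated in transit or another service shares the facility.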

What to do next

Syslog log source parameters for Suricata