Configuring Centrify Infrastructure Services on a UNIX or Linux device to communicate with QRadar
You can configure your UNIX or Linux® device to send audit events to IBM® QRadar®. The audit events are available locally in the syslog event logs where the Centrify Infrastructure Services is installed and configured.
- Log in to your Centrify Infrastructure Services device.
Ensure that syslog or rsyslog is installed:
- To verify that syslog is installed, type service syslog status.
- To verify that rsyslog is installed, type service rsyslog status.
On systemd-based distributions, where the service command might not be present, type systemctl status rsyslog instead.
If neither syslog nor rsyslog is installed, install one by using your preferred method for your UNIX or Linux device. For example, on a Linux device that uses yum, type the following command to install rsyslog:
yum install rsyslog
To forward events to your QRadar Event Collector, open the rsyslog.conf file or the syslog.conf file in the /etc directory and add the following line. The filter matches messages whose text contains the string AUDIT_TRAIL; the double @@ sends them to the collector over TCP, whereas a single @ would send them over UDP:
:msg, contains, "AUDIT_TRAIL" @@<QRadar Event Collector IP>:514
Example:
:msg, contains, "AUDIT_TRAIL" @@127.0.0.1:514
Note: The :msg, contains filter is rsyslog property-based filter syntax; confirm that your syslog daemon understands it before you rely on the line. Syslog sent to TCP port 514 is in clear text, so forward it only over a network path that you trust.
Restart the syslog or rsyslog service so that the new line takes effect:
- If you are using syslog, type service syslog restart.
- If you are using rsyslog, type service rsyslog restart.
Note: The Centrify Linux agent might forward some Linux system messages together with the Audit Trail logs. If QRadar finds no specific category for those messages, the Linux OS log source type in QRadar discovers them and normalizes them as stored events.
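The procedure above carried out as a shell script, added here as an example and not tooling from Centrify or IBM. It assumes rsyslog (the :msg, contains property filter is rsyslog syntax), that /etc/rsyslog.conf includes /etc/rsyslog.d/*.conf so a drop-in file is picked up, and that rsyslogd -N1 is available to syntax-check the configuration before the daemon is restarted. The drop-in path, the function names, and the sample collector address 192.0.2.10 are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the Centrify or IBM documentation): build the
# rsyslog rule that forwards Centrify AUDIT_TRAIL events to a QRadar Event
# Collector, write it to a drop-in file, validate the configuration, and
# restart the daemon only if validation passes.
# Assumptions: rsyslog is the syslog daemon, /etc/rsyslog.conf includes
# /etc/rsyslog.d/*.conf, and rsyslogd supports -N1 for a config check.

# Print the forwarding rule. Double @@ selects TCP, single @ selects UDP.
# Usage: centrify_qradar_rule COLLECTOR [PORT] [tcp|udp]
centrify_qradar_rule() {
    collector="$1"
    port="${2:-514}"
    proto="${3:-tcp}"
    case "$proto" in
        tcp) prefix='@@' ;;
        udp) prefix='@' ;;
        *)   echo "unknown protocol: $proto" >&2; return 1 ;;
    esac
    printf ':msg, contains, "AUDIT_TRAIL" %s%s:%s\n' "$prefix" "$collector" "$port"
}

# Shape check on the collector address so that a typo (or a shell
# metacharacter) never lands in the daemon's configuration. Accepts a
# dotted-quad IPv4 address or a hostname of letters, digits, dots and
# hyphens; it does not resolve the name or range-check the octets.
valid_collector() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' && return 0
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
}

# Write the rule to its own drop-in so /etc/rsyslog.conf stays untouched.
# Usage: write_centrify_qradar_conf COLLECTOR CONF_PATH [PORT] [tcp|udp]
write_centrify_qradar_conf() {
    collector="$1"
    conf="$2"
    port="${3:-514}"
    proto="${4:-tcp}"
    valid_collector "$collector" || { echo "bad collector address: $collector" >&2; return 1; }
    {
        echo '# Forward Centrify Infrastructure Services audit trail to QRadar'
        centrify_qradar_rule "$collector" "$port" "$proto"
    } > "$conf"
}

# Syntax-check the complete rsyslog configuration (rsyslogd -N1 loads
# /etc/rsyslog.conf and everything it includes). Returns 2 when rsyslogd is
# not on the PATH, so a caller can tell "not checked" from "invalid".
validate_rsyslog_conf() {
    command -v rsyslogd >/dev/null 2>&1 || return 2
    rsyslogd -N1 >/dev/null 2>&1
}

# Restart rsyslog with systemctl where it exists, otherwise with service.
restart_syslog_daemon() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart rsyslog
    else
        service rsyslog restart
    fi
}

# End-to-end run (needs root): sh centrify-qradar.sh --apply 192.0.2.10 [PORT]
if [ "${1:-}" = "--apply" ]; then
    [ -n "${2:-}" ] || { echo "usage: $0 --apply COLLECTOR [PORT]" >&2; exit 1; }
    write_centrify_qradar_conf "$2" /etc/rsyslog.d/centrify-qradar.conf "${3:-514}" tcp || exit 1
    validate_rsyslog_conf
    case $? in
        0) restart_syslog_daemon ;;
        2) echo "rsyslogd not found; configuration not checked or reloaded" >&2; exit 2 ;;
        *) echo "rsyslog configuration failed validation; not restarting" >&2; exit 1 ;;
    esac
fi
```

Validating before restarting matters because a malformed rsyslog.conf can stop the daemon from coming back up, which would silently halt all syslog forwarding, not just the Centrify audit trail. The drop-in approach also makes the change easy to revert: delete the file and restart.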