Configuring rsyslog on your Linux system
Before you can add a log source in QRadar®, you need to configure rsyslog on your Linux® system.
Before you begin
Rsyslog must be installed on your Linux system. For more information, go to the rsyslog website (https://www.rsyslog.com).
- On your Linux system, open the /etc/rsyslog.conf file and add the following entry at the end of the file:
where <QRadar_IP_address> is the IP address of the QRadar Event Collector that you want to send events to.
- rsyslog must be able to send events on a non-standard TCP port: this log source uses TCP port 12468 rather than the default syslog port 514. If SELinux is in enforcing mode, it can block rsyslog from connecting to TCP port 12468 because that port is not labeled as a syslog port (syslogd_port_t); label the port with semanage before you test the connection. For more information, see Configuring rsyslog on a logging server (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/s1-configuring_rsyslog_on_a_logging_server).
- Restart the rsyslog service.
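The following script is an added example that is not part of the IBM page or of the QRadar product: it builds a TCP forwarding action for rsyslog, checks whether SELinux already labels the target port as syslogd_port_t by parsing `semanage port -l` output (a constructed sample is embedded so the check runs offline), and, when run live as root, writes a drop-in file, labels the port, restarts rsyslog and sends a test event. The `*.*` selector, the /etc/rsyslog.d/qradar.conf file name and the 10.0.0.5 address are assumptions; the page's own configuration entry is not reproduced here.

```shell
#!/bin/sh
# Added example (not from the IBM page): forward rsyslog to a QRadar Event
# Collector over TCP and make sure SELinux lets rsyslog reach the port.
# Assumptions: selector "*.*", drop-in /etc/rsyslog.d/qradar.conf, port 12468.

# Build the rsyslog forwarding action. "@@host:port" means TCP; a single "@"
# would be UDP, which is why the SELinux port label matters for TCP here.
rsyslog_forward_line() {
    # $1 = QRadar Event Collector IP address, $2 = TCP port
    printf '*.* @@%s:%s\n' "$1" "$2"
}

# Return 0 if the `semanage port -l` listing passed as $2 labels TCP port $1
# as syslogd_port_t (either as a single port or inside a low-high range).
# The listing is a parameter so the function can be checked offline.
selinux_port_labeled() {
    port="$1"
    listing="$2"
    printf '%s\n' "$listing" | awk -v p="$port" '
        $1 == "syslogd_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                gsub(",", "", $i)          # entries are comma separated
                if ($i == p) found = 1
                else if (index($i, "-")) { # range such as 10514-10520
                    split($i, r, "-")
                    if (p >= r[1] + 0 && p <= r[2] + 0) found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of `semanage port -l` output on a default RHEL 7 host:
# TCP 12468 is not labeled, so rsyslog in enforcing mode cannot connect to it.
SAMPLE_SEMANAGE='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
syslogd_port_t                 tcp      601, 20514
syslogd_port_t                 udp      514, 601, 20514'

# Same listing after `semanage port -a -t syslogd_port_t -p tcp 12468`.
SAMPLE_SEMANAGE_LABELED='syslogd_port_t                 tcp      601, 12468, 20514
syslogd_port_t                 udp      514, 601, 20514'

# Live procedure: needs root, rsyslog, and semanage (policycoreutils-python).
# Usage: RUN_LIVE=1 sh forward_to_qradar.sh <QRadar_IP_address> [port]
configure_forwarding() {
    qradar_ip="$1"
    port="${2:-12468}"
    # Assumed drop-in; the stock /etc/rsyslog.conf includes /etc/rsyslog.d/*.conf.
    rsyslog_forward_line "$qradar_ip" "$port" > /etc/rsyslog.d/qradar.conf
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != "Disabled" ]; then
        if ! selinux_port_labeled "$port" "$(semanage port -l)"; then
            semanage port -a -t syslogd_port_t -p tcp "$port"
        fi
    fi
    systemctl restart rsyslog
    # Emit a test event; it should appear in the QRadar Log Activity tab.
    logger -t rsyslog-check "test event for QRadar on $qradar_ip:$port"
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
    configure_forwarding "$1" "${2:-12468}"
fi
```

Without RUN_LIVE=1 the script only defines the helpers, so it can be sourced and tested on a workstation; with it, the SELinux check runs against the real `semanage port -l` output and only adds the label when it is missing, which keeps the script safe to re-run. If SELinux still denies the connection after labeling, `ausearch -m avc -c rsyslogd` shows the AVC record to work from.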
Configure osquery on your Linux system. For more information, see Configuring osquery on your Linux system.