Before you can add a log source in QRadar®, you must configure osquery
on your Linux device.
Before you begin
Osquery V3.3.2 must be installed and running on your Linux system. For more
information about installing osquery for Linux, see Downloading and
Installing Osquery (https://osquery.io/downloads/official/3.3.2).
Procedure
- Download the qradar.pack.conf file from IBM Fix Central
  (https://www.ibm.com/support/fixcentral).
- Copy the qradar.pack.conf file to your osquery host. For example,
  <location_of_pack_file>/qradar.pack.conf
- Edit the osquery.conf file. The default file location is
  /etc/osquery/osquery.conf.
- Ensure that the following options are included in the osquery.conf file:
  "disable_logging": "false"
  "disable_events": "false"
  "logger_plugin": "filesystem,syslog"
- Add the qradar.pack.conf file to the "packs" section of the osquery.conf file:
  "qradar": "/<path_to_packs>/qradar.pack.conf"
Example <osquery>.conf file:
  {
    // Configure the daemon below:
    "options": {
      "disable_logging": "false",
      "disable_events": "false",
      "logger_plugin": "filesystem,syslog",
      "utc": "true"
    },
    "packs": {
      "qradar": "<location_of_pack_file>/qradar.pack.conf"
    }
  }
Note: The qradar.pack.conf file contains a "file_paths" section that defines the
default file integrity monitoring for the QRadar pack. "file_paths" entries that
are defined in your own <osquery>.conf file take precedence over those in the
qradar.pack.conf file.
- Restart the osquery daemon.
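A pre-restart check for the settings this procedure requires, added here as an example that is not IBM's or the osquery project's own code: it strips the // comments that osquery accepts in its config, verifies the two options, both logger plugins and the qradar pack entry, and flags a "file_paths" section in osquery.conf because, as the note above explains, it would override the pack's file integrity monitoring. The embedded sample config is constructed, and its pack path /etc/osquery/packs/qradar.pack.conf is an assumption.

```python
import json

# Settings the procedure above requires in osquery.conf (from the page).
REQUIRED_OPTIONS = {"disable_logging": "false", "disable_events": "false"}
REQUIRED_LOGGERS = {"filesystem", "syslog"}

def strip_line_comments(text):
    """Drop // comments outside JSON strings; osquery's example config uses them."""
    out, in_str, i = [], False, 0
    while i < len(text):
        ch = text[i]
        if in_str:
            out.append(ch)
            if ch == "\\":  # copy the escaped character verbatim
                i += 1
                out.append(text[i])
            elif ch == '"':
                in_str = False
        elif text.startswith("//", i):  # comment runs to end of line
            nl = text.find("\n", i)
            i = len(text) if nl < 0 else nl
            continue
        else:
            in_str = ch == '"'  # an unescaped quote opens a string
            out.append(ch)
        i += 1
    return "".join(out)

def check_qradar_config(text):
    """Return problems found; an empty list means the config matches the procedure."""
    cfg = json.loads(strip_line_comments(text))
    opts, problems = cfg.get("options", {}), []
    for key, want in REQUIRED_OPTIONS.items():
        if str(opts.get(key, "")).lower() != want:
            problems.append(f'options.{key} must be "{want}"')
    loggers = {p.strip() for p in str(opts.get("logger_plugin", "")).split(",")}
    for missing in sorted(REQUIRED_LOGGERS - loggers):
        problems.append(f"logger_plugin is missing {missing}")
    if not str(cfg.get("packs", {}).get("qradar", "")).endswith("qradar.pack.conf"):
        problems.append("packs.qradar must reference qradar.pack.conf")
    if "file_paths" in cfg:  # the page's note: these override the pack's own file_paths
        problems.append("file_paths in osquery.conf overrides the QRadar pack's monitoring")
    return problems

# Constructed sample in the shape of the page's example; the pack path is an assumption.
SAMPLE_CONF = """{ // Configure the daemon below:
  "options": { "disable_logging": "false", "disable_events" : "false",
               "logger_plugin": "filesystem,syslog", "utc": "true" },
  "packs": { "qradar": "/etc/osquery/packs/qradar.pack.conf" } }"""
```

Run check_qradar_config on the contents of /etc/osquery/osquery.conf before restarting the daemon; an empty list means the file matches the steps above.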
What to do next
To get the parameter values that you need to add a log source in QRadar, see osquery log source parameters.