osquery log source parameters
When you add an osquery log source on the QRadar® Console by using the TCP multiline syslog protocol, there are specific parameters you must use.
Note: You might need to restart rsyslog after you add the log source in QRadar.
The following table describes the parameters that require specific values to collect TCP
multiline syslog events from osquery:
| Parameter | Value |
|---|---|
| Log Source type | osquery |
| Protocol Configuration | TCP Multiline Syslog |
| Log Source Identifier | osquery |
| Listen Port | 12468 |
| Aggregation Method | Id-Linked |
| Message ID Pattern | "Unique_ID":\"(.*?)" |
| Event Formatter | No Formatting |
| Show Advanced Options | Yes |
| Use As A Gateway Log Source | Select this option. When selected, events that flow through the log source can be routed to other log sources based on the source name tagged on the events. |
| Retain Entire Lines During Event Aggregation | Select this option. When this option is selected, you can either discard or keep the part of the events that come before Message IDPattern when you concatenate events with the same ID pattern together. |
| Time Limit | 5 |
| Enabled | Select this option to enable the log source. |
For a complete list of TCP multiline syslog protocol parameters and their values, see TCP Multiline Syslog protocol configuration options.