You can configure syslog on a ProFTPd device:
- Open the /etc/proftpd.conf file.
- Below the LogFormat directives, add the following line:
Where <facility> is one of the following options: AUTH (or AUTHPRIV), CRON, DAEMON, KERN, LPR, MAIL, NEWS, USER, UUCP, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, or LOCAL7.
- Save the file and exit.
- Add the following line at the end of the file:
<facility> @<QRadar host>
<facility> matches the facility that is chosen in Configuring ProFTPd. The facility must be typed in lowercase.
<QRadar host> is the IP address of your QRadar® Console or Event Collector.
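Before the restart step, the facility match described above can be checked with a short script. This is an added example, not part of the original procedure. It assumes ProFTPD's `SyslogFacility` directive (not shown on this page) and a classic syslog selector of the form `facility.priority @host`; the function names and sample file contents are constructed for illustration.

```python
# Facility names the page lists for the ProFTPd side.
FACILITIES = {"AUTH", "AUTHPRIV", "CRON", "DAEMON", "KERN", "LPR", "MAIL",
              "NEWS", "USER", "UUCP"} | {f"LOCAL{i}" for i in range(8)}

def proftpd_facility(conf_text):
    """Return the facility from the last SyslogFacility directive, or None."""
    found = None
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].lower() == "syslogfacility":
            found = parts[1]
    return found

def forwarded(syslog_text):
    """Map each facility used in a remote ('@host') rule to its destination."""
    rules = {}
    for line in syslog_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[1].startswith("@"):
            for selector in parts[0].split(";"):
                for fac in selector.split(".", 1)[0].split(","):
                    rules[fac] = parts[1].lstrip("@")
    return rules

def check(proftpd_text, syslog_text, qradar_host):
    """Return a list of problems; an empty list means the two files agree."""
    fac = proftpd_facility(proftpd_text)
    if fac is None:
        return ["no SyslogFacility directive in the ProFTPd configuration"]
    problems = [] if fac.upper() in FACILITIES else [f"unknown facility {fac!r}"]
    rules = forwarded(syslog_text)
    want = fac.lower()
    if want in rules:
        if rules[want] != qradar_host:
            problems.append(f"{want} is forwarded to {rules[want]}, not {qradar_host}")
    elif any(f.lower() == want for f in rules):
        problems.append(f"facility {want!r} must be typed in lowercase in the syslog rule")
    else:
        problems.append(f"no forwarding rule for {want!r}")
    return problems

# Constructed sample contents (not from the page); 192.0.2.10 is a documentation address.
PROFTPD_CONF = 'LogFormat default "%h %l %u %t %s %b"\nSyslogFacility LOCAL3\n'
SYSLOG_OK = "local3.info @192.0.2.10\n"
SYSLOG_BAD = "LOCAL3.info @192.0.2.10\n"

if __name__ == "__main__":
    print(check(PROFTPD_CONF, SYSLOG_OK, "192.0.2.10"))
    print(check(PROFTPD_CONF, SYSLOG_BAD, "192.0.2.10"))
```

An empty list means events logged by ProFTPd under the chosen facility have a matching forwarding rule to the QRadar host; any other result names the mismatch to fix before restarting.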
- Restart syslog and ProFTPd: