This section describes the steps to configure syslog-ng in non-encrypted mode and syslogd to forward syslog messages to IBM® QRadar®.
About this task
If you are using encrypted syslog-ng, refer to your Extreme documentation.
Do not run both syslog-ng and syslogd at the same time.
To configure syslog-ng in non-encrypted mode:
Procedure
- On your EMS system, open the following file:
  /opt/syslog-ng/etc/syslog-ng.conf
- Configure a Facility filter for the Syslog notification rule.
  For example, if you selected facility local1:
  filter filt_facility_local1 {facility(local1); };
- Configure a Level filter for the Syslog notification rule.
  For example, if you selected level notice:
  filter filt_level_notice {level(notice); };
- Configure a destination statement for QRadar.
  For example, if the IP address of QRadar is 192.0.2.1 and you want to use syslog port 514, type:
  destination siem { tcp("192.0.2.1" port(514)); };
- Add a log statement for the notification rule:
  log { source(s_local); filter (filt_facility_local1); filter (filt_level_notice); destination(siem); };
- Save the file and restart syslog-ng:
  cd /etc/rc.d
  ./rc.syslog-ng stop
  ./rc.syslog-ng start
- The Extreme Dragon EMS configuration is complete.
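As an added check that is not part of the IBM or Extreme documentation, the following Python renders the filter, destination and log statements from the steps above for chosen values and then flags any filter or destination name that a log statement references but the file never defines (a typo there silently drops the rule, and syslog-ng -s would also reject it). The facility and level name sets, the function names and the sample values are assumptions for this example.

```python
import ipaddress
import re

# Assumed sets of standard syslog facility and severity names accepted by syslog-ng.
FACILITIES = {"kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"} | {f"local{i}" for i in range(8)}
LEVELS = {"emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"}


def render_fragment(facility, level, qradar_ip, port=514, source="s_local"):
    """Build the syslog-ng statements for one Dragon EMS notification rule."""
    if facility not in FACILITIES:
        raise ValueError(f"unknown facility: {facility}")
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level}")
    ipaddress.ip_address(qradar_ip)          # raises ValueError on a malformed address
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    f_fac, f_lvl = f"filt_facility_{facility}", f"filt_level_{level}"
    return "\n".join([
        f"filter {f_fac} {{ facility({facility}); }};",
        f"filter {f_lvl} {{ level({level}); }};",
        # Plain TCP, as in the non-encrypted procedure; keep the path to QRadar on a trusted network.
        f'destination siem {{ tcp("{qradar_ip}" port({port})); }};',
        f"log {{ source({source}); filter({f_fac}); filter({f_lvl}); destination(siem); }};",
    ])


def undefined_references(conf_text):
    """Names used by log {} statements that no filter/destination statement defines.

    Source names are not checked because sources such as s_local usually live
    in the base configuration rather than in the rule fragment.
    """
    defined = set(re.findall(r"^\s*(?:filter|destination)\s+(\w+)", conf_text, re.M))
    referenced = set()
    for body in re.findall(r"log\s*\{(.*?)\};", conf_text, re.S):
        referenced.update(re.findall(r"(?:filter|destination)\s*\(\s*(\w+)\s*\)", body))
    return sorted(referenced - defined)


if __name__ == "__main__":
    # Constructed sample values matching the procedure above.
    fragment = render_fragment("local1", "notice", "192.0.2.1")
    print(fragment)
    print("undefined references:", undefined_references(fragment))
```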