Configuring syslog to collect Samhain events

Before you configure IBM QRadar to integrate with Samhain HIDS using syslog, you must configure the Samhain HIDS system to forward logs to your QRadar system.

About this task

The following procedure is based on the default samhainrc file. If the samhainrc file has been modified, some values might differ, such as the syslog facility.

Procedure

  1. Log in to Samhain HIDS from the command-line interface.
  2. Open the following file:

    /etc/samhainrc

  3. Remove the comment marker (#) from the following line:

    SetLogServer=info

  4. Save and exit the file.

    Alerts are sent to the local system by using syslog.

  5. Open the following file:

    /etc/syslog.conf

  6. Add the following line:

    local2.* @<IP Address>

    Where <IP Address> is the IP address of your QRadar.

  7. Save and exit the file.
  8. Restart syslog:

    /etc/init.d/syslog restart

    Samhain sends logs by using syslog to QRadar.
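The two file edits in steps 2 through 6 are easy to get slightly wrong on a production host (a stray second forwarding line, or the directive still commented out), so the following added example, which is not part of the IBM documentation or the Samhain project, applies both edits to copies of the files and checks the result before anything under /etc is touched. File paths and the QRadar address are parameters; the sample file contents are constructed to mirror the lines the procedure refers to.

```shell
#!/bin/sh
# Added example (not IBM's or Samhain's code): apply the samhainrc and
# syslog.conf changes from the procedure above in an idempotent, checkable way.

# Remove the leading comment marker from the SetLogServer=info directive.
# Running it twice is safe: an already-uncommented line is left unchanged.
# Returns 0 when the directive is active afterwards, 1 otherwise.
enable_samhain_syslog() {
    conf="$1"
    sed 's/^[[:space:]]*#[[:space:]]*\(SetLogServer=info\)/\1/' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
    grep -q '^SetLogServer=info' "$conf"
}

# Append "local2.* @<IP Address>" unless an identical rule already exists,
# so repeated runs never produce duplicate forwarding lines.
# Returns 0 when exactly one copy of the rule is present afterwards.
add_syslog_forward() {
    conf="$1"
    qradar="$2"
    rule="local2.* @$qradar"
    grep -qF "$rule" "$conf" || printf '%s\n' "$rule" >> "$conf"
    [ "$(grep -cF "$rule" "$conf")" = 1 ]
}

# Dry run on constructed copies of the two files (sample content, not the
# real defaults). Usage: demo <qradar-ip>
demo() {
    qradar="${1:-192.0.2.10}"          # 192.0.2.10 is a documentation address
    work=$(mktemp -d)
    printf '[Log]\n# SetLogServer=info\n' > "$work/samhainrc"
    printf '*.info;mail.none /var/log/messages\n' > "$work/syslog.conf"

    enable_samhain_syslog "$work/samhainrc"   || { echo "samhainrc edit failed"; return 1; }
    add_syslog_forward "$work/syslog.conf" "$qradar" || { echo "syslog.conf edit failed"; return 1; }

    echo "--- samhainrc ---";   cat "$work/samhainrc"
    echo "--- syslog.conf ---"; cat "$work/syslog.conf"
    rm -rf "$work"
}

demo "$@"
```

The `@<IP Address>` form in syslog.conf forwards over UDP, so a dropped packet is silently lost; after restarting syslog, confirm end to end by generating a test message with `logger -p local2.info "samhain forwarding test"` and looking for it in the QRadar Log Activity tab. If samhainrc sets a different `SyslogFacility`, the selector in the forwarding rule must name that facility instead of local2.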

    You are now ready to configure Samhain HIDS DSM in QRadar. To configure QRadar to receive events from Samhain:

  9. From the Log Source Type list, select the Samhain HIDS option.