Configuring Linux OS to send audit logs

Configure Linux® OS to send audit logs to the QRadar® product.

About this task

This task applies to Red Hat® Enterprise Linux V6 to V8 operating systems.

If you use a SUSE, Debian, or Ubuntu operating system, see your vendor documentation for specific steps for your operating system.


  1. Log in to your Linux OS device, as a root user.
  2. Type the following commands:

    yum install audit

    service auditd start

    chkconfig auditd on

  3. Open the /etc/audisp/plugins.d/syslog.conf file and verify that the parameters match the following values:

    active = yes

    direction = out

    path = builtin_syslog

    type = builtin

    args = LOG_LOCAL6

    format = string

  4. Open the /etc/rsyslog.conf file and add the following line at the end of the file:
    local6.* @@<QNGLM_Collector_IP_address>
  5. Type the following commands:

    service auditd restart

    service syslog restart

  6. Log in to the QRadar product.
  7. Add a Linux OS data source in the QRadar product.

What to do next

For more information about adding a data source, see Adding ingestion data sources.