Configuring syslog-ng on Linux OS

If you are using syslog on a UNIX host to forward events, upgrade the standard syslog daemon to syslog-ng, which is a more recent implementation.

Procedure

  1. Log in to your Linux® OS device as the root user.
  2. Open the /etc/syslog-ng/syslog-ng.conf file and add the following facility information. Replace <qradar_ip_address> with the IP address of the QRadar® product.
    source qr_source {
        internal();
        system();
    };
    filter qr_filter {
        facility(auth, authpriv);
    };
    destination qr_destination {
        tcp("<qradar_ip_address>" port(514));
    };
    log {
        source(qr_source);
        filter(qr_filter);
        destination(qr_destination);
    };
  3. Save the file.
  4. Restart syslog-ng by typing the following command:
    service syslog-ng restart
  5. Log in to the QRadar product.
  6. Add a Linux OS data source in the QRadar product.

    For more information about syslog-ng, see the Linux documentation (https://www.linux.com/what-is-linux/).
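As an added example that is not part of the IBM procedure above, the following POSIX shell functions render the same auth/authpriv forwarding fragment for a given QRadar address, reject a malformed IPv4 address before it is written into the configuration, run syslog-ng's own syntax check when the daemon is installed, and emit one authpriv test event that you can then search for in QRadar. The function names, the output-path argument and the `qradar-test` tag are my own choices, not from the page.

```shell
# Added example: helpers for the syslog-ng -> QRadar forwarding setup.
# Functions only; call them as shown in the comments at the bottom.
set -eu

# is_ipv4 ADDR: return 0 if ADDR is a dotted quad with every octet in 0..255.
is_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit, leading/trailing/double dot
    esac
    oldifs=$IFS
    IFS=.
    set -- $1                                # split on dots into positional params
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# render_qradar_conf ADDR FILE: write the forwarding fragment for QRadar at ADDR
# to FILE (for example a file under /etc/syslog-ng/ that the main config includes).
render_qradar_conf() {
    ip=$1
    out=$2
    is_ipv4 "$ip" || { echo "refusing to render: '$ip' is not an IPv4 address" >&2; return 1; }
    cat > "$out" <<EOF
source qr_source {
    internal();
    system();
};
filter qr_filter {
    facility(auth, authpriv);
};
destination qr_destination {
    tcp("$ip" port(514));
};
log {
    source(qr_source);
    filter(qr_filter);
    destination(qr_destination);
};
EOF
}

# check_syntax FILE: validate FILE with syslog-ng's parser when it is installed;
# on a workstation without syslog-ng, report that the check was skipped.
check_syntax() {
    if command -v syslog-ng >/dev/null 2>&1; then
        syslog-ng --syntax-only -f "$1" && echo "syntax ok: $1"
    else
        echo "syntax check skipped (syslog-ng not installed)"
    fi
}

# send_test_event: log one authpriv message through the local syslog socket.
# After restarting syslog-ng, search QRadar's Log Activity for the tag.
send_test_event() {
    logger -p authpriv.notice -t qradar-test "syslog-ng forwarding test from $(uname -n)"
}

# Typical use as root, with 192.0.2.10 standing in for <qradar_ip_address>:
#   render_qradar_conf 192.0.2.10 /etc/syslog-ng/qradar.conf
#   check_syntax /etc/syslog-ng/qradar.conf
#   service syslog-ng restart
#   send_test_event
```

Two points worth knowing when adapting this: the `tcp()` destination driver from the page still works but is the legacy spelling, and current syslog-ng releases express the same destination as `network("ADDR" port(514) transport("tcp"))`; and because port 514/TCP carries the events in cleartext, the `network()` driver's `transport("tls")` option is the way to protect authentication logs in transit once QRadar is set up to accept TLS syslog.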

What to do next

For more information about adding a data source, see Adding ingestion data sources.