IBM Support

QRadar: Testing Rsyslog

Question & Answer


Question

Does QRadar SIEM work with Rsyslog and how do you test it?

Cause

QRadar accepts events over any of its listed protocols, including syslog.
Rsyslog is no different from other syslog daemons, but it requires a configured destination for the forwarded messages.

Answer

In the example below, UDP is used for transmitting the message. The destination port is set to the default of 514. Rsyslog is also capable of using more secure and reliable TCP sessions for message forwarding.

authpriv.* @someplace


The destination port can also be specified. To select TCP, add one additional @ in front of the host name (that is, @host is UDP, @@host is TCP).

To make sure that you are sending to port 514 (or another port), specify the port explicitly after the host name:
authpriv.* @someplace:514


The logger command is a command-line interface to Rsyslog. You can use it to send test messages, selecting the destination host, TCP or UDP, and the port.
Logger options:
-d, --udp          use UDP (TCP is default)
-n, --server       write to this remote syslog server; the remote server is the Console or Managed Host receiving events
-P, --port number  use this UDP port

To test whether Rsyslog is sending events, you can use the logger command.
To send a test message to the QRadar appliance receiving the logs, run:

logger -n host_ip -P port Test_message
Example: logger -n 192.168.0.77 -P 514 Test

On the QRadar appliance receiving the events, use the tcpdump command:

tcpdump -nnAs0 -i interface port 514 | grep Test
In QRadar 7.3.x the interface name starts with en; in QRadar 7.2.x it starts with eth. Note that grep is case-sensitive, so the pattern must match the case of the test message you sent.

[root@QRadar1601 ~]# tcpdump -nnAs0 -i eth0 port 514 | grep test
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
E..:..@.@......Z...M.+...&.p<5>Aug 10 14:56:55 root: Test.


Note: you need logger version 2.2.21 or greater installed to use either the -n or -P option.
To determine which version is installed on your system, type logger -V.
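The send-then-capture check above on a single host, as an added Python example that is not part of the IBM page: it builds the BSD-syslog message that logger would emit for the authpriv.* selector, sends it over UDP (@host) or TCP (@@host), and reads it back on a loopback listener in place of tcpdump | grep. The 127.0.0.1 listener and ephemeral port are assumptions for offline testing; against a real QRadar collector you would send to its IP on port 514.

```python
import socket
import time

# RFC 3164 facility/severity codes (constructed subset); the page's selector authpriv.* is facility 10.
FACILITY = {"kern": 0, "user": 1, "auth": 4, "syslog": 5, "authpriv": 10, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4, "notice": 5, "info": 6, "debug": 7}

def build_message(facility, severity, tag, text, ts=None):
    # BSD wire form '<PRI>Mmm dd hh:mm:ss tag: text', the text that follows the
    # binary IP/UDP header in the tcpdump output above.
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    if ts is None:
        t = time.localtime()  # BSD timestamps space-pad the day of month: 'Aug  3'
        ts = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{pri}>{ts} {tag}: {text}".encode()

def parse_pri(payload):
    # Recover (facility, severity) from the <PRI> prefix of a received message.
    pri = int(payload[1:payload.index(b">")])
    return pri // 8, pri % 8

def send_message(host, port, payload, tcp=False):
    # '@host' in rsyslog.conf means UDP (one datagram per message);
    # '@@host' means TCP, where each message is terminated by a newline.
    if tcp:
        with socket.create_connection((host, port), timeout=3) as s:
            s.sendall(payload + b"\n")
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(payload, (host, port))

def loopback_check(payload, tcp=False):
    # Stand-in for 'tcpdump ... | grep' when only one host is available:
    # listen on an ephemeral loopback port, send to it, return what arrived.
    kind = socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as srv:
        srv.bind(("127.0.0.1", 0))  # port 0 picks a free port; the real target is 514
        srv.settimeout(3)
        port = srv.getsockname()[1]
        if tcp:
            srv.listen(1)
            send_message("127.0.0.1", port, payload, tcp=True)
            conn, _ = srv.accept()
            with conn:
                return conn.recv(4096).rstrip(b"\n")
        send_message("127.0.0.1", port, payload)
        return srv.recvfrom(4096)[0]
```

Calling loopback_check(build_message("authpriv", "notice", "root", "Test_message"), tcp=False) or tcp=True returns the same bytes you sent, which is what the tcpdump grep on the collector should show.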

For more information, refer to the Rsyslog page:

Rsyslog Examples


Document Information

Modified date:
22 February 2021

UID

swg21622696