IBM Support

QRadar: Testing Rsyslog

Question & Answer


Does QRadar SIEM work with Rsyslog and how do you test it?


QRadar works with any listed protocols to accept events including syslog.
Rsyslog is no different than other syslog daemons, but will require a destination.


In the example below, UDP is used for transmitting the message. The destination port is set to the default of 514. Rsyslog is also capable of using much more secure and reliable TCP sessions for message forwarding.

authpriv.* @someplace

Also, the destination port can be specified. To select TCP, simply add one additional @ in front of the host name (that is, @host is UDP, @@host is TCP).

To ensure that you are sending to port 514 or other port use the syntax.
authpriv.* @someplace:514

The logger command is a shell script to Rsyslog. You can use it to send commands using Host, TCP, UDP or Port options.
Logger options.
-d, --udp use UDP (TCP is default)
-n, --server write to this remote syslog server where the remote server will be the Console or Managed host receiving events.
-P, --port number use this UDP port

To test if Rsyslog is sending to events you can use the logger command.
To send a message using rsyslog use this command to the QRadar appliance receiving the logs.

logger -n host_ip -P port Test_message
Example logger -n -P 514 Test

From the QRadar Appliance receiving the events use the tcpdump command

tcpdump -nnAs0 -i interface port 514 | grep Test
In QRadar 7.3.x the interface will start with en and with QRadar 7.2.x it will start with eth

[root@QRadar1601 ~]# tcpdump -nnAs0 -i eth0 port 514 | grep test
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
E..:..@.@......Z...M.+...&.p<5>Aug 10 14:56:55 root: Test.

Note: you need to have logger version 2.2.21 or greater installed to use either the -n or -P option.
To determine what version is installed on your system type logger -V

For more information refer the Rsyslog page:

Rsyslog Examples

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"General Information","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2;7.3","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
22 February 2021