IBM Support

QRadar: How to create a passwordless SSH log in for log file protocol

How To


Administrators might need to create a passwordless login on log sources when the passwords are long or when they are set to expire frequently. In some cases, it can result in logs being lost if the administrator is not aware that the password expired.


Before you begin
Copy only the SSH public key to the Log Source. Create a non-root user to allow QRadar to log in to the Log Source.

Creating the SSH key pair on a QRadar Console or Event Collector

  1. Use SSH to log in to the QRadar console as root user.
  2. If the events are coming into an Event Collector, SSH to the appliance receiving the events.
  3. Create a directory to save your keys. For example,
    mkdir -p /opt/qradar/conf/keys
  4. Run the command ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
  5. Enter the directory and file, where keys are saved. For this example, the file is mykey
  6. Enter a passphrase > press enter.
    Note: Leave empty when you do not want to use a passphrase.
  7. Enter the same passphrase > press enter again.
A public and private key mykey is created in /opt/qradar/conf/keys for your Log Source.  For the example, the key fingerprint is GtideH6ikBZuphYw9na59df5wrqUPX8tbnxxxxxxxx

Installing the SSH public key on the Log Source

When installing your SSH public key, it is best practices to install it for a non-root or Sudo user.

  • Installing the SSH public key by using ssh-copy-id

    Note: If the ssh-copy-id is not installed on your appliance or fails to install the SSH public key, use the manual installation method to install the key.

    1. Type the command ssh-copy-id -i <path to public key/public_key> user@<Log Source IP address>
      ssh-copy-id -i /opt/qradar/conf/keys/  qradar@
      /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/opt/qradar/conf/keys/"
      /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
      /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
      qradar@'s password:
      Permission denied, please try again.
      qradar@'s password:
    2. Enter the password for the Log Source user.
    The SSH public key is added to the log source with the directory created and all user permissions set correctly.
    Number of key(s) added: 1
    Now try logging into the machine, with:   "ssh 'qradar@'"
    and check to make sure that only the key(s) you wanted were added.

  • Manually installing the SSH public key
    Note: If there is a user with a .ssh directory in the users home directory, skip to step 6.
    1. Use the command pwd to confirm you are in the user home directory
      $ pwd
    2. Verify that .ssh exists.
      ls -lad ./.ssh
      ls: cannot access '/home/user/.ssh': No such file or directory
    3. Create the .ssh directory if required.
      mkdir .ssh
    4. Apply the proper settings to the .ssh directory.
      chmod 755 .ssh
    5. Change the owner to the logged in user.
      chown user:user .ssh
    6. Create the authorization file.
      touch authorized_keys
    7. Set the permissions on the file to 600.
      chmod 600 authorized_keys
    8. Change the owner of the file to the logged in user.
      chown user:user authorized_keys
    9. Use SCP to copy the public key file from the QRadar Event Collector under the directory /opt/qradar/conf/keys to the Log Source Device user’s /home/user/.ssh/
    10.  Add the public ssh key file to the authorized_keys file.
      cat >> authorized_keys
You now can log in to the Log Source from the appliance were you create the keys by using the command ssh -i <Path to private SSH key/private_key> user@<Log source IP address>
ssh -i /opt/qradar/conf/keys/mykey qradar@
Last login: Tue May 11 14:36:43 2021 from
[qradar@Testserver ~]$

Troubleshooting "No ECDSA host key" messages

If you see a message similar to:

No ECDSA host key is known for and you have requested strict checking.

Run the command:

ssh-keyscan -t ecdsa <IP_address_Log_Source> >> ~/.ssh/known_hosts

Document Location


[{"Type":"SW","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt0AAA","label":"Log Source"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]

Document Information

Modified date:
19 May 2021