IBM QRadar 4) Collecting logs(Unix / Linux)

This post shows you how to configure syslog forwarding so that QRadar can collect logs.

Syslog forwarding has to be configured on each device.

Most devices and operating systems have their own way to configure syslog forwarding, so if your system is not covered in this post, please refer to the vendor's manual.

This post covers collecting operating system syslog from AIX, Linux, HP-UX and Solaris.

In the examples, QRadar's IP address is 192.168.0.16.

1. Configure IBM AIX syslog forwarding

  1) modify syslog.conf file

<root@aix ># vi /etc/syslog.conf

## QRadar 
*.debug          @192.168.0.16

Add the two lines, from the '## QRadar' comment to the IP address, at the bottom of the file.

This means the AIX host will forward its syslog to the IP address 192.168.0.16 (QRadar).

'## QRadar' is a comment in this file and has no effect.

'*.debug @192.168.0.16' means the server forwards messages from every facility at priority debug and above, which is every message, to the IP address 192.168.0.16 (QRadar).

  2) restart syslog service

<root@aix ># refresh -s syslogd

0513-095 The request for subsystem refresh was completed successfully.

The 'refresh -s' command is used to restart (refresh) a subsystem, here syslogd.

2. Configure Linux syslog forwarding

  1) modify syslog.conf file

<root@linux ># vi /etc/syslog.conf

## QRadar 
*.*        @192.168.0.16

Add these two lines, as in the AIX setting.

  2) restart syslog service

<root@linux ># /etc/init.d/syslog restart

Shutting down kernel logger: [  OK  ]
Shutting down system logger: [  OK  ]
Starting system logger: [  OK  ]
Starting kernel logger: [  OK  ]

The '/etc/init.d' directory contains the service scripts.

If you have a RHEL-based Linux, you can also use the service command as shown in the box below.

<root@linux ># service syslog restart

Shutting down kernel logger: [  OK  ]
Shutting down system logger: [  OK  ]
Starting system logger: [  OK  ]
Starting kernel logger: [  OK  ]

3. Configure Solaris / HP-UX syslog forwarding

  1) modify syslog.conf File

<root@unix ># vi /etc/syslog.conf

## QRadar 
*.*        @192.168.0.16

  2) restart syslog service

<root@unix ># kill -HUP `cat /etc/syslog.pid`

Sending SIGHUP makes syslogd re-read its configuration file.

With these settings, QRadar can now collect syslog from most operating systems.
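As an added example (not part of the original post), the script below parses the classic syslog.conf selector syntax used above (facility.priority followed by @host) and reports, for each remote destination, whether it is the expected QRadar collector and whether the selector forwards every message. The sample configuration is constructed from the lines in this post plus one extra rule; QRADAR_IP is the address the post uses.

```python
import re

QRADAR_IP = "192.168.0.16"  # the collector address used in this post

# Classic syslog priorities, lowest to highest. A selector such as "*.debug"
# matches this level AND everything above it, so it is equivalent to "*.*".
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed sample, based on the AIX lines in the post plus one extra rule.
SAMPLE_CONF = """\
*.info;mail.none;authpriv.none   /var/log/messages
## QRadar
*.debug          @192.168.0.16
auth.crit        @10.0.0.99
"""

def parse_selector(selector):
    """'*.debug' -> [('*','debug')]; 'auth,mail.crit' -> [('auth','crit'),('mail','crit')]."""
    pairs = []
    for part in selector.split(";"):
        facilities, _, priority = part.strip().rpartition(".")
        for fac in facilities.split(","):
            pairs.append((fac.strip(), priority.strip()))
    return pairs

def remote_rules(conf_text):
    """Return (selectors, host, transport) for each line whose action is a remote host."""
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)\s+(@@?)(\S+)$", line)
        if not m:
            continue  # local file, pipe or user action: not forwarded
        selector, at, host = m.groups()
        # "@@host" is rsyslog's TCP form; classic syslogd only knows "@host" (UDP)
        rules.append((parse_selector(selector), host, "tcp" if at == "@@" else "udp"))
    return rules

def forwards_everything(selectors):
    """True when a selector covers all facilities from the lowest priority up."""
    return any(fac == "*" and pri in ("*", PRIORITIES[0]) for fac, pri in selectors)

def audit(conf_text, collector_ip=QRADAR_IP):
    """One summary dict per remote rule: destination, transport, coverage."""
    return [{"host": host, "transport": transport,
             "to_collector": host == collector_ip,
             "all_messages": forwards_everything(selectors)}
            for selectors, host, transport in remote_rules(conf_text)]

if __name__ == "__main__":
    for entry in audit(SAMPLE_CONF):
        print(entry)
```

A rule that forwards to an address other than the collector, or an all-messages rule over plain UDP, is what you would want to spot when reviewing these files across many hosts.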

2 comments:

  1. Hi Kyeong-Ho Choi,

    Really good post, more helpful and handy.

    I have one doubt, While integrating linux os with qradar. We are editing conf file by using this line "*.*@IP".

    By this it will send all logs (under dir /var/log) in that Linux system to the QRadar server. If it is sending logs, can you help me with how to test this, whether it is sending or not?

    Please help me on this.

    BR,
    Teja R

  2. I want to integrate an application with SIEM that is running on Linux OS, and the Linux OS is already integrated with SIEM and receiving Linux OS logs. Kindly guide me how I can integrate application logs with SIEM.
