IBM QRadar

  • 1.  Multiple log source types for Linux? (Parsing)

    Posted Wed February 01, 2023 02:46 AM
    Dear Experts,

    I'm wondering whether creating multiple log source types for different Linux flavors (Debian, SUSE, Red Hat, CentOS, etc.) or creating log source types per syslog daemon (rsyslog, syslog-ng, etc.) is a best practice for parsing the logs, or whether to keep only one log source type (Linux OS) for all the different OSes. Might it help to organize the parsing? QR failed to parse all Linux syslog messages, whereas ArcSight could successfully parse the Linux logs, and I'm sad to hear that from IBM.

    Regards,


    ------------------------------
    Donald Lavag
    ------------------------------


  • 2.  RE: Multiple log source types for Linux? (Parsing)

    Posted Mon February 06, 2023 12:50 AM
    I need someone to support me.

    ------------------------------
    Donald Lavag
    ------------------------------



  • 3.  RE: Multiple log source types for Linux? (Parsing)
    Best Answer

    Posted Wed February 08, 2023 10:14 AM
    The option is "yours".

    Within QRadar, I currently see this issue with the Linux OS DSM and the VMware DSM overlapping.

    If this were a Windows host, I would utilise/enhance the Windows DSM (regardless of whether it was 2012 or a workstation); if it ran Exchange, then I would also add the Exchange DSM as a log source type.

    I follow a similar method for Linux: I would generally keep most of the family on the Linux OS DSM and enhance it. Obviously, applications running on top of these would have additional log sources with different DSM types.

    ------------------------------
    James H
    ------------------------------