rsyslogd will definitely do encrypted forwarding if needed. See $ActionSendStreamDriverAuthMode, $ActionSendStreamDriverMode, and $DefaultNetstreamDriver.
Original Message:
Sent: Wed June 11, 2025 05:49 AM
From: Reinhard Westerholt
Subject: Optimizing Linux Log Forwarding to QRadar – Best Practices?
When creating or modifying rules, we check whether additional logs are required. So above all, the existing rules determine which logs are forwarded. But of course, some logs are always forwarded.
@Michael Richards: Do you use encryption when forwarding syslog? If I understand correctly, there is no supported way to forward with encryption. And I wonder if it makes sense to use an unsupported way.
------------------------------
Reinhard Westerholt
Original Message:
Sent: Tue June 10, 2025 07:48 AM
From: Michael Richards
Subject: Optimizing Linux Log Forwarding to QRadar – Best Practices?
The way we do it is for linuxes that use rsyslogd, we have a custom config file that selectively filters the types of logs we don't care about and forwards the remainder to QRadar. On the event processor side, you could use routing rules to drop events, but a percentage of those count against your EPS, so we write and test filters with routing rules and then implement them in rsyslog.conf.
------------------------------
Michael Richards
Original Message:
Sent: Tue June 03, 2025 03:32 AM
From: Fariz Pirmatov
Subject: Optimizing Linux Log Forwarding to QRadar – Best Practices?
Hi everyone,
I'm setting up log forwarding from Linux servers to QRadar and trying to decide on the best approach from both a security and efficiency standpoint.
Sending all logs gives full visibility, but it creates a lot of noise and increases EPS. On the other hand, limiting to just authpriv or auditd keeps things cleaner, but I'm concerned about missing useful data.
What's considered best practice here? Do you forward everything, or only specific logs like auth, auditd, sshd, etc.? I'm aiming for a setup that catches key security events without overwhelming the SIEM.
Would really appreciate hearing how others have handled this in production.
------------------------------
Fariz Pirmatov
------------------------------