IBM QRadar

  • 1.  SLES as a log source

    Posted Wed July 22, 2020 07:34 AM

    Hi,

    Has anyone successfully added SLES (SUSE Linux Enterprise Server 15) as a log source and would be kind enough to share the procedure?

    I followed the procedures:
    https://www.suse.com/c/how-configure-sles11-cache-and-send-log-events-sentinel-rsyslogd/
    https://www.ibm.com/mysupport/s/question/0D50z00006PEFCD/configure-linux-os-to-send-audit-logs-to-qradar?language=en_US
    But no success. 

    BR,



    ------------------------------
    Aleksandar Stojanovski
    ------------------------------


  • 2.  RE: SLES as a log source

    Posted Wed July 22, 2020 08:47 AM
    Hi Aleksandar,

    To help those on the list, what did you find when you got to the end of the procedure? Any errors or messages? What sort of debugging did you perform? 

    Regards,

    ------------------------------
    Darren H.
    ------------------------------



  • 3.  RE: SLES as a log source

    Posted Wed July 22, 2020 10:43 AM
    Hi Darren,

    I tried to add SUSE Linux Enterprise Server 15 as a Linux OS, Syslog.

    The first step I did was to check network connectivity between QRadar and the SLES server. From the SLES server there is a successful connection on port 514.

    Second, on the SLES server I edited /etc/audisp/plugins.d/syslog.conf with:
    active = yes
    direction = out
    path = builtin_syslog
    type = builtin
    args = LOG_LOCAL6
    format = string

    Third, at the end of /etc/rsyslog.conf I added:
    #Qradar
    *.* @@IP-of-Qradar:514
    *.* @IP-of-Qradar:514

    Fourth, in /etc/rsyslog.d/remote.conf I added:
    # Remote Logging using TCP for reliable delivery
    # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
    #*.* @@remote-host
    *.* @@IP-of-Qradar:514
    # ######### Enable On-Disk queues for remote logging ##########
    #
    # An on-disk queue is created for this action. If the remote host is
    # down, messages are spooled to disk and sent when it is up again.
    #
    #$WorkDirectory /var/spool/rsyslog # where to place spool files
    #$ActionQueueFileName uniqName # unique name prefix for spool files
    #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
    #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
    #$ActionQueueType LinkedList # run asynchronously
    #$ActionResumeRetryCount -1 # infinite retries if host is down
    $WorkDirectory /var/spool/rsyslog # where to place spool files
    $ActionQueueFileName accesslog # unique name prefix for spool files
    $ActionQueueMaxFileSize 10m
    $ActionQueueMaxDiskSpace 5gb #space limit (use as much as possible)
    $ActionQueueSaveOnShutdown on # save messages to disk on shutdown
    $ActionQueueType LinkedList # run asynchronously
    $ActionResumeInterval 30
    $ActionResumeRetryCount -1 # infinite retries if host is down
    $ActionQueueHighWaterMark 2 #8000
    $ActionQueueLowWaterMark 1 #2000

    Fifth, in /etc/sysconfig/syslog I added:
    #
    RSYSLOGD_PARAMS=""
    SYSLOG_DAEMON="rsyslogd"
    RSYSLOGD_COMPAT_VERSION="4"

    After that, in QRadar I added the log source as a Linux OS with the Syslog protocol type. After deploying, the status is "Status: Not Available".

    Where did I make a mistake?

    BR,


    ------------------------------
    Aleksandar Stojanovski
    ------------------------------



  • 4.  RE: SLES as a log source

    Posted Wed July 22, 2020 10:49 AM
    Ok - the next question is can you be sure that the syslog daemon is (a) receiving the events? and (b) is forwarding?

    Use "logger" from the command line on the host to confirm (a) [that events you put in are in the right log file and then can get picked up] ... and then use tcpdump on the interface sending out that it is leaving the host to confirm (b).

    Also, use tcpdump on the SIEM to confirm you are seeing packets from that host arriving wherever the QRadar event collector process is (assuming your SIEM is an all-in-one - you've not said).

    ------------------------------
    Darren H.
    ------------------------------
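    Added example, not from either poster or from IBM: a small POSIX shell helper that inventories the legacy-syntax forwarding actions (`*.* @host:port` is UDP, `*.* @@host:port` is TCP) rsyslog will load from a config tree like the one in post 3, flags destinations listed more than once, and wraps the `logger` test from post 4. It assumes the directory passed in is laid out like /etc (rsyslog.conf plus rsyslog.d/*.conf, which SLES includes via $IncludeConfig); the tcpdump step needs root and is left as a comment. Worth knowing before chasing "Not Available": the config in post 3 names the QRadar address three times (TCP and UDP in rsyslog.conf, TCP again in remote.conf), so every event is forwarded three times, which shows up as duplicate events and inflated EPS on the collector.

```shell
#!/bin/sh
# Added example (not from the thread). CONF_ROOT is assumed to mirror /etc:
# <root>/rsyslog.conf and <root>/rsyslog.d/*.conf are scanned.

# Print one line per forwarding action: "<proto> <host> <port> <file>"
rsyslog_forward_targets() {
    root="$1"
    for f in "$root/rsyslog.conf" "$root"/rsyslog.d/*.conf; do
        [ -f "$f" ] || continue
        # strip comments first so "#*.* @@remote-host" style lines are ignored
        sed -e 's/#.*$//' "$f" | awk -v file="$f" '
            $2 ~ /^@/ {
                proto = "udp"; target = substr($2, 2)
                if (substr($2, 1, 2) == "@@") { proto = "tcp"; target = substr($2, 3) }
                # legacy syntax also allows @(o)host or @@(z9)host: drop the (...) options
                sub(/^\([^)]*\)/, "", target)
                n = split(target, parts, ":")
                host = parts[1]
                port = (n > 1) ? parts[n] : "514"   # rsyslog default port
                print proto, host, port, file
            }'
    done
}

# Print every host that is the destination of more than one forwarding action
# (each such host receives every event once per action).
rsyslog_duplicate_targets() {
    rsyslog_forward_targets "$1" \
        | awk '{ c[$2]++ } END { for (h in c) if (c[h] > 1) print h }'
}

# Emit a uniquely tagged event on the facility the audisp plugin in post 3 uses
# (LOG_LOCAL6) so it can be grepped for on the collector; prints the tag.
send_test_event() {
    tag="qradar-test-$(date +%s)"
    logger -p local6.info -t "$tag" "rsyslog forwarding test"
    echo "$tag"
    # Then, as root, confirm it leaves the host (replace the placeholder address):
    # tcpdump -ni any -A "host IP-of-Qradar and port 514" | grep "$tag"
}
```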



  • 5.  RE: SLES as a log source

    Posted Wed July 22, 2020 11:08 AM
    Hi Darren,

    Eureka.
    The solution is that there is no problem.
    So after configuring and spending two days debugging why manually added Linux OS log sources don't send logs, it hit me that maybe the log sources were added by Auto Discovery. And that was the case.

    So now I am embarrassed for wasting my and your time on something that was not even an issue.

    BR,

    ------------------------------
    Aleksandar Stojanovski
    ------------------------------