IBM QRadar

  • 1.  Support for Ubuntu

    Posted Tue February 28, 2023 08:32 AM

    Hi

    I am new here and I heard about qradar solutions not long ago. So I apologize if I'm asking about some obvious things.

    I searched the documentation and found that QRadar SOAR only supports RHEL from Linux distributions. Is it possible to use Ubuntu/Debian as well? What about support for CentOS/CentOS Stream?



    ------------------------------
    Dominik S
    ------------------------------


  • 2.  RE: Support for Ubuntu

    Posted Tue February 28, 2023 12:26 PM
    Edited by Jonathan Pechta Tue February 28, 2023 12:29 PM

    Note: My response is related to QRadar SIEM. If you meant QRadar SOAR, you should post your question in the QRadar SOAR discussions here: https://community.ibm.com/community/user/security/communities/community-home?CommunityKey=d2f71e8c-108e-4652-b59c-29d61af7163e

    ---- QRadar SIEM & Linux OS DSM ----
    The QRadar SIEM Linux OS DSM can parse events from different distros, such as Ubuntu, but we do not document the procedure for all distributions in the official guide. As long as you are sending the same event types from your distro that are listed in the DSM Guide, they should parse as long as the format is not different.

    Supported security event types

    • cron
    • HTTPS
    • FTP
    • NTP
    • Simple Authentication Security Layer (SASL)
    • SMTP
    • SNMP
    • SSH
    • Switch User (SU)
    • Pluggable Authentication Module (PAM) events.



    Per the Linux OS DSM, the core documentation states that the steps listed are for RHEL and that users with other distributions can review the guides for their specific Linux-based OS: If you use a SUSE, Debian, or Ubuntu operating system, see your vendor documentation for specific steps for your operating system.

    I will note that there is a support article on configuring Ubuntu with RSyslog for Apache HTTPS events here: https://www.ibm.com/support/pages/node/6587382.

    So, you can use the Linux OS DSM to parse events from other distros, but the DSM will only parse and map the supported security event types.

    Hope this helps...



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------
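Added example (not from either post, and not IBM code): a pre-flight check that an Ubuntu admin can run over a sample of the host's syslog output before forwarding it, to see which lines fall into the supported event types listed above, which programs would be left unmapped, and which lines do not even carry the traditional syslog header the check expects. The program-name mapping and the sample lines are assumptions constructed for the example; the script approximates the categories, it is not the DSM's own parser.

```python
import re
from collections import Counter

# Constructed Ubuntu auth.log/syslog lines as rsyslog writes them (hosts, users,
# addresses, PIDs made up); the last uses an ISO timestamp to show a header mismatch.
SAMPLE_LOG = """\
Feb 28 08:32:01 ubuntu-host CRON[2211]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 28 08:32:10 ubuntu-host sshd[2250]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: RSA SHA256:abc
Feb 28 08:32:11 ubuntu-host sshd[2250]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Feb 28 08:33:00 ubuntu-host su[2290]: (to root) alice on pts/0
Feb 28 08:34:15 ubuntu-host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.10 PROTO=TCP DPT=23
Feb 28 08:35:40 ubuntu-host sshd[2301]: Failed password for invalid user admin from 10.0.0.9 port 40022 ssh2
2023-02-28T08:36:00.123456+00:00 ubuntu-host sshd[2310]: Disconnected from user alice 10.0.0.5 port 51234
"""

# Syslog program names mapped to the event types the DSM Guide lists as
# supported. Which daemon logs under which name is an assumption made here.
PROGRAM_TO_EVENT_TYPE = {"cron": "cron", "sshd": "SSH", "su": "Switch User (SU)",
                         "vsftpd": "FTP", "ntpd": "NTP", "chronyd": "NTP",
                         "saslauthd": "SASL", "postfix": "SMTP", "snmpd": "SNMP"}

# Traditional BSD syslog header: "Mon DD HH:MM:SS host program[pid]: message"
HEADER_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ "
                       r"(?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$")

def classify(line):
    """Return ("supported", type), ("unsupported", program) or ("bad_header", None)."""
    m = HEADER_RE.match(line)
    if not m:
        return ("bad_header", None)
    # PAM messages arrive under whichever service called PAM, so spot them by
    # the module prefix in the message rather than by the program name.
    if m.group("msg").startswith("pam_"):
        return ("supported", "Pluggable Authentication Module (PAM)")
    prog = m.group("prog").lower().split("/")[0]  # "postfix/smtpd" -> "postfix"
    if prog in PROGRAM_TO_EVENT_TYPE:
        return ("supported", PROGRAM_TO_EVENT_TYPE[prog])
    return ("unsupported", prog)

def triage(log_text):
    """Count lines per supported type, unmapped programs and unexpected headers."""
    result = {"supported": Counter(), "unsupported": Counter(), "bad_header": 0}
    for line in filter(None, log_text.splitlines()):
        status, detail = classify(line)
        if status == "bad_header":
            result["bad_header"] += 1
        else:
            result[status][detail] += 1
    return result
```

Lines counted under "unsupported" (here the UFW kernel message) will still arrive at QRadar but will not be mapped by the Linux OS DSM; lines counted under "bad_header" point at an rsyslog template that differs from the traditional format the guide's examples assume.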