IBM Security QRadar

  • 1.  syslog-ng & QRadar CE integration

    Posted Thu February 04, 2021 03:10 PM
    Hi, 

    I have a comprehensive syslog-ng environment which is collecting logs. I am now looking at sending these logs to CE for demonstration purposes; however, I am unable to see any logs that I send from syslog-ng appear in CE. In addition, I cannot see that CE is listening on IPv4 port 514 or 601 (standard syslog ports).

    If anyone has any idea or can guide me it would be greatly appreciated.

    Phil.

    ------------------------------
    Phil Freeman
    ------------------------------


  • 2.  RE: syslog-ng & QRadar CE integration

    IBM Champion
    Posted Fri February 05, 2021 04:49 AM
    Hi Phil,

    This sounds like your CE hits this issue: https://www.ibm.com/support/pages/node/6395080
    Please check this first. Just run this command as described in this support note.

    /opt/qradar/support/all_servers.sh -Ck 'if [ -f /opt/qradar/ecs/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/ecs/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt ; fi ; if [ -f /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt ; fi ; if [ -f /usr/eventgnosis/ecs/license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /usr/eventgnosis/ecs/license.txt ; fi ; if [ -f /opt/qradar/conf/templates/ecs_license.txt ] ; then echo -n "QRadar:Q1 Labs Inc.:0007634bda1e2:WnT9X7BDFOgB1WaXwokODc:12/31/20" > /opt/qradar/conf/templates/ecs_license.txt ; fi'
    Verify whether events are received after you've applied this command.

    Regards,
    Ralph

    ------------------------------
    Ralph Belfiore
    IT Security Senior Consulting
    pro4bizz GmbH
    Karlsruhe
    +49 721 90981720
    ------------------------------
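    The following helper is an added example and is not from this thread or from IBM: it checks, on the QRadar CE host, the license files the command above rewrites and whether anything listens on ports 514 and 601, and it sends a plain RFC 3164 test event from the syslog-ng side. It assumes iproute2 `ss` and a BSD- or nmap-style `nc` are available, and `QRADAR_HOST` is a placeholder.

```shell
#!/bin/sh
# Added helper, not from the thread or from IBM: verify the license fix above.
# Run "check" on the QRadar CE host, "send" on the syslog-ng host.
# Assumes iproute2 ss and a BSD/nmap-style nc; QRADAR_HOST is a placeholder.
QRADAR_HOST="${QRADAR_HOST:-qradar-ce.example.invalid}"   # placeholder

# RFC 3164 PRI value: facility * 8 + severity (user.info = 1*8+6 = 14).
syslog_pri() {
    echo $(( $1 * 8 + $2 ))
}

# Build an RFC 3164 line; the timestamp is passed in so output is predictable.
# $1 facility, $2 severity, $3 timestamp, $4 hostname, $5 tag, $6 message
build_syslog_line() {
    printf '<%s>%s %s %s: %s' "$(syslog_pri "$1" "$2")" "$3" "$4" "$5" "$6"
}

# Return 0 if any listening socket (TCP or UDP) is bound to the given port.
listener_bound() {
    ss -ln 2>/dev/null | grep -q ":$1[[:space:]]"
}

# Print the license files the support-note command rewrites, so an expired
# or missing one is spotted before chasing network problems.
show_ecs_licenses() {
    for f in /opt/qradar/ecs/license.txt \
             /opt/ibm/si/services/ecs-ec-ingress/current/eventgnosis/license.txt \
             /opt/ibm/si/services/ecs-ep/current/eventgnosis/license.txt \
             /opt/ibm/si/services/ecs-ec/current/eventgnosis/license.txt \
             /usr/eventgnosis/ecs/license.txt \
             /opt/qradar/conf/templates/ecs_license.txt; do
        [ -f "$f" ] && printf '%s: %s\n' "$f" "$(cat "$f")"
    done
}

# Send one user.info test event over TCP/514 (run from the syslog-ng host).
send_test_event() {
    line=$(build_syslog_line 1 6 "$(date '+%b %e %H:%M:%S')" "$(hostname)" \
                             syslogtest "QRadar CE reachability test")
    printf '%s\n' "$line" | nc -w 2 "$QRADAR_HOST" 514
}

case "${1:-}" in
    check) show_ecs_licenses
           for p in 514 601; do
               listener_bound "$p" && echo "port $p: listening" || echo "port $p: NOT listening"
           done ;;
    send)  send_test_event ;;
esac
```

After sending, search the QRadar Log Activity tab for the tag `syslogtest`; if the listener check passes but nothing arrives, the problem is on the syslog-ng destination or network side rather than the license.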



  • 3.  RE: syslog-ng & QRadar CE integration

    Posted Fri February 05, 2021 05:10 AM
    @Ralph Belfiore

    Thank you so much.  I can now see logs being received by QRadar CE 🎉

    Thanks again.

    Phil Freeman.

    ------------------------------
    Phil Freeman
    ------------------------------



  • 4.  RE: syslog-ng & QRadar CE integration

    IBM Champion
    Posted Fri February 05, 2021 05:37 AM
    You're welcome :)
    Good to know your CE is up and running again.

    Regards,
    Ralph

    ------------------------------
    Ralph Belfiore
    IT Security Senior Consulting
    pro4bizz GmbH
    Karlsruhe
    +49 721 90981720
    ------------------------------