Hello friends, I have integrated my antivirus, which is Check Point, so that I can see all the logs from the antivirus on my QRadar, and I have made all the fields from the payload recognizable by QRadar with regular expressions, but now I have encountered another problem. The problem is that I cannot see who is logging in to my Check Point as administrator on the console and on the Linux side via SSH. I know that the commands to see these logs are last and lastb, but I would like to see them in QRadar. I saw a video that showed that a file has to be changed on the Linux server (/etc/rsyslog.conf), and there they added a line:
auth.* qradarIP:514
But I still cannot see the logs.
Can you please help me resolve this issue?
Thank you
------------------------------
Slavcho Andreevski
------------------------------
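The forwarding line quoted in the post has no `@` prefix, which is what rsyslog uses to tell a network target from a file: `auth.* qradarIP:514` makes rsyslog write to a file literally named `qradarIP:514`, whereas `@host:514` forwards over UDP and `@@host:514` over TCP. The fragment below is an added example, not from the original post nor from Check Point or IBM documentation. It assumes a QRadar event collector at the placeholder address 192.0.2.10 (a documentation range, substitute your own) and a Linux/Gaia host where sshd, login and PAM write to the auth and authpriv facilities. It shows the non-working line beside a working one and also selects authpriv, since sshd logs there on RHEL-derived systems.

```conf
# /etc/rsyslog.d/qradar.conf   (added example; replace 192.0.2.10 with your collector)

# Not working: without "@" rsyslog treats "qradarIP:514" as a file name,
# not a remote host, so nothing ever leaves the box.
#auth.* qradarIP:514

# Forward login/authentication messages over UDP/514.
# sshd uses facility "auth" on Debian/Ubuntu (SyslogFacility AUTH) and
# "authpriv" on RHEL-based systems (SyslogFacility AUTHPRIV); console
# logins via login/PAM use the same facilities, so select both.
auth,authpriv.* @192.0.2.10:514

# TCP alternative (double "@"); keep only one of the two lines active
# or QRadar will receive every event twice.
#auth,authpriv.* @@192.0.2.10:514
```

After saving, check the syntax with `rsyslogd -N1`, restart the daemon (`systemctl restart rsyslog` or `service rsyslog restart`), send a test event with `logger -p auth.notice "qradar forwarding test"` and confirm it actually leaves the host with `tcpdump -ni any port 514`. Two caveats: `last` and `lastb` read the binary files /var/log/wtmp and /var/log/btmp, which rsyslog does not forward; what QRadar will receive instead are the sshd "Accepted"/"Failed password" lines and the PAM session-opened messages, which carry the same user, time and source address. And on a Check Point Gaia appliance, hand edits to rsyslog.conf may be overwritten by the system's own configuration tooling, so check the Gaia administration guide for the supported way to define a remote syslog server before relying on the file edit.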