IBM QRadar

  • 1.  Problem send logs from Linux server to QRadar using Auditd Service

    Posted Thu September 12, 2024 07:46 AM

    Hello, 

    We encountered an issue while sending logs from multiple Linux servers to QRadar. The problem lies with the auditd service. We even tried restarting the auditd service after configuring it according to IBM's procedure, but without success.

    Kindly assist us in resolving the issue.



    ------------------------------
    Amine Hedfi
    ------------------------------


  • 2.  RE: Problem send logs from Linux server to QRadar using Auditd Service

    Posted Thu September 12, 2024 08:00 AM

    Hi Amine,

    Unfortunately there is not enough information available in the screenshots to indicate what the problem is. I suggest you open a support case and attach get_logs and screenshots of the issue to allow this to be effectively worked.

    Thanks



    ------------------------------
    John Dawson
    Qradar Support Architect
    IBM
    ------------------------------



  • 3.  RE: Problem send logs from Linux server to QRadar using Auditd Service

    IBM Champion
    Posted 2 hours ago

    Hello @Amine Hedfi,

    The issue you're encountering is quite common.
     
    The official documentation isn't always suitable for certain distributions or versions (depending on factors like age, or the specific distro, such as RHEL, CentOS, Debian, or Ubuntu).

    Let me share an example for RHEL/CentOS8 to give you a direction to follow.


    In the context of system logging (syslog) in Unix-like operating systems, local6 refers to one of the eight available local use facilities, which are custom-defined log facilities used for logging messages specific to the user's application or system.

    local6 is simply the seventh local use facility (numbering starts at local0). It's up to the user or system administrator to configure what kind of logs get directed to local6 and how they are handled. For example, in my sample you can configure your syslog daemon (such as rsyslog or syslog-ng) to direct logs from a specific application to the local6 facility and then specify where these logs should be written (like to a specific file or forwarded to a remote logging server).


    Example of a CentOS 8/RHEL 8 configuration to send logs to QRadar and a local file:


    1. Sample configuration of auditd (/etc/audit/auditd.conf) 


    2. Sample configuration of syslog.conf (/etc/audit/plugins.d/syslog.conf)


    3. Sample configuration of qradar.conf (/etc/rsyslog.d/qradar.conf)

     
    local6.* @@QRadarIP_Or_FQDN:514
    local6.* /var/log/testauditpascal.log


    4. Then you can restart service to check 

     
    service auditd restart
    service syslog restart


    This is the main idea; the configuration may differ if you use a different Linux distro or version.


    Hope this helps,

    Zoldax,



    ------------------------------
    zoldax

    https://www.credly.com/users/pascal-weber.029e134d/badges
    ------------------------------
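The forwarding chain zoldax outlines (auditd, the audisp syslog plugin on local6, rsyslog forwarding to QRadar), as an added example that is not part of the original post: a bash script that renders the plugin config and the rsyslog forward rule, checks that the settings most often left wrong are present, and only when invoked with `apply` restarts the services and sends a test message. The collector name `qradar.example.com`, the local file `/var/log/audit-forward.log` and the `ROOT` scratch-directory variable are assumptions for illustration; `/etc/audit/auditd.conf` is left at its defaults, which is the usual case on RHEL/CentOS 8.

```shell
#!/bin/bash
# Added example (not the original post's code): render and check the audisp
# syslog plugin and rsyslog forwarding config for RHEL/CentOS 8 (audit 3.x).
# Assumptions: plugin dir /etc/audit/plugins.d, rsyslog as the syslog daemon,
# QRadar listening on TCP 514. ROOT (default "") prefixes every path so the
# files can be rendered into a scratch directory for inspection.
set -eu

QRADAR_HOST="${QRADAR_HOST:-qradar.example.com}"   # hypothetical collector
ROOT="${ROOT:-}"
FACILITY="local6"

render_audisp_syslog() {
  # Plugin config. 'active = yes' is the line most often still at 'no';
  # LOG_LOCAL6 is the facility rsyslog will match on.
  local out="$1/etc/audit/plugins.d/syslog.conf"
  mkdir -p "$(dirname "$out")"
  cat > "$out" <<'EOF'
active = yes
direction = out
path = /sbin/audisp-syslog
type = always
args = LOG_INFO LOG_LOCAL6
format = string
EOF
}

render_rsyslog_forward() {
  # '@@' is TCP, a single '@' would be UDP. '& stop' reuses the previous
  # selector and discards the message afterwards, so audit records are not
  # duplicated into /var/log/messages by the stock *.info rule.
  local out="$1/etc/rsyslog.d/qradar.conf"
  mkdir -p "$(dirname "$out")"
  cat > "$out" <<EOF
# audit events arrive from audisp-syslog on ${FACILITY}
${FACILITY}.* @@${QRADAR_HOST}:514
& /var/log/audit-forward.log
& stop
EOF
}

check_config() {
  # Returns 0 only if both files carry the settings the chain depends on.
  local root="$1"
  local plugin="$root/etc/audit/plugins.d/syslog.conf"
  local fwd="$root/etc/rsyslog.d/qradar.conf"
  grep -qx 'active = yes' "$plugin" || return 1
  grep -q  'LOG_LOCAL6'   "$plugin" || return 1
  grep -q "^${FACILITY}\.\* @@" "$fwd" || return 1
}

apply_and_restart() {
  # Must run as root. 'systemctl restart auditd' is refused on RHEL 7/8
  # (RefuseManualStop), so the init script via 'service' is the supported way.
  render_audisp_syslog "$ROOT"
  render_rsyslog_forward "$ROOT"
  check_config "$ROOT"
  service auditd restart
  systemctl restart rsyslog
  # Exercise the rsyslog leg alone; it should land in the local file and
  # show up in QRadar's Log Activity from this host's IP within seconds.
  logger -p "${FACILITY}.info" "qradar-forward-test $(date +%s)"
}

case "${1:-}" in
  apply)  apply_and_restart ;;
  render) render_audisp_syslog "$ROOT"; render_rsyslog_forward "$ROOT"
          check_config "$ROOT" && echo "configs rendered under '${ROOT:-/}'" ;;
esac
```

Run `ROOT=/tmp/audit-check ./forward.sh render` to inspect the generated files without touching the host, then `./forward.sh apply` as root. If the test line reaches the local file but not QRadar, the problem is outside the host (port 514/tcp blocked, or the log source's IP not matching); if it reaches neither, rsyslog did not load the file. If the test line arrives but no audit records do, `cat /var/log/audit/audit.log` still growing means auditd is fine and the plugin line `active = yes` or its restart is what was missed.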