Hello @Amine Hedfi,
The issue you're encountering is quite common.
The official documentation isn't always suitable for certain distributions or versions (depending on factors like age, or the specific distro, such as RHEL, CentOS, Debian, or Ubuntu).
Let me share an example for RHEL/CentOS8 to give you a direction to follow.
In the context of system logging (syslog) in Unix-like operating systems, local6 refers to one of the eight available local use facilities, which are custom-defined log facilities used for logging messages specific to the user's application or system.
local6 is simply the seventh local use facility (numbering starts at local0). It's up to the user or system administrator to configure what kind of logs get directed to local6 and how they are handled. For example, in my sample you can configure your syslog daemon (such as rsyslog or syslog-ng) to direct logs from a specific application to the local6 facility and then specify where these logs should be written (like to a specific file or forwarded to a remote logging server).
Example of a CentOS 8/RHEL 8 configuration to send logs to QRadar and a local file:
1. Sample configuration of auditd (/etc/audit/auditd.conf)
2. Sample configuration of syslog.conf (/etc/audit/plugins.d/syslog.conf)
3. Sample configuration of qradar.conf (/etc/rsyslog.d/qradar.conf)
local6.* @@QRadarIP_Or_FQDN:514
local6.* /var/log/testauditpascal.log
4. Then you can restart the services to check
service auditd restart
service syslog restart
This is the main idea; the configuration may differ if you use a different Linux distro or version.
Hope this helps,
Zoldax,
------------------------------
zoldax
https://www.credly.com/users/pascal-weber.029e134d/badges
------------------------------
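To check the two rsyslog selector lines above against what actually arrives at the collector, here is an added example (not part of the reply or of IBM's documentation) that parses legacy rsyslog selectors such as `local6.* @@host:514` and decodes the `<PRI>` header of a received syslog line into facility and severity (local0 is facility 16, so local6 is 22). The audit line used as input is constructed, and the parser handles only single `facility.severity` selectors, not `;`-separated lists or `*` facilities.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Facility numbers from RFC 3164: local0 is 16, so local6 is 22.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
# Index doubles as the numeric severity: emerg is 0, debug is 7.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

@dataclass
class Rule:
    facility: str
    severity: str            # "*" means every severity
    action: str              # "tcp" (@@host), "udp" (@host) or "file"
    target: str
    port: Optional[int] = None

SELECTOR_RE = re.compile(r"^\s*([a-z0-9]+)\.(\*|[a-z]+)\s+(\S+)\s*$")

def parse_rule(line: str) -> Rule:
    """Parse one legacy rsyslog selector line (simplified: one facility, one action)."""
    m = SELECTOR_RE.match(line)
    if not m:
        raise ValueError(f"not a selector line: {line!r}")
    fac, sev, act = m.groups()
    if fac not in FACILITIES or (sev != "*" and sev not in SEVERITIES):
        raise ValueError(f"unknown facility or severity in {line!r}")
    if act.startswith("@"):
        proto = "tcp" if act.startswith("@@") else "udp"
        host, _, port = act.lstrip("@").partition(":")
        return Rule(fac, sev, proto, host, int(port) if port else 514)
    return Rule(fac, sev, "file", act)

def decode_pri(msg: str) -> Tuple[str, str]:
    """Turn the <PRI> prefix of a received syslog line into (facility, severity) names."""
    m = re.match(r"^<(\d{1,3})>", msg)
    if not m:
        raise ValueError("no PRI header")
    fac_num, sev_num = divmod(int(m.group(1)), 8)
    return FACILITY_NAMES.get(fac_num, f"facility{fac_num}"), SEVERITIES[sev_num]

def matches(rule: Rule, msg: str) -> bool:
    """True if the selector would route msg; a named severity means that level and more severe."""
    fac, sev = decode_pri(msg)
    if rule.facility != fac:
        return False
    return rule.severity == "*" or SEVERITIES.index(sev) <= SEVERITIES.index(rule.severity)

# Constructed sample: 182 = 22*8 + 6, i.e. local6.info, as the audisp syslog plugin emits it.
AUDIT_LINE = "<182>Sep 12 07:45:00 host1 audispd: node=host1 type=SYSCALL msg=audit(1.0:1)"
```

If a line decodes to a facility other than local6 (for example authpriv, PRI 86), the `local6.*` rules will not forward it, which is the first thing to verify when QRadar receives nothing.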
Original Message:
Sent: Thu September 12, 2024 07:45 AM
From: Amine Hedfi
Subject: Problem send logs from Linux server to QRadar using Auditd Service
Hello,
We encountered an issue while sending logs from multiple Linux servers to QRadar. The problem lies with the auditd service. We even tried restarting the auditd service after configuring it according to IBM's procedure, but without success.
Kindly assist us in resolving the issue.
------------------------------
Amine Hedfi
------------------------------