Using RSyslog to monitor and forward log files to QRadar


Although it is possible to use SSH/SFTP/SCP to collect log files with QRadar, that option may not be the most appropriate for every company. Those collection methods, called pull collection, require an extra account on the monitored system (so QRadar can log in to collect the log). Moreover, pull collection fetches the logs on an interval (usually 5 minutes), meaning that logs may take up to 5 minutes to arrive in QRadar.

One alternative for collecting logs stored in files is the rsyslog service, which comes pre-installed on the majority of RedHat and CentOS versions. rsyslog is able to monitor a log file and forward each new log line to QRadar as it is written.

The first step is to check which version of rsyslog you have, since the configuration syntax differs between versions:

$ rsyslogd -v


If you have a newer rsyslog version (7.x or above), edit the /etc/rsyslog.conf file and add the following lines:

#### Load the file reader module (poll the file every 10 seconds) ####
module(load="imfile" PollingInterval="10")

#### Configure to read a file ####
input(type="imfile" File="/var/log/logfile1.log"
      Tag="LogFileName:"
      StateFile="/var/spool/rsyslog/state-LogFileName"
      Severity="info"
      Facility="local3")

#### Forward the logs to QRadar over TCP (@@ is TCP; a single @ would send UDP) ####
local3.info @@qradar_ip_address:514


If you have a legacy version (5.x or below), edit the /etc/rsyslog.conf file and add the following lines instead:

##### Load file reader module #######
$ModLoad imfile

##### Configure to read a file (the state file is relative to $WorkDirectory) ########
$InputFileName /var/log/logfile1.log
$InputFileTag LogFileName:
$InputFileStateFile state-LogFileName
$InputFileSeverity info
$InputFileFacility local3
$InputRunFileMonitor

##### Set the file monitoring for every 10 seconds ######
$InputFilePollInterval 10

##### Forward logs in local3.info to QRadar over TCP (@@ is TCP; a single @ would send UDP) #######
local3.info                     @@qradar_ip_address:514
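To make concrete what both configurations above do, here is an added Python sketch (not rsyslog code and not part of the original post) that mimics imfile's state-file tailing of /var/log/logfile1.log and builds the BSD-syslog line that the local3.info @@ rule pushes to QRadar over TCP. The QRadar address and the sending hostname are assumptions; the log file content is constructed.

```python
import os
import socket
import tempfile
import time

# RFC 3164 numeric codes for the facility/severity named in the rsyslog config
FACILITY_CODES = {"local3": 19}
SEVERITY_CODES = {"info": 6}

def syslog_pri(facility, severity):
    # PRI = facility * 8 + severity; local3.info gives <158>
    return FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]

def format_message(line, tag, hostname, facility="local3", severity="info", ts=None):
    # BSD-syslog line as QRadar receives it: <PRI>TIMESTAMP HOST TAG MSG
    ts = ts or time.strftime("%b %e %H:%M:%S")
    return f"<{syslog_pri(facility, severity)}>{ts} {hostname} {tag} {line}"

def read_new_lines(path, state_file):
    # Return complete lines appended since the byte offset saved in state_file,
    # then persist the new offset (this is the role of imfile's StateFile).
    offset = 0
    if os.path.exists(state_file):
        with open(state_file) as st:
            offset = int(st.read() or 0)
    if os.path.getsize(path) < offset:  # file truncated or rotated: start over
        offset = 0
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    complete = data.rfind(b"\n") + 1  # a partial last line waits for the next poll
    with open(state_file, "w") as st:
        st.write(str(offset + complete))
    return data[:complete].decode(errors="replace").splitlines()

def forward(lines, host, port, tag, hostname):
    # rsyslog's @@host:port target is plain TCP, one message per newline
    with socket.create_connection((host, port)) as sock:
        for line in lines:
            sock.sendall((format_message(line, tag, hostname) + "\n").encode())

def demo_tail():
    # Constructed log file: two polls; the second must see only the appended line.
    workdir = tempfile.mkdtemp()
    log, state = os.path.join(workdir, "logfile1.log"), os.path.join(workdir, "state-LogFileName")
    with open(log, "w") as fh:
        fh.write("first event\nsecond event\npartial")
    first = read_new_lines(log, state)
    with open(log, "a") as fh:
        fh.write(" line\n")
    second = read_new_lines(log, state)
    return first, second
```

Calling forward(demo_tail()[0], "qradar_ip_address", 514, "LogFileName:", "web01") would deliver two messages starting with <158>, which is the PRI QRadar's syslog listener sees for local3.info.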


After the changes have been made to the rsyslog.conf file, all you have to do is restart the service:

$ systemctl stop rsyslog
$ systemctl start rsyslog

To check that the service started without errors, look at its status:

$ systemctl status rsyslog

If everything worked well, your service should be started without any errors.

One very common issue is rsyslog not being able to access the log file. This usually happens because of SELinux, which blocks access to sensitive files on the machine. To check whether that is the case, temporarily switch SELinux to permissive mode with the following command:

$ setenforce 0

After that, restart rsyslog and check whether the error persists. If the issue is solved, all you have to do is add an exception to your SELinux policy that allows rsyslog to access that specific log file, and then put SELinux back into enforcing mode with setenforce 1.
