
Using RSyslog to monitor and forward log files to QRadar


Although it is possible to use SSH/SFTP/SCP to collect log files with QRadar, that option may not be the most appropriate for every company. Those collection methods, called pull collection, require an extra account on the system (so QRadar can log in to collect the log). Moreover, pull collection fetches the logs at an interval (usually 5 minutes), meaning that logs may take up to 5 minutes to arrive in QRadar.

One alternative for collecting logs stored in files is the rsyslog service, which comes pre-installed on most RedHat and CentOS versions. It can monitor a log file and forward each new line to QRadar as it is written.

The first step is to check which version of rsyslog you have:

$ rsyslogd -v

If you have a newer rsyslog version (7.x or above), edit the /etc/rsyslog.conf file and add the following lines:

#### Load the file reader module ####
module(load="imfile" PollingInterval="10")

#### Configure to read a file ####
input(type="imfile" File="/var/log/logfile1.log"
      Tag="LogFileName:"
      StateFile="/var/spool/rsyslog/state-LogFileName"
      Severity="info"
      Facility="local3")

#### Forward the logs to QRadar ####
local3.info @@qradar_ip_address:514

If you have a legacy version (5.x or below), edit the /etc/rsyslog.conf file and add the following lines:

##### Load file reader module #######
$ModLoad imfile

##### Configure to read a file ########
$InputFileName /var/log/logfile1.log
$InputFileTag LogFileName:
$InputFileStateFile state-LogFileName
$InputFileSeverity info
$InputFileFacility local3
$InputRunFileMonitor  

##### Set the file monitoring for every 10 seconds ######
$InputFilePollInterval 10

##### Forward logs in local3.info to QRadar #######
local3.info                     @@qradar_ip_address:514

After editing the rsyslog.conf file, all you have to do is restart the service:

$ systemctl stop rsyslog
$ systemctl start rsyslog

To check that the service started without errors, look at its status:

$ systemctl status rsyslog

If everything went well, the service is running without any errors.

One very common issue is that rsyslog is not able to access the log file. This usually happens because SELinux blocks access to sensitive files on the machine. To check whether that is the case, temporarily switch SELinux to permissive mode with the following command:

$ setenforce 0

After that, restart rsyslog and check whether the error persists. If the issue is solved, all you have to do is add an exception to your SELinux policy that allows rsyslog to access that specific log file, and then put SELinux back into enforcing mode with setenforce 1.
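As an added example (not from the original post), the script below renders the rsyslog 7.x/8.x configuration above for one file, but binds the input to its own ruleset so that only that file is forwarded (the local3.info rule also ships every other local3 message), validates the result with rsyslogd's config check before restarting, and replaces the setenforce 0 test with an SELinux denial lookup plus a persistent file-context fix. File path, tag and collector address are arguments; the 192.0.2.10 address in the comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post. Renders the rsyslog 7.x/8.x
# imfile configuration for one file, bound to its own ruleset so that only the
# monitored file is forwarded (the local3.info rule above also forwards every
# other local3 message), validates the result with rsyslogd's config check and
# looks at SELinux denials instead of disabling enforcement. All paths, tags
# and addresses are supplied by the caller.

# render_imfile_config FILE TAG QRADAR_HOST [POLL_SECONDS] -> config on stdout.
# Load imfile only once per rsyslog instance. StateFile is required on 7.x;
# 8.x treats the parameter as deprecated and generates a state file itself.
render_imfile_config() {
    file=$1 tag=$2 qradar=$3 poll=${4:-10}
    cat <<EOF
module(load="imfile" PollingInterval="${poll}")
ruleset(name="to_qradar") {
    action(type="omfwd" target="${qradar}" port="514" protocol="tcp")
}
input(type="imfile" File="${file}"
      Tag="${tag}:"
      StateFile="state-${tag}"
      Severity="info"
      Facility="local3"
      ruleset="to_qradar")
EOF
}

# install_and_check FILE TAG QRADAR_HOST: write the snippet into rsyslog.d and
# refuse to restart the service if rsyslogd's config check (-N1) fails.
install_and_check() {
    conf="/etc/rsyslog.d/qradar-$2.conf"
    render_imfile_config "$1" "$2" "$3" > "$conf" || return 1
    rsyslogd -N1 && systemctl restart rsyslog
}

# selinux_denials: list recent AVC denials for rsyslogd (audit package needed)
# rather than running setenforce 0 on a production host.
selinux_denials() { ausearch -m avc -c rsyslogd -ts recent; }

# allow_rsyslog_read FILE: persistent exception. rsyslogd runs as syslogd_t,
# which may read files labelled var_log_t; relabel the file accordingly.
allow_rsyslog_read() { semanage fcontext -a -t var_log_t "$1" && restorecon -v "$1"; }

case "${1:-}" in
    render)  render_imfile_config "$2" "$3" "$4" ;;   # e.g. render /var/log/app.log app 192.0.2.10
    install) install_and_check "$2" "$3" "$4" ;;
    denials) selinux_denials ;;
    allow)   allow_rsyslog_read "$2" ;;
esac
```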

Using Syslog-ng to monitor and forward log files to QRadar


Although it is possible to use SSH/SFTP/SCP to collect log files with QRadar, that option may not be the most appropriate for every company. Those collection methods, called pull collection, require an extra account on the system (so QRadar can log in to collect the log). Moreover, pull collection fetches the logs at an interval (usually 5 minutes), meaning that logs may take up to 5 minutes to arrive in QRadar.

One alternative for collecting logs stored in files is the syslog-ng service, which comes pre-installed on most newer Linux releases. It can monitor a specific file (at short intervals, such as 10 seconds) and, whenever the file changes, send the new lines to QRadar. The configuration is fairly simple; here are the steps:

  1. Check if the syslog-ng is installed:
    $ service syslog-ng status

    If it is not installed, install it with:

    $ apt-get install syslog-ng
  2. Edit the syslog-ng configuration file (usually at: /etc/syslog-ng/syslog-ng.conf), inserting the following lines:
    source s_logfile1 {
        file("[[[PATH_TO_FILE]]]" follow_freq(10) flags(no-parse));
    };

    destination d_qradar {
        tcp("[[[QRADAR_COLLECTOR_IP]]]" port(514) template("<$PRI>$DATE $HOST $MESSAGE\n"));
    };

    log {
        source(s_logfile1);
        destination(d_qradar);
    };

    The first block adds a “file monitoring” source for the specific file. You can change the monitoring frequency (in seconds) with the follow_freq parameter.
    The second block adds a syslog destination; if you already have syslog-ng configured for other log monitoring, this block may not be necessary.
    The third block adds a log path that sends everything read from the source file to the destination syslog recipient.

  3. Restart the syslog-ng service
    $ service syslog-ng restart
  4. Done! You can now check on QRadar if logs are coming.
  5. If you need to troubleshoot, you can check the syslog-ng logs by using the following commands:
    $ syslog-ng
    $ service syslog-ng status
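
Once syslog-ng is running, the quickest way to confirm that lines are actually leaving for QRadar (rather than being dropped because the collector is unreachable on 514/TCP) is the output of syslog-ng-ctl stats. The function below, an added example that is not part of the original post, parses that semicolon-separated output and reports processed and dropped counters per destination; the sample stats text, the d_qradar name and the 192.0.2.10 address are constructed to match the configuration above.

```shell
#!/bin/sh
# Added example, not part of the original post. Parses `syslog-ng-ctl stats`
# output (SourceName;SourceId;SourceInstance;State;Type;Number) and prints
# one line per destination with its processed and dropped counters, so a
# collector that is silently unreachable shows up as a growing dropped count.

# destination_counters [STATS_FILE]: reads stats text from a file or stdin and
# prints "<id> processed=<n> dropped=<n>" sorted by destination id.
destination_counters() {
    awk -F';' '
        $1 ~ /^dst\./ && ($5 == "processed" || $5 == "dropped") {
            sub(/#.*/, "", $2)             # d_qradar#0 -> d_qradar
            c[$2, $5] += $6; ids[$2] = 1
        }
        END {
            for (id in ids)
                printf "%s processed=%d dropped=%d\n", id,
                       c[id, "processed"] + 0, c[id, "dropped"] + 0
        }' "${1:--}" | sort
}

# has_drops [STATS_FILE]: succeed (exit 0) if any destination dropped messages.
has_drops() {
    destination_counters "$@" | grep -q 'dropped=[1-9]'
}

# Constructed sample in the documented stats format: the file source is read
# fine, but the QRadar destination has already dropped 7 messages.
SAMPLE_STATS='SourceName;SourceId;SourceInstance;State;Type;Number
src.file;s_logfile1#0;/var/log/logfile1.log;a;processed;1250
dst.tcp;d_qradar#0;tcp,192.0.2.10:514;a;processed;1243
dst.tcp;d_qradar#0;tcp,192.0.2.10:514;a;dropped;7
dst.file;d_messages#0;/var/log/messages;a;processed;1250
dst.file;d_messages#0;/var/log/messages;a;dropped;0'

# check_sample: run the parser over the constructed sample.
check_sample() { printf '%s\n' "$SAMPLE_STATS" | destination_counters; }

# Live use on the host (not run here):
#   syslog-ng-ctl stats | destination_counters
#   syslog-ng-ctl stats | has_drops && echo "messages are being dropped"
```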

 

Who added a new account?

Sometimes it is necessary to audit the configuration of QRadar and find the people involved in changes to the system. Those changes can be verified in the “events” tab of QRadar (filtering on events from the QRadar device itself). Another quick way to find audit information about QRadar is to check its own logs. For example, to see the history of accounts added to the system, there is a quick command that shows who added each new account and when. To get this information, execute the following command:

[root@MY_RADAR]# grep 'AccountAdded' /var/log/audit/audit.log | less

You will get log lines such as the example below:

Jun 12 14:34:37 127.0.0.1 X&Y (7638) /console/JSON-RPC/QRadar.saveUser QRadar.saveUser | [Configuration] [UserAccount] [AccountAdded] ID: 24 | Username: ABC | Email: ABC@DEF | Description: | Role ID: 2 | Security Profile ID: 1

By analyzing the log line, we can verify that X&Y added the new account ABC with the e-mail address ABC@DEF on June 12th at 14:34.
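The grep above shows the raw lines; the script below (an added example, not part of the original post) pulls the timestamp, acting user, source address, new account and role out of every [AccountAdded] line so the answer to "who added what, and when" comes out as one row per account. It assumes the field layout of the sample line above and that the acting user name contains no spaces; the two extra sample lines, including the [SomeOtherEvent] label, are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Turns QRadar audit.log
# [AccountAdded] lines into one row per new account: when, by whom, from
# where, which username/ID/email and which role and security profile.
# The field layout follows the sample line in the post; it is an assumption
# that the acting user name contains no spaces.

# account_added_report [AUDIT_LOG]: reads the file (default: stdin) and prints
# tab-separated rows: timestamp, actor, source IP, username, ID, email,
# role ID, security profile ID.
account_added_report() {
    awk -F' [|] ' '
        /\[AccountAdded\]/ {
            split($1, h, " ")        # "Mon DD HH:MM:SS <ip> <actor> (<session>) ..."
            split("", kv)            # reset the key/value map for this line
            for (i = 2; i <= NF; i++) {
                f = $i
                sub(/^(\[[^]]*\] *)+/, "", f)   # drop "[Configuration] [UserAccount] ..."
                p = index(f, ": ")
                if (p) kv[substr(f, 1, p - 1)] = substr(f, p + 2)
                else if (sub(/:$/, "", f)) kv[f] = ""   # e.g. "Description:" left empty
            }
            printf "%s %s %s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", h[1], h[2], h[3], h[5], h[4],
                   kv["Username"], kv["ID"], kv["Email"], kv["Role ID"], kv["Security Profile ID"]
        }' "${1:--}"
}

# Constructed sample: the line from the post, a non-matching line (event label
# made up to show it is skipped) and a second constructed AccountAdded line.
SAMPLE_AUDIT='Jun 12 14:34:37 127.0.0.1 X&Y (7638) /console/JSON-RPC/QRadar.saveUser QRadar.saveUser | [Configuration] [UserAccount] [AccountAdded] ID: 24 | Username: ABC | Email: ABC@DEF | Description: | Role ID: 2 | Security Profile ID: 1
Jun 12 14:35:02 127.0.0.1 X&Y (7638) /console/JSON-RPC/QRadar.saveUser QRadar.saveUser | [Configuration] [UserAccount] [SomeOtherEvent] ID: 24 | Username: ABC
Jun 13 09:01:15 192.0.2.44 admin (8120) /console/JSON-RPC/QRadar.saveUser QRadar.saveUser | [Configuration] [UserAccount] [AccountAdded] ID: 25 | Username: soc_analyst | Email: soc@example.test | Description: tier 1 | Role ID: 3 | Security Profile ID: 1'

# report_sample: run the parser over the constructed sample.
report_sample() { printf '%s\n' "$SAMPLE_AUDIT" | account_added_report; }

# On the console (not run here): account_added_report /var/log/audit/audit.log
```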