Using Syslog-ng to monitor and forward log files to QRadar
Although it is possible to use SSH/SFTP/SCP to collect log files with QRadar, that option may not be the most appropriate one for every company. Those collection methods, called pull collection, require an extra account on the monitored system (so QRadar can log in to collect the file). Moreover, pull collection retrieves the logs at an interval (usually 5 minutes), meaning that logs may take up to 5 minutes to arrive in QRadar.
One alternative for collecting logs stored in files is the syslog-ng service, which comes pre-installed in most newer Linux releases. The service can monitor a specific file at a much shorter interval (such as 10 seconds) and, whenever the file changes, send the new lines to QRadar. The configuration is fairly simple; here are the steps:
- Check if the syslog-ng is installed:
$ service syslog-ng status
if not installed, install using:
$ apt-get install syslog-ng
- Edit the syslog-ng configuration file (usually /etc/syslog-ng/syslog-ng.conf), inserting the following lines:
source s_logfile1 { file("[[[PATH_TO_FILE]]]" follow_freq(10) flags(no-parse)); };
destination d_qradar { tcp("[[[QRADAR_COLLECTOR_IP]]]" port(514) template("<$PRI>$DATE $HOST $MESSAGE\n")); };
log { source(s_logfile1); destination(d_qradar); };
The first line adds a "file monitoring" source for the specific file. You can change the polling frequency (in seconds) through the follow_freq parameter; flags(no-parse) makes syslog-ng treat each line of the file as an opaque message instead of trying to parse it as syslog.
The second line adds a syslog destination; if syslog-ng is already configured to forward to QRadar for another log, this line may not be necessary.
The third line adds a log path that sends messages from the file source to the QRadar destination.
- Restart the syslog-ng service:
$ service syslog-ng restart
- Done! You can now check in QRadar whether the logs are arriving.
- If you need to troubleshoot, you can check the syslog-ng status with the following commands:
$ syslog-ng
$ service syslog-ng status
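Before pointing d_qradar at the real collector, it helps to see exactly what the template above emits. The following is an added example, not code from the original post: a minimal TCP receiver that listens on an unprivileged port (5514 is an assumption; change the destination's port() to match while testing) and parses each line back into PRI, facility, severity, host and message so you can confirm the file is being followed and the format is what QRadar expects.

```python
"""Minimal TCP syslog receiver for checking syslog-ng output (added example)."""
import re
import socket

# Matches the post's template "<$PRI>$DATE $HOST $MESSAGE"; $DATE in syslog-ng's
# default BSD format looks like "Jun 12 10:15:02" (day may be space-padded).
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_qradar_line(line):
    """Split one received line into its parts; return None if it does not match.

    A None result usually means the template() or flags(no-parse) in
    syslog-ng.conf is not what you expected.
    """
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # PRI = facility * 8 + severity, so 23 * 8 + 7 is the maximum
        return None
    return {
        "pri": pri,
        "facility": pri >> 3,            # numeric facility (1 = user, 16 = local0, ...)
        "severity": SEVERITIES[pri & 7],
        "date": m.group(2),
        "host": m.group(3),
        "message": m.group(4),
    }


def receive_lines(port=5514, max_lines=5, timeout=30):
    """Accept one connection from syslog-ng and return up to max_lines parsed records."""
    records = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        srv.settimeout(timeout)
        conn, _ = srv.accept()
        with conn, conn.makefile("r", encoding="utf-8", errors="replace") as f:
            for line in f:
                records.append(parse_qradar_line(line))
                if len(records) >= max_lines:
                    break
    return records
```

Run receive_lines() on the test host, then append a line to the monitored file; within follow_freq seconds the parsed record should appear, and with flags(no-parse) you can expect syslog-ng's default priority rather than anything derived from the file's content.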
Windows Desktops Log Collection – Methods Comparison
Hi folks! I'm glad to be receiving good feedback from you guys! The topic of this post was a recent request from one of our followers, asking what the best way to send Windows logs to QRadar is. As you can imagine, there is no single best solution; it depends on the kind of environment we have. So, to answer this question as simply and briefly as possible, I created the following table comparing some log collection methods.
To get more information about the Snare Agent, you can check the vendor website. To get more information about the other two collection methods, you can check our post about configuring log sources and the official documentation linked in this other post.
Do you have any question or suggestion? Let us know in the comments!
Configuring the Log Sources
When implementing a large QRadar environment we can face several types of log sources across the network. QRadar supports more than one hundred types of devices out of the box and can integrate with any other log source using customized parsers. The log source parsers are known in QRadar as Device Support Modules (DSMs).
A personal recommendation for integrating log sources with QRadar is: always use syslog when possible. Why? Basically, syslog is the standard log protocol for many devices, and QRadar can easily collect, identify and receive logs using this protocol. Syslog typically uses UDP, which makes log collection faster with almost zero latency. Keep in mind that UDP gives no delivery confirmation, so a dropped datagram is a lost event. Make sure that all the firewalls in your environment allow traffic to QRadar on port 514 (the default syslog port).
IBM provides good documentation explaining thoroughly how to configure each type of device to send logs to QRadar. You can find the DSM configuration guide at the following link:
QRadar_721_DSMConfigurationGuide
Do you have other tips for configuring your devices? Share them with us!