SecurID® Discussions

DavidBerner
Occasional Contributor

We are trying to set up logging for QRadar following their documentation, which adds the configuration from the command line. I see that you can set logging from the Security Console. Is there any reason we can't do this from the GUI? Note: we only want to send logs to one server.

QRadar steps:

Version 8
/opt/rsa/am/utils/resources/ims.properties
3. Add the following entries to the ims.properties file:
ims.logging.audit.admin.syslog_host = <IP address>
ims.logging.audit.admin.use_os_logger = true
ims.logging.audit.runtime.syslog_host = <IP address>
ims.logging.audit.runtime.use_os_logger = true
ims.logging.system.syslog_host = <IP address>
ims.logging.system.use_os_logger = true
Where <IP address> is the IP address or host name of IBM QRadar.
4. Save the ims.properties file.
5. Open the following file for editing:

/etc/syslog.conf
6. Type the following command to add QRadar as a syslog entry:
*.* @<IP address>
Where <IP address> is the IP address or host name of QRadar.
7. Type the following command to restart the syslog services for Linux.
service syslog restart


Accepted Solutions
EdwardDavis
Employee

Those steps of editing the ims.properties file were used for an older, unsupported version 7.x of Authentication Manager.

In Authentication Manager 8.x there is no need to edit any files on the command line. This is all set in the Security Console under Setup, System Settings, Logging, (pick a server); you can then see the syslog options and set one destination host as the syslog destination.

Here I have not picked any syslog destinations, but you can add one syslog destination for each type of log if you want.

[Screenshot: pastedImage_1.png]

The only time you'd be on the command line in 8.x editing anything is if you wanted more advanced syslog options, such as different ports or multiple destinations. Then you'd check this article: 000037206 - How to configure RSA Authentication Manager 8.4 or later to send data to multiple remote syslog servers

(If below 8.4, see KB 000030329 - How to configure RSA Authentication Manager 8.1 to send data to multiple remote syslog servers.)

DavidBerner
Occasional Contributor

Thanks Ed. This worked for the RSA AM logs, but we still don't see the Linux Audit Log on the QRadar side. Do I have to follow the KB above for rsyslog?


If you want OS syslog also, then yes, use the KB.

a) Configure the RSA AM Security Console to send syslog to its own IP...

b) Then configure rsyslog to forward those to [destination(s)]... and you can get OS logs this way.
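The two-step arrangement in this reply, as an added illustration that is not from the post or from the RSA KB articles it cites: an rsyslog fragment on the Authentication Manager host that accepts the syslog the Security Console sends to the host's own IP (step a) and forwards it, together with the host's OS messages, to QRadar (step b). The file path, the UDP/514 listener, the QRadar placeholder address and the TCP transport are assumptions; where the KB specifies different settings, follow the KB.

```conf
# Illustrative rsyslog configuration, assumed to live at /etc/rsyslog.d/50-qradar.conf.
# Added example, not taken from the RSA KB; reconcile with the KB's own instructions.

# Step a) The Security Console points Authentication Manager's syslog destination at
# the host's own IP, so rsyslog must accept those messages on the network socket.
# UDP/514 is an assumption; use whatever port the Security Console was given.
module(load="imudp")
input(type="imudp" port="514")

# Local OS messages (what the rest of the operating system logs via syslog) arrive
# through the Unix socket input, loaded explicitly here in case the base config does not.
module(load="imuxsock")

# Caveat: auditd writes /var/log/audit/audit.log directly and does not emit it via
# syslog by default, so those records need the audisp syslog plugin or an imfile
# input before they would be forwarded by the rule below (not shown here).

# Step b) Forward everything to QRadar. The target is a placeholder. TCP (@@ in legacy
# syntax) plus a disk-assisted queue keeps messages from being dropped while the
# collector is unreachable; queue files go in rsyslog's configured work directory.
*.* action(type="omfwd"
           target="QRADAR_IP_PLACEHOLDER" port="514" protocol="tcp"
           queue.type="LinkedList" queue.filename="qradar_fwd"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
```

After placing the file, validate with `rsyslogd -N1` and then restart rsyslog (`systemctl restart rsyslog` on systemd hosts) so both the network listener and the forwarding rule take effect.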