
Logging

Question asked by David Berner on Nov 5, 2019
Latest reply on Nov 5, 2019 by Edward Davis

We are trying to set up logging for QRadar following their documentation to add the configuration from the command line. I see that you can set logging from the Security Console. Is there any reason we can't do this from the GUI? Note: we only want to send logs to one server.

 

QRadar steps:

 

Version 8
/opt/rsa/am/utils/resources/ims.properties
3. Add the following entries to the ims.properties file:
ims.logging.audit.admin.syslog_host = <IP address>
ims.logging.audit.admin.use_os_logger = true
ims.logging.audit.runtime.syslog_host = <IP address>
ims.logging.audit.runtime.use_os_logger = true
ims.logging.system.syslog_host = <IP address>
ims.logging.system.use_os_logger = true
Where <IP address> is the IP address or host name of IBM QRadar.
4. Save the ims.properties file.
5. Open the following file for editing:

/etc/syslog.conf
6. Type the following command to add QRadar as a syslog entry:
*.* @<IP address>
Where <IP address> is the IP address or host name of QRadar.
7. Type the following command to restart the syslog services for Linux.
service syslog restart
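
One way to check the result of the steps above, as an added example that is not part of the original post or of the vendor documentation: it parses the contents of ims.properties and /etc/syslog.conf and reports any entry that does not point at the single intended collector. The function names and the 192.0.2.x addresses are constructed for illustration.

```python
import re

# Key prefixes taken from the steps quoted in the post.
PREFIXES = ("ims.logging.audit.admin", "ims.logging.audit.runtime", "ims.logging.system")

def parse_properties(text):
    """Parse 'key = value' lines, skipping blanks and # / ! comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def forward_targets(syslog_conf):
    """Hosts that receive everything: '*.* @host' (rsyslog also accepts '@@host' for TCP)."""
    pattern = re.compile(r"\s*\*\.\*\s+@{1,2}([^\s#]+)")
    return [m.group(1) for m in map(pattern.match, syslog_conf.splitlines()) if m]

def check(ims_text, syslog_text, collector):
    """Return a list of problems; an empty list means both files match the steps."""
    props = parse_properties(ims_text)
    problems = []
    for prefix in PREFIXES:
        host = props.get(prefix + ".syslog_host")
        if host != collector:  # also catches a leftover '<IP address>' placeholder
            problems.append(f"{prefix}.syslog_host is {host!r}, expected {collector!r}")
        if props.get(prefix + ".use_os_logger", "").lower() != "true":
            problems.append(f"{prefix}.use_os_logger is not true")
    targets = forward_targets(syslog_text)
    if collector not in targets:
        problems.append(f"no '*.* @{collector}' rule in syslog.conf")
    extra = [t for t in targets if t != collector]
    if extra:  # the post wants logs sent to one server only
        problems.append(f"logs also forwarded to: {', '.join(extra)}")
    return problems

# Constructed sample input: correct ims.properties, but a second forwarding rule.
SAMPLE_IMS = "\n".join(
    f"{p}.syslog_host = 192.0.2.10\n{p}.use_os_logger = true" for p in PREFIXES)
SAMPLE_SYSLOG = "# constructed sample\n*.* @192.0.2.10\n*.* @192.0.2.99\n"

if __name__ == "__main__":
    for problem in check(SAMPLE_IMS, SAMPLE_SYSLOG, "192.0.2.10"):
        print("PROBLEM:", problem)
```

On the appliance, pass the text of the two real files and the QRadar address to `check()` in place of the sample strings.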
