We are trying to set up logging for QRadar following their documentation to add the configuration from the command line. I see that you can set logging from the Security Console. Is there any reason we can't do this from the GUI? Note: we only want to send logs to one server.
3. Add the following entries to the ims.properties file:
ims.logging.audit.admin.syslog_host = <IP address>
ims.logging.audit.admin.use_os_logger = true
ims.logging.audit.runtime.syslog_host = <IP address>
ims.logging.audit.runtime.use_os_logger = true
ims.logging.system.syslog_host = <IP address>
ims.logging.system.use_os_logger = true
Where <IP address> is the IP address or host name of IBM QRadar.
4. Save the ims.properties file.
5. Open the following file for editing:
6. Type the following command to add QRadar as a syslog entry:
*.* @<IP address>
Where <IP address> is the IP address or host name of QRadar.
7. Type the following command to restart the syslog services for Linux.
service syslog restart
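
A check for the edits in steps 3 to 6, added here as an example; it is not part of the quoted procedure or of the original post. The two file paths are supplied by the caller because the page does not give them, and the function names and the address `192.0.2.10` are constructed for the demo.

```shell
#!/bin/sh
# Added example: verify that the ims.properties entries and the syslog forwarding
# rule all point at one and the same collector. Usage: script PROPS SYSLOG_CONF HOST
HOST_KEYS="ims.logging.audit.admin.syslog_host ims.logging.audit.runtime.syslog_host ims.logging.system.syslog_host"
FLAG_KEYS="ims.logging.audit.admin.use_os_logger ims.logging.audit.runtime.use_os_logger ims.logging.system.use_os_logger"

# prop_value FILE KEY: print the value of the last uncommented "KEY = value" line.
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# check_qradar_logging PROPS SYSLOG_CONF HOST: returns 0 only when all six entries
# are set as in step 3 and SYSLOG_CONF forwards to HOST and to no other destination.
check_qradar_logging() {
    props=$1 conf=$2 host=$3 rc=0
    for k in $HOST_KEYS; do
        v=$(prop_value "$props" "$k")
        [ "$v" = "$host" ] || { echo "FAIL $k = '$v' (want $host)"; rc=1; }
    done
    for k in $FLAG_KEYS; do
        v=$(prop_value "$props" "$k")
        [ "$v" = "true" ] || { echo "FAIL $k = '$v' (want true)"; rc=1; }
    done
    # Uncommented forwarding rules: "selector @host" (UDP) or "@@host" (TCP in rsyslog).
    dests=$(awk '!/^[ \t]*#/ && $2 ~ /^@/ { d = $2; sub(/^@+/, "", d); sub(/:[0-9]+$/, "", d); print d }' "$conf" | sort -u)
    [ "$dests" = "$host" ] || { echo "FAIL forwarding destinations: '$(echo $dests)' (want only $host)"; rc=1; }
    return $rc
}

# Demo on constructed sample files (192.0.2.10 is a documentation address).
demo() {
    d=$(mktemp -d)
    for k in $HOST_KEYS; do echo "$k = 192.0.2.10"; done > "$d/ims.properties"
    for k in $FLAG_KEYS; do echo "$k = true"; done >> "$d/ims.properties"
    echo '*.* @192.0.2.10' > "$d/syslog.conf"
    check_qradar_logging "$d/ims.properties" "$d/syslog.conf" 192.0.2.10 && echo "OK: one destination"
    rm -rf "$d"
}
if [ "$#" -eq 3 ]; then check_qradar_logging "$@"; else demo; fi
```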