Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Linux OS

The Linux OS DSM for JSA records Linux operating system events and forwards the events using syslog or syslog-ng.

If you are using syslog on a UNIX host, upgrade the standard syslog to a more recent version, such as, syslog-ng.

Note:

Do not run both syslog and syslog-ng at the same time.

To integrate Linux OS with JSA, select one of the following syslog configurations for event collection:

You can also configure your Linux operating system to send audit logs to JSA. For more information, see Configuring Linux OS to send audit logsConfigure Linux OS to send audit logs to JSA..

Supported Event Types

The Linux OS DSM supports the following event types:

  • cron

  • HTTPS

  • FTP

  • NTP

  • Simple Authentication Security Layer (SASL)

  • SMTP

  • SNMP

  • SSH

  • Switch User (SU)

  • Pluggable Authentication Module (PAM) events.

Configuring Syslog on Linux OS

Configuring Linux OS to forward events by using the syslog protocol.

  1. Log in to your Linux OS device, as a root user.

  2. Open the /etc/syslog.conf file and add the following facility information:

    authpriv.*@<ip_address>

    where:

    <ip_address> is the IP address of JSA.

  3. Save the file.

  4. Restart syslog by typing the following command:

    service syslog restart

  5. Log in to the JSA Console.

  6. Add a Linux OS log source on the JSA Console.

    For more information about syslog, see the Linux operating system documentation.

Configuring Syslog-ng on Linux OS

If you are using syslog on a UNIX host to forward events, upgrade the standard syslog to syslog-ng, which is a more recent version.

  1. Log in to your Linux OS device, as a root user.

  2. Open the /etc/syslog-ng/syslog-ng.conf file and add the following facility information:

    source qr_source {

    internal();

    system();

    };

    filter qr_filter {

    facility(auth, authpriv);

    };

    destination qr_destination {

    tcp("<qradar_ip_address>" port(514));

    };

    log{

    source(qr_source);

    filter(qr_filter);

    destination(qr_destination);

    };

    Where:

    • <JSA_ip_address> is the IP address of the JSA.

  3. Save the file.

  4. Restart syslog-ng by typing the following command:

    service syslog-ng restart

  5. Log in to the JSA Console.

  6. Add a Linux OS log source on the JSA Console.

    For more information about syslog-ng, see the Linux operating system documentation.

Configuring Linux OS to Send Audit Logs

Configure Linux OS to send audit logs to JSA.

This task applies to Red Hat Enterprise Linux v6 operating systems.

If you use SUSE, Debian, or Ubuntu operating system, see your vendor documentation for specific steps for your operating system.

  1. Log in to your Linux OS device, as a root user.

  2. Type the following command:

    yum install audit service auditd start chkconfig auditd on

  3. Open the /etc/audisp/plugins.d/syslog.conf file and verify that the parameters match the following values:

    active = yes direction = out path = builtin_syslog type = builtin args = LOG_LOCAL6 format = string

  4. Open the /etc/rsyslog.conf file and add the following line to the end of the file:

    local6.* @@ JSA_Collector_IP_address

  5. Type the following commands:

    1. service auditd restart

    2. service syslog restart

  6. Log in to the JSA Console..

  7. Add a Linux OS log source on the JSA Console.

Linux OS Sample Event Message

Use this sample event message to verify a successful integration with JSA.

Note:

Due to formatting issues, paste the message format into a text editor and then remove any carriage returns or line feed characters.

Linux OS sample message when you use the syslog protocol

The following sample event message shows that SELinux is preventing /usr/bin/bask from using the transition access.

<13>May 22 05:57:26 gnu.linuxserver.test python: SELinux is preventing /usr/bin/bash from using the transition access on a process.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that bash should be allowed transition access on processes labeled unconfined_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing :#012# ausearch -c 'bash' --raw | audit2allow -M my-bash#012# semodule -i my-bash.pp#012