Linux OS
The Linux OS DSM for JSA records Linux operating system events and forwards the events using syslog or syslog-ng.
If you are using syslog on a UNIX host, upgrade the standard syslog to a more recent version, such as syslog-ng.
Do not run both syslog and syslog-ng at the same time.
To integrate Linux OS with JSA, select one of the following syslog configurations for event collection: Configuring Syslog on Linux OS, or Configuring Syslog-ng on Linux OS.
You can also configure your Linux operating system to send audit logs to JSA. For more information, see Configuring Linux OS to send audit logs.
Supported Event Types
The Linux OS DSM supports the following event types:
cron
HTTPS
FTP
NTP
Simple Authentication Security Layer (SASL)
SMTP
SNMP
SSH
Switch User (SU)
Pluggable Authentication Module (PAM) events.
Configuring Syslog on Linux OS
Configure Linux OS to forward events by using the syslog protocol.
Log in to your Linux OS device as the root user.
Open the /etc/syslog.conf file and add the following facility information:
authpriv.*	@<ip_address>
where:
<ip_address> is the IP address of JSA.
Save the file.
Restart syslog by typing the following command:
service syslog restart
Log in to the JSA Console.
Add a Linux OS log source on the JSA Console.
For more information about syslog, see the Linux operating system documentation.
Configuring Syslog-ng on Linux OS
If you are using syslog on a UNIX host to forward events, upgrade the standard syslog to syslog-ng, which is a more recent version.
Log in to your Linux OS device as the root user.
Open the /etc/syslog-ng/syslog-ng.conf file and add the following facility information:
source qr_source {
    internal();
    system();
};
filter qr_filter {
    facility(auth, authpriv);
};
destination qr_destination {
    tcp("<JSA_ip_address>" port(514));
};
log {
    source(qr_source);
    filter(qr_filter);
    destination(qr_destination);
};
Where:
<JSA_ip_address> is the IP address of the JSA.
Save the file.
Restart syslog-ng by typing the following command:
service syslog-ng restart
Log in to the JSA Console.
Add a Linux OS log source on the JSA Console.
For more information about syslog-ng, see the Linux operating system documentation.
Configuring Linux OS to Send Audit Logs
Configure Linux OS to send audit logs to JSA.
This task applies to Red Hat Enterprise Linux v6 operating systems.
If you use SUSE, Debian, or Ubuntu operating system, see your vendor documentation for specific steps for your operating system.
Log in to your Linux OS device as the root user.
Type the following commands:
yum install audit
service auditd start
chkconfig auditd on
Open the /etc/audisp/plugins.d/syslog.conf file and verify that the parameters match the following values:
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_LOCAL6
format = string
Open the /etc/rsyslog.conf file and add the following line to the end of the file:
local6.* @@<QRadar_Collector_IP_address>
Type the following commands:
service auditd restart
service syslog restart
Log in to the JSA Console.
Add a Linux OS log source on the JSA Console.
Linux OS Sample Event Message
Use this sample event message to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage returns or line feed characters.
Linux OS sample message when you use the syslog protocol
The following sample event message shows that SELinux is preventing /usr/bin/bash from using the transition access.
<13>May 22 05:57:26 gnu.linuxserver.test python:
SELinux is preventing /usr/bin/bash from using the transition access
on a process.#012#012***** Plugin catchall (100. confidence) suggests
**************************#012#012If you believe that bash should
be allowed transition access on processes labeled unconfined_t by
default.#012Then you should report this as a bug.#012You can generate
a local policy module to allow this access.#012Do#012allow this access
for now by executing :#012# ausearch -c 'bash' --raw | audit2allow
-M my-bash#012# semodule -i my-bash.pp#012
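As an added example (not part of the Juniper documentation or the JSA parser), the following Python splits a line shaped like the sample message above into its syslog fields, decodes the PRI value into facility and severity, restores the #012 sequences that rsyslog and syslog-ng use to escape embedded newlines (the line-feed characters the note above tells you to remove), and checks whether a facility selector such as authpriv.* would forward the event. The sample line is constructed from the page's message; note that its PRI of 13 is user.notice, so the authpriv-only rules in the syslog and syslog-ng sections would not forward it.

```python
import re

# Facility and severity names from the BSD syslog PRI encoding (RFC 3164):
# PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Layout of a traditional (RFC 3164) syslog line: <PRI>TIMESTAMP HOST TAG: MSG
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): ?(?P<msg>.*)$", re.DOTALL)


def decode_syslog_escapes(text):
    """Turn the '#ooo' octal control-character escapes written by rsyslog and
    syslog-ng (e.g. #012 = newline, #011 = tab) back into the original characters."""
    return re.sub(r"#([0-3][0-7]{2})", lambda m: chr(int(m.group(1), 8)), text)


def parse_syslog_line(line):
    """Split one syslog line into PRI, facility, severity, timestamp, host, tag and message."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not a recognisable BSD syslog line")
    pri = int(m.group("pri"))
    if pri > 191:  # highest valid PRI is local7.debug = 23 * 8 + 7
        raise ValueError("PRI out of range")
    return {
        "pri": pri,
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "message": decode_syslog_escapes(m.group("msg")),
    }


def forwarded_by_facilities(event, facilities):
    """True if a selector such as 'authpriv.*' or a syslog-ng filter such as
    facility(auth, authpriv) covering the given facilities would forward this event.
    A '*' entry stands for the catch-all selector '*.*'."""
    return "*" in facilities or event["facility"] in facilities


# Constructed sample line, shaped like the SELinux sample message on this page.
SAMPLE = ("<13>May 22 05:57:26 gnu.linuxserver.test python: SELinux is preventing "
          "/usr/bin/bash from using the transition access on a process.#012#012"
          "***** Plugin catchall (100. confidence) suggests ******#012")

if __name__ == "__main__":
    ev = parse_syslog_line(SAMPLE)
    print(ev["facility"], ev["severity"], ev["host"], ev["tag"])
    print("forwarded by authpriv.* rule:", forwarded_by_facilities(ev, {"auth", "authpriv"}))
```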