
Configuring Suricata to Communicate with JSA

To send events to JSA, you must configure a Syslog integration.

Before you begin

You must have access to the Suricata device and have the permissions to write to configuration files and to restart services. You need a username and password, such as Windows or Linux login information, for the system where you installed Suricata.

Ensure that rsyslog is installed on the system where you installed Suricata. For more information, see the rsyslog website.

  1. Log in to the Suricata device.
  2. Open the Suricata configuration file, suricata.yaml, located in the Suricata installation directory, and update the eve-log entry under the outputs header so that alerts are written to Syslog.

    Use the following example as a guide:

    The <facility> variable is a Syslog facility name between local0 and local7, such as local5.

  3. Open the rsyslog configuration file called /etc/rsyslog.conf and add a forwarding rule to send the alerts to JSA.

    Use the following example as a guide:

    <facility>.* @@<JSA IP/hostname>:514

    The <facility> variable is the same Syslog facility that you configured in the previous step. The <JSA IP/hostname> is the IP address or hostname of the JSA Console or managed host that you want to forward Suricata alerts to. The double @@ tells rsyslog to forward over TCP (a single @ would use UDP), so the JSA host must be reachable on TCP port 514.

  4. Restart the Suricata and rsyslog services so that both configuration changes take effect.
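The two configuration fragments that steps 2 and 3 call for, generated by an added POSIX shell example that is not part of the JSA documentation. It assumes facility local5, a constructed JSA address of 192.0.2.10 and the Syslog identity string "suricata"; replace these with your own values.

```shell
#!/bin/sh
# Added example (not from the JSA documentation): build the suricata.yaml
# eve-log fragment and the rsyslog forwarding rule after validating the
# inputs. Facility must be local0..local7; host, port and identity are
# assumptions for this example.

# Return 0 if the facility is one of local0..local7, otherwise 1.
valid_facility() {
    case "$1" in
        local[0-7]) return 0 ;;
        *) return 1 ;;
    esac
}

# suricata.yaml eve-log fragment: send alerts to Syslog instead of a file.
# filetype, identity, facility, level and types are Suricata eve-log keys.
eve_log_syslog_snippet() {
    facility="$1"
    valid_facility "$facility" || return 1
    cat <<EOF
outputs:
  - eve-log:
      enabled: yes
      filetype: syslog
      identity: "suricata"
      facility: ${facility}
      level: Info
      types:
        - alert
EOF
}

# rsyslog forwarding rule. "@@" forwards over TCP; a single "@" would be UDP.
rsyslog_forward_rule() {
    facility="$1"; jsa_host="$2"; port="${3:-514}"
    valid_facility "$facility" || return 1
    case "$port" in ''|*[!0-9]*) return 1 ;; esac   # digits only
    printf '%s.* @@%s:%s\n' "$facility" "$jsa_host" "$port"
}

# Usage with constructed values (192.0.2.10 is a documentation-only address).
main() {
    eve_log_syslog_snippet local5
    rsyslog_forward_rule local5 192.0.2.10 514
}
```

Paste the first fragment into suricata.yaml and append the second line to /etc/rsyslog.conf before restarting both services.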