Configure IBM QRadar as a Monitoring Sink

You can configure Paragon Automation to send all types of log data to IBM QRadar. We recommend two approaches for different types of logs:

Host Syslog

System logs on Paragon Automation clusters are managed by rsyslog, which supports multiple output modules. Although Paragon Automation monitoring can collect these host system logs, you can instead configure rsyslog to forward them directly to QRadar.

To configure rsyslog to send system log data to QRadar:

  1. Log in to a Paragon Automation cluster node and type exit to access the Linux root shell.

  2. Navigate to the /etc/rsyslog.d/ directory.

  3. Create a .conf configuration file using the rsyslog naming convention, or modify an existing configuration file.

  4. Add the following line to the configuration file.

    Replace qradar_host with your QRadar host IP address or hostname.

  5. Restart the rsyslogd process.

    # service rsyslog restart

    Host system logs will start streaming into QRadar.

Repeat this process on the remaining Paragon Automation cluster nodes.
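
Steps 3 to 5 as a script, as an added example that is not part of the Paragon Automation documentation. It assumes the standard rsyslog forwarding rule `*.* @@host:port` (TCP), port 514, and the drop-in file name 60-qradar.conf, none of which come from this page.

```shell
#!/bin/sh
# Added example, not from the Paragon Automation documentation.
# Assumptions: standard rsyslog forwarding syntax, TCP transport, port 514,
# and the drop-in file name 60-qradar.conf.

# Render the forwarding rule. "@@" selects TCP; a single "@" selects UDP.
render_qradar_rule() {
    host=$1
    port=${2:-514}
    # Accept only hostname/IPv4 characters so nothing else reaches the config.
    case $host in
        ''|*[!A-Za-z0-9.-]*) echo "invalid host: $host" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    printf '*.* @@%s:%s\n' "$host" "$port"
}

# Write the rule into a drop-in directory (default /etc/rsyslog.d).
# The temporary file has no .conf suffix, so rsyslog never loads a partial file.
install_qradar_rule() {
    dir=${3:-/etc/rsyslog.d}
    rule=$(render_qradar_rule "$1" "${2:-514}") || return 1
    tmp=$(mktemp "$dir/.qradar.XXXXXX") || return 1
    printf '%s\n' "$rule" > "$tmp" && chmod 0644 "$tmp" &&
        mv "$tmp" "$dir/60-qradar.conf"
}

# Check the whole rsyslog configuration before restarting (step 5), so a
# syntax error does not stop local logging on the node.
apply_qradar_rule() {
    install_qradar_rule "$@" || return 1
    rsyslogd -N1 || { echo "rsyslog config check failed" >&2; return 1; }
    service rsyslog restart
}

# Usage on each cluster node, as root:
#   apply_qradar_rule qradar_host
```
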

Other Logs Supported by Paragon Automation

For all other types of logs supported by Paragon Automation monitoring (Kubernetes container logs, Docker logs, and audit logs), perform the following steps to send system data to QRadar.

  1. Log in to a Paragon Automation cluster node and type configure in Paragon Shell to enter the configuration mode.

  2. Enter the following commands in configuration mode.

    Replace ID with the ID of the log source. Retrieve the source ID using the show paragon monitoring source ? command.

    To add multiple inputs, repeat the inputs command for different IDs or specify a list of inputs.

  3. Type commit and-quit to commit the configuration and exit configuration mode.

  4. Deploy the monitoring updates.