The process for forwarding logs to QRadar varies depending on the operating system and the type of log. Standard log forwarding for most devices is done via the Syslog protocol. For Windows, IBM recommends using the WinCollect agent, while Linux hosts can be configured to forward logs using their built-in rsyslog or syslog-ng services.
Prerequisites
Before you begin, ensure you have the following in place:
- Network connectivity: Your log sources must be able to communicate with the QRadar Event Collector or Console over the designated port (e.g., UDP 514 or TCP 514 for Syslog).
- Administrative access: You need administrative privileges on both the QRadar Console and the log-generating devices.
- Available QRadar resources: Confirm that your QRadar Event Collector has the capacity to handle the new log sources without performance issues.
Log forwarding from Windows with WinCollect
For Windows systems, the IBM WinCollect agent is the most efficient and recommended method for collecting Windows event logs. It can be configured for local collection or to remotely poll other Windows machines.
Part 1: Install the WinCollect agent on your Windows host
- Download the WinCollect agent installer from IBM Fix Central.
- Run the installer on the Windows machine designated to collect events.
- During installation, specify if the agent is a standalone agent or a managed agent. For most deployments, a managed agent is best.
- If installing a managed agent, you must provide the IP address of your QRadar Console or Event Collector to complete the setup.
Part 2: Create a log source in QRadar
- On the QRadar console, navigate to the Admin tab and open the QRadar Log Source Management app.
- Click + New Log Source and select Single Log Source.
- For the Log Source Type, select Microsoft Windows Security Event Log. QRadar uses this for both local and remotely polled events from Windows.
- Select the WinCollect protocol type.
- Configure the protocol parameters:
- Agent: Select the WinCollect agent you installed from the list.
- Managed Host: Select your Event Collector or Console.
- Log Source Identifier: Enter the hostname or IP address of the Windows machine that is forwarding logs.
- Click Save.
- Deploy the changes from the Admin tab.
Log forwarding from Linux using rsyslog
Most Linux distributions use rsyslog for system logging. You can configure it to forward logs to your QRadar deployment.
Part 1: Configure the Linux host
- Log into your Linux server as the root user.
- Open the /etc/rsyslog.conf file using a text editor like vi.
- Add a forwarding rule at the end of the file. The format depends on whether you want to use TCP or UDP:
- For UDP:
*.* @<qradar_ip_address>:514
- For TCP:
*.* @@<qradar_ip_address>:514
- Save and close the file.
- Restart the rsyslog service to apply the new configuration. The command depends on your Linux distribution:
- Red Hat/CentOS:
sudo systemctl restart rsyslog
- Ubuntu:
sudo service rsyslog restart
Part 2: Create a log source in QRadar
- In the QRadar Log Source Management app, click + New Log Source.
- Select Single Log Source.
- For the Log Source Type, select Linux OS.
- Select the Syslog protocol type.
- Configure the protocol parameters:
- Log Source Identifier: Enter the IP address of your Linux host.
- Click Save.
- Deploy the changes from the Admin tab. QRadar will often auto-discover syslog-based log sources after receiving a certain number of events.
Log forwarding from other network devices via Syslog
Many network devices, such as routers, firewalls, and switches, can be configured to send Syslog events directly to QRadar.
- Configure the device: Log into the device's administrative interface. Find the logging or monitoring section and specify the QRadar Event Collector's IP address and the Syslog port (usually UDP 514) as the remote logging server.
- Create a log source in QRadar:
- In the QRadar Log Source Management app, create a new log source.
- Select the Log Source Type that matches your device (e.g., Cisco IOS, Juniper ScreenOS). If no specific DSM exists, you can use Universal DSM.
- Select the Syslog protocol type.
- Configure the protocol parameters, including the Log Source Identifier, which should be the IP address of your device.
- Save and Deploy the changes.
Final analysis and verification
After completing the configuration, verify that logs are correctly flowing into QRadar and being parsed by the appropriate Device Support Module (DSM).
- Check Log Activity: Navigate to the Log Activity tab on your QRadar console. You should start seeing events from your newly configured log sources.
- Inspect Events: Double-click on an event to open it. Check that the parsed fields (e.g., Source IP, Destination IP, Event Name) are correctly identified. If events are not parsed correctly, it may indicate a misconfiguration on the log source or the need for a specific DSM update.
- Confirm Auto-Discovery: In the case of Syslog-based logs, QRadar often auto-discovers the log source once it receives a sufficient number of events. A log source with a manually configured log source identifier and a correctly formatted payload is more likely to be auto-discovered and correctly parsed.
- Troubleshoot: If logs are not arriving, confirm network connectivity and port accessibility. Use a tool like tcpdump on your QRadar appliance to verify that packets are being received on the Syslog port.
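Two details in the rsyslog and verification steps above are easy to get wrong: the single `@` (UDP) versus double `@@` (TCP) target in the forwarding rule, and the requirement that the hostname in the syslog header line up with the Log Source Identifier you typed into the QRadar log source. The Python below is an added example, not IBM's code or part of this page, that lets you check both offline: it writes the rsyslog rule for a given transport, composes an RFC 3164 (BSD-format) payload the way a default rsyslog forwards it, parses it back into the header fields a syslog DSM works from (facility, severity, timestamp, hostname, tag), and compares the hostname against the identifier. It assumes QRadar keys a Syslog event to its log source by that header hostname; the function names, the address 10.20.30.40 and the sample sshd and firewall events are constructed for the example.

```python
"""Added example, not IBM's or this page's own code: build and parse RFC 3164
(BSD) syslog payloads offline to see what QRadar will receive from a
forwarding host, and check the header hostname against the Log Source
Identifier configured in the QRadar log source."""
import re
import socket
import time
from dataclasses import dataclass
from typing import Optional

# Facility and severity codes from RFC 3164 section 4.1.1; PRI = facility*8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG  (TAG matching is lenient: a payload
# with no tag has its first word captured as the tag.)
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:? ?"
    r"(?P<msg>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogEvent:
    facility: str
    severity: str
    timestamp: str
    hostname: str
    tag: str
    pid: Optional[int]
    message: str


def forward_rule(proto: str, qradar_ip: str, port: int = 514) -> str:
    """rsyslog.conf line for the QRadar target: '@' is UDP, '@@' is TCP."""
    if proto not in ("udp", "tcp"):
        raise ValueError("proto must be 'udp' or 'tcp'")
    return f"*.* {'@' if proto == 'udp' else '@@'}{qradar_ip}:{port}"


def build_message(hostname, tag, message, facility="auth", severity="info", pid=None, ts=None):
    """Compose a payload the way a BSD-format forwarder such as rsyslog does."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    if ts is None:
        t = time.localtime()  # RFC 3164 day-of-month is space padded, e.g. "Mar  5"
        ts = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    tag_part = f"{tag}[{pid}]" if pid is not None else tag
    return f"<{pri}>{ts} {hostname} {tag_part}: {message}"


def parse_message(raw: str) -> SyslogEvent:
    """Split a payload into the header fields a syslog DSM parses."""
    m = _RFC3164.match(raw)
    if not m:
        raise ValueError(f"not an RFC 3164 payload: {raw!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # 23*8 + 7 is the largest valid PRI
        raise ValueError(f"PRI {pri} out of range")
    return SyslogEvent(
        facility=FACILITIES[pri >> 3], severity=SEVERITIES[pri & 7],
        timestamp=m.group("ts"), hostname=m.group("host"), tag=m.group("tag"),
        pid=int(m.group("pid")) if m.group("pid") else None, message=m.group("msg"),
    )


def check_identifier(raw: str, log_source_identifier: str):
    """Assumption: QRadar keys a Syslog event to its log source by the header
    hostname. A short hostname in the header with an IP as the identifier (or
    the reverse) can leave events on an auto-discovered source instead."""
    ev = parse_message(raw)
    if ev.hostname == log_source_identifier:
        return True, "header hostname matches the Log Source Identifier"
    return False, f"header hostname {ev.hostname!r} != identifier {log_source_identifier!r}"


def send_test_event(raw: str, qradar_ip: str, port: int = 514, proto: str = "udp") -> None:
    """Send one payload the way the '@' (UDP) / '@@' (TCP) targets do; only
    for a live check against a collector, the offline checks never call it."""
    data = raw.encode()
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (qradar_ip, port))
    else:
        with socket.create_connection((qradar_ip, port), timeout=5) as s:
            s.sendall(data + b"\n")  # rsyslog TCP framing is newline-delimited


if __name__ == "__main__":
    # Constructed sample: a Linux host whose log source identifier is its IP.
    raw = build_message("10.20.30.40", "sshd", "Accepted publickey for ops from 192.0.2.7 port 51234 ssh2",
                        pid=1234, ts="Mar  5 14:02:11")
    print(forward_rule("tcp", "10.20.30.40"), raw, parse_message(raw), check_identifier(raw, "10.20.30.40"), sep="\n")
```

Run the `check_identifier` step on a payload captured with tcpdump on the appliance: if it reports a mismatch, the fix is on the forwarding host (rsyslog's hostname handling) or in the log source's identifier, not in the DSM. If you forward over UDP, remember that a missing event in Log Activity can simply be packet loss; the `@@` TCP target at least fails visibly on the sending side.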