Scribd Logo
Upload

Welcome to Scribd!

  • QRADAR Linux OS - Guia Integracao

    Uploaded by

    Paulo
    8 views6 pages
    The document provides instructions for configuring Linux systems to send syslog and audit log data to an IBM QRadar SIEM. It includes steps for configuring rsyslog, syslog-ng, and the audit daemon to send logs to QRadar and modifying configuration files to define what events are logged. References for further information on integrating Linux with QRadar are also provided.

    Original Description:

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The document provides instructions for configuring Linux systems to send syslog and audit log data to an IBM QRadar SIEM. It includes steps for configuring rsyslog, syslog-ng, and the audit daemon to send logs to QRadar and modifying configuration files to define what events are logged. References for further information on integrating Linux with QRadar are also provided.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    8 views6 pages

    QRADAR Linux OS - Guia Integracao

    Uploaded by

    Paulo
    The document provides instructions for configuring Linux systems to send syslog and audit log data to an IBM QRadar SIEM. It includes steps for configuring rsyslog, syslog-ng, and the audit daemon to send logs to QRadar and modifying configuration files to define what events are logged. References for further information on integrating Linux with QRadar are also provided.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 6

    -

    QRadar
    15/12/2021

    SIEM IBM QRadar


    Guia Integração

    Agosto 2022

    Matheus Queiroz

    matheus.queiroz@redbelt.com.br

    Thiago Felipe Karas

    thiago.karas@redbelt.com.br

    Data: 15/12/2021

    1
    -
    QRadar
    15/12/2021

    Linux OS
    Configuring syslog/rsyslog on Linux OS

    1 – Faça login como usuário “root” no servidor;

    2 – Abra o arquivo /etc/syslog.conf e /etc/rsyslog.conf, e adicione a seguinte linha:

    authpriv.* @IPCOLETORA
    local6.* @IPCOLETORA

    3 – Instalar auditd e audispd-plugins

    $ sudo yum install auditd


    $ sudo yum install audispd-plugins

    4 – Iniciar o serviço de auditd e ativação do chkconfig:

    $ sudo service auditd start


    $ sudo chkconfig auditd on

    5 – Editar o syslog.conf do audit em:

    $ sudo vim /etc/audisp/plugins.d/syslog.conf


    ou
    $ sudo vim /etc/audit/plugins.d/syslog.conf

    6 – Inserir o conteúdo abaixo:

    active = yes
    direction = out
    path = builtin_syslog
    type = builtin
    args = LOG_LOCAL6
    format = string

    7– Editar o audit.rules em:

    $ sudo vim /etc/audit/audit.rules


    ou
    $ sudo vim /etc/audit/rules.d/audit.rules

    Data: 15/12/2021

    2
    -
    QRadar
    15/12/2021

    8 – Inserir o conteúdo abaixo:

    -w /var/spool/atspool
    -w /etc/at.allow
    -w /etc/at.deny
    -w /etc/cron.allow -p wa
    -w /etc/cron.deny -p wa
    -w /etc/cron.d/ -p wa
    -w /etc/cron.daily/ -p wa
    -w /etc/cron.hourly/ -p wa
    -w /etc/cron.monthly/ -p wa
    -w /etc/cron.weekly/ -p wa
    -w /etc/crontab -p wa
    -w /var/spool/cron/root
    -w /etc/group -p wa
    -w /etc/passwd -p wa
    -w /etc/resolv.conf -p wa
    -w /etc/shadow
    -w /etc/login.defs -p wa
    -w /etc/securetty
    -w /var/log/lastlog
    -w /etc/hosts -p wa
    -w /etc/sysconfig/
    -w /etc/init.d/
    -w /etc/ld.so.conf -p wa
    -w /etc/localtime -p wa
    -w /etc/sysctl.conf -p wa
    -w /etc/modprobe.d/
    -w /etc/modprobe.conf.local -p wa
    -w /etc/modprobe.conf -p wa
    -w /etc/pam.d/
    -w /etc/aliases -p wa
    -w /etc/postfix/ -p wa
    -w /etc/ssh/sshd_config
    -w /etc/stunnel/stunnel.conf
    -w /etc/stunnel/stunnel.pem
    -w /etc/vsftpd.ftpusers
    -w /etc/vsftpd.conf
    -a exit,always -S sethostname
    -w /etc/issue -p wa
    -w /etc/issue.net -p wa

    9 – Salve o arquivo;

    10 – Reiniciar o auditd e rsyslog:

    $ sudo service syslog restart


    $ sudo service rsyslog restart

    Data: 15/12/2021

    3
    -
    QRadar
    15/12/2021

    Configuring syslog-ng on Linux OS

    1 – Faça login como usuário “root” no servidor;

    2 – Abra o arquivo /etc/syslog-ng/syslog-ng.conf, e adicione as seguintes informações:

    source qr_source {

    internal();

    system();

    };

    filter qr_filter {

    facility(auth, authpriv);

    };

    destination qr_destination {

    tcp(10.150.10.74 port(514));

    };

    log{

    source(qr_source);

    filter(qr_filter);

    destination(qr_destination);

    };

    3 – Salve o arquivo;

    4 – Restart o serviço do syslog-ng

    $ sudo service syslog-ng restart

    Configuring Linux OS to send audit logs

    Este processo se aplica às distribuições Red Hat, porém para SUSE, Debian, Ubuntu,
    etc., verificar nas documentações da distribuição.

    Data: 15/12/2021

    4
    -
    QRadar
    15/12/2021

    1 – Faça login como usuário “root” no servidor;

    2 – Digite os seguintes comandos:

    yum install audit

    service auditd start

    chkconfig auditd on

    3 – Abra o arquivo /etc/audisp/plugins.d/syslog.conf e ajuste os parâmetros de acordo


    com:

    active = yes

    direction = out

    path = builtin_syslog

    type = builtin

    args = LOG_LOCAL6

    format = string

    4 – Abra o arquivo /etc/rsyslog.conf e adicione também a seguinte linha:

    local6.* @@10.150.10.74

    5 – Reinicie os serviços com:

    $ service auditd restart

    $ service rsyslog restart

    Data: 15/12/2021

    5
    -
    QRadar
    15/12/2021

    Referências - URLs

    Linux OS

    https://www.ibm.com/docs/en/dsm?topic=linux-os

    Data: 15/12/2021

    You might also like