Linux OS

The Linux OS DSM for JSA records Linux operating system events and forwards the events using syslog or syslog-ng.

If you are using syslog on a UNIX host, upgrade the standard syslog to a more recent implementation such as syslog-ng.

Note:

Do not run both syslog and syslog-ng at the same time.

To integrate Linux OS with JSA, use one of the following syslog configurations for event collection: Configuring Syslog on Linux OS, or Configuring Syslog-ng on Linux OS.

You can also configure your Linux operating system to send audit logs to JSA. For more information, see Configuring Linux OS to send audit logs.

Supported Event Types

The Linux OS DSM supports the following event types:

  • cron

  • HTTPS

  • FTP

  • NTP

  • Simple Authentication Security Layer (SASL)

  • SMTP

  • SNMP

  • SSH

  • Switch User (SU)

  • Pluggable Authentication Module (PAM) events.

Configuring Syslog on Linux OS

Configuring Linux OS to forward events by using the syslog protocol.

  1. Log in to your Linux OS device, as a root user.

  2. Open the /etc/syslog.conf file and add the following line. Separate the selector from the action with whitespace (traditionally a tab), as the syslog.conf format requires; a single @ sends the events over UDP to port 514:

    authpriv.*    @<ip_address>

    where:

    <ip_address> is the IP address of JSA.

  3. Save the file.

  4. Restart syslog by typing the following command:

    service syslog restart

  5. Log in to the JSA Console.

  6. Add a Linux OS log source on the JSA Console.

    For more information about syslog, see the Linux operating system documentation.
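As an added example (not part of the JSA documentation), the shell script below applies step 2 in a repeatable way: it appends the authpriv.* rule to a syslog.conf-style file only when an equivalent rule is not already present, keeps the whitespace the format requires, and, when the JSA_IP variable is set, restarts syslog and emits a test authpriv event with logger so the integration can be confirmed from the JSA side. It goes a little beyond the procedure in also accepting the rsyslog @@host (TCP) form. The file path, the service name and the address 192.0.2.10 are assumptions to adjust for your host.

```sh
#!/bin/sh
# Added example, not part of the JSA documentation: add a forwarding rule to a
# syslog.conf-style file (sysklogd or rsyslog syntax) only if an equivalent
# rule is not already there, and keep the selector/action whitespace that the
# file format requires. Besides the authpriv rule from the procedure it also
# accepts the rsyslog "@@host" (TCP) form. Paths and addresses are assumptions.
set -u

# escape_re STRING -> STRING with basic-regex metacharacters backslash-escaped
escape_re() {
    printf '%s' "$1" | sed -e 's/[\\.*^$]/\\&/g' -e 's/\[/\\[/g'
}

# has_forward_rule FILE SELECTOR TARGET -> 0 if an uncommented line
# "SELECTOR<whitespace>TARGET" already exists in FILE
has_forward_rule() {
    sel=$(escape_re "$2"); tgt=$(escape_re "$3")
    grep -q "^[[:space:]]*${sel}[[:space:]]\{1,\}${tgt}[[:space:]]*\$" "$1" 2>/dev/null
}

# add_forward_rule FILE SELECTOR TARGET
#   SELECTOR: facility.priority, e.g. "authpriv.*" or "local6.*"
#   TARGET:   "@host" (UDP/514) or "@@host" (TCP/514, rsyslog only)
# Appends the rule if it is missing; returns 1 and changes nothing for a
# TARGET that is not in one of those two forms.
add_forward_rule() {
    file=$1; selector=$2; target=$3
    case $target in
        @@?*|@?*) ;;
        *) echo "add_forward_rule: target must be @host or @@host, got '$target'" >&2
           return 1 ;;
    esac
    has_forward_rule "$file" "$selector" "$target" && return 0
    printf '%s\t%s\n' "$selector" "$target" >> "$file"
}

# Apply for real only when JSA_IP is set, so the file can be sourced or tested
# without touching /etc/syslog.conf. The logger call produces an authpriv
# event that should appear in JSA if the rule and the network path are right.
if [ -n "${JSA_IP:-}" ]; then
    add_forward_rule /etc/syslog.conf 'authpriv.*' "@$JSA_IP" || exit 1
    service syslog restart
    logger -p authpriv.notice "JSA forwarding test from $(hostname)"
fi
```

Run it as JSA_IP=192.0.2.10 sh forward.sh on the Linux host, then search JSA for the "JSA forwarding test" message; if it never arrives, check that UDP 514 is open between the host and JSA before looking at the log source itself.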

Configuring Syslog-ng on Linux OS

If you are using syslog on a UNIX host to forward events, upgrade the standard syslog to syslog-ng, which is a more recent version.

  1. Log in to your Linux OS device, as a root user.

  2. Open the /etc/syslog-ng/syslog-ng.conf file and add the following source, filter, destination, and log statements:

    source qr_source {
        internal();
        system();
    };
    filter qr_filter {
        facility(auth, authpriv);
    };
    destination qr_destination {
        tcp("<JSA_ip_address>" port(514));
    };
    log {
        source(qr_source);
        filter(qr_filter);
        destination(qr_destination);
    };

    Where:

    • <JSA_ip_address> is the IP address of JSA. The tcp() destination sends the events over TCP to port 514.

  3. Save the file.

  4. Restart syslog-ng by typing the following command:

    service syslog-ng restart

  5. Log in to the JSA Console.

  6. Add a Linux OS log source on the JSA Console.

    For more information about syslog-ng, see the Linux operating system documentation.

Configuring Linux OS to Send Audit Logs

Configure Linux OS to send audit logs to JSA.

This task applies to Red Hat Enterprise Linux v6 operating systems.

If you use SUSE, Debian, or Ubuntu operating system, see your vendor documentation for specific steps for your operating system.

  1. Log in to your Linux OS device, as a root user.

  2. Type the following commands:

    yum install audit

    service auditd start

    chkconfig auditd on

  3. Open the /etc/audisp/plugins.d/syslog.conf file and verify that the parameters match the following values. In the audispd syslog plugin the first word of args is the syslog priority and an optional second word is the facility, so if audit events do not arrive on local6 with this value, use args = LOG_INFO LOG_LOCAL6 instead:

    active = yes

    direction = out

    path = builtin_syslog

    type = builtin

    args = LOG_LOCAL6

    format = string

  4. Open the /etc/rsyslog.conf file and add the following line to the end of the file (@@ sends the events over TCP to port 514; a single @ would use UDP):

    local6.*    @@<JSA_ip_address>

    where:

    <JSA_ip_address> is the IP address of JSA.

  5. Restart auditd and rsyslog by typing the following commands:

    service auditd restart

    service rsyslog restart

  6. Log in to the JSA Console.

  7. Add a Linux OS log source on the JSA Console.
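As an added example (not part of the JSA documentation), the shell script below checks an audispd syslog plugin file against the values expected in step 3 and reports every mismatch, so a plugin that was left inactive or pointed at the wrong facility is caught before auditd is restarted. It assumes the "key = value" layout of /etc/audisp/plugins.d/syslog.conf with "#" comments, and it accepts the two-word form "LOG_INFO LOG_LOCAL6" for args as well as the single-word form shown above. The path is passed in, so the check can be run on a copy first.

```sh
#!/bin/sh
# Added example, not part of the JSA documentation: verify that an audispd
# syslog plugin file carries the values the audit procedure expects and
# report each mismatch on stderr. Assumes "key = value" lines with optional
# surrounding whitespace and "#" comments (the layout of
# /etc/audisp/plugins.d/syslog.conf); the file path is an argument.
set -u

# plugin_value FILE KEY -> the value of KEY with surrounding whitespace removed
# (empty if the key is absent or commented out)
plugin_value() {
    awk -v key="$2" -F= '
        /^[ \t]*#/ { next }
        NF >= 2 {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_audisp_syslog FILE -> 0 if every expected key has the expected value;
# otherwise one "key: got ..., want ..." line per mismatch on stderr and 1.
# For args, any value whose last word is LOG_LOCAL6 is accepted, so the
# two-argument form "LOG_INFO LOG_LOCAL6" passes as well.
check_audisp_syslog() {
    file=$1; rc=0
    for pair in active=yes direction=out path=builtin_syslog type=builtin \
                args=LOG_LOCAL6 format=string; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(plugin_value "$file" "$key")
        if [ "$key" = args ]; then
            case $got in *LOG_LOCAL6) continue ;; esac
        fi
        if [ "$got" != "$want" ]; then
            echo "$key: got '${got:-<missing>}', want '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: "sh check_audisp.sh --check" inspects the live plugin file
# and exits non-zero if anything differs, which is the point to stop at before
# "service auditd restart".
if [ "${1:-}" = --check ]; then
    check_audisp_syslog /etc/audisp/plugins.d/syslog.conf || exit 1
fi
```

A quick end-to-end check after the restart is to trigger an audit record, for example by running a failed su attempt, and confirm with ausearch locally that auditd recorded it and then look for the same record on local6 in /var/log/messages before expecting it in JSA.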

Linux OS Sample Event Message

Use this sample event message to verify a successful integration with JSA.

Note:

Due to formatting issues, paste the message format into a text editor and then remove any carriage returns or line feed characters.

Linux OS sample message when you use the syslog protocol

The following sample event message shows that SELinux is preventing /usr/bin/bash from using the transition access.

<13>May 22 05:57:26 gnu.linuxserver.test python: SELinux is preventing /usr/bin/bash from using the transition access on a process.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that bash should be allowed transition access on processes labeled unconfined_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing :#012# ausearch -c 'bash' --raw | audit2allow -M my-bash#012# semodule -i my-bash.pp#012
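As an added example (not part of the JSA documentation), the shell script below decodes the <PRI> at the start of a syslog line into facility.severity, extracts the host and program, and turns the "#012" escapes that rsyslog substitutes for embedded line feeds back into real line breaks, which is what the note above asks you to do by hand. SAMPLE is a shortened copy of the page's message and is constructed test input; the function names are my own.

```sh
#!/bin/sh
# Added example, not part of the JSA documentation: decode the <PRI> of a
# syslog line into facility.severity, pull out host and program, and unfold
# the "#012" escapes rsyslog substitutes for embedded newlines, so the sample
# can be read as the multi-line setroubleshoot message it originally was.
# SAMPLE is a shortened copy of the page's message (constructed test input).
set -u

SAMPLE="<13>May 22 05:57:26 gnu.linuxserver.test python: SELinux is preventing /usr/bin/bash from using the transition access on a process.#012#012***** Plugin catchall (100. confidence) suggests ****#012#012You can generate a local policy module to allow this access.#012# ausearch -c 'bash' --raw | audit2allow -M my-bash#012# semodule -i my-bash.pp#012"

# syslog_pri_name PRI -> "facility.severity" (RFC 3164: PRI = facility*8 + severity)
# Returns 1 for anything that is not a number in 0..191.
syslog_pri_name() {
    case $1 in *[!0-9]*|'') return 1 ;; esac
    [ "$1" -le 191 ] || return 1
    f=$(($1 / 8)); s=$(($1 % 8))
    set -- kern user mail daemon auth syslog lpr news uucp cron authpriv ftp \
           ntp security console clock local0 local1 local2 local3 local4 local5 local6 local7
    eval "fac=\${$((f + 1))}"
    set -- emerg alert crit err warning notice info debug
    eval "sev=\${$((s + 1))}"
    echo "$fac.$sev"
}

# syslog_fields LINE -> "PRI|host|tag" for a BSD-style line such as SAMPLE
# (prints nothing if the line does not have that shape)
syslog_fields() {
    printf '%s\n' "$1" |
      sed -n 's/^<\([0-9]\{1,3\}\)>[A-Z][a-z][a-z] \{1,2\}[0-9]\{1,2\} [0-9:]\{8\} \([^ ]*\) \([^:]*\):.*/\1|\2|\3/p'
}

# unfold_rsyslog_escapes LINE -> the message with #012 turned back into line
# feeds and #015 (carriage return) dropped
unfold_rsyslog_escapes() {
    printf '%s\n' "$1" | awk '{ gsub(/#015/, ""); gsub(/#012/, "\n"); print }'
}

# Stand-alone use: "sh decode.sh --demo" prints the decoded header of SAMPLE
# followed by the message restored to its original lines.
if [ "${1:-}" = --demo ]; then
    fields=$(syslog_fields "$SAMPLE")
    pri=${fields%%|*}
    echo "facility.severity: $(syslog_pri_name "$pri")   host|tag: ${fields#*|}"
    unfold_rsyslog_escapes "$SAMPLE"
fi
```

The decoded header is worth a look: <13> is facility 1 (user), severity 5 (notice), so this setroubleshoot message was not logged under authpriv. A host configured with only the authpriv.* rule from the first procedure would not forward it; widen the selector (for example *.info) if you want SELinux denial advice and other non-authentication events in JSA as well.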