Table of Contents

• Adding Debian Syslog as a Log Source
  • Checking Debian syslog activity
• Adding WinCollect as a Log Source
  • Checking Windows syslog activity

Adding Debian Syslog as a Log Source

First, use apt to install rsyslog and then edit its config file.

Add the line above to the config. This routes all syslog traffic to the QRadar server's IP address via UDP port 514.

Restart the rsyslog service daemon

Checking Debian syslog activity

Creating a user named qradar so the action gets caught by syslog.

Logs appear, the highlighted Unknown event may be the one

Payload contains the details of the account creation

Adding WinCollect as a Log Source

WinCollect converts Windows logs to syslog and forwards them to your QRadar server.

WinCollect can be downloaded from IBM Support.

The .msi must be executed from an admin terminal

When prompted, type in the QRadar sever's IP address

Once setup is completed, the WinCollect instance is automatically added as a log source

Checking Windows syslog activity

Performing the same user account creation test, but on Windows

WinCollect user account creation log appears

Event Information

Payload Information