To collect events, you must configure syslog on your PostFix MTA installation to forward mail events to IBM QRadar.
Procedure
- Use SSH to log in to your PostFix MTA installation as a root user.
- Edit the following file:
- To forward all mail events, change the line whose action is -/var/log/maillog/ so that it sends to an IP address instead. Make sure that all other lines remain intact:
  mail.*    @<IP address>
  Where <IP address> is the IP address of the QRadar Console, Event Processor, Event Collector, or all-in-one system.
- Save and exit the file.
- Restart your syslog daemon to apply the changes.
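As an added example that is not part of the IBM documentation, the following POSIX shell script performs the edit from the forwarding step on a syslog.conf-style file and then verifies that only the mail.* line changed, so the result can be checked before the daemon is restarted. The sample configuration, the use of a temporary file in place of the real configuration file, and the collector address 192.0.2.10 are constructed assumptions; the syntax assumed is the classic syslogd/rsyslog selector line.

```shell
#!/bin/sh
# Added example, not from the IBM page. Rewrites the "mail.*" selector line of a
# syslog.conf-style file so its action becomes "@<IP>" (forward to QRadar) while
# every other line is left untouched, then checks the result.

# Constructed sample configuration (assumption: classic syslogd selector syntax).
make_sample_conf() {
  cat <<'EOF'
# Log all kernel messages to the console.
kern.*                                      /dev/console
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
# Log all the mail messages in one place.
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
EOF
}

# forward_mail_to CONF IP: replace the action of every "mail.*" line with @IP.
# If no such line exists, one is appended so forwarding is still configured.
forward_mail_to() {
  conf=$1; ip=$2
  awk -v ip="$ip" '
    $1 == "mail.*" { print "mail.*\t@" ip; seen = 1; next }   # only this line changes
    { print }                                                  # everything else as-is
    END { if (!seen) print "mail.*\t@" ip }
  ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# check_forwarding CONF IP: succeeds only if exactly one "mail.*" line forwards to @IP.
check_forwarding() {
  conf=$1; want="@$2"
  n=$(awk -v want="$want" '$1 == "mail.*" && $2 == want { c++ } END { print c + 0 }' "$conf")
  [ "$n" -eq 1 ]
}

# count_lines CONF: line count, used to confirm nothing else was added or dropped.
count_lines() {
  wc -l < "$1" | tr -d ' '
}
```

A single `@` in the action selects the classic UDP syslog transport; after the restart, confirm on the QRadar side that events from the MTA are arriving.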