Configuring IPtables for Multiline UDP Syslog Events

 

The UDP multiline protocol for Open LDAP requires that events from your Open LDAP servers are redirected from UDP port 514 to another JSA port. You must configure IPtables on your JSA console, or on each JSA Event Collector that receives multiline UDP syslog events from an Open LDAP server.

To configure JSA to redirect multiline UDP syslog events:

  1. Using SSH, log in to JSA as the root user.

    Login: <root>

    Password: <password>

  2. Type the following command to edit the IPtables file:

    vi /opt/qradar/conf/iptables-nat.post

    The IPtables NAT configuration file is displayed.

  3. Add a NAT rule for each Open LDAP server that redirects syslog events arriving on UDP port 514 to the UDP port used by the UDP Multiline protocol, for example UDP port 517:

    Where:

    <IP address> is the IP address of your Open LDAP server.

    <New port> is the port number that is configured in the UDP Multiline protocol for Open LDAP.

    You must include a redirect rule for each Open LDAP IP address that sends events to your JSA console or Event Collector. For example, if three Open LDAP servers send events to one Event Collector, you add three redirect rules, one for each server IP address.

  4. Save your IPtables NAT configuration.

    You are now ready to configure IPtables on your JSA console or Event Collector to accept events from your Open LDAP servers.

  5. Type the following command to edit the IPtables file:

    vi /opt/qradar/conf/iptables.post

    The IPtables configuration file is displayed.

  6. Type the following command to instruct JSA to allow communication from your Open LDAP servers:

    -I QChain 1 -m udp -p udp --src <IP address> --dport <New port> -j ACCEPT

    Where:

    <IP address> is the IP address of your Open LDAP server.

    <New port> is the port number that is configured in the UDP Multiline protocol for Open LDAP.

    You must include an ACCEPT rule for each Open LDAP IP address that sends events to your JSA console or Event Collector. For example, if three Open LDAP servers send events to one Event Collector, you add three ACCEPT rules, one for each server IP address.

  7. Type the following command to update IPtables in JSA:

    /opt/qradar/bin/iptables_update.pl
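The following script is an added example and is not part of the JSA documentation or JSA's own tooling. It generates the pair of rules that steps 3 and 6 call for, one pair per Open LDAP server, and appends them to the two .post files without creating duplicates when it is run a second time. The NAT rule uses the standard iptables PREROUTING/REDIRECT form, which is assumed here because the page shows only the QChain ACCEPT rule; the addresses 10.10.10.10 to 10.10.10.12, port 517 and the scratch file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not JSA's own code): build the iptables NAT and filter rules
# described in the procedure above and append them idempotently to the .post
# files, so a repeated run does not stack duplicate rules.

# Small IPv4 sanity check so a typo does not end up in a live firewall rule.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# NAT rule for iptables-nat.post. The PREROUTING/REDIRECT form is standard
# iptables syntax assumed here; the page itself shows only the filter rule.
nat_rule() {
    printf '%s\n' "-A PREROUTING -p udp --dport 514 -s $1 -j REDIRECT --to-port $2"
}

# Filter rule for iptables.post, matching the rule shown in step 6.
filter_rule() {
    printf '%s\n' "-I QChain 1 -m udp -p udp --src $1 --dport $2 -j ACCEPT"
}

# Append a line to a file only if that exact line is not already present.
append_once() {
    file=$1; line=$2
    grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# Write both rules for every server. Arguments: nat_file filter_file port ip...
# Returns 1 and writes nothing further if an address or the port is invalid.
add_openldap_rules() {
    nat_file=$1; filter_file=$2; port=$3; shift 3
    { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } 2>/dev/null || {
        echo "rejecting bad port: $port" >&2; return 1; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "rejecting bad address: $ip" >&2; return 1; }
        append_once "$nat_file" "$(nat_rule "$ip" "$port")"
        append_once "$filter_file" "$(filter_rule "$ip" "$port")"
    done
}

# Constructed demo run against scratch files. On a real console or Event
# Collector the targets are /opt/qradar/conf/iptables-nat.post and
# /opt/qradar/conf/iptables.post, followed by /opt/qradar/bin/iptables_update.pl.
demo_dir=$(mktemp -d)
add_openldap_rules "$demo_dir/iptables-nat.post" "$demo_dir/iptables.post" 517 \
    10.10.10.10 10.10.10.11 10.10.10.12
cat "$demo_dir/iptables-nat.post" "$demo_dir/iptables.post"
```

Running the script twice leaves each file with exactly three lines, because append_once matches whole lines with grep -xF before writing. After copying the generated lines into the real .post files, step 7 (iptables_update.pl) still has to be run for them to take effect.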

Repeat these steps if you need to configure another JSA console or Event Collector that receives syslog events from an Open LDAP server.

You can now configure your Open LDAP server to forward events to JSA.