Configuring IPtables for Multiline UDP Syslog Events

To collect UDP Multiline Syslog events in JSA, if you cannot send the events directly to the standard UDP Multiline port of 517 (or to any other available port that is not already in use by JSA), you must redirect events from port 514 to the default port 517 or your chosen alternate port by using IPtables, as outlined below. Configure IPtables on your JSA Console, or on each JSA Event Collector that receives UDP Multiline Syslog events from an Open LDAP server, and then complete the configuration for each Open LDAP server IP address that you want to receive logs from.

To configure JSA to redirect multiline UDP syslog events:

Complete this configuration method only if you can't send UDP Multiline Syslog events directly to the chosen UDP Multiline port on JSA from your Open LDAP server, and you are restricted to only sending to the standard syslog port 514.

  1. Using SSH, log in to JSA as the root user.

    Login: <root>

    Password: <password>

  2. Type the following command to edit the IPtables file:

    vi /opt/qradar/conf/iptables-nat.post

    The IPtables NAT configuration file is displayed.

  3. Type the following command to instruct JSA to redirect syslog events from UDP port 514 to UDP port 517:

    Where:

    <IP address> is the IP address of your Open LDAP server.

    <New port> is the port number that is configured in the UDP Multiline protocol for Open LDAP.

    You must include a redirect for each Open LDAP IP address that sends events to your JSA console or Event Collector. For example, if you had three Open LDAP servers that communicate with an Event Collector, type the following code:

  4. Save your IPtables NAT configuration.

    You are now ready to configure IPtables on your JSA console or Event Collector to accept events from your Open LDAP servers.

  5. Type the following command to edit the IPtables file:

    vi /opt/qradar/conf/iptables.post

    The IPtables configuration file is displayed.

  6. Type the following command to instruct JSA to allow communication from your Open LDAP servers:

    -I QChain 1 -m udp -p udp --src <IP address> --dport <New port> -j ACCEPT

    Where:

    <IP address> is the IP address of your Open LDAP server.

    <New port> is the port number that is configured in the UDP Multiline protocol for Open LDAP.

    You must include an accept rule for each Open LDAP IP address that sends events to your JSA console or Event Collector. For example, if you had three Open LDAP servers that communicate with an Event Collector, you would type the following code:

  7. Type the following command to update IPtables in JSA:

    /opt/qradar/bin/iptables_update.pl
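As an added example that is not part of the JSA documentation, the following script builds the per-server lines for steps 3 and 6 so that a site with several Open LDAP servers does not hand-edit each rule and risk a typo that opens the port to the wrong source. The NAT redirect line uses the standard iptables REDIRECT target in PREROUTING with `--to-ports`, which is an assumption here since the page does not print that rule; the ACCEPT line is the QChain rule from step 6, and the server addresses are constructed samples.

```shell
#!/bin/bash
# Added example, not from the JSA documentation: generate the per-server lines for
# /opt/qradar/conf/iptables-nat.post (step 3) and /opt/qradar/conf/iptables.post (step 6).
# Assumption: the NAT redirect uses the standard iptables REDIRECT target in PREROUTING.
# The addresses below are constructed sample values, not real Open LDAP servers.

OPENLDAP_SERVERS="192.0.2.10 192.0.2.11 192.0.2.12"   # constructed sample IPs
MULTILINE_PORT=517                                     # port set in the UDP Multiline protocol

# Reject anything that is not a dotted-quad IPv4 address, so a typo cannot become
# a malformed or over-broad firewall rule.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|"") return 1 ;;
    esac
    local IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
}

# One NAT line per server: UDP 514 from that server is redirected to the Multiline port.
nat_rules() {
    local port="$1"; shift
    local ip
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 1; }
        printf -- '-A PREROUTING -p udp -s %s --dport 514 -j REDIRECT --to-ports %s\n' "$ip" "$port"
    done
}

# One QChain ACCEPT line per server, exactly as in step 6.
filter_rules() {
    local port="$1"; shift
    local ip
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 1; }
        printf -- '-I QChain 1 -m udp -p udp --src %s --dport %s -j ACCEPT\n' "$ip" "$port"
    done
}

# Print both rule sets for review before pasting them into the two .post files.
echo "# iptables-nat.post"
nat_rules "$MULTILINE_PORT" $OPENLDAP_SERVERS
echo "# iptables.post"
filter_rules "$MULTILINE_PORT" $OPENLDAP_SERVERS
```

After pasting the generated lines into the two files, run /opt/qradar/bin/iptables_update.pl as in step 7 to apply them.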

Repeat these steps if you need to configure another JSA console or Event Collector that receives syslog events from an Open LDAP server.

You can now configure your Open LDAP server to forward events to JSA.