
Sun ONE LDAP

The Sun ONE LDAP DSM for JSA accepts access and LDAP events from Sun ONE Directory Servers, either as multiline events collected with the log file protocol or as events streamed with the UDP Multiline Syslog protocol.

Sun ONE Directory Server is now known as Oracle Directory Server Enterprise Edition.

JSA retrieves access and LDAP events from Sun ONE Directory Servers by connecting to each server to download the event log. The event file must be written to a location accessible by the log file protocol of JSA with FTP, SFTP, or SCP. Prefer SFTP or SCP where the host supports them: FTP sends the remote user's credentials and the log contents in cleartext. The event log is written in a multiline event format, which requires a special event generator in the log file protocol to parse it properly. The ID-Linked Multiline event generator uses a regular expression to reassemble a multiline event for JSA when each line of the event shares a common value; for Sun ONE access logs that value is the connection number, conn=<number>, which every line logged for one connection carries.

The Sun ONE LDAP DSM can also accept events streamed with the UDP Multiline Syslog protocol. However, in most situations your system requires a third-party syslog forwarder to send the event log to JSA, and many forwarders can send only to the standard syslog port 514. In that case you must redirect traffic on your JSA Console or Event Collector from port 514 to the port defined in the UDP Multiline Syslog protocol configuration (517 by default), as described in Configuring IPtables for UDP Multiline Syslog Events.
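How the ID-linked reassembly works in practice, as an added Python example that is not JSA code and not part of the original page: it applies the same conn=(\d+) pattern to a constructed Sun ONE access log excerpt (two interleaved connections, laid out in the Sun ONE/ODSEE access log format), joins the lines of each connection into one event payload the way the generator does for either the log file or the UDP Multiline Syslog path, and then counts failed binds per client over the reassembled events. The flush-on-"closed." rule, the sample addresses and DNs, and the brute-force threshold are this example's assumptions, not behaviour documented for JSA's generator.

```python
r"""ID-linked multiline reassembly for a Sun ONE / ODSEE access log.

Added example (not JSA code): it applies the Message ID Pattern conn=(\d+)
that the page tells you to configure, joins every line carrying the same
connection number into one event payload, and then counts failed binds per
client over the reassembled events.  All log lines below are constructed.
"""
import re
from collections import OrderedDict, defaultdict

# The same pattern the page tells you to enter in the Message ID Pattern field.
MESSAGE_ID_PATTERN = re.compile(r"conn=(\d+)")

# Constructed sample in Sun ONE/ODSEE access log layout: two interleaved
# connections.  conn=12345 binds and searches normally; conn=12346 fails three
# binds in a row (err=49 is LDAP invalidCredentials).
SAMPLE_ACCESS_LOG = """\
[21/Aug/2014:10:14:41 -0500] conn=12345 op=-1 msgId=-1 - fd=64 slot=64 LDAP connection from 192.0.2.10:51234 to 198.51.100.5
[21/Aug/2014:10:14:41 -0500] conn=12346 op=-1 msgId=-1 - fd=65 slot=65 LDAP connection from 203.0.113.7:40011 to 198.51.100.5
[21/Aug/2014:10:14:41 -0500] conn=12345 op=0 msgId=1 - BIND dn="uid=svc-app,ou=people,dc=example,dc=com" method=128 version=3
[21/Aug/2014:10:14:41 -0500] conn=12346 op=0 msgId=1 - BIND dn="uid=admin,ou=people,dc=example,dc=com" method=128 version=3
[21/Aug/2014:10:14:41 -0500] conn=12345 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[21/Aug/2014:10:14:41 -0500] conn=12346 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0
[21/Aug/2014:10:14:42 -0500] conn=12345 op=1 msgId=2 - SRCH base="dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs=ALL
[21/Aug/2014:10:14:42 -0500] conn=12346 op=1 msgId=2 - BIND dn="uid=admin,ou=people,dc=example,dc=com" method=128 version=3
[21/Aug/2014:10:14:42 -0500] conn=12345 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[21/Aug/2014:10:14:42 -0500] conn=12346 op=1 msgId=2 - RESULT err=49 tag=97 nentries=0 etime=0
[21/Aug/2014:10:14:43 -0500] conn=12345 op=2 msgId=3 - UNBIND
[21/Aug/2014:10:14:43 -0500] conn=12345 op=2 msgId=-1 - closing - U1
[21/Aug/2014:10:14:43 -0500] conn=12345 op=-1 msgId=-1 - closed.
[21/Aug/2014:10:14:44 -0500] conn=12346 op=2 msgId=3 - BIND dn="uid=admin,ou=people,dc=example,dc=com" method=128 version=3
[21/Aug/2014:10:14:44 -0500] conn=12346 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
[21/Aug/2014:10:14:44 -0500] conn=12346 op=-1 msgId=-1 - closed.
"""


def reassemble(lines, pattern=MESSAGE_ID_PATTERN, close_marker="closed."):
    """Group lines by the ID captured by `pattern`; each group becomes one event.

    Lines without an ID pass through as single-line events.  An event is
    flushed when its connection logs `close_marker` (an assumption of this
    example; JSA's generator has its own buffering rules) or at end of input.
    """
    open_events = OrderedDict()   # conn id -> lines seen so far, in arrival order
    events = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        match = pattern.search(line)
        if match is None:
            events.append(line)
            continue
        conn = match.group(1)
        open_events.setdefault(conn, []).append(line)
        if line.endswith(close_marker):
            events.append("\n".join(open_events.pop(conn)))
    # Connections that never closed are flushed when the input ends.
    events.extend("\n".join(v) for v in open_events.values())
    return events


CLIENT_RE = re.compile(r"LDAP connection from (\d{1,3}(?:\.\d{1,3}){3}):\d+")
BIND_RE = re.compile(r'op=(\d+) msgId=\d+ - BIND dn="([^"]*)"')
RESULT_RE = re.compile(r"op=(\d+) msgId=\d+ - RESULT err=(\d+)")


def failed_binds(event):
    """Return (client_ip, [bind DN, ...]) for binds in one event whose RESULT was err=49."""
    client = CLIENT_RE.search(event)
    client_ip = client.group(1) if client else None
    dn_by_op = {}          # a BIND and its RESULT share the op number
    failed = []
    for line in event.split("\n"):
        bind = BIND_RE.search(line)
        if bind:
            dn_by_op[bind.group(1)] = bind.group(2)
            continue
        result = RESULT_RE.search(line)
        if result and result.group(2) == "49" and result.group(1) in dn_by_op:
            failed.append(dn_by_op[result.group(1)])
    return client_ip, failed


def bruteforce_candidates(events, threshold=3):
    """Client IPs with at least `threshold` failed binds (threshold is illustrative)."""
    counts = defaultdict(int)
    for event in events:
        client_ip, failed = failed_binds(event)
        if client_ip:
            counts[client_ip] += len(failed)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = reassemble(SAMPLE_ACCESS_LOG.splitlines(keepends=True))
    print(f"{len(events)} events reassembled")
    print("failed-bind sources:", bruteforce_candidates(events))
```

Run it directly to print the event count and the offending client. The same reassemble() can be pointed at a real access log to confirm that the Message ID Pattern groups lines the way you expect before you deploy the log source; if a single line of an event lacks the connection number, it is emitted on its own, which is the symptom to look for when events arrive in JSA fragmented.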

Enabling the Event Log for Sun ONE Directory Server

To collect events from your Sun ONE Directory Server, you must enable the event log to write events to a file.

  1. Log in to your Sun ONE Directory Server console.
  2. Click the Configuration tab.
  3. From the navigation menu, select Logs.
  4. Click the Access Log tab.
  5. Select the Enable Logging check box.
  6. Type or click Browse to identify the directory path for your Sun ONE Directory Server access logs.
  7. Click Save.

You are now ready to configure a log source in JSA.

Configuring a Log Source for Sun ONE LDAP

To receive events, you must manually create a log source for your Sun ONE Directory Server. JSA does not automatically discover log file protocol events.

  1. Log in to JSA.
  2. Click the Admin tab.
  3. In the navigation menu, click Data Sources.
  4. Click the Log Sources icon.
  5. Click Add.
  6. In the Log Source Name field, type a name for your log source.
  7. In the Log Source Description field, type a description for your log source.
  8. From the Log Source Type list box, select Sun ONE LDAP.
  9. From the Protocol Configuration list box, select Log File.
  10. From the Event Generator list box, select ID-Linked Multiline.
  11. In the Message ID Pattern field, type conn=(\d+) as the regular expression. The capture group matches the connection number that every line of a Sun ONE access log entry carries, which is how JSA links the lines of one multiline event.
  12. Configure the following log file protocol parameters. Each parameter name is followed by its description:

    Log Source Identifier

    Type an IP address, host name, or name to identify the event source. IP addresses or host names enable JSA to identify a log file to a unique event source.

    For example, if your network contains multiple devices, such as a management console or a file repository, specify the IP address or host name of the device that created the event. This enables events to be identified at the device level in your network, instead of identifying the event for the management console or file repository.

    Service Type

    From the list box, select the protocol used to retrieve log files from the remote host: FTP, SFTP, or SCP.

    Remote IP or Hostname

    Type the IP address or host name of the host that contains the event log files.

    Remote Port

    Type the TCP port on the remote host that is running the selected Service Type. The valid range is 1 - 65535. The defaults are:

    FTP: TCP port 21.
    SFTP: TCP port 22.
    SCP: TCP port 22.

    Note: If the host for your event files is using a non-standard port number for FTP, SFTP, or SCP, you must adjust the port value.

    Remote User

    Type the user name necessary to log in to the host that contains your event files.

    The user name can be up to 255 characters in length.

    Remote Password

    Type the password necessary to log in to the host.

    Confirm Password

    Confirm the password necessary to log in to the host.

    SSH Key File

    If you select SCP or SFTP as the Service Type, this parameter enables you to define an SSH private key file. When you provide an SSH Key File, the Remote Password field is ignored.

    Remote Directory

    Type the directory location on the remote host from which the files are retrieved, relative to the user account you are using to log in.

    Note: For FTP only. If your log files are in the remote user's home directory, you can leave the Remote Directory field blank. This supports operating systems where the change working directory (CWD) command is restricted.

    Recursive

    Enable this check box to allow FTP or SFTP connections to recursively search sub folders of the remote directory for event data. Data that is collected from sub folders depends on matches to the regular expression in the FTP File Pattern. The Recursive option is not available for SCP connections.

    FTP File Pattern

    If you select SFTP or FTP as the Service Type, this option enables you to configure the regular expression (regex) that is required to filter the list of files that are specified in the Remote Directory. All matching files are included in the processing.

    For example, if you want to list all files that start with the word log, followed by one or more digits and ending with tar.gz, use the following entry: log[0-9]+\.tar\.gz. Use of this parameter requires knowledge of regular expressions (regex). For more information about regular expressions, see the Oracle website (http://docs.oracle.com/javase/tutorial/essential/regex/)

    FTP Transfer Mode

    This option only appears if you select FTP as the Service Type. The FTP Transfer Mode parameter enables you to define the file transfer mode when you retrieve log files over FTP.

    From the list box, select the transfer mode that you want to apply to this log source:

    Binary: select Binary for log sources that require binary data files or compressed zip, gzip, tar, or tar+gzip archive files.
    ASCII: select ASCII for log sources that require an ASCII FTP file transfer.

    Note: You must select NONE for the Processor parameter and LINEBYLINE for the Event Generator parameter when you use ASCII as the FTP Transfer Mode. Because the Sun ONE LDAP log source requires the ID-Linked Multiline event generator, use Binary for this log source.

    SCP Remote File

    If you select SCP as the Service Type you must type the file name of the remote file.

    Start Time

    Type the time of day you want the processing to begin. This parameter functions with the Recurrence value to establish when and how often the Remote Directory is scanned for files. Type the start time, based on a 24-hour clock, in the format HH:MM.

    Recurrence

    Type the frequency, beginning at the Start Time, that you want the remote directory to be scanned. Type this value in hours (H), minutes (M), or days (D). For example, 2H if you want the directory to be scanned every 2 hours. The default is 1H.

    Run On Save

    Select this check box if you want the log file protocol to run immediately after you click Save. After the Run On Save completes, the log file protocol follows your configured start time and recurrence schedule.

    Selecting Run On Save clears the list of previously processed files for the Ignore Previously Processed File parameter.

    EPS Throttle

    Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The valid range is 100 - 5000.

    Processor

    If the files on the remote host are stored in a zip, gzip, tar, or tar+gzip archive format, select the processor that allows the archives to be expanded and contents to be processed.

    Ignore Previously Processed File(s)

    Select this check box to track files that were already processed so that they are not processed a second time.

    This only applies to FTP and SFTP Service Types.

    Change Local Directory?

    Select this check box to define the local directory on your JSA that you want to use for storing downloaded files during processing.

    Most configurations can leave this check box clear. When you select the check box, the Local Directory field is displayed, which enables you to configure a local directory to use for temporarily storing files.

    Event Generator

    Select ID-Linked Multiline to process the retrieved event log as multiline events.

    The ID-Linked Multiline format processes multiline event logs in which every line of one event carries a common value. Selecting it displays the Message ID Pattern field, whose regular expression (conn=(\d+) for Sun ONE LDAP) identifies that value so that JSA can reassemble the lines into a single event payload.

    Folder Separator

    Type the character that is used to separate folders for your operating system. The default value is /.

    Most configurations can use the default value in the Folder Separator field. This field is only used by operating systems that use an alternate character to define separate folders. For example, periods that separate folders on mainframe systems.

  13. Click Save.
  14. On the Admin tab, click Deploy Changes.

Configuring a UDP Multiline Syslog Log Source

To collect syslog events, you must configure a log source for Sun ONE LDAP to use the UDP Multiline Syslog protocol.

  1. Click the Admin tab.
  2. Click the Log Sources icon.
  3. Click Add.
  4. In the Log Source Name field, type a name for your log source.
  5. From the Log Source Type list, select Sun ONE LDAP.
  6. From the Protocol Configuration list, select UDP Multiline Syslog.
  7. Configure the following values:

    Table 1: Sun ONE LDAP UDP Multiline Syslog Log Source Parameters

    Log Source Identifier

    Type the IP address, host name, or name to identify your Sun ONE LDAP installation.

    Listen Port

    Type 517 as the port number used by JSA to accept incoming UDP Multiline Syslog events. The valid port range is 1 - 65535.

    To edit a saved configuration to use a new port number complete the following steps.

    1. In the Listen Port field, type the new port number for receiving UDP Multiline Syslog events.

    2. Click Save.

    The port update is complete and event collection starts on the new port number.

    Message ID Pattern

    Type the following regular expression (regex). The capture group matches the connection number that links the lines of one Sun ONE event, so that JSA can reassemble them into a single payload:

    conn=(\d+)

    Enabled

    Select this check box to enable the log source.

    Credibility

    Select the credibility of the log source. The range is 0 - 10.

    The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.

    Target Event Collector

    Select the Target Event Collector to use as the target for the log source.

    Coalescing Events

    Select this check box to enable the log source to coalesce (bundle) events.

    By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

    Store Event Payload

    Select this check box to enable the log source to store event payload information.

    By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

  8. Click Save.
  9. On the Admin tab, click Deploy Changes.

Configuring IPtables for UDP Multiline Syslog Events

You might be unable to send events directly to the standard UDP Multiline port 517, or to any other unused port, when you collect UDP Multiline Syslog events in JSA, because many syslog forwarders can send only to port 514. In that case you must redirect events from port 514 to the default port 517, or to your chosen alternative port, by using IPtables. You must configure IPtables on your JSA Console, or on each JSA Event Collector, that receives UDP Multiline Syslog events from a Sun ONE LDAP server. Then, you must complete the configuration for each Sun ONE LDAP server IP address from which you want to receive logs.

Note

Complete this configuration method when you cannot send UDP Multiline Syslog events directly to the chosen UDP Multiline port on JSA from your Sun ONE LDAP server, for example when the forwarder is restricted to sending only to the standard syslog port 514.

  1. Using SSH, log in to JSA as the root user.

    Login: root

    Password: <password>

  2. Type the following command to edit the IPtables NAT rules file:

    vi /opt/qradar/conf/iptables-nat.post

    The IPtables NAT configuration file is displayed.

  3. Add the following rule to instruct JSA to redirect syslog events that arrive on UDP port 514 from your Sun ONE LDAP server to the UDP Multiline port:

    -A PREROUTING -p udp -s <IP address> --dport 514 -j REDIRECT --to-port <new-port>

    Where <IP address> is the IP address of your Sun ONE LDAP server, and <new-port> is the port number that is configured in the UDP Multiline Syslog protocol for Sun ONE LDAP (517 by default).

    The -s match limits the redirect to the named server, so that other hosts sending plain syslog to port 514 on this collector are not affected. You must include one redirect rule for each Sun ONE LDAP IP address that sends events to your JSA Console or Event Collector, for example:

    -A PREROUTING -p udp -s <IP address of server 1> --dport 514 -j REDIRECT --to-port <new-port>
    -A PREROUTING -p udp -s <IP address of server 2> --dport 514 -j REDIRECT --to-port <new-port>

  4. Save your IPtables NAT configuration.

    You are now ready to configure IPtables on your JSA Console or Event Collector to accept events from your SunOne LDAP servers.

  5. Type the following command to edit the IPtables filter rules file in JSA:

    vi /opt/qradar/conf/iptables.post

    The IPtables configuration file is displayed.

  6. Add the following rule to instruct JSA to allow communication from your Sun ONE LDAP servers on the UDP Multiline port:

    -I QChain 1 -m udp -p udp --src <IP address> --dport <new-port> -j ACCEPT

    Where <IP address> is the IP address of your Sun ONE LDAP server, and <new-port> is the port number that is configured in the UDP Multiline Syslog protocol for Sun ONE LDAP.

    You must include one accept rule for each Sun ONE LDAP IP address that sends events to your JSA Console or Event Collector, for example:

    -I QChain 1 -m udp -p udp --src <IP address of server 1> --dport <new-port> -j ACCEPT
    -I QChain 1 -m udp -p udp --src <IP address of server 2> --dport <new-port> -j ACCEPT

  7. Type the following command to apply the updated IPtables rules in JSA:

    /opt/qradar/bin/iptables_update.pl

If you need to configure another JSA Console or Event Collector that receives syslog events from a Sun ONE LDAP server, repeat these steps.

Configure your Sun ONE LDAP server, or the syslog forwarder in front of it, to send events to JSA.