IBM Security Directory Server

 

The JSA DSM for IBM Security Directory Server collects event logs from your IBM Security Directory Server.

To integrate IBM Security Directory Server with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent versions of the following RPMs on your JSA Console:

    • DSMCommon RPM

    • IBM Security Directory Server DSM RPM

  2. Configure each IBM Security Directory Server system in your network to enable communication with JSA.

  3. If JSA does not automatically detect the log source, add a log source on the JSA Console.

IBM Security Directory Server DSM Specifications

When you configure the IBM Security Directory Server DSM, understanding the specifications for the IBM Security Directory Server DSM can help ensure a successful integration. For example, knowing what protocol to use before you begin can help reduce frustration during the configuration process.

The following table identifies the specifications for the IBM Security Directory Server DSM:

Table 1: IBM Security Directory Server DSM Specifications

| Specification | Value |
|---|---|
| Manufacturer | IBM |
| DSM | IBM Security Directory Server |
| RPM file name | DSM-IBMSecurityDirectoryServer-build_number.noarch.rpm |
| Supported version | 6.3.1 and later |
| Protocol | Syslog (LEEF) |
| JSA recorded events | All relevant events |
| Automatically discovered | Yes |
| Includes identity | Yes |
| For more information | IBM website |

Configuring IBM Security Directory Server to Communicate with JSA

JSA can collect LEEF formatted audit events from your IBM Security Directory Server.

To configure IBM Security Directory Server to send logs to JSA, you must use the IBM Security Directory Server command line to add an auxiliary object class and then set values for the JSA log management attributes.

  1. Create a file (file_name) on the IBM Security Directory Server with the following content:

    dn: cn=Audit, cn=Log Management, cn=Configuration
    changetype: modify
    add: objectclass
    objectclass: ibm-slapdQRadarConfig

  2. To add the auxiliary object class ibm-slapdQRadarConfig for JSA configuration attributes to cn=Audit,cn=Log Management,cn=Configuration, run the following command:

    # idsldapmodify -h host_name -p portnumber -D cn=RDN_value -w password -f file_name

  3. Create a new file (new_file) with the following content:

    dn: cn=specific_log_name, cn=Log Management, cn=configuration
    changetype: modify
    add: ibm-slapdLogEventQRadarEnabled
    ibm-slapdLogEventQRadarEnabled: true
    -
    add: ibm-slapdLogEventQRadarHostName
    ibm-slapdLogEventQRadarHostName: host_name_of_qradar_instance
    -
    add: ibm-slapdLogEventQRadarPort
    ibm-slapdLogEventQRadarPort: port_of_qradar_instance
    -
    add: ibm-slapdLogEventQRadarMapFilesLocation
    ibm-slapdLogEventQRadarMapFilesLocation: directory_location_of_qradar_mapfiles

  4. Replace the following values in the new_file content:
    1. Replace host_name_of_qradar_instance with the destination JSA Event Collector hostname or IP address.

    2. Replace port_of_qradar_instance with 514.

    3. If IBM Security Directory Server V6.3.1 is installed, replace directory_location_of_qradar_mapfiles with /opt/ibm/ldap/V6.3.1/idstools/idslogmgmt/.

    4. If IBM Security Directory Server V6.4 is installed, replace directory_location_of_qradar_mapfiles with /opt/ibm/ldap/V6.4/idstools/idslogmgmt/.

    For example:

    dn: cn=specific_log_name, cn=Log Management, cn=configuration
    changetype: modify
    add: ibm-slapdLogEventQRadarEnabled
    ibm-slapdLogEventQRadarEnabled: true
    -
    add: ibm-slapdLogEventQRadarHostName
    ibm-slapdLogEventQRadarHostName: qradar-collector.example.com
    -
    add: ibm-slapdLogEventQRadarPort
    ibm-slapdLogEventQRadarPort: 514
    -
    add: ibm-slapdLogEventQRadarMapFilesLocation
    ibm-slapdLogEventQRadarMapFilesLocation: /opt/ibm/ldap/V6.3.1/idstools/idslogmgmt/

  5. To set the attribute values for JSA integration, run the following command:

    # idsldapmodify -h host_name -p portnumber -D cn=RDN_value -w password -f new_file

  6. To start an instance, run the following command:

    # ibmslapd -I <instance_name> -n

  7. Optional: To start log management locally, run the following command:

    # idslogmgmt -I <instance_name>

    To start, get status, and stop log management remotely, run the following commands:

    # ibmdirctl -D <adminDN> -w <password> -h <host_name> -p <administration server port number> startlogmgmt
    # ibmdirctl -D <adminDN> -w <password> -h <host_name> -p <administration server port number> statuslogmgmt
    # ibmdirctl -D <adminDN> -w <password> -h <host_name> -p <administration server port number> stoplogmgmt
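
The following added example (not part of the Juniper or IBM documentation) generates the new_file content from steps 3 and 4 with one LDIF directive per line and rejects values that would break the record. The function name make_qradar_ldif, its argument order, and the sample values are assumptions; the attribute names and map file paths are the ones listed in the steps above.

```shell
#!/bin/sh
# Added example: build the step 3 LDIF (new_file) with one directive per line.
# make_qradar_ldif and its argument order are hypothetical, not an IBM tool.

make_qradar_ldif() {
    log_name=$1 collector=$2 port=$3 sds_version=$4

    # Reject whitespace, commas and newlines so a value cannot spill into
    # another LDIF line or another DN component.
    case $log_name in ''|*[!A-Za-z0-9_-]*) echo "bad log name" >&2; return 1 ;; esac
    case $collector in ''|*[!A-Za-z0-9.:-]*) echo "bad collector host" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port" >&2; return 1; }

    # Only the two map file locations given in step 4 are known here.
    case $sds_version in
        6.3.1) mapdir=/opt/ibm/ldap/V6.3.1/idstools/idslogmgmt/ ;;
        6.4)   mapdir=/opt/ibm/ldap/V6.4/idstools/idslogmgmt/ ;;
        *) echo "no map file path known for version $sds_version" >&2; return 1 ;;
    esac

    # Each modification is separated by a line holding a single "-".
    cat <<EOF
dn: cn=$log_name, cn=Log Management, cn=configuration
changetype: modify
add: ibm-slapdLogEventQRadarEnabled
ibm-slapdLogEventQRadarEnabled: true
-
add: ibm-slapdLogEventQRadarHostName
ibm-slapdLogEventQRadarHostName: $collector
-
add: ibm-slapdLogEventQRadarPort
ibm-slapdLogEventQRadarPort: $port
-
add: ibm-slapdLogEventQRadarMapFilesLocation
ibm-slapdLogEventQRadarMapFilesLocation: $mapdir
EOF
}

# Constructed sample values; redirect the output to new_file for step 5.
make_qradar_ldif Audit qradar-collector.example.com 514 6.3.1
```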

Syslog Log Source Parameters for IBM Security Directory Server

If JSA does not automatically detect the log source, add an IBM Security Directory Server log source on the JSA Console by using the Syslog protocol.

When using the syslog protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect Syslog events from IBM Security Directory Server:

Table 2: Syslog Log Source Parameters for the IBM Security Directory Server DSM

| Parameter | Value |
|---|---|
| Log Source type | IBM Security Directory Server |
| Protocol Configuration | Syslog |