Configuring a Log Source
JSA does not automatically discover Open LDAP events that are forwarded in UDP multiline format. To complete the integration, you must manually create a log source for the UDP Multiline Syslog protocol by using the Admin tab in JSA. Creating the log source allows JSA to establish a listen port for incoming Open LDAP multiline events.
To configure an Open LDAP log source in JSA:
- Log in to JSA.
- Click the Admin tab.
- In the navigation menu, click Data Sources.
The Data Sources pane is displayed.
- Click the Log Sources icon.
The Log Sources window is displayed.
- Click Add.
The Add a log source window is displayed.
- In the Log Source Name field, type a name for your log source.
- In the Log Source Description field, type a description for your log source.
- From the Log Source Type list, select Open LDAP Software.
- From the Protocol Configuration list, select UDP Multiline Syslog.
- Configure the following values:
Table 1: UDP Multiline Protocol Configuration
Log Source Identifier
Type the IP address or host name for the log source as an identifier for events from your Open LDAP server.
Listen Port
Type the port number that is used by JSA to accept incoming UDP Multiline Syslog events. The valid port range is 1 - 65536.
The default UDP Multiline Syslog listen port is 517.
If you do not see the Listen Port field, you must restart Tomcat on JSA.
To edit the Listen Port number:
  - Update IPtables on your JSA console or Event Collector with the new UDP Multiline Syslog port number. For more information, see Configuring IPtables for Multiline UDP Syslog Events.
  - In the Listen Port field, type the new port number for receiving UDP Multiline Syslog events.
  - On the Admin tab, select Advanced > Deploy Full Configuration.
    When you click Deploy Full Configuration, JSA restarts all services, resulting in a gap in data collection for events and flows until the deployment completes.
The port update is complete and event collection starts on the new port number.
Message ID Pattern
Type the regular expression (regex) that is needed to filter the event payload messages. All matching events are included when processing Open LDAP events.
The following regular expression is suggested for Open LDAP events:
For example, Open LDAP starts connection messages with the word conn, followed by the rest of the event payload. Use of this parameter requires knowledge of regular expressions (regex). For more information, see the following website: http://download.oracle.com/javase/tutorial/essential/regex/
- Click Save.
- On the Admin tab, click Deploy Changes.
The log source is created for Open LDAP events. You are now ready to configure IPtables for JSA to redirect Open LDAP events to the proper UDP multiline syslog port on your JSA console or Event Collector.
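
A Message ID Pattern can be tried against sample Open LDAP payloads before it is typed into the log source, to see which lines it includes and which it drops. The following is an added example, not part of the JSA documentation: the candidate pattern, the sample slapd lines, and the grouping of lines by the captured connection number are all assumptions made for illustration.

```python
import re
from collections import OrderedDict

# Constructed sample payloads in the style of OpenLDAP slapd syslog output.
# They are not captured from a real server.
SAMPLE_EVENTS = [
    'slapd[2101]: conn=1001 fd=14 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)',
    'slapd[2101]: conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128',
    'slapd[2101]: conn=1002 fd=15 ACCEPT from IP=192.0.2.11:40022 (IP=0.0.0.0:389)',
    'slapd[2101]: conn=1001 op=0 RESULT tag=97 err=49 text=',
    'slapd[2101]: daemon: shutdown requested and initiated.',
    'slapd[2101]: conn=1002 fd=15 closed (connection lost)',
]

# Assumed candidate pattern, chosen because connection messages start with
# the word "conn". It is not the pattern suggested by the documentation.
# It uses only syntax that Python and Java regex share.
CANDIDATE_PATTERN = r'conn=(\d+)'


def check_message_id_pattern(pattern, events):
    """Return (groups, unmatched).

    groups    -- events keyed by the ID the pattern extracts, in first-seen order
    unmatched -- events the pattern does not match (these would be filtered out)
    """
    regex = re.compile(pattern)
    groups, unmatched = OrderedDict(), []
    for event in events:
        match = regex.search(event)
        if match is None:
            unmatched.append(event)
            continue
        # Use the first capture group as the ID when the pattern has one,
        # otherwise fall back to the whole matched text.
        key = match.group(1) if regex.groups else match.group(0)
        groups.setdefault(key, []).append(event)
    return groups, unmatched


if __name__ == "__main__":
    groups, unmatched = check_message_id_pattern(CANDIDATE_PATTERN, SAMPLE_EVENTS)
    for msg_id, lines in groups.items():
        print(f"conn {msg_id}: {len(lines)} line(s)")
    for line in unmatched:
        print("NOT MATCHED:", line)
```

Lines reported as not matched are the ones to review: either they are expected noise, or the pattern is too narrow for events you want JSA to process.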