Configuring IPtables for Multiline UDP Syslog Events

 

PostFix MTA sends its syslog events to the standard syslog port, UDP 514. To collect them with the UDP Multiline Syslog protocol, you must redirect those events from UDP port 514 to the port that is configured in the UDP Multiline protocol, for example port 517, and allow the redirected traffic through the JSA firewall. Both rules are restricted to the source addresses of your PostFix MTA installations, so syslog events that other hosts send to port 514 are not redirected. Note that this restriction matches only on source address; syslog over UDP is unauthenticated, so it limits exposure but does not authenticate the sender.

  1. Use SSH to log in to JSA as the root user.
  2. To edit the IPtables file, type the following command:

    vi /opt/qradar/conf/iptables-nat.post

  3. To instruct JSA to redirect syslog events from UDP port 514 to the UDP Multiline port, add the following rule:

    -A PREROUTING -p udp --dport 514 -j REDIRECT --to-port <New port> -s <IP address>

    Where:

    • <IP address> is the IP address of your PostFix MTA installation.

    • <New port> is the port number that is configured in the UDP Multiline protocol for PostFix MTA.

    For example, if you had three PostFix MTA installations that communicate with JSA, add one rule per installation, each with its own -s address and the same --to-port value. Do not omit the -s option; a rule without it redirects port 514 events from every source to the multiline port.

  4. Save your IPtables NAT configuration.

    You are now ready to configure IPtables on the JSA console or Event Collector that receives the events to accept them from your PostFix MTA installations.

  5. Type the following command to edit the IPtables file:

    vi /opt/qradar/conf/iptables.post

  6. To instruct JSA to allow communication from your PostFix MTA installations, add the following rule:

    -I QChain 1 -m udp -p udp --src <IP address> --dport <New port> -j ACCEPT

    Where:

    • <IP address> is the IP address of your PostFix MTA installation.

    • <New port> is the port number that is configured in the UDP Multiline protocol.

    For example, if you had three PostFix MTA installations that communicate with an Event Collector, add one rule per installation, each with its own --src address and the same --dport value.

  7. To save the changes and update IPtables, type the following command:

    /opt/qradar/bin/iptables_update.pl
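The following POSIX shell script is an added example and is not part of the JSA documentation or of the JSA product. It generates the per-installation lines for both files from a list of PostFix MTA addresses, checks that every NAT rule carries the -s source restriction, and applies them only when explicitly asked to. The addresses 192.0.2.10 through 192.0.2.12 and the JSA_APPLY switch are constructed for this example; the file paths and the update script are the ones the procedure above uses.

```shell
#!/bin/sh
# Added example, not JSA code: build the iptables lines for several PostFix
# MTA installations and check them before they are appended to the JSA files.

MTA_IPS="192.0.2.10 192.0.2.11 192.0.2.12"   # constructed example addresses
NEW_PORT=517                                   # port set in the UDP Multiline protocol

# One NAT rule per MTA: only UDP/514 traffic from that source is redirected
# to the multiline port (iptables-nat.post).
gen_nat_rules() {
    port="$1"; shift
    for ip in "$@"; do
        printf '%s\n' "-A PREROUTING -p udp --dport 514 -j REDIRECT --to-port $port -s $ip"
    done
}

# One ACCEPT rule per MTA, inserted at position 1 of QChain so it is matched
# before the chain's default handling (iptables.post).
gen_accept_rules() {
    port="$1"; shift
    for ip in "$@"; do
        printf '%s\n' "-I QChain 1 -m udp -p udp --src $ip --dport $port -j ACCEPT"
    done
}

# Reads NAT rules on stdin and fails if any rule lacks a -s restriction:
# such a rule would redirect port 514 events from every host, not just the MTAs.
check_nat_rules() {
    while IFS= read -r line; do
        case "$line" in
            *" -s "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

nat_rules=$(gen_nat_rules "$NEW_PORT" $MTA_IPS)
accept_rules=$(gen_accept_rules "$NEW_PORT" $MTA_IPS)

if ! printf '%s\n' "$nat_rules" | check_nat_rules; then
    echo "refusing to apply: a NAT rule has no -s source restriction" >&2
    exit 1
fi

# JSA_APPLY is a constructed switch for this example: set it to 1 on a JSA
# host (as root) to append the rules and reload iptables; otherwise just print.
if [ "${JSA_APPLY:-0}" = "1" ]; then
    printf '%s\n' "$nat_rules"    >> /opt/qradar/conf/iptables-nat.post
    printf '%s\n' "$accept_rules" >> /opt/qradar/conf/iptables.post
    /opt/qradar/bin/iptables_update.pl
else
    echo "# lines for /opt/qradar/conf/iptables-nat.post"
    printf '%s\n' "$nat_rules"
    echo "# lines for /opt/qradar/conf/iptables.post"
    printf '%s\n' "$accept_rules"
fi
```

Run it without JSA_APPLY first to review the generated lines; the NAT redirect and the ACCEPT rule must use the same port, and the port must match the one entered in the UDP Multiline protocol configuration, or the redirected datagrams are dropped before they reach the listener.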