Sun ONE LDAP

The Sun ONE LDAP DSM for JSA accepts multiline UDP access and LDAP events from Sun ONE Directory Servers with the log file protocol.

Sun ONE LDAP is also known as Oracle Directory Server.

JSA retrieves access and LDAP events from Sun ONE Directory Servers by connecting to each server to download the event log. The event file must be written to a location accessible by the log file protocol of JSA with FTP, SFTP, or SCP. The event log is written in a multiline event format, which requires a special event generator in the log file protocol to properly parse the event. The ID-Linked Multiline event generator is capable of using regex to assemble multiline events for JSA when each line of a multiline event shares a common starting value.

The Sun ONE LDAP DSM can also accept events streamed with the UDP Multiline Syslog protocol. However, in most situations your system requires a third-party syslog forwarder to forward the event log to JSA. This can require you to redirect traffic on your JSA Console to the port defined by the UDP Multiline protocol.

Enabling the Event Log for Sun ONE Directory Server

To collect events from your Sun ONE Directory Server, you must enable the event log to write events to a file.

  1. Log in to your Sun ONE Directory Server console.

  2. Click the Configuration tab.

  3. From the navigation menu, select Logs.

  4. Click the Access Log tab.

  5. Select the Enable Logging check box.

  6. Type or click Browse to identify the directory path for your Sun ONE Directory Server access logs.

  7. Click Save.

You are now ready to configure a log source in JSA.

Log File Log Source parameters for Sun ONE LDAP

If JSA does not automatically detect the log source, add a Sun ONE LDAP log source on the JSA Console by using the Log File protocol.

When using the Log File protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect Log File events from Sun ONE LDAP:

Table 1: Log File log source parameters for the Sun ONE LDAP DSM

Parameter

Value

Log Source name

Type a name for your log source.

Log Source description

Type a description for the log source.

Log Source type

Sun ONE LDAP

Protocol Configuration

Log File

Log Source Identifier

Type an IP address, host name, or name to identify the event source. IP addresses or host names enable JSA to identify a log file to a unique event source.

For example, if your network contains multiple devices, such as a management console or a file repository, specify the IP address or host name of the device that created the event. This enables events to be identified at the device level in your network, instead of identifying the event for the management console or file repository.

Service Type

Type the TCP port on the remote host that is running the selected Service Type. The valid range is 1 - 65535. The options include:

FTP

TCP Port 21.

SFTP

TCP Port 22.

SCP

TCP Port 22.

Note:

If the host for your event files is using a non-standard port number for FTP, SFTP, or SCP, you must adjust the port value.

Remote User

Type the user name necessary to log in to the host that contains your event files.

The user name can be up to 255 characters in length.

Confirm Password

Confirm the password necessary to log in to the host.

SSH Key File

If you select SCP or SFTP as the Service Type, this parameter enables you to define an SSH private key file. When you provide an SSH Key File, the Remote Password field is ignored.

Remote Directory

Type the directory location on the remote host from which the files are retrieved, relative to the user account you are using to log in.

Note:

For FTP only. If your log files are in the remote user's home directory, you can leave the Remote Directory blank. This supports operating systems where the change working directory (CWD) command is restricted.

Recursive

Enable this check box to allow FTP or SFTP connections to recursively search sub folders of the remote directory for event data. Data that is collected from sub folders depends on matches to the regular expression in the FTP File Pattern. The Recursive option is not available for SCP connections.

FTP File Pattern

If you select SFTP or FTP as the Service Type, this option enables you to configure the regular expression (regex) that is required to filter the list of files that are specified in the Remote Directory. All matching files are included in the processing.

For example, if you want to list all files that start with the word log, followed by one or more digits and ending with tar.gz, use the following entry: log[0-9]+\.tar\.gz. Use of this parameter requires knowledge of regular expressions (regex). For more information about regular expressions, see the Oracle website (http://docs.oracle.com/javase/tutorial/essential/regex/)

FTP Transfer Mode

This option only appears if you select FTP as the Service Type. The FTP Transfer Mode parameter enables you to define the file transfer mode when you retrieve log files over FTP.

From the list box, select the transfer mode that you want to apply to this log source:

Binary

Select Binary for log sources that require binary data files or compressed zip, gzip, tar, or tar+gzip archive files.

ASCII

Select ASCII for log sources that require an ASCII FTP file transfer.

Note:

You must select NONE for the Processor parameter and LINEBYLINE for the Event Generator parameter when you use ASCII as the FTP Transfer Mode.

SCP Remote File

If you select SCP as the Service Type you must type the file name of the remote file.

Start Time

Type the time of day you want the processing to begin. This parameter works together with the Recurrence value to establish when and how often the Remote Directory is scanned for files. Type the start time, based on a 24-hour clock, in the format HH:MM.

Recurrence

Type the frequency, beginning at the Start Time, that you want the remote directory to be scanned. Type this value in hours (H), minutes (M), or days (D). For example, 2H if you want the directory to be scanned every 2 hours. The default is 1H.

Run On Save

Select this check box if you want the log file protocol to run immediately after you click Save. After the Run On Save completes, the log file protocol follows your configured start time and recurrence schedule.

Selecting Run On Save clears the list of previously processed files for the Ignore Previously Processed File parameter.

EPS Throttle

Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The valid range is 100 - 5000.

Processor

If the files on the remote host are stored in a zip, gzip, tar, or tar+gzip archive format, select the processor that allows the archives to be expanded and contents to be processed.

Ignore Previously Processed File(s)

Select this check box to track files that were processed and you do not want the files to be processed a second time.

This only applies to FTP and SFTP Service Types.

Change Local Directory?

Select this check box to define the local directory on your JSA that you want to use for storing downloaded files during processing.

Most configurations can leave this check box clear. When you select the check box, the Local Directory field is displayed, which enables you to configure a local directory to use for temporarily storing files.

Event Generator

Select ID-Linked Multiline to process the retrieved event log as multiline events.

The ID-Linked Multiline format processes multiline event logs that contain a common value at the start of each line of a multiline event message. Selecting this option displays the Message ID Pattern field, which takes a regex that identifies that common value and reassembles the lines of the multiline event into a single event payload.

Folder Separator

Type the character that is used to separate folders for your operating system. The default value is /.

Most configurations can use the default value in the Folder Separator field. This field is only used by operating systems that use an alternate character to define separate folders. For example, periods that separate folders on mainframe systems.
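The ID-Linked Multiline behaviour described in the introduction and in the Event Generator row above can be seen in a small reassembler. The following Python is an added example, not JSA code and not part of the original page: it emulates the idea of a Message ID Pattern (here, the conn=<n> field that every line of a Sun ONE Directory Server access log carries) and groups lines that share that ID into one payload. The access-log lines are constructed samples in the documented access-log layout; the regexes, the function names and the grouping rule (all lines with the same ID go together, regardless of interleaving) are assumptions of this example, not a statement of how JSA implements the generator.

```python
import re
from collections import OrderedDict

# Constructed sample of a Sun ONE / Oracle Directory Server access log.
# Two connections interleave, which is what makes naive line-by-line parsing lose context.
SAMPLE_ACCESS_LOG = """\
[21/Mar/2014:10:05:31 -0400] conn=1 fd=64 slot=64 connection from 10.0.0.25 to 10.0.0.10
[21/Mar/2014:10:05:31 -0400] conn=1 op=0 msgId=1 - BIND dn="uid=jdoe,ou=People,dc=example,dc=com" method=128 version=3
[21/Mar/2014:10:05:31 -0400] conn=2 fd=65 slot=65 connection from 10.0.0.26 to 10.0.0.10
[21/Mar/2014:10:05:31 -0400] conn=1 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[21/Mar/2014:10:05:32 -0400] conn=2 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
[21/Mar/2014:10:05:32 -0400] conn=2 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Mar/2014:10:05:32 -0400] conn=1 op=1 UNBIND
[21/Mar/2014:10:05:32 -0400] conn=1 op=1 fd=64 closed - U1
"""

# Assumed Message ID Pattern: skip the bracketed timestamp, capture the conn=<n> token.
# The capture group is the "common starting value" that links the lines of one event.
MESSAGE_ID_PATTERN = re.compile(r"^\[[^\]]+\]\s+(conn=\d+)")

# Field extractors used only by the summary below (assumed, not JSA parsing logic).
BIND_RE = re.compile(r'BIND dn="([^"]*)"')
RESULT_RE = re.compile(r"RESULT err=(\d+)")


def assemble_multiline_events(text, id_pattern=MESSAGE_ID_PATTERN):
    """Group lines that share the same captured ID into one event payload.

    Returns a list of (id, payload) tuples in first-seen order. Lines that do not
    match the ID pattern cannot be linked to anything and are returned on their own
    with id None, after the linked events, so nothing is silently dropped.
    """
    events = OrderedDict()
    orphans = []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = id_pattern.search(line)
        if match is None:
            orphans.append((None, line))
            continue
        events.setdefault(match.group(1), []).append(line)
    return [(key, "\n".join(lines)) for key, lines in events.items()] + orphans


def summarize_binds(events):
    """For each reassembled connection that performed a BIND, return
    {conn_id: (bind_dn, result_code)}. Only the reassembled payload makes this
    possible: the DN is on the BIND line and the err code on the later RESULT line.
    err=49 is LDAP invalidCredentials, the value a failed-login detection keys on."""
    summary = {}
    for conn_id, payload in events:
        if conn_id is None:
            continue
        dn = BIND_RE.search(payload)
        err = RESULT_RE.search(payload)
        if dn and err:
            summary[conn_id] = (dn.group(1), int(err.group(1)))
    return summary


if __name__ == "__main__":
    for conn_id, payload in assemble_multiline_events(SAMPLE_ACCESS_LOG):
        print(f"--- {conn_id} ---\n{payload}")
    print(summarize_binds(assemble_multiline_events(SAMPLE_ACCESS_LOG)))
```

The point of the example is the second function: once the lines of conn=1 are one payload, the failed bind (err=49) can be attributed to the DN that attempted it, which a line-by-line parser cannot do because the DN and the result code are on different lines. The same capture-group idea is what the Message ID Pattern field asks for.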

UDP Multiline Syslog Log Source Parameters for Sun ONE LDAP

If JSA does not automatically detect the log source, add a Sun ONE LDAP log source on the JSA Console by using the UDP Multiline Syslog protocol.

When using the UDP Multiline Syslog protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect UDP Multiline Syslog events from Sun ONE LDAP:

Table 2: UDP Multiline Syslog Log Source Parameters for the Sun ONE LDAP DSM

Parameter

Value

Log Source Type

Sun ONE LDAP

Protocol Configuration

UDP Multiline Syslog

Log Source Identifier

Type the IP address or host name for the log source as an identifier for events from your Sun ONE LDAP devices.

Configuring IPtables for UDP Multiline Syslog Events

You might be unable to send events directly to the standard UDP Multiline port 517, or to any other unused port, when you collect UDP Multiline Syslog events in JSA. If this occurs, you must redirect events from port 514 to the default port 517, or to your chosen alternative port, by using IPtables. You must configure IPtables on your JSA Console, or on each JSA Event Collector that receives UDP Multiline Syslog events from a Sun ONE LDAP server. Then you must complete the configuration for each Sun ONE LDAP server IP address that you want to receive logs from.

Note:

Complete this configuration when you cannot send UDP Multiline Syslog events directly to the chosen UDP Multiline port on JSA from your Sun ONE LDAP server, or when you are restricted to sending only to the standard syslog port 514.

  1. Using SSH, log in to JSA as the root user.

    Login: root

    Password: <password>

  2. Type the following command to edit the IPtables file:

    vi /opt/qradar/conf/iptables.post

    The IPtables configuration file is displayed.

  3. Type the following command to instruct JSA to redirect syslog events from UDP port 514 to UDP port 517:

    -A PREROUTING -p udp --dport 514 -j REDIRECT --to-port <new-port> -s <IP_address>

    Where <IP_address> is the IP address of your Sun ONE LDAP server.

    <new-port> is the port number that is configured in the UDP Multiline protocol for Sun ONE LDAP.

    You must include a redirect for each Sun ONE LDAP IP address that sends events to your JSA Console or Event Collector, for example:

    -A PREROUTING -p udp --dport 514 -j REDIRECT --to-port <new-port> -s <IP_address>

  4. Save your IPtables NAT configuration.

    You are now ready to configure IPtables on your JSA Console or Event Collector to accept events from your Sun ONE LDAP servers.

  5. Type the following command to edit the IPtables in JSA:

    vi /opt/qradar/conf/iptables.post

    The IPtables configuration file is displayed.

  6. Type the following command to instruct JSA to allow communication from your Sun ONE LDAP servers:

    -I QChain 1 -m udp -p udp --src <IP_address> --dport <new-port> -j ACCEPT

    Where <IP_address> is the IP address of your Sun ONE LDAP server.

    <new-port> is the port number that is configured in the UDP Multiline protocol for Sun ONE LDAP.

    You must include an ACCEPT rule for each Sun ONE LDAP IP address that sends events to your JSA Console or Event Collector, for example:

    -I QChain 1 -m udp -p udp --src <IP_address> --dport <new-port> -j ACCEPT

  7. Type the following command to update IPtables in JSA:

    /opt/qradar/bin/iptables_update.pl

If you need to configure another JSA Console or Event Collector that receives syslog events from a Sun ONE LDAP server, repeat these steps.

Configure your Sun ONE LDAP server to forward events to JSA.