Complete this configuration method only if
you can't send UDP Multiline Syslog events directly to the chosen
UDP Multiline port on JSA from your Open LDAP server,
and you are restricted to only sending to the standard syslog port
514.
To collect UDP Multiline Syslog events in JSA when you cannot send them directly to the default UDP Multiline port of 517, or to another available port that is not already in use by JSA, you must redirect events from port 514 to port 517 (or your chosen alternate port) by using IPtables, as outlined below. You must configure IPtables on your JSA Console, or on each JSA Event Collector, that receives UDP Multiline Syslog events from an Open LDAP server, and then complete the configuration for each Open LDAP server IP address that you want to receive logs from.
To configure JSA to redirect multiline UDP syslog
events:
- Using SSH, log in to JSA as the root user.
Login: <root>
Password: <password>
- Type the following command to edit the IPtables file:
vi /opt/qradar/conf/iptables-nat.post
The IPtables NAT configuration file is displayed.
- Type the following command to instruct JSA to redirect syslog events from UDP port 514 to UDP port 517:
-A PREROUTING -p udp --dport 514 -j REDIRECT --to-port <New port> -s <IP address>
Where:
<IP address> is the IP address of your
Open LDAP server.
<New port> is the port number that is
configured in the UDP Multiline protocol for Open LDAP.
You must include a redirect for each Open LDAP IP address that sends events to your JSA console or Event Collector. For example, if you had three Open LDAP servers that communicate with an Event Collector, type the following code:
-A PREROUTING -p udp --dport 514 -j REDIRECT --to-port 517 -s 10.10.10.10
-A PREROUTING -p udp --dport 514 -j REDIRECT --to-port 517 -s 10.10.10.11
-A PREROUTING -p udp --dport 514 -j REDIRECT --to-port 517 -s 10.10.10.12
- Save your IPtables NAT configuration.
You are now ready to configure IPtables on your JSA console or Event Collector to accept events from your Open
LDAP servers.
- Type the following command to edit the IPtables file:
vi /opt/qradar/conf/iptables.post
The IPtables configuration file is displayed.
- Type the following command to instruct JSA to allow communication from your Open LDAP servers:
-I QChain 1 -m udp -p udp --src <IP address> --dport <New port> -j ACCEPT
Where:
<IP address> is the IP address of your
Open LDAP server.
<New port> is the port number that is
configured in the UDP Multiline protocol for Open LDAP.
You must include an accept rule for each Open LDAP IP address that sends events to your JSA console or Event Collector. For example, if you had three Open LDAP servers that communicate with an Event Collector, you would type the following code:
-I QChain 1 -m udp -p udp --src 10.10.10.10 --dport 517 -j ACCEPT
-I QChain 1 -m udp -p udp --src 10.10.10.11 --dport 517 -j ACCEPT
-I QChain 1 -m udp -p udp --src 10.10.10.12 --dport 517 -j ACCEPT
- Type the following command to update IPtables in JSA:
/opt/qradar/bin/iptables_update.pl
Repeat these steps if you need to configure another JSA console or Event Collector that receives
syslog events from an Open LDAP server.
You can now configure your Open LDAP server to forward events
to JSA.