Configuring IPtables for multiline UDP syslog events
To collect events, you must redirect events from the standard syslog port that the PostFix MTA sends to (UDP port 514) to port 517, the port used by the UDP multiline protocol.
Procedure
- Use SSH to log in to IBM QRadar as the root user.
- To edit the IPtables NAT file, type the following command:
  vi /opt/qradar/conf/iptables-nat.post
- To instruct QRadar to redirect syslog events from UDP port 514 to UDP port 517, type the following command:
  -A PREROUTING -p udp --dport 514 -j REDIRECT --to-port <New port> -s <IP address>
  Where:
  - <IP address> is the IP address of your PostFix MTA installation.
  - <New port> is the port number that is configured in the UDP Multiline protocol for PostFix MTA.
  For example, if you had three PostFix MTA installations that communicate with QRadar, you can type the following rules, one per line:
  -A PREROUTING -p udp --dport 514 -j REDIRECT --to-port 517 -s <IP_address1>
  -A PREROUTING -p udp --dport 514 -j REDIRECT --to-port 517 -s <IP_address2>
  -A PREROUTING -p udp --dport 514 -j REDIRECT --to-port 517 -s <IP_address3>
- Save your IPtables NAT configuration.
  You are now ready to configure IPtables on your QRadar Console or Event Collector to accept events from your PostFix MTA installation.
- To edit the IPtables file, type the following command:
  vi /opt/qradar/conf/iptables.post
- To instruct QRadar to allow communication from your PostFix MTA installations, type the following command:
  -I QChain 1 -m udp -p udp --src <IP address> --dport <New port> -j ACCEPT
  Where:
  - <IP address> is the IP address of your PostFix MTA installation.
  - <New port> is the port number that is configured in the UDP Multiline protocol.
  For example, if you had three PostFix MTA installations that communicate with an Event Collector, you can type the following rules, one per line:
  -I QChain 1 -m udp -p udp --src <IP_address1> --dport 517 -j ACCEPT
  -I QChain 1 -m udp -p udp --src <IP_address2> --dport 517 -j ACCEPT
  -I QChain 1 -m udp -p udp --src <IP_address3> --dport 517 -j ACCEPT
- To save the changes and update IPtables, type the following command (the script lives under /opt/qradar/bin, so use the absolute path):
  /opt/qradar/bin/iptables_update.pl
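As an added example (not part of the IBM documentation or the QRadar product), the following POSIX shell script generates the rule lines for both iptables-nat.post and iptables.post from a list of PostFix MTA addresses, and checks each address before emitting a rule so that a typo cannot produce a rule that never matches and leaves the multiline port unreachable. The sample addresses and the use of port 517 are constructed assumptions.

```shell
#!/bin/sh
# Added example: build the iptables-nat.post and iptables.post rule lines for a
# set of PostFix MTA source addresses. Not IBM's own tooling.

SYSLOG_PORT=514      # port the MTAs send syslog to
MULTILINE_PORT=517   # port configured in the UDP Multiline protocol (assumed)

# Return 0 for a syntactically valid dotted-quad IPv4 address, 1 otherwise.
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# One PREROUTING redirect per source address: the contents of iptables-nat.post.
nat_rules() {
  for ip in "$@"; do
    valid_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 1; }
    printf '%s\n' "-A PREROUTING -p udp --dport $SYSLOG_PORT -j REDIRECT --to-port $MULTILINE_PORT -s $ip"
  done
}

# One QChain ACCEPT per source address: the contents of iptables.post.
filter_rules() {
  for ip in "$@"; do
    valid_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 1; }
    printf '%s\n' "-I QChain 1 -m udp -p udp --src $ip --dport $MULTILINE_PORT -j ACCEPT"
  done
}

# Constructed sample addresses (RFC 5737 documentation range), not real MTAs.
MTA_HOSTS="192.0.2.10 192.0.2.11 192.0.2.12"
echo "# /opt/qradar/conf/iptables-nat.post"
nat_rules $MTA_HOSTS
echo "# /opt/qradar/conf/iptables.post"
filter_rules $MTA_HOSTS
```

Redirect each section into the matching file, then run /opt/qradar/bin/iptables_update.pl as in the last step.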