UDP Multiline Syslog log source parameters for Cisco ACS
The Cisco ACS DSM for IBM QRadar accepts syslog events from Cisco ACS appliances with log sources that are configured to use the UDP Multiline Syslog protocol.
If QRadar does not automatically detect the log source, add a Cisco ACS log source on the QRadar Console by using the UDP Multiline Syslog protocol.
Parameter | Value |
---|---|
Log Source type | Cisco ACS |
Protocol Configuration | UDP Multiline Syslog |
Log Source Identifier | The source IP address of the incoming packets. If you select Show Advanced options and then select the Use As A Gateway Log Source option, the Log Source Identifier can be any valid value and does not need to reference a specific server; it can be the same value as the Log Source Name. If you configure more than one Cisco ACS log source, you might identify the first log source as ciscoacs1, the second as ciscoacs2, and the third as ciscoacs3. For more information about using a gateway, see UDP multiline syslog protocol configuration options. |
Listen Port | The port on which QRadar accepts incoming UDP Multiline Syslog events. The default is 517. You can use a different port; the valid range is 1 - 65535. |
Message ID Pattern | `\s(\d{10})\s` The regular expression whose first capture group extracts the message ID that the protocol uses to group UDP packets from the same Cisco ACS message into one event. |
Event Formatter | Select Cisco ACS Multiline from the list. |
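The Message ID Pattern is what makes the UDP Multiline Syslog protocol work: Cisco ACS splits a long syslog message across several UDP packets, stamps each packet with the same 10-digit message ID, and the protocol groups packets that share that ID back into one event. The following Python script is an added example that models that grouping; it is not IBM or Cisco code. It uses the page's pattern `\s(\d{10})\s` to pick the ID, and it assumes (this is not stated on the page) that the ACS header continues with `<total segments> <segment number>` so that a group can be closed when all segments have arrived; QRadar itself closes groups on its own timers. The sample packets are constructed for the example, loosely modeled on the Cisco ACS 5.x syslog layout, and include an out-of-order message, an incomplete one, and a packet with no message ID at all.

```python
import re
from collections import defaultdict

# Message ID Pattern from the Cisco ACS log source table above: the first capture
# group is the 10-digit message ID that Cisco ACS stamps on every segment of a
# syslog message it had to split across several UDP packets.
MESSAGE_ID_PATTERN = re.compile(r"\s(\d{10})\s")

# Assumption for this example (not stated on the page): after the message ID, the
# ACS header carries "<total segments> <segment number>", with segments numbered from 0.
SEGMENT_PATTERN = re.compile(r"\s(\d{10})\s(\d+)\s(\d+)\s")

# Constructed sample packets for the example, loosely modeled on Cisco ACS 5.x syslog;
# they were not captured from a real appliance. Message 0000000042 arrives out of
# order and interleaved with other traffic, 0000000044 never completes, and the
# ntpd line carries no message ID at all.
SAMPLE_PACKETS = [
    "<181>Jun 03 14:22:01 acs1 CSCOacs_Passed_Authentications 0000000042 3 0 2024-06-03 14:22:01.512 -04:00 0000123 5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=jdoe, Device IP Address=10.0.0.5,",
    "<181>Jun 03 14:22:01 acs1 CSCOacs_Passed_Authentications 0000000042 3 2 SelectedAccessService=Default Device Admin, Step=11001, Step=11017,",
    "<181>Jun 03 14:22:01 acs1 CSCOacs_Failed_Attempts 0000000043 1 0 2024-06-03 14:22:01.600 -04:00 0000124 5400 NOTICE Failed-Attempt: Authentication failed, UserName=mallory, Device IP Address=10.0.0.9,",
    "<181>Jun 03 14:22:01 acs1 CSCOacs_Passed_Authentications 0000000042 3 1 NetworkDeviceName=core-sw1, AuthenticationMethod=PAP_ASCII,",
    "<181>Jun 03 14:22:02 acs1 ntpd[412]: synchronized to 10.0.0.1, stratum 3",
    "<181>Jun 03 14:22:02 acs1 CSCOacs_Passed_Authentications 0000000044 2 0 2024-06-03 14:22:02.010 -04:00 0000125 5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=alice,",
]


def extract_message_id(packet):
    """Return the message ID the configured pattern selects, or None if it does not match."""
    match = MESSAGE_ID_PATTERN.search(packet)
    return match.group(1) if match else None


class MultilineReassembler:
    """Groups UDP packets that share a message ID into one event, the way the QRadar
    UDP Multiline Syslog protocol does for Cisco ACS. QRadar closes a group on its own
    timers; this example closes it as soon as the declared segment count is reached."""

    def __init__(self):
        self._segments = defaultdict(dict)  # message ID -> {segment number: packet}
        self._expected = {}                 # message ID -> declared total segments
        self.events = []                    # completed events, in completion order

    def add_packet(self, packet):
        id_match = MESSAGE_ID_PATTERN.search(packet)
        if id_match is None:
            # Nothing to correlate on: pass the packet through as a one-line event.
            # Such events will not parse as Cisco ACS, which is the usual symptom of
            # a Message ID Pattern that does not match the appliance's output.
            self.events.append(packet)
            return
        msg_id = id_match.group(1)
        seg_match = SEGMENT_PATTERN.match(packet, id_match.start())
        if seg_match is None:
            total, seq = 1, 0  # ID but no segment counters: treat as a single segment
        else:
            total, seq = int(seg_match.group(2)), int(seg_match.group(3))
        self._segments[msg_id][seq] = packet
        self._expected[msg_id] = total
        if len(self._segments[msg_id]) >= total:
            self.events.append(self._assemble(msg_id))

    def _assemble(self, msg_id):
        segments = self._segments.pop(msg_id)
        self._expected.pop(msg_id)
        ordered = [segments[i] for i in sorted(segments)]
        # The first segment keeps its full syslog header; every later segment contributes
        # only the text after its "<id> <total> <seq> " prefix, so the ID appears once.
        tails = [SEGMENT_PATTERN.split(s, maxsplit=1)[-1].strip() for s in ordered[1:]]
        return " ".join([ordered[0].rstrip()] + tails)

    def incomplete(self):
        """Message IDs still waiting for segments: (received, declared) per ID."""
        return {mid: (len(segs), self._expected[mid]) for mid, segs in self._segments.items()}


def reassemble(packets):
    """Feed packets through the reassembler; return (events, incomplete groups)."""
    reassembler = MultilineReassembler()
    for packet in packets:
        reassembler.add_packet(packet)
    return reassembler.events, reassembler.incomplete()


if __name__ == "__main__":
    events, pending = reassemble(SAMPLE_PACKETS)
    for event in events:
        print(event)
    print("incomplete:", pending)
```

Running the script shows the three-segment message 0000000042 emitted as a single line with its segments in numeric order even though packet 2 arrived before packet 1, the ntpd line passed through untouched, and message 0000000044 still pending with one of two segments. When a Cisco ACS log source shows truncated or unparsed events in QRadar, checking whether the configured pattern actually matches a captured packet, as `extract_message_id` does here, is the first thing to verify.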
For a complete list of UDP Multiline Syslog protocol parameters and their values, see UDP multiline syslog protocol configuration options.