Configuring IBM Security Verify Directory to communicate with QRadar
IBM QRadar can collect LEEF formatted audit events from your IBM Security Verify Directory.
About this task
To configure IBM Security Verify Directory to send logs to IBM QRadar, you must use the IBM Security Verify Directory command line to add an auxiliary object class and then set values for the QRadar log management attributes.
Procedure
- Create a file (file_name) on the IBM Security Verify Directory or IBM Security Directory Server with the following content:
  dn: cn=Audit, cn=Log Management, cn=Configuration
  changetype: modify
  add: objectclass
  objectclass: ibm-slapdQRadarConfig
- To add the auxiliary object class ibm-slapdQRadarConfig for QRadar configuration attributes to cn=Audit,cn=Log Management,cn=Configuration, run the following command:
  # idsldapmodify -h host_name -p portnumber -D cn=RDN_value -w password -f file_name
- Create a new file (new_file) with the following content:
  dn: cn=specific_log_name, cn=Log Management, cn=configuration
  changetype: modify
  add: ibm-slapdLogEventQRadarEnabled
  ibm-slapdLogEventQRadarEnabled: true
  -
  add: ibm-slapdLogEventQRadarHostName
  ibm-slapdLogEventQRadarHostName: host_name_of_qradar_instance
  -
  add: ibm-slapdLogEventQRadarPort
  ibm-slapdLogEventQRadarPort: port_of_qradar_instance
  -
  add: ibm-slapdLogEventQRadarMapFilesLocation
  ibm-slapdLogEventQRadarMapFilesLocation: directory_location_of_qradar_mapfiles
- Replace the following values in the new_file content:
  - Replace host_name_of_qradar_instance with the destination QRadar Event Collector hostname or IP address.
  - Replace port_of_qradar_instance with 514.
  - If IBM Security Directory Server or IBM Security Verify Directory is installed, replace directory_location_of_qradar_mapfiles with /opt/ibm/ldap/<INSTALLED_VERSION>/idstools/idslogmgmt/.
  - If V6.3.1 is installed, replace directory_location_of_qradar_mapfiles with /opt/ibm/ldap/V6.3.1/idstools/idslogmgmt/.
  - If V6.4 is installed, replace directory_location_of_qradar_mapfiles with /opt/ibm/ldap/V6.4/idstools/idslogmgmt/.
  For example:
  dn: cn=specific_log_name, cn=Log Management, cn=configuration
  changetype: modify
  add: ibm-slapdLogEventQRadarEnabled
  ibm-slapdLogEventQRadarEnabled: true
  -
  add: ibm-slapdLogEventQRadarHostName
  ibm-slapdLogEventQRadarHostName: qradar-collector.example.com
  -
  add: ibm-slapdLogEventQRadarPort
  ibm-slapdLogEventQRadarPort: 514
  -
  add: ibm-slapdLogEventQRadarMapFilesLocation
  ibm-slapdLogEventQRadarMapFilesLocation: /opt/ibm/ldap/V6.3.1/idstools/idslogmgmt/
- To set the attribute values for QRadar integration, run the following command:
  # idsldapmodify -h host_name -p portnumber -D cn=RDN_value -w password -f new_file
- To start an instance, run the following command:
  # ibmslapd -I <instance_name> -n
- Optional: To start log management locally, run the following command:
  # idslogmgmt -I <instance_name>
  To start, get status, and stop log management remotely, run the following commands:
  # ibmdirctl -D <adminDN> -w <password> -h <host_name> -p <administration server port number> startlogmgmt
  # ibmdirctl -D <adminDN> -w <password> -h <host_name> -p <administration server port number> statuslogmgmt
  # ibmdirctl -D <adminDN> -w <password> -h <host_name> -p <administration server port number> stoplogmgmt
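The two LDIF files from the procedure above, generated and checked by script. This is an added example for this page, not IBM's code and not part of IBM Security Verify Directory: the DN, object class, attribute names, port 514 and the /opt/ibm/ldap/<version>/idstools/idslogmgmt/ paths come from the page, while the function names, the hostname check and the sample collector name are assumptions of the example. It is useful when the same change has to be applied to several instances, because idsldapmodify will store a mistyped hostname or port without complaint and the directory then ships audit events to nowhere.

```python
"""Build and sanity-check the LDIF used in the procedure above.

Added example for this page, not IBM's code. DN, attribute names, object
class, port and map-files paths come from the page; the helper names, the
hostname check and the sample values under __main__ are this example's own.
"""
import ipaddress
import re

# Entry that receives the auxiliary object class (from the page).
AUDIT_DN = "cn=Audit, cn=Log Management, cn=Configuration"
AUX_OBJECTCLASS = "ibm-slapdQRadarConfig"

# Port the page tells you to use for the QRadar Event Collector.
QRADAR_PORT = 514

# Map-files directory per installed version, as given on the page.
MAPFILES_TEMPLATE = "/opt/ibm/ldap/{version}/idstools/idslogmgmt/"

# Conservative RFC 1123 hostname check; IP literals are handled separately.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def mapfiles_location(version: str) -> str:
    """Return the idslogmgmt map-files directory for a version string such as V6.4."""
    if not re.fullmatch(r"V\d+(?:\.\d+)*", version):
        raise ValueError(f"unexpected version string: {version!r}")
    return MAPFILES_TEMPLATE.format(version=version)


def collector_is_valid(host: str, port: int) -> bool:
    """True if host is a hostname or IP literal and port is a usable port number."""
    # idsldapmodify stores whatever it is given; catch typos before the
    # directory starts sending LEEF events to an unreachable destination.
    try:
        ipaddress.ip_address(host)
        host_ok = True
    except ValueError:
        host_ok = bool(_HOST_RE.match(host))
    return host_ok and isinstance(port, int) and 1 <= port <= 65535


def aux_objectclass_ldif() -> str:
    """LDIF for file_name: add ibm-slapdQRadarConfig to the Audit entry."""
    return (
        f"dn: {AUDIT_DN}\n"
        "changetype: modify\n"
        "add: objectclass\n"
        f"objectclass: {AUX_OBJECTCLASS}\n"
    )


def qradar_attributes_ldif(log_name: str, host: str, port: int, version: str) -> str:
    """LDIF for new_file: set the four QRadar attributes on one log entry."""
    if not collector_is_valid(host, port):
        raise ValueError(f"bad QRadar collector {host!r}:{port!r}")
    changes = [
        ("ibm-slapdLogEventQRadarEnabled", "true"),
        ("ibm-slapdLogEventQRadarHostName", host),
        ("ibm-slapdLogEventQRadarPort", str(port)),
        ("ibm-slapdLogEventQRadarMapFilesLocation", mapfiles_location(version)),
    ]
    # Each attribute is its own "add" change; LDIF separates changes with a lone "-".
    body = "\n-\n".join(f"add: {attr}\n{attr}: {value}" for attr, value in changes)
    return f"dn: cn={log_name}, cn=Log Management, cn=configuration\nchangetype: modify\n{body}\n"


def parse_modify_ldif(text: str):
    """Parse one 'changetype: modify' record into (dn, [(attribute, value), ...]).

    Minimal parser for the shape used on this page (no base64 values, no folded
    lines); handy for checking a hand-edited new_file before running idsldapmodify.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or not lines[0].startswith("dn: ") or lines[1] != "changetype: modify":
        raise ValueError("not a single-entry modify record")
    dn, mods, pending = lines[0][len("dn: "):], [], None
    for ln in lines[2:]:
        if ln == "-":
            pending = None
            continue
        key, sep, value = ln.partition(": ")
        if not sep:
            raise ValueError(f"malformed line: {ln!r}")
        if key == "add":
            pending = value
        elif key == pending:
            mods.append((key, value))
        else:
            raise ValueError(f"attribute {key!r} appears outside its add change")
    return dn, mods


if __name__ == "__main__":
    # Constructed sample values; substitute your collector and installed version.
    print(aux_objectclass_ldif())
    print(qradar_attributes_ldif("Audit", "qradar-collector.example.com", QRADAR_PORT, "V6.3.1"))
```

Redirect the two printed records to file_name and new_file and pass them to idsldapmodify exactly as in the procedure; parse_modify_ldif can also be pointed at an existing new_file to confirm that every attribute line sits inside its own add change before the modify is sent to the server.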