Configuring IBM Security Verify Directory to communicate with QRadar

IBM QRadar can collect LEEF formatted audit events from your IBM Security Verify Directory.

About this task

To configure IBM Security Verify Directory to send logs to IBM QRadar, you must use the IBM Security Verify Directory command line to add an auxiliary object class and then set values for the QRadar log management attributes.

Procedure

  1. Create a file (file_name) on the IBM Security Verify Directory or IBM Security Directory Server with the following content:
    dn: cn=Audit, cn=Log Management, cn=Configuration
    changetype: modify
    add: objectclass
    objectclass: ibm-slapdQRadarConfig
  2. To add the auxiliary object class ibm-slapdQRadarConfig for QRadar configuration attributes to cn=Audit,cn=Log Management,cn=Configuration, run the following command:
    # idsldapmodify -h host_name -p portnumber -D cn=RDN_value -w password -f file_name
  3. Create a new file (new_file) with the following content:
    dn: cn=specific_log_name, cn=Log Management, cn=Configuration
    changetype: modify
    add: ibm-slapdLogEventQRadarEnabled
    ibm-slapdLogEventQRadarEnabled: true
    -
    add: ibm-slapdLogEventQRadarHostName
    ibm-slapdLogEventQRadarHostName: host_name_of_qradar_instance
    -
    add: ibm-slapdLogEventQRadarPort
    ibm-slapdLogEventQRadarPort: port_of_qradar_instance
    -
    add: ibm-slapdLogEventQRadarMapFilesLocation
    ibm-slapdLogEventQRadarMapFilesLocation: directory_location_of_qradar_mapfiles
  4. Replace the following values in the new_file content:
    1. Replace host_name_of_qradar_instance with the destination QRadar Event Collector hostname or IP address.
    2. Replace port_of_qradar_instance with 514.
    3. If IBM Security Directory Server or IBM Security Verify Directory is installed, replace directory_location_of_qradar_mapfiles with /opt/ibm/ldap/<INSTALLED_VERSION>/idstools/idslogmgmt/.
    4. If V6.3.1 is installed, replace directory_location_of_qradar_mapfiles with /opt/ibm/ldap/V6.3.1/idstools/idslogmgmt/.
    5. If V6.4 is installed, replace directory_location_of_qradar_mapfiles with /opt/ibm/ldap/V6.4/idstools/idslogmgmt/.
    For example:
    dn: cn=specific_log_name, cn=Log Management, cn=Configuration
    changetype: modify
    add: ibm-slapdLogEventQRadarEnabled
    ibm-slapdLogEventQRadarEnabled: true
    -
    add: ibm-slapdLogEventQRadarHostName
    ibm-slapdLogEventQRadarHostName: qradar-collector.example.com
    -
    add: ibm-slapdLogEventQRadarPort
    ibm-slapdLogEventQRadarPort: 514
    -
    add: ibm-slapdLogEventQRadarMapFilesLocation
    ibm-slapdLogEventQRadarMapFilesLocation: /opt/ibm/ldap/V6.3.1/idstools/idslogmgmt/
  5. To set the attribute values for QRadar integration, run the following command:
    # idsldapmodify -h host_name -p portnumber -D cn=RDN_value -w password -f new_file
  6. To start an instance, run the following command:
    # ibmslapd -I <instance_name> -n
  7. Optional: To start log management locally, run the following command:
    # idslogmgmt -I <instance_name>
    To start, get status, and stop log management remotely, run the following commands:
    # ibmdirctl -D <adminDN> -w <password> -h <host_name> -p <administration server port number> startlogmgmt
    # ibmdirctl -D <adminDN> -w <password> -h <host_name> -p <administration server port number> statuslogmgmt
    # ibmdirctl -D <adminDN> -w <password> -h <host_name> -p <administration server port number> stoplogmgmt
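As an added pre-flight check (example code written for this page, not IBM's own tooling): the script below renders the step 3 record with the step 4 values filled in and validates a new_file before it is passed to idsldapmodify in step 5, flagging placeholders that were never replaced, a port other than 514, or a map file location outside /opt/ibm/ldap/<version>/idstools/idslogmgmt/. The function names render_qradar_ldif, parse_modify_ldif and validate_qradar_ldif are mine.

```python
REQUIRED = ("ibm-slapdLogEventQRadarEnabled", "ibm-slapdLogEventQRadarHostName",
            "ibm-slapdLogEventQRadarPort", "ibm-slapdLogEventQRadarMapFilesLocation")
PLACEHOLDERS = ("specific_log_name", "host_name_of_qradar_instance",
                "port_of_qradar_instance", "directory_location_of_qradar_mapfiles")


def render_qradar_ldif(log_name, host, port, map_dir):
    """Build the step-3 modify record with the step-4 values filled in (hypothetical helper)."""
    mods = [("ibm-slapdLogEventQRadarEnabled", "true"),
            ("ibm-slapdLogEventQRadarHostName", host),
            ("ibm-slapdLogEventQRadarPort", str(port)),
            ("ibm-slapdLogEventQRadarMapFilesLocation", map_dir)]
    body = "\n-\n".join(f"add: {a}\n{a}: {v}" for a, v in mods)
    return f"dn: cn={log_name}, cn=Log Management, cn=Configuration\nchangetype: modify\n{body}\n"


def parse_modify_ldif(text):
    """Return (dn, {attr: value}); 'changetype', 'add: x' and '-' separator lines are skipped."""
    dn, attrs = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key.lower() == "dn":
            dn = value
        elif key.lower() not in ("changetype", "add"):
            attrs[key] = value
    return dn, attrs


def validate_qradar_ldif(text):
    """Return a list of problems; an empty list means new_file is ready for idsldapmodify."""
    dn, attrs = parse_modify_ldif(text)
    problems = []
    if not dn or "cn=log management" not in dn.lower():
        problems.append("dn is not an entry under cn=Log Management,cn=Configuration")
    problems += [f"missing {n}" for n in REQUIRED if n not in attrs]
    for value in [dn or "", *attrs.values()]:  # placeholders left over from step 3
        problems += [f"placeholder {p} not replaced" for p in PLACEHOLDERS if p in value]
    if attrs.get("ibm-slapdLogEventQRadarEnabled", "true").lower() != "true":
        problems.append("ibm-slapdLogEventQRadarEnabled must be true")
    if attrs.get("ibm-slapdLogEventQRadarPort", "514") != "514":
        problems.append("port is not the 514 that the procedure specifies")
    path = attrs.get("ibm-slapdLogEventQRadarMapFilesLocation", "/opt/ibm/ldap/x/idstools/idslogmgmt/")
    if not (path.startswith("/opt/ibm/ldap/") and path.endswith("/idstools/idslogmgmt/")):
        problems.append("map file location is not /opt/ibm/ldap/<version>/idstools/idslogmgmt/")
    return problems
```

Run validate_qradar_ldif over the contents of new_file and apply it only when the returned list is empty.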