Configuring XDASv2 to forward events

By default, XDASv2 is configured to log events to a file. To forward events from XDASv2 to QRadar®, you must edit the xdasconfig.properties.template and configure the file for syslog forwarding.

About this task

Audit events must be forwarded by syslog to QRadar, instead of being logged to a file.

To configure XDASv2 to forward syslog events:

Procedure

  1. Log in to the server hosting Novell eDirectory.
  2. Open the following file for editing:
    • Windows - C:\Novell\NDS\xdasconfig.properties.template
    • Linux or Solaris - etc/opt/novell/eDirectory/conf/xdasconfig.properties.template
  3. To set the root logger, remove the comment marker (#) from the following line:

    log4j.rootLogger=debug, S, R

  4. To set the appender, remove the comment marker (#) from the following line:

    log4j.appender.S=org.apache.log4j.net.SyslogAppender

  5. To configure the IP address for the syslog destination, remove the comment marker (#) and edit the following lines:

    log4j.appender.S.Host=<IP address>
    log4j.appender.S.Port=<Port>

    Where,

    <IP address> is the IP address or hostname of QRadar.

    <Port> is the port number for the UDP or TCP protocol. The default port for syslog communication is port 514 for QRadar or Event Collectors.

  6. To configure the syslog protocol, remove the comment marker (#) and type the protocol (UDP, TCP, or SSL) to use in the following line:

    log4j.appender.S.Protocol=TCP

    The encrypted protocol SSL is not supported by QRadar.

  7. To set the severity level for logging events, remove the comment marker (#) from the following line:

    log4j.appender.S.Threshold=INFO

    The default value of INFO is the correct severity level for events.

  8. To set the facility for logging events, remove the comment marker (#) from the following line:

    log4j.appender.S.Facility=USER

    The default value of USER is the correct facility value for events.

  9. To set the maximum number of backup log files that are kept, remove the comment marker (#) from the following line:

    log4j.appender.R.MaxBackupIndex=10

  10. Save the xdasconfig.properties.template file.

    After you configure the syslog properties for XDASv2 events, you are ready to load the XDASv2 module.
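One way to confirm that every step above was applied before you load the module is to parse the edited file and report any property that is still commented out, missing, or set to a value QRadar cannot accept. This is an added example, not part of the original procedure or of any Novell or IBM tooling; the function names and the sample file contents are constructed for illustration.

```python
import re

# Property -> test on its active value, following steps 3 to 9 above.
CHECKS = {
    "log4j.rootLogger": lambda v: "S" in [p.strip() for p in v.split(",")][1:],
    "log4j.appender.S": lambda v: v == "org.apache.log4j.net.SyslogAppender",
    "log4j.appender.S.Host": lambda v: bool(v) and "<" not in v,
    "log4j.appender.S.Port": lambda v: v.isdecimal() and 0 < int(v) < 65536,
    "log4j.appender.S.Protocol": lambda v: v.upper() in ("UDP", "TCP"),  # not SSL
    "log4j.appender.S.Threshold": lambda v: v == "INFO",
    "log4j.appender.S.Facility": lambda v: v == "USER",
    "log4j.appender.R.MaxBackupIndex": lambda v: v.isdecimal(),
}

def parse_properties(text):
    """Split key=value lines into (active, commented_out) dictionaries."""
    active, commented = {}, {}
    for line in (raw.strip() for raw in text.splitlines()):
        target = commented if line.startswith("#") else active
        m = re.match(r"([\w.]+)\s*=\s*(.*)$", line.lstrip("#").strip())
        if m:
            target[m.group(1)] = m.group(2).strip()
    return active, commented

def check_xdas_syslog(text):
    """Return {property: problem}; an empty dict means all steps were applied."""
    active, commented = parse_properties(text)
    problems = {}
    for key, ok in CHECKS.items():
        if key in active:
            if not ok(active[key]):
                problems[key] = f"unexpected value {active[key]!r}"
        elif key in commented:
            problems[key] = "still commented out"
        else:
            problems[key] = "missing"
    return problems

# Constructed sample: SSL was chosen and the Threshold line is still commented.
SAMPLE = """\
log4j.rootLogger=debug, S, R
log4j.appender.S=org.apache.log4j.net.SyslogAppender
log4j.appender.S.Host=192.0.2.10
log4j.appender.S.Port=514
log4j.appender.S.Protocol=SSL
#log4j.appender.S.Threshold=INFO
log4j.appender.S.Facility=USER
log4j.appender.R.MaxBackupIndex=10
"""

if __name__ == "__main__":
    for prop, problem in check_xdas_syslog(SAMPLE).items():
        print(f"{prop}: {problem}")
```

To check a real file, pass its contents to check_xdas_syslog() in place of SAMPLE.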