Configuring event forwarding for Open LDAP

Configure syslog event forwarding for Open LDAP:

Procedure

  1. Log in to the command line interface for your Open LDAP server.
  2. Edit the following file:

    /etc/syslog.conf

  3. Add the following information to the syslog configuration file:

    <facility> @<IP address>

    Where:

    <facility> is the syslog facility, for example local4.

    <IP address> is the IP address of your QRadar Console or Event Collector.

    For example:

    #Logging for SLAPD
    local4.debug /var/log/messages
    local4.debug @<IP_address>

    Note: If your Open LDAP server stores event messages in a directory other than /var/log/messages, you must edit the directory path.
  4. Save the syslog configuration file.
  5. Type the following command to restart the syslog service:

    /etc/init.d/syslog restart

    The configuration for Open LDAP is complete. UDP Multiline Syslog events that are forwarded to QRadar are displayed on the Log Activity tab.
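
Steps 2 through 4 as an added shell example (not part of the original procedure): it adds the forwarding rule only when no uncommented copy exists, then lets you verify it before restarting syslog. The function names, the .bak backup file and the sample address 192.0.2.10 are assumptions.

```shell
#!/bin/sh
# Added example: idempotently add and verify the forwarding rule from step 3.
# Function names, the .bak backup and 192.0.2.10 are assumptions.

# has_forward CONF SELECTOR HOST
# Succeeds when an uncommented line sends SELECTOR to @HOST.
# Only matches lines with a single selector (no "a;b" selector lists).
has_forward() {
    awk -v sel="$2" -v act="@$3" '
        /^[ \t]*#/ { next }                    # ignore commented-out rules
        $1 == sel && $2 == act { found = 1 }   # selector, whitespace, action
        END { exit !found }
    ' "$1"
}

# add_forward CONF SELECTOR HOST
# Appends the rule if it is missing, after saving a backup of CONF.
add_forward() {
    if has_forward "$1" "$2" "$3"; then
        return 0                               # already configured
    fi
    cp -p "$1" "$1.bak" || return 1
    # Make sure the new rule starts on its own line.
    if [ -n "$(tail -c 1 "$1")" ]; then
        echo >> "$1"
    fi
    printf '%s\t@%s\n' "$2" "$3" >> "$1"
}

# Usage on the Open LDAP server (as root), followed by step 5:
#   add_forward /etc/syslog.conf local4.debug 192.0.2.10 &&
#       /etc/init.d/syslog restart
```

A rule that is present but commented out is treated as missing, so a disabled forwarder is not mistaken for a working one.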