Configuring event forwarding for Open LDAP
Configure syslog event forwarding for Open LDAP:
Procedure
- Log in to the command line interface for your Open LDAP server.
- Edit the following file:
  /etc/syslog.conf
- Add the following information to the syslog configuration file:
  <facility> @<IP address>
  Where:
  <facility> is the syslog facility, for example local4.
  <IP address> is the IP address of your QRadar Console or Event Collector.
  For example,
  #Logging for SLAPD
  local4.debug /var/log/messages
  local4.debug @<IP_address>
  Note: If your Open LDAP server stores event messages in a directory other than /var/log/messages, you must edit the directory path.
- Save the syslog configuration file.
- Type the following command to restart the syslog service:
  /etc/init.d/syslog restart
The configuration for Open LDAP is complete. UDP Multiline Syslog events that are forwarded to QRadar are displayed on the Log Activity tab.
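
One way to confirm that the edited file contains an active UDP forwarding rule for the slapd facility before you restart syslog. This is an added example, not part of the original procedure; the function names, the sample file, and the 192.0.2.x addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the remote hosts that a classic syslog.conf forwards a
# facility to over UDP ("@host" action). Simplified: priority levels and the
# "=" and "!" modifiers are not evaluated, only "none" exclusions.
forward_targets() {  # usage: forward_targets FILE FACILITY
    awk -v fac="$2" '
        /^[[:space:]]*(#|$)/ { next }        # skip comments and blank lines
        NF >= 2 && $NF ~ /^@[^@]/ {          # last field is a single-@ forward action
            matched = 0
            n = split($1, sels, ";")         # selectors are separated by ";"
            for (i = 1; i <= n; i++) {
                split(sels[i], part, ".")    # facility[,facility].priority
                m = split(part[1], facs, ",")
                for (j = 1; j <= m; j++)
                    if (facs[j] == fac || facs[j] == "*")
                        matched = (part[2] != "none")   # later selectors override
            }
            if (matched) print substr($NF, 2)
        }
    ' "$1"
}

# Constructed sample configuration; 192.0.2.10 stands in for the QRadar address.
sample_conf() {
    cat <<'EOF'
#Logging for SLAPD
local4.debug            /var/log/messages
local4.debug            @192.0.2.10
#local4.debug           @192.0.2.99
*.info;local4.none      @192.0.2.20
EOF
}

conf=$(mktemp)
sample_conf > "$conf"
echo "local4 is forwarded to: $(forward_targets "$conf" local4)"
echo "mail is forwarded to:   $(forward_targets "$conf" mail)"
rm -f "$conf"
```

An empty result for the facility that slapd logs to means no events reach QRadar: the rule is missing, commented out, or cancelled by a `.none` selector.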