Nortel Multiprotocol Router
The Nortel Multiprotocol Router DSM for IBM QRadar records all relevant Nortel Multiprotocol Router events by using syslog.
About this task
Before you configure QRadar to integrate with a Nortel Multiprotocol Router device, you must:
Procedure
- Log in to your Nortel Multiprotocol Router device.
- At the prompt, type the following command:
bcc
The Bay Command Console prompt is displayed.
Welcome to the Bay Command Console!
* To enter configuration mode, type config
* To list all system commands, type ?
* To exit the BCC, type exit
bcc>
- Type the following command to access configuration mode:
config
- Type the following command to access syslog configuration:
syslog
- Type the following commands:
log-host address <IP address>
Where <IP address> is the IP address of your QRadar.
- View current default settings for your QRadar:
info
For example:
log-host/<IP_address># info
address <IP_address>
log-facility local0
state enabled
- If the output of the command entered in Nortel Multiprotocol Router indicates that the state is not enabled, type the following command to enable forwarding for the syslog host:
state enable
- Configure the log facility parameter:
log-facility local0
- Create a filter for the hardware slots to enable them to forward the syslog events. Type the following command to create a filter with the name WILDCARD:
filter name WILDCARD entity all
- Configure the slot-upper-bound parameter:
slot-upper-bound <number of slots>
Where <number of slots> is the number of slots available on your device. The value to configure depends on your version of the Nortel Multiprotocol Router device, which determines the maximum number of slots available on the device.
- Configure the level of syslog messages that you want to send to your QRadar:
severity-mask all
- View the current settings for this filter:
info
For example:
filter/<IP_address>/WILDCARD# info
debug-map debug
entity all
event-lower-bound 0
event-upper-bound 255
fault-map critical
info-map info
name WILDCARD
severity-mask {fault warning info trace debug}
slot-lower-bound 0
slot-upper-bound 1
state enabled
trace-map debug
warning-map warning
- View the currently configured settings for the syslog filters:
show syslog filters
When the syslog and filter parameters are correctly configured, the Operational State indicates up.
For example:
syslog# show syslog filters
show syslog filters Sep 15, 2008 18:21:25 [GMT+8]
Table 1. Syslog filters

| Host IP address | Filter Name | Entity Name | Entity Code | Configured State | Operational State |
| --- | --- | --- | --- | --- | --- |
| <IP_address1> | WILDCARD | all | 255 | enabled | up |
| <IP_address2> | WILDCARD | all | 255 | enabled | up |
- View the currently configured syslog host information:
show syslog log-host
The host log displays the number of packets that are going to the various syslog hosts.
For example:
syslog# show syslog log-host
show syslog log-host Sep 15, 2008 18:21:32 [GMT+8]
Table 2. Syslog host log

| Host IP address | Configured State | Operational State | Time Sequencing | UDP Port | Facility Code | #Messages Sent |
| --- | --- | --- | --- | --- | --- | --- |
| <IP_address1> | enabled | up | disabled | 514 | local0 | 1402 |
| <IP_address2> | enabled | up | disabled | 514 | local0 | 131 |
- Exit the command line interface:
- Exit the current command line to return to the bcc command line:
exit
- Exit the bcc command line:
exit
- Exit the command-line session:
logout
- You can now configure the log source in QRadar.
To configure QRadar to receive events from a Nortel Multiprotocol Router device:
- From the Log Source Type list, select the Nortel Multiprotocol Router option.
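To confirm on the receiving side that the router forwards events as configured above (facility local0, with faults mapped to critical and info mapped to info), the following added example checks captured syslog datagrams by decoding the standard syslog priority value. It is not part of the IBM documentation; the function names, addresses and message bodies are constructed for illustration, and the capture is assumed to be a list of (source IP, UDP payload) pairs.

```python
import re
from collections import Counter

FACILITIES = {16 + i: f"local{i}" for i in range(8)}  # syslog facility codes 16-23
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def decode_pri(payload):
    """Return (facility, severity) names from a syslog datagram, or None."""
    m = PRI_RE.match(payload)
    if not m or int(m.group(1)) > 191:  # PRI = facility * 8 + severity, max 191
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    return FACILITIES.get(facility, str(facility)), SEVERITIES[severity]

def check_forwarding(datagrams, routers, facility="local0"):
    """Compare captured (source_ip, payload) pairs with the expected setup."""
    report = {"seen": Counter(), "severities": Counter(),
              "wrong_facility": [], "malformed": [], "unexpected_source": []}
    for src, payload in datagrams:
        if src not in routers:
            report["unexpected_source"].append(src)
            continue
        decoded = decode_pri(payload)
        if decoded is None:
            report["malformed"].append((src, payload))
        elif decoded[0] != facility:  # log-facility on the router differs
            report["wrong_facility"].append((src, decoded[0]))
        else:
            report["seen"][src] += 1
            report["severities"][decoded[1]] += 1
    # Routers that produced no valid event with the expected facility.
    report["no_valid_events"] = sorted(set(routers) - set(report["seen"]))
    return report

# Constructed sample capture: addresses and message bodies are illustrative only.
SAMPLE = [
    ("192.0.2.10", b"<134>constructed info event"),   # 16*8 + 6 = local0.info
    ("192.0.2.10", b"<130>constructed fault event"),  # 16*8 + 2 = local0.crit
    ("192.0.2.11", b"<142>constructed info event"),   # 17*8 + 6 = local1.info
    ("192.0.2.99", b"<134>constructed event"),        # not a configured router
    ("192.0.2.10", b"no priority header"),            # malformed datagram
]

if __name__ == "__main__":
    print(check_forwarding(SAMPLE, routers={"192.0.2.10", "192.0.2.11"}))
```

A router listed under no_valid_events or wrong_facility points back to the state and log-facility settings in the procedure above.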