UDP Multiline Syslog log source parameters for PostFix MTA

If QRadar does not automatically detect the log source, add a PostFix MTA log source on the QRadar Console by using the UDP Multiline Syslog protocol.

When you use the UDP Multiline Syslog protocol, certain parameters require specific values.

The following table describes the parameters that require specific values to collect UDP Multiline Syslog events from PostFix MTA:
Table 1. UDP Multiline Syslog log source parameters for the PostFix MTA DSM

Parameter

Description

Log Source Identifier

Type the IP address, host name, or name to identify your PostFix MTA installation.

Listen Port

Type 517 as the port number used by QRadar to accept incoming UDP Multiline Syslog events. The valid port range is 1 - 65535.

To edit a saved configuration to use a new port number:

  1. In the Listen Port field, type the new port number for receiving UDP Multiline Syslog events.
  2. Click Save.
  3. On the Admin tab toolbar, click Deploy Changes to make this change effective.

The port update is complete and event collection starts on the new port number.

Message ID Pattern

Type the following regular expression (regex), which is needed to filter the event payload messages and extract the identifier that groups related lines into one event:

postfix/.*?[ \[]\d+[ \]](?:- - |: )([A-Z0-9]{8,})

Enabled

Select this check box to enable the log source.

Credibility

Select the credibility of the log source. The range is 0 - 10.

The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.

Target Event Collector

Select the Target Event Collector to use as the target for the log source.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.

By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in QRadar. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Store Event Payload

Select this check box to enable the log source to store event payload information.

By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in QRadar. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

For a complete list of UDP Multiline Syslog protocol parameters and their values, see UDP multiline syslog protocol configuration options.
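The Message ID Pattern above is what lets the protocol recognise which syslog lines belong to the same Postfix transaction: the capture group returns the queue ID. The following Python script is an added illustration, not part of this page or of QRadar, showing what the regex extracts from a handful of constructed Postfix log lines (both BSD-style `postfix/smtpd[12345]:` and RFC 5424-style `postfix/smtp 12348 - -` headers) and how lines that share a queue ID can be bundled while lines without one (a `connect from` notice, a `NOQUEUE` rejection) are left as standalone events. The grouping function and the sample lines are assumptions made for the demonstration; only the regex comes from the table.

```python
import re

# Regex copied from the Message ID Pattern parameter in the table above.
# Group 1 captures the Postfix queue ID (8 or more upper-case letters/digits).
MESSAGE_ID_PATTERN = re.compile(r"postfix/.*?[ \[]\d+[ \]](?:- - |: )([A-Z0-9]{8,})")

# Constructed sample lines (not real traffic); queue IDs, hosts and addresses are invented.
SAMPLE_LINES = [
    "<22>Jan 12 10:15:01 mail postfix/smtpd[12345]: connect from relay.example.net[192.0.2.10]",
    "<22>Jan 12 10:15:01 mail postfix/smtpd[12345]: 3F2A1B7C9D: client=relay.example.net[192.0.2.10]",
    "<22>Jan 12 10:15:01 mail postfix/cleanup[12346]: 3F2A1B7C9D: message-id=<abc@example.net>",
    "<22>Jan 12 10:15:02 mail postfix/qmgr[12347]: 3F2A1B7C9D: from=<alice@example.net>, size=1234, nrcpt=1 (queue active)",
    "<22>1 2024-01-12T10:15:02Z mail postfix/smtp 12348 - - 5A0B2C3D4E: to=<bob@example.org>, relay=mx.example.org[198.51.100.7]:25, status=sent (250 OK)",
    "<22>Jan 12 10:15:03 mail postfix/smtpd[12345]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Relay access denied",
]


def extract_message_id(line):
    """Return the Postfix queue ID captured by the Message ID Pattern, or None if the line has none."""
    match = MESSAGE_ID_PATTERN.search(line)
    return match.group(1) if match else None


def group_by_message_id(lines):
    """Bundle lines that share a queue ID into one multi-line event (hypothetical grouping logic).

    Returns a list of (queue_id, [lines]) in first-seen order. Lines that do not match the
    pattern are emitted as standalone events with queue_id None, so nothing is silently dropped.
    """
    events = []
    position = {}  # queue ID -> index into events
    for line in lines:
        queue_id = extract_message_id(line)
        if queue_id is None:
            events.append((None, [line]))
            continue
        if queue_id not in position:
            position[queue_id] = len(events)
            events.append((queue_id, []))
        events[position[queue_id]][1].append(line)
    return events


if __name__ == "__main__":
    for queue_id, bundled in group_by_message_id(SAMPLE_LINES):
        label = queue_id or "(no queue ID, standalone)"
        print(f"{label}: {len(bundled)} line(s)")
        for entry in bundled:
            print("    " + entry)
```

Running the script shows the three `3F2A1B7C9D` lines (smtpd, cleanup, qmgr) collapsing into one event, the RFC 5424-style `5A0B2C3D4E` line matching through the `- - ` alternative of the pattern, and the `connect from` and `NOQUEUE` lines staying separate because neither carries an 8-character-or-longer queue ID. When you tune the Listen Port or the pattern on a real deployment, checking a sample of your own Postfix output against the regex in this way tells you whether the bundling will behave as expected before you click Deploy Changes.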