Configuring IBM Security Directory Server to communicate with QRadar

IBM® QRadar® can collect LEEF formatted audit events from your IBM Security Directory Server.

About this task

To configure IBM Security Directory Server to send logs to IBM QRadar, you must use the IBM Security Directory Server command line to add an auxiliary object class and then set values for the QRadar log management attributes.

Procedure

  1. Create a file (file_name) on the IBM Security Directory Server with the following content:
    dn: cn=Audit, cn=Log Management, cn=Configuration
    changetype: modify
    add: objectclass
    objectclass: ibm-slapdQRadarConfig
  2. To add the auxiliary object class ibm-slapdQRadarConfig for QRadar configuration attributes to cn=Audit,cn=Log Management,cn=Configuration, run the following command:
    # idsldapmodify -h host_name -p portnumber -D cn=RDN_value -w password -f file_name
  3. Create a new file (new_file) with the following content:
    dn: cn= specific_log_name, cn=Log Management, cn=configuration
    changetype: modify
    add:ibm-slapdLogEventQRadarEnabled
    ibm-slapdLogEventQRadarEnabled: true
    -
    add:ibm-slapdLogEventQRadarHostName
    ibm-slapdLogEventQRadarHostName: host_name_of_qradar_instance
    -
    add: ibm-slapdLogEventQRadarPort
    ibm-slapdLogEventQRadarPort: port_of_qradar_instance
    -
    add: ibm-slapdLogEventQRadarMapFilesLocation
    ibm-slapdLogEventQRadarMapFilesLocation: directory_location_of_qradar_mapfiles
  4. Replace the following values in the new_file content:
    1. Replace host_name_of_qradar_instance with the destination QRadar Event Collector hostname or IP address.
    2. Replace port_of_qradar_instance with 514.
    3. If IBM Security Directory Server V6.3.1 is installed, replace directory_location_of_qradar_mapfiles with /opt/ibm/ldap/V6.3.1/idstools/idslogmgmt/.
    4. If IBM Security Directory Server V6.4 is installed, replace directory_location_of_qradar_mapfiles with /opt/ibm/ldap/V6.4/idstools/idslogmgmt/.
    For example:
    dn: cn= specific_log_name, cn=Log Management, cn=configuration
    changetype: modify
    add:ibm-slapdLogEventQRadarEnabled
    ibm-slapdLogEventQRadarEnabled: true
    -
    add:ibm-slapdLogEventQRadarHostName
    ibm-slapdLogEventQRadarHostName: qradar-collector.example.com
    -
    add: ibm-slapdLogEventQRadarPort
    ibm-slapdLogEventQRadarPort: 514
    -
    add: ibm-slapdLogEventQRadarMapFilesLocation
    ibm-slapdLogEventQRadarMapFilesLocation: /opt/ibm/ldap/V6.3.1/idstools/idslogmgmt/
  5. To set the attribute values for QRadar integration, run the following command:
    # idsldapmodify -h host_name -p portnumber -D cn=RDN_value -w password -f new_file
  6. To start an instance, run the following command:
    # ibmslapd -I <instance_name> -n
  7. Optional: To start log management locally, run the following command:
    # idslogmgmt -I <instance_name>
    To start, get the status of, and stop log management remotely, run the following commands:
    # ibmdirctl -D <adminDN> -w <password> -h <host_name> -p <administration server port number> startlogmgmt
    # ibmdirctl -D <adminDN> -w <password> -h <host_name> -p <administration server port number> statuslogmgmt
    # ibmdirctl -D <adminDN> -w <password> -h <host_name> -p <administration server port number> stoplogmgmt
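As an added example (not part of the IBM documentation), the following shell function generates the new_file LDIF of steps 3 and 4 from a server version, log name and collector host, selecting the map-file location from the version and rejecting unsupported versions or a non-numeric port. The function names and the sample host are assumptions; applying the output with idsldapmodify is still step 5.

```shell
# Map a supported IBM Security Directory Server version to its
# idslogmgmt directory (values taken from step 4 of the procedure).
qradar_mapfiles_dir() {
    case "$1" in
        6.3.1) echo "/opt/ibm/ldap/V6.3.1/idstools/idslogmgmt/" ;;
        6.4)   echo "/opt/ibm/ldap/V6.4/idstools/idslogmgmt/" ;;
        *)     echo "unsupported IBM Security Directory Server version: $1" >&2; return 1 ;;
    esac
}

# Usage: make_qradar_ldif <version> <log_name> <qradar_host> [port]
# Prints the LDIF for step 3 with the placeholders already replaced.
make_qradar_ldif() {
    version="$1"; log_name="$2"; qradar_host="$3"; port="${4:-514}"
    # Reject an empty or non-numeric port before emitting anything.
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
    esac
    mapdir="$(qradar_mapfiles_dir "$version")" || return 1
    cat <<EOF
dn: cn=$log_name, cn=Log Management, cn=Configuration
changetype: modify
add: ibm-slapdLogEventQRadarEnabled
ibm-slapdLogEventQRadarEnabled: true
-
add: ibm-slapdLogEventQRadarHostName
ibm-slapdLogEventQRadarHostName: $qradar_host
-
add: ibm-slapdLogEventQRadarPort
ibm-slapdLogEventQRadarPort: $port
-
add: ibm-slapdLogEventQRadarMapFilesLocation
ibm-slapdLogEventQRadarMapFilesLocation: $mapdir
EOF
}

# Example (constructed values): write the LDIF for the Audit log on a V6.4 server.
# make_qradar_ldif 6.4 Audit qradar-collector.example.com > new_file
```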