Log File log source parameters for Sun ONE LDAP
If QRadar does not automatically detect the log source, add a Sun ONE LDAP log source on the QRadar Console by using the Log File protocol.
When using the Log File protocol, there are specific parameters that you must use.
Parameter | Value |
---|---|
Log Source name | Type a name for your log source. |
Log Source description | Type a description for the log source. |
Log Source type | Sun ONE LDAP |
Protocol Configuration | Log File |
Log Source Identifier | Type an IP address, host name, or name to identify the event source. IP addresses or host names enable QRadar to identify a log file to a unique event source. For example, if your network contains multiple devices, such as a management console or a file repository, specify the IP address or host name of the device that created the event. This enables events to be identified at the device level in your network, instead of identifying the event for the management console or file repository. |
Service Type | Type the TCP port on the remote host that is running the selected Service Type. The valid range is 1 - 65535. The options include: Important: If the host for your event files is using a non-standard port number for FTP, SFTP, or SCP, you must adjust the port value. |
Remote User | Type the user name necessary to log in to the host that contains your event files. The user name can be up to 255 characters in length. |
Confirm Password | Confirm the password necessary to log in to the host. |
SSH Key File | If you select SCP or SFTP as the Service Type, this parameter enables you to define an SSH private key file. When you provide an SSH Key File, the Remote Password field is ignored. |
Remote Directory | Type the directory location on the remote host from which the files are retrieved, relative to the user account you are using to log in. Important: For FTP only. If your log files are in the remote user's home directory, you can leave the remote directory blank. This is to support operating systems where a change in the working directory (CWD) command is restricted. |
Recursive | Enable this check box to allow FTP or SFTP connections to recursively search sub folders of the remote directory for event data. Data that is collected from sub folders depends on matches to the regular expression in the FTP File Pattern. The Recursive option is not available for SCP connections. |
FTP File Pattern | If you select SFTP or FTP as the Service Type, this option enables you to configure the regular expression (regex) that is required to filter the list of files that are specified in the Remote Directory. All matching files are included in the processing. For example, if you want to list all files that start with the word log, followed by one or more digits and ending with tar.gz, use the following entry: log[0-9]+\.tar\.gz. Use of this parameter requires knowledge of regular expressions (regex). For more information about regular expressions, see the Oracle website (http://docs.oracle.com/javase/tutorial/essential/regex/). |
FTP Transfer Mode | This option only appears if you select FTP as the Service Type. The FTP Transfer Mode parameter enables you to define the file transfer mode when you retrieve log files over FTP. From the list box, select the transfer mode that you want to apply to this log source. Important: You must select NONE for the Processor parameter and LINEBYLINE for the Event Generator parameter when you use ASCII as the FTP Transfer Mode. |
SCP Remote File | If you select SCP as the Service Type, you must type the file name of the remote file. |
Start Time | Type the time of day you want the processing to begin. This parameter functions with the Recurrence value to establish when and how often the Remote Directory is scanned for files. Type the start time, based on a 24-hour clock, in the following format: HH:MM. |
Recurrence | Type the frequency, beginning at the Start Time, that you want the remote directory to be scanned. Type this value in hours (H), minutes (M), or days (D). For example, 2H if you want the directory to be scanned every 2 hours. The default is 1H. |
Run On Save | Select this check box if you want the log file protocol to run immediately after you click Save. After the Run On Save completes, the log file protocol follows your configured start time and recurrence schedule. Selecting Run On Save clears the list of previously processed files for the Ignore Previously Processed File parameter. |
EPS Throttle | The maximum number of events per second that QRadar ingests. If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle. The valid range is 100 to 5000. |
Processor | If the files on the remote host are stored in a zip, gzip, tar, or tar+gzip archive format, select the processor that allows the archives to be expanded and contents to be processed. |
Ignore Previously Processed File(s) | This only applies to FTP and SFTP Service Types. Select this check box to track files that were processed and that you do not want to be processed a second time. |
Change Local Directory? | Select this check box to define the local directory on your QRadar that you want to use for storing downloaded files during processing. Most configurations can leave this check box clear. When you select the check box, the Local Directory field is displayed, which enables you to configure a local directory to use for temporarily storing files. |
Event Generator | Select ID-Linked Multiline to process the retrieved event log as multiline events. The ID-Linked Multiline format processes multiline event logs that contain a common value at the start of each line in a multiline event message. This option displays the Message ID Pattern field, which uses regex to identify and reassemble the multiline event into a single event payload. |
Folder Separator | Most configurations can use the default value in the Folder Separator field. This field is only used by operating systems that use an alternate character to define separate folders, for example, periods that separate folders on mainframe systems. Type the character that is used to separate folders for your operating system. The default value is /. |
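The FTP File Pattern and Recursive rows above describe how a regex selects which files in the Remote Directory are collected. The following is an added Python example (not QRadar code and not from this page) that shows which names the documented pattern log[0-9]+\.tar\.gz selects from a constructed directory listing, why the escaped dots matter, and how a Recursive setting and the Folder Separator interact with matching. It assumes the pattern must match the whole file name (last path component only); the page does not state QRadar's exact matching semantics.

```python
import re

# Constructed directory listing, loosely modelled on rotated log archives.
SAMPLE_LISTING = [
    "log1.tar.gz",
    "log20240101.tar.gz",
    "log.tar.gz",        # no digits after "log": should not match
    "log5.tar.gz.bak",   # extra suffix: should not match
    "log7Xtar_gz",       # only matches when the dots are left unescaped
    "errors.tar.gz",
    "access",
]

# Constructed listing of a remote directory tree, "/" as Folder Separator.
SAMPLE_TREE = [
    "log1.tar.gz",
    "2024/log2.tar.gz",
    "2024/01/log3.tar.gz",
    "2024/notes.txt",
]

DOCUMENTED_PATTERN = r"log[0-9]+\.tar\.gz"   # the pattern quoted on the page
UNESCAPED_PATTERN = r"log[0-9]+.tar.gz"      # a common mistake: "." matches anything


def filter_files(listing, pattern):
    """Return the names in `listing` that the FTP File Pattern selects.

    Assumption (not stated on the page): the regex must match the whole
    file name, so re.fullmatch is used rather than re.search.
    """
    regex = re.compile(pattern)
    return [name for name in listing if regex.fullmatch(name)]


def compare_patterns(listing):
    """Show the effect of escaping the dots: returns (escaped, unescaped)."""
    return (filter_files(listing, DOCUMENTED_PATTERN),
            filter_files(listing, UNESCAPED_PATTERN))


def select_remote_files(paths, pattern, recursive=False, separator="/"):
    """Apply the pattern to the last path component only.

    Files inside sub folders are considered only when `recursive` is True,
    mirroring the Recursive check box; `separator` plays the role of the
    Folder Separator field. This is the example's own model of the behaviour.
    """
    regex = re.compile(pattern)
    selected = []
    for path in paths:
        parts = path.split(separator)
        if len(parts) > 1 and not recursive:
            continue  # file lives in a sub folder and Recursive is off
        if regex.fullmatch(parts[-1]):
            selected.append(path)
    return selected


if __name__ == "__main__":
    escaped, unescaped = compare_patterns(SAMPLE_LISTING)
    print("escaped pattern selects:  ", escaped)
    print("unescaped pattern selects:", unescaped)
    print("non-recursive:", select_remote_files(SAMPLE_TREE, DOCUMENTED_PATTERN))
    print("recursive:    ", select_remote_files(SAMPLE_TREE, DOCUMENTED_PATTERN, recursive=True))
```

The unescaped pattern additionally picks up log7Xtar_gz, which is exactly the kind of unintended file a loose regex pulls into processing; always escape literal dots as the page's example does.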
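The Start Time and Recurrence rows describe a schedule: a 24-hour HH:MM start and an interval written as a number followed by H, M, or D (default 1H). As an added example, not from the page or from QRadar, the Python below validates both fields the way a configuration check would and computes the next scan times from a given clock value. It assumes the schedule repeats at fixed intervals from the Start Time on the current day; QRadar's actual scheduler is not described on the page.

```python
import math
import re
from datetime import datetime, time, timedelta

_START_TIME_RE = re.compile(r"([01]\d|2[0-3]):([0-5]\d)")
_RECURRENCE_RE = re.compile(r"(\d+)([HMD])")
_UNITS = {"H": "hours", "M": "minutes", "D": "days"}


def parse_start_time(value):
    """Parse the Start Time field (HH:MM, 24-hour clock) into a time."""
    m = _START_TIME_RE.fullmatch(value.strip())
    if m is None:
        raise ValueError(f"Start Time must be HH:MM on a 24-hour clock, got {value!r}")
    return time(int(m.group(1)), int(m.group(2)))


def parse_recurrence(value="1H"):
    """Parse the Recurrence field (e.g. 2H, 30M, 1D) into a timedelta.

    The default of 1H matches the page; a zero interval is rejected.
    """
    m = _RECURRENCE_RE.fullmatch(value.strip().upper())
    if m is None or int(m.group(1)) == 0:
        raise ValueError(f"Recurrence must be <n>H, <n>M or <n>D, got {value!r}")
    return timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})


def next_scans(start_time, recurrence, now, count=3):
    """Return the next `count` scan times at or after `now`.

    Assumption: scans occur at Start Time on the day of `now` and every
    `recurrence` after (and before) that anchor.
    """
    interval = parse_recurrence(recurrence)
    anchor = datetime.combine(now.date(), parse_start_time(start_time))
    # Number of whole intervals needed to move the anchor to or past `now`
    # (negative when `now` is before the anchor, so we step backwards).
    steps = math.ceil((now - anchor) / interval)
    first = anchor + interval * steps
    return [first + interval * i for i in range(count)]


if __name__ == "__main__":
    clock = datetime(2024, 1, 1, 10, 0)   # constructed "current time"
    for t in next_scans("01:30", "2H", clock):
        print(t.isoformat(sep=" "))
```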
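The Event Generator row says that ID-Linked Multiline uses a Message ID Pattern regex to find a common value at the start of each line and reassemble those lines into a single event payload. The Python below is an added example, not QRadar's engine and not code from this page, that performs that reassembly over a constructed excerpt in the style of a directory-server access log, where conn=<n> at the start of each line is the shared ID. Grouping lines by ID across the whole batch (rather than only adjacent lines) is this example's choice; the page does not specify QRadar's exact semantics. A small follow-on function shows why reassembly matters for detection: once a BIND and its RESULT sit in one payload, a failed bind can be tied to the DN that attempted it.

```python
import re

# Constructed access-log excerpt; two interleaved connections, 101 and 102.
SAMPLE_LOG = """\
conn=101 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
conn=102 op=0 msgId=1 - BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128 version=3
conn=101 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
conn=102 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0
conn=101 op=1 msgId=2 - UNBIND
"""

# Hypothetical Message ID Pattern for this layout: capture group 1 is the ID.
MESSAGE_ID_PATTERN = r"^conn=(\d+)"


def reassemble(log_text, message_id_pattern):
    """Group lines sharing the ID captured by the pattern into one payload.

    Returns a list of (message_id, payload) tuples in order of first
    appearance. Lines that do not match the pattern become standalone
    events with message_id None.
    """
    regex = re.compile(message_id_pattern)
    index = {}    # message id -> position in `events`
    events = []   # list of (message_id or None, [lines])
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = regex.match(line)   # anchored at line start, as the page describes
        if m is None:
            events.append((None, [line]))
            continue
        key = m.group(1)
        if key not in index:
            index[key] = len(events)
            events.append((key, []))
        events[index[key]][1].append(line)
    return [(key, "\n".join(lines)) for key, lines in events]


def failed_bind_dns(events):
    """Return the bind DNs whose RESULT carried err=49 (LDAP invalidCredentials).

    This correlation only works because BIND and RESULT lines of the same
    connection now live in one payload.
    """
    found = []
    for _key, payload in events:
        dn = re.search(r'BIND dn="([^"]*)"', payload)
        if dn and re.search(r"\bRESULT err=49\b", payload):
            found.append(dn.group(1))
    return found


if __name__ == "__main__":
    for key, payload in reassemble(SAMPLE_LOG, MESSAGE_ID_PATTERN):
        print(f"--- event for conn={key} ---")
        print(payload)
    print("failed binds:", failed_bind_dns(reassemble(SAMPLE_LOG, MESSAGE_ID_PATTERN)))
```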