Some ports must be open in the Linux® firewall so that IBM Disconnected Log Collector can receive incoming log sources and communicate with IBM QRadar. Enable port forwarding so that you can use Disconnected Log Collector without needing root privileges.
About this task
Ports 1 - 1023 are privileged and require a process to be running with root privileges. Because Disconnected Log Collector does not run as root, you must forward any privileged log source listening port to a non-privileged port. Non-privileged ports are 1024 or greater.
For example, syslog log sources use port 514. For Disconnected Log Collector to be able to receive the log messages, you must forward port 514 to a non-privileged port, such as port 1514.
Procedure
- Log in to the Disconnected Log Collector computer or VM as the root user.
- Open ports by typing the following commands:
firewall-cmd --zone=public --add-port=514/udp --permanent
firewall-cmd --zone=public --add-port=514/tcp --permanent
You might have to open other ports for each new log source that you add to your configuration.
- Forward ports by typing the following commands:
firewall-cmd --zone=public --add-forward-port=port=514:proto=tcp:toport=1514 --permanent
firewall-cmd --zone=public --add-forward-port=port=514:proto=udp:toport=1514 --permanent
Important: The default syslog log source target port for forwarding is 1514. If you specify a different target port in the dlc.xml configuration file, you must substitute it in the port forwarding commands. The target port number must be 1024 or greater.
- Reload the firewall by typing the following command:
- Verify that the ports are added by typing the following command:
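The following script is an added example and is not part of the IBM documentation: it generates the firewalld commands for one privileged log source port, rejects a target port that is not 1024 or greater (the dlc.xml constraint above), and checks captured output of firewall-cmd --list-forward-ports for the expected rule. The commands are printed, not executed, so it runs without firewalld; the sample output is constructed.

```shell
#!/bin/sh
# Added example (not IBM's code): build and sanity-check firewalld forwarding for DLC.
# Nothing here calls firewall-cmd; the generated lines are meant to be run as root.

# Ports 1-1023 need root; DLC does not run as root, so the target must be >= 1024.
is_unprivileged_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Print the open + forward commands for one privileged source port, then a reload.
# Usage: dlc_forward_cmds <privileged-port> <target-port>   (zone 'public', as on the page)
dlc_forward_cmds() {
    src=$1; to=$2
    if ! is_unprivileged_port "$to"; then
        echo "error: target port '$to' must be 1024-65535 (match the dlc.xml target port)" >&2
        return 1
    fi
    for proto in tcp udp; do
        echo "firewall-cmd --zone=public --add-port=${src}/${proto} --permanent"
        echo "firewall-cmd --zone=public --add-forward-port=port=${src}:proto=${proto}:toport=${to} --permanent"
    done
    echo "firewall-cmd --reload"
}

# Check captured output of 'firewall-cmd --zone=public --list-forward-ports'
# (one rule per line, e.g. port=514:proto=tcp:toport=1514:toaddr=) for a rule.
# Usage: forward_rule_present "<captured output>" <src-port> <proto> <target-port>
forward_rule_present() {
    printf '%s\n' "$1" | grep -q "^port=$2:proto=$3:toport=$4:"
}

# Constructed sample of what the verification command returns after the reload.
SAMPLE_FORWARDS='port=514:proto=tcp:toport=1514:toaddr=
port=514:proto=udp:toport=1514:toaddr='

# Stand-alone usage: print the commands for syslog (514 -> 1514) and confirm the sample.
dlc_forward_cmds 514 1514
if forward_rule_present "$SAMPLE_FORWARDS" 514 udp 1514; then
    echo "udp 514 -> 1514 forward present"
fi
```

If you changed the syslog target port in dlc.xml, pass that port instead of 1514 so the generated --add-forward-port rules match what Disconnected Log Collector actually listens on.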
Note: Ubuntu uses the ufw tool to manage the firewall. The installation script completes the following steps to set up the firewall:
- The script enables the ufw tool and adds the following rules:
ufw allow 514/udp
ufw allow 514/tcp
ufw allow 22/tcp
ufw allow 1514/tcp
ufw allow 1514/udp
- The script adds the following lines to the /etc/ufw/before.rules file so that events sent to port 514 are forwarded to port 1514.
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 514 -j REDIRECT --to-port 1514
-A PREROUTING -p udp --dport 514 -j REDIRECT --to-port 1514
-A OUTPUT -o lo -p udp --dport 514 -j REDIRECT --to-port 1514
-A OUTPUT -o lo -p tcp --dport 514 -j REDIRECT --to-port 1514