Opening required ports in the Linux firewall

Some ports must be open in the Linux® firewall so that IBM® Disconnected Log Collector can receive incoming log sources and communicate with IBM QRadar®. Enable port forwarding so that you can use Disconnected Log Collector without needing root privileges.

About this task

Ports 1 - 1023 are privileged and require a process to be running with root privileges. Because Disconnected Log Collector does not run as root, you must forward any privileged log source listening port to a non-privileged port. Non-privileged ports are 1024 or greater.

For example, syslog log sources use port 514. For Disconnected Log Collector to be able to receive the log messages, you must forward port 514 to a non-privileged port, such as port 1514.

Procedure

  1. Log in to the Disconnected Log Collector computer or VM as the root user.
  2. Open ports by typing the following commands:
    firewall-cmd --zone=public --add-port=514/udp --permanent
    firewall-cmd --zone=public --add-port=514/tcp --permanent
    You might have to open other ports for each new log source that you add to your configuration.
  3. Forward ports by typing the following commands:
    firewall-cmd --zone=public --add-forward-port=port=514:proto=tcp:toport=1514 --permanent
    firewall-cmd --zone=public --add-forward-port=port=514:proto=udp:toport=1514 --permanent
    Important: The default syslog log source target port for forwarding is 1514. If you specify a different target port in the dlc.xml configuration file, you must substitute it in the port forwarding commands. The target port number must be 1024 or greater.
  4. Reload the firewall by typing the following command:
    firewall-cmd --reload
  5. Verify that the ports are added by typing the following command:
    firewall-cmd --list-all
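    As an added check that is not part of the IBM procedure, the following shell functions parse a captured firewall-cmd --list-all listing and confirm that port 514 is open for both protocols, that each forward rule points at the target port configured in dlc.xml, and that the target is non-privileged. The listings are constructed sample output in the shape firewalld prints; port 1514 is the default target from step 3.

```shell
#!/usr/bin/env bash
# Added example (not from the IBM documentation): verify the firewalld rules
# from the procedure against a captured `firewall-cmd --list-all` listing.
# SAMPLE_LIST_ALL is constructed to look like firewalld output; on a real
# host you would capture it with:  listing=$(firewall-cmd --list-all)
SAMPLE_LIST_ALL='public (active)
  target: default
  services: ssh dhcpv6-client
  ports: 514/udp 514/tcp
  forward-ports: port=514:proto=tcp:toport=1514:toaddr=
        port=514:proto=udp:toport=1514:toaddr=
  source-ports:'

# Constructed listing where step 2 was done but step 3 (forwarding) was skipped.
SAMPLE_NO_FORWARD='public (active)
  ports: 514/udp 514/tcp
  forward-ports:'

# port_open LISTING PORT PROTO: succeeds if "PORT/PROTO" appears on the ports: line.
port_open() {
  printf '%s\n' "$1" | grep -E '^[[:space:]]*ports:' | grep -qw "$2/$3"
}

# forward_target LISTING PORT PROTO: prints the toport of the matching
# forward rule, or nothing if there is none.
forward_target() {
  printf '%s\n' "$1" | grep -owE "port=$2:proto=$3:toport=[0-9]+" \
    | sed 's/.*toport=//' | head -n 1
}

# check_dlc_rules LISTING PORT PROTO EXPECTED_TOPORT: succeeds only if the
# port is open, forwarded to EXPECTED_TOPORT (the dlc.xml listening port),
# and that target is non-privileged (1024 or greater).
check_dlc_rules() {
  local listing=$1 port=$2 proto=$3 expected=$4 target
  port_open "$listing" "$port" "$proto" \
    || { echo "FAIL: $port/$proto is not open"; return 1; }
  target=$(forward_target "$listing" "$port" "$proto")
  [ -n "$target" ] \
    || { echo "FAIL: no forward rule for $port/$proto"; return 1; }
  [ "$target" -eq "$expected" ] \
    || { echo "FAIL: $port/$proto forwards to $target, dlc.xml expects $expected"; return 1; }
  [ "$target" -ge 1024 ] \
    || { echo "FAIL: target port $target is privileged"; return 1; }
  echo "OK: $port/$proto -> $target"
}

# Stand-alone demo: both syslog protocols against the default target port 1514.
for proto in tcp udp; do
  check_dlc_rules "$SAMPLE_LIST_ALL" 514 "$proto" 1514
done
```

    If dlc.xml uses a different listening port, pass that value as the fourth argument so the check fails when the forward rules were not updated to match.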