To collect UDP Multiline Syslog events in IBM QRadar when you cannot send the events directly to the standard UDP Multiline port (517) or to another available port that QRadar is not already using, you must redirect events from port 514 to the default port 517, or to your chosen alternate port, by using IPtables as outlined below. You must configure IPtables on your QRadar Console, or on each QRadar Event Collector that receives UDP Multiline Syslog events from an Open LDAP server, and then complete the configuration for each Open LDAP server IP address that you want to receive logs from.
Before you begin
Important: Complete this configuration method only if you can't send UDP Multiline Syslog events directly to the chosen UDP Multiline port on QRadar from your Open LDAP server, and you are restricted to sending only to the standard syslog port 514.
Procedure
-
Using SSH, log in to QRadar as the root user.
Login: <root>
Password: <password>
-
Type the following command to edit the IPtables file:
vi /opt/qradar/conf/iptables-nat.post
The IPtables NAT configuration file is displayed.
-
Type the following command to instruct QRadar to redirect syslog events from UDP port 514 to UDP port 517 (or your chosen alternate port):
-A PREROUTING -p udp --dport 514 -j REDIRECT --to-port <new_port> -s <IP_address>
Where:
<IP_address> is the IP address of your Open LDAP server.
<new_port> is the port number that is configured in the UDP Multiline protocol for Open LDAP.
You must include a redirect for each Open LDAP IP address that sends events to your QRadar Console or Event Collector. Example:
-A PREROUTING -p udp --dport 514 -j REDIRECT --to-port 517 -s <IP_address>
-
Save your IPtables NAT configuration.
You are now ready to configure IPtables on your QRadar Console or Event Collector to accept events from your Open LDAP servers.
-
Type the following command to edit the IPtables file:
vi /opt/qradar/conf/iptables.post
The IPtables configuration file is displayed.
-
Type the following command to instruct QRadar to allow communication from your Open LDAP servers:
-I QChain 1 -m udp -p udp --src <IP_address> --dport <new_port> -j ACCEPT
Where:
<IP_address> is the IP address of your Open LDAP server.
<new_port> is the port number that is configured in the UDP Multiline protocol for Open LDAP.
You must include an ACCEPT rule for each Open LDAP IP address that sends events to your QRadar Console or Event Collector. Example:
-I QChain 1 -m udp -p udp --src <IP_address> --dport 517 -j ACCEPT
-
Type the following command to apply the updated IPtables configuration in QRadar:
/opt/qradar/bin/iptables_update.pl
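Because every Open LDAP source address needs both a REDIRECT line (iptables-nat.post) and a matching ACCEPT line (iptables.post), the two files drift apart easily when they are hand-edited. The following script is an added example, not IBM tooling from this page: it generates both sets of lines from one list of source addresses and refuses malformed addresses so a typo does not end up as a broken rule. The server list is constructed sample data; the port and file paths are the ones used in the procedure above.

```shell
#!/bin/sh
# Added example: emit the QRadar iptables rule lines for each Open LDAP
# server address. Port and file paths follow the procedure; the address
# list is constructed sample data.

# NAT rule for /opt/qradar/conf/iptables-nat.post: $1 = source IP, $2 = port
nat_rule() {
    printf -- '-A PREROUTING -p udp --dport 514 -j REDIRECT --to-port %s -s %s\n' "$2" "$1"
}

# Filter rule for /opt/qradar/conf/iptables.post: $1 = source IP, $2 = port
accept_rule() {
    printf -- '-I QChain 1 -m udp -p udp --src %s --dport %s -j ACCEPT\n' "$1" "$2"
}

# Accept only a dotted-quad IPv4 address with octets in 0-255, so a typo
# in the list is reported instead of written into the rule files.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(echo "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Emit one rule per address: $1 = space-separated IPs, $2 = port,
# $3 = "nat" for the REDIRECT lines or "accept" for the ACCEPT lines.
gen_rules() {
    for ip in $1; do
        valid_ipv4 "$ip" || { echo "skipping invalid address: $ip" >&2; continue; }
        if [ "$3" = nat ]; then nat_rule "$ip" "$2"; else accept_rule "$ip" "$2"; fi
    done
}

# Constructed sample data: two Open LDAP servers and one mistyped address.
LDAP_SERVERS="192.0.2.10 192.0.2.11 192.0.2.999"
PORT=517

gen_rules "$LDAP_SERVERS" "$PORT" nat      # append to /opt/qradar/conf/iptables-nat.post
gen_rules "$LDAP_SERVERS" "$PORT" accept   # append to /opt/qradar/conf/iptables.post
```

After appending the generated lines to the two files, run /opt/qradar/bin/iptables_update.pl as in the final step above.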
Example
If you need to configure another QRadar Console or Event Collector that receives syslog events from an Open LDAP server, repeat these steps.
What to do next
Configure your Open LDAP server to forward events to QRadar.