UDP multiline syslog connector configuration options
To create a single-line syslog event from a multiline event, configure a data source to use the UDP multiline connector. The UDP multiline syslog connector uses a regular expression to identify and reassemble the multiline syslog messages into single event payload.
2467222, in the
connfield. This field value is captured so that all syslog messages that contain
conn=2467222are combined into a single event.
15:08:56 <IP_address> slapd: conn=2467222 op=2 SEARCH RESULT tag=101 15:08:56 <IP_address> slapd: conn=2467222 op=2 SRCH base="dc=xxx" 15:08:56 <IP_address> slapd: conn=2467222 op=2 SRCH attr=gidNumber 15:08:56 <IP_address> slapd: conn=2467222 op=1 SRCH base="dc=xxx"
|Connector type||UDP Multiline Syslog|
|Log Source Identifier||
Type a unique name for the log source.
The Log Source Identifier can be any valid value and does not need to reference a specific server. It can also be the same value as the Log Source Name. If you have more than one configured UDP multiline syslog log source, ensure that you give each one a unique name.
The default port number that is used by the QRadar® product to accept incoming UDP Multiline Syslog events is 517. You can use a different port in the range 1 - 65535.
To edit a saved configuration to use a new port number, complete the following steps:
The port update is complete and event collection starts on the new port number.
|Message ID Pattern||The regular expression (regex) required to filter the event payload messages. The UDP multiline event messages must contain a common identifying value that repeats on each line of the event message.|
The event formatter that formats incoming payloads that are detected by the listener. Select No Formatting to leave the payload untouched. Select Cisco ACS Multiline to format the payload into a single-line event.
In ACS syslog header, there are
|Show Advanced Options||
The default is No. Select Yes if you want to configure advanced options.
|Use Custom Source Name||
Select the checkbox if you want to customize the source name with regex.
|Source Name Regex||
Use the Source Name Regex and Source Name Formatting String parameters to customize how the QRadar product determines the source of the events that this UDP Multiline Syslog configuration processes.
For Source Name Regex, enter a regex to capture one or more identifying values from event payloads that are handled by this connector. These values are used with the Source Name Formatting String to set a source or origin value for each event. This source value is used to route the event to a data source with a matching Data source identifier value when the Use As A Gateway Log Source option is enabled.
|Source Name Formatting String||
You can use a combination of one or more of the following inputs to form a source value for event payloads that are processed by this connector:
|Use As A Gateway Log Source||
If this checkbox is clear, incoming events are sent to the data source with the Data source identifier matching the IP that they originated from.
When checked, this log source serves as a single entry point or gateway for multiline events from many sources to enter the QRadar product and be processed in the same way, without the need to configure a UDP Multiline Syslog data source for each source. Events with an RFC3164- or RFC5424-compliant syslog header are identified as originating from the IP or host name in their header, unless the Source Name Formatting String parameter is in use, in which case that format string is evaluated for each event. Any such events are routed through the QRadar product based on this captured value.
If one or more data sources exist with a corresponding Data source identifier, they are given the event based on configured Parsing Order. If they do not accept the event, or if no data sources exist with a matching Data source identifier, the events are analyzed for autodetection.
|Flatten Multiline Events Into Single Line||
Shows an event in one single line or multiple lines. If this checkbox is selected, all newline and carriage return characters are removed from the event.
|Retain Entire Lines During Event Aggregation||
Choose this option to either discard or keep the part of the events that comes before Message ID Pattern when the connector concatenates events with same ID pattern together.
|Time Limit||The number of seconds to wait for other matching payloads before the event is pushed into the event pipeline. The default is 10 seconds.|
Select this checkbox to enable the data source.
Select the credibility of the data source. The range is 0 - 10.
The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.
|Target Event Collector||
Select the Event Collector in your deployment that hosts the UDP Multiline Syslog listener.
Select this checkbox to enable the data source to coalesce (bundle) events.
By default, automatically discovered data sources inherit the value of the Coalescing Events list from the System Settings in the QRadar product. When you create a data source or edit an existing configuration, you can override the default value by configuring this option for each data source.
|Store Event Payload||
Select this checkbox to enable the data source to store event payload information.
By default, automatically discovered data sources inherit the value of the Store Event Payload list from the System Settings in the QRadar product. When you create a data source or edit an existing configuration, you can override the default value by configuring this option for each data source.