UDP multiline syslog connector configuration options

To create a single-line syslog event from a multiline event, configure a data source to use the UDP multiline connector. The UDP multiline syslog connector uses a regular expression to identify and reassemble the multiline syslog messages into single event payload.

The UDP multiline syslog connector is a passive inbound connector. The original multiline event must contain a value that repeats on each line in order for a regular expression to capture that value and identify and reassemble the individual syslog messages that make up the multiline event. For example, this multiline event contains a repeated value, 2467222, in the conn field. This field value is captured so that all syslog messages that contain conn=2467222 are combined into a single event.
15:08:56 <IP_address> slapd[517]: conn=2467222 op=2 SEARCH RESULT tag=101
15:08:56 <IP_address> slapd[517]: conn=2467222 op=2 SRCH base="dc=xxx"
15:08:56 <IP_address> slapd[517]: conn=2467222 op=2 SRCH attr=gidNumber
15:08:56 <IP_address> slapd[517]: conn=2467222 op=1 SRCH base="dc=xxx"
The following table describes the connector-specific parameters for the UDP multiline syslog connector:
Table 1. UDP multiline syslog connector parameters
Parameter Description
Connector type UDP Multiline Syslog
Log Source Identifier

Type a unique name for the log source.

The Log Source Identifier can be any valid value and does not need to reference a specific server. It can also be the same value as the Log Source Name. If you have more than one configured UDP multiline syslog log source, ensure that you give each one a unique name.
Listen Port

The default port number that is used by the QRadar® product to accept incoming UDP Multiline Syslog events is 517. You can use a different port in the range 1 - 65535.

To edit a saved configuration to use a new port number, complete the following steps:

  1. In the Listen Port field, type the new port number for receiving UDP Multiline Syslog events.
  2. Click Save.
  3. Click Deploy Changes to make this change effective.

The port update is complete and event collection starts on the new port number.
Message ID Pattern The regular expression (regex) required to filter the event payload messages. The UDP multiline event messages must contain a common identifying value that repeats on each line of the event message.
Event Formatter

The event formatter that formats incoming payloads that are detected by the listener. Select No Formatting to leave the payload untouched. Select Cisco ACS Multiline to format the payload into a single-line event.

In ACS syslog header, there are total_seg and seg_num fields. These two fields are used to rearrange ACS multiline events into a single-line event with correct order when you select the Cisco ACS Multiline option.
Show Advanced Options

The default is No. Select Yes if you want to configure advanced options.
Use Custom Source Name

Select the checkbox if you want to customize the source name with regex.
Source Name Regex

Use the Source Name Regex and Source Name Formatting String parameters to customize how the QRadar product determines the source of the events that this UDP Multiline Syslog configuration processes.

For Source Name Regex, enter a regex to capture one or more identifying values from event payloads that are handled by this connector. These values are used with the Source Name Formatting String to set a source or origin value for each event. This source value is used to route the event to a data source with a matching Data source identifier value when the Use As A Gateway Log Source option is enabled.
Source Name Formatting String
You can use a combination of one or more of the following inputs to form a source value for event payloads that are processed by this connector:
  • One or more capture groups from the Source Name Regex. To refer to a capture group, use \x notation where x is the index of a capture group from the Source Name Regex.
  • The IP address from which the event data originated. To refer to the packet IP, use the token $PIP$.
  • Literal text characters. The entire Source Name Formatting String can be user-provided text.

For example, CiscoACS\1\2$PIP$, where \1\2 means first and second capture groups from the Source Name Regex value, and $PIP$ is the packet IP.
Use As A Gateway Log Source

If this checkbox is clear, incoming events are sent to the data source with the Data source identifier matching the IP that they originated from.

When checked, this log source serves as a single entry point or gateway for multiline events from many sources to enter the QRadar product and be processed in the same way, without the need to configure a UDP Multiline Syslog data source for each source. Events with an RFC3164- or RFC5424-compliant syslog header are identified as originating from the IP or host name in their header, unless the Source Name Formatting String parameter is in use, in which case that format string is evaluated for each event. Any such events are routed through the QRadar product based on this captured value.

If one or more data sources exist with a corresponding Data source identifier, they are given the event based on configured Parsing Order. If they do not accept the event, or if no data sources exist with a matching Data source identifier, the events are analyzed for autodetection.
Flatten Multiline Events Into Single Line

Shows an event in one single line or multiple lines. If this checkbox is selected, all newline and carriage return characters are removed from the event.
Retain Entire Lines During Event Aggregation

Choose this option to either discard or keep the part of the events that comes before Message ID Pattern when the connector concatenates events with same ID pattern together.
Time Limit The number of seconds to wait for other matching payloads before the event is pushed into the event pipeline. The default is 10 seconds.
Enabled

Select this checkbox to enable the data source.
Credibility

Select the credibility of the data source. The range is 0 - 10.

The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.
Target Event Collector

Select the Event Collector in your deployment that hosts the UDP Multiline Syslog listener.
Coalescing Events

Select this checkbox to enable the data source to coalesce (bundle) events.

By default, automatically discovered data sources inherit the value of the Coalescing Events list from the System Settings in the QRadar product. When you create a data source or edit an existing configuration, you can override the default value by configuring this option for each data source.
Store Event Payload

Select this checkbox to enable the data source to store event payload information.

By default, automatically discovered data sources inherit the value of the Store Event Payload list from the System Settings in the QRadar product. When you create a data source or edit an existing configuration, you can override the default value by configuring this option for each data source.