UDP multiline syslog protocol configuration options

To create a single-line syslog event from a multiline event, configure a log source to use the UDP multiline protocol. The UDP multiline syslog protocol uses a regular expression to identify and reassemble the multiline syslog messages into single event payload.

The UDP multiline syslog protocol is an inbound/passive protocol. The original multiline event must contain a value that repeats on each line in order for a regular expression to capture that value and identify and reassemble the individual syslog messages that make up the multiline event. For example, this multiline event contains a repeated value, 2467222, in the conn field. This field value is captured so that all syslog messages that contain conn=2467222 are combined into a single event.
15:08:56 <IP_address> slapd[517]: conn=2467222 op=2 SEARCH RESULT tag=101
15:08:56 <IP_address> slapd[517]: conn=2467222 op=2 SRCH base="dc=xxx"
15:08:56 <IP_address> slapd[517]: conn=2467222 op=2 SRCH attr=gidNumber
15:08:56 <IP_address> slapd[517]: conn=2467222 op=1 SRCH base="dc=xxx"
The following table describes the protocol-specific parameters for the UDP multiline syslog protocol:
Table 1. UDP multiline syslog protocol parameters
Parameter Description
Protocol Configuration UDP Multiline Syslog
Log Source Identifier

Type a unique name for the log source.

The Log Source Identifier can be any valid value and does not need to reference a specific server. It can also be the same value as the Log Source Name. If you have more than one configured UDP multiline syslog log source, ensure that you give each one a unique name.

Listen Port

The default port number that is used by QRadar to accept incoming UDP Multiline Syslog events is 517. You can use a different port in the range 1 - 65535.

To edit a saved configuration to use a new port number, complete the following steps:

  1. In the Listen Port field, type the new port number for receiving UDP Multiline Syslog events.
  2. Click Save.
  3. Click Deploy Changes to make this change effective.

The port update is complete and event collection starts on the new port number.

Message ID Pattern The regular expression (regex) required to filter the event payload messages. The UDP multiline event messages must contain a common identifying value that repeats on each line of the event message.
Event Formatter

The event formatter that formats incoming payloads that are detected by the listener. Select No Formatting to leave the payload untouched. Select Cisco ACS Multiline to format the payload into a single-line event.

In ACS syslog header, there are total_seg and seg_num fields. These two fields are used to rearrange ACS multiline events into a single-line event with correct order when you select the Cisco ACS Multiline option.

Show Advanced Options

The default is No. Select Yes if you want to configure advanced options.

Use Custom Source Name

Select the check box if you want to customize the source name with regex.

Source Name Regex

Use the Source Name Regex and Source Name Formatting String parameters if you want to customize how QRadar determines the source of the events that are processed by this UDP Multiline Syslog configuration.

For Source Name Regex, enter a regex to capture one or more identifying values from event payloads that are handled by this protocol. These values are used with the Source Name Formatting String to set a source or origin value for each event. This source value is used to route the event to a log source with a matching Log Source Identifier value when the Use As A Gateway Log Source option is enabled.

Source Name Formatting String
You can use a combination of one or more of the following inputs to form a source value for event payloads that are processed by this protocol:
  • One or more capture groups from the Source Name Regex. To refer to a capture group, use \x notation where x is the index of a capture group from the Source Name Regex.
  • The IP address from which the event data originated. To refer to the packet IP, use the token $PIP$.
  • Literal text characters. The entire Source Name Formatting String can be user-provided text.

For example, CiscoACS\1\2$PIP$, where \1\2 means first and second capture groups from the Source Name Regex value, and $PIP$ is the packet IP.

Use As A Gateway Log Source

If this check box is clear, incoming events are sent to the log source with the Log Source Identifier matching the IP that they originated from.

When checked, this log source serves as a single entry point or gateway for multiline events from many sources to enter QRadar and be processed in the same way, without the need to configure a UDP Multiline Syslog log source for each source. Events with an RFC3164- or RFC5424-compliant syslog header are identified as originating from the IP or host name in their header, unless the Source Name Formatting String parameter is in use, in which case that format string is evaluated for each event. Any such events are routed through QRadar based on this captured value.

If one or more log sources exist with a corresponding Log Source Identifier, they are given the event based on configured Parsing Order. If they do not accept the event, or if no log sources exist with a matching Log Source Identifier, the events are analyzed for autodetection.

Flatten Multiline Events Into Single Line

Shows an event in one single line or multiple lines. If this check box is selected, all newline and carriage return characters are removed from the event.

Retain Entire Lines During Event Aggregation

Choose this option to either discard or keep the part of the events that comes before Message ID Pattern when the protocol concatenates events with same ID pattern together.

Time Limit The number of seconds to wait for additional matching payloads before the event is pushed into the event pipeline. The default is 10 seconds.
Enabled

Select this check box to enable the log source.

Credibility

Select the credibility of the log source. The range is 0 - 10.

The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.

Target Event Collector

Select the Event Collector in your deployment that should host the UDP Multiline Syslog listener.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.

By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in QRadar. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Store Event Payload

Select this check box to enable the log source to store event payload information.

By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in QRadar. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.