You might be unable to send events directly to the standard UDP Multiline port 517, or to any
other unused port, when you collect UDP Multiline Syslog events in IBM®
QRadar®. If you cannot, you must redirect events from port 514 to the default port 517, or to your chosen alternative port,
by using IPtables. You must configure IPtables on your QRadar
Console, or on each QRadar
Event Collector that receives
UDP Multiline Syslog events from a SunOne LDAP server. Then, you must complete the configuration
for each SunOne LDAP server IP address that you want to receive logs from.
Before you begin
Important: Complete this configuration when you cannot send UDP Multiline Syslog
events directly to the chosen UDP Multiline port on QRadar from your SunOne LDAP
server, for example when the server is restricted to sending only to the
standard syslog port 514.
Procedure
-
Using SSH, log in to QRadar as the root user.
Login: root
Password: password
-
Type the following command to edit the IPtables file:
vi /opt/qradar/conf/iptables-nat.post
The IPtables NAT configuration file is displayed.
-
Add the following rule to instruct QRadar to redirect syslog events
from UDP port 514 to the UDP Multiline port:
-A PREROUTING -p udp --dport 514 -j REDIRECT --to-port <new-port> -s <IP address>
Where:
IP address is the IP address of your SunOne LDAP server.
New port is the port number that is configured in the UDP Multiline protocol
for SunOne LDAP.
The -s match limits the redirect to that one source address, so syslog events that other devices send to port 514 still reach the standard syslog listener.
You must include a redirect rule for each SunOne LDAP IP address that sends events to your QRadar
Console or Event Collector. Example:
-A PREROUTING -p udp --dport 514 -j REDIRECT --to-port 517 -s <IP_address>
-
Save your IPtables NAT configuration.
You are now ready to configure IPtables on your QRadar
Console or Event Collector to accept events
from your SunOne LDAP servers.
-
Type the following command to edit the IPtables file:
vi /opt/qradar/conf/iptables.post
The IPtables configuration file is displayed.
-
Add the following rule to instruct QRadar to accept the redirected events from
your SunOne LDAP servers:
-I QChain 1 -m udp -p udp --src <IP_address> --dport <New port> -j ACCEPT
Where:
IP address is the IP address of your SunOne LDAP server.
New port is the port number that is configured in the UDP Multiline protocol
for SunOne LDAP.
You must include an accept rule for each SunOne LDAP IP address that sends events to your QRadar
Console or Event Collector. Example:
-I QChain 1 -m udp -p udp --src <IP_address> --dport 517 -j ACCEPT
-
Type the following command to apply the updated IPtables rules in QRadar:
/opt/qradar/bin/iptables_update.pl
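The procedure above has to be repeated, rule by rule, for every SunOne LDAP server. The following script is an added example, not IBM's own tooling: it builds the PREROUTING redirect and QChain ACCEPT rules for each source address, appends them to the two .post files only when an identical line is not already there, and refuses addresses and ports that are not well formed. The file and script paths default to the QRadar locations named in the procedure; the NAT_POST, FILTER_POST and UPDATE_SCRIPT variables, and the function names, are assumptions of this example so that it can be exercised on scratch copies of the files.

```shell
#!/bin/sh
# Added example, not IBM's own tooling: generate the NAT REDIRECT and QChain
# ACCEPT rules from the procedure for each SunOne LDAP source address and
# append them to the two .post files, skipping rules that are already present
# so the script can be re-run safely as LDAP servers are added.
# Paths default to the QRadar files the procedure edits; the variables are an
# assumption of this example (not a QRadar setting) so tests can use copies.
NAT_POST="${NAT_POST:-/opt/qradar/conf/iptables-nat.post}"
FILTER_POST="${FILTER_POST:-/opt/qradar/conf/iptables.post}"
UPDATE_SCRIPT="${UPDATE_SCRIPT:-/opt/qradar/bin/iptables_update.pl}"
SYSLOG_PORT=514   # the standard syslog port the LDAP server is restricted to

# valid_ipv4 ADDR: accept only a dotted quad with every octet in 0-255.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  ip_ifs=$IFS; IFS=.
  set -- $1
  IFS=$ip_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# valid_port PORT: accept only a number in 1-65535 (the UDP Multiline port).
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# nat_rule IP PORT: PREROUTING redirect from UDP 514 to the multiline port,
# restricted with -s to the one LDAP source so other 514 traffic is untouched.
nat_rule() {
  printf '%s\n' "-A PREROUTING -p udp --dport $SYSLOG_PORT -j REDIRECT --to-port $2 -s $1"
}

# accept_rule IP PORT: let the redirected datagrams from that source through QChain.
accept_rule() {
  printf '%s\n' "-I QChain 1 -m udp -p udp --src $1 --dport $2 -j ACCEPT"
}

# append_once FILE RULE: append RULE as a whole line unless an identical line exists.
append_once() {
  grep -qxF -e "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# add_ldap_source IP PORT: validate the input, then write both rules.
# Returns 2 for a bad address and 3 for a bad port, before touching any file.
add_ldap_source() {
  valid_ipv4 "$1" || return 2
  valid_port "$2" || return 3
  append_once "$NAT_POST"    "$(nat_rule "$1" "$2")"
  append_once "$FILTER_POST" "$(accept_rule "$1" "$2")"
}

# apply_rules: load the edited .post files into the running firewall.
apply_rules() {
  [ -x "$UPDATE_SCRIPT" ] || { echo "missing $UPDATE_SCRIPT" >&2; return 1; }
  "$UPDATE_SCRIPT"
}

# Typical use on the Console or Event Collector, one call per LDAP server
# (192.0.2.10 and 192.0.2.11 are constructed placeholder addresses):
#   add_ldap_source 192.0.2.10 517 && add_ldap_source 192.0.2.11 517 && apply_rules
```

Because append_once compares whole lines, a rule that already exists in the file, whether written by hand or by an earlier run, is left alone rather than duplicated, which keeps the .post files readable when the set of LDAP servers changes over time.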
Example
If you need to configure another QRadar
Console or Event Collector that receives
syslog events from a SunOne LDAP server, repeat these steps on that system.
What to do next
Configure your SunOne LDAP server to forward events to QRadar.