Configuring IPtables for UDP Multiline Syslog events

You might be unable to send events directly to the standard UDP Multiline port 517, or to any other unused port, when you collect UDP Multiline Syslog events in IBM® QRadar®. If this occurs, you must redirect events from port 514 to the default port 517 or your chosen alternative port by using IPtables. You must configure IPtables on your QRadar Console or on each QRadar Event Collector that receives UDP Multiline Syslog events from a SunOne LDAP server. Then, you must complete the configuration for each SunOne LDAP server IP address that you want to receive logs from.

Before you begin

Important: Complete this configuration method when you can't send UDP Multiline Syslog events directly to the chosen UDP Multiline port on QRadar from your SunOne LDAP server. You must also complete this configuration when you are restricted to sending only to the standard syslog port 514.

Procedure

  1. Using SSH, log in to QRadar as the root user.

    Login: root

    Password: password

  2. Type the following command to edit the IPtables file:

    vi /opt/qradar/conf/iptables-nat.post

    The IPtables NAT configuration file is displayed.

  3. Type the following command to instruct QRadar to redirect syslog events from UDP port 514 to UDP port 517 (or your chosen alternative port):

    -A PREROUTING -p udp --dport 514 -j REDIRECT --to-port <New port> -s <IP_address>

    Where:

    IP_address is the IP address of your SunOne LDAP server.

    New port is the port number that is configured in the UDP Multiline protocol for SunOne LDAP.

    You must include a redirect for each SunOne LDAP IP address that sends events to your QRadar Console or Event Collector. Example:

    -A PREROUTING -p udp --dport 514 -j REDIRECT --to-port 517 -s <IP_address>

  4. Save your IPtables NAT configuration.

    You are now ready to configure IPtables on your QRadar Console or Event Collector to accept events from your SunOne LDAP servers.

  5. Type the following command to edit the IPtables file:

    vi /opt/qradar/conf/iptables.post

    The IPtables configuration file is displayed.

  6. Type the following command to instruct QRadar to allow communication from your SunOne LDAP servers:

    -I QChain 1 -m udp -p udp --src <IP_address> --dport <New port> -j ACCEPT

    Where:

    IP_address is the IP address of your SunOne LDAP server.

    New port is the port number that is configured in the UDP Multiline protocol for SunOne LDAP.

    You must include an ACCEPT rule for each SunOne LDAP IP address that sends events to your QRadar Console or Event Collector. Example:

    -I QChain 1 -m udp -p udp --src <IP_address> --dport 517 -j ACCEPT

  7. Type the following command to update IPtables in QRadar:

    /opt/qradar/bin/iptables_update.pl
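Steps 3 and 6 must be kept in lockstep: every source address that is redirected in iptables-nat.post needs a matching ACCEPT in iptables.post, or the redirected datagrams are silently dropped. The following script is an added example, not part of the IBM documentation; it generates both sets of lines for a list of SunOne LDAP addresses and checks two existing files for a mismatch. The function names and the 192.0.2.x addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM QRadar code): generate matching iptables-nat.post and
# iptables.post lines for a set of SunOne LDAP servers, and verify that an
# existing pair of files is in sync. Addresses below are constructed placeholders.

# Emit one PREROUTING REDIRECT per source address (lines for iptables-nat.post).
gen_nat_rules() {
  port="$1"; shift
  for ip in "$@"; do
    printf -- '-A PREROUTING -p udp --dport 514 -j REDIRECT --to-port %s -s %s\n' "$port" "$ip"
  done
}

# Emit one QChain ACCEPT per source address (lines for iptables.post).
gen_filter_rules() {
  port="$1"; shift
  for ip in "$@"; do
    printf -- '-I QChain 1 -m udp -p udp --src %s --dport %s -j ACCEPT\n' "$ip" "$port"
  done
}

# For every address redirected to $port in the NAT file, require an ACCEPT on
# the same address and port in the filter file. Reports each gap on stderr and
# returns 1 if any address is missing, 0 when the two files agree.
check_rules_in_sync() {
  nat_file="$1"; filter_file="$2"; port="$3"; missing=0
  for ip in $(sed -n 's/.*--to-port '"$port"' -s \([^ ]*\).*/\1/p' "$nat_file"); do
    if ! grep -qF -- "--src $ip --dport $port -j ACCEPT" "$filter_file"; then
      echo "no ACCEPT rule for $ip on udp/$port" >&2
      missing=1
    fi
  done
  return $missing
}

# Demonstration with constructed documentation-range addresses (RFC 5737).
gen_nat_rules 517 192.0.2.10 192.0.2.11
gen_filter_rules 517 192.0.2.10 192.0.2.11
```

Redirect the two generated blocks into the respective files from steps 2 and 5, then run `/opt/qradar/bin/iptables_update.pl` as in step 7; run the check before updating whenever a server is added or removed.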

Example

If you need to configure another QRadar Console or Event Collector that receives syslog events from a SunOne LDAP server, repeat these steps.

What to do next

Configure your SunOne LDAP server to forward events to QRadar.