To configure QRadar® log integration by using the command line, you must add the auxiliary object class and then set values for the QRadar log management attributes. QRadar log integration enables management of the server audit logs for IBM® Security Directory Server activities.
Procedure
- Add the auxiliary object class ibm-slapdQRadarConfig for QRadar configuration attributes to cn=Audit,cn=Log Management,cn=Configuration. Run the following command:
  #idsldapmodify -h host_name -p portnumber -D cn=RDN_value -w password \
  -f file_name
  Where the contents of file_name are:
  dn: cn=Audit,cn=Log Management,cn=Configuration
  changetype: modify
  add: objectclass
  objectclass: ibm-slapdQRadarConfig
- Set the attribute values for QRadar integration. Run the following command:
  #idsldapmodify -h host_name -p portnumber -D cn=RDN_value -w password \
  -f file_name
  Where the contents of file_name are:
  dn: cn=specific_log_name,cn=Log Management,cn=Configuration
  changetype: modify
  add: ibm-slapdLogEventQRadarEnabled
  ibm-slapdLogEventQRadarEnabled: true
  -
  add: ibm-slapdLogEventQRadarHostName
  ibm-slapdLogEventQRadarHostName: host_name_of_qradar_instance
  -
  add: ibm-slapdLogEventQRadarPort
  ibm-slapdLogEventQRadarPort: port_of_qradar_instance
  -
  add: ibm-slapdLogEventQRadarMapFilesLocation
  ibm-slapdLogEventQRadarMapFilesLocation: directory_location_of_qradar_mapfiles
- Run the following command to start an instance:
ibmslapd -I <instance_name> -n
- You can start log management locally or remotely. To start log management locally, run the following command:
  idslogmgmt -I <instance_name>
- Run the following commands to start, get status, and stop log management remotely:
  ibmdirctl -D <adminDN> -w <password> -h <host_name> \
  -p <administration server port number> startlogmgmt
  ibmdirctl -D <adminDN> -w <password> -h <host_name> \
  -p <administration server port number> statuslogmgmt
  ibmdirctl -D <adminDN> -w <password> -h <host_name> \
  -p <administration server port number> stoplogmgmt
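A verification step for the entry modified in the first two steps, added here as an example and not part of the IBM documentation: it reads the entry back as LDIF (assumed to be retrieved with idsldapsearch, whose flags are not shown on this page) and checks that the auxiliary class and all four QRadar attributes are present and well formed, so that a missed step 1 or a bad port is caught before the instance is restarted. The function names, the sample entry and its values are constructed for the example.

```shell
# Post-change check for the QRadar entry (added helper, not from the IBM docs).
# Pipe in the LDIF that idsldapsearch returns for the modified entry; the
# attribute and object class names are those documented on this page.
# Print the value of the first attribute on stdin whose name matches $1
# (LDIF attribute names are case-insensitive; the space after ':' is optional).
ldif_attr() {
  awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    index($0, ":") > 0 {
      name = tolower(substr($0, 1, index($0, ":") - 1))
      if (name == want) {
        val = substr($0, index($0, ":") + 1)
        sub(/^[ \t]+/, "", val)
        print val
        exit
      }
    }'
}
# Return 0 when the auxiliary class and all four QRadar attributes are present
# and sane, 1 otherwise, reporting each problem on stderr.
check_qradar_config() {
  entry=$(cat); rc=0
  printf '%s\n' "$entry" | grep -iq '^objectclass:[[:space:]]*ibm-slapdQRadarConfig[[:space:]]*$' \
    || { echo "objectclass ibm-slapdQRadarConfig missing (step 1 not applied)" >&2; rc=1; }
  enabled=$(printf '%s\n' "$entry" | ldif_attr ibm-slapdLogEventQRadarEnabled | tr 'A-Z' 'a-z')
  [ "$enabled" = true ] \
    || { echo "ibm-slapdLogEventQRadarEnabled is '$enabled', expected true" >&2; rc=1; }
  host=$(printf '%s\n' "$entry" | ldif_attr ibm-slapdLogEventQRadarHostName)
  [ -n "$host" ] || { echo "ibm-slapdLogEventQRadarHostName is empty" >&2; rc=1; }
  port=$(printf '%s\n' "$entry" | ldif_attr ibm-slapdLogEventQRadarPort)
  case "$port" in
    ''|*[!0-9]*) echo "ibm-slapdLogEventQRadarPort '$port' is not a number" >&2; rc=1 ;;
    *) [ "$port" -ge 1 ] && [ "$port" -le 65535 ] \
         || { echo "ibm-slapdLogEventQRadarPort $port is out of range" >&2; rc=1; } ;;
  esac
  mapdir=$(printf '%s\n' "$entry" | ldif_attr ibm-slapdLogEventQRadarMapFilesLocation)
  [ -n "$mapdir" ] || { echo "ibm-slapdLogEventQRadarMapFilesLocation is empty" >&2; rc=1; }
  return $rc
}
# Constructed sample of the entry after both idsldapmodify steps (abbreviated).
SAMPLE_ENTRY='dn: cn=Audit,cn=Log Management,cn=Configuration
objectclass: ibm-slapdQRadarConfig
ibm-slapdLogEventQRadarEnabled: true
ibm-slapdLogEventQRadarHostName: qradar.example.com
ibm-slapdLogEventQRadarPort: 514
ibm-slapdLogEventQRadarMapFilesLocation: /opt/ibm/ldap/qradar/maps'
printf '%s\n' "$SAMPLE_ENTRY" | check_qradar_config && echo "QRadar entry looks complete"
```

Run it against a real entry by replacing the sample with the output of idsldapsearch on the entry named in your own file_name; a non-zero exit status lists every attribute that still needs attention.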