UDP Multiline Syslog log source parameters for Open LDAP
If QRadar does not automatically detect the log source, add an Open LDAP log source on the QRadar Console by using the UDP Multiline Syslog protocol. The UDP Multiline Syslog protocol requires the specific parameter values listed below.
| Parameter | Value |
|---|---|
| Log Source type | Open LDAP Software |
| Protocol Configuration | UDP Multiline Syslog |
| Log Source Identifier | |
| Listen Port | The UDP port on which QRadar accepts UDP Multiline Syslog events (default 517); see Listen Port below. |
| Message ID Pattern | The regex that extracts the message ID from each event payload; see Message ID Pattern below. |

Listen Port

Type the port number that QRadar uses to accept incoming UDP Multiline Syslog events. The valid port range is 1 - 65535; the default UDP Multiline Syslog listen port is 517. If the Listen Port field is not displayed, restart Tomcat on QRadar. To change the Listen Port number, update IPtables on your QRadar Console or Event Collector with the new UDP Multiline Syslog port number (for more information, see Configuring IPtables for UDP Multiline Syslog events). When the port update is complete, event collection starts on the new port number.

Message ID Pattern

Type the regular expression (regex) that identifies the message ID in each event payload. Payload lines that yield the same message ID are combined into one Open LDAP event; lines that do not match the pattern are not included. The following regular expression is suggested for Open LDAP events:

For example, Open LDAP starts connection messages with the word conn, followed by the rest of the event payload, so the connection number is the natural message ID. Using this parameter requires knowledge of regular expressions (regex). For more information, see the following website: http://download.oracle.com/javase/tutorial/essential/regex/
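The following Python script is an added example, not part of this page or of the QRadar product code. It models what the Message ID Pattern does: every syslog line is matched against the regex, the first capturing group becomes the message ID, and lines sharing an ID are joined into one multiline event. The pattern `conn=(\d+)`, the sample slapd log lines, the requirement for a capturing group, and the `failed_binds` check for a BIND answered with `err=49` are all assumptions made for this example; the real protocol also flushes events on a timeout, which this model ignores.

```python
import re
from collections import OrderedDict

# Assumed Message ID Pattern (the page does not reproduce the suggested one):
# capture the OpenLDAP connection number so that every line of one connection
# shares a message ID and is assembled into a single event.
MESSAGE_ID_PATTERN = r"conn=(\d+)"

# Constructed sample input: interleaved slapd syslog lines for two connections
# plus one daemon message that carries no conn= marker.
SAMPLE_LINES = [
    'Jan 10 12:00:01 ldap1 slapd[1234]: conn=1001 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)',
    'Jan 10 12:00:01 ldap1 slapd[1234]: conn=1002 fd=13 ACCEPT from IP=10.0.0.6:51235 (IP=0.0.0.0:389)',
    'Jan 10 12:00:01 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128',
    'Jan 10 12:00:01 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=',
    'Jan 10 12:00:02 ldap1 slapd[1234]: conn=1002 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128',
    'Jan 10 12:00:02 ldap1 slapd[1234]: slapd shutdown: waiting for 0 threads to terminate',
    'Jan 10 12:00:02 ldap1 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=',
    'Jan 10 12:00:02 ldap1 slapd[1234]: conn=1001 fd=12 closed (connection lost)',
]


def compile_message_id_pattern(pattern):
    """Compile the Message ID Pattern and require a capturing group.

    Assumption for this example: the message ID is taken from group 1, so a
    pattern with no group cannot identify anything and is rejected up front.
    """
    compiled = re.compile(pattern)
    if compiled.groups < 1:
        raise ValueError("Message ID Pattern must contain a capturing group that yields the ID")
    return compiled


def assemble_events(lines, pattern=MESSAGE_ID_PATTERN):
    """Group syslog lines that share a message ID into one multiline event.

    Returns (events, unmatched): events maps message ID to the joined payload
    in arrival order; unmatched holds lines the pattern did not match, which
    the protocol would not include in any Open LDAP event.
    """
    regex = compile_message_id_pattern(pattern)
    events = OrderedDict()
    unmatched = []
    for line in lines:
        match = regex.search(line)
        if match is None:
            unmatched.append(line)
            continue
        events.setdefault(match.group(1), []).append(line)
    return {message_id: "\n".join(parts) for message_id, parts in events.items()}, unmatched


def failed_binds(events):
    """Message IDs whose assembled event shows a BIND answered with err=49.

    LDAP result code 49 is invalidCredentials. The multiline assembly is what
    makes this check possible: the BIND and its RESULT arrive as separate
    syslog lines and are only correlated once they share conn=<id>.
    """
    bind_then_failure = re.compile(r"op=(\d+) BIND .*\n.*op=\1 RESULT tag=97 err=49\b")
    return sorted(mid for mid, payload in events.items() if bind_then_failure.search(payload))


if __name__ == "__main__":
    assembled, skipped = assemble_events(SAMPLE_LINES)
    for message_id, payload in assembled.items():
        print(f"--- event conn={message_id} ({payload.count(chr(10)) + 1} lines) ---")
        print(payload)
    print("unmatched lines:", len(skipped))
    print("connections with a failed BIND:", failed_binds(assembled))
```

The `failed_binds` check is the reason a per-connection message ID is the right choice for slapd: a single line tells you that a BIND happened, but only the assembled event pairs it with its RESULT line.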
For a complete list of UDP Multiline Syslog protocol parameters and their values, see UDP multiline syslog protocol configuration options.