Juniper Secure Analytics Log Sources Users Guide Release 2014.1 Modified: 2017-01-04 Copyright © 2017, Juniper Networks, Inc.

Upload: lykhanh

Post on 28-Jul-2018

219 views

Category:

Documents


0 download

TRANSCRIPT

Juniper Secure Analytics

Log Sources Users Guide

Release

2014.1

Modified: 2017-01-04

Copyright © 2017, Juniper Networks, Inc.

Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net

Copyright © 2017, Juniper Networks, Inc. All rights reserved.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Juniper Secure Analytics Log Sources Users Guide
Copyright © 2017, Juniper Networks, Inc.
All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


Table of Contents

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . x

Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x

Part 1 Juniper Secure Analytics Log Sources

Chapter 1 Installing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Installing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Chapter 2 Managing Log Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Log Sources Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Viewing the Status of a Log Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Adding a Log Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Editing Log Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Enabling or Disabling a Log Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Adding Bulk Log Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Editing Bulk Log Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Deleting a Log Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Chapter 3 Managing Protocol Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Protocol Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Configuring the Syslog Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Configuring the JDBC Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Configuring the JDBC SiteProtector Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Configuring the Sophos Enterprise Console JDBC Protocol . . . . . . . . . . . . . . . . . . 31

Configuring the Juniper Networks NSM Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Configuring the OPSEC/LEA Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Configuring the SDEE Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Configuring the SNMPv1 Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Configuring the SNMPv2 Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Configuring the SNMPv3 Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Configuring the Sourcefire Defense Center Estreamer Protocol . . . . . . . . . . . . . . . 51

Configuring the Log File Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Configuring the Microsoft Security Event Log Protocol . . . . . . . . . . . . . . . . . . . . . 59

Configuring the Microsoft Security Event Log Custom Protocol . . . . . . . . . . . . . . 62

Configuring the Microsoft DHCP Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Configuring the Microsoft Exchange Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Configuring the Microsoft IIS protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71


Configuring the SMB Tail Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Configuring the EMC VMware Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Configuring the Oracle Database Listener Protocol . . . . . . . . . . . . . . . . . . . . . . . . 79

Configuring the Cisco NSEL Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Configuring the PCAP Syslog Combination Protocol . . . . . . . . . . . . . . . . . . . . . . . 84

Configuring the Forwarded Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Configuring the TLS Syslog Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Configuring the Juniper Security Binary Log Collector Protocol . . . . . . . . . . . . . . . 92

Configuring the UDPMultiline Syslog Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Configuring the TCP Multiline Syslog Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Configuring the VMware vCloud Director Protocol . . . . . . . . . . . . . . . . . . . . . . . . 100

Configuring the IBM® Tivoli® Endpoint Manager SOAP Protocol . . . . . . . . . . . . 102

Chapter 4 Grouping Log Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Grouping Log Source Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Viewing Log Source Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Assigning a Log Source to a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Creating a Log Source Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Editing a Log Source Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Copying a Log Source to Another Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Removing a Log Source From a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Chapter 5 Adding Log Source Parsing Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Log Source Parsing Order Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Adding a Log Source Parsing Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Chapter 6 Managing Log Source Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Log Source Extensions Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Viewing the Status of a Log Source Extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

Adding a Log Source Extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Editing a Log Source Extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Copying a Log Source Extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Enabling or Disabling a Log Source Extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Deleting a Log Source Extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Part 2 Index

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125


List of Tables

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii

Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii

Part 1 Juniper Secure Analytics Log Sources

Chapter 2 Managing Log Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Table 3: Console Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Table 4: Log Source Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Table 5: Bulk Log Source Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Table 6: Bulk Edit Log Source Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Chapter 3 Managing Protocol Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Table 7: Syslog Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Table 8: JDBC Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Table 9: JDBC - SiteProtector Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . 27

Table 10: Sophos Enterprise Console JDBC Protocol Parameters . . . . . . . . . . . . . 32

Table 11: Juniper Networks NSM Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . 36

Table 12: OPSEC/LEA Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Table 13: SDEE Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Table 14: SNMPv1 Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Table 15: SNMPv2 Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Table 16: SNMPv3 Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Table 17: Sourcefire Defense Center Estreamer Protocol Parameters . . . . . . . . . . 52

Table 18: Log File Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Table 19: Microsoft Security Event Log Protocol Parameters . . . . . . . . . . . . . . . . 60

Table 20: Microsoft Security Event Log Protocol Parameters . . . . . . . . . . . . . . . . 63

Table 21: Microsoft DHCP Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Table 22: Microsoft Exchange Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . 68

Table 23: Microsoft IIS Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Table 24: SMB Tail Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Table 25: EMC VMware Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Table 26: Oracle Database Listener Protocol Parameters . . . . . . . . . . . . . . . . . . . 79

Table 27: Cisco NSEL Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Table 28: PCAP Syslog Combination Protocol Parameters . . . . . . . . . . . . . . . . . . 84

Table 29: Forwarded Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Table 30: TLS Syslog Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Table 31: Juniper Security Binary Log Collector Protocol Parameters . . . . . . . . . . 92

Table 32: UDP Multiline Syslog Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . 94

Table 33: TCP Multiline Syslog Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . 97

Table 34: VMware vCloud Director Protocol Parameters . . . . . . . . . . . . . . . . . . . 100


Table 35: IBM Tivoli Endpoint Manager SOAP Protocol Parameters . . . . . . . . . . 102

Chapter 6 Managing Log Source Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Table 36: Log Source Extension Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116


About the Documentation

• Documentation and Release Notes on page vii

• Documentation Conventions on page vii

• Documentation Feedback on page ix

• Requesting Technical Support on page x

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.

Documentation Conventions

Table 1 on page viii defines notice icons used in this guide.


Table 1: Notice Icons

Meaning: Description

Informational note: Indicates important features or instructions.

Caution: Indicates a situation that might result in loss of data or hardware damage.

Warning: Alerts you to the risk of personal injury or death.

Laser warning: Alerts you to the risk of personal injury from a laser.

Tip: Indicates helpful information.

Best practice: Alerts you to a recommended use or implementation.

Table 2 on page viii defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Examples:
  To enter configuration mode, type the configure command:
  user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Examples:
  user@host> show chassis alarms
  No alarms currently active

Convention: Italic text like this
Description:
  • Introduces or emphasizes important new terms.
  • Identifies guide names.
  • Identifies RFC and Internet draft titles.
Examples:
  • A policy term is a named structure that defines match conditions and actions.
  • Junos OS CLI User Guide
  • RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Examples:
  Configure the machine’s domain name:
  [edit]
  root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
  • To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
  • The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Examples:
  stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
  broadcast | multicast
  (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Examples:
  rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Examples:
  community name members [community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.
Examples:
  [edit]
  routing-options {
      static {
          route default {
              nexthop address;
              retain;
          }
      }
  }

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.
Examples: See the routing-options example above; each statement ending in a semicolon is a leaf statement.

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
  • In the Logical Interfaces box, select All Interfaces.
  • To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Examples:
  In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:

• Online feedback rating system—On any page of the Juniper Networks TechLibrary site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at http://www.juniper.net/techpubs/feedback/.


• E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or Partner Support Service support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Search for known bugs: http://www2.juniper.net/kb/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: http://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.


PART 1

Juniper Secure Analytics Log Sources

• Installing Protocols on page 3

• Managing Log Sources on page 5

• Managing Protocol Configuration on page 19

• Grouping Log Sources on page 107

• Adding Log Source Parsing Order on page 113

• Managing Log Source Extensions on page 115


CHAPTER 1

Installing Protocols

This chapter describes the following sections:

• Installing Protocols on page 3

Installing Protocols

You can download and install a Juniper Secure Analytics (JSA) protocol.

To install JSA protocols:

1. Download the protocol file from Juniper Customer Support:

http://www.juniper.net/support/downloads

2. Copy the protocol file to your JSA console.

3. Using SSH, log in to the JSA host as the root user.

4. Navigate to the directory that includes the downloaded file.

5. Extract the contents of the file if they are compressed.

6. Type the following command:

rpm -Uvh <filename>

Where <filename> is the name of the downloaded file. For example:

PROTOCOL-WinCollectMicrosoftIAS-7.2-605867.noarch.rpm.

7. Log in to JSA.

https://<IP Address>

Where <IP Address> is the IP address of the JSA console or Event Collector.

8. On the Admin tab, click Deploy Changes.

The installation is complete.

Related Documentation

• Log Sources Management on page 6

• Adding a Log Source on page 7


CHAPTER 2

Managing Log Sources

This chapter describes the following sections:

• Log Sources Overview on page 6

• Viewing the Status of a Log Source on page 6

• Adding a Log Source on page 7

• Editing Log Source on page 9

• Enabling or Disabling a Log Source on page 11

• Adding Bulk Log Sources on page 12

• Editing Bulk Log Sources on page 15

• Deleting a Log Source on page 17


Log Sources Overview

Administrators can manage log sources from the Admin tab. Log sources are a list of external appliances that provide events to Juniper Secure Analytics (JSA).

References to JSA apply to all products capable of collecting log source information. Products that support log sources include Log Analytics.

Log sources provide JSA the ability to collect, understand, and properly categorize events from external sources. A log source is a generic term for any external source that provides event information to JSA. A log source can be any type of network appliance, operating system, database, or security product that generates events for JSA. For example, firewalls or intrusion detection systems might provide security-based events, whereas switches or routers might provide network-based events. JSA can read and interpret events from more than 300 log sources. Each log source in JSA contains a device support module (DSM). The DSM software contains the event patterns that are required to identify and parse events for a log source. Updated event patterns to parse new events and update your system are provided through weekly auto updates.

Log sources can be created manually by an administrator or automatically discovered by JSA. Auto discovery means that JSA can detect and create a log source from events without manual configuration. Many log sources can be automatically discovered by JSA.

Before you configure a log source, you must review and understand how the device, appliance, or software sends events to JSA. To review step-by-step configuration instructions for devices and the associated log source, see the Juniper Secure Analytics Administration Guide.

To manage log sources in JSA, perform the following tasks:

• “Viewing the Status of a Log Source” on page 6.

• “Adding a Log Source” on page 7.

• “Editing Log Source” on page 9.

• “Adding Bulk Log Sources” on page 12.

• “Editing Bulk Log Sources” on page 15.

• “Enabling or Disabling a Log Source” on page 11.

• “Deleting a Log Source” on page 17.

Viewing the Status of a Log Source

You can view the status of a log source to determine if your device is sending events to

Juniper Secure Analytics.

To view the status of a log source:

1. Click the Admin tab.


2. Click the Log Sources icon.

3. Review the Status column to determine the status of your log sources.

For example, log sources that do not send an event within 720 minutes display an error in the Status column. Log sources that display N/A are log sources that have been bulk added.

Related Documentation

• Log Sources Management on page 6.

• Adding a Log Source on page 7.

• Editing Log Source on page 9.

• Adding Bulk Log Sources on page 12.

• Editing Bulk Log Sources on page 15.

• Enabling or Disabling a Log Source on page 11.

• Deleting a Log Source on page 17.

Adding a Log Source

Administrators can add a log source to receive events from your network devices or appliances. Before a log source is manually added, the administrator can determine if the device supports automatic discovery.

Table 3 describes the parameters of the log source fields.

Table 3: Console Settings

Parameter: Log Source Name
Description: Type a unique name for the log source.

Parameter: Log Source Description
Description: Optional. Type a description for the log source.

Parameter: Log Source Type
Description: From the list, select the type of log source to add.

Parameter: Protocol Configuration
Description: From the list, select the protocol configuration for the log source. The protocol defines how Juniper Secure Analytics attempts to communicate with the log source. Protocols can either listen for events or they can initiate communication to a log source to collect events. The protocol options that are available for each log source are determined by the Log Source Type. Juniper Secure Analytics provides step-by-step instructions to configure each log source.

Parameter: Log Source Identifier
Description: Type an IPv4 address or hostname to identify the log source that created the events. If your network contains multiple devices that are attached to a management console, you should specify the IP address of the individual device that created the event. A unique identifier for each, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.

Parameter: Enabled
Description: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Parameter: Credibility
Description: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Parameter: Target Event Collector
Description: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Parameter: Coalescing Events
Description: Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, events are viewed individually and events are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Parameter: Store Event Payload
Description: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Parameter: Log Source Language
Description: Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Parameter: Log Source Extension
Description: Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Parameter: Extension Use Condition
Description: From the list box, select the use condition for the log source extension. The options include:
  • Parsing enhancement—Select this option when most fields parse correctly for the log source.
  • Parsing override—Select this option when the log source is unable to correctly parse events.

Parameter: Groups
Description: Select one or more groups for the log source.

To add a log source:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for your log source. Juniper Secure Analytics provides step-by-step instructions to configure each log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.
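To make the Table 3 constraints and the Status column rule from "Viewing the Status of a Log Source" concrete, here is an added Python model (example code, not Juniper's or JSA's own): it validates a log source definition (unique name, IPv4-or-hostname identifier, credibility 0 to 10, extension use condition), resolves the inherited coalescing setting, counts enabled sources against the license, and derives the Status column from the 720-minute rule. Class names, the "Success" label, the hostname check, and all sample values are assumptions or constructed.

```python
"""Added example (not Juniper's code): models the log source settings from
Table 3 and the Status column rule described for the Log Sources window.
Names are assumptions; sample values are constructed."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

STALE_AFTER = timedelta(minutes=720)      # page: no event within 720 minutes -> error
CREDIBILITY_DEFAULT = 5                   # Table 3 default
EXTENSION_USE_CONDITIONS = ("Parsing enhancement", "Parsing override")
# RFC 1123 style hostname labels; an assumption, not JSA's own validator.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


@dataclass
class SystemSettings:
    """Admin tab > System Settings defaults that new log sources inherit."""
    coalesce_events: bool = True
    store_event_payload: bool = True


@dataclass
class LogSource:
    name: str
    log_source_type: str
    protocol: str
    identifier: str                               # IPv4 address or hostname
    enabled: bool = True
    credibility: int = CREDIBILITY_DEFAULT
    coalesce_events: Optional[bool] = None        # None = inherit from SystemSettings
    store_event_payload: Optional[bool] = None    # None = inherit from SystemSettings
    extension: Optional[str] = None
    extension_use_condition: Optional[str] = None
    bulk_added: bool = False
    last_event: Optional[datetime] = None         # None = never received an event


def valid_identifier(value: str) -> bool:
    """Log Source Identifier must be an IPv4 address or a hostname."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return len(value) <= 253 and bool(_HOSTNAME_RE.match(value))


def validate(ls: LogSource, existing_names: Iterable[str]) -> List[str]:
    """Return the Table 3 constraints the definition violates (empty = OK)."""
    errors = []
    if not ls.name or ls.name in set(existing_names):
        errors.append("Log Source Name must be unique and non-empty")
    if not valid_identifier(ls.identifier):
        errors.append("Log Source Identifier must be an IPv4 address or hostname")
    if not 0 <= ls.credibility <= 10:
        errors.append("Credibility must be in the range 0-10")
    if ls.extension is not None and ls.extension_use_condition not in EXTENSION_USE_CONDITIONS:
        errors.append("Extension Use Condition must be one of: " + ", ".join(EXTENSION_USE_CONDITIONS))
    return errors


def effective_coalescing(ls: LogSource, settings: SystemSettings) -> bool:
    """The per-source check box overrides the System Settings default when set."""
    return settings.coalesce_events if ls.coalesce_events is None else ls.coalesce_events


def status(ls: LogSource, now: datetime) -> str:
    """Status column: N/A for bulk-added sources, Error after 720 idle minutes.
    The label for a healthy source ("Success") is an assumption."""
    if ls.bulk_added:
        return "N/A"
    if ls.last_event is None or now - ls.last_event > STALE_AFTER:
        return "Error"
    return "Success"


def licensed_count(sources: Iterable[LogSource]) -> int:
    """Disabled log sources are not counted against the license limit."""
    return sum(1 for s in sources if s.enabled)


def demo() -> dict:
    """Constructed sample: a healthy source, a stale one, a bulk-added one, a bad one."""
    now = datetime(2017, 1, 4, 12, 0, tzinfo=timezone.utc)       # constructed clock
    settings = SystemSettings(coalesce_events=True)
    fw = LogSource("edge-fw-01", "Juniper SRX", "Syslog", "192.0.2.10",
                   coalesce_events=False, last_event=now - timedelta(minutes=30))
    db = LogSource("hr-db", "Oracle Database Listener", "Oracle Database Listener",
                   "db01.example.net", last_event=now - timedelta(minutes=721))
    bulk = LogSource("branch-rtr-07", "Juniper JunOS", "Syslog", "198.51.100.7",
                     enabled=False, bulk_added=True)
    bad = LogSource("edge-fw-01", "Juniper SRX", "Syslog", "not a host",
                    credibility=11, extension="srx-fix", extension_use_condition="Replace")
    return {
        "statuses": [status(s, now) for s in (fw, db, bulk)],   # Success, Error, N/A
        "licensed": licensed_count([fw, db, bulk]),             # 2 (bulk is disabled)
        "coalesce": [effective_coalescing(s, settings) for s in (fw, db)],  # False, True
        "errors": validate(bad, [fw.name, db.name]),            # four violations
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```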

Related Documentation

• Log Sources Management on page 6.

• Viewing the Status of a Log Source on page 6.

• Editing Log Source on page 9.

• Adding Bulk Log Sources on page 12.

• Editing Bulk Log Sources on page 15.

• Enabling or Disabling a Log Source on page 11.

• Deleting a Log Source on page 17.

Editing Log Source

You can edit a log source to update the configuration parameters for a network device, appliance, or software. The Log Source Type and Protocol Configuration parameters cannot be edited.

Table 4 on page 9 describes the editable parameters of the log source fields:

Table 4: Log Source Parameters

Log Source Name: Type a unique name of the log source.

Log Source Description: Optional. Type a description for the log source.


Log Source Identifier: Type an IPv4 address or hostname to identify the log source that created the events.

If your network contains multiple devices that are attached to a management console, you should specify the IP address of the individual device that created the event. A unique identifier for each, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.

Enabled: Select this check box to enable the log source.

When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility: Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.

Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.

The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.

Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.

When this check box is clear, events are viewed individually and events are not bundled.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload: Select this check box to enable the log source to store the payload information from an event.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language: Select the language of the events that are generated by the log source.

The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.


Log Source Extension: Optional. Select the name of the extension to apply to the log source.

This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:

• Parsing enhancement—Select this option when most fields parse correctly for the log source.

• Parsing override—Select this option when the log source is unable to correctly parse events.

Groups: Select one or more groups for the log source.

To edit a log source:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Select a log source.

4. Click Edit.

5. Configure the parameters for your log source. JSA provides step-by-step instructions to configure each log source.

6. Click Save to update your log source configuration.

The log source is updated. Deploy Changes is not required when you edit a log source.
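The Coalescing Events and Store Event Payload behavior that Table 4 describes, as an added Python example that is not JSA's own code. The coalescing window, the grouping key (Log Source Identifier plus parsed event name) and the sample events are assumptions constructed for the illustration.

```python
"""Coalescing Events, as described in Table 4 (added example, not JSA's own code).

JSA bundles repeated identical events from one log source that arrive within a
short interval into a single record that carries a count. The interval length
and the grouping key used here (Log Source Identifier plus the parsed event
name) are assumptions for the illustration; the page does not document them.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    timestamp: float      # seconds since epoch
    log_source: str       # Log Source Identifier, e.g. an IPv4 address
    name: str             # event name assigned by the DSM after parsing
    payload: str          # raw payload, kept only when Store Event Payload is on


@dataclass
class Record:
    """One line as it would appear on the Log Activity tab."""
    first_seen: float
    last_seen: float
    log_source: str
    name: str
    count: int = 1
    payload: Optional[str] = None


def coalesce(events: List[Event], coalescing_enabled: bool = True,
             window_seconds: float = 10.0, store_payload: bool = True) -> List[Record]:
    """Turn raw events into Log Activity records.

    With the check box selected, an event that matches an open bundle (same log
    source and event name) within window_seconds of the bundle's first event is
    merged into it and the count is incremented. With the check box clear, every
    event becomes its own record with count 1.
    """
    records: List[Record] = []
    open_bundles: Dict[Tuple[str, str], int] = {}   # key -> index into records
    for ev in sorted(events, key=lambda e: e.timestamp):
        key = (ev.log_source, ev.name)
        if coalescing_enabled and key in open_bundles:
            rec = records[open_bundles[key]]
            if ev.timestamp - rec.first_seen <= window_seconds:
                rec.count += 1
                rec.last_seen = ev.timestamp
                continue
        # Coalescing is off, no bundle is open, or the window has expired:
        # start a new record (and a new bundle for this key).
        rec = Record(ev.timestamp, ev.timestamp, ev.log_source, ev.name, 1,
                     ev.payload if store_payload else None)
        records.append(rec)
        open_bundles[key] = len(records) - 1
    return records


def total_events(records: List[Record]) -> int:
    """Sum of the per-record counts. Coalescing changes how many records are
    shown, not how many events occurred, so a rule that counts occurrences
    must use the count rather than the number of records."""
    return sum(r.count for r in records)


# Constructed sample: three repeated failures from one host, one from another,
# a success, then a late repeat that falls outside the coalescing window.
SAMPLE_EVENTS = [
    Event(0.0, "10.0.0.5", "Login Failed", "sshd: Failed password for admin"),
    Event(1.5, "10.0.0.5", "Login Failed", "sshd: Failed password for admin"),
    Event(2.0, "10.0.0.5", "Login Failed", "sshd: Failed password for admin"),
    Event(3.0, "10.0.0.6", "Login Failed", "sshd: Failed password for root"),
    Event(4.0, "10.0.0.5", "Login Success", "sshd: Accepted password for admin"),
    Event(15.0, "10.0.0.5", "Login Failed", "sshd: Failed password for admin"),
]

if __name__ == "__main__":
    for rec in coalesce(SAMPLE_EVENTS):
        print(f"{rec.log_source:10} {rec.name:14} count={rec.count} "
              f"first={rec.first_seen} last={rec.last_seen}")
    print("records without coalescing:",
          len(coalesce(SAMPLE_EVENTS, coalescing_enabled=False)))
```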

Related Documentation

• Log Sources Management on page 6

• Viewing the Status of a Log Source on page 6.

• Adding a Log Source on page 7.

• Adding Bulk Log Sources on page 12.

• Editing Bulk Log Sources on page 15.

• Enabling or Disabling a Log Source on page 11.

• Deleting a Log Source on page 17.

Enabling or Disabling a Log Source

Administrators can enable or disable a log source to start or stop event collection. Bulk log sources cannot be enabled or disabled.

You can enable or disable a log source.


To enable or disable a log source:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Select the log source to enable or disable.

4. Click Enable/Disable.

When a log source is enabled, the Enabled column indicates true; when it is disabled, the column indicates false. Disabled log sources do not count against the log source limit assigned to the license. If an administrator cannot enable a log source, the system might have exceeded the log source license limit. Administrators can review the system notifications to determine if the number of log sources exceeds the license limit. When this occurs, administrators can disable low-priority log sources. If extra log source capacity is required, contact your sales representative.

Related Documentation

• Log Sources Management on page 6

• Viewing the Status of a Log Source on page 6.

• Adding a Log Source on page 7

• Editing Log Source on page 9.

• Adding Bulk Log Sources on page 12.

• Editing Bulk Log Sources on page 15.

• Deleting a Log Source on page 17.

Adding Bulk Log Sources

Juniper Secure Analytics supports the ability to add up to 500 Windows-based or Universal DSM log sources in bulk. Bulk log sources share a common configuration and only differ by the IP address.

Table 5 describes the default parameters of the log source configuration. These parameters might differ based on the Log Source Type selected:

Table 5: Bulk Log Source Parameters

Bulk Log Source Name: Type a unique name of the log source.

When you add a bulk log source, a log source group is created with the name you input into this field.

Log Source Type: From the list, select a log source type for your Windows-based log source or Universal DSM log source.


Protocol Configuration: From the list, select the protocol configuration for the log source.

The protocol defines how the system attempts to communicate with the log source. Protocols can either listen for events or they can initiate communication to a log source to collect events. The protocol options that are available for each log source are determined by the Log Source Type.

Juniper Secure Analytics provides step-by-step instructions to configure each log source.

Enabled: Select this check box to enable the log source.

When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility: Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.

Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.

The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.

Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.

When this check box is clear, events are viewed individually and events are not bundled.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload: Select this check box to enable the log source to store the payload information from an event.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language: Select the language of the events that are generated by the log source.

The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.


Log Source Extension: Optional. Select the name of the extension to apply to the log source.

This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:

• Parsing enhancement—Select this option when most fields parse correctly for the log source.

• Parsing override—Select this option when the log source is unable to correctly parse events.

File Upload: Select this option to specify the location of a text file that contains a list of IP addresses or host names to bulk add.

The text file must contain one IP address or host name per line. Extra characters after an IP address, or host names longer than 255 characters, can result in a value being bypassed from the text file. The file upload lists a summary of all IP addresses or host names that were added as the bulk log source.

Domain Query: Select this option to search a domain for hosts to add as bulk log sources. To search a domain, you must add the domain, username, and password before polling the domain for hosts to add. Click Query Domain to search for IP addresses or host names to add to the list.

• Domain Controller—Type the IP address of the domain controller.

• Full Domain Name—Type a valid domain name for your network.

Manual: Select this option to manually add an individual IP address or host name to the host list. Click Add Host to add an IP address or host name to the list.

Add: Clear any values from the Add check box to exclude host names or IP addresses from the list of bulk log sources.

To add a bulk log source:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. From the Actions list, select Bulk Add.

4. Configure the parameters for the log source. Juniper Secure Analytics provides step-by-step instructions to configure each log source.

5. Click Save.

6. Click Continue to add the log sources.

7. On the Admin tab, click Deploy Changes.

The log sources are bulk added and a group is created for your bulk log sources.

Related Documentation

• Log Sources Management on page 6

• Viewing the Status of a Log Source on page 6.


• Adding a Log Source on page 7

• Editing Log Source on page 9.

• Enabling or Disabling a Log Source on page 11.

• Editing Bulk Log Sources on page 15.

• Deleting a Log Source on page 17.

Editing Bulk Log Sources

Administrators can edit a log source in bulk to update the configuration parameters for Windows-based log sources or Universal DSM log sources that were bulk added. The Log Source Type and Protocol Configuration parameters cannot be edited in bulk.

Table 6 on page 15 describes the default parameters of the log source configuration. These parameters might differ based on the Log Source Type selected:

Table 6: Bulk Edit Log Source Parameters

Bulk Log Source Name: Type a unique name of the log source.

When you add a bulk log source, a log source group is created with the name you input into this field.

Enabled: Select this check box to enable the log source.

When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility: Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.

Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.

The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.


Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.

Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.

When this check box is clear, events are viewed individually and events are not bundled.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload: Select this check box to enable the log source to store the payload information from an event.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language: Select the language of the events that are generated by the log source.

The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source.

This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:

• Parsing enhancement—Select this option when most fields parse correctly for the log source.

• Parsing override—Select this option when the log source is unable to correctly parse events.

File Upload: Select this option to specify the location of a text file that contains a list of IP addresses or host names to bulk add.

The text file must contain one IP address or host name per line. Extra characters after an IP address, or host names longer than 255 characters, can result in a value being bypassed from the text file. The file upload lists a summary of all IP addresses or host names that were added as the bulk log source.

Domain Query: Select this option to search a domain for hosts to add as bulk log sources. To search a domain, you must add the domain, username, and password before polling the domain for hosts to add. Click Query Domain to search for IP addresses or host names to add to the list.

• Domain Controller—Type the IP address of the domain controller.

• Full Domain Name—Type a valid domain name for your network.

Manual: Select this option to manually add an individual IP address or host name to the host list. Click Add Host to add an IP address or host name to the list.

Add: Clear any values from the Add check box to exclude host names or IP addresses from the list of bulk log sources.


To edit a bulk log source:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Select a log source.

4. From the Actions list, select Bulk Edit.

5. Configure the parameters for the log source. JSA provides step-by-step instructions to configure each log source.

6. Click Save to update your log source configuration.

7. Click Continue to add the log sources.

8. Optional. On the Admin tab, click Deploy Changes if you added a new IP address or host name to your bulk log source.

The bulk log source is updated.
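A pre-flight check for the File Upload host list that Tables 5 and 6 describe, as an added Python example that is not JSA's own validation. The 255-character limit and the one-entry-per-line rule come from the page; the host name syntax (RFC 1123 labels), the duplicate rule and the sample file are assumptions constructed for the illustration.

```python
"""Pre-flight check for the File Upload host list used by Adding and Editing
Bulk Log Sources (added example, not JSA's own validation).

Tables 5 and 6 state that the text file must contain one IP address or host name
per line, and that extra characters after an IP address, or host names longer
than 255 characters, can cause a value to be bypassed. Running this check before
the upload makes such entries visible instead of silently missing from the bulk
log source group. The 255-character limit comes from the page; the host name
syntax (RFC 1123 labels) and the duplicate rule are assumptions.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

MAX_LEN = 255
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _is_hostname(value: str) -> bool:
    labels = value.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def classify_line(raw: str) -> Tuple[str, str]:
    """Return ('ip' | 'host' | 'invalid', value_or_reason) for one file line."""
    value = raw.strip()
    if not value:
        return "invalid", "empty line"
    if len(value) > MAX_LEN:
        return "invalid", f"longer than {MAX_LEN} characters"
    if _is_ip(value):
        return "ip", value
    if _is_hostname(value):
        return "host", value
    head = value.split()[0]          # the part before the first whitespace
    if _is_ip(head) or _is_hostname(head):
        return "invalid", f"extra characters after {head!r}"
    return "invalid", "not an IP address or host name"


def check_host_list(text: str) -> Tuple[List[str], Dict[int, str]]:
    """Return (accepted, rejected).

    accepted keeps first-seen order with duplicates removed (case-insensitive);
    rejected maps the 1-based line number of each skipped line to the reason.
    """
    accepted: List[str] = []
    seen = set()
    rejected: Dict[int, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        kind, value = classify_line(raw)
        if kind == "invalid":
            rejected[lineno] = value
        elif value.lower() in seen:
            rejected[lineno] = f"duplicate of {value}"
        else:
            seen.add(value.lower())
            accepted.append(value)
    return accepted, rejected


# Constructed sample file: two good entries, a trailing comment, a duplicate,
# a malformed host name and an over-long one.
SAMPLE_FILE = (
    "10.0.0.5\n"
    "dc01.example.internal\n"
    "10.0.0.5 # decommissioned\n"
    "10.0.0.5\n"
    "-bad-host.example.internal\n"
    + "x" * 256 + ".example.internal\n"
)

if __name__ == "__main__":
    ok, bad = check_host_list(SAMPLE_FILE)
    print("will be added:", ok)
    for lineno, reason in bad.items():
        print(f"line {lineno}: {reason}")
```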

Related Documentation

• Log Sources Management on page 6

• Viewing the Status of a Log Source on page 6.

• Adding a Log Source on page 7

• Editing Log Source on page 9.

• Enabling or Disabling a Log Source on page 11.

• Adding Bulk Log Sources on page 12.

• Deleting a Log Source on page 17.

Deleting a Log Source

Administrators can delete a log source. Bulk log sources cannot be enabled or disabled. Administrators can delete unwanted log sources to stop event collection for an external device.

To delete a log source:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Select the log source to delete.

4. Click Delete.

The log source is deleted.

The event data for log sources is still available on your system. However, the data can be more difficult to locate when you attempt to search, because the indexes to the log source are deleted. If you want to retain the log source index reference, you can disable a log source instead of deleting the log source from your system. This enables you to continue to search for events by log source or log source group.

Related Documentation

• Log Sources Management on page 6

• Viewing the Status of a Log Source on page 6.

• Adding a Log Source on page 7

• Editing Log Source on page 9.

• Enabling or Disabling a Log Source on page 11.

• Adding Bulk Log Sources on page 12.

• Editing Bulk Log Sources on page 15.


CHAPTER 3

Managing Protocol Configuration

This chapter describes the following sections:

• Protocol Configuration Overview on page 20

• Configuring the Syslog Protocol on page 20

• Configuring the JDBC Protocol on page 23

• Configuring the JDBC SiteProtector Protocol on page 27

• Configuring the Sophos Enterprise Console JDBC Protocol on page 31

• Configuring the Juniper Networks NSM Protocol on page 36

• Configuring the OPSEC/LEA Protocol on page 38

• Configuring the SDEE Protocol on page 41

• Configuring the SNMPv1 Protocol on page 44

• Configuring the SNMPv2 Protocol on page 46

• Configuring the SNMPv3 Protocol on page 49

• Configuring the Sourcefire Defense Center Estreamer Protocol on page 51

• Configuring the Log File Protocol on page 54

• Configuring the Microsoft Security Event Log Protocol on page 59

• Configuring the Microsoft Security Event Log Custom Protocol on page 62

• Configuring the Microsoft DHCP Protocol on page 65

• Configuring the Microsoft Exchange Protocol on page 68

• Configuring the Microsoft IIS protocol on page 71

• Configuring the SMB Tail Protocol on page 74

• Configuring the EMC VMware Protocol on page 77

• Configuring the Oracle Database Listener Protocol on page 79

• Configuring the Cisco NSEL Protocol on page 82

• Configuring the PCAP Syslog Combination Protocol on page 84

• Configuring the Forwarded Protocol on page 86

• Configuring the TLS Syslog Protocol on page 89

• Configuring the Juniper Security Binary Log Collector Protocol on page 92

• Configuring the UDP Multiline Syslog Protocol on page 94


• Configuring the TCP Multiline Syslog Protocol on page 97

• Configuring the VMware vCloud Director Protocol on page 100

• Configuring the IBM® Tivoli® Endpoint Manager SOAP Protocol on page 102

Protocol Configuration Overview

Log source protocols provide Juniper Secure Analytics (JSA) the ability to receive or actively collect log source events from external sources. Passive protocols listen for events on specific ports, and active protocols use APIs or other communication methods to reach out to external systems to poll and retrieve events.

Before you configure a log source, you must review and understand how the device, appliance, or software sends events to JSA. For detailed protocol information and step-by-step configuration instructions for many devices, see the Juniper Secure Analytics Administration Guide.

To review the protocol configuration parameters for your log source, select the protocol for the device:

Related Documentation

• Configuring the Syslog Protocol on page 20.

• Configuring the JDBC Protocol on page 23.

• Configuring the JDBC - SiteProtector Protocol on page 27.

• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.

• Configuring the Juniper Networks NSM Protocol on page 36.

• Configuring the OPSEC/LEA Protocol on page 38.

Configuring the Syslog Protocol

The Syslog protocol is the most common form of event collection. Juniper Secure Analytics (JSA) can passively listen for Syslog events on TCP or UDP port 514.

Table 7 on page 20 describes the parameters of the Syslog protocol.

Table 7: Syslog Protocol Parameters

Log Source Name: Type a unique name of the log source.

Log Source Description: Optional. Type a description for the log source.

Log Source Type: From the list, select the type of log source to add.


Protocol Configuration: From the list, select Syslog.

The protocol defines how JSA attempts to communicate with the log source. Protocols can either listen for events or they can initiate communication to a log source to collect events. The protocol options that are available for each log source are determined by the Log Source Type.

JSA provides step-by-step instructions to configure each log source.

Log Source Identifier: Type an IPv4 address or host name to identify the log source that created the events.

If the network contains multiple devices that are attached to a management console, administrators can specify the IP address of the individual device that created the event. A unique identifier for each, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.

Enabled: Select this check box to enable the log source.

When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility: Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.

Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.

The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.

Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.

When this check box is clear, events are viewed individually and events are not bundled.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload: Select this check box to enable the log source to store the payload information from an event.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.


Log Source Language: Select the language of the events that are generated by the log source.

The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source.

This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:

• Parsing enhancement—Select this option when most fields parse correctly for the log source.

• Parsing override—Select this option when the log source is unable to correctly parse events.

Groups: Select one or more groups for the log source.

To configure the syslog protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for your log source. JSA provides step-by-step instructions to configure each log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the JDBC Protocol on page 23.

• Configuring the JDBC - SiteProtector Protocol on page 27.

• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.

• Configuring the Juniper Networks NSM Protocol on page 36.

• Configuring the OPSEC/LEA Protocol on page 38.

• Configuring the SDEE Protocol on page 41.

• Configuring the SNMPv1 Protocol on page 44.

• Configuring the SNMPv2 Protocol on page 46.


Configuring the JDBC Protocol

Log sources configured with the Java Database Connectivity (JDBC) protocol can remotely poll databases for events.

The JDBC protocol enables Juniper Secure Analytics (JSA) to collect information from tables or views that contain event data from several database types.
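The Log Source Identifier format, the Compare Field and the Use Prepared Statements parameters that Table 8 describes, as an added Python example that is not JSA's own code. sqlite3 stands in for the database types the table lists; the table name, field names, identifier values and sample rows are assumptions constructed for the illustration.

```python
"""JDBC protocol: Log Source Identifier format, Compare Field and prepared
statements from Table 8 (added example, not JSA's own code).

sqlite3 stands in for the database types the page lists; the table, column
names and sample rows are constructed for the illustration.
"""
import re
import sqlite3
from typing import Any, Dict, List, Optional, Tuple

# Table 8 allows $, #, _, - and . in Table Name; applying the same rule to
# field names is an assumption of this example.
_IDENT = re.compile(r"^[A-Za-z0-9_$#.\-]+$")


def parse_identifier(identifier: str) -> Dict[str, Optional[str]]:
    """Split 'database@hostname' or 'table|database@hostname' into its parts."""
    table: Optional[str] = None
    rest = identifier
    if "|" in rest:
        table, rest = rest.split("|", 1)
    if "@" not in rest:
        raise ValueError("identifier must be database@hostname or table|database@hostname")
    database, hostname = rest.split("@", 1)
    if not database or not hostname:
        raise ValueError("database and hostname are both required")
    return {"table": table, "database": database, "hostname": hostname}


def identifier_mismatches(identifier: str, database_name: str,
                          ip_or_hostname: str, table_name: str) -> List[str]:
    """Names of the fields that disagree with the identifier (empty when consistent).

    Table 8 requires the database name to match Database Name, the hostname to
    match IP or Hostname and, when present, the table to match Table Name.
    """
    parts = parse_identifier(identifier)
    problems = []
    if parts["database"] != database_name:
        problems.append("Database Name")
    if parts["hostname"] != ip_or_hostname:
        problems.append("IP or Hostname")
    if parts["table"] is not None and parts["table"] != table_name:
        problems.append("Table Name")
    return problems


def is_safe_identifier(name: str) -> bool:
    return bool(_IDENT.match(name))


def _quote(name: str) -> str:
    """Table and column names cannot be bound as parameters, so they are
    validated against the allowed character set and then quoted."""
    if not is_safe_identifier(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return '"' + name + '"'


def poll(conn: sqlite3.Connection, table_name: str, select_list: str,
         compare_field: str, last_value: Any) -> Tuple[List[Dict[str, Any]], Any]:
    """One polling cycle: rows whose Compare Field is beyond the last value seen.

    The SQL text is fixed and the high-water mark travels as a bound parameter,
    which is what Use Prepared Statements gives you: the statement is compiled
    once and the value can never be interpreted as SQL. The new high-water mark
    is returned so the caller can pass it to the next cycle.
    """
    wanted = [f.strip() for f in select_list.split(",")]
    if wanted == ["*"]:
        fields = "*"
    else:
        if compare_field not in wanted:
            raise ValueError("Select List must contain the Compare Field")
        fields = ", ".join(_quote(f) for f in wanted)
    sql = (f"SELECT {fields} FROM {_quote(table_name)} "
           f"WHERE {_quote(compare_field)} > ? ORDER BY {_quote(compare_field)}")
    rows = [dict(r) for r in conn.execute(sql, (last_value,)).fetchall()]
    new_last = rows[-1][compare_field] if rows else last_value
    return rows, new_last


def sample_database() -> sqlite3.Connection:
    """Constructed event table standing in for the remote database."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE security_events "
                 "(id INTEGER PRIMARY KEY, event_time TEXT, message TEXT)")
    conn.executemany("INSERT INTO security_events VALUES (?, ?, ?)", [
        (1, "2017-01-04T10:00:00Z", "user alice logged in"),
        (2, "2017-01-04T10:00:05Z", "user bob failed login"),
        (3, "2017-01-04T10:00:09Z", "user bob failed login"),
    ])
    return conn


if __name__ == "__main__":
    db = sample_database()
    print(parse_identifier("security_events|auditdb@db01.example.internal"))
    rows, mark = poll(db, "security_events", "id, event_time, message", "id", 0)
    print(len(rows), "rows on first poll, high-water mark", mark)
    db.execute("INSERT INTO security_events VALUES (4, '2017-01-04T10:01:00Z', 'user bob locked')")
    rows, mark = poll(db, "security_events", "*", "id", mark)
    print(len(rows), "new row on second poll, high-water mark", mark)
```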

Table 8 on page 23 describes the parameters of the JDBC protocol.

Table 8: JDBC Protocol Parameters

Description / Parameter

Type a unique name of the log source.

Log Source Name

Optional. Type a description for the log source.

Log Source Description

From the list, select the type of log source to add.

Log Source Type

From the list, select JDBC.

Protocol Configuration

Type the log source identifier in one of the following formats:

• database@hostname

• table name|database@hostname

The database name must match the value of the Database Name parameter. The database name is a required parameter.

The hostname is the hostname or IP address of the device that hosts the database. The hostname must match the parameter in the IP or Hostname field. The hostname is a required parameter.

Optional. The table name is the name of the table or view on the database that contains the event records. If you define the name of a table or view, you must include a pipe ( | ) character as a separator. The name of the view or table must match the Table Name field.

Log Source Identifier

From the list box, select the type of database that contains the events.

Database Type

Type the name of the database to which the protocol can connect. The database name must match the database name specified in the Log Source Identifier field.

Database Name

Type the IP address or hostname of the database server.

IP or Hostname


Type the port number used by the database server. The default displayed depends on the selected Database Type. The valid range is 0 to 65536. The defaults include:

• MSDE–1433

• Postgres–5432

• MySQL–3306

• Sybase–1521

• Oracle–1521

• Informix–9088

The JDBC port must match the listen port configured on the remote database. The database must permit incoming TCP connections.

If a Database Instance is used with the MSDE database type, administrators must leave the Port parameter blank in the log source configuration.

Port

Type the database username. The username can be up to 255 alphanumeric characters in length and can include underscore (_) characters.

To track database access for audit purposes, administrators can create a specific user on the database for JSA.

Username

Type the database password. The password can be up to 255 characters in length.

Password

Confirm the password to access the database.

Confirm Password

Type a domain for the database.

A domain must be configured for MSDE databases that are within a Windows domain. If your network does not use a domain, leave this field blank.

Authentication Domain

Type the database instance, if required. MSDE databases can include multiple SQL server instances on one server.

When a non-standard port is used for the database or administrators have blocked access to port 1434 for SQL database resolution, the Database Instance parameter must be blank in the log source configuration.

Database Instance

Predefined Query: Optional. Select a predefined database query for the log source. If a predefined query is not available for the log source type, administrators can select none.

Table Name: Type the name of the table or view that includes the event records.

The table name can include the following special characters: dollar sign ( $ ), number sign ( # ), underscore ( _ ), en dash ( - ), and period ( . ).

Select List: Type the list of fields to include when the table is polled for events. Administrators can use a comma-separated list or type * to select all fields from the table or view.

If a comma-separated list is defined, the list must contain the field defined in the Compare Field.


Compare Field: Type a numeric value or timestamp field from the table or view that can identify new events added between queries to the table.

This field enables the protocol to identify events that were previously polled by the protocol to ensure that duplicate events are not created.

Use Prepared Statements: Select this check box to use prepared statements.

Prepared statements enable the JDBC protocol source to set up the SQL statement, and then execute the SQL statement numerous times with different parameters. For security and performance reasons, most JDBC protocol configurations can use prepared statements.

Clear this check box to use an alternative method of querying that does not use precompiled statements.

Start Date and Time: Optional. Configure a start date and time for when the protocol can start to poll the database.

If a start time is not defined, the protocol attempts to poll for events after the log source configuration is saved and deployed.

Polling Interval: Type the polling interval, which is the amount of time between queries to the database. The default polling interval is 10 seconds.

Administrators can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values without an H or M designator poll in seconds.

EPS Throttle: Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The default value is 20000 EPS.

Use Named Pipe Communication: If MSDE is configured as the database type, administrators can select this check box to use an alternative method to a TCP/IP port connection.

Named pipe connections for MSDE databases require the username and password field to use a Windows authentication username and password and not the database username and password. The log source configuration must use the default named pipe on the MSDE database.

Database Cluster Name: If the Use Named Pipe Communication check box is selected, the Database Cluster Name parameter is displayed.

If you use your SQL server in a cluster environment, define the cluster name to ensure that named pipe communications function properly.

Use NTLMv2: Select the Use NTLMv2 check box to force MSDE connections to use the NTLMv2 protocol when communicating with SQL servers that require NTLMv2 authentication. The default value of the check box is selected.

The Use NTLMv2 check box does not interrupt communications for MSDE connections that do not require NTLMv2 authentication.

Use SSL: Select this check box to enable SSL encryption for the JDBC protocol.

Enabled: Select this check box to enable the log source.

When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.


Credibility: Select the credibility of the log source. The range is 0 (lowest) – 10 (highest). The default credibility is 5.

Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.

The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.

Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.

When this check box is clear, events are viewed individually and events are not bundled.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload: Select this check box to enable the log source to store the payload information from an event.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language: Select the language of the events that are generated by the log source.

The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source.

This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:

• Parsing enhancement—Select this option when most fields parse correctly for the log source.

• Parsing override—Select this option when the log source is unable to correctly parse events.

Groups: Select one or more groups for the log source.
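The identifier format, naming limits, Select List rule, MSDE instance/port rule and polling interval syntax stated in Table 8 can be checked before a configuration is saved and deployed. The following is an added example in Python, not code from the guide or from JSA; the configuration keys, function names and the sample host and table names are assumptions made here.

```python
"""Consistency checks for a JSA JDBC log source configuration (Table 8).

Added example, not code from the Juniper guide or the JSA product. It encodes
the rules the table states for the Log Source Identifier, Table Name, Username,
Password, Select List, Port / Database Instance and Polling Interval fields.
The config keys, function names and sample values are assumptions made here.
"""
import re

# "database@hostname" or "table name|database@hostname"
IDENTIFIER_RE = re.compile(
    r"^(?:(?P<table>[^|@]+)\|)?(?P<database>[^|@]+)@(?P<host>[^|@]+)$")
# letters and digits plus the special characters the Table Name row allows
TABLE_NAME_RE = re.compile(r"^[A-Za-z0-9$#_\-.]+$")
# up to 255 alphanumeric or underscore characters
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,255}$")
MAX_POLL_SECONDS = 7 * 24 * 3600  # "maximum polling interval is 1 week"
DEFAULT_PORTS = {"MSDE": 1433, "Postgres": 5432, "MySQL": 3306,
                 "Sybase": 1521, "Oracle": 1521, "Informix": 9088}


def parse_identifier(identifier):
    """Return (table, database, host); table is None when no pipe is present."""
    m = IDENTIFIER_RE.match(identifier.strip())
    if not m:
        raise ValueError(f"malformed log source identifier: {identifier!r}")
    return m.group("table"), m.group("database"), m.group("host")


def polling_interval_seconds(value):
    """'10' -> 10, '15M' -> 900, '2H' -> 7200; bare numbers poll in seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([HMhm]?)\s*", value)
    if not m:
        raise ValueError(f"malformed polling interval: {value!r}")
    seconds = int(m.group(1)) * {"": 1, "M": 60, "H": 3600}[m.group(2).upper()]
    if seconds > MAX_POLL_SECONDS:
        raise ValueError("polling interval exceeds the 1 week maximum")
    return seconds


def effective_port(cfg):
    """A blank Port falls back to the default for the selected Database Type."""
    port = str(cfg.get("port", "")).strip()
    return int(port) if port else DEFAULT_PORTS[cfg["database_type"]]


def check_jdbc_config(cfg):
    """Return the list of rule violations; an empty list means the fields agree."""
    problems = []
    try:
        table, database, host = parse_identifier(cfg["log_source_identifier"])
    except ValueError as exc:
        return [str(exc)]
    # The identifier must agree with Database Name, IP or Hostname and Table Name.
    if database != cfg["database_name"]:
        problems.append("database in identifier does not match Database Name")
    if host != cfg["ip_or_hostname"]:
        problems.append("hostname in identifier does not match IP or Hostname")
    if table is not None and table != cfg["table_name"]:
        problems.append("table in identifier does not match Table Name")
    if not TABLE_NAME_RE.match(cfg["table_name"]):
        problems.append("Table Name may only contain letters, digits and $ # _ - .")
    if not USERNAME_RE.match(cfg["username"]):
        problems.append("Username must be 1 to 255 alphanumeric or underscore characters")
    if len(cfg["password"]) > 255:
        problems.append("Password exceeds 255 characters")
    # A comma-separated Select List must contain the Compare Field.
    select = cfg["select_list"].strip()
    if select != "*":
        fields = [f.strip() for f in select.split(",")]
        if cfg["compare_field"] not in fields:
            problems.append("Select List must contain the Compare Field")
    # With MSDE, a Database Instance and an explicit Port are mutually exclusive.
    if cfg["database_type"] == "MSDE" and cfg.get("database_instance") and cfg.get("port"):
        problems.append("Port must be blank when a Database Instance is used with MSDE")
    if cfg.get("use_named_pipe") and cfg["database_type"] != "MSDE":
        problems.append("Use Named Pipe Communication applies only to the MSDE database type")
    try:
        polling_interval_seconds(cfg["polling_interval"])
    except ValueError as exc:
        problems.append(str(exc))
    return problems


# Constructed sample configuration (placeholder host and names, not a real system).
SAMPLE_CONFIG = {
    "log_source_identifier": "AuditEvents|SecurityDB@db.example.internal",
    "database_type": "MSDE",
    "database_name": "SecurityDB",
    "ip_or_hostname": "db.example.internal",
    "port": "",
    "database_instance": "SQLEXPRESS",
    "username": "jsa_reader",
    "password": "placeholder-password",
    "table_name": "AuditEvents",
    "select_list": "EventID, EventTime, Message",
    "compare_field": "EventID",
    "polling_interval": "5M",
    "use_named_pipe": False,
}

if __name__ == "__main__":
    print(check_jdbc_config(SAMPLE_CONFIG) or "configuration is consistent")
```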


To configure the JDBC protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for the log source. The JSA provides step-by-step instructions to configure each log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the Syslog Protocol on page 20.

• Configuring the JDBC - SiteProtector Protocol on page 27.

• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.

• Configuring the Juniper Networks NSM Protocol on page 36.

• Configuring the OPSEC/LEA Protocol on page 38.

Configuring the JDBC SiteProtector Protocol

Log sources configured with the Java Database Connectivity (JDBC) SiteProtector protocol can remotely poll IBM Proventia Management SiteProtector databases for events.

The JDBC - SiteProtector protocol combines information from the SensorData1 and SensorDataAVP1 tables in the creation of the log source payload. The SensorData1 and SensorDataAVP1 tables are located in the IBM Proventia Management SiteProtector database. The maximum number of rows that the JDBC - SiteProtector protocol can poll in a single query is 30,000 rows.

Table 9 on page 27 describes the parameters of the JDBC - SiteProtector protocol.

Table 9: JDBC - SiteProtector Protocol Parameters

Log Source Name: Type a unique name of the log source.

Log Source Description: Optional. Type a description for the log source.

Log Source Type: From the list, select the type of log source to add.

Protocol Configuration: From the list, select JDBC - SiteProtector.


Log Source Identifier: Type the log source identifier in one of the following formats:

• database@hostname

• table name|database@hostname

The database name must match the value of the Database Name parameter. The database name is a required parameter.

The hostname is the hostname or IP address for the device that hosts the database. The hostname must match the parameter in the IP or Hostname field. The hostname is a required parameter.

Optional. The table name is the name of the table or view on the database that contains the event records. If you define the name of a table or view, you must include a pipe (|) character as a separator. The name of the view or table must match the Table Name field.

Database Type: From the list box, select MSDE as the type of database to use for the event source.

Database Name: Type RealSecureDB as the name of the database to which the protocol can connect.

IP or Hostname: Type the IP address or hostname of the database server.

Port: Type the port number used by the database server. The default displayed depends on the selected Database Type. The valid range is 0 to 65536. The defaults include:

• MSDE–1433

• Postgres–5432

• MySQL–3306

• Sybase–1521

• Oracle–1521

• Informix–9088

The JDBC SiteProtector configuration port must match the listener port of the database. The database must have incoming TCP connections enabled.

If you define a Database Instance with MSDE as the database type, you must leave the Port parameter blank in your log source configuration.

Username: Type the database username. The username can be up to 255 alphanumeric characters in length and can include underscores (_).

If you want to track access to a database by the JDBC protocol, you can create a specific user for your JSA system.

Password: Type the database password. The password can be up to 255 characters in length.

Confirm Password: Confirm the password to access the database.

Authentication Domain: If you select MSDE and the database is configured for Windows, you must define a Windows domain.

If your network does not use a domain, leave this field blank.


Database Instance: If you select MSDE and you have multiple SQL server instances on one server, define the instance to which you want to connect.

If you use a non-standard port in your database configuration, or have blocked access to port 1434 for SQL database resolution, you must leave the Database Instance parameter blank in your configuration.

Predefined Query: From the list, select a predefined database query for your log source. Predefined database queries are only available for special log source connections.

Table Name: Type SensorData1.

AVP View Name: Type SensorDataAVP.

Response View Name: Type SensorDataResponse.

Select List: Type * to include all fields from the table or view.

Compare Field: Type SensorDataRowID to identify new events added between queries to the table.

Use Prepared Statements: Select this check box to use prepared statements.

Prepared statements allow the JDBC protocol source to set up the SQL statement, and then execute the SQL statement numerous times with different parameters. For security and performance reasons, we recommend that you use prepared statements.

Clear this check box to use an alternative method of querying that does not use pre-compiled statements.

Include Audit Events: Select this check box to collect audit events from IBM SiteProtector.

By default, this check box is clear.

Start Date and Time: Optional. Configure a start date and time for when the protocol can start to poll the database.

Polling Interval: Type the polling interval, which is the amount of time between queries to the event table. The default polling interval is 10 seconds.

Administrators can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values without an H or M designator poll in seconds.

EPS Throttle: Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The default value is 20000 EPS.

Use Named Pipe Communication: If you select MSDE as the database type, select the check box to use an alternative method to a TCP/IP port connection.

When administrators use a Named Pipe connection, the username and password must be the appropriate Windows authentication username and password and not the database username and password. The log source configuration must use the default named pipe.


Database Cluster Name: If the Use Named Pipe Communication check box is selected, the Database Cluster Name parameter is displayed.

Type the cluster name to ensure that named pipe communications function properly.

Use NTLMv2: Select the Use NTLMv2 check box to force MSDE connections to use the NTLMv2 protocol when communicating with SQL servers that require NTLMv2 authentication. The default value of the check box is selected.

The Use NTLMv2 check box does not interrupt communications for MSDE connections that do not require NTLMv2 authentication.

Use SSL: Select this check box to enable SSL encryption for the JDBC protocol.

Enabled: Select this check box to enable the log source.

When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility: Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.

Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.

The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.

Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.

When this check box is clear, events are viewed individually and events are not bundled.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload: Select this check box to enable the log source to store the payload information from an event.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.


Log Source Language: Select the language of the events that are generated by the log source.

The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source.

This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:

• Parsing enhancement—Select this option when most fields parse correctly for the log source.

• Parsing override—Select this option when the log source is unable to correctly parse events.

Groups: Select one or more groups for the log source.

To configure the JDBC - SiteProtector protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for your log source. The JSA provides step-by-step instructions to configure each log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the Syslog Protocol on page 20.

• Configuring the JDBC Protocol on page 23.

• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.

• Configuring the Juniper Networks NSM Protocol on page 36.

• Configuring the OPSEC/LEA Protocol on page 38.

• Configuring the SDEE Protocol on page 41.

Configuring the Sophos Enterprise Console JDBC Protocol

Sophos Enterprise console JDBC protocol can poll Sophos Enterprise consoles for events.

The Sophos Enterprise console JDBC protocol combines payload information from application control logs, device control logs, data control logs, tamper protection logs, and firewall logs in the vEvents Common Data table to provide events to Juniper Secure Analytics (JSA). If the Sophos Enterprise console does not have the Sophos Reporting Interface, administrators can use the standard JDBC protocol to collect antivirus events.

Detailed configuration steps for Sophos Enterprise consoles are provided in the JSA.

Table 10 on page 32 describes the parameters of the Sophos Enterprise console JDBC protocol.

Table 10: Sophos Enterprise Console JDBC Protocol Parameters

Log Source Name: Type a unique name of the log source.

Log Source Description: Optional. Type a description for the log source.

Log Source Type: From the list, select the type of log source to add.

Protocol Configuration: From the list, select Sophos Enterprise console JDBC.

Log Source Identifier: Type the log source identifier in one of the following formats:

• database@hostname

• table name|database@hostname

The database name must match the value of the Database Name parameter. The database name is a required parameter.

The hostname is the host name or IP address for the device that hosts the database. The hostname must match the parameter in the IP or Hostname field. The host name is a required parameter.

Optional. The table name is the name of the table or view on the database that contains the event records. If you define the name of a table or view, you must include a pipe ( | ) character as a separator. The name of the view or table must match the Table Name field.

Database Type: From the list box, select MSDE.

Database Name: Type the name of the Sophos database.

The database name must match the database name that is specified in the Log Source Identifier field.

IP or Hostname: Type the IP address or host name of the database server.

Port: Type the port number that is used by the database server. The default port for MSDE in Sophos Enterprise console is 1168. The JDBC configuration port must match the listener port of the Sophos database. The Sophos database must have incoming TCP connections enabled to communicate with JSA.

If a Database Instance is used with the MSDE database type, administrators must leave the Port parameter blank in the log source configuration.

Username: Type the database user name. The user name can be up to 255 alphanumeric characters in length and can include underscore (_) characters.


Password: Type the database password that is required to access the database.

Confirm Password: Confirm the password to access the database.

Authentication Domain: Type a domain for the database.

A domain must be configured for MSDE databases that are within a Windows domain. If your network does not use a domain, leave this field blank.

Database Instance: Type the database instance, if required. MSDE databases can include multiple SQL server instances on one server.

When a non-standard port is used for the database or administrators block access to port 1434 for SQL database resolution, the Database Instance parameter must be blank.

Table Name: Type vEventsCommonData as the name of the table or view that includes the event records.

The table name can include the following special characters: dollar sign ( $ ), number sign ( # ), underscore ( _ ), en dash ( - ), and period ( . ).

Select List: Type * for all fields from the table or view.

Compare Field: Type InsertedAt to identify new events added between queries to the database table.

Use Prepared Statements: Select this check box to use prepared statements.

Prepared statements enable the protocol source to set up the SQL statement, and then execute the SQL statement numerous times with different parameters. For security and performance reasons, most configurations can use prepared statements.

Clear this check box to use an alternative method of querying that does not use precompiled statements.

Start Date and Time: Optional. Configure a start date and time for when the protocol can start to poll the database.

If a start time is not defined, the protocol attempts to poll for events after the log source configuration is saved and deployed.

Polling Interval: Type the polling interval, which is the amount of time between queries to the database. The default polling interval is 10 seconds.

Administrators can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values without an H or M designator poll in seconds.

EPS Throttle: Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The default value is 20000 EPS.


Use Named Pipe Communication: If MSDE is configured as the database type, administrators can select this check box to use an alternative method to a TCP/IP port connection.

Named pipe connections for MSDE databases require the username and password field to use a Windows authentication username and password and not the database username and password. The log source configuration must use the default named pipe on the MSDE database.

Database Cluster Name: If the Use Named Pipe Communication check box is selected, the Database Cluster Name parameter is displayed.

If you use your SQL server in a cluster environment, define the cluster name to ensure that named pipe communications function properly.

Use NTLMv2: Select the Use NTLMv2 check box to force MSDE connections to use the NTLMv2 protocol when communicating with SQL servers that require NTLMv2 authentication. The default value of the check box is selected.

The Use NTLMv2 check box does not interrupt communications for MSDE connections that do not require NTLMv2 authentication.

Use SSL: Select this check box to enable SSL encryption for the protocol.

Enabled: Select this check box to enable the log source.

When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility: Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.

Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.

The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.

Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.

When this check box is clear, events are viewed individually and events are not bundled.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.


Store Event Payload: Select this check box to enable the log source to store the payload information from an event.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language: Select the language of the events that are generated by the log source.

The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source.

This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:

• Parsing enhancement—Select this option when most fields parse correctly for the log source.

• Parsing override—Select this option when the log source is unable to correctly parse events.


Groups: Select one or more groups for the log source.
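How a prepared statement combined with the Compare Field keeps repeated polls from delivering the same rows twice, as an added example that is not part of the guide or of JSA; it covers the Use Prepared Statements, Select List and Compare Field rows of Table 8 and Table 10. SQLite stands in for the MSDE server, and the vEventsCommonData columns below are constructed placeholders, not the real Sophos schema.

```python
"""Incremental polling with a prepared statement and a Compare Field.

Added example, not the JSA protocol's own code: it models what the Use
Prepared Statements, Select List and Compare Field rows of Tables 8 and 10
describe. SQLite stands in for the MSDE server, and the vEventsCommonData
table below is a constructed stand-in whose columns are placeholders, not
the real Sophos schema.
"""
import re
import sqlite3

# Character set the Table Name row allows; reused for field names here.
IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9$#_\-.]+$")


def quote_identifier(name):
    """Table and field names cannot be bound as statement parameters, so a
    name taken from the configuration is checked against the allowed
    character set and quoted rather than pasted into the SQL text unchecked."""
    if not IDENTIFIER_RE.match(name):
        raise ValueError(f"identifier not allowed: {name!r}")
    return '"' + name + '"'


def build_poll_statement(table, select_list, compare_field):
    """One SQL text that is prepared once; per poll only the bound values
    (last Compare Field value, row limit) change."""
    if select_list.strip() == "*":
        fields = "*"
    else:
        fields = ", ".join(quote_identifier(f.strip()) for f in select_list.split(","))
    cmp = quote_identifier(compare_field)
    return (f"SELECT {fields} FROM {quote_identifier(table)} "
            f"WHERE {cmp} > ? ORDER BY {cmp} ASC LIMIT ?")


def poll_once(conn, statement, compare_field, last_seen, limit=30000):
    """Fetch rows newer than last_seen and return (rows, new_last_seen).
    Rows at or below last_seen were delivered by an earlier poll and are not
    produced again, which is how duplicate events are avoided. With a
    timestamp Compare Field, a row inserted later with exactly the last_seen
    value is skipped by the '>' test; a monotonic row id has no such gap."""
    rows = conn.execute(statement, (last_seen, limit)).fetchall()
    if rows:
        last_seen = rows[-1][compare_field]
    return rows, last_seen


def run_demo():
    """Three polls against a constructed event table; returns rows per poll."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row  # rows addressable by column name
    conn.execute("CREATE TABLE vEventsCommonData "
                 "(InsertedAt TEXT, EventType TEXT, Name TEXT)")
    constructed = [  # constructed sample rows, not real Sophos events
        ("2017-01-04T10:00:00", "Firewall", "Blocked inbound connection"),
        ("2017-01-04T10:00:05", "DeviceControl", "USB storage device blocked"),
        ("2017-01-04T10:00:09", "TamperProtection", "Service stop attempt denied"),
    ]
    conn.executemany("INSERT INTO vEventsCommonData VALUES (?, ?, ?)", constructed)

    stmt = build_poll_statement("vEventsCommonData", "*", "InsertedAt")
    last_seen = "2017-01-01T00:00:00"  # stands in for Start Date and Time
    counts = []

    rows, last_seen = poll_once(conn, stmt, "InsertedAt", last_seen)
    counts.append(len(rows))  # first poll: all three rows
    rows, last_seen = poll_once(conn, stmt, "InsertedAt", last_seen)
    counts.append(len(rows))  # nothing new, so nothing is re-delivered
    conn.executemany("INSERT INTO vEventsCommonData VALUES (?, ?, ?)", [
        ("2017-01-04T10:01:00", "ApplicationControl", "Blocked application launch"),
        ("2017-01-04T10:01:30", "DataControl", "File transfer blocked"),
    ])
    rows, last_seen = poll_once(conn, stmt, "InsertedAt", last_seen)
    counts.append(len(rows))  # only the two rows added since the last poll
    return counts


if __name__ == "__main__":
    print(run_demo())  # [3, 0, 2]
```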

To configure the Sophos Enterprise console JDBC protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for the log source. The JSA provides step-by-step instructions to configure each log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the Syslog Protocol on page 20.

• Configuring the JDBC Protocol on page 23.

• Configuring the JDBC - SiteProtector Protocol on page 27.

• Configuring the Juniper Networks NSM Protocol on page 36.


• Configuring the OPSEC/LEA Protocol on page 38.

• Configuring the SDEE Protocol on page 41.

Configuring the Juniper Networks NSM Protocol

The Juniper Networks Network and Security Manager Protocol (NSM protocol) can poll Sophos Enterprise consoles for events.

The Juniper Networks Network and Security Manager protocol can accept Juniper Networks NSM and Juniper Networks Secure Service Gateway (SSG) logs. Detailed configuration steps are provided in the Juniper Secure Analytics (JSA).

Table 11: Juniper Networks NSM Protocol Parameters

Log Source Name: Type a unique name of the log source.

Log Source Description: Optional. Type a description for the log source.

Log Source Type: From the list, select Juniper Networks Network and Security Manager.

Protocol Configuration: From the list, select Juniper NSM.

Log Source Identifier: Type an IP address, host name, or unique name to identify the log source.

IP: Type the IP address or host name of the Juniper Networks NSM server.

Inbound Port: Type the inbound port to which the Juniper Networks NSM sends events.

The valid range is 0 to 65536. The default is 514.

Redirect Listen Port: Type the port to which traffic is forwarded. The default is 516.

Use NSM Address for Log Source: Select this check box to use the Juniper NSM management server IP address instead of the log source IP address. By default, the check box is selected.

Enabled: Select this check box to enable the log source.

When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility: Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.

Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.


Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.

The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.

Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.

When this check box is clear, events are viewed individually and events are not bundled.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Select this check box to enable the log source to store the payload information from an event.

Newandautomatically discovered log sources inherit the valueof this checkbox fromtheSystemSettings configuration on the Admin tab. Administrators can use this check box to override thedefault behavior of the system settings for an individual log source.

Store Event Payload

Select the language of the events that are generated by the log source.

The log source language helps the system parse events from external appliances or operatingsystems that can create events in multiple languages.

Log Source Language

Optional. Select the name of the extension to apply to the log source.

This parameter is available after a log source extension is uploaded. Log source extensions areXML files that contain regular expressions, which can override or repair the event parsing of adevice support module (DSM).

Log Source Extension

From the list box, select the use condition for the log source extension. The options include:

• Parsing enhancement—Select this option whenmost fields parse correctly for the log source.

• Parsing override—Select this option when the log source is unable to correctly parse events.

Extension Use Condition

Select one or more groups for the log source.Groups

To configure the Juniper Networks NSM protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for the log source. The JSA provides step-by-step instructions to configure each log source.


5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the Syslog Protocol on page 20.

• Configuring the JDBC Protocol on page 23.

• Configuring the JDBC - SiteProtector Protocol on page 27.

• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.

• Configuring the OPSEC/LEA Protocol on page 38.

• Configuring the SDEE Protocol on page 41.

Configuring the OPSEC/LEA Protocol

The OPSEC/LEA protocol continuously polls for event data on port 18184.

Detailed configuration steps for each log source type are provided in Juniper Secure Analytics (JSA).

Table 12: OPSEC/LEA Protocol Parameters

Log Source Name: Type a unique name of the log source.

Log Source Description: Optional. Type a description for the log source.

Log Source Type: From the list, select a log source type.

Protocol Configuration: From the list, select OPSEC/LEA.

Log Source Identifier: Type an IP address, host name, or unique name to identify the log source.

Server IP: Type the IP address or host name of the Juniper Networks NSM server.

Server Port: Type the port used for OPSEC/LEA communication. The valid range is 0 to 65536.
    Administrators must verify that JSA can communicate on port 18184, the port used by the OPSEC/LEA protocol.

Use Server IP for Log Source: Select this check box if you want to use the LEA server's IP address instead of the managed device's IP address for a log source.
    By default, the check box is selected.

Statistics Report Interval: Type the interval, in seconds, during which the number of syslog events is recorded in the qradar.log file.
    The valid range is 4 to 2,147,483,648.

Authentication Type: From the list box, select the authentication type you want to use for this LEA configuration. The type selected must match the authentication method used by the server. The options include sslca, sslca_clear, or clear.

OPSEC Application Object SIC Attribute (SIC Name): Type the Secure Internal Communications (SIC) name of the OPSEC Application Object. The SIC name is the distinguished name (DN) of the application, for example: CN=LEA,o=fwconsole..7psasx. The name can be up to 255 characters in length and is case sensitive.

Log Source SIC Attribute (Entity SIC Name): Type the SIC name of the server, for example: cn=cp_mgmt,o=fwconsole..7psasx. The name can be up to 255 characters in length and is case sensitive.

Specify Certificate: Select this check box to define a certificate for this LEA configuration.
    JSA attempts to retrieve the certificate with these parameters when the certificate is required.

Certificate Filename: Type the directory path of the certificate you want to use for this configuration. This option only appears if Specify Certificate is selected.

Certificate Authority IP: Type the IP address of the server that contains the certificate.

Pull Certificate Password: Type the password to use to request the certificate.

OPSEC Application: Type the name of the application that makes the certificate request.

Enabled: Select this check box to enable the log source.
    When this check box is clear, the log source does not collect events and the log source does not count against the log source limit in the license.

Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.
    Credibility is a representation of the integrity or validity of events created by a log source. The credibility value assigned to a log source can increase or decrease based on incoming events, or can be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
    The target event collector enables administrators to poll and process events on the target event collector instead of on the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.
    Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events give administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
    When this check box is clear, events are viewed individually and are not bundled.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload: Select this check box to enable the log source to store the payload information from an event.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language: Select the language of the events that are generated by the log source.
    The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source.
    This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
    • Parsing enhancement—Select this option when most fields parse correctly for the log source.
    • Parsing override—Select this option when the log source is unable to correctly parse events.

Groups: Select one or more groups for the log source.

To configure the OPSEC/LEA protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for the log source. The JSA provides step-by-step instructions to configure each log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the Syslog Protocol on page 20.

• Configuring the JDBC Protocol on page 23.

• Configuring the JDBC - SiteProtector Protocol on page 27.

• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.

• Configuring the Juniper Networks NSM Protocol on page 36.

• Configuring the SDEE Protocol on page 41.

Configuring the SDEE Protocol

The Security Device Event Exchange (SDEE) protocol enables Juniper Secure Analytics (JSA) to use subscriptions to collect events from appliances that use SDEE servers.

Detailed configuration steps for each log source type are provided in the JSA.


Table 13: SDEE Protocol Parameters

Log Source Name: Type a unique name of the log source.

Log Source Description: Optional. Type a description for the log source.

Log Source Type: From the list, select a log source type.

Protocol Configuration: From the list, select SDEE.

Log Source Identifier: Type an IP address, host name, or name to identify the SDEE event source.
    IP addresses or host names are suggested because they identify a unique value for the event source.

URL: Type the HTTP or HTTPS URL required to access the log source.
    For example, https://www.mysdeeserver.com/cgi-bin/sdee-server. The options include:
    • Administrators with SDEE/CIDEE (Cisco IDS v5.x and above): the URL must end with /cgi-bin/sdee-server.
    • Administrators with RDEP (Cisco IDS v4.x): the URL must end with /cgi-bin/event-server.

Username: Type the username required to access the URL.

Password: Type the password required to access the URL.

Events / Query: Type the maximum number of events to retrieve per query.
    The valid range is 0 to 501 and the default is 100.

Force Subscription: Select this check box to force a new SDEE subscription.
    When the check box is selected, the protocol forces the server to drop the least active connection and accept a new SDEE subscription connection for the log source.
    Clearing the check box continues with any existing SDEE subscription.

Severity Filter: Select a check box for each severity level the log source can subscribe to and collect with the log source.
    • Informational
    • Low
    • Medium
    • High

Event Filter: Select a check box for each event type the log source can subscribe to and collect with the log source.
    • Alerts
    • Status
    • Errors

Event Collection Interval: Type the time interval, in seconds, that sets how frequently the subscription collects events.

Connection Retry On Failure: Type the time interval, in seconds, that the subscription must wait before another subscription is attempted.

Maximum Wait To Block For Events: Type the interval, in seconds, that sets the length of the event block.
    When a collection request is made and no new events are available, the protocol enables an event block. The block prevents another event request from being made to a remote device that did not have any new events. This timeout is intended to conserve system resources.

Enabled: Select this check box to enable the log source.
    When this check box is clear, the log source does not collect events and the log source does not count against the log source limit in the license.

Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.
    Credibility is a representation of the integrity or validity of events created by a log source. The credibility value assigned to a log source can increase or decrease based on incoming events, or can be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
    The target event collector enables administrators to poll and process events on the target event collector instead of on the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.
    Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events give administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
    When this check box is clear, events are viewed individually and are not bundled.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload: Select this check box to enable the log source to store the payload information from an event.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language: Select the language of the events that are generated by the log source.
    The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source.
    This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
    • Parsing enhancement—Select this option when most fields parse correctly for the log source.
    • Parsing override—Select this option when the log source is unable to correctly parse events.

Groups: Select one or more groups for the log source.

To configure the SDEE protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for your log source. The JSA provides step-by-step instructions to configure each log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the Syslog Protocol on page 20.

• Configuring the JDBC Protocol on page 23.

• Configuring the JDBC - SiteProtector Protocol on page 27.

• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.

• Configuring the Juniper Networks NSM Protocol on page 36.

• Configuring the OPSEC/LEA Protocol on page 38.

• Configuring the SNMPv1 Protocol on page 44.

Configuring the SNMPv1 Protocol

The SNMPv1 protocol provides log sources the ability to receive SNMPv1 events.

Table 14 on page 44 describes the parameters of the SNMPv1 protocol.

Table 14: SNMPv1 Protocol Parameters

Log Source Name: Type a unique name of the log source.

Log Source Description: Optional. Type a description for the log source.

Log Source Type: From the list, select the type of log source to add.

Protocol Configuration: From the list, select SNMPv1.

Log Source Identifier: Type an IPv4 address or host name to identify the log source that created the events.
    If the network contains devices that are attached to a management console, administrators can specify the IP address of the individual device that created the event. A unique identifier for each device, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.

Enabled: Select this check box to enable the log source.
    When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.
    Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or can be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
    The target event collector enables administrators to poll and process events on the target event collector instead of on the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.
    Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events give administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
    When this check box is clear, events are viewed individually and are not bundled.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload: Select this check box to enable the log source to store the payload information from an event.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language: Select the language of the events that are generated by the log source.
    The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source.
    This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
    • Parsing enhancement—Select this option when most fields parse correctly for the log source.
    • Parsing override—Select this option when the log source is unable to correctly parse events.

Groups: Select one or more groups for the log source.

To configure the SNMPv1 protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for the log source. The JSA provides step-by-step instructions to configure each log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the Syslog Protocol on page 20.

• Configuring the JDBC Protocol on page 23.

• Configuring the JDBC - SiteProtector Protocol on page 27.

• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.

• Configuring the Juniper Networks NSM Protocol on page 36.

• Configuring the OPSEC/LEA Protocol on page 38.

Configuring the SNMPv2 Protocol

The SNMPv2 protocol provides log sources the ability to receive SNMPv2 events.

Table 15 on page 47 describes the parameters of the SNMPv2 protocol.

Table 15: SNMPv2 Protocol Parameters

Log Source Name: Type a unique name of the log source.

Log Source Description: Optional. Type a description for the log source.

Log Source Type: From the list, select the type of log source to add.

Protocol Configuration: From the list, select SNMPv2.

Log Source Identifier: Type an IPv4 address or host name to identify the log source that created the events.
    If the network contains devices that are attached to a management console, administrators can specify the IP address of the individual device that created the event. A unique identifier for each device, such as an IP address, prevents searches from identifying the management console as the source for all of the events.

Community: Type the SNMP community name required to access the system containing SNMP events. The default is Public.

Include OIDs in Event Payload: This option allows the SNMP event payload to be constructed using name-value pairs instead of the standard event payload format.
    Including OIDs in the event payload is required for processing SNMPv2 or SNMPv3 events when you select specific log sources from the Log Source Types list. For more information, see the JSA.

Enabled: Select this check box to enable the log source.
    When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.
    Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or can be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
    The target event collector enables administrators to poll and process events on the target event collector instead of on the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.
    Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events give administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
    When this check box is clear, events are viewed individually and are not bundled.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload: Select this check box to enable the log source to store the payload information from an event.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language: Select the language of the events that are generated by the log source.
    The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source.
    This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
    • Parsing enhancement—Select this option when most fields parse correctly for the log source.
    • Parsing override—Select this option when the log source is unable to correctly parse events.

Groups: Select one or more groups for the log source.

To configure the SNMPv2 protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for your log source. The Juniper Secure Analytics Configuring DSMs Guide provides step-by-step instructions to configure each log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the Syslog Protocol on page 20.

• Configuring the JDBC Protocol on page 23.

• Configuring the JDBC - SiteProtector Protocol on page 27.

• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.

• Configuring the Juniper Networks NSM Protocol on page 36.

• Configuring the OPSEC/LEA Protocol on page 38.

Configuring the SNMPv3 Protocol

The SNMPv3 protocol provides log sources the ability to receive SNMPv3 events.

Table 16 on page 49 describes the parameters of the SNMPv3 protocol.

Table 16: SNMPv3 Protocol Parameters

Log Source Name: Type a unique name of the log source.

Log Source Description: Optional. Type a description for the log source.

Log Source Type: From the list, select the type of log source to add.

Protocol Configuration: From the list, select SNMPv3.

Log Source Identifier: Type an IPv4 address or host name to identify the log source that created the events.
    If the network contains devices that are attached to a management console, administrators can specify the IP address of the individual device that created the event. A unique identifier for each device, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.

Authentication Protocol: From the list, select the algorithm you want to use to authenticate SNMP traps. The options include:
    • MD5
    • SHA

Authentication Password: Type the password you want to use to authenticate SNMP.
    The password can be up to 64 characters in length.
    NOTE: Your authentication password must include a minimum of 8 characters.

Decryption Protocol: From the list box, select the protocol you want to use to decrypt SNMP traps. The default is AES256.

Decryption Password: Type the password used to decrypt SNMP traps. The password can be up to 64 characters in length.

User: Type the user access for this protocol. The default is AdminUser.
    The username can be up to 255 characters in length.

Include OIDs in Event Payload: This option allows the SNMP event payload to be constructed using name-value pairs instead of the standard event payload format.
    Including OIDs in the event payload is required for processing SNMPv2 or SNMPv3 events when you select specific log sources from the Log Source Types list. For more information, see the JSA.

Enabled: Select this check box to enable the log source.
    When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.
    Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or can be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
    The target event collector enables administrators to poll and process events on the target event collector instead of on the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.
    Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events give administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
    When this check box is clear, events are viewed individually and are not bundled.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload: Select this check box to enable the log source to store the payload information from an event.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language: Select the language of the events that are generated by the log source.
    The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source.
    This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
    • Parsing enhancement—Select this option when most fields parse correctly for the log source.
    • Parsing override—Select this option when the log source is unable to correctly parse events.

Groups: Select one or more groups for the log source.

To configure the SNMPv3 protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for your log source. The JSA provides step-by-step instructions to configure each log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the Syslog Protocol on page 20.

• Configuring the JDBC Protocol on page 23.

• Configuring the JDBC - SiteProtector Protocol on page 27.

• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.

• Configuring the Juniper Networks NSM Protocol on page 36.

• Configuring the OPSEC/LEA Protocol on page 38.

Configuring the Sourcefire Defense Center Estreamer Protocol

The Sourcefire Defense Center Estreamer protocol enables Juniper Secure Analytics (JSA) to receive streaming event data from a Sourcefire Defense Center Estreamer (Event Streamer) service.

Event files are streamed to JSA to be processed after the Sourcefire Defense Center DSM is configured. Detailed configuration steps for Sourcefire Defense Center are provided in the JSA.


Chapter 3: Managing Protocol Configuration

Table 17: Sourcefire Defense Center Estreamer Protocol Parameters

Log Source Name: Type a unique name of the log source.

Log Source Description: Optional. Type a description for the log source.

Log Source Type: From the list, select a log source type.

Protocol Configuration: From the list, select Sourcefire Defense Center Estreamer.

Log Source Identifier: Type an IP address, host name, or name to identify the Sourcefire Defense Center event source.

IP addresses or host names are suggested as they identify a unique value for the event source.

Server Address: Type the IP address or hostname of the Sourcefire Defense Center device.

Server Port: Type the port number JSA uses to receive Sourcefire Defense Center Estreamer events. The default is 8302.

Keystore Filename: Type the directory path and file name for the keystore private key and associated certificate.

By default, the import script creates the keystore file in the following directory: /opt/qradar/conf/estreamer.keystore.

Truststore Filename: Type the directory path and file name for the truststore files.

The truststore file contains the certificates trusted by the client.

By default, the import script creates the truststore file in the following directory: /opt/qradar/conf/estreamer.truststore.

Enabled: Select this check box to enable the log source.

When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility: Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.

Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.

The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.


Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.

Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.

When this check box is clear, events are viewed individually and events are not bundled.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload: Select this check box to enable the log source to store the payload information from an event.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language: Select the language of the events that are generated by the log source.

The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source.

This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:

• Parsing enhancement—Select this option when most fields parse correctly for the log source.

• Parsing override—Select this option when the log source is unable to correctly parse events.

Groups: Select one or more groups for the log source.

To configure the Sourcefire Defense Center Estreamer protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for the log source. The JSA provides step-by-step instructions to configure each log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the Syslog Protocol on page 20.


• Configuring the JDBC Protocol on page 23.

• Configuring the JDBC - SiteProtector Protocol on page 27.

• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.

• Configuring the Juniper Networks NSM Protocol on page 36.

• Configuring the OPSEC/LEA Protocol on page 38.

• Configuring the SDEE Protocol on page 41.

Configuring the Log File Protocol

The log file protocol retrieves event files from hosts to process events that are stored in remote locations.

The log file protocol is intended for systems that write daily event logs. It is not appropriate to use the log file protocol for devices that append information to their event files.

Log files are retrieved one at a time to be processed. The log file protocol can manage plain text, compressed files, or file archives. Archives must contain plain-text files that can be processed one line at a time. When the log file protocol downloads an event file, the information received in the file updates the Log Activity tab. If more information is written to the file after the download is complete, the appended information is not processed.

Table 18: Log File Protocol Parameters

Log Source Name: Type a unique name of the log source.

Log Source Description: Optional. Type a description for the log source.

Log Source Type: From the list, select the type of log source to add.

Protocol Configuration: From the list, select Log File.

Log Source Identifier: Type an IPv4 address or host name to identify the log source that created the events.

If the remote source contains multiple devices, such as a file repository, administrators must specify the IP address of the device that created the event.

Unique identifiers ensure that events are associated with the correct device in the network, instead of identifying the event for the management console or file repository.


Service Type: From the list box, select the protocol to use when retrieving log files from a remote server. The options include:

• SFTP—Secure file transfer protocol

• FTP—File transfer protocol

• SCP—Secure copy protocol

The default is SFTP.

The server that is specified in the Remote IP or Hostname field must have the SFTP subsystem enabled to retrieve log files with SCP or SFTP.

Remote IP or Hostname: Type the IP address or host name of the device that contains the event log files.

Remote Port: Type the port that is used to communicate with the remote host. The valid range is 1 – 65535. The options include:

• FTP – TCP Port 21

• SFTP – TCP Port 22

• SCP – TCP Port 22

If the remote host uses a non-standard port number, administrators must adjust the port value to retrieve events.

Remote User: Type the user name necessary to log in to the host that contains the event files.

Remote Password: Type the password necessary to log in to the host.

Confirm Password: Confirm the password necessary to log in to the host.

SSH Key File: Type the path to the SSH key, if the system is configured to use key authentication.

When an SSH key file is used, the Remote Password field is ignored.

Remote Directory: Type the directory location on the remote host from which the files are retrieved. The directory path is relative to the user account that is used to log in.

NOTE: For FTP only. If the log files are in the remote user's home directory, you can leave the remote directory blank. A blank remote directory field supports systems where the change working directory (CWD) command is restricted.

Recursive: Select this check box to enable the file pattern to search sub folders. By default, the check box is clear.

This option is ignored for SCP file transfers.

FTP File Pattern: Type the regular expression (regex) required to identify the files to download from the remote host. All files that match the regular expression are included in the download.

This field applies to SFTP or FTP file transfers.

SCP Remote File: For SCP file transfers, type the name of the file on the remote host.


FTP Transfer Mode: From the list box, select the transfer mode for the log source:

• Binary—Select this option for log sources that require binary data files or compressed archive files.

• ASCII—Select ASCII for log sources that require an ASCII FTP file transfer.

Administrators must select NONE in the Processor field and LINEBYLINE in the Event Generator field for ASCII transfers over FTP.

Start Time: Type the time of day for the log source to start the file import.

This parameter functions with the Recurrence value to establish when and how often the Remote Directory is scanned for files.

Recurrence: Type a time interval to determine how frequently the remote directory is scanned for new event log files. The minimum value is 15 minutes.

The time interval can include values in hours (H), minutes (M), or days (D). For example, a recurrence of 2H scans the remote directory every 2 hours.

Run On Save: Select this check box to start the log file import immediately after the administrator saves the log source.

After the first file import, the log file protocol follows the start time and recurrence schedule that is defined by the administrator.

When selected, this check box clears the list of previously downloaded and processed files.

EPS Throttle: Type the number of Events Per Second (EPS) that the protocol cannot exceed.

The valid range is 100 – 5000.

Processor: If the files on the remote host are stored in an archive format, select the processor that is required to un-compress the event log.

Ignore Previously Processed File(s): Select this check box to track files that were processed by the log source.

This option prevents duplicate events from files that are processed a second time.

This check box applies to FTP and SFTP file transfers.

Change Local Directory?: Select this check box to define the local directory on the Target Event Collector to store event logs before they are processed.

Administrators can leave this check box clear for most configurations.

Local Directory: Type the local directory on the Target Event Collector. This option is used with the Change Local Directory field.

The directory must exist before the log file protocol attempts to retrieve events.


Event Generator: From the Event Generator list box, select one of the following options:

• LineByLine—Each line of the file is processed as a single event. For example, if a file has 10 lines of text, 10 separate events are created.

• HPTandem—The file is processed as an HP Tandem NonStop binary audit log. Each record in the log file (whether primary or secondary) is converted into text and processed as a single event. HP Tandem audit logs use the following file name pattern: [aA]\d{7}.

• WebSphere Application Server—Processes event logs for WebSphere Application Server. The remote directory must define the file path that is configured in the DSM.

• W3C—Processes log files from sources that use the W3C format. The header of the log file identifies the order and data that is contained in each line of the file.

• Fair Warning—Processes log files from Fair Warning devices that protect patient identity and medical information. The remote directory must define the file path to the event logs that are generated by the Fair Warning device.

• DPI Subscriber Data—The file is processed as a DPI statistic log produced by a Juniper Networks MX router. The header of the file identifies the order and data that is contained in each line of the file. Each line in the file after the header is formatted to a tab-delimited name=value pair event.

• SAP Audit Logs—Processes files for SAP Audit Logs to keep a record of security-related events in SAP systems. Each line of the file is formatted to be processed.

• Oracle BEA WebLogic—Processes files for Oracle BEA WebLogic application log files. Each line of the file is formatted to be processed.

• Juniper SBR—Processes event log files from Juniper Steel-Belted RADIUS. Each line of the file is formatted to be processed.

• ID-Linked Multiline—Processes multiline event logs that contain a common value at the start of each line in a multiline event message. This option uses regular expressions to identify and reassemble the multiline event into a single event payload.

File Encoding: From the list box, select the character encoding that is used by the events in your log file.

Folder Separator: Type the character that is used to separate folders for your operating system. The default value is /.

Most configurations can use the default value in the Folder Separator field.

This field is intended for operating systems that use a different character to define separate folders. For example, periods that separate folders on mainframe systems.

Enabled: Select this check box to enable the log source.

When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility: Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.

Credibility is a representation of the integrity or validity of events created by a log source. The credibility value assigned to a log source can increase or decrease based on incoming events or be adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.


Target Event Collector: Select the Event Collector to use as the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.

This enables administrators to poll and process events on the target event collector, instead of the console appliance. This can improve performance in distributed deployments.

When an administrator verifies firewall ports between JSA and the remote database, the firewall must allow communication between the target event collector and the remote database.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.

Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.

When this check box is clear, the events are displayed individually and the information is not bundled.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload: Select this check box to enable the log source to store the payload information from an event.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language: Select the language of the events generated by the log source.

The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source.

This parameter is only available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:

• Parsing enhancement—Select this option when most fields parse correctly for the log source.

• Parsing override—Select this option when the log source is unable to correctly parse events.

Groups: Select one or more groups for the log source.
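The Table 18 parameters interact in ways that are easy to get wrong: ASCII transfers over FTP need Processor NONE and Event Generator LINEBYLINE, Recurrence has a 15-minute floor, EPS Throttle and Remote Port have fixed ranges, SCP uses SCP Remote File instead of FTP File Pattern, and Remote Directory may be blank only for FTP. The following Python is an added example, not JSA code: it parses Recurrence values, models which remote files the FTP File Pattern selects, and checks a parameter set against those rules. The parameter names are the table's; the configuration dicts and the remote listing are constructed, and matching the regex against the whole file name is an assumption.

```python
import re
from datetime import datetime, timedelta

# Limits and defaults stated in Table 18 (Log File Protocol Parameters).
MIN_RECURRENCE = timedelta(minutes=15)
EPS_MIN, EPS_MAX = 100, 5000
DEFAULT_PORTS = {"FTP": 21, "SFTP": 22, "SCP": 22}

_RECURRENCE_RE = re.compile(r"^(\d+)\s*([HMDhmd])$")


def parse_recurrence(value):
    """Turn a Recurrence value such as '2H', '30M' or '1D' into a timedelta.
    Raises ValueError for unknown syntax or an interval below the 15-minute minimum."""
    match = _RECURRENCE_RE.match(value.strip())
    if not match:
        raise ValueError(f"unrecognised recurrence {value!r}; expected e.g. 2H, 30M or 1D")
    count, unit = int(match.group(1)), match.group(2).upper()
    delta = {"H": timedelta(hours=count),
             "M": timedelta(minutes=count),
             "D": timedelta(days=count)}[unit]
    if delta < MIN_RECURRENCE:
        raise ValueError(f"recurrence {value!r} is below the 15-minute minimum")
    return delta


def scan_times(start_time, recurrence, count):
    """The first `count` times the Remote Directory is scanned, from Start Time onward."""
    step = parse_recurrence(recurrence)
    return [start_time + i * step for i in range(count)]


def select_files(listing, file_pattern, recursive, processed, separator="/"):
    """Apply the FTP File Pattern to a remote listing (paths relative to Remote Directory).
    Sub-folders are searched only when Recursive is set, and paths in `processed` are
    skipped, as 'Ignore Previously Processed File(s)' does. Assumption: the whole file
    name must match the regex; the guide does not say whether a partial match counts."""
    regex = re.compile(file_pattern)
    picked = []
    for path in listing:
        if not recursive and separator in path:
            continue
        name = path.rsplit(separator, 1)[-1]
        if regex.fullmatch(name) and path not in processed:
            picked.append(path)
    return picked


def validate_log_file_config(cfg):
    """Check a Log File protocol parameter set (dict keyed by the Table 18 parameter
    names) against the rules in the table. Returns a list of problems; [] means consistent."""
    problems = []
    service = cfg.get("Service Type", "SFTP")          # SFTP is the default
    if service not in DEFAULT_PORTS:
        problems.append(f"Service Type must be SFTP, FTP or SCP, not {service!r}")
    port = cfg.get("Remote Port", DEFAULT_PORTS.get(service, 22))
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("Remote Port must be in the range 1 - 65535")
    if service == "SCP":
        if not cfg.get("SCP Remote File"):
            problems.append("SCP transfers need SCP Remote File; FTP File Pattern is not used")
    elif not cfg.get("FTP File Pattern"):
        problems.append("FTP and SFTP transfers need an FTP File Pattern regex")
    if not cfg.get("Remote Directory") and service != "FTP":
        problems.append("Remote Directory may be left blank for FTP only")
    if service == "FTP" and cfg.get("FTP Transfer Mode") == "ASCII":
        generator = str(cfg.get("Event Generator", "")).upper()
        if cfg.get("Processor", "NONE") != "NONE" or generator != "LINEBYLINE":
            problems.append("ASCII transfers over FTP require Processor NONE and "
                            "Event Generator LINEBYLINE")
    try:
        parse_recurrence(cfg.get("Recurrence", "1H"))
    except ValueError as exc:
        problems.append(str(exc))
    eps = cfg.get("EPS Throttle", EPS_MAX)
    if not EPS_MIN <= eps <= EPS_MAX:
        problems.append(f"EPS Throttle must be between {EPS_MIN} and {EPS_MAX}")
    if cfg.get("Change Local Directory?") and not cfg.get("Local Directory"):
        problems.append("Change Local Directory? is selected but Local Directory is empty")
    return problems


# Constructed sample parameter sets (not taken from the guide).
GOOD_CONFIG = {"Service Type": "SFTP", "Remote Port": 22, "Remote Directory": "/var/log/app",
               "FTP File Pattern": r".*\.log", "Recurrence": "2H", "EPS Throttle": 1000,
               "Event Generator": "LineByLine"}
BAD_CONFIG = {"Service Type": "FTP", "Remote Port": 21, "Remote Directory": "",
              "FTP File Pattern": r".*\.log", "FTP Transfer Mode": "ASCII",
              "Processor": "GZIP", "Event Generator": "LineByLine",
              "Recurrence": "5M", "EPS Throttle": 9000}
# Constructed remote listing: two matching logs (one in a sub-folder) and a non-log file.
SAMPLE_LISTING = ["audit.log", "old/audit.log", "notes.txt"]

if __name__ == "__main__":
    print(scan_times(datetime(2017, 1, 4, 0, 0), "2H", 3))
    print(select_files(SAMPLE_LISTING, r".*\.log", recursive=True, processed=set()))
    print(validate_log_file_config(GOOD_CONFIG), validate_log_file_config(BAD_CONFIG))
```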

To configure the log file protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.


4. Configure the parameters for the log source. The JSA provides step-by-step instructions to configure each log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the Syslog Protocol on page 20.

• Configuring the JDBC Protocol on page 23.

• Configuring the JDBC - SiteProtector Protocol on page 27.

• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.

• Configuring the Juniper Networks NSM Protocol on page 36.

• Configuring the OPSEC/LEA Protocol on page 38.

Configuring the Microsoft Security Event Log Protocol

The Microsoft Security Event Log protocol provides remote agentless Windows event log collection for Windows with the Microsoft Windows Management Instrumentation (WMI) API.

The WMI API is a Microsoft technology that is used to communicate and exchange information between operating systems. This API requires that firewall configurations accept incoming external communications on port 135 and any dynamic ports that are required for DCOM. The following log source limitations apply when administrators deploy the Microsoft Security Event Log protocol in your environment:

• Systems that exceed 50 events per second (eps) can exceed the capabilities of this protocol. WinCollect can be used for systems that exceed 50 eps.

• A Juniper Secure Analytics (JSA) all-in-one installation can support up to 250 log sources with the Microsoft Security Event Log protocol.

• Dedicated Event Collectors can support up to 500 log sources with the Microsoft Security Event Log protocol.

The Microsoft Security Event Log protocol is not suggested for remote servers that are accessed over network links with high round-trip delay times, such as satellite or slow WAN networks. Round-trip delay can be confirmed by examining the request and response time of a ping to the server. Network delays that are created by slow connections decrease the EPS throughput available to those remote servers. In addition, event collection from busy servers or Domain Controllers relies on low round-trip delay times to keep up with incoming events. If it is not possible to decrease your network round-trip delay time, administrators can use WinCollect to process Windows events.

The Microsoft Security Event Log protocol supports the following software versions with the Microsoft Windows Management Instrumentation (WMI) API:


• Microsoft Windows 2000

• Microsoft Windows Server 2003

• Microsoft Windows Server 2008 (all versions)

• Microsoft Windows XP

• Microsoft Windows Vista

• Microsoft Windows 7

Table 19: Microsoft Security Event Log Protocol Parameters

Log Source Name: Type a unique name of the log source.

Log Source Description: Optional. Type a description for the log source.

Log Source Type: From the list, select a log source type.

Protocol Configuration: From the list, select Windows Security Event Log.

Log Source Identifier: Type the IP address or host name of the Windows host.

The log source identifier must be unique for the log source type.

Domain: Optional. Type the domain that is required for the server.

Username: Type the user name that is required to access the Windows host.

Password: Type the password that is required to access the Windows host.

Confirm Password: Confirm the password that is required to access the server.

Standard Log Types: Select a check box for each log type to monitor. At least one check box must be selected.

• Security

• System

• Application

• DNS Server

• File Replication Service

• Directory Service

Event Types: Select a check box for each event type to monitor. At least one check box must be selected.

• Informational

• Warning

• Error

• Success Audit

• Failure Audit


Enabled: Select this check box to enable the log source.

When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility: Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.

Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.

This enables administrators to poll and process events on the target event collector, instead of the console appliance. This can improve performance in distributed deployments.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.

Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.

When this check box is clear, the events are displayed individually and the information is not bundled.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload: Select this check box to enable the log source to store the payload information from an event.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language: Select the language of the events generated by the log source.

The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source.

This parameter is only available after you upload a log source extension to JSA. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:

• Parsing enhancement—Select this option when most fields parse correctly for your log source.

• Parsing override—Select this option when the log source is unable to correctly parse events.


Groups: Select one or more groups for the log source.
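To apply the limits stated above before adding Windows hosts (50 eps per host, 250 log sources on an all-in-one installation or 500 on a dedicated Event Collector, and the advice to move hosts behind high round-trip links to WinCollect), here is an added Python example that is not part of JSA. It estimates EPS from a constructed event sample and sorts hosts between the WMI-based protocol and WinCollect; the round-trip threshold is a caller-chosen assumption because the guide gives no number for it.

```python
from datetime import datetime

# Limits stated in the guide for the Microsoft Security Event Log (WMI) protocol.
MAX_EPS_PER_HOST = 50                       # above this, the guide points to WinCollect
MAX_SOURCES = {"all-in-one": 250, "dedicated-event-collector": 500}

# Constructed sample: one event per line, timestamp first (not a real Windows export).
SAMPLE_EVENTS = [
    "2017-01-04 10:00:00 Security 4624 logon",
    "2017-01-04 10:00:02 Security 4634 logoff",
    "2017-01-04 10:00:03 System 7036 service state",
    "2017-01-04 10:00:07 Security 4624 logon",
    "2017-01-04 10:00:10 Application 1000 app error",
]


def events_per_second(timestamps):
    """Average EPS over the span covered by a list of datetimes from one host."""
    if len(timestamps) < 2:
        return 0.0
    span = (max(timestamps) - min(timestamps)).total_seconds()
    return len(timestamps) / span if span > 0 else float("inf")


def eps_from_sample(lines):
    """EPS of a sampled export whose lines start with 'YYYY-MM-DD HH:MM:SS'."""
    stamps = [datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S") for line in lines]
    return events_per_second(stamps)


def plan_wmi_collection(hosts, deployment, rtt_limit_ms=None):
    """Sort Windows hosts into those the WMI protocol can serve and those for WinCollect.

    hosts: {hostname: {"eps": float, "rtt_ms": float}} (rtt_ms optional).
    deployment: "all-in-one" (250 sources) or "dedicated-event-collector" (500 sources).
    rtt_limit_ms: the guide gives no numeric round-trip threshold, so this is a
    caller-chosen value (assumption), e.g. taken from ping measurements; None skips it."""
    if deployment not in MAX_SOURCES:
        raise ValueError(f"unknown deployment {deployment!r}")
    wmi, wincollect, reasons = [], [], {}
    for name, info in hosts.items():
        if info["eps"] > MAX_EPS_PER_HOST:
            reasons[name] = f"{info['eps']} eps exceeds {MAX_EPS_PER_HOST} eps"
        elif rtt_limit_ms is not None and info.get("rtt_ms", 0) > rtt_limit_ms:
            reasons[name] = f"round-trip {info['rtt_ms']} ms exceeds {rtt_limit_ms} ms"
        if name in reasons:
            wincollect.append(name)
        else:
            wmi.append(name)
    return {
        "wmi": sorted(wmi),
        "wincollect": sorted(wincollect),
        "reasons": reasons,
        # True when more hosts stay on WMI than this deployment type supports
        "over_limit": len(wmi) > MAX_SOURCES[deployment],
    }


if __name__ == "__main__":
    # Constructed inventory: a busy domain controller, a file server, a remote branch host.
    inventory = {"dc01": {"eps": 120, "rtt_ms": 2}, "fs01": {"eps": 12, "rtt_ms": 3},
                 "branch-srv": {"eps": 5, "rtt_ms": 600}}
    print(eps_from_sample(SAMPLE_EVENTS))
    print(plan_wmi_collection(inventory, "all-in-one", rtt_limit_ms=200))
```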

To configure the Microsoft Security Event Log protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for your log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the Syslog Protocol on page 20.

• Configuring the JDBC Protocol on page 23.

• Configuring the JDBC - SiteProtector Protocol on page 27.

• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.

• Configuring the Juniper Networks NSM Protocol on page 36.

• Configuring the OPSEC/LEA Protocol on page 38.

Configuring the Microsoft Security Event Log Custom Protocol

The Microsoft Security Event Log protocol provides remote agentless Windows event log collection for customized event logs with the Microsoft (WMI) API.

The WMI API is a Microsoft technology that is used to communicate and exchange information between operating systems. This API requires that firewall configurations accept incoming external communications on port 135 and any dynamic ports that are required for DCOM. The following log source limitations apply when administrators deploy the Microsoft Security Event Log Custom protocol in your environment:

• Systems that exceed 50 events per second (eps) can exceed the capabilities of this protocol. WinCollect can be used for systems that exceed 50 eps.

• A Juniper Secure Analytics (JSA) all-in-one installation can support up to 250 log sources with the Microsoft Security Event Log Custom protocol.

• Dedicated Event Collectors can support up to 500 log sources with the Microsoft Security Event Log Custom protocol.

The Microsoft Security Event Log protocol is not suggested for remote servers that are accessed over network links with high round-trip delay times, such as satellite or slow WAN networks. Round-trip delay can be confirmed by examining the request and response time of a ping to the server. Network delays that are created by slow connections decrease the EPS throughput available to those remote servers. In addition, event collection from busy servers or Domain Controllers relies on low round-trip delay times to keep up with incoming events. If it is not possible to decrease your network round-trip delay time, administrators can use WinCollect to process Windows events.

The Microsoft Security Event Log protocol supports the following software versions with the Microsoft Windows Management Instrumentation (WMI) API:

• Microsoft Windows 2000

• Microsoft Windows Server 2003

• Microsoft Windows Server 2008 (all versions)

• Microsoft Windows XP

• Microsoft Windows Vista

• Microsoft Windows 7

Table 20: Microsoft Security Event Log Protocol Parameters

Log Source Name: Type a unique name of the log source.

Log Source Description: Optional. Type a description for the log source.

Log Source Type: From the list, select a log source type.

Protocol Configuration: From the list, select Windows Security Event Log.

Log Source Identifier: Type the IP address or host name of the Windows host.

The log source identifier must be unique for the log source type.

Domain: Optional. Type the domain that is required for the server.

Username: Type the user name that is required to access the Windows host.

Password: Type the password that is required to access the Windows host.

Confirm Password: Confirm the password that is required to access the server.

Monitored Event Logs: Type the name of the custom event log.


Event Types: Select a check box for each event type to monitor. At least one check box must be selected:

• Informational

• Warning

• Error

• Success Audit

• Failure Audit

Enabled: Select this check box to enable the log source.

When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility: Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.

Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.

This option enables administrators to poll and process events on the target event collector, instead of the console appliance. This can improve performance in distributed deployments.

Store Event Payload: Select this check box to enable the log source to store the payload information from an event.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language: Select the language of the events generated by the log source.

The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source.

This parameter is only available after you upload a log source extension to JSA. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:

• Parsing enhancement—Select this option when most fields parse correctly for your log source.

• Parsing override—Select this option when the log source is unable to correctly parse events.

Groups: Select one or more groups for the log source.

Copyright © 2017, Juniper Networks, Inc.64

Juniper Secure Analytics Log Sources Users Guide

To configure the Microsoft Security Event Log custom protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for your log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the Syslog Protocol on page 20.

• Configuring the JDBC Protocol on page 23.

• Configuring the JDBC - SiteProtector Protocol on page 27.

• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.

• Configuring the Juniper Networks NSM Protocol on page 36.

• Configuring the OPSEC/LEA Protocol on page 38.

Configuring the Microsoft DHCP Protocol

The Microsoft DHCP protocol supports a single connection to a Microsoft DHCP server to remotely collect events.

The Microsoft authentication protocol NTLMv2 is not supported by the Microsoft DHCP protocol.

Folder paths that contain an administrative share (C$) require NetBIOS privileges on the administrative share (C$) to read the log files. Local or domain administrators have sufficient privileges to access log files on administrative shares.

Fields for the Microsoft DHCP protocol that support file paths allow administrators to define a drive letter with the path information. For example, the field can contain c$\LogFiles\ for an administrative share, or LogFiles\ for a public share folder path, but not c:\LogFiles.

Detailed configuration steps for Microsoft DHCP are provided in the Juniper Secure Analytics (JSA).

Table 21: Microsoft DHCP Protocol Parameters

Log Source Name
  Type a unique name of the log source.

Log Source Description
  Optional. Type a description for the log source.

Log Source Type
  From the list, select a log source type.

Protocol Configuration
  From the list, select Microsoft DHCP.

Log Source Identifier
  Type an IP address, host name, or name to identify the Microsoft DHCP server.

  The log source identifier must be unique for the log source type.

Domain
  Optional. Type the domain that is required to access the Microsoft DHCP server.

Username
  Type the user name that is required to access the Microsoft DHCP server.

Password
  Type the password that is required to access the Microsoft DHCP server.

Confirm Password
  Confirm the password that is required to access the Microsoft DHCP server.

Folder Path
  Type the directory path to access the DHCP log files.

  The default is \WINDOWS\system32\dhcp\.

File Pattern
  Type the regular expression (regex) to identify and download the event logs.

  The log files must contain a three-character abbreviation for a day of the week.

  The available file patterns are:

  • IPv4 file pattern - DhcpSrvLog-(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\.log
  • IPv6 file pattern - DhcpV6SrvLog-(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\.log

  All files that match the file pattern are processed.

Recursive
  Select this check box if you want the file pattern to search sub folders. By default, the check box is selected.

Polling Interval (seconds)
  Type the polling interval, which is the number of seconds between queries to the log files to check for new data.

  The minimum polling interval is 10 seconds, with a maximum polling interval of 3,600 seconds.

Throttle Events/Second
  Type the maximum number of events the DHCP protocol can forward per second.

  The minimum value is 100 EPS and the maximum value is 20,000 EPS.

Enabled
  Select this check box to enable the log source.

  When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.

  Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.

  This option enables administrators to poll and process events on the target event collector instead of the console appliance. This can improve performance in distributed deployments.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events.

  Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.

  When this check box is clear, the events are displayed individually and the information is not bundled.

  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event.

  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events generated by the log source.

  The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source.

  This parameter is only available after you upload a log source extension to JSA. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:

  • Parsing enhancement—Select this option when most fields parse correctly for your log source.
  • Parsing override—Select this option when the log source is unable to correctly parse events.

Groups
  Select one or more groups for the log source.

To configure the Microsoft DHCP protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for your log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the Syslog Protocol on page 20.

• Configuring the JDBC Protocol on page 23.

• Configuring the JDBC - SiteProtector Protocol on page 27.

• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.

• Configuring the Juniper Networks NSM Protocol on page 36.

• Configuring the OPSEC/LEA Protocol on page 38.

Configuring the Microsoft Exchange Protocol

The Microsoft Windows Exchange protocol supports SMTP, OWA, and message tracking logs for Microsoft Exchange 2007 and 2010.

The Microsoft Exchange protocol does not support Microsoft Exchange 2003 or the Microsoft authentication protocol NTLMv2 Session.

Folder paths that contain an administrative share (C$) require NetBIOS privileges on the administrative share (C$) to read the log files. Local or domain administrators have sufficient privileges to access log files on administrative shares.

Fields for the Microsoft Exchange protocol that support file paths allow administrators to define a drive letter with the path information. For example, the field can contain c$\LogFiles\ for an administrative share, or LogFiles\ for a public share folder path, but not c:\LogFiles.

Detailed configuration steps for Microsoft Exchange are provided in the Juniper Secure Analytics (JSA).

Table 22: Microsoft Exchange Protocol Parameters

Log Source Name
  Type a unique name of the log source.

Log Source Description
  Optional. Type a description for the log source.

Log Source Type
  From the list, select a log source type.

Protocol Configuration
  From the list, select Microsoft Exchange.

Log Source Identifier
  Type an IP address, host name, or name to identify the Windows Exchange event source.

  The log source identifier must be unique for the log source type.

Domain
  Optional. Type the domain that is required to access the Microsoft Exchange server.

Username
  Type the user name that is required to access the Microsoft Exchange server.

Password
  Type the password that is required to access the Microsoft Exchange server.

Confirm Password
  Confirm the password that is required to access the Microsoft Exchange server.

SMTP Log Folder Path
  Type the directory path to access the SMTP log files.

  The default is Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\.

  When the folder path is clear, SMTP event collection is disabled.

OWA Log Folder Path
  Type the directory path to access the OWA log files.

  The default is Windows\system32\LogFiles\W3SVC1.

  When the folder path is clear, OWA event collection is disabled.

MSGTRK Log Folder Path
  Type the directory path to access the message tracking log files.

  The default is Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking\.

  Message tracking is available on Microsoft Exchange 2007 or 2010 servers that are assigned the Hub Transport, Mailbox, or Edge Transport server role.

File Pattern
  Type the regular expression (regex) to identify and download the event logs. The default file pattern is .*\.(?:log|LOG)

  All files that match the regex pattern are processed.

Force File Read
  Select this check box to force the protocol to read the log file. By default, the check box is selected. If the check box is clear, the log file is read only when JSA detects a change in the modified time or file size.

Recursive
  Select this check box if you want the file pattern to search sub folders. By default, the check box is selected.

Polling Interval (seconds)
  Type the polling interval, which is the number of seconds between queries to the log files to check for new data.

  The minimum polling interval is 10 seconds, with a maximum polling interval of 3,600 seconds.

Throttle Events/Second
  Type the maximum number of events the Exchange protocol can forward per second.

  The minimum value is 100 EPS and the maximum value is 20,000 EPS.

Enabled
  Select this check box to enable the log source.

  When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.

  Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.

  This enables administrators to poll and process events on the target event collector instead of the console appliance. This can improve performance in distributed deployments.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events.

  Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.

  When this check box is clear, the events are displayed individually and the information is not bundled.

  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event.

  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events generated by the log source.

  The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source.

  This parameter is only available after you upload a log source extension to JSA. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:

  • Parsing enhancement—Select this option when most fields parse correctly for your log source.
  • Parsing override—Select this option when the log source is unable to correctly parse events.

Groups
  Select one or more groups for the log source.

To configure the Microsoft Windows Exchange protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for your log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the Syslog Protocol on page 20.

• Configuring the JDBC Protocol on page 23.

• Configuring the JDBC - SiteProtector Protocol on page 27.

• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.

• Configuring the Juniper Networks NSM Protocol on page 36.

• Configuring the OPSEC/LEA Protocol on page 38.

Configuring the Microsoft IIS Protocol

The Microsoft IIS protocol supports a single point of collection for W3C format log files that are located on Microsoft IIS web servers.

The Microsoft authentication protocol NTLMv2 is not supported by the Microsoft IIS protocol.

Folder paths that contain an administrative share (C$) require NetBIOS privileges on the administrative share (C$) to read the log files. Local or domain administrators have sufficient privileges to access log files on administrative shares.

Fields for the Microsoft IIS protocol that support file paths allow administrators to define a drive letter with the path information. For example, the field can contain c$\LogFiles\ for an administrative share, or LogFiles\ for a public share folder path, but not c:\LogFiles.

Detailed configuration steps for Microsoft IIS are provided in the Juniper Secure Analytics (JSA).

Table 23: Microsoft IIS Protocol Parameters

Log Source Name
  Type a unique name of the log source.

Log Source Description
  Optional. Type a description for the log source.

Log Source Type
  From the list, select a log source type.

Protocol Configuration
  From the list, select Microsoft IIS.

Log Source Identifier
  Type an IP address, host name, or name to identify the Microsoft IIS server.

  The log source identifier must be unique for the log source type.

Domain
  Optional. Type the domain that is required to access the Microsoft IIS server.

Username
  Type the user name that is required to access the Microsoft IIS server.

Password
  Type the password that is required to access the Microsoft IIS server.

Confirm Password
  Confirm the password that is required to access the Microsoft IIS server.

Folder Path
  Type the directory path to access the IIS log files.

  The default is \WINDOWS\system32\LogFiles\W3SVC1\.

File Pattern
  Type the regular expression (regex) to identify and download the event logs.

  The default file pattern is (?:u_)?ex.*\.(?:log|LOG)

  All files that match the file pattern are processed.

Recursive
  Select this check box if you want the file pattern to search sub folders. By default, the check box is selected.

Polling Interval (seconds)
  Type the polling interval, which is the number of seconds between queries to the log files to check for new data.

  The minimum polling interval is 10 seconds, with a maximum polling interval of 3,600 seconds.

Throttle Events/Second
  Type the maximum number of events the IIS protocol can forward per second.

  The minimum value is 100 EPS and the maximum value is 20,000 EPS.

Enabled
  Select this check box to enable the log source.

  When this check box is clear, the log source does not collect events and the log source does not count against the log source limit in the license.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.

  Credibility is a representation of the integrity or validity of events created by a log source. The credibility value assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.

  The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events.

  Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.

  When this check box is clear, events are viewed individually and events are not bundled.

  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event.

  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events that are generated by the log source.

  The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source.

  This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:

  • Parsing enhancement—Select this option when most fields parse correctly for the log source.
  • Parsing override—Select this option when the log source is unable to correctly parse events.

Groups
  Select one or more groups for the log source.
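The Microsoft DHCP, Microsoft Exchange and Microsoft IIS sections all share the same folder path rule (c$\LogFiles\ for an administrative share or LogFiles\ for a public share, but never c:\LogFiles), each quotes a default File Pattern regex, and each has a Recursive check box. The following Python is an added example, not JSA code, that applies those three rules to constructed directory listings. It assumes the pattern is tested against the bare file name as a whole match and that listing entries are paths relative to the configured folder, with a backslash marking a sub folder; the guide does not state either detail.

```python
import re
from typing import Iterable, List

# Default file patterns quoted in this guide for the Microsoft DHCP (Table 21),
# Microsoft Exchange (Table 22) and Microsoft IIS (Table 23) protocols.
DHCP_IPV4_PATTERN = r"DhcpSrvLog-(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\.log"
DHCP_IPV6_PATTERN = r"DhcpV6SrvLog-(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\.log"
EXCHANGE_PATTERN = r".*\.(?:log|LOG)"
IIS_PATTERN = r"(?:u_)?ex.*\.(?:log|LOG)"

_DRIVE_LETTER_PATH = re.compile(r"^[A-Za-z]:")    # c:\LogFiles   (not supported)
_ADMIN_SHARE_PATH = re.compile(r"^[A-Za-z]\$\\")  # c$\LogFiles\  (administrative share)


def folder_path_kind(path: str) -> str:
    """Classify a folder path the way the guide describes the field.

    Returns 'administrative share' for c$\\... paths, 'public share' for a
    share-relative path such as LogFiles\\, and 'unsupported' for a local
    drive-letter path such as c:\\LogFiles, which the guide says is rejected.
    """
    if _DRIVE_LETTER_PATH.match(path):
        return "unsupported"
    if _ADMIN_SHARE_PATH.match(path):
        return "administrative share"
    return "public share"


def select_log_files(listing: Iterable[str], file_pattern: str, recursive: bool) -> List[str]:
    """Return the entries of a folder listing that the file pattern selects.

    Assumptions (not stated by the guide): the regex is matched against the
    bare file name and must match the whole name, and when Recursive is
    cleared, entries that sit in a sub folder are skipped.
    """
    regex = re.compile(file_pattern)
    selected = []
    for entry in listing:
        parts = entry.split("\\")
        in_sub_folder = len(parts) > 1
        if in_sub_folder and not recursive:
            continue
        if regex.fullmatch(parts[-1]):
            selected.append(entry)
    return selected


# Constructed directory listings (not real server output) used by the demo.
DHCP_LISTING = [
    "DhcpSrvLog-Mon.log",
    "DhcpSrvLog-Tue.log",
    "DhcpV6SrvLog-Mon.log",
    "DhcpSrvLog-Mon.log.bak",       # rotated copy: no longer ends in .log
    "archive\\DhcpSrvLog-Sun.log",  # only reachable when Recursive is selected
]
IIS_LISTING = [
    "u_ex140812.log",
    "ex140813.LOG",
    "u_nc140812.log",               # NCSA-format log, not W3C extended
    "W3SVC2\\u_ex140814.log",       # a second web site's log folder
]

if __name__ == "__main__":
    for p in ("c$\\LogFiles\\", "LogFiles\\", "c:\\LogFiles"):
        print(f"{p:<16} -> {folder_path_kind(p)}")
    print(select_log_files(DHCP_LISTING, DHCP_IPV4_PATTERN, recursive=False))
    print(select_log_files(DHCP_LISTING, DHCP_IPV4_PATTERN, recursive=True))
    print(select_log_files(IIS_LISTING, IIS_PATTERN, recursive=True))
```

Running the block shows why the defaults are narrower than a bare .* would be: the rotated .bak copy and the NCSA-format u_nc file are skipped by the DHCP and IIS patterns, while the Exchange default .*\.(?:log|LOG) would pick up every .log file in the folder. Swapping recursive=True for recursive=False drops the files under archive\ and W3SVC2\, which is the visible effect of clearing the Recursive check box.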

To configure the Microsoft IIS protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for your log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the Syslog Protocol on page 20.

• Configuring the JDBC Protocol on page 23.

• Configuring the JDBC - SiteProtector Protocol on page 27.

• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.

• Configuring the Juniper Networks NSM Protocol on page 36.

• Configuring the OPSEC/LEA Protocol on page 38.

Configuring the SMB Tail Protocol

The SMB Tail protocol enables administrators to remotely watch an event file in a remote directory on a Samba share, detect when new lines are added to the event log, and retrieve the new events.

Table 24: SMB Tail Protocol Parameters

Log Source Name
  Type a unique name of the log source.

Log Source Description
  Optional. Type a description for the log source.

Log Source Type
  From the list, select a log source type.

Protocol Configuration
  From the list, select SMB Tail.

Log Source Identifier
  Type an IP address, hostname, or name to identify the SMB Tail event source.

  IP addresses or host names are suggested because they identify a unique value for the event source.

Server Address
  Type the IP address or hostname of the Samba server.

Domain
  Optional. Type the domain required for the SMB (Samba) server.

Username
  Type the username required to access the remote server.

Password
  Type the password required to access the remote server.

Confirm Password
  Confirm the password required to access the server.

Log Folder Path
  Type the directory path to access the log files.

  For example, administrators can use c$\LogFiles\ for an administrative share, or LogFiles\ for a public share folder path. However, c:\LogFiles is not a supported log folder path.

  If a log folder path contains an administrative share (C$), users with NetBIOS access on the administrative share (C$) have the privileges required to read the log files.

  Local system or domain administrator privileges are also sufficient to access log files that reside on an administrative share.

File Pattern
  Type the regular expression (regex) to identify and download the event logs.

  All matching files are included in the processing.

Force File Read
  Select this check box to force the protocol to read the log file. By default, the check box is selected. If the check box is clear, the log file is read only when JSA detects a change in the modified time or file size.

Recursive
  Select this check box if you want the file pattern to search sub folders. By default, the check box is selected.

Polling Interval (seconds)
  Type the polling interval, which is the number of seconds between queries to the log files to check for new data.

  The minimum polling interval is 10 seconds, with a maximum polling interval of 3,600 seconds.

Throttle Events/Second
  Type the maximum number of events the SMB Tail protocol forwards per second.

  The minimum value is 100 EPS and the maximum value is 20,000 EPS.

Enabled
  Select this check box to enable the log source.

  When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.

  Credibility is a representation of the integrity or validity of events created by a log source. The credibility value assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the Event Collector to use as the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.

  This enables administrators to poll and process events on the target event collector instead of the console appliance. This can improve performance in distributed deployments.

  When an administrator verifies firewall ports between JSA and the remote database, the firewall must allow communication between the target event collector and the remote database.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events.

  Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.

  When this check box is clear, the events are displayed individually and the information is not bundled.

  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event.

  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events generated by the log source.

  The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source.

  This parameter is only available after you upload a log source extension to JSA. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:

  • Parsing enhancement—Select this option when most fields parse correctly for your log source.
  • Parsing override—Select this option when the log source is unable to correctly parse events.

Groups
  Select one or more groups for the log source.
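The tailing behaviour that the SMB Tail protocol description and the Force File Read row above describe, written out in Python as an added example; this is not JSA code and only illustrates the semantics. Each poll remembers the byte offset already forwarded, opens the file only when its size or modification time changed unless force_file_read is set (the cleared Force File Read case), buffers an incomplete trailing line until the next poll completes it, and re-reads from the start when the file is shorter than the stored offset, which is taken to mean truncation or rotation (an assumption; the guide does not say how JSA handles that case). The demo calls the poll function directly rather than sleeping for a Polling Interval, and the log lines are constructed to resemble DHCP server entries rather than taken from a real server.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import List


@dataclass
class TailState:
    """What the collector remembers about one file between polls."""
    path: str
    offset: int = 0           # byte position up to which lines were already forwarded
    last_size: int = -1       # size seen at the previous poll
    last_mtime: float = -1.0  # modification time seen at the previous poll
    partial: bytes = b""      # bytes after the last newline, not yet a full line


def poll_new_lines(state: TailState, force_file_read: bool = True) -> List[str]:
    """One polling pass over the file; returns the complete new lines.

    With force_file_read False the file is opened only when its size or
    modification time changed since the last poll, which is the behaviour the
    guide describes for a cleared Force File Read check box. A file that shrank
    below the stored offset is treated as truncated or rotated and is read
    again from the start (assumption; not stated by the guide).
    """
    st = os.stat(state.path)
    changed = st.st_size != state.last_size or st.st_mtime != state.last_mtime
    if not changed and not force_file_read:
        return []
    state.last_size, state.last_mtime = st.st_size, st.st_mtime

    if st.st_size < state.offset:
        state.offset = 0
        state.partial = b""

    with open(state.path, "rb") as fh:
        fh.seek(state.offset)
        data = fh.read()
        state.offset = fh.tell()

    chunks = (state.partial + data).split(b"\n")
    state.partial = chunks.pop()  # b"" when the data ended with a newline
    return [c.decode("utf-8", errors="replace").rstrip("\r") for c in chunks]


def demo() -> List[List[str]]:
    """Walk through six polls over a constructed DHCP-style log file."""
    results = []
    with tempfile.TemporaryDirectory() as folder:
        path = os.path.join(folder, "DhcpSrvLog-Mon.log")
        with open(path, "wb") as fh:
            fh.write(b"10,08/12/14,09:00:01,Assign,10.0.0.5,host1\r\n")
        state = TailState(path)

        results.append(poll_new_lines(state))                         # first read
        results.append(poll_new_lines(state, force_file_read=False))  # nothing changed
        with open(path, "ab") as fh:
            fh.write(b"11,08/12/14,09:05:00,Renew,10.0.0.5,host1\r\n")
        results.append(poll_new_lines(state, force_file_read=False))  # size changed
        with open(path, "ab") as fh:
            fh.write(b"12,08/12/14,09:06:00,Release,10.0.0.")          # no newline yet
        results.append(poll_new_lines(state))                         # partial buffered
        with open(path, "ab") as fh:
            fh.write(b"5,host1\r\n")
        results.append(poll_new_lines(state))                         # line completed
        with open(path, "wb") as fh:                                  # daily rotation
            fh.write(b"00,08/13/14,00:00:00,Started,,\r\n")
        results.append(poll_new_lines(state))                         # re-read from 0
    return results


if __name__ == "__main__":
    for i, lines in enumerate(demo(), 1):
        print(f"poll {i}: {lines}")
```

The second poll returns nothing because neither size nor modification time moved and force_file_read was cleared; the fourth returns nothing because the writer had not yet finished the line, and the fifth delivers that line whole once the newline arrives. A collector that did not buffer the partial line would forward a truncated event and then a fragment, which is the kind of parsing noise the DSM cannot repair.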

To configure the SMB Tail protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for your log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the Syslog Protocol on page 20.

• Configuring the JDBC Protocol on page 23.

• Configuring the JDBC - SiteProtector Protocol on page 27.

• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.

• Configuring the Juniper Networks NSM Protocol on page 36.

• Configuring the OPSEC/LEA Protocol on page 38.

Configuring the EMC VMware Protocol

The EMC VMware protocol provides log sources the ability to receive event data from the VMware web service for virtual environments.

Table 25 on page 77 describes the parameters of the EMC VMware protocol.

Table 25: EMC VMware Protocol Parameters

Log Source Name
  Type a unique name of the log source.

Log Source Description
  Optional. Type a description for the log source.

Log Source Type
  From the list, select the type of log source to add.

Protocol Configuration
  From the list, select EMC VMware.

Log Source Identifier
  Type the IP address or hostname for the log source. The value for this parameter must match the VMware IP.

VMware IP
  Type the IP address of the VMware ESXi server. For example, 1.1.1.1.

  The VMware protocol prefixes the IP address of your VMware ESXi server with HTTPS before the protocol requests event data.

User Name
  Type the username required to access the VMware server.

  If you want to configure a read-only account to use with the VMware protocol, you can create a user on your VMware server with read-only permission.

Password
  Type the password that is required to remotely access the VMware server.

Enabled
  Select this check box to enable the log source.

  When this check box is clear, the log source does not collect events and the log source does not count against the log source limit in the license.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.

  Credibility is a representation of the integrity or validity of events created by a log source. The credibility value assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.

  The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events.

  Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.

  When this check box is clear, events are viewed individually and events are not bundled.

  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event.

  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events that are generated by the log source.

  The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Optional. Select the name of the extension to apply to the log source.

This parameter is only available after you upload a log source extension to JSA. Log sourceextensions are XML files that contain regular expressions, which can override or repair the eventparsing patterns defined by a device support module (DSM).

Log Source Extension

From the list box, select the use condition for the log source extension. The options include:

• Parsing enhancement—Select this option whenmost fields parse correctly for your log source.

• Parsing override—Select this option when the log source is unable to correctly parse events.

Extension Use Condition

Select one or more groups for the log source.Groups
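The Coalescing Events check box in the table above is described only in terms of its effect on the Log Activity tab. The following Python block is an added illustration of what event coalescing does to a stream of events; it is not JSA code and it is not taken from this guide. It assumes that "the same event" means the same (log source, event name) pair and that "a short time interval" is a fixed window measured from the first event of a bundle; neither the key nor the window length is stated on the page, so both are assumptions, as is the constructed sample event list.

```python
"""Event coalescing (bundling) as controlled by the Coalescing Events check box.

Added illustration; this is not JSA code. It assumes that "the same event"
means the same (log source, event name) pair and that "a short time interval"
is a fixed window measured from the first event of a bundle. Neither the key
nor the window length is stated on the page, so both are assumptions here.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Event:
    ts: float        # epoch seconds
    source: str      # log source identifier
    name: str        # normalized event name after DSM parsing
    payload: str     # raw payload (kept only when Store Event Payload is on)


@dataclass
class CoalescedEvent:
    first_ts: float
    last_ts: float
    source: str
    name: str
    count: int       # how many raw events this record stands for
    payload: str     # payload of the first event; later payloads are not retained


def coalesce(events: List[Event], window: float) -> List[CoalescedEvent]:
    """Bundle identical events that fall within `window` seconds of a bundle's first event.

    Events are processed in timestamp order. An event joins the open bundle for its
    (source, name) key if it arrived within `window` seconds of that bundle's first
    event; otherwise it starts a new bundle. This is what raises the event count
    shown on the Log Activity tab instead of listing every occurrence separately.
    """
    open_bundles: Dict[Tuple[str, str], CoalescedEvent] = {}
    out: List[CoalescedEvent] = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.source, ev.name)
        bundle = open_bundles.get(key)
        if bundle is not None and ev.ts - bundle.first_ts <= window:
            bundle.count += 1
            bundle.last_ts = ev.ts
            continue
        bundle = CoalescedEvent(ev.ts, ev.ts, ev.source, ev.name, 1, ev.payload)
        open_bundles[key] = bundle
        out.append(bundle)
    return out


# Constructed sample: repeated failed logins from one host within a few seconds,
# one success in between, and a lone failure a minute later.
SAMPLE_EVENTS = [
    Event(100.0, "10.0.0.5", "Login Failed", "user=alice src=10.0.0.5"),
    Event(101.0, "10.0.0.5", "Login Failed", "user=alice src=10.0.0.5"),
    Event(102.5, "10.0.0.5", "Login Failed", "user=alice src=10.0.0.5"),
    Event(103.0, "10.0.0.5", "Login Succeeded", "user=alice src=10.0.0.5"),
    Event(104.0, "10.0.0.5", "Login Failed", "user=alice src=10.0.0.5"),
    Event(160.0, "10.0.0.5", "Login Failed", "user=alice src=10.0.0.5"),
]


def demo(window: float = 10.0) -> List[Tuple[str, int]]:
    """Return (event name, count) per bundle for the sample with a 10 second window."""
    return [(b.name, b.count) for b in coalesce(SAMPLE_EVENTS, window)]


if __name__ == "__main__":
    for name, count in demo():
        print(f"{name}: {count}")
```

With a 10 second window the four failures around 100-104 seconds collapse into one record with a count of 4, the success stays separate, and the failure at 160 seconds starts a new bundle. The trade-off the check box controls is visible in the model: a bundle keeps only its first payload, so frequency becomes easy to read while per-occurrence detail is lost. The per-log-source override described in the table is what lets an administrator clear the box for a source whose individual payloads matter during an investigation.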


To configure the EMC VMware protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for your log source. The JSA provides step-by-step instructions to configure each log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the Syslog Protocol on page 20.

• Configuring the JDBC Protocol on page 23.

• Configuring the JDBC - SiteProtector Protocol on page 27.

• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.

• Configuring the Juniper Networks NSM Protocol on page 36.

• Configuring the OPSEC/LEA Protocol on page 38.

• Configuring the SDEE Protocol on page 41.

Configuring the Oracle Database Listener Protocol

The Oracle Database Listener protocol source enables administrators to remotely collect log files generated from an Oracle database server.

Before you configure the Oracle Database Listener protocol to monitor log files for processing, you must obtain the directory path to the Oracle database log files.

Detailed configuration steps for Oracle are provided in the Juniper Secure Analytics (JSA).

Table 26: Oracle Database Listener Protocol Parameters

Log Source Name: Type a unique name of the log source.

Log Source Description: Optional. Type a description for the log source.

Log Source Type: From the list, select a log source type.

Protocol Configuration: From the list, select Oracle Database Listener.

Log Source Identifier: Type an IP address, host name, or name to identify the Oracle database server.
    The log source identifier must be unique for the log source type.


Table 26: Oracle Database Listener Protocol Parameters (continued)

Domain: Optional. Type the domain that is required to access the Oracle database server.

Username: Type the user name that is required to access the Oracle database server.

Password: Type the password that is required to access the Oracle database server.

Confirm Password: Confirm the password that is required to access the Oracle database server.

Log Folder Path: Type the directory path to access the Oracle database log files.

File Pattern: Type the regular expression (regex) to identify and download the event logs.
    The default file pattern is listener\.log.
    All files that match the file pattern are processed.

Recursive: Select this check box if you want the file pattern to search sub folders. By default, the check box is selected.

Polling Interval (seconds): Type the polling interval, which is the number of seconds between queries to the log files to check for new data.
    The minimum polling interval is 10 seconds, with a maximum polling interval of 3,600 seconds.

Throttle Events/Second: Type the maximum number of events the protocol can forward per second.
    The minimum value is 100 EPS and the maximum value is 20,000 EPS.

Enabled: Select this check box to enable the log source.
    When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility: Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.
    Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
    This option enables administrators to poll and process events on the target event collector, instead of the console appliance. This can improve performance in distributed deployments.


Table 26: Oracle Database Listener Protocol Parameters (continued)

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.
    Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
    When this check box is clear, the events are displayed individually and the information is not bundled.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload: Select this check box to enable the log source to store the payload information from an event.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language: Select the language of the events that are generated by the log source.
    The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source.
    This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
    • Parsing enhancement: Select this option when most fields parse correctly for your log source.
    • Parsing override: Select this option when the log source is unable to correctly parse events.

Groups: Select one or more groups for the log source.
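The File Pattern, Recursive and Polling Interval parameters in Table 26 describe a regex-selected set of files that is polled for new data. The following Python block is an added illustration of that collection model, not JSA code and not from this guide: it selects files by regex (default listener\.log, the value the table states), honours the Recursive flag, clamps the interval to the documented 10 to 3,600 second range, and returns only lines added since the previous poll. The function names are my own, the per-file byte offset used to remember what has been read is an assumption about how such a collector works, and the listener log lines are constructed samples.

```python
"""File-pattern selection and incremental polling, modelled on the Oracle Database
Listener protocol parameters in Table 26 (Log Folder Path, File Pattern, Recursive,
Polling Interval).

Added illustration; this is not JSA code. The function names are my own, and the
way the product remembers what it has already read is not stated on the page, so
the per-file byte offset used here is an assumption.
"""
import os
import re
import tempfile
from typing import Dict, List

DEFAULT_FILE_PATTERN = r"listener\.log"          # default given in Table 26
MIN_POLL_SECONDS, MAX_POLL_SECONDS = 10, 3600    # bounds given in Table 26


def clamp_polling_interval(seconds: int) -> int:
    """Constrain a requested interval to the documented 10 to 3,600 second range."""
    return max(MIN_POLL_SECONDS, min(MAX_POLL_SECONDS, int(seconds)))


def select_log_files(log_folder: str, file_pattern: str = DEFAULT_FILE_PATTERN,
                     recursive: bool = True) -> List[str]:
    """Return every file under log_folder whose name fully matches file_pattern.

    With recursive=True (the documented default) sub folders are searched too.
    fullmatch is used so that the default pattern picks up listener.log but not
    rotated copies such as listener.log.1 unless the regex allows them.
    """
    rx = re.compile(file_pattern)
    matches: List[str] = []
    if recursive:
        for root, _dirs, files in os.walk(log_folder):
            matches.extend(os.path.join(root, f) for f in files if rx.fullmatch(f))
    else:
        for f in os.listdir(log_folder):
            path = os.path.join(log_folder, f)
            if os.path.isfile(path) and rx.fullmatch(f):
                matches.append(path)
    return sorted(matches)


class IncrementalReader:
    """Remember a byte offset per file so each poll returns only new complete lines.

    A file that is shorter than the remembered offset (truncated or rotated in
    place) is re-read from the start. A trailing partial line is held back until
    the writer finishes it.
    """

    def __init__(self) -> None:
        self.offsets: Dict[str, int] = {}

    def poll(self, paths: List[str]) -> List[str]:
        new_lines: List[str] = []
        for path in paths:
            offset = self.offsets.get(path, 0)
            if os.path.getsize(path) < offset:
                offset = 0
            with open(path, "rb") as fh:
                fh.seek(offset)
                chunk = fh.read()
            cut = chunk.rfind(b"\n")
            if cut == -1:
                self.offsets[path] = offset      # nothing complete yet
                continue
            complete = chunk[:cut + 1]
            self.offsets[path] = offset + len(complete)
            new_lines.extend(complete.decode("utf-8", "replace").splitlines())
        return new_lines


def demo() -> dict:
    """Build a constructed listener log tree in a temp directory and poll it twice."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "network", "log")
        os.makedirs(sub)
        main_log = os.path.join(sub, "listener.log")
        with open(main_log, "w") as fh:                 # constructed sample lines
            fh.write("01-JAN-2017 10:00:01 * service_update * orcl * 0\n"
                     "01-JAN-2017 10:00:05 * establish * orcl * 0\n")
        with open(os.path.join(sub, "listener.log.1"), "w") as fh:
            fh.write("rotated copy, not matched by the default pattern\n")
        files = select_log_files(root)
        reader = IncrementalReader()
        first = reader.poll(files)
        with open(main_log, "a") as fh:                 # new complete line plus a partial one
            fh.write("01-JAN-2017 10:00:09 * establish * orcl * 12505\npartial")
        second = reader.poll(files)
        return {"files": [os.path.basename(p) for p in files],
                "non_recursive": select_log_files(root, recursive=False),
                "first": first, "second": second,
                "interval": clamp_polling_interval(5)}


if __name__ == "__main__":
    print(demo())
```

Two points the table leaves implicit are visible here. Because "all files that match the file pattern are processed", the regex decides whether rotated copies are collected: with the default pattern only listener.log is read, so anyone who needs rotated logs must widen the pattern deliberately. And the second poll returns only the one newly completed line, which is what the polling interval buys you; the unfinished trailing line waits for the next poll rather than arriving as a truncated event.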

To configure the Oracle Database Listener protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for the log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the Syslog Protocol on page 20.

• Configuring the JDBC Protocol on page 23.

• Configuring the JDBC - SiteProtector Protocol on page 27.

• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.

• Configuring the Juniper Networks NSM Protocol on page 36.

• Configuring the OPSEC/LEA Protocol on page 38.

Configuring the Cisco NSEL Protocol

The Cisco Network Security Event Logging (NSEL) protocol source allows Juniper Secure Analytics (JSA) to monitor NetFlow packet flows from a Cisco Adaptive Security Appliance (ASA).

To integrate Cisco ASA using NetFlow with JSA, you must manually create a log source to receive NetFlow events. JSA does not automatically discover or create log sources for syslog events from Cisco ASA using NetFlow and NSEL. For more information, see the JSA.

Table 27 on page 82 describes the parameters of the Cisco NSEL protocol.

Table 27: Cisco NSEL Protocol Parameters

Log Source Name: Type a unique name of the log source.

Log Source Description: Optional. Type a description for the log source.

Log Source Type: From the list, select the type of log source to add.

Protocol Configuration: From the list, select Cisco NSEL.

Log Source Identifier: Type an IPv4 address or hostname to identify the log source that created the events.
    If the network contains devices that are attached to a management console, administrators can specify the IP address of the individual device that created the event. A unique identifier for each, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.

Collector Port: Type the UDP port number used by Cisco ASA to forward NSEL events. The valid range of the Collector Port parameter is 1 - 65535.
    JSA uses port 2055 for flow data on QFlow Collectors. Administrators must assign a different UDP port on the Cisco Adaptive Security Appliance for NetFlow using NSEL.

Enabled: Select this check box to enable the log source.
    When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.


Table 27: Cisco NSEL Protocol Parameters (continued)

Credibility: Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.
    Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
    The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.
    Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
    When this check box is clear, events are viewed individually and events are not bundled.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload: Select this check box to enable the log source to store the payload information from an event.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language: Select the language of the events that are generated by the log source.
    The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source.
    This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
    • Parsing enhancement: Select this option when most fields parse correctly for your log source.
    • Parsing override: Select this option when the log source is unable to correctly parse events.

Groups: Select one or more groups for the log source.


To configure the Cisco NSEL protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for your log source. The JSA provides step-by-step instructions to configure each log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the TCP Multiline Syslog Protocol on page 97.

• Configuring the VMware vCloud Director Protocol on page 100.

• Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 102.

Configuring the PCAP Syslog Combination Protocol

The PCAP Syslog Combination protocol enables events to be collected from Juniper Networks SRX Series appliances that forward packet capture (PCAP) data.

Administrators must determine the outgoing PCAP port configured on the Juniper Networks SRX appliance before the log source can be configured. PCAP data cannot be forwarded to port 514.

Detailed configuration steps are provided in the Juniper Secure Analytics (JSA).

Table 28: PCAP Syslog Combination Protocol Parameters

Log Source Name: Type a unique name of the log source.

Log Source Description: Optional. Type a description for the log source.

Log Source Type: From the list, select a log source type.

Protocol Configuration: From the list, select PCAP Syslog Combination.

Log Source Identifier: Type an IP address, host name, or name to identify the Juniper Networks SRX Series appliance.
    The log source identifier must be unique for the log source type.


Table 28: PCAP Syslog Combination Protocol Parameters (continued)

Incoming PCAP Port: Specify the port number used by the Juniper Networks SRX Series appliance to forward incoming PCAP data.
    The PCAP UDP port number must be configured from your Juniper SRX Series appliance.
    If the outgoing PCAP port is edited on the Juniper Networks SRX Series appliance, the administrator must edit the log source.
    To edit the Incoming PCAP Port number, complete the following steps:
    1. Type the new port number for receiving PCAP data.
    2. Click Save.
    3. On the Admin tab, select Advanced > Deploy Full Configuration.
    Attention: When administrators click Deploy Full Configuration, the system restarts all services, resulting in a gap in data collection for events and flows until the deployment completes.

Enabled: Select this check box to enable the log source.
    When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility: Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.
    Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
    This option enables administrators to poll and process events on the target event collector, instead of the console appliance. This can improve performance in distributed deployments.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.
    Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
    When this check box is clear, the events are displayed individually and the information is not bundled.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload: Select this check box to enable the log source to store the payload information from an event.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.


Table 28: PCAP Syslog Combination Protocol Parameters (continued)

Log Source Language: Select the language of the events generated by the log source.
    The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source.
    This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
    • Parsing enhancement: Select this option when most fields parse correctly for your log source.
    • Parsing override: Select this option when the log source is unable to correctly parse events.

Groups: Select one or more groups for the log source.

To configure the PCAP Syslog Combination protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for your log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the Syslog Protocol on page 20.

• Configuring the JDBC Protocol on page 23.

• Configuring the JDBC - SiteProtector Protocol on page 27.

• Configuring the TLS Syslog Protocol on page 89.

• Configuring the Juniper Security Binary Log Collector Protocol on page 92.

• Configuring the UDP Multiline Syslog Protocol on page 94.

Configuring the Forwarded Protocol

The forwarded protocol enables administrators to receive events from another console in your deployment.

The forwarded protocol is typically used in a scenario where administrators want to forward events to another Juniper Secure Analytics (JSA) console. In this scenario, console A is configured with an off-site target in the deployment editor, which points to console B. Log sources that are automatically discovered are automatically added to console B. Any log source from console A that is not automatically discovered must be added to console B as a log source with the forwarded protocol.

Table 29: Forwarded Protocol Parameters

Log Source Name: Type a unique name of the log source.

Log Source Description: Optional. Type a description for the log source.

Log Source Type: From the list, select a log source type.

Protocol Configuration: From the list, select Forwarded.

Log Source Identifier: Type an IP address or host name for the originating log source.
    For example, the identifier is the IP address or host name of the log source in Network A.
    The log source identifier must be unique for the log source type.

Enabled: Select this check box to enable the log source.
    When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.


Table 29: Forwarded Protocol Parameters (continued)

Credibility: Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.
    Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
    The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. This can improve performance in distributed deployments.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.
    Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
    When this check box is clear, the events are displayed individually and the information is not bundled.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload: Select this check box to enable the log source to store the payload information from an event.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language: Select the language of the events generated by the log source.
    The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source.
    This parameter is only available after you upload a log source extension to JSA. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
    • Parsing enhancement: Select this option when most fields parse correctly for your log source.
    • Parsing override: Select this option when the log source is unable to correctly parse events.

Groups: Select one or more groups for the log source.


To configure the forwarded protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for your log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the TLS Syslog Protocol on page 89.

• Configuring the Juniper Security Binary Log Collector Protocol on page 92.

• Configuring the UDP Multiline Syslog Protocol on page 94.

• Configuring the TCP Multiline Syslog Protocol on page 97.

• Configuring the VMware vCloud Director Protocol on page 100.

• Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 102.

Configuring the TLS Syslog Protocol

The TLS Syslog protocol enables log sources to receive encrypted syslog events from up to 50 network devices that support TLS Syslog event forwarding.

The log source creates a listen port for incoming TLS Syslog events and generates a certificate file for the network devices. Up to 50 network appliances can forward events to the port created for the log source.

Table 30: TLS Syslog Protocol Parameters

Log Source Name: Type a unique name of the log source.

Log Source Description: Optional. Type a description for the log source.

Log Source Type: From the list, select a log source type.

Protocol Configuration: From the list, select TLS Syslog.

Log Source Identifier: Type the IP address or host name of the network device forwarding encrypted syslog.


Table 30: TLS Syslog Protocol Parameters (continued)

TLS Listen Port: Type the port number to accept incoming TLS Syslog events.
    The default TLS listen port is 6514.
    The port number that is specified as the listen port for TLS events can be used by up to 50 log sources. If multiple network devices are forwarding TLS syslog events, they can also use 6514 as their default TLS syslog port.
    To edit the port number, complete the following steps:
    1. Type the new port number for the TLS syslog protocol.
    2. Click Save.
    3. On the Admin tab, select Advanced > Deploy Full Configuration.
    Attention: When administrators click Deploy Full Configuration, the system restarts all services, resulting in a gap in data collection for events and flows until the deployment completes.

Enabled: Select this check box to enable the log source.
    When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility: Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.
    Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
    The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.
    Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
    When this check box is clear, the events are displayed individually and the information is not bundled.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.


Table 30: TLS Syslog Protocol Parameters (continued)

Store Event Payload: Select this check box to enable the log source to store the payload information from an event.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language: Select the language of the events generated by the log source.
    The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source.
    This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
    • Parsing enhancement: Select this option when most fields parse correctly for your log source.
    • Parsing override: Select this option when the log source is unable to correctly parse events.

Groups: Select one or more groups for the log source.

To configure the TLS Syslog protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for your log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

After the log source is saved, a syslog-tls certificate is created for the log source device. The certificate must be copied to any device on your network that is capable of forwarding encrypted syslog. Additional network devices with a syslog-tls certificate file and the TLS listen port number can be automatically discovered as a TLS syslog log source in JSA.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the Juniper Security Binary Log Collector Protocol on page 92.

• Configuring the UDP Multiline Syslog Protocol on page 94.

• Configuring the TCP Multiline Syslog Protocol on page 97.

• Configuring the VMware vCloud Director Protocol on page 100.

• Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 102.

91Copyright © 2017, Juniper Networks, Inc.

Chapter 3: Managing Protocol Configuration

Configuring the Juniper Security Binary Log Collector Protocol

The Juniper Binary Log Collector protocol can accept audit, system, firewall, and intrusion prevention system (IPS) events in binary format.

Administrators must configure their Juniper appliances to stream binary formatted events. The port number that is used by Juniper to stream binary events is required before an administrator can configure the log source.

The binary log format from Juniper SRX or J Series appliances is streamed with the UDP protocol. You must specify a unique port for streaming binary formatted events; the standard syslog port (514) cannot be used for binary formatted events. The default port that is assigned to receive streaming binary events from Juniper appliances is port 40798.

Table 31: Juniper Security Binary Log Collector Protocol Parameters

Log Source Name
  Type a unique name of the log source.

Log Source Description
  Optional. Type a description for the log source.

Log Source Type
  From the list, select a log source type.

Protocol Configuration
  From the list, select Security Binary Log Collector.

Log Source Identifier
  Type an IP address or host name to identify the log source.
  The identifier address must be the Juniper SRX or J Series appliance that generates the binary event stream.

Binary Collector Port
  Type the port number to accept incoming binary events.
  The default listen port is 40798.
  To edit the port number, complete the following steps:
  1. Type the new port number for the protocol.
  2. Click Save.
  3. On the Admin tab, select Advanced > Deploy Full Configuration.
  Attention: When administrators click Deploy Full Configuration, the system restarts all services, resulting in a gap in data collection for events and flows until the deployment completes.

XML Template File Location
  Type the path to the XML file used to decode the binary stream from your Juniper SRX or Juniper J-Series appliance.
  By default, the device support module (DSM) includes an XML file for decoding the binary stream.
  The XML file is at the following path: /opt/qradar/conf/security_log.xml.


Table 31: Juniper Security Binary Log Collector Protocol Parameters (continued)

Enabled
  Select this check box to enable the log source.
  When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.
  Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
  The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events.
  Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
  When this check box is clear, the events are displayed individually and the information is not bundled.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events generated by the log source.
  The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source.
  This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:
  • Parsing enhancement: Select this option when most fields parse correctly for your log source.
  • Parsing override: Select this option when the log source is unable to correctly parse events.


Table 31: Juniper Security Binary Log Collector Protocol Parameters (continued)

Groups
  Select one or more groups for the log source.

To configure the Juniper Security Binary Log Collector protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for your log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the UDP Multiline Syslog Protocol on page 94.

• Configuring the TCP Multiline Syslog Protocol on page 97.

• Configuring the VMware vCloud Director Protocol on page 100.

• Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 102.

Configuring the UDP Multiline Syslog Protocol

The UDP multiline syslog protocol uses a regular expression to identify and reassemble the multiline syslog messages into a single event payload.

The UDP multiline protocol enables administrators to add a log source that creates a single-line syslog event from a multiline event. The original event must contain a value that repeats, which a regular expression can use to identify and reassemble the multiline event. The following is an example event that contains a repeated value:

15:08:56 1.1.1.1 slapd[517]: conn=2467222 op=2 SEARCH RESULT tag=101
15:08:56 1.1.1.1 slapd[517]: conn=2467222 op=2 SRCH base="dc=iso-n,dc=com"
15:08:56 1.1.1.1 slapd[517]: conn=2467222 op=2 SRCH attr=gidNumber
15:08:56 1.1.1.1 slapd[517]: conn=2467222 op=1 SRCH base="dc=iso-n,dc=com"

Table 32: UDP Multiline Syslog Protocol Parameters

Log Source Name
  Type a unique name of the log source.

Log Source Description
  Optional. Type a description for the log source.

Log Source Type
  From the list, select a log source type.


Table 32: UDP Multiline Syslog Protocol Parameters (continued)

Protocol Configuration
  From the list, select UDP Multiline Syslog.

Log Source Identifier
  Type the IP address or host name of the network device forwarding encrypted syslog.

Listen Port
  Type the port number to accept incoming UDP multiline syslog events.
  The default listen port is 517.
  To edit the port number, complete the following steps:
  1. Type the new port number for the protocol.
  2. Click Save.
  3. On the Admin tab, select Advanced > Deploy Full Configuration.
  Attention: When administrators click Deploy Full Configuration, the system restarts all services, resulting in a gap in data collection for events and flows until the deployment completes.

Message ID Pattern
  Type the regular expression (regex) required to filter the event payload messages.
  The UDP multiline event messages must contain a common identifying value that repeats on each line of the event message.

Enabled
  Select this check box to enable the log source.
  When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.
  Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
  The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.


Table 32: UDP Multiline Syslog Protocol Parameters (continued)

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events.
  Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
  When this check box is clear, the events are listed individually and the information is not bundled.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events that are generated by the log source.
  The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source.
  This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns that are defined by a device support module (DSM).

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:
  • Parsing enhancement: Select this option when most fields parse correctly for your log source.
  • Parsing override: Select this option when the log source is unable to correctly parse events.

Groups
  Select one or more groups for the log source.

To configure the UDP multiline syslog protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for your log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

After the log source is saved, a syslog-tls certificate is created for the log source device. The certificate must be copied to any device on your network that is configured to forward encrypted syslog. Additional network devices with a syslog-tls certificate file and the TLS listen port number can be automatically discovered as a TLS syslog log source.
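The reassembly that the Message ID Pattern drives, shown as an added example (not JSA code): the slapd lines from the example above, plus a constructed second connection and one constructed line without a conn= value, are grouped by the value captured by an assumed pattern, conn=(\d+), so the effect of a pattern that is too narrow is visible before it is saved into the log source.

```python
import re

# Constructed sample, built from the slapd example in the guide: the four
# lines of connection 2467222, a second interleaved connection (constructed)
# and one daemon line with no conn= value (constructed). This is how lines
# reach a UDP collector when several sessions log at the same time.
SAMPLE_LINES = [
    '15:08:56 1.1.1.1 slapd[517]: conn=2467222 op=2 SEARCH RESULT tag=101',
    '15:08:56 1.1.1.1 slapd[517]: conn=2467222 op=2 SRCH base="dc=iso-n,dc=com"',
    '15:08:56 1.1.1.1 slapd[517]: conn=2467223 op=0 BIND dn="cn=svc,dc=iso-n,dc=com"',
    '15:08:56 1.1.1.1 slapd[517]: conn=2467222 op=2 SRCH attr=gidNumber',
    '15:08:56 1.1.1.1 slapd[517]: conn=2467222 op=1 SRCH base="dc=iso-n,dc=com"',
    '15:08:57 1.1.1.1 slapd[517]: conn=2467223 op=0 RESULT tag=97 err=0',
    '15:08:57 1.1.1.1 slapd[517]: daemon: shutdown requested',
]

# Assumed Message ID Pattern for the sample: the capture group must isolate
# the value that repeats on every line of one logical event.
MESSAGE_ID_PATTERN = r"conn=(\d+)"


def reassemble(lines, message_id_pattern):
    """Join lines that share the value captured by message_id_pattern into one
    newline-separated payload.

    Returns a list of (message_id, payload) tuples in the order in which each
    message ID was first seen. A line that does not match the pattern is
    returned on its own with message_id None rather than being dropped, so a
    pattern that is too narrow shows up as a burst of single-line events.
    """
    regex = re.compile(message_id_pattern)
    if regex.groups < 1:
        raise ValueError("Message ID Pattern needs a capture group around the repeated value")
    buffers = {}  # insertion order is kept, so events come out in first-seen order
    for index, line in enumerate(lines):
        match = regex.search(line)
        # unmatched lines get a unique key so they never merge with each other
        key = match.group(1) if match else ("unmatched", index)
        buffers.setdefault(key, []).append(line)
    return [
        (key if isinstance(key, str) else None, "\n".join(parts))
        for key, parts in buffers.items()
    ]


def unmatched_count(lines, message_id_pattern):
    """Number of lines the pattern would not group: a quick sanity check to run
    on a captured sample before saving the pattern in the log source."""
    regex = re.compile(message_id_pattern)
    return sum(1 for line in lines if regex.search(line) is None)


if __name__ == "__main__":
    print("lines the pattern cannot group:", unmatched_count(SAMPLE_LINES, MESSAGE_ID_PATTERN))
    for message_id, payload in reassemble(SAMPLE_LINES, MESSAGE_ID_PATTERN):
        print(f"--- event (conn={message_id}) ---")
        print(payload)
```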


Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the Juniper Security Binary Log Collector Protocol on page 92.

• Configuring the TCP Multiline Syslog Protocol on page 97.

• Configuring the VMware vCloud Director Protocol on page 100.

• Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 102.

Configuring the TCP Multiline Syslog Protocol

The TCP multiline syslog protocol uses regular expressions to identify the start and end pattern of multiline events to create a single-line event.

The TCP multiline protocol enables administrators to add a log source that creates a single-line syslog event from a multiline event. The following is an example multiline event:

06/13/2012 08:15:15 PM
Log Name=Security
Source Name=Microsoft Windows security auditing.
Event Code=5156
Event Type=0
Task Category=Filtering Platform Connection
Keywords=Audit Success
Message=The Windows Filtering Platform permitted a connection.
Process ID: 4
Application Name: System
Direction: Inbound
Source Address: 1.1.1.1
Source Port: 80
Destination Address: 1.1.1.12
Destination Port: 444

Table 33: TCP Multiline Syslog Protocol Parameters

Log Source Name
  Type a unique name of the log source.

Log Source Description
  Optional. Type a description for the log source.

Log Source Type
  From the list, select a log source type.

Protocol Configuration
  From the list, select TCP Multiline Syslog.

Log Source Identifier
  Type the IP address or host name of the network device forwarding encrypted syslog.


Table 33: TCP Multiline Syslog Protocol Parameters (continued)

Listen Port
  Type the port number to accept incoming TCP multiline syslog events.
  The default listen port is 12468.
  To edit the port number, complete the following steps:
  1. Type the new port number for the protocol.
  2. Click Save.
  3. On the Admin tab, select Advanced > Deploy Full Configuration.
  Attention: When administrators click Deploy Full Configuration, the system restarts all services, resulting in a gap in data collection for events and flows until the deployment completes.

Event Formatter
  From the list, select one of the following options:
  • No Formatting: Select this option when no extra formatting is required for the multiline events.
  • Windows Multiline: Select this option for multiline events that are formatted specifically for Windows.

Event Start Pattern
  Type the regular expression (regex) required to identify the start of a TCP multiline event payload.
  Syslog headers typically begin with a date or time stamp.
  The protocol can create a single-line event based solely on an event start pattern, such as a time stamp.
  When a start pattern is all that is available, the protocol captures all the information between each start value to create a valid event.

Event End Pattern
  Type the regular expression (regex) required to identify the last field of a TCP multiline event payload.
  If the syslog event ends with the same value, administrators can use a regular expression to determine the end of an event.
  The protocol can capture events based solely on an event end pattern.
  When an end pattern is all that is available, the protocol captures all the information between each end value to create a valid event.

Enabled
  Select this check box to enable the log source.
  When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.
  Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.


Table 33: TCP Multiline Syslog Protocol Parameters (continued)

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
  The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events.
  Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
  When this check box is clear, the events are displayed individually and the information is not bundled.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events generated by the log source.
  The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source.
  This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:
  • Parsing enhancement: Select this option when most fields parse correctly for your log source.
  • Parsing override: Select this option when the log source is unable to correctly parse events.

Groups
  Select one or more groups for the log source.

To configure the TCP multiline syslog protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for your log source.


5. Click Save.

6. On the Admin tab, click Deploy Changes.
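The start/end splitting that the Event Start Pattern and Event End Pattern parameters describe, shown as an added example (not JSA code): the Windows event from above, a second constructed event of the same shape and an unfinished third event are cut out of one constructed TCP stream using an assumed start pattern (the time stamp line) and an assumed end pattern (the Destination Port line), in each of the three modes the table allows; the incomplete tail is held back rather than emitted as a truncated event.

```python
import re

# Constructed sample stream: the Windows event from the guide, a second
# constructed event of the same shape, and the first two lines of a third
# event that has not finished arriving, concatenated as one TCP stream.
SAMPLE_STREAM = """06/13/2012 08:15:15 PM
Log Name=Security
Source Name=Microsoft Windows security auditing.
Event Code=5156
Event Type=0
Task Category=Filtering Platform Connection
Keywords=Audit Success
Message=The Windows Filtering Platform permitted a connection.
Process ID: 4
Application Name: System
Direction: Inbound
Source Address: 1.1.1.1
Source Port: 80
Destination Address: 1.1.1.12
Destination Port: 444
06/13/2012 08:15:16 PM
Log Name=Security
Source Name=Microsoft Windows security auditing.
Event Code=5157
Message=The Windows Filtering Platform has blocked a connection.
Source Address: 1.1.1.5
Destination Port: 445
06/13/2012 08:15:17 PM
Log Name=Security
"""

# Assumed patterns for the sample; each is matched against one line at a time.
START_PATTERN = r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$"
END_PATTERN = r"^Destination Port: \d+$"


def split_events(stream, start_pattern=None, end_pattern=None):
    """Cut a multiline stream into single events.

    With only a start pattern, an event runs from one start line up to the line
    before the next start; with only an end pattern, from the line after the
    previous end through the end line; with both, from start through end.
    Returns (events, remainder): remainder holds the lines of an event that is
    still incomplete, which a stream reader keeps for the next read instead of
    emitting a truncated event.
    """
    if start_pattern is None and end_pattern is None:
        raise ValueError("an Event Start Pattern or an Event End Pattern is required")
    start_re = re.compile(start_pattern) if start_pattern else None
    end_re = re.compile(end_pattern) if end_pattern else None
    events, current = [], []
    for line in stream.splitlines():
        if start_re is not None and start_re.search(line):
            # a new start closes whatever was being collected
            if current:
                events.append("\n".join(current))
            current = [line]
            continue
        current.append(line)
        if end_re is not None and end_re.search(line):
            events.append("\n".join(current))
            current = []
    return events, "\n".join(current)


if __name__ == "__main__":
    for label, kwargs in (
        ("start pattern only", {"start_pattern": START_PATTERN}),
        ("end pattern only", {"end_pattern": END_PATTERN}),
        ("both patterns", {"start_pattern": START_PATTERN, "end_pattern": END_PATTERN}),
    ):
        events, remainder = split_events(SAMPLE_STREAM, **kwargs)
        print(f"{label}: {len(events)} complete events, "
              f"{len(remainder.splitlines())} buffered lines")
```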

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the TLS Syslog Protocol on page 89.

• Configuring the Juniper Security Binary Log Collector Protocol on page 92.

• Configuring the UDP Multiline Syslog Protocol on page 94.

• Configuring the VMware vCloud Director Protocol on page 100.

• Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 102.

Configuring the VMware vCloud Director Protocol

The VMware vCloud Director protocol provides log sources the ability to use the VMware API to collect events from the VMware vCloud Director virtual environments.

Table 34 on page 100 describes the parameters of the VMware vCloud Director protocol.

Table 34: VMware vCloud Director Protocol Parameters

Log Source Name
  Type a unique name of the log source.

Log Source Description
  Optional. Type a description for the log source.

Log Source Type
  From the list, select the type of log source to add.

Protocol Configuration
  From the list, select VMware vCloud Director.

Log Source Identifier
  Type an IPv4 address or host name to identify the log source that created the events.

vCloud URL
  Type the URL configured on the VMware vCloud appliance to access the REST API.
  The URL must match the address that is configured as the VCD public REST API base URL on the vCloud Server.
  For example, https://1.1.1.1.

User Name
  Type the user name that is required to remotely access the vCloud Server.
  For example, console/user@organization.
  To configure a read-only account to use with the vCloud Director protocol, administrators can create a user in the organization with console Access Only permission.

Password
  Confirm the password that is required to remotely access the vCloud Server.


Table 34: VMware vCloud Director Protocol Parameters (continued)

Polling Interval
  Type a polling interval, which is the amount of time between queries to the vCloud Server for new events.
  The default polling interval is 10 seconds.

Enabled
  Select this check box to enable the log source.
  When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.
  Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
  The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events.
  Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
  When this check box is clear, events are viewed individually and events are not bundled.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events that are generated by the log source.
  The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source.
  This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).


Table 34: VMware vCloud Director Protocol Parameters (continued)

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:
  • Parsing enhancement: Select this option when most fields parse correctly for your log source.
  • Parsing override: Select this option when the log source is unable to correctly parse events.

Groups
  Select one or more groups for the log source.

To configure the VMware vCloud Director protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for the log source. JSA provides step-by-step instructions to configure each log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the TLS Syslog Protocol on page 89.

• Configuring the Juniper Security Binary Log Collector Protocol on page 92.

• Configuring the UDP Multiline Syslog Protocol on page 94.

• Configuring the TCP Multiline Syslog Protocol on page 97.

• Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 102.

Configuring the IBM® Tivoli® Endpoint Manager SOAP Protocol

The IBM Tivoli Endpoint Manager SOAP protocol retrieves Log Extended Event Format (LEEF) formatted events from IBM® Tivoli® Endpoint Manager appliances.

This protocol requires IBM Tivoli Endpoint Manager versions V8.2.x or above and the Web Reports application for Tivoli Endpoint Manager.

The Tivoli Endpoint Manager SOAP protocol retrieves events in 30-second intervals over HTTP or HTTPS. As events are retrieved, the IBM Tivoli Endpoint Manager DSM parses and categorizes the events.

Table 35: IBM Tivoli Endpoint Manager SOAP Protocol Parameters

Log Source Name
  Type a unique name of the log source.


Table 35: IBM Tivoli Endpoint Manager SOAP Protocol Parameters (continued)

Log Source Description
  Optional. Type a description for the log source.

Log Source Type
  From the list, select a log source type.

Protocol Configuration
  From the list, select IBM Tivoli Endpoint Manager SOAP.

Log Source Identifier
  Type the IP address or host name of the network device forwarding encrypted syslog.

Use HTTPS
  Select this check box to connect to your IBM Tivoli Endpoint Manager with HTTPS.
  If a certificate is required to connect with HTTPS, administrators must copy any certificates that are required to the following directory: /opt/qradar/conf/trusted_certificates.
  Certificates with the following file extensions are supported: .crt, .cert, or .der.
  Administrators must copy certificates to the trusted certificates directory before the log source is saved and deployed.

SOAP Port
  Type the port number used to connect to the IBM Tivoli Endpoint Manager using the SOAP API.
  By default, port 80 is the port number for communicating with IBM Tivoli Endpoint Manager.
  If administrators use HTTPS, the port field must be updated appropriately.
  Most configurations use port 443 for HTTPS communications.

Username
  Type the username required to access IBM Tivoli Endpoint Manager.

Password
  Type the password required to access IBM Tivoli Endpoint Manager.

Confirm Password
  Confirm the password to access IBM Tivoli Endpoint Manager.

Enabled
  Select this check box to enable the log source.
  When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.
  Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
  The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.


Table 35: IBM Tivoli Endpoint Manager SOAP Protocol Parameters (continued)

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events.
  Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
  When this check box is clear, events are viewed individually and events are not bundled.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events that are generated by the log source.
  The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source.
  This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:
  • Parsing enhancement: Select this option when most fields parse correctly for your log source.
  • Parsing override: Select this option when the log source is unable to correctly parse events.

Groups
  Select one or more groups for the log source.

To configure the IBM Tivoli Endpoint Manager SOAP protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for the log source.

   Administrators should copy certificates to the trusted certificates directory before the log source is saved and deployed.

5. Click Save.

6. On the Admin tab, click Deploy Changes.


Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the TLS Syslog Protocol on page 89.

• Configuring the Juniper Security Binary Log Collector Protocol on page 92.

• Configuring the UDPMultiline Syslog Protocol on page 94.

• Configuring the TCPMultiline Syslog Protocol on page 97.

• Configuring the VMware vCloud Director Protocol on page 100.


CHAPTER 4

Grouping Log Sources

This chapter includes the following sections:

• Grouping Log Source Overview on page 107

• Viewing Log Source Groups on page 108

• Assigning a Log Source to a Group on page 108

• Creating a Log Source Group on page 109

• Editing a Log Source Group on page 109

• Copying a Log Source to Another Group on page 110

• Removing a Log Source From a Group on page 110

Grouping Log Source Overview

Administrators can create log source groups to categorize their log sources by type, location, or functionality.

Administrators can create and manage multiple levels of log source groups to help users efficiently search for events. Log source groups are named associations that administrators create to categorize log sources. Each group can contain a maximum of 1,000 log sources. Auto-discovered log sources are assigned to a generic log source group. Log source groups for bulk log sources are created automatically when administrators add bulk log sources.

Related Documentation

• Viewing Log Source Groups on page 108.

• Assigning a Log Source to a Group on page 108.

• Creating a Log Source Group on page 109.

• Editing a Log Source Group on page 109.

• Copying a Log Source to Another Group on page 110.

• Removing a Log Source From a Group on page 110.


Viewing Log Source Groups

Administrators can sort the list of log sources to view the log sources that are assigned to a group.

To view the log source groups:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. From the Search For list, select the log source group.

4. Click Go.

The log source list refreshes to show log sources associated to the group.

Related Documentation

• Grouping Log Source Overview on page 107.

• Assigning a Log Source to a Group on page 108.

• Creating a Log Source Group on page 109.

• Editing a Log Source Group on page 109.

• Copying a Log Source to Another Group on page 110.

• Removing a Log Source From a Group on page 110.

Assigning a Log Source to a Group

Administrators can use the assign feature to move one or more log sources from one group to another. The assign feature can also be used to quickly assign a log source to multiple groups. Auto-discovered log sources often require a new group assignment, because all auto-discovered log sources are categorized in a generic group.

To assign a log source to a group:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Select one or more log sources to assign to a group.

4. Click Assign.

5. Select a group for the log source.

6. Click Assign Groups.

The log sources are reassigned to the group selected by the administrator.

Related Documentation

• Grouping Log Source Overview on page 107.

• Viewing Log Source Groups on page 108.

• Creating a Log Source Group on page 109.

• Editing a Log Source Group on page 109.

• Copying a Log Source to Another Group on page 110.

• Removing a Log Source From a Group on page 110.

Creating a Log Source Group

Administrators can create log source groups to organize the list of log sources for users. A log source can belong to multiple groups at the same time, and administrators can create multiple levels of log source groups.

To create a log source group:

1. Click the Admin tab.

2. Click the Log Source Groups icon.

3. Click New Group.

4. Click Go.

The log source list refreshes with a list of log sources based on the group you selected.

Related Documentation

• Grouping Log Source Overview on page 107.

• Viewing Log Source Groups on page 108.

• Assigning a Log Source to a Group on page 108.

• Editing a Log Source Group on page 109.

• Copying a Log Source to Another Group on page 110.

• Removing a Log Source From a Group on page 110.

Editing a Log Source Group

Administrators can sort the list of log sources to view the log sources that are assigned to a group.

To edit a log source group:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. From the Search For list, select the log source group.

4. Click Go.

The log source list refreshes to show log sources associated to the group.

Related Documentation

• Grouping Log Source Overview on page 107.

• Viewing Log Source Groups on page 108.

• Assigning a Log Source to a Group on page 108.

• Creating a Log Source Group on page 109.

• Copying a Log Source to Another Group on page 110.

• Removing a Log Source From a Group on page 110.

Copying a Log Source to Another Group

Administrators can copy a log source to add it to one or more other groups.

To copy a log source to another group:

1. Click the Admin tab.

2. Click the Log Source Groups icon.

3. Select the name of a group to view a list of log sources.

4. Select the log source to copy to a new group.

5. Click Copy.

6. Select the new group for the log source. This selection can includemultiple groups.

7. Click Assign Groups.

The log source is assigned to the groups selected by the administrator.

Related Documentation

• Grouping Log Source Overview on page 107.

• Viewing Log Source Groups on page 108.

• Assigning a Log Source to a Group on page 108.

• Creating a Log Source Group on page 109.

• Editing a Log Source Group on page 109.

• Removing a Log Source From a Group on page 110.

Removing a Log Source From a Group

Administrators can remove a log source from a group when the group assignment is no longer required.

To remove a log source from a group:

1. Click the Admin tab.

2. Click the Log Source Groups icon.

3. Select the name of a group to view a list of log sources.

4. Select the log source to remove from the group.


5. Click Remove.

6. Click OK.

The log source is removed from the group.

Related Documentation

• Grouping Log Source Overview on page 107.

• Viewing Log Source Groups on page 108.

• Assigning a Log Source to a Group on page 108.

• Creating a Log Source Group on page 109.

• Editing a Log Source Group on page 109.

• Copying a Log Source to Another Group on page 110.


CHAPTER 5

Adding Log Source Parsing Order

This chapter includes the following sections:

• Log Source Parsing Order Overview on page 113

• Adding a Log Source Parsing Order on page 113

Log Source Parsing Order Overview

Administrators can assign an order to prioritize the events parsed by the target event collector assigned to the log source.

Administrators can order the importance of the log sources by defining the parsing order for log sources that share a common IP address or host name. Defining the parsing order ensures that those log sources are tried in a specific order, regardless of changes to the log source configuration. The parsing order ensures that system performance is not affected by changes to log source configuration, because it prevents unnecessary parsing, and it ensures that lower-priority log sources are not tried before a more important log source that shares the same address.
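As an added illustration of the parsing order described above (example code written for this page, not part of JSA): the log source names, regular expressions and syslog events below are constructed, and the dispatch rule simply tries a host's log sources in their configured order, with the first parser that accepts an event winning. Running it shows the two effects the overview describes: a catch-all log source placed first takes every event from the host, and placing the highest-volume log source first reduces the number of parse attempts.

```python
"""Model of log source parsing order for log sources that share one IP address.

Added example, not JSA code: the parsers are stand-ins for DSMs, the events
are constructed, and the dispatch rule (try the host's log sources in their
configured order, the first parser that accepts the event wins) is the
behaviour this chapter describes rather than the collector's implementation.
"""
import re
from collections import Counter

# Constructed events that all arrive from one host, 10.0.0.9, which is
# configured with three log sources: sshd, nginx and a generic syslog catch-all.
EVENTS = [
    "<38>Jan 12 10:00:01 app1 sshd[4121]: Accepted publickey for alice from 10.0.0.5 port 50122",
    "<38>Jan 12 10:00:02 app1 sshd[4122]: Failed password for root from 198.51.100.7 port 4022",
    '<14>Jan 12 10:00:03 app1 nginx: 198.51.100.7 - - "GET /admin HTTP/1.1" 403 162',
    '<14>Jan 12 10:00:04 app1 nginx: 10.0.0.5 - - "GET /index.html HTTP/1.1" 200 1024',
    '<14>Jan 12 10:00:05 app1 nginx: 10.0.0.5 - - "GET /app.js HTTP/1.1" 200 5120',
    '<14>Jan 12 10:00:06 app1 nginx: 198.51.100.7 - - "GET /.env HTTP/1.1" 404 153',
    "<86>Jan 12 10:00:07 app1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
]

# Stand-in DSMs: each log source accepts an event when its regex matches.
LOG_SOURCES = {
    "LinuxOS sshd": re.compile(r" sshd\[\d+\]: "),
    "nginx access": re.compile(r" nginx: "),
    "Generic syslog": re.compile(r"^<\d+>\w{3} +\d+ \d\d:\d\d:\d\d \S+ "),  # anything syslog-shaped
}


def dispatch(events, order):
    """Assign each event to the first log source in `order` whose parser accepts it.

    Returns (assignment, attempts): which log source took each event (None when
    no parser accepted it, i.e. the event would be Stored) and how many parse
    attempts each log source made.
    """
    assignment, attempts = {}, Counter()
    for event in events:
        for name in order:
            attempts[name] += 1
            if LOG_SOURCES[name].search(event):
                assignment[event] = name
                break
        else:
            assignment[event] = None
    return assignment, attempts


def volume(assignment):
    """Events per log source, to check that the order attributes events correctly."""
    return dict(Counter(assignment.values()))


def parse_cost(order):
    """Total parse attempts over EVENTS under one ordering."""
    return sum(dispatch(EVENTS, order)[1].values())


if __name__ == "__main__":
    for order in (["Generic syslog", "LinuxOS sshd", "nginx access"],   # catch-all first: steals everything
                  ["LinuxOS sshd", "nginx access", "Generic syslog"],   # correct, but low-volume source first
                  ["nginx access", "LinuxOS sshd", "Generic syslog"]):  # correct, highest volume first
        assignment, attempts = dispatch(EVENTS, order)
        print(order, volume(assignment), "attempts:", sum(attempts.values()))
```

With the catch-all first every event is attributed to "Generic syslog", so the sshd and nginx log sources never see their own events; with the specific sources first the attribution is correct, and ordering them by volume (nginx before sshd) costs 11 parse attempts instead of 13 for the same seven events.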

Related Documentation

• Adding a Log Source Parsing Order on page 113.

Adding a Log Source Parsing Order

Administrators can assign an order to prioritize the events parsed by the target event collector assigned to the log source.

To add a log source parsing order:

1. Click the Admin tab.

2. Click the Log Source Parsing Ordering icon.

3. Select a log source based on the IP address or host name.

4. Optional. From the Selected Event Collector list, select the Event Collector to define the log source parsing order.

5. Optional. From the Log Source Host list, select a log source.

6. Prioritize the log source parsing order.

7. Click Save.

Related Documentation

• Log Source Parsing Order Overview on page 113.

CHAPTER 6

Managing Log Source Extensions

This chapter includes the following sections:

• Log Source Extensions Overview on page 115

• Viewing the Status of a Log Source Extension on page 116

• Adding a Log Source Extension on page 117

• Editing a Log Source Extension on page 118

• Copying a Log Source Extension on page 119

• Enabling or Disabling a Log Source Extension on page 121

• Deleting a Log Source Extension on page 121

Log Source Extensions Overview

Log source extensions can be created by administrators to extend or modify the parsing routines of specific devices.

A log source extension is an XML file that includes all of the regular expression patterns required to identify and categorize events from the event payload. Extension files can be used to parse all events when a device support module (DSM) does not exist, or when an administrator needs to correct a parsing issue or override the default parsing for an event from a DSM. An extension can provide event support when no DSM exists to parse events for an appliance or security device in your network. The Log Activity tab identifies log source events in three basic types:

1. Log sources that properly parse the event. Events that are properly parsed by the system are assigned to the proper log source type and categorized correctly. In this case, no intervention or extension is required.

2. Log sources that parse events, but include Unknown events. Unknown events are log source events where the log source type is identified, but the payload information cannot be understood by the DSM. The system is unable to determine an event identifier from the available information to properly categorize the event. In this case, the event can be mapped to a category from the Log Activity tab, or a log source extension can be written to repair the event parsing for unknown events.

3. Log sources that cannot identify the log source type and mark the event as a Stored event. Stored events require administrators to update their DSM files or write a log source extension to properly parse the event. After the event parses, the administrator can then map the events in the Log Activity tab.

Before a log source extension is added, the administrator must create the extension document. The extension document is an XML document that can be created with any common word processing or text editing application. Multiple extension documents can be created, uploaded, and associated with various log source types. The format of the extension document must conform to a standard XML schema document (XSD). To develop an extension document, knowledge of and experience with XML coding is required.

Related Documentation

• Viewing the Status of a Log Source Extension on page 116.

• Adding a Log Source Extension on page 117.

• Editing a Log Source Extension on page 118.

• Copying a Log Source Extension on page 119.

• Enabling or Disabling a Log Source Extension on page 121.

• Deleting a Log Source Extension on page 121.

Viewing the Status of a Log Source Extension

Administrators can view a list of log source extensions, with the description, status, and log source types assigned to each extension.

Table 36: Log Source Extension Parameters describes the parameters in the user interface when an administrator views the status of a log source extension.

Table 36: Log Source Extension Parameters

Parameter / Description

Extension Name
The name of the log source extension. Administrators can click the name of the extension to download the XML file for the log source extension.

Description
The description for the log source extension. The description must not exceed 255 characters.

Enabled
A value of True indicates that the extension is enabled and the parsing patterns are active for the log source. False indicates that the log source extension is currently disabled.

Defaults for Log Source Type
The log source extension applies parsing from the extension XML file to all Log Source Types listed in this column. This includes auto-discovered log sources that match the Log Source Type specified. A value of None indicates that the extension is uploaded, but not associated with a log source type.


To view the status of a log source extension:

1. Click the Admin tab.

2. Click the Log Source Extensions icon.

3. Review the status of your log source extensions.

Related Documentation

• Log Source Extensions Overview on page 115.

• Adding a Log Source Extension on page 117.

• Editing a Log Source Extension on page 118.

• Copying a Log Source Extension on page 119.

• Enabling or Disabling a Log Source Extension on page 121.

• Deleting a Log Source Extension on page 121.

Adding a Log Source Extension

Administrators can add a log source extension by uploading an extension XML document and associating it with one or more log source types. Enabled log source extensions are listed in the Status column as True; disabled log source extensions are listed as False.

To add a log source extension:

1. Click the Admin tab.

2. Click the Log Source Extensions icon.

3. Click Add.

4. Type a name for the log source extension.

5. Optional. Type a description for the log source extension.

6. From the Use Condition list, select one of the following options:

Parsing Enhancement
Select this option when the device support module (DSM) correctly parses most fields for the log source. The incorrectly parsed field values are enhanced with the new XML values. This is the default setting.

Parsing Override
Select this option when the device support module (DSM) is unable to parse correctly. The log source extension completely overrides the failed parsing by the DSM and substitutes the parsing with the new XML values.

7. From the Log Source Types list, configure the following:

Available
Select the log source types to add to or remove from the extension parsing. Administrators can add or remove extensions from a log source type.

Set to default for
When a log source extension is set to default for a log source type, any new log sources of the same Log Source Type use the assigned log source extension. This includes auto-discovered log sources.

8. Click Browse to locate your log source extension XML document.

9. Click Upload. The contents of the log source extension are displayed so that you can confirm that the proper extension file is uploaded. The extension file is evaluated against the XSD for errors when the file is uploaded.

10. Click Save.

If the extension file does not contain any errors, the new log source extension is created and enabled. It is possible to upload a log source extension without applying the extension to a log source. Any change to the status of an extension is applied immediately, and managed hosts or consoles enforce the new event parsing parameters in the log source extension.

On the Log Activity tab, verify the parsing patterns for events to ensure that the parsing is applied correctly to your events. If the log source still categorizes events as Stored, the parsing pattern in the log source extension requires adjustment. The administrator can review the extension file against log source events to locate any event parsing issues.
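The following added example (written for this page; it is not JSA code and not the product's parser) ties together the three event states from the chapter overview, the Parsing Enhancement versus Parsing Override use conditions, and the verification step above. The DSM is a stand-in, the events are constructed, and the extension document's element names (device-extension, pattern, match-group, matcher, event-match-single) follow the QRadar/JSA extension format as far as I know it; this guide does not spell that schema out, so treat those details as an assumption and rely on the XSD check at upload time for a real document.

```python
"""Log source extension (LSX) model: Parsed, Unknown and Stored events under
Parsing Enhancement versus Parsing Override.

Added example, not JSA code. The DSM is a stand-in, the events are constructed,
and the extension document's element names follow the QRadar/JSA extension
format as the author of this example knows it (an assumption).
"""
import re
import xml.etree.ElementTree as ET
from collections import namedtuple

# Constructed syslog payloads from a fictional "acmeos" appliance.
SAMPLE_EVENTS = [
    "<134>Jan 12 10:01:02 fw1 acmeos: action=login user=alice src=10.0.0.5 result=success",
    "<134>Jan 12 10:01:03 fw1 acmeos: action=login user=mallory src=198.51.100.7 result=failure",
    "<134>Jan 12 10:01:04 fw1 acmeos: action=config-change user=alice object=policy/42",
    "<134>Jan 12 10:01:05 fw1 acmeos: heartbeat ok",
]

# Stand-in DSM: extracts an event name and user name, but only knows the "login"
# identifier and cannot tell a failed login from a successful one.
DSM_PATTERNS = {"EventName": re.compile(r"action=([\w-]+)"),
                "UserName": re.compile(r"user=(\S+)")}
DSM_EVENT_MAP = {"login": ("Authentication", 3)}   # event name -> (category, severity)

# Constructed extension document (schema is an assumption, see the docstring).
EXTENSION_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<device-extension xmlns="event_parsing/device_extension">
  <pattern id="LoginWithResult" xmlns=""><![CDATA[action=(login)\b.*\bresult=(\w+)]]></pattern>
  <pattern id="AnyAction" xmlns=""><![CDATA[action=([\w-]+)]]></pattern>
  <pattern id="SrcIp" xmlns=""><![CDATA[\bsrc=(\d{1,3}(?:\.\d{1,3}){3})]]></pattern>
  <match-group order="1" description="acmeos repair" xmlns="">
    <matcher field="EventName" order="1" pattern-id="LoginWithResult" capture-group="$1-$2" enable-substitutions="true"/>
    <matcher field="EventName" order="2" pattern-id="AnyAction" capture-group="1"/>
    <matcher field="SourceIp" order="1" pattern-id="SrcIp" capture-group="1"/>
    <event-match-single event-name="login-success" device-event-category="Authentication" severity="3"/>
    <event-match-single event-name="login-failure" device-event-category="Authentication" severity="7"/>
    <event-match-single event-name="config-change" device-event-category="Audit" severity="5"/>
  </match-group>
</device-extension>
"""

# capture is a group number, or a "$1-$2" template when substitute is true.
Matcher = namedtuple("Matcher", "field order pattern_id capture substitute")


def load_extension(xml_text):
    """Compile the patterns and collect matchers and event mappings from an extension document."""
    root = ET.fromstring(xml_text)   # child elements declare xmlns="", so their tags are plain
    patterns = {p.get("id"): re.compile(p.text) for p in root.iter("pattern")}
    matchers, event_map = [], {}
    for group in root.iter("match-group"):
        for m in group.findall("matcher"):
            matchers.append(Matcher(m.get("field"), int(m.get("order")), m.get("pattern-id"),
                                    m.get("capture-group"), m.get("enable-substitutions") == "true"))
        for e in group.findall("event-match-single"):
            event_map[e.get("event-name")] = (e.get("device-event-category"), int(e.get("severity")))
    matchers.sort(key=lambda m: (m.field, m.order))   # per field, lowest order is tried first
    return patterns, matchers, event_map


def extension_fields(ext, payload):
    """Run the matchers against one payload; per field, the first matcher that hits wins."""
    patterns, matchers, _ = ext
    fields = {}
    for m in matchers:
        if m.field in fields:
            continue
        hit = patterns[m.pattern_id].search(payload)
        if hit is None:
            continue
        if m.substitute:
            fields[m.field] = re.sub(r"\$(\d+)", lambda g: hit.group(int(g.group(1))) or "", m.capture)
        else:
            fields[m.field] = hit.group(int(m.capture))
    return fields


def classify(payload, ext=None, use_condition="enhancement"):
    """Return (state, fields); state is Parsed, Unknown or Stored, as shown on the Log Activity tab."""
    dsm = {f: m.group(1) for f, rx in DSM_PATTERNS.items() if (m := rx.search(payload))}
    if ext is None:
        fields, event_map = dsm, DSM_EVENT_MAP
    elif use_condition == "override":      # the extension replaces the DSM parsing entirely
        fields, event_map = extension_fields(ext, payload), ext[2]
    else:                                  # enhancement: DSM values, extension values on top
        fields = {**dsm, **extension_fields(ext, payload)}
        event_map = {**DSM_EVENT_MAP, **ext[2]}
    name = fields.get("EventName")
    if name is None:
        return "Stored", fields            # nothing identified the event: the patterns need work
    if name not in event_map:
        return "Unknown", fields           # identified, but no event identifier to categorize it
    fields["Category"], fields["Severity"] = event_map[name]
    return "Parsed", fields


def summarize(ext=None, use_condition="enhancement"):
    """States of all sample events under one parsing configuration."""
    return [classify(p, ext, use_condition)[0] for p in SAMPLE_EVENTS]


if __name__ == "__main__":
    ext = load_extension(EXTENSION_XML)
    print("DSM only:   ", summarize())                 # ['Parsed', 'Parsed', 'Unknown', 'Stored']
    print("enhancement:", summarize(ext))              # ['Parsed', 'Parsed', 'Parsed', 'Stored']
    print("override:   ", summarize(ext, "override"))  # same states, but UserName is no longer captured
```

With the DSM alone the config-change event is Unknown (the name is extracted but there is no identifier for it) and the heartbeat line is Stored. Applied as a Parsing Enhancement, the extension turns config-change into a Parsed Audit event and gives failed logins their own event name and severity, while the heartbeat line stays Stored, which is exactly the signal the verification step describes: the extension's patterns do not cover it yet. Parsing Override yields the same states but loses UserName, because the extension never captures it and the DSM's values are discarded; that is the practical reason to prefer enhancement when most fields already parse.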

Related Documentation

• Log Source Extensions Overview on page 115.

• Viewing the Status of a Log Source Extension on page 116.

• Editing a Log Source Extension on page 118.

• Copying a Log Source Extension on page 119.

• Enabling or Disabling a Log Source Extension on page 121.

• Deleting a Log Source Extension on page 121.

Editing a Log Source Extension

Log source extension files must be edited in an external editor. Administrators can edit a log source extension to modify the name or upload a new extension file to replace an existing log source extension.

To edit a log source extension:

1. Click the Admin tab.

2. Click the Log Source Extensions icon.

3. Click Edit.

4. Edit the name or any other configuration parameters.

5. Click Browse to locate your log source extension XML document.

6. Click Upload. The log source extension is uploaded and the contents are displayed. Administrators can review or replace the extension before they save the changes.

7. Click Save.

The updated log source extension is saved and enabled. It is possible to upload a log source extension without applying the extension to a log source. Any change to the status of an extension is applied immediately to the log source, and managed hosts or consoles enforce the new event parsing parameters in the log source extension.

On the Log Activity tab, verify the parsing patterns for events to ensure that the parsing is applied correctly to your events. If the log source still categorizes events as Stored, the parsing pattern in the log source extension requires adjustment. The administrator can review the extension file against log source events to locate any event parsing issues.

Related Documentation

• Log Source Extensions Overview on page 115.

• Viewing the Status of a Log Source Extension on page 116.

• Adding a Log Source Extension on page 117.

• Copying a Log Source Extension on page 119.

• Enabling or Disabling a Log Source Extension on page 121.

• Deleting a Log Source Extension on page 121.

Copying a Log Source Extension

Administrators can copy a log source extension to create a new extension based on an existing one. Enabled log source extensions are listed in the Status column as True; disabled log source extensions are listed as False.

To copy a log source extension:

1. Click the Admin tab.

2. Click the Log Source Extensions icon.

3. Select a log source extension.

4. Click Copy.


5. Type a name for the log source extension.

6. Optional. Type a description for the log source extension.

7. From the Use Condition list, select one of the following options:

Parsing Enhancement
Select this option when the device support module (DSM) correctly parses most fields for the log source. The incorrectly parsed field values are enhanced with the new XML values. This is the default setting.

Parsing Override
Select this option when the device support module (DSM) is unable to parse correctly. The log source extension completely overrides the failed parsing by the DSM and substitutes the parsing with the new XML values.

8. From the Log Source Types list, configure the following:

Available
Select the log source types to add to or remove from the extension parsing. Administrators can add or remove extensions from a log source type.

Set to default for
When a log source extension is set to default for a log source type, any new log sources of the same Log Source Type use the assigned log source extension. This includes auto-discovered log sources.

9. Click Browse to locate your log source extension XML document.

10. Click Upload. The contents of the log source extension are displayed so that you can confirm that the proper extension file is uploaded. The extension file is evaluated against the XSD for errors when the file is uploaded.

11. Click Save.

If the extension file does not contain any errors, the copied log source extension is created and enabled. Any change to the status of an extension is applied immediately, and managed hosts or consoles enforce the new event parsing parameters in the log source extension.

On the Log Activity tab, verify the parsing patterns for events to ensure that the parsing is applied correctly to your events. If the log source still categorizes events as Stored, the parsing pattern in the log source extension requires adjustment. The administrator can review the extension file against log source events to locate any event parsing issues.

Related Documentation

• Log Source Extensions Overview on page 115.

• Viewing the Status of a Log Source Extension on page 116.

• Adding a Log Source Extension on page 117.

• Editing a Log Source Extension on page 118.

• Enabling or Disabling a Log Source Extension on page 121.

• Deleting a Log Source Extension on page 121.

Enabling or Disabling a Log Source Extension

Administrators can enable or disable a log source extension. Enabled log source extensions are listed in the Status column as True. Disabled log source extensions are listed in the Status column as False.

To enable or disable a log source extension:

1. Click the Admin tab.

2. Click the Log Source Extensions icon.

3. From the list of log source extensions, select the log source extension that you want to enable or disable.

4. Click Enable/Disable.

The Status column is updated with the current status of the log source extension. Any change to the status of an extension is applied immediately to the log source, and managed hosts or consoles enforce the new event parsing parameters in the log source extension.

Related Documentation

• Log Source Extensions Overview on page 115.

• Viewing the Status of a Log Source Extension on page 116.

• Adding a Log Source Extension on page 117.

• Editing a Log Source Extension on page 118.

• Copying a Log Source Extension on page 119.

• Deleting a Log Source Extension on page 121.

Deleting a Log Source Extension

Administrators can delete a log source extension to remove any event parsing enhancements or overrides for a log source. If an administrator deletes a log source extension, the parsing changes are applied immediately to the incoming events for the log source.

To delete a log source extension:

1. Click the Admin tab.

2. Click the Log Source Extensions icon.

3. From the list of log source extensions, select the log source extension that you want to delete.

4. Click Delete.

5. Click Yes to confirm the deletion of the extension.

New events are written to disk based on the default patterns of the device support module (DSM), or on those of another extension that might be applied to the log source.

RelatedDocumentation

• Log Source Extensions Overview on page 115

• Viewing the Status of a Log Source Extension on page 116.

• Adding a Log Source Extension on page 117.

• Editing a Log Source Extension on page 118.

• Copying a Log Source Extension on page 119.

• Enabling or Disabling a Log Source Extension on page 121.


PART 2

Index

• Index on page 125


Index

Symbols
#, comments in configuration statements, ix
( ), in syntax descriptions, ix
< >, in syntax descriptions, ix
[ ], in configuration statements, ix
{ }, in configuration statements, ix
| (pipe), in syntax descriptions, ix

B
braces, in configuration statements, ix
brackets
    angle, in syntax descriptions, ix
    square, in configuration statements, ix

C
comments, in configuration statements, ix
conventions
    text and syntax, viii
curly braces, in configuration statements, ix
customer support, x
    contacting JTAC, x

D
documentation
    comments on, ix

F
font conventions, viii

M
manuals
    comments on, ix

P
parentheses, in syntax descriptions, ix

S
support, technical. See technical support
syntax conventions, viii

T
technical support
    contacting JTAC, x