Juniper Secure Analytics
Log Sources Users Guide
Release 2014.1
Modified: 2017-01-04
Copyright © 2017, Juniper Networks, Inc.
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Copyright © 2017, Juniper Networks, Inc. All rights reserved.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Juniper Secure Analytics Log Sources Users Guide
Copyright © 2017, Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Table of Contents
About the Documentation (page vii)
  Documentation and Release Notes (page vii)
  Documentation Conventions (page vii)
  Documentation Feedback (page ix)
  Requesting Technical Support (page x)
    Self-Help Online Tools and Resources (page x)
    Opening a Case with JTAC (page x)
Part 1: Juniper Secure Analytics Log Sources
Chapter 1: Installing Protocols (page 3)
  Installing Protocols (page 3)
Chapter 2: Managing Log Sources (page 5)
  Log Sources Overview (page 6)
  Viewing the Status of a Log Source (page 6)
  Adding a Log Source (page 7)
  Editing Log Source (page 9)
  Enabling or Disabling a Log Source (page 11)
  Adding Bulk Log Sources (page 12)
  Editing Bulk Log Sources (page 15)
  Deleting a Log Source (page 17)
Chapter 3: Managing Protocol Configuration (page 19)
  Protocol Configuration Overview (page 20)
  Configuring the Syslog Protocol (page 20)
  Configuring the JDBC Protocol (page 23)
  Configuring the JDBC SiteProtector Protocol (page 27)
  Configuring the Sophos Enterprise Console JDBC Protocol (page 31)
  Configuring the Juniper Networks NSM Protocol (page 36)
  Configuring the OPSEC/LEA Protocol (page 38)
  Configuring the SDEE Protocol (page 41)
  Configuring the SNMPv1 Protocol (page 44)
  Configuring the SNMPv2 Protocol (page 46)
  Configuring the SNMPv3 Protocol (page 49)
  Configuring the Sourcefire Defense Center Estreamer Protocol (page 51)
  Configuring the Log File Protocol (page 54)
  Configuring the Microsoft Security Event Log Protocol (page 59)
  Configuring the Microsoft Security Event Log Custom Protocol (page 62)
  Configuring the Microsoft DHCP Protocol (page 65)
  Configuring the Microsoft Exchange Protocol (page 68)
  Configuring the Microsoft IIS Protocol (page 71)
  Configuring the SMB Tail Protocol (page 74)
  Configuring the EMC VMware Protocol (page 77)
  Configuring the Oracle Database Listener Protocol (page 79)
  Configuring the Cisco NSEL Protocol (page 82)
  Configuring the PCAP Syslog Combination Protocol (page 84)
  Configuring the Forwarded Protocol (page 86)
  Configuring the TLS Syslog Protocol (page 89)
  Configuring the Juniper Security Binary Log Collector Protocol (page 92)
  Configuring the UDP Multiline Syslog Protocol (page 94)
  Configuring the TCP Multiline Syslog Protocol (page 97)
  Configuring the VMware vCloud Director Protocol (page 100)
  Configuring the IBM® Tivoli® Endpoint Manager SOAP Protocol (page 102)
Chapter 4: Grouping Log Sources (page 107)
  Grouping Log Source Overview (page 107)
  Viewing Log Source Groups (page 108)
  Assigning a Log Source to a Group (page 108)
  Creating a Log Source Group (page 109)
  Editing a Log Source Group (page 109)
  Copying a Log Source to Another Group (page 110)
  Removing a Log Source From a Group (page 110)
Chapter 5: Adding Log Source Parsing Order (page 113)
  Log Source Parsing Order Overview (page 113)
  Adding a Log Source Parsing Order (page 113)
Chapter 6: Managing Log Source Extensions (page 115)
  Log Source Extensions Overview (page 115)
  Viewing the Status of a Log Source Extension (page 116)
  Adding a Log Source Extension (page 117)
  Editing a Log Source Extension (page 118)
  Copying a Log Source Extension (page 119)
  Enabling or Disabling a Log Source Extension (page 121)
  Deleting a Log Source Extension (page 121)
Part 2: Index
  Index (page 125)
List of Tables
About the Documentation (page vii)
  Table 1: Notice Icons (page viii)
  Table 2: Text and Syntax Conventions (page viii)
Part 1: Juniper Secure Analytics Log Sources
Chapter 2: Managing Log Sources (page 5)
  Table 3: Console Settings (page 7)
  Table 4: Log Source Parameters (page 9)
  Table 5: Bulk Log Source Parameters (page 12)
  Table 6: Bulk Edit Log Source Parameters (page 15)
Chapter 3: Managing Protocol Configuration (page 19)
  Table 7: Syslog Protocol Parameters (page 20)
  Table 8: JDBC Protocol Parameters (page 23)
  Table 9: JDBC - SiteProtector Protocol Parameters (page 27)
  Table 10: Sophos Enterprise Console JDBC Protocol Parameters (page 32)
  Table 11: Juniper Networks NSM Protocol Parameters (page 36)
  Table 12: OPSEC/LEA Protocol Parameters (page 38)
  Table 13: SDEE Protocol Parameters (page 42)
  Table 14: SNMPv1 Protocol Parameters (page 44)
  Table 15: SNMPv2 Protocol Parameters (page 47)
  Table 16: SNMPv3 Protocol Parameters (page 49)
  Table 17: Sourcefire Defense Center Estreamer Protocol Parameters (page 52)
  Table 18: Log File Protocol Parameters (page 54)
  Table 19: Microsoft Security Event Log Protocol Parameters (page 60)
  Table 20: Microsoft Security Event Log Protocol Parameters (page 63)
  Table 21: Microsoft DHCP Protocol Parameters (page 65)
  Table 22: Microsoft Exchange Protocol Parameters (page 68)
  Table 23: Microsoft IIS Protocol Parameters (page 72)
  Table 24: SMB Tail Protocol Parameters (page 74)
  Table 25: EMC VMware Protocol Parameters (page 77)
  Table 26: Oracle Database Listener Protocol Parameters (page 79)
  Table 27: Cisco NSEL Protocol Parameters (page 82)
  Table 28: PCAP Syslog Combination Protocol Parameters (page 84)
  Table 29: Forwarded Protocol Parameters (page 87)
  Table 30: TLS Syslog Protocol Parameters (page 89)
  Table 31: Juniper Security Binary Log Collector Protocol Parameters (page 92)
  Table 32: UDP Multiline Syslog Protocol Parameters (page 94)
  Table 33: TCP Multiline Syslog Protocol Parameters (page 97)
  Table 34: VMware vCloud Director Protocol Parameters (page 100)
  Table 35: IBM Tivoli Endpoint Manager SOAP Protocol Parameters (page 102)
Chapter 6: Managing Log Source Extensions (page 115)
  Table 36: Log Source Extension Parameters (page 116)
About the Documentation
• Documentation and Release Notes on page vii
• Documentation Conventions on page vii
• Documentation Feedback on page ix
• Requesting Technical Support on page x
Documentation and Release Notes
To obtain the most current version of all Juniper Networks® technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.
Documentation Conventions
Table 1 on page viii defines notice icons used in this guide.
Table 1: Notice Icons
Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.
Tip: Indicates helpful information.
Best practice: Alerts you to a recommended use or implementation.
Table 2 on page viii defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions
Bold text like this: Represents text that you type.
  Example: To enter configuration mode, type the configure command:
  user@host> configure
Fixed-width text like this: Represents output that appears on the terminal screen.
  Example:
  user@host> show chassis alarms
  No alarms currently active
Italic text like this: Introduces or emphasizes important new terms; identifies guide names; identifies RFC and Internet draft titles.
  Examples:
  • A policy term is a named structure that defines match conditions and actions.
  • Junos OS CLI User Guide
  • RFC 1997, BGP Communities Attribute
Italic text like this: Represents variables (options for which you substitute a value) in commands or configuration statements.
  Example: Configure the machine’s domain name:
  [edit]
  root@# set system domain-name domain-name
Text like this: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
  Examples:
  • To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
  • The console port is labeled CONSOLE.
< > (angle brackets): Encloses optional keywords or variables.
  Example: stub <default-metric metric>;
| (pipe symbol): Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
  Examples:
  broadcast | multicast
  (string1 | string2 | string3)
# (pound sign): Indicates a comment specified on the same line as the configuration statement to which it applies.
  Example: rsvp { # Required for dynamic MPLS only
[ ] (square brackets): Encloses a variable for which you can substitute one or more values.
  Example: community name members [community-ids]
Indention and braces ( { } ): Identifies a level in the configuration hierarchy.
  Example:
  [edit]
  routing-options {
      static {
          route default {
              nexthop address;
              retain;
          }
      }
  }
; (semicolon): Identifies a leaf statement at a configuration hierarchy level.
GUI Conventions
Bold text like this: Represents graphical user interface (GUI) items you click or select.
  Examples:
  • In the Logical Interfaces box, select All Interfaces.
  • To cancel the configuration, click Cancel.
> (bold right angle bracket): Separates levels in a hierarchy of menu selections.
  Example: In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:
• Online feedback rating system—On any page of the Juniper Networks TechLibrary site
at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content,
and use the pop-up form to provide us with information about your experience.
Alternately, you can use the online feedback form at
http://www.juniper.net/techpubs/feedback/.
• E-mail—Send your comments to [email protected]. Include the document
or topic name, URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or Partner Support Service
support contract, or are covered under warranty, and need post-sales technical support,
you can access our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: http://www2.juniper.net/kb/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications:
http://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html.
PART 1
Juniper Secure Analytics Log Sources
• Installing Protocols on page 3
• Managing Log Sources on page 5
• Managing Protocol Configuration on page 19
• Grouping Log Sources on page 107
• Adding Log Source Parsing Order on page 113
• Managing Log Source Extensions on page 115
CHAPTER 1
Installing Protocols
This chapter describes the following sections:
• Installing Protocols on page 3
Installing Protocols
You can download and install a Juniper Secure Analytics (JSA) protocol.
To install JSA protocols:
1. Download the protocol file from Juniper Customer Support:
http://www.juniper.net/support/downloads
2. Copy the protocol file to your JSA console.
3. Using SSH, log in to the JSA host as the root user.
4. Navigate to the directory that includes the downloaded file.
5. Extract the contents of the file if they are compressed.
6. Type the following command:
rpm -Uvh <filename>
Where <filename> is the name of the downloaded file. For example:
PROTOCOL-WinCollectMicrosoftIAS-7.2-605867.noarch.rpm.
7. Log in to JSA.
https://<IP Address>
Where <IP Address> is the IP address of the JSA console or Event Collector.
8. On the Admin tab, click Deploy Changes.
The installation is complete.
Related Documentation
• Log Sources Management on page 6
• Adding a Log Source on page 7
CHAPTER 2
Managing Log Sources
This chapter describes the following sections:
• Log Sources Overview on page 6
• Viewing the Status of a Log Source on page 6
• Adding a Log Source on page 7
• Editing Log Source on page 9
• Enabling or Disabling a Log Source on page 11
• Adding Bulk Log Sources on page 12
• Editing Bulk Log Sources on page 15
• Deleting a Log Source on page 17
Log Sources Overview
Administrators can manage log sources from the Admin tab. Log sources are a list of
external appliances that provide events to Juniper Secure Analytics (JSA).
References to JSA apply to all products capable of collecting log source information.
Products that support log sources include Log Analytics.
Log sources provide JSA the ability to collect, understand, and properly categorize events
from external sources. A log source is a generic term for any external source that provides
event information to JSA. A log source can be any type of network appliance, operating
system, database, or security product that generates events for JSA. For example, a
firewall or intrusion detection system might provide security-based events, whereas
switches or routers might provide network-based events. JSA can read and interpret
events from more than 300 log sources. Each log source in JSA contains a device support
module (DSM). The DSM software contains the event patterns that are required to
identify and parse events for a log source. Updated event patterns to parse new events
and update your system are provided through weekly auto updates.
Log sources can be created manually by an administrator or automatically discovered
by JSA. Auto discovery means that JSA can detect and create a log source from events
without manual configuration. Many log sources can be automatically discovered by JSA.
Before you configure a log source, you must review and understand how the device,
appliance, or software sends events to JSA. To review step-by-step configuration
instructions for devices and the associated log source, see the Juniper Secure Analytics
Administration Guide.
To manage log sources in JSA, perform the following tasks:
• “Viewing the Status of a Log Source” on page 6.
• “Adding a Log Source” on page 7.
• “Editing Log Source” on page 9.
• “Adding Bulk Log Sources” on page 12.
• “Editing Bulk Log Sources” on page 15.
• “Enabling or Disabling a Log Source” on page 11.
• “Deleting a Log Source” on page 17.
Viewing the Status of a Log Source
You can view the status of a log source to determine if your device is sending events to
Juniper Secure Analytics.
To view the status of a log source:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Review the Status column to determine the status of your log sources.
For example, log sources that do not send an event within 720 minutes display an error in the Status column. Log sources that display N/A are log sources that have been bulk added.
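The status rule above (an error after 720 minutes of silence, N/A for bulk-added log sources) is the check a SOC wants to automate, because a log source that has gone quiet is a blind spot rather than a clean bill of health. This is an added example that models that rule over a constructed inventory; it is not JSA code, and the inventory records, the "OK" label and the report time are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Threshold stated in the guide: no event within 720 minutes -> error in the Status column.
STALE_AFTER = timedelta(minutes=720)

# Constructed inventory (not real JSA data): last event seen per log source and whether
# the log source was bulk added. last_event is None when no event was ever received.
INVENTORY = [
    {"name": "fw-edge01", "last_event": datetime(2017, 1, 4, 9, 0, tzinfo=timezone.utc), "bulk_added": False},
    {"name": "dc01", "last_event": datetime(2017, 1, 3, 8, 0, tzinfo=timezone.utc), "bulk_added": False},
    {"name": "sw-core", "last_event": None, "bulk_added": False},
    {"name": "branch-rtr-17", "last_event": None, "bulk_added": True},
]

# Assumed reporting time for the demonstration below.
REPORT_TIME = datetime(2017, 1, 4, 12, 0, tzinfo=timezone.utc)


def log_source_status(last_event, bulk_added, now):
    """Return the Status column value for one log source.

    Bulk-added log sources always show N/A. A log source that has never sent an
    event, or whose last event is older than STALE_AFTER, shows Error. "OK" is an
    assumed label for the healthy case; the guide does not name it.
    """
    if bulk_added:
        return "N/A"
    if last_event is None or now - last_event > STALE_AFTER:
        return "Error"
    return "OK"


def status_report(inventory, now):
    """Map every log source name to its Status column value."""
    return {
        src["name"]: log_source_status(src["last_event"], src["bulk_added"], now)
        for src in inventory
    }


def silent_log_sources(inventory, now):
    """Sorted names of log sources in Error state: the collection gaps to chase first."""
    return sorted(name for name, status in status_report(inventory, now).items() if status == "Error")


if __name__ == "__main__":
    for name, status in status_report(INVENTORY, REPORT_TIME).items():
        print(f"{name:15s} {status}")
    print("silent:", silent_log_sources(INVENTORY, REPORT_TIME))
```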
Related Documentation
• Log Sources Management on page 6.
• Adding a Log Source on page 7.
• Editing Log Source on page 9.
• Adding Bulk Log Sources on page 12.
• Editing Bulk Log Sources on page 15.
• Enabling or Disabling a Log Source on page 11.
• Deleting a Log Source on page 17.
Adding a Log Source
Administrators can add a log source to receive events from your network devices or
appliances. Before a log source is manually added, the administrator can determine if
the device supports automatic discovery.
Table 3 describes the parameters of the log source fields.
Table 3: Console Settings
Log Source Name: Type a unique name for the log source.
Log Source Description: Optional. Type a description for the log source.
Log Source Type: From the list, select the type of log source to add.
Protocol Configuration: From the list, select the protocol configuration for the log source.
The protocol defines how Juniper Secure Analytics attempts to communicate with the log source. Protocols can either listen for events or they can initiate communication to a log source to collect events. The protocol options that are available for each log source are determined by the Log Source Type.
Juniper Secure Analytics provides step-by-step instructions to configure each log source.
Log Source Identifier: Type an IPv4 address or hostname to identify the log source that created the events.
If your network contains multiple devices that are attached to a management console, specify the IP address of the individual device that created the event. A unique identifier for each, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.
Enabled: Select this check box to enable the log source.
When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.
Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.
Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Store Event Payload: Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Log Source Language: Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.
Log Source Extension: Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).
Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
• Parsing enhancement—Select this option when most fields parse correctly for the log source.
• Parsing override—Select this option when the log source is unable to correctly parse events.
Groups: Select one or more groups for the log source.
To add a log source:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source. Juniper Secure Analytics provides
step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
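Table 3 states a few rules that are easy to get wrong when log sources are added by script rather than through the Admin tab: the name must be unique, the identifier must be an IPv4 address or hostname of the device that actually produced the events (not the management console in front of it), credibility lies between 0 and 10 with a default of 5, and only enabled log sources count toward the license limit. This is an added example that checks a log source definition against those rules before it is submitted; it is not JSA code, and the LogSource fields, the sample sources and the type names are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hostname label rules (RFC 1123 style): 1-63 chars, letters, digits and hyphens,
# no leading or trailing hyphen, whole name at most 253 characters.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(\.{_LABEL})*$")
# Anything shaped like a dotted quad is judged as an IPv4 address, never as a hostname.
DOTTED_QUAD_RE = re.compile(r"^\d+(\.\d+){3}$")


@dataclass
class LogSource:
    """Subset of the Table 3 fields (assumed structure, not a JSA API)."""
    name: str
    log_source_type: str
    protocol_configuration: str
    identifier: str              # IPv4 address or hostname of the device that created the events
    enabled: bool = True
    credibility: int = 5         # guide: 0 (lowest) to 10 (highest), default 5
    coalescing_events: bool = True
    store_event_payload: bool = True


def valid_identifier(identifier: str) -> bool:
    """Accept an IPv4 address or a hostname; reject malformed quads such as 10.0.0.300."""
    if DOTTED_QUAD_RE.match(identifier):
        try:
            ipaddress.IPv4Address(identifier)
            return True
        except ipaddress.AddressValueError:
            return False
    return HOSTNAME_RE.match(identifier) is not None


def validate(source: LogSource, existing_names: set) -> list:
    """Return the problems that would stop this log source from being saved."""
    errors = []
    if not source.name.strip():
        errors.append("Log Source Name is required")
    elif source.name in existing_names:
        errors.append(f"Log Source Name {source.name!r} is not unique")
    if not source.log_source_type or not source.protocol_configuration:
        errors.append("Log Source Type and Protocol Configuration are required")
    if not valid_identifier(source.identifier):
        errors.append(f"Log Source Identifier {source.identifier!r} is not an IPv4 address or hostname")
    if not 0 <= source.credibility <= 10:
        errors.append(f"Credibility {source.credibility} is outside the range 0-10")
    return errors


def licensed_count(sources) -> int:
    """Only enabled log sources count toward the license limit."""
    return sum(1 for s in sources if s.enabled)


def shared_identifiers(sources) -> dict:
    """Identifiers used by more than one log source.

    The usual cause is giving every device behind a management console the
    console's address, which makes searches attribute all events to the console.
    """
    by_id = {}
    for s in sources:
        by_id.setdefault(s.identifier, []).append(s.name)
    return {ident: names for ident, names in by_id.items() if len(names) > 1}


# Constructed sample definitions; the type names are placeholders, not JSA types.
SAMPLE_SOURCES = [
    LogSource("fw-edge01", "Firewall (constructed type)", "Syslog", "10.20.30.40"),
    LogSource("fw-edge02", "Firewall (constructed type)", "Syslog", "10.20.30.41", enabled=False),
    LogSource("ids-a", "IDS (constructed type)", "Syslog", "mgmt-console.example.com"),
    LogSource("ids-b", "IDS (constructed type)", "Syslog", "mgmt-console.example.com"),
]

if __name__ == "__main__":
    names = {s.name for s in SAMPLE_SOURCES}
    candidate = LogSource("fw-edge01", "Firewall (constructed type)", "Syslog", "10.0.0.300", credibility=11)
    for problem in validate(candidate, names):
        print("reject:", problem)
    print("licensed log sources:", licensed_count(SAMPLE_SOURCES))
    print("shared identifiers:", shared_identifiers(SAMPLE_SOURCES))
```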
Related Documentation
• Log Sources Management on page 6.
• Viewing the Status of a Log Source on page 6.
• Editing Log Source on page 9.
• Adding Bulk Log Sources on page 12.
• Editing Bulk Log Sources on page 15.
• Enabling or Disabling a Log Source on page 11.
• Deleting a Log Source on page 17.
Editing Log Source
You can edit a log source to update the configuration parameters for a network device,
appliance, or software. The Log Source Type and Protocol Configuration parameters
cannot be edited.
Table 4 on page 9 describes the editable parameters of the log source fields:
Table 4: Log Source Parameters
Log Source Name: Type a unique name of the log source.
Log Source Description: Optional. Type a description for the log source.
Log Source Identifier: Type an IPv4 address or hostname to identify the log source that created the events.
If your network contains multiple devices that are attached to a management console, you should specify the IP address of the individual device that created the event. A unique identifier for each, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.
Enabled: Select this check box to enable the log source.
When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.
Credibility: Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.
Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and events are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Store Event Payload: Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Log Source Language: Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.
Log Source Extension: Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).
Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
• Parsing enhancement—Select this option when most fields parse correctly for the log source.
• Parsing override—Select this option when the log source is unable to correctly parse events.
Groups: Select one or more groups for the log source.
To edit a log source:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Select a log source.
4. Click Edit.
5. Configure the parameters for your log source. JSA provides step-by-step instructions to configure each log source.
6. Click Save to update your log source configuration.
The log source is updated. Deploying changes is not required when you edit a log source.
Related Documentation
• Log Sources Management on page 6
• Viewing the Status of a Log Source on page 6
• Adding a Log Source on page 7
• Adding Bulk Log Sources on page 12
• Editing Bulk Log Sources on page 15
• Enabling or Disabling a Log Source on page 11
• Deleting a Log Source on page 17
Enabling or Disabling a Log Source
Administrators can enable or disable a log source to start or stop event collection. Bulk log sources cannot be enabled or disabled.
To enable or disable a log source:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Select the log source to enable or disable.
4. Click Enable/Disable.
When a log source is enabled, the Enabled column indicates true; when it is disabled, the column indicates false. Disabled log sources do not count against the log source limit assigned to the license. If an administrator cannot enable a log source, the system might have exceeded the log source license limit. Administrators can review the system notifications to determine if the number of log sources exceeds the license limit. When this occurs, administrators can disable low-priority log sources. If extra log source capacity is required, contact your sales representative.
Related Documentation
• Log Sources Management on page 6
• Viewing the Status of a Log Source on page 6
• Adding a Log Source on page 7
• Editing Log Source on page 9
• Adding Bulk Log Sources on page 12
• Editing Bulk Log Sources on page 15
• Deleting a Log Source on page 17
Adding Bulk Log Sources
Juniper Secure Analytics supports the ability to add up to 500 Windows-based or Universal DSM log sources in bulk. Bulk log sources share a common configuration and only differ by the IP address.
Table 5 describes the default parameters of the log source configuration. These
parameters might differ based on the Log Source Type selected:
Table 5: Bulk Log Source Parameters
Bulk Log Source Name: Type a unique name of the log source.
When you add a bulk log source, a log source group is created with the name you input into this field.
Log Source Type: From the list, select a log source type for your Windows-based log source or Universal DSM log source.
Protocol Configuration: From the list, select the protocol configuration for the log source.
The protocol defines how the system attempts to communicate with the log source. Protocols can either listen for events or they can initiate communication to a log source to collect events. The protocol options that are available for each log source are determined by the Log Source Type.
Juniper Secure Analytics provides step-by-step instructions to configure each log source.
Enabled: Select this check box to enable the log source.
When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.
Credibility: Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.
Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and events are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Store Event Payload: Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Log Source Language: Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.
Log Source Extension: Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).
Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
• Parsing enhancement—Select this option when most fields parse correctly for the log source.
• Parsing override—Select this option when the log source is unable to correctly parse events.
File Upload: Select this option to specify the location of a text file that contains a list of IP addresses or host names to bulk add.
The text file must contain one IP address or host name per line. Extra characters after an IP address, or host names longer than 255 characters, can result in a value being bypassed from the text file. The file upload lists a summary of all IP addresses or host names that were added as the bulk log source.
Domain Query: Select this option to search a domain for hosts to add as bulk log sources. To search a domain you must add the domain, username, and password before polling the domain for hosts to add. Click Query Domain to search for IP addresses or host names to add to the list.
• Domain Controller—Type the IP address of the domain controller.
• Full Domain Name—Type a valid domain name for your network.
Manual: Select this option to manually add an individual IP address or host name to the host list. Click Add Host to add an IP address or host name to the list.
Add: Clear the Add check box to exclude host names or IP addresses from the list of bulk log sources.
To add a bulk log source:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. From the Actions list, select Bulk Add.
4. Configure the parameters for the log source. Juniper Secure Analytics provides step-by-step instructions to configure each log source.
5. Click Save.
6. Click Continue to add the log sources.
7. On the Admin tab, click Deploy Changes.
The log sources are bulk added and a group is created for your bulk log sources.
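As an added example (not Juniper code), the following check applies the File Upload rules from Table 5 to a host list before it is uploaded: one IP address or host name per line, with a value bypassed when extra characters follow an IP address or a host name is longer than 255 characters. The hostname syntax rule and the duplicate check are assumptions added here, and the sample file is constructed.

```python
"""Pre-flight check for a JSA bulk log source File Upload host list.

Constructed example, not Juniper code. It applies the two rules the guide
states for the upload file (one IP address or host name per line; a value
is bypassed when extra characters follow an IP address or a host name is
longer than 255 characters). The hostname syntax rule and the duplicate
check are assumptions added here.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

MAX_HOSTNAME_LEN = 255  # limit stated in the guide

# Assumed hostname syntax: DNS labels of letters, digits and hyphens.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_IP_PREFIX = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(.+)$")


def _ip_with_trailing_text(value: str) -> bool:
    """True when the value is an IPv4 address followed by extra characters."""
    match = _IP_PREFIX.match(value)
    if not match:
        return False
    try:
        ipaddress.IPv4Address(match.group(1))
    except ValueError:
        return False
    return True


def classify_line(raw: str) -> Tuple[str, str]:
    """Return (status, value) for one line of the upload file.

    status is "ip", "host", "blank", or the reason the value is bypassed.
    """
    value = raw.strip()
    if not value:
        return "blank", value
    try:
        ipaddress.IPv4Address(value)
        return "ip", value
    except ValueError:
        pass
    if _ip_with_trailing_text(value):
        return "extra characters after IP address", value
    if len(value) > MAX_HOSTNAME_LEN:
        return "host name longer than 255 characters", value
    if not all(_LABEL.match(label) for label in value.split(".")):
        return "invalid host name syntax (assumed rule)", value
    return "host", value


def check_host_list(text: str) -> Dict[str, list]:
    """Split the file into accepted hosts and bypassed (line, value, reason) tuples."""
    accepted: List[str] = []
    bypassed: List[Tuple[int, str, str]] = []
    seen: Set[str] = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        status, value = classify_line(raw)
        if status == "blank":
            continue
        if status not in ("ip", "host"):
            bypassed.append((lineno, value, status))
            continue
        if value.lower() in seen:  # duplicate check is an added assumption
            bypassed.append((lineno, value, "duplicate of an earlier line"))
            continue
        seen.add(value.lower())
        accepted.append(value)
    return {"accepted": accepted, "bypassed": bypassed}


# Constructed sample upload file; the hosts are not from the guide.
SAMPLE_FILE = "\n".join([
    "10.1.2.3",
    "dc01.example.com",
    "10.1.2.4  # domain controller",       # trailing comment is bypassed
    "10.1.2.3",                            # duplicate of line 1
    "srv-" + "a" * 260 + ".example.com",   # over the 255-character limit
    "bad_host!.example.com",               # fails the assumed syntax rule
    "",                                    # blank lines are ignored
    "fileserver02",
])

if __name__ == "__main__":
    result = check_host_list(SAMPLE_FILE)
    print("accepted:", result["accepted"])
    for lineno, value, reason in result["bypassed"]:
        print(f"line {lineno}: bypassed ({reason}): {value[:40]}")
```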
Related Documentation
• Log Sources Management on page 6
• Viewing the Status of a Log Source on page 6
• Adding a Log Source on page 7
• Editing Log Source on page 9
• Enabling or Disabling a Log Source on page 11
• Editing Bulk Log Sources on page 15
• Deleting a Log Source on page 17
Editing Bulk Log Sources
Administrators can edit a log source in bulk to update the configuration parameters for
Windows-based log sources or Universal DSM log sources that were bulk added. The
Log Source Type and Protocol Configuration parameters cannot be edited in bulk.
Table 6 on page 15 describes the default parameters of the log source configuration.
These parameters might differ based on the Log Source Type selected:
Table 6: Bulk Edit Log Source Parameters
Bulk Log Source Name: Type a unique name of the log source.
When you add a bulk log source, a log source group is created with the name you input into this field.
Enabled: Select this check box to enable the log source.
When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.
Credibility: Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.
Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and events are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Store Event Payload: Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Log Source Language: Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.
Log Source Extension: Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).
Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
• Parsing enhancement—Select this option when most fields parse correctly for the log source.
• Parsing override—Select this option when the log source is unable to correctly parse events.
File Upload: Select this option to specify the location of a text file that contains a list of IP addresses or host names to bulk add.
The text file must contain one IP address or host name per line. Extra characters after an IP address, or host names longer than 255 characters, can result in a value being bypassed from the text file. The file upload lists a summary of all IP addresses or host names that were added as the bulk log source.
Domain Query: Select this option to search a domain for hosts to add as bulk log sources. To search a domain you must add the domain, username, and password before polling the domain for hosts to add. Click Query Domain to search for IP addresses or host names to add to the list.
• Domain Controller—Type the IP address of the domain controller.
• Full Domain Name—Type a valid domain name for your network.
Manual: Select this option to manually add an individual IP address or host name to the host list. Click Add Host to add an IP address or host name to the list.
Add: Clear the Add check box to exclude host names or IP addresses from the list of bulk log sources.
To edit a bulk log source:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Select a log source.
4. From the Actions list, select Bulk Edit.
5. Configure the parameters for the log source. JSA provides step-by-step instructions to configure each log source.
6. Click Save to update your log source configuration.
7. Click Continue to add the log sources.
8. Optional. On the Admin tab, click Deploy Changes if you added a new IP address or
host name to your bulk log source.
The bulk log source is updated.
Related Documentation
• Log Sources Management on page 6
• Viewing the Status of a Log Source on page 6
• Adding a Log Source on page 7
• Editing Log Source on page 9
• Enabling or Disabling a Log Source on page 11
• Adding Bulk Log Sources on page 12
• Deleting a Log Source on page 17
Deleting a Log Source
Administrators can delete a log source. Bulk log sources cannot be enabled or disabled.
Administrators can delete unwanted log sources to stop event collection for an external
device.
To delete a log source:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Select the log source to delete.
4. Click Delete.
The log source is deleted.
The event data for the log source is still available on your system. However, the data can be more difficult to locate when you search, because the index for the log source is deleted. If you want to retain the log source index reference, you can disable a log source instead of deleting it from your system. This enables you to continue to search for events by log source or log source group.
RelatedDocumentation
• Log Sources Management on page 6
• Viewing the Status of a Log Source on page 6.
• Adding a Log Source on page 7
• Editing Log Source on page 9.
• Enabling or Disabling a Log Source on page 11.
• Adding Bulk Log Sources on page 12.
• Editing Bulk Log Sources on page 15.
CHAPTER 3
Managing Protocol Configuration
This chapter describes the following sections:
• Protocol Configuration Overview on page 20
• Configuring the Syslog Protocol on page 20
• Configuring the JDBC Protocol on page 23
• Configuring the JDBC SiteProtector Protocol on page 27
• Configuring the Sophos Enterprise Console JDBC Protocol on page 31
• Configuring the Juniper Networks NSM Protocol on page 36
• Configuring the OPSEC/LEA Protocol on page 38
• Configuring the SDEE Protocol on page 41
• Configuring the SNMPv1 Protocol on page 44
• Configuring the SNMPv2 Protocol on page 46
• Configuring the SNMPv3 Protocol on page 49
• Configuring the Sourcefire Defense Center Estreamer Protocol on page 51
• Configuring the Log File Protocol on page 54
• Configuring the Microsoft Security Event Log Protocol on page 59
• Configuring the Microsoft Security Event Log Custom Protocol on page 62
• Configuring the Microsoft DHCP Protocol on page 65
• Configuring the Microsoft Exchange Protocol on page 68
• Configuring the Microsoft IIS protocol on page 71
• Configuring the SMB Tail Protocol on page 74
• Configuring the EMC VMware Protocol on page 77
• Configuring the Oracle Database Listener Protocol on page 79
• Configuring the Cisco NSEL Protocol on page 82
• Configuring the PCAP Syslog Combination Protocol on page 84
• Configuring the Forwarded Protocol on page 86
• Configuring the TLS Syslog Protocol on page 89
• Configuring the Juniper Security Binary Log Collector Protocol on page 92
• Configuring the UDP Multiline Syslog Protocol on page 94
• Configuring the TCP Multiline Syslog Protocol on page 97
• Configuring the VMware vCloud Director Protocol on page 100
• Configuring the IBM® Tivoli® Endpoint Manager SOAP Protocol on page 102
Protocol Configuration Overview
Log source protocols provide Juniper Secure Analytics (JSA) the ability to receive or actively collect log source events from external sources. Passive protocols listen for events on specific ports; active protocols leverage APIs or other communication methods to reach out to external systems to poll and retrieve events.
Before you configure a log source, you must review and understand how the device, appliance, or software sends events to JSA. For detailed protocol information and step-by-step configuration instructions for many devices, see the Juniper Secure Analytics Administration Guide.
To review protocol configuration parameters for your log source, select the protocol for
the device:
Related Documentation
• Configuring the Syslog Protocol on page 20
• Configuring the JDBC Protocol on page 23
• Configuring the JDBC - SiteProtector Protocol on page 27
• Configuring the Sophos Enterprise Console JDBC Protocol on page 31
• Configuring the Juniper Networks NSM Protocol on page 36
• Configuring the OPSEC/LEA Protocol on page 38
Configuring the Syslog Protocol
The Syslog protocol is the most common form of event collection. Juniper Secure Analytics (JSA) can passively listen for Syslog events on TCP or UDP port 514.
Table 7 on page 20 describes the parameters of the Syslog protocol.
Table 7: Syslog Protocol Parameters
Log Source Name: Type a unique name of the log source.
Log Source Description: Optional. Type a description for the log source.
Log Source Type: From the list, select the type of log source to add.
Protocol Configuration: From the list, select Syslog.
The protocol defines how JSA attempts to communicate with the log source. Protocols can either listen for events or they can initiate communication to a log source to collect events. The protocol options that are available for each log source are determined by the Log Source Type.
JSA provides step-by-step instructions to configure each log source.
Log Source Identifier: Type an IPv4 address or host name to identify the log source that created the events.
If the network contains multiple devices that are attached to a management console, administrators can specify the IP address of the individual device that created the event. A unique identifier for each, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.
Enabled: Select this check box to enable the log source.
When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.
Credibility: Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.
Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and events are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Store Event Payload: Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Log Source Language: Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.
Log Source Extension: Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).
Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
• Parsing enhancement—Select this option when most fields parse correctly for the log source.
• Parsing override—Select this option when the log source is unable to correctly parse events.
Groups: Select one or more groups for the log source.
To configure the syslog protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source. JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
Related Documentation
• Protocol Configuration Overview on page 20
• Configuring the JDBC Protocol on page 23
• Configuring the JDBC - SiteProtector Protocol on page 27
• Configuring the Sophos Enterprise Console JDBC Protocol on page 31
• Configuring the Juniper Networks NSM Protocol on page 36
• Configuring the OPSEC/LEA Protocol on page 38
• Configuring the SDEE Protocol on page 41
• Configuring the SNMPv1 Protocol on page 44
• Configuring the SNMPv2 Protocol on page 46
Configuring the JDBC Protocol
Log sources configured with the Java Database Connectivity (JDBC) protocol can remotely poll databases for events.
The JDBC protocol enables Juniper Secure Analytics (JSA) to collect information from
tables or views that contain event data from several database types.
Table 8 on page 23 describes the parameters of the JDBC protocol.
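Several Table 8 parameters depend on each other (the Log Source Identifier parts must match Database Name, IP or Hostname and Table Name; Port and Database Instance constrain each other for MSDE; Polling Interval accepts only seconds or an H or M suffix up to one week; a Select List must contain the Compare Field). The following added check, not Juniper code, encodes those rules so a configuration can be reviewed before it is saved and deployed; the field names are the Table 8 parameter names and the sample configurations are constructed.

```python
"""Consistency check for a JSA JDBC protocol log source configuration.

Constructed example, not Juniper code. It encodes the cross-field rules
Table 8 states: the Log Source Identifier is database@hostname or
table name|database@hostname and its parts must match Database Name,
IP or Hostname and Table Name; Port lies in the documented range and must
be blank when an MSDE Database Instance is used; a non-standard Port
requires a blank Database Instance; Polling Interval is seconds, or a
number with an H or M suffix, at most 1 week; a Select List other than *
must contain the Compare Field. Field names are the Table 8 parameter names.
"""
import re
from typing import Dict, List, Optional

# Default ports listed in Table 8 for each Database Type.
DEFAULT_PORTS = {"MSDE": 1433, "Postgres": 5432, "MySQL": 3306,
                 "Sybase": 1521, "Oracle": 1521, "Informix": 9088}
MAX_PORT = 65536                   # upper bound as the guide states it
MAX_POLL_SECONDS = 7 * 24 * 3600   # "maximum polling interval is 1 week"


def parse_identifier(identifier: str) -> Dict[str, Optional[str]]:
    """Split database@hostname or table name|database@hostname into parts."""
    table: Optional[str] = None
    rest = identifier
    if "|" in identifier:
        table, rest = identifier.split("|", 1)
        if not table:
            raise ValueError("table name before | must not be empty")
    if rest.count("@") != 1:
        raise ValueError("identifier must contain exactly one @")
    database, host = rest.split("@", 1)
    if not database or not host:
        raise ValueError("database and hostname are both required")
    return {"table": table, "database": database, "host": host}


def polling_interval_seconds(value: str) -> int:
    """Convert '10', '5M' or '2H' to seconds; raise if malformed or over 1 week."""
    match = re.fullmatch(r"(\d+)([HM]?)", value.strip())
    if not match:
        raise ValueError(f"malformed polling interval: {value!r}")
    seconds = int(match.group(1)) * {"": 1, "M": 60, "H": 3600}[match.group(2)]
    if seconds > MAX_POLL_SECONDS:
        raise ValueError("polling interval exceeds the 1 week maximum")
    return seconds


def check_jdbc_config(cfg: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the fields agree."""
    problems: List[str] = []
    try:
        parts = parse_identifier(cfg["Log Source Identifier"])
    except ValueError as exc:
        return [f"Log Source Identifier: {exc}"]
    if parts["database"] != cfg["Database Name"]:
        problems.append("database in identifier does not match Database Name")
    if parts["host"] != cfg["IP or Hostname"]:
        problems.append("hostname in identifier does not match IP or Hostname")
    if parts["table"] and parts["table"] != cfg.get("Table Name"):
        problems.append("table in identifier does not match Table Name")

    port = cfg.get("Port", "").strip()
    instance = cfg.get("Database Instance", "").strip()
    port_num = int(port) if port.isdigit() else None
    if port and (port_num is None or port_num > MAX_PORT):
        problems.append("Port is outside the documented range 0 to 65536")
    if port_num is not None and instance:
        if cfg["Database Type"] == "MSDE":
            problems.append("MSDE with a Database Instance requires a blank Port")
        elif port_num != DEFAULT_PORTS.get(cfg["Database Type"]):
            problems.append("non-standard Port requires a blank Database Instance")

    try:
        polling_interval_seconds(cfg.get("Polling Interval", "10"))
    except ValueError as exc:
        problems.append(f"Polling Interval: {exc}")

    select_list = cfg.get("Select List", "*").strip()
    if select_list != "*":
        fields = [f.strip() for f in select_list.split(",")]
        if cfg.get("Compare Field") not in fields:
            problems.append("Select List must contain the Compare Field")
    return problems


# Constructed sample configurations (database names and hosts are invented).
GOOD_CONFIG = {
    "Log Source Identifier": "audit_events|SecurityDB@db01.example.com",
    "Database Type": "MSDE", "Database Name": "SecurityDB",
    "IP or Hostname": "db01.example.com", "Port": "1433",
    "Database Instance": "", "Table Name": "audit_events",
    "Select List": "*", "Compare Field": "record_id",
    "Polling Interval": "5M",
}
BAD_CONFIG = {
    **GOOD_CONFIG,
    "Log Source Identifier": "SecurityDB@db01",   # host does not match
    "Database Instance": "SQLEXPRESS",            # instance plus Port on MSDE
    "Select List": "event_id, event_time",        # Compare Field missing
    "Polling Interval": "2W",                     # only H or M suffixes exist
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_jdbc_config(cfg) or "OK")
```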
Table 8: JDBC Protocol Parameters
DescriptionParameter
Type a unique name of the log source.Log Source Name
Optional. Type a description for the log source.Log Source Description
From the list, select the type of log source to add.Log Source Type
From the list, select JDBC.Protocol Configuration
Type the log source identifer in one of the following formats:
• database@hostname
• table name|database@hostname
The databasenamemust match the value of the Database Name parameter. The database nameis a required parameter.
The hostname is the hostname or IP address for the device that hosts the database. Thehostnamemust match the parameter in the IP or Hostnamefield. The hostname is a required parameter.
Optional. The table name is the name of the table or view on the database which contains theevent records. If you define the name of a table or view, youmust include a pipe ( | ) character as aseparator. The name of the view or table must match the Table Name field.
Log Source Identifier
From the list box, select the type of database that contains the events.Database Type
Type the nameof the database towhich the protocol can connect. The database namemustmatchthe database name specified in the Log Source Identifier field.
Database Name
Type the IP address or hostname of the database server.IP or Hostname
23Copyright © 2017, Juniper Networks, Inc.
Chapter 3: Managing Protocol Configuration
Table 8: JDBC Protocol Parameters (continued)
DescriptionParameter
Type the port number used by the database server. The default displayed depends on the selectedDatabase Type. The valid range is 0 to 65536. The defaults include:
• MSDE–1433
• Postgres–5432
• MySQL–3306
• Sybase–1521
• Oracle–1521
• Informix–9088
The JDBC port must match the listen port configured on the remote database. The databasemustpermit incoming TCP connections.
If a Database Instance is used with the MSDE database type, administrators must leave the Portparameter blank in the log source configuration.
Port
Type the database username. The username can be up to 255 alphanumeric characters in lengthand can include underscore (_) characters.
To track access to database access for audit purposes, administrators can create a create a specificuser on the database for JSA.
Username
Type the database password. The password can be up to 255 characters in length.Password
Confirm the password to access the database.Confirm Password
Type a domain for the database.
Adomainmustbeconfigured forMSDEdatabases thatarewithinaWindowsdomain. If yournetworkdoes not use a domain, leave this field blank.
Authentication Domain
Type the database instance, if required. MSDE databases can includemultiple SQL server instanceson one server.
When a non-standard port is used for the database or administrators have blocked access to port1434 for SQL database resolution, the Database Instance parametermust be blank in the log sourceconfiguration.
Database Instance
Optional. Select a predefineddatabase query for the log source. If a predefinedquery is not availablefor the log source type, administrators can select none.
Predefined Query
Type the name of the table or view that includes the event records.
The table name can include the following special characters: dollar sign ( $ ), number sign ( # ),underscore ( _ ), en dash ( - ), and period( . ).
Table Name
Type the list of fields to includewhen the table is polled for events. Administrators can use a commaseparated list or type * to select all fields from the table or view.
If a comma-separated list is defined, the list must contain the field defined in the Compare Field.
Select List
Copyright © 2017, Juniper Networks, Inc.24
Juniper Secure Analytics Log Sources Users Guide
Table 8: JDBC Protocol Parameters (continued)
DescriptionParameter
Compare Field
    Type a numeric value or timestamp field from the table or view that can identify new events added between queries to the table.
    This field enables the protocol to identify events that were previously polled, so that duplicate events are not created.

Use Prepared Statements
    Select this check box to use prepared statements.
    Prepared statements enable the JDBC protocol source to set up the SQL statement once and then execute it numerous times with different parameters. For security and performance reasons, most JDBC protocol configurations can use prepared statements.
    Clear this check box to use an alternative method of querying that does not use precompiled statements.

Start Date and Time
    Optional. Configure a start date and time for when the protocol can start to poll the database.
    If a start time is not defined, the protocol attempts to poll for events after the log source configuration is saved and deployed.

Polling Interval
    Type the polling interval, which is the amount of time between queries to the database. The default polling interval is 10 seconds.
    Administrators can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values without an H or M designator poll in seconds.

EPS Throttle
    Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The default value is 20000 EPS.

Use Named Pipe Communication
    If MSDE is configured as the database type, administrators can select this check box to use an alternative method to a TCP/IP port connection.
    Named pipe connections for MSDE databases require the username and password fields to contain a Windows authentication username and password, not the database username and password. The log source configuration must use the default named pipe on the MSDE database.

Database Cluster Name
    If the Use Named Pipe Communication check box is selected, the Database Cluster Name parameter is displayed.
    If you use your SQL Server in a cluster environment, define the cluster name to ensure that named pipe communications function properly.

Use NTLMv2
    Select the Use NTLMv2 check box to force MSDE connections to use the NTLMv2 protocol when communicating with SQL Servers that require NTLMv2 authentication. The default value of the check box is selected.
    The Use NTLMv2 check box does not interrupt communications for MSDE connections that do not require NTLMv2 authentication, so there is normally no reason to clear it.

Use SSL
    Select this check box to enable SSL encryption for the JDBC protocol. Without it, the polled event records, and for database authentication the credentials, are not protected in transit between JSA and the database server.

Enabled
    Select this check box to enable the log source.
    When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.
Credibility
    Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.
    Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
    Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
    The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
    Select this check box to enable the log source to coalesce (bundle) events.
    Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
    When this check box is clear, events are viewed individually and events are not bundled.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
    Select this check box to enable the log source to store the payload information from an event.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
    Select the language of the events that are generated by the log source.
    The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
    Optional. Select the name of the extension to apply to the log source.
    This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
    From the list box, select the use condition for the log source extension. The options include:
    • Parsing enhancement: Select this option when most fields parse correctly for the log source.
    • Parsing override: Select this option when the log source is unable to correctly parse events.

Groups
    Select one or more groups for the log source.
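The Compare Field, Select List and Use Prepared Statements parameters above describe how the protocol avoids re-collecting rows it has already polled. The following Python script is an added example, not code from this guide or from JSA: it simulates that polling loop against an in-memory sqlite3 table that stands in for the remote database, using the SiteProtector names from this guide (SensorData1, SensorDataRowID). The query shape, the check that a comma-separated Select List contains the Compare Field, and the allow-list for table names (the characters the guide permits, with a hyphen standing in for the dash) are assumptions made for the example; the guide does not show the SQL that JSA runs.

```python
import re
import sqlite3

# Characters the guide permits in a table name: alphanumerics plus $ # _ - .
# (assumption: hyphen-minus stands in for the guide's dash). Identifiers
# cannot be bound as prepared-statement parameters, so they are allow-listed
# before being spliced into the query text.
_TABLE_NAME_RE = re.compile(r"[A-Za-z0-9$#_.\-]+")
_FIELD_NAME_RE = re.compile(r"[A-Za-z0-9_]+")


def check_query_inputs(table, select_list, compare_field):
    """Return a list of problems with the identifiers; empty means safe to use."""
    problems = []
    if not _TABLE_NAME_RE.fullmatch(table):
        problems.append("table name %r uses characters outside alphanumerics and $ # _ - ." % table)
    if not _FIELD_NAME_RE.fullmatch(compare_field):
        problems.append("compare field %r is not a plain column name" % compare_field)
    if select_list.strip() != "*":
        fields = [f.strip() for f in select_list.split(",")]
        bad = [f for f in fields if not _FIELD_NAME_RE.fullmatch(f)]
        if bad:
            problems.append("select list contains invalid field names: %r" % bad)
        # The protocol reads the compare field back from each row to remember
        # where the previous poll stopped, so a comma-separated list must include it.
        if compare_field not in fields:
            problems.append("select list must include the compare field %r" % compare_field)
    return problems


def build_poll_query(table, select_list, compare_field):
    """Build the prepared statement that is reused for every poll.

    The only value that changes between polls is the last compare-field
    value seen, so it is the only thing bound as a parameter ('?').
    """
    problems = check_query_inputs(table, select_list, compare_field)
    if problems:
        raise ValueError("; ".join(problems))
    if select_list.strip() == "*":
        columns = "*"
    else:
        columns = ", ".join(f.strip() for f in select_list.split(","))
    return "SELECT %s FROM %s WHERE %s > ? ORDER BY %s" % (
        columns, table, compare_field, compare_field)


def poll_new_events(conn, table, select_list, compare_field, last_seen):
    """Run one poll and return (rows, new last_seen).

    Rows whose compare field is at or below last_seen were collected by an
    earlier poll and are skipped, which is how duplicates are avoided.
    """
    query = build_poll_query(table, select_list, compare_field)
    cur = conn.execute(query, (last_seen,))
    names = [d[0] for d in cur.description]
    rows = [dict(zip(names, r)) for r in cur.fetchall()]
    if rows:
        last_seen = rows[-1][compare_field]
    return rows, last_seen


def demo():
    """Three polls against a constructed in-memory table.

    Returns (rows from poll 1, rows from poll 2, rows from poll 3, final last_seen).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SensorData1 "
                 "(SensorDataRowID INTEGER PRIMARY KEY, AlertName TEXT)")
    conn.executemany("INSERT INTO SensorData1 (AlertName) VALUES (?)",
                     [("Port_Scan",), ("SQL_Injection",), ("Brute_Force",)])
    first, last_seen = poll_new_events(conn, "SensorData1", "*", "SensorDataRowID", 0)
    # Nothing new yet: the same rows are not returned a second time.
    second, last_seen = poll_new_events(conn, "SensorData1", "*", "SensorDataRowID", last_seen)
    conn.executemany("INSERT INTO SensorData1 (AlertName) VALUES (?)",
                     [("DNS_Tunnel",), ("Port_Scan",)])
    third, last_seen = poll_new_events(conn, "SensorData1", "*", "SensorDataRowID", last_seen)
    return len(first), len(second), len(third), last_seen


if __name__ == "__main__":
    print(demo())
```

Only the compare value is bound as a parameter; the table and column names cannot be, which is why they are allow-listed before being spliced into the statement. A real collector would also persist last_seen across restarts, which is the gap that the Start Date and Time parameter seeds on the first poll.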
To configure the JDBC protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source. The JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the Syslog Protocol on page 20.
• Configuring the JDBC - SiteProtector Protocol on page 27.
• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.
• Configuring the Juniper Networks NSM Protocol on page 36.
• Configuring the OPSEC/LEA Protocol on page 38.
Configuring the JDBC - SiteProtector Protocol
Log sources configured with the Java Database Connectivity (JDBC) - SiteProtector protocol can remotely poll IBM Proventia Management SiteProtector databases for events.
The JDBC - SiteProtector protocol combines information from the SensorData1 and SensorDataAVP1 tables in the creation of the log source payload. The SensorData1 and SensorDataAVP1 tables are located in the IBM Proventia Management SiteProtector database. The maximum number of rows that the JDBC - SiteProtector protocol can poll in a single query is 30,000 rows.
Table 9 on page 27 describes the parameters of the JDBC - SiteProtector protocol.
Table 9: JDBC - SiteProtector Protocol Parameters

Log Source Name
    Type a unique name for the log source.

Log Source Description
    Optional. Type a description for the log source.

Log Source Type
    From the list, select the type of log source to add.

Protocol Configuration
    From the list, select JDBC - SiteProtector.
Log Source Identifier
    Type the log source identifier in one of the following formats:
    • database@hostname
    • table name|database@hostname
    The database name must match the value of the Database Name parameter. The database name is a required parameter.
    The hostname is the hostname or IP address of the device that hosts the database. The hostname must match the value of the IP or Hostname parameter. The hostname is a required parameter.
    Optional. The table name is the name of the table or view on the database that contains the event records. If you define the name of a table or view, you must include a pipe (|) character as a separator. The name of the view or table must match the Table Name parameter.

Database Type
    From the list, select MSDE as the type of database to use for the event source.

Database Name
    Type RealSecureDB as the name of the database to which the protocol connects.

IP or Hostname
    Type the IP address or hostname of the database server.

Port
    Type the port number used by the database server. The default displayed depends on the selected Database Type. The valid range is 0 to 65535. The defaults include:
    • MSDE: 1433
    • Postgres: 5432
    • MySQL: 3306
    • Sybase: 1521
    • Oracle: 1521
    • Informix: 9088
    The JDBC - SiteProtector configuration port must match the listener port of the database. The database must have incoming TCP connections enabled.
    If you define a Database Instance with MSDE as the database type, you must leave the Port parameter blank in your log source configuration.

Username
    Type the database username. The username can be up to 255 alphanumeric characters in length and can include underscores (_).
    If you want to track access to the database by the JDBC protocol, you can create a specific user for your JSA system.

Password
    Type the database password. The password can be up to 255 characters in length.

Confirm Password
    Confirm the password to access the database.

Authentication Domain
    If you select MSDE and the database is within a Windows domain, you must define the Windows domain.
    If your network does not use a domain, leave this field blank.
Database Instance
    If you select MSDE and you have multiple SQL Server instances on one server, define the instance to which you want to connect.
    If you use a non-standard port in your database configuration, or have blocked access to port 1434 (which MSDE uses to resolve instance names), you must leave the Database Instance parameter blank in your configuration.

Predefined Query
    From the list, select a predefined database query for your log source. Predefined database queries are only available for special log source connections.

Table Name
    Type SensorData1.

AVP View Name
    Type SensorDataAVP.

Response View Name
    Type SensorDataResponse.

Select List
    Type * to include all fields from the table or view.

Compare Field
    Type SensorDataRowID to identify new events added between queries to the table.

Use Prepared Statements
    Select this check box to use prepared statements.
    Prepared statements allow the JDBC protocol source to set up the SQL statement once and then execute it numerous times with different parameters. For security and performance reasons, we recommend that you use prepared statements.
    Clear this check box to use an alternative method of querying that does not use precompiled statements.

Include Audit Events
    Select this check box to collect audit events from IBM SiteProtector.
    By default, this check box is clear.

Start Date and Time
    Optional. Configure a start date and time for when the protocol can start to poll the database.

Polling Interval
    Type the polling interval, which is the amount of time between queries to the event table. The default polling interval is 10 seconds.
    Administrators can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values without an H or M designator poll in seconds.

EPS Throttle
    Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The default value is 20000 EPS.

Use Named Pipe Communication
    If you select MSDE as the database type, select this check box to use an alternative method to a TCP/IP port connection.
    When administrators use a named pipe connection, the username and password must be the appropriate Windows authentication username and password, not the database username and password. The log source configuration must use the default named pipe.
Database Cluster Name
    If the Use Named Pipe Communication check box is selected, the Database Cluster Name parameter is displayed.
    Type the cluster name to ensure that named pipe communications function properly.

Use NTLMv2
    Select the Use NTLMv2 check box to force MSDE connections to use the NTLMv2 protocol when communicating with SQL Servers that require NTLMv2 authentication. The default value of the check box is selected.
    The Use NTLMv2 check box does not interrupt communications for MSDE connections that do not require NTLMv2 authentication.

Use SSL
    Select this check box to enable SSL encryption for the JDBC protocol.

Enabled
    Select this check box to enable the log source.
    When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
    Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.
    Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
    Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
    The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
    Select this check box to enable the log source to coalesce (bundle) events.
    Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
    When this check box is clear, events are viewed individually and events are not bundled.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
    Select this check box to enable the log source to store the payload information from an event.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Log Source Language
    Select the language of the events that are generated by the log source.
    The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
    Optional. Select the name of the extension to apply to the log source.
    This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
    From the list box, select the use condition for the log source extension. The options include:
    • Parsing enhancement: Select this option when most fields parse correctly for the log source.
    • Parsing override: Select this option when the log source is unable to correctly parse events.

Groups
    Select one or more groups for the log source.

To configure the JDBC - SiteProtector protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source. The JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the Syslog Protocol on page 20.
• Configuring the JDBC Protocol on page 23.
• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.
• Configuring the Juniper Networks NSM Protocol on page 36.
• Configuring the OPSEC/LEA Protocol on page 38.
• Configuring the SDEE Protocol on page 41.
Configuring the Sophos Enterprise Console JDBC Protocol
The Sophos Enterprise Console JDBC protocol can poll Sophos Enterprise Consoles for events.
The Sophos Enterprise Console JDBC protocol combines payload information from application control logs, device control logs, data control logs, tamper protection logs, and firewall logs in the vEvents Common Data table to provide events to Juniper Secure Analytics (JSA). If the Sophos Enterprise Console does not have the Sophos Reporting Interface, administrators can use the standard JDBC protocol to collect antivirus events.
Detailed configuration steps for Sophos Enterprise Consoles are provided in the JSA.
Table 10 on page 32 describes the parameters of the Sophos Enterprise Console JDBC protocol.
Table 10: Sophos Enterprise Console JDBC Protocol Parameters

Log Source Name
    Type a unique name for the log source.

Log Source Description
    Optional. Type a description for the log source.

Log Source Type
    From the list, select the type of log source to add.

Protocol Configuration
    From the list, select Sophos Enterprise Console JDBC.

Log Source Identifier
    Type the log source identifier in one of the following formats:
    • database@hostname
    • table name|database@hostname
    The database name must match the value of the Database Name parameter. The database name is a required parameter.
    The hostname is the host name or IP address of the device that hosts the database. The hostname must match the value of the IP or Hostname parameter. The host name is a required parameter.
    Optional. The table name is the name of the table or view on the database that contains the event records. If you define the name of a table or view, you must include a pipe (|) character as a separator. The name of the view or table must match the Table Name parameter.

Database Type
    From the list, select MSDE.

Database Name
    Type the name of the Sophos database.
    The database name must match the database name that is specified in the Log Source Identifier field.

IP or Hostname
    Type the IP address or host name of the database server.

Port
    Type the port number that is used by the database server. The default port for MSDE in Sophos Enterprise Console is 1168. The JDBC configuration port must match the listener port of the Sophos database. The Sophos database must have incoming TCP connections enabled to communicate with JSA.
    If a Database Instance is used with the MSDE database type, administrators must leave the Port parameter blank in the log source configuration.

Username
    Type the database user name. The user name can be up to 255 alphanumeric characters in length and can include underscore (_) characters.
Password
    Type the database password that is required to access the database.

Confirm Password
    Confirm the password to access the database.

Authentication Domain
    Type a domain for the database.
    A domain must be configured for MSDE databases that are within a Windows domain. If your network does not use a domain, leave this field blank.

Database Instance
    Type the database instance, if required. MSDE databases can include multiple SQL Server instances on one server.
    When a non-standard port is used for the database, or administrators block access to port 1434 (which MSDE uses to resolve instance names), the Database Instance parameter must be blank.

Table Name
    Type vEventsCommonData as the name of the table or view that includes the event records.
    The table name can include the following special characters: dollar sign ($), number sign (#), underscore (_), dash (-), and period (.).

Select List
    Type * for all fields from the table or view.

Compare Field
    Type InsertedAt to identify new events added between queries to the database table.

Use Prepared Statements
    Select this check box to use prepared statements.
    Prepared statements enable the protocol source to set up the SQL statement once and then execute it numerous times with different parameters. For security and performance reasons, most configurations can use prepared statements.
    Clear this check box to use an alternative method of querying that does not use precompiled statements.

Start Date and Time
    Optional. Configure a start date and time for when the protocol can start to poll the database.
    If a start time is not defined, the protocol attempts to poll for events after the log source configuration is saved and deployed.

Polling Interval
    Type the polling interval, which is the amount of time between queries to the database. The default polling interval is 10 seconds.
    Administrators can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values without an H or M designator poll in seconds.

EPS Throttle
    Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The default value is 20000 EPS.
Use Named Pipe Communication
    If MSDE is configured as the database type, administrators can select this check box to use an alternative method to a TCP/IP port connection.
    Named pipe connections for MSDE databases require the username and password fields to contain a Windows authentication username and password, not the database username and password. The log source configuration must use the default named pipe on the MSDE database.

Database Cluster Name
    If the Use Named Pipe Communication check box is selected, the Database Cluster Name parameter is displayed.
    If you use your SQL Server in a cluster environment, define the cluster name to ensure that named pipe communications function properly.

Use NTLMv2
    Select the Use NTLMv2 check box to force MSDE connections to use the NTLMv2 protocol when communicating with SQL Servers that require NTLMv2 authentication. The default value of the check box is selected.
    The Use NTLMv2 check box does not interrupt communications for MSDE connections that do not require NTLMv2 authentication.

Use SSL
    Select this check box to enable SSL encryption for the protocol.

Enabled
    Select this check box to enable the log source.
    When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
    Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.
    Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
    Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
    The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
    Select this check box to enable the log source to coalesce (bundle) events.
    Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
    When this check box is clear, events are viewed individually and events are not bundled.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Store Event Payload
    Select this check box to enable the log source to store the payload information from an event.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
    Select the language of the events that are generated by the log source.
    The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
    Optional. Select the name of the extension to apply to the log source.
    This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
    From the list box, select the use condition for the log source extension. The options include:
    • Parsing enhancement: Select this option when most fields parse correctly for the log source.
    • Parsing override: Select this option when the log source is unable to correctly parse events.
Groups
    Select one or more groups for the log source.
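The Log Source Identifier, Port, Database Instance and Polling Interval rules are stated the same way in Tables 8, 9 and 10. The following Python script is an added example, not part of this guide or of JSA: it turns those rules into a check that can be run over a proposed configuration before it is saved, parsing both identifier formats, cross-checking them against the Database Name, IP or Hostname and Table Name parameters, rejecting an MSDE configuration that sets both Port and Database Instance, and validating the polling interval syntax and its one-week maximum. The dictionary layout, the key names, and the sample host and database names are assumptions made for the example.

```python
import re

ONE_WEEK_SECONDS = 7 * 24 * 60 * 60
_UNIT_SECONDS = {"": 1, "M": 60, "H": 3600}


def parse_polling_interval(value):
    """Convert a Polling Interval string to seconds.

    A bare number polls in seconds; a trailing M means minutes and H means
    hours. Anything longer than one week is rejected, because the guide says
    the maximum is 1 week in any time format.
    """
    m = re.fullmatch(r"\s*(\d+)\s*([HhMm]?)\s*", value)
    if not m:
        raise ValueError("polling interval %r is not <number>[H|M]" % value)
    seconds = int(m.group(1)) * _UNIT_SECONDS[m.group(2).upper()]
    if seconds == 0 or seconds > ONE_WEEK_SECONDS:
        raise ValueError("polling interval %r is outside 1 second to 1 week" % value)
    return seconds


def parse_log_source_identifier(identifier):
    """Split 'database@hostname' or 'table name|database@hostname' into parts.

    Returns a dict with keys table (None when absent), database and hostname.
    """
    table = None
    rest = identifier
    if "|" in identifier:
        table, rest = identifier.split("|", 1)
    if rest.count("@") != 1:
        raise ValueError("identifier %r must contain exactly one '@'" % identifier)
    database, hostname = rest.split("@")
    if not database or not hostname or (table is not None and not table):
        raise ValueError("identifier %r has an empty component" % identifier)
    return {"table": table, "database": database, "hostname": hostname}


def check_log_source(cfg):
    """Return a list of inconsistencies in a JDBC-style log source configuration.

    cfg is a plain dict whose keys mirror the parameter names in the guide
    (assumption: this layout is the example's own, not a JSA data format).
    An empty list means the configuration satisfies every rule checked here.
    """
    problems = []
    ident = None
    try:
        ident = parse_log_source_identifier(cfg["log_source_identifier"])
    except ValueError as exc:
        problems.append(str(exc))
    if ident:
        if ident["database"] != cfg["database_name"]:
            problems.append("identifier database %r does not match Database Name %r"
                            % (ident["database"], cfg["database_name"]))
        if ident["hostname"] != cfg["ip_or_hostname"]:
            problems.append("identifier host %r does not match IP or Hostname %r"
                            % (ident["hostname"], cfg["ip_or_hostname"]))
        if ident["table"] is not None and ident["table"] != cfg["table_name"]:
            problems.append("identifier table %r does not match Table Name %r"
                            % (ident["table"], cfg["table_name"]))
    # For MSDE the guide makes Port and Database Instance alternatives: a named
    # instance is resolved through port 1434, so a fixed Port must be left blank.
    if cfg["database_type"] == "MSDE" and cfg.get("database_instance") and cfg.get("port"):
        problems.append("MSDE: leave Port blank when Database Instance is set, or clear the instance")
    try:
        parse_polling_interval(cfg["polling_interval"])
    except ValueError as exc:
        problems.append(str(exc))
    if not 0 <= int(cfg.get("credibility", 5)) <= 10:
        problems.append("credibility must be between 0 and 10")
    return problems


# Constructed sample configurations; host names and the Sophos database name are placeholders.
SITEPROTECTOR_OK = {
    "log_source_identifier": "SensorData1|RealSecureDB@siteprotector.example.net",
    "database_type": "MSDE",
    "database_name": "RealSecureDB",
    "ip_or_hostname": "siteprotector.example.net",
    "port": "1433",
    "database_instance": "",
    "table_name": "SensorData1",
    "polling_interval": "10",
    "credibility": 5,
}

SOPHOS_BAD = {
    "log_source_identifier": "SophosDB@10.0.0.5",
    "database_type": "MSDE",
    "database_name": "SophosDB",
    "ip_or_hostname": "10.0.0.6",      # does not match the identifier host
    "port": "1168",
    "database_instance": "SOPHOS",     # instance and port both set
    "table_name": "vEventsCommonData",
    "polling_interval": "8D",          # D is not a recognised designator
    "credibility": 5,
}

if __name__ == "__main__":
    for name, cfg in (("siteprotector", SITEPROTECTOR_OK), ("sophos", SOPHOS_BAD)):
        print(name, check_log_source(cfg) or "ok")
```

Each finding names the parameter to correct, which is the same information the Log Sources window gives only after a failed deploy; catching the host mismatch before Deploy Changes also avoids the case where the identifier silently labels events with a host that is not the one being polled.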
To configure the Sophos Enterprise Console JDBC protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source. The JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the Syslog Protocol on page 20.
• Configuring the JDBC Protocol on page 23.
• Configuring the JDBC - SiteProtector Protocol on page 27.
• Configuring the Juniper Networks NSM Protocol on page 36.
• Configuring the OPSEC/LEA Protocol on page 38.
• Configuring the SDEE Protocol on page 41.
Configuring the Juniper Networks NSM Protocol
The Juniper Networks Network and Security Manager (NSM) protocol accepts Juniper Networks NSM and Juniper Networks Secure Services Gateway (SSG) logs that the NSM server forwards to JSA. Detailed configuration steps are provided in the Juniper Secure Analytics (JSA).
Table 11: Juniper Networks NSM Protocol Parameters

Log Source Name
    Type a unique name for the log source.

Log Source Description
    Optional. Type a description for the log source.

Log Source Type
    From the list, select Juniper Networks Network and Security Manager.

Protocol Configuration
    From the list, select Juniper NSM.

Log Source Identifier
    Type an IP address, host name, or unique name to identify the log source.

IP
    Type the IP address or host name of the Juniper Networks NSM server.

Inbound Port
    Type the inbound port to which the Juniper Networks NSM sends events.
    The valid range is 0 to 65535. The default is 514.

Redirect Listen Port
    Type the port to which traffic is forwarded. The default is 516.

Use NSM Address for Log Source
    Select this check box to use the Juniper NSM management server IP address instead of the log source IP address. By default, the check box is selected.

Enabled
    Select this check box to enable the log source.
    When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
    Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.
    Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Target Event Collector
    Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
    The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
    Select this check box to enable the log source to coalesce (bundle) events.
    Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
    When this check box is clear, events are viewed individually and events are not bundled.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
    Select this check box to enable the log source to store the payload information from an event.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
    Select the language of the events that are generated by the log source.
    The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
    Optional. Select the name of the extension to apply to the log source.
    This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
    From the list box, select the use condition for the log source extension. The options include:
    • Parsing enhancement: Select this option when most fields parse correctly for the log source.
    • Parsing override: Select this option when the log source is unable to correctly parse events.

Groups
    Select one or more groups for the log source.
To configure the Juniper Networks NSM protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source. The JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the Syslog Protocol on page 20.
• Configuring the JDBC Protocol on page 23.
• Configuring the JDBC - SiteProtector Protocol on page 27.
• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.
• Configuring the OPSEC/LEA Protocol on page 38.
• Configuring the SDEE Protocol on page 41.
Configuring the OPSEC/LEA Protocol
The OPSEC/LEA protocol continuously polls for event data on port 18184.
Detailed configuration steps for each log source type are provided in the Juniper Secure Analytics (JSA).
Table 12: OPSEC/LEA Protocol Parameters

Log Source Name
  Type a unique name of the log source.

Log Source Description
  Optional. Type a description for the log source.

Log Source Type
  From the list, select a log source type.

Protocol Configuration
  From the list, select OPSEC/LEA.

Log
  Type an IP address, host name, or unique name to identify the log source.

Server IP
  Type the IP address or host name of the Juniper Networks NSM server.

Server Port
  Type the port used for OPSEC/LEA communication. The valid range is 0 to 65536.
  Administrators must verify that JSA can communicate on port 18184 to communicate with the OPSEC/LEA protocol.

Use Server IP for Log Source
  Select this check box if you want to use the LEA server's IP address instead of the managed device's IP address for a log source.
  By default, the check box is selected.

Statistics Report Interval
  Type the interval, in seconds, during which the number of syslog events are recorded in the qradar.log file.
  The valid range is 4 to 2,147,483,648.

Authentication Type
  From the list box, select the authentication type you want to use for this LEA configuration. The type selected must match the authentication method used by the server. The options include sslca, sslca_clear, or clear.

OPSEC Application Object SIC Attribute (SIC Name)
  Type the Secure Internal Communications (SIC) name of the OPSEC Application Object. The SIC name is the distinguished name (DN) of the application, for example: CN=LEA,o=fwconsole..7psasx. The name can be up to 255 characters in length and is case sensitive.

Log Source SIC Attribute (Entity SIC Name)
  Type the SIC name of the server, for example: cn=cp_mgmt,o=fwconsole..7psasx. The name can be up to 255 characters in length and is case sensitive.

Specify Certificate
  Select this check box to define a certificate for this LEA configuration.
  JSA attempts to retrieve the certificate with these parameters when the certificate is required.

Certificate Filename
  Type the directory path of the certificate you want to use for this configuration. This option only appears if Specify Certificate is selected.

Certificate Authority IP
  Type the IP address of the server that contains the certificate.

Pull Certificate Password
  Type the password to use to request the certificate.

OPSEC Application
  Type the name of the application that makes the certificate request.

Enabled
  Select this check box to enable the log source.
  When this check box is clear, the log source does not collect events and the log source does not count against the log source limit in the license.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.
  Credibility is a representation of the integrity or validity of events created by a log source. The credibility value assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
  The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events.
  Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
  When this check box is clear, events are viewed individually and events are not bundled.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events that are generated by the log source.
  The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source.
  This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:
  • Parsing enhancement: select this option when most fields parse correctly for the log source.
  • Parsing override: select this option when the log source is unable to correctly parse events.

Groups
  Select one or more groups for the log source.
To configure the OPSEC/LEA protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source. The JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the Syslog Protocol on page 20.
• Configuring the JDBC Protocol on page 23.
• Configuring the JDBC - SiteProtector Protocol on page 27.
• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.
• Configuring the Juniper Networks NSM Protocol on page 36.
• Configuring the SDEE Protocol on page 41.
Configuring the SDEE Protocol
The Security Device Event Exchange (SDEE) protocol enables Juniper Secure Analytics (JSA) to use subscriptions to collect events from appliances that use SDEE servers.
Detailed configuration steps for each log source type are provided in the JSA.
Table 13: SDEE Protocol Parameters

Log Source Name
  Type a unique name of the log source.

Log Source Description
  Optional. Type a description for the log source.

Log Source Type
  From the list, select a log source type.

Protocol Configuration
  From the list, select SDEE.

Log Source Identifier
  Type an IP address, host name, or name to identify the SDEE event source.
  IP addresses or host names are suggested as they identify a unique value for the event source.

URL
  Type an HTTP or HTTPS URL required to access the log source.
  For example, https://www.mysdeeserver.com/cgi-bin/sdee-server. The options include:
  • Administrators with SDEE/CIDEE (Cisco IDS v5.x and above): the URL must end with /cgi-bin/sdee-server.
  • Administrators with RDEP (Cisco IDS v4.x): the URL must end with /cgi-bin/event-server.

Username
  Type the username required to access the URL.

Password
  Type the password required to access the URL.

Events / Query
  Type the maximum number of events to retrieve per query.
  The valid range is 0 to 501 and the default is 100.

Force Subscription
  Select this check box to force a new SDEE subscription.
  When the check box is selected, the protocol forces the server to drop the least active connection and accept a new SDEE subscription connection for the log source.
  Clearing the check box continues with any existing SDEE subscription.

Severity Filter
  Select a check box for each severity level the log source can subscribe to and collect with the log source.
  • Informational
  • Low
  • Medium
  • High

Event Filter
  Select a check box for each severity level the log source can subscribe to and collect with the log source.
  • Alerts
  • Status
  • Errors

Event Collection Interval
  Type the time interval to indicate the frequency with which the subscription can collect events. The time interval is defined in seconds.

Connection Retry On Failure
  Type a time interval to indicate how long the subscription must wait before another subscription is attempted. The wait time interval is defined in seconds.

Maximum Wait To Block For Events
  Type the interval to indicate the length of the event block.
  When a collection request is made and no new events are available, the protocol enables an event block. The block prevents another event request from being made to a remote device that did not have any new events. This timeout is intended to conserve system resources.
  The time interval is defined in seconds.

Enabled
  Select this check box to enable the log source.
  When this check box is clear, the log source does not collect events and the log source does not count against the log source limit in the license.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.
  Credibility is a representation of the integrity or validity of events created by a log source. The credibility value assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
  The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events.
  Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
  When this check box is clear, events are viewed individually and events are not bundled.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events that are generated by the log source.
  The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source.
  This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:
  • Parsing enhancement: select this option when most fields parse correctly for the log source.
  • Parsing override: select this option when the log source is unable to correctly parse events.

Groups
  Select one or more groups for the log source.
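The SDEE subscription parameters in Table 13 (Events / Query, the two filters, Event Collection Interval, Connection Retry On Failure and Maximum Wait To Block For Events) describe a poll loop; the following simulation is an added example, not JSA code, and its FakeSdeeServer, clock and event records are constructed here. How the event block combines with the collection interval is an assumption.

```python
"""Added example (not JSA code): simulated SDEE subscription poll loop using the
Table 13 parameters Events / Query, Severity Filter, Event Filter, Event Collection
Interval, Connection Retry On Failure and Maximum Wait To Block For Events.
Server, clock and events are constructed; the block/interval interplay is assumed."""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

SEVERITIES = ("informational", "low", "medium", "high")
EVENT_KINDS = ("alert", "status", "error")


@dataclass
class SdeeConfig:
    events_per_query: int = 100                  # valid range 0 to 501, default 100
    severity_filter: Tuple[str, ...] = SEVERITIES
    event_filter: Tuple[str, ...] = EVENT_KINDS
    collection_interval: int = 60                # seconds between successful polls
    retry_on_failure: int = 30                   # seconds before another subscription attempt
    max_wait_to_block: int = 120                 # seconds the event block suppresses requests


def problems(cfg: SdeeConfig) -> List[str]:
    """Return configuration errors, judged by the ranges Table 13 states or implies."""
    found = []
    if not 0 <= cfg.events_per_query <= 501:
        found.append("Events / Query must be between 0 and 501")
    if set(cfg.severity_filter) - set(SEVERITIES) or set(cfg.event_filter) - set(EVENT_KINDS):
        found.append("unknown severity or event kind in filter")
    for name in ("collection_interval", "retry_on_failure", "max_wait_to_block"):
        if getattr(cfg, name) <= 0:
            found.append(f"{name} must be a positive number of seconds")
    return found


class FakeSdeeServer:
    """Constructed stand-in for an SDEE server: a queue of (id, severity, kind) records
    that honours the subscription filters and fails the request numbers in fail_on."""

    def __init__(self, events: Iterable[Tuple[str, str, str]], fail_on: Iterable[int] = ()):
        self._queue = list(events)
        self._fail_on: Set[int] = set(fail_on)
        self.requests = 0

    def subscribe(self, severities: Set[str], kinds: Set[str]) -> None:
        # Events outside the subscription's filters are never delivered.
        self._queue = [e for e in self._queue if e[1] in severities and e[2] in kinds]

    def get_events(self, max_events: int) -> List[Tuple[str, str, str]]:
        self.requests += 1
        if self.requests in self._fail_on:
            raise ConnectionError("simulated SDEE failure")
        batch, self._queue = self._queue[:max_events], self._queue[max_events:]
        return batch


def poll(cfg: SdeeConfig, server: FakeSdeeServer, run_for: int):
    """Drive the subscription on a simulated clock from t=0 for run_for seconds.
    Returns the collected event ids and a (time, action) timeline that shows
    which parameter governed each wait."""
    assert not problems(cfg), problems(cfg)
    server.subscribe(set(cfg.severity_filter), set(cfg.event_filter))
    t, collected, timeline = 0, [], []
    while t < run_for:
        try:
            batch = server.get_events(cfg.events_per_query)
        except ConnectionError:
            timeline.append((t, "retry"))           # Connection Retry On Failure
            t += cfg.retry_on_failure
            continue
        if batch:
            collected.extend(e[0] for e in batch)
            timeline.append((t, f"collected {len(batch)}"))
            t += cfg.collection_interval            # Event Collection Interval
        else:
            # No new events: the event block stops further requests to the device for
            # Maximum Wait To Block For Events seconds (assumed to be at least as long
            # as the collection interval).
            timeline.append((t, "block"))
            t += max(cfg.max_wait_to_block, cfg.collection_interval)
    return collected, timeline


# Constructed sample: six sensor events; the subscription wants medium and high alerts only.
SAMPLE_EVENTS = [
    ("e1", "high", "alert"), ("e2", "low", "alert"), ("e3", "medium", "status"),
    ("e4", "high", "alert"), ("e5", "medium", "alert"), ("e6", "informational", "error"),
]
SAMPLE_CONFIG = SdeeConfig(events_per_query=2, severity_filter=("medium", "high"),
                           event_filter=("alert",))


def run_sample():
    server = FakeSdeeServer(SAMPLE_EVENTS, fail_on={2})    # the second request fails
    ids, timeline = poll(SAMPLE_CONFIG, server, run_for=300)
    return ids, timeline, server.requests
```

Running run_sample() shows two events collected at t=0, a retry at t=60 after the failed request, the last matching event at t=90, and then the event block holding the poller off the sensor for 120 seconds at a time.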
To configure the SDEE protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source. The JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the Syslog Protocol on page 20.
• Configuring the JDBC Protocol on page 23.
• Configuring the JDBC - SiteProtector Protocol on page 27.
• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.
• Configuring the Juniper Networks NSM Protocol on page 36.
• Configuring the OPSEC/LEA Protocol on page 38.
• Configuring the SNMPv1 Protocol on page 44.
Configuring the SNMPv1 Protocol
The SNMPv1 protocol provides log sources the ability to receive SNMPv1 events.
Table 14 on page 44 describes the parameters of the SNMPv1 protocol.
Table 14: SNMPv1 Protocol Parameters

Log Source Name
  Type a unique name of the log source.

Log Source Description
  Optional. Type a description for the log source.

Log Source Type
  From the list, select the type of log source to add.

Protocol Configuration
  From the list, select SNMPv1.

Log Source Identifier
  Type an IPv4 address or host name to identify the log source that created the events.
  If the network contains devices that are attached to a management console, administrators can specify the IP address of the individual device that created the event. A unique identifier for each, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.

Enabled
  Select this check box to enable the log source.
  When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.
  Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
  The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events.
  Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
  When this check box is clear, events are viewed individually and events are not bundled.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events that are generated by the log source.
  The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source.
  This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:
  • Parsing enhancement: select this option when most fields parse correctly for the log source.
  • Parsing override: select this option when the log source is unable to correctly parse events.

Groups
  Select one or more groups for the log source.
To configure the SNMPv1 protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source. The JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the Syslog Protocol on page 20.
• Configuring the JDBC Protocol on page 23.
• Configuring the JDBC - SiteProtector Protocol on page 27.
• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.
• Configuring the Juniper Networks NSM Protocol on page 36.
• Configuring the OPSEC/LEA Protocol on page 38.
Configuring the SNMPv2 Protocol
The SNMPv2 protocol provides log sources the ability to receive SNMPv2 events.
Table 15 on page 47 describes the parameters of the SNMPv2 protocol.
Table 15: SNMPv2 Protocol Parameters

Log Source Name
  Type a unique name of the log source.

Log Source Description
  Optional. Type a description for the log source.

Log Source Type
  From the list, select the type of log source to add.

Protocol Configuration
  From the list, select SNMPv2.

Log Source Identifier
  Type an IPv4 address or host name to identify the log source that created the events.
  If the network contains devices that are attached to a management console, administrators can specify the IP address of the individual device that created the event. A unique identifier for each, such as an IP address, prevents searches from identifying the management console as the source for all of the events.

Community
  Type the SNMP community name required to access the system containing SNMP events. The default is Public.

Include OIDs in Event Payload
  This option allows the SNMP event payload to be constructed using name-value pairs instead of the standard event payload format.
  Including OIDs in the event payload is required for processing SNMPv2 or SNMPv3 events when you select specific log sources from the Log Source Types list. For more information, see the JSA.

Enabled
  Select this check box to enable the log source.
  When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.
  Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
  The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events.
  Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
  When this check box is clear, events are viewed individually and events are not bundled.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events that are generated by the log source.
  The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source.
  This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:
  • Parsing enhancement: select this option when most fields parse correctly for the log source.
  • Parsing override: select this option when the log source is unable to correctly parse events.

Groups
  Select one or more groups for the log source.
To configure the SNMPv2 protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source. The Juniper Secure Analytics Configuring DSMs Guide provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the Syslog Protocol on page 20.
• Configuring the JDBC Protocol on page 23.
• Configuring the JDBC - SiteProtector Protocol on page 27.
• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.
• Configuring the Juniper Networks NSM Protocol on page 36.
• Configuring the OPSEC/LEA Protocol on page 38.
Configuring the SNMPv3 Protocol
The SNMPv3 protocol provides log sources the ability to receive SNMPv3 events.
Table 16 on page 49 describes the parameters of the SNMPv3 protocol.
Table 16: SNMPv3 Protocol Parameters

Log Source Name
  Type a unique name of the log source.

Log Source Description
  Optional. Type a description for the log source.

Log Source Type
  From the list, select the type of log source to add.

Protocol Configuration
  From the list, select SNMPv3.

Log Source Identifier
  Type an IPv4 address or host name to identify the log source that created the events.
  If the network contains devices that are attached to a management console, administrators can specify the IP address of the individual device that created the event. A unique identifier for each, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.

Authentication Protocol
  From the list, select the algorithm you want to use to authenticate SNMP traps. The options include:
  • MD5
  • SHA

Authentication Password
  Type the password you want to use to authenticate SNMP.
  The password can be up to 64 characters in length.
  NOTE: Your authentication password must include a minimum of 8 characters.

Decryption Protocol
  From the list box, select the protocol you want to use to decrypt SNMP traps. The default is AES256.

Decryption Password
  Type the password used to decrypt SNMP traps. The password can be up to 64 characters in length.

User
  Type the user access for this protocol. The default is AdminUser.
  The username can be up to 255 characters in length.

Include OIDs in Event Payload
  This option allows the SNMP event payload to be constructed using name-value pairs instead of the standard event payload format.
  Including OIDs in the event payload is required for processing SNMPv2 or SNMPv3 events when you select specific log sources from the Log Source Types list. For more information, see the JSA.

Enabled
  Select this check box to enable the log source.
  When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.
  Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
  The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events.
  Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
  When this check box is clear, events are viewed individually and events are not bundled.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events that are generated by the log source.
  The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source.
  This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:
  • Parsing enhancement: select this option when most fields parse correctly for the log source.
  • Parsing override: select this option when the log source is unable to correctly parse events.

Groups
  Select one or more groups for the log source.
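The Coalescing Events and Store Event Payload rows that Tables 12 to 16 repeat describe bundling: repeats of the same event inside a short interval become one record with an incremented count, and clearing Store Event Payload drops the payload. The following coalescer is an added example, not JSA code; what counts as "the same event" (here the source and normalized event name), the 10-second window and the record layout are assumptions, and the sample events are constructed.

```python
"""Added example (not JSA code): event coalescing as the Coalescing Events and
Store Event Payload rows describe it. The identity key, the window length and
the record layout are assumptions; the sample events are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class RawEvent:
    time: float        # seconds on a constructed clock
    source: str        # log source identifier
    name: str          # normalized event name; assumed to define "the same event"
    payload: str


@dataclass
class StoredEvent:
    first_time: float
    last_time: float
    source: str
    name: str
    count: int                 # raw events bundled into this record
    payload: Optional[str]     # None when Store Event Payload is cleared


def coalesce(events: List[RawEvent], coalescing: bool = True,
             store_payload: bool = True, window: float = 10.0) -> List[StoredEvent]:
    """Bundle repeats of the same (source, name) that arrive within `window` seconds
    of the bundle's first event, incrementing its count. With coalescing=False every
    raw event becomes its own record with count 1, as the cleared check box implies."""
    stored: List[StoredEvent] = []
    open_bundle: Dict[Tuple[str, str], int] = {}   # key -> index of the current bundle
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.source, ev.name)
        idx = open_bundle.get(key)
        if coalescing and idx is not None and ev.time - stored[idx].first_time <= window:
            stored[idx].count += 1
            stored[idx].last_time = ev.time
            continue
        stored.append(StoredEvent(ev.time, ev.time, ev.source, ev.name, 1,
                                  ev.payload if store_payload else None))
        open_bundle[key] = len(stored) - 1
    return stored


def frequency(stored: List[StoredEvent]) -> Dict[Tuple[str, str], int]:
    """Per (source, name) totals: the frequency view the Log Activity tab offers.
    Coalescing changes the number of records, never the total count."""
    totals: Dict[Tuple[str, str], int] = {}
    for rec in stored:
        totals[(rec.source, rec.name)] = totals.get((rec.source, rec.name), 0) + rec.count
    return totals


# Constructed sample: fw1 repeats a deny three times within two seconds, then once
# more after the window has passed; other events interleave.
SAMPLE = [
    RawEvent(0.0, "fw1", "Deny", "deny tcp 10.0.0.5 -> 10.0.1.9:445"),
    RawEvent(1.0, "fw1", "Accept", "accept tcp 10.0.0.7 -> 10.0.1.9:443"),
    RawEvent(1.5, "fw1", "Deny", "deny tcp 10.0.0.5 -> 10.0.1.9:445"),
    RawEvent(2.0, "fw1", "Deny", "deny tcp 10.0.0.5 -> 10.0.1.9:445"),
    RawEvent(3.0, "fw2", "Deny", "deny udp 10.0.0.8 -> 10.0.1.9:161"),
    RawEvent(15.0, "fw1", "Deny", "deny tcp 10.0.0.5 -> 10.0.1.9:445"),
]

if __name__ == "__main__":
    for rec in coalesce(SAMPLE):
        print(rec)
    print(frequency(coalesce(SAMPLE)))
```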
To configure the SNMPv3 protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source. The JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the Syslog Protocol on page 20.
• Configuring the JDBC Protocol on page 23.
• Configuring the JDBC - SiteProtector Protocol on page 27.
• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.
• Configuring the Juniper Networks NSM Protocol on page 36.
• Configuring the OPSEC/LEA Protocol on page 38.
Configuring the Sourcefire Defense Center Estreamer Protocol
The Sourcefire Defense Center Estreamer protocol enables Juniper Secure Analytics (JSA) to receive streaming event data from a Sourcefire Defense Center Estreamer (Event Streamer) service.
Event files are streamed to JSA to be processed after the Sourcefire Defense Center DSM is configured. Detailed configuration steps for Sourcefire Defense Center are provided in the JSA.
Table 17: Sourcefire Defense Center Estreamer Protocol Parameters

Log Source Name
    Type a unique name for the log source.

Log Source Description
    Optional. Type a description for the log source.

Log Source Type
    From the list, select a log source type.

Protocol Configuration
    From the list, select Sourcefire Defense Center Estreamer.

Log Source Identifier
    Type an IP address, host name, or name to identify the Sourcefire Defense Center event source. IP addresses or host names are suggested because they identify a unique value for the event source.

Server Address
    Type the IP address or host name of the Sourcefire Defense Center device.

Server Port
    Type the port number that JSA uses to receive Sourcefire Defense Center Estreamer events. The default is 8302.

Keystore Filename
    Type the directory path and file name for the keystore private key and associated certificate. By default, the import script creates the keystore file at /opt/qradar/conf/estreamer.keystore.

Truststore Filename
    Type the directory path and file name for the truststore file. The truststore file contains the certificates trusted by the client. By default, the import script creates the truststore file at /opt/qradar/conf/estreamer.truststore.

Enabled
    Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
    Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.
    Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
    Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
    The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
    Select this check box to enable the log source to coalesce (bundle) events.
    Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
    When this check box is clear, events are viewed individually and are not bundled.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
    Select this check box to enable the log source to store the payload information from an event.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
    Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
    Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
    From the list box, select the use condition for the log source extension. The options include:
    • Parsing enhancement—Select this option when most fields parse correctly for the log source.
    • Parsing override—Select this option when the log source is unable to correctly parse events.

Groups
    Select one or more groups for the log source.
To configure the Sourcefire Defense Center Estreamer protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source. The JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the Syslog Protocol on page 20.
• Configuring the JDBC Protocol on page 23.
• Configuring the JDBC - SiteProtector Protocol on page 27.
• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.
• Configuring the Juniper Networks NSM Protocol on page 36.
• Configuring the OPSEC/LEA Protocol on page 38.
• Configuring the SDEE Protocol on page 41.
Configuring the Log File Protocol
The log file protocol retrieves event files that are stored on remote hosts so that events stored in remote locations can be processed.
The log file protocol is intended for systems that write daily event logs. It is not appropriate for devices that append information to their event files.
Log files are retrieved one at a time to be processed. The log file protocol can manage plain text, compressed files, or file archives. Archives must contain plain-text files that can be processed one line at a time. When the log file protocol downloads an event file, the information received in the file updates the Log Activity tab. If more information is written to the file after the download is complete, the appended information is not processed.
Table 18: Log File Protocol Parameters

Log Source Name
    Type a unique name for the log source.

Log Source Description
    Optional. Type a description for the log source.

Log Source Type
    From the list, select the type of log source to add.

Protocol Configuration
    From the list, select Log File.

Log Source Identifier
    Type an IPv4 address or host name to identify the log source that created the events.
    If the remote source contains multiple devices, such as a file repository, administrators must specify the IP address of the device that created the event. Unique identifiers ensure that events are associated with the correct device in the network, instead of being attributed to the management console or file repository.

Service Type
    From the list box, select the protocol to use when retrieving log files from a remote server. The options include:
    • SFTP—Secure file transfer protocol
    • FTP—File transfer protocol
    • SCP—Secure copy protocol
    The default is SFTP.
    The server that is specified in the Remote IP or Hostname field must have the SFTP subsystem enabled to retrieve log files with SCP or SFTP.

Remote IP or Hostname
    Type the IP address or host name of the device that contains the event log files.

Remote Port
    Type the port that is used to communicate with the remote host. The valid range is 1 – 65535. The options include:
    • FTP – TCP Port 21
    • SFTP – TCP Port 22
    • SCP – TCP Port 22
    If the remote host uses a non-standard port number, administrators must adjust the port value to retrieve events.

Remote User
    Type the user name necessary to log in to the host that contains the event files.

Remote Password
    Type the password necessary to log in to the host.

Confirm Password
    Confirm the password necessary to log in to the host.

SSH Key File
    Type the path to the SSH key, if the system is configured to use key authentication. When an SSH key file is used, the Remote Password field is ignored.

Remote Directory
    Type the directory location on the remote host from which the files are retrieved. The directory path is relative to the user account that is used to log in.
    NOTE: For FTP only. If the log files are in the remote user's home directory, you can leave the remote directory blank. A blank remote directory field supports systems where the change working directory (CWD) command is restricted.

Recursive
    Select this check box to enable the file pattern to search sub folders. By default, the check box is clear. This option is ignored for SCP file transfers.

FTP File Pattern
    Type the regular expression (regex) required to identify the files to download from the remote host. All files that match the regular expression are included in the download. This field applies to SFTP and FTP file transfers.

SCP Remote File
    For SCP file transfers, type the name of the file on the remote host.

FTP Transfer Mode
    From the list box, select the transfer mode for the log source:
    • Binary—Select this option for log sources that require binary data files or compressed archive files.
    • ASCII—Select ASCII for log sources that require an ASCII FTP file transfer.
    Administrators must select NONE in the Processor field and LINEBYLINE in the Event Generator field for ASCII transfers over FTP.

Start Time
    Type the time of day for the log source to start the file import. This parameter functions with the Recurrence value to establish when and how often the Remote Directory is scanned for files.

Recurrence
    Type a time interval to determine how frequently the remote directory is scanned for new event log files. The minimum value is 15 minutes.
    The time interval can include values in hours (H), minutes (M), or days (D). For example, a recurrence of 2H scans the remote directory every 2 hours.

Run On Save
    Select this check box to start the log file import immediately after the administrator saves the log source. After the first file import, the log file protocol follows the start time and recurrence schedule that is defined by the administrator.
    When selected, this check box clears the list of previously downloaded and processed files.

EPS Throttle
    Type the number of Events Per Second (EPS) that the protocol cannot exceed. The valid range is 100 – 5000.

Processor
    If the files on the remote host are stored in an archive format, select the processor that is required to uncompress the event log.

Ignore Previously Processed File(s)
    Select this check box to track files that were processed by the log source. This option prevents duplicate events from files that are processed a second time. This check box applies to FTP and SFTP file transfers.

Change Local Directory?
    Select this check box to define the local directory on the Target Event Collector to store event logs before they are processed. Administrators can leave this check box clear for most configurations.

Local Directory
    Type the local directory on the Target Event Collector. This option is used with the Change Local Directory field. The directory must exist before the log file protocol attempts to retrieve events.

Event Generator
    From the Event Generator list box, select one of the following options:
    • LineByLine—Each line of the file is processed as a single event. For example, if a file has 10 lines of text, 10 separate events are created.
    • HPTandem—The file is processed as an HP Tandem NonStop binary audit log. Each record in the log file (whether primary or secondary) is converted into text and processed as a single event. HP Tandem audit logs use the following file name pattern: [aA]\d{7}.
    • WebSphere Application Server—Processes event logs for WebSphere Application Server. The remote directory must define the file path that is configured in the DSM.
    • W3C—Processes log files from sources that use the W3C format. The header of the log file identifies the order and data that is contained in each line of the file.
    • Fair Warning—Processes log files from Fair Warning devices that protect patient identity and medical information. The remote directory must define the file path to the event logs that are generated by the Fair Warning device.
    • DPI Subscriber Data—The file is processed as a DPI statistic log produced by a Juniper Networks MX router. The header of the file identifies the order and data that is contained in each line of the file. Each line in the file after the header is formatted to a tab-delimited name=value pair event.
    • SAP Audit Logs—Processes files for SAP Audit Logs to keep a record of security-related events in SAP systems. Each line of the file is formatted to be processed.
    • Oracle BEA WebLogic—Processes files for Oracle BEA WebLogic application log files. Each line of the file is formatted to be processed.
    • Juniper SBR—Processes event log files from Juniper Steel-Belted Radius. Each line of the file is formatted to be processed.
    • ID-Linked Multiline—Processes multiline event logs that contain a common value at the start of each line in a multiline event message. This option uses regular expressions to identify and reassemble the multiline event into a single event payload.

File Encoding
    From the list box, select the character encoding that is used by the events in your log file.

Folder Separator
    Type the character that is used to separate folders for your operating system. The default value is /. Most configurations can use the default value in the Folder Separator field.
    This field is intended for operating systems that use a different character to define separate folders, for example, periods that separate folders on mainframe systems.

Enabled
    Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
    Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.
    Credibility is a representation of the integrity or validity of events created by a log source. The credibility value assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
    Select the Event Collector to use as the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
    This enables administrators to poll and process events on the target event collector instead of the console appliance, which can improve performance in distributed deployments.
    When an administrator verifies firewall ports between JSA and the remote database, the firewall must allow communication between the target event collector and the remote database.

Coalescing Events
    Select this check box to enable the log source to coalesce (bundle) events.
    Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
    When this check box is clear, the events are displayed individually and the information is not bundled.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
    Select this check box to enable the log source to store the payload information from an event.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
    Select the language of the events generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
    Optional. Select the name of the extension to apply to the log source. This parameter is only available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).

Extension Use Condition
    From the list box, select the use condition for the log source extension. The options include:
    • Parsing enhancement—Select this option when most fields parse correctly for the log source.
    • Parsing override—Select this option when the log source is unable to correctly parse events.

Groups
    Select one or more groups for the log source.
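The scheduling, file selection and event generation that the Log File protocol parameters in Table 18 describe, shown as an added Python example that is not part of this guide or of JSA itself. The remote directory is an in-memory dict standing in for an SFTP/FTP host (constructed sample data), parse_recurrence enforces the 15-minute minimum for the Recurrence value, select_files applies the FTP File Pattern regex together with the Recursive and Folder Separator options and skips files recorded as previously processed, and two event generators (LineByLine, and a simplified ID-Linked Multiline that groups lines by a leading ID captured with a regex) turn file contents into events. All function names, the sample file contents and the default ID regex are assumptions made for this example.

```python
import re
from datetime import timedelta

# Constructed in-memory stand-in for the Remote Directory on an SFTP/FTP host.
# Keys are paths relative to the remote directory; values are file contents.
# Sample data only, not taken from a real system.
REMOTE_FILES = {
    "app-20170104.log": "10:00:01 login ok user=alice\n10:00:05 login failed user=bob\n",
    "archive/app-20170103.log": "23:59:59 shutdown\n",
    "notes.txt": "not a log file\n",
    "txn-20170104.log": "1001 begin transfer\n1001 amount=5\n1002 begin transfer\n1001 commit\n",
}

def parse_recurrence(value):
    """Parse a Recurrence value such as '2H', '30M' or '1D' into a timedelta,
    enforcing the 15-minute minimum the Log File protocol imposes."""
    m = re.fullmatch(r"\s*(\d+)\s*([HMDhmd])\s*", value)
    if not m:
        raise ValueError(f"invalid recurrence: {value!r}")
    count, unit = int(m.group(1)), m.group(2).upper()
    delta = {"H": timedelta(hours=count), "M": timedelta(minutes=count),
             "D": timedelta(days=count)}[unit]
    if delta < timedelta(minutes=15):
        raise ValueError("recurrence is below the 15 minute minimum")
    return delta

def recurrence_is_valid(value):
    """True when parse_recurrence accepts the value."""
    try:
        parse_recurrence(value)
        return True
    except ValueError:
        return False

def select_files(remote_dir, file_pattern, recursive=False, separator="/", processed=()):
    """Choose the files one scan would download: names matching the FTP File
    Pattern regex, sub folders only when Recursive is set, and files already
    recorded as processed skipped (Ignore Previously Processed File(s))."""
    rx = re.compile(file_pattern)
    chosen = []
    for path in sorted(remote_dir):
        if not recursive and separator in path:
            continue                      # file lives in a sub folder
        name = path.rsplit(separator, 1)[-1]
        if path in processed or not rx.fullmatch(name):
            continue
        chosen.append(path)
    return chosen

def line_by_line(text):
    """LineByLine event generator: every non-empty line becomes one event."""
    return [line for line in text.splitlines() if line.strip()]

def id_linked_multiline(text, id_regex=r"^(\S+)"):
    """ID-Linked Multiline event generator (simplified): lines sharing the value
    captured by id_regex at the start of the line are reassembled into one event
    payload, in the order their IDs first appear."""
    rx = re.compile(id_regex)
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = rx.match(line)
        key = m.group(1) if m else line    # unmatched lines stay single events
        groups.setdefault(key, []).append(line)
    return ["\n".join(lines) for lines in groups.values()]

def poll_once(remote_dir, file_pattern, generator, recursive=False, processed=None):
    """One scheduled scan. Returns (events, processed) so the next scan can
    skip files that were already turned into events."""
    processed = set(processed or ())
    events = []
    for path in select_files(remote_dir, file_pattern, recursive, processed=processed):
        events.extend(generator(remote_dir[path]))
        processed.add(path)
    return events, processed

if __name__ == "__main__":
    every = parse_recurrence("2H")
    first, seen = poll_once(REMOTE_FILES, r"app-\d{8}\.log", line_by_line, recursive=True)
    second, _ = poll_once(REMOTE_FILES, r"app-\d{8}\.log", line_by_line,
                          recursive=True, processed=seen)
    print(f"scan every {every}: {len(first)} events on the first scan, {len(second)} on the next")
```

The second poll returns no events because the processed set carries over, which is exactly what Run On Save undoes when it clears the list of previously processed files: after that, every matching file is downloaded and parsed again, so duplicate events are expected unless the remote directory only holds new files.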
To configure the log file protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source. The JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the Syslog Protocol on page 20.
• Configuring the JDBC Protocol on page 23.
• Configuring the JDBC - SiteProtector Protocol on page 27.
• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.
• Configuring the Juniper Networks NSM Protocol on page 36.
• Configuring the OPSEC/LEA Protocol on page 38.
Configuring the Microsoft Security Event Log Protocol
The Microsoft Security Event Log protocol provides remote agentless Windows event log collection for Windows with the Microsoft Windows Management Instrumentation (WMI) API.
The WMI API is a Microsoft technology that is used to communicate and exchange information between operating systems. This API requires that firewall configurations accept incoming external communications on port 135 and any dynamic ports that are required for DCOM. The following log source limitations apply when administrators deploy the Microsoft Security Event Log protocol in your environment:
• Systems that exceed 50 events per second (eps) can exceed the capabilities of this protocol. WinCollect can be used for systems that exceed 50 eps.
• A Juniper Secure Analytics (JSA) all-in-one installation can support up to 250 log sources with the Microsoft Security Event Log protocol.
• Dedicated Event Collectors can support up to 500 log sources with the Microsoft Security Event Log protocol.
The Microsoft Security Event Log protocol is not suggested for remote servers that are accessed over network links with high round-trip delay times, such as satellite or slow WAN networks. Round-trip delay can be confirmed by examining the request and response time of a ping to the server. Network delays that are created by slow connections decrease the EPS throughput available to those remote servers. In addition, event collection from busy servers or Domain Controllers relies on low round-trip delay times to keep up with incoming events. If it is not possible to decrease your network round-trip delay time, administrators can use WinCollect to process Windows events.
The Microsoft Security Event Log protocol supports the following software versions with the Microsoft Windows Management Instrumentation (WMI) API:
• Microsoft Windows 2000
• Microsoft Windows Server 2003
• Microsoft Windows Server 2008 (all versions)
• Microsoft Windows XP
• Microsoft Windows Vista
• Microsoft Windows 7
Table 19: Microsoft Security Event Log Protocol Parameters

Log Source Name
    Type a unique name for the log source.

Log Source Description
    Optional. Type a description for the log source.

Log Source Type
    From the list, select a log source type.

Protocol Configuration
    From the list, select Windows Security Event Log.

Log Source Identifier
    Type the IP address or host name of the Windows host. The log source identifier must be unique for the log source type.

Domain
    Optional. Type the domain that is required for the server.

Username
    Type the user name that is required to access the Windows host.

Password
    Type the password that is required to access the Windows host.

Confirm Password
    Confirm the password that is required to access the server.

Standard Log Types
    Select a check box for each log type to monitor. At least one check box must be selected.
    • Security
    • System
    • Application
    • DNS Server
    • File Replication Service
    • Directory Service

Event Types
    Select a check box for each event type to monitor. At least one check box must be selected.
    • Informational
    • Warning
    • Error
    • Success Audit
    • Failure Audit

Enabled
    Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
    Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.
    Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
    Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
    This enables administrators to poll and process events on the target event collector instead of the console appliance, which can improve performance in distributed deployments.

Coalescing Events
    Select this check box to enable the log source to coalesce (bundle) events.
    Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
    When this check box is clear, the events are displayed individually and the information is not bundled.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
    Select this check box to enable the log source to store the payload information from an event.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
    Select the language of the events generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
    Optional. Select the name of the extension to apply to the log source. This parameter is only available after you upload a log source extension to JSA. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).

Extension Use Condition
    From the list box, select the use condition for the log source extension. The options include:
    • Parsing enhancement—Select this option when most fields parse correctly for your log source.
    • Parsing override—Select this option when the log source is unable to correctly parse events.

Groups
    Select one or more groups for the log source.
To configure the Microsoft Security Event Log protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the Syslog Protocol on page 20.
• Configuring the JDBC Protocol on page 23.
• Configuring the JDBC - SiteProtector Protocol on page 27.
• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.
• Configuring the Juniper Networks NSM Protocol on page 36.
• Configuring the OPSEC/LEA Protocol on page 38.
Configuring the Microsoft Security Event Log Custom Protocol
The Microsoft Security Event Log protocol provides remote agentless Windows event log collection for customized event logs with the Microsoft (WMI) API.
The WMI API is a Microsoft technology that is used to communicate and exchange information between operating systems. This API requires that firewall configurations accept incoming external communications on port 135 and any dynamic ports that are required for DCOM. The following log source limitations apply when administrators deploy the Microsoft Security Event Log Custom protocol in your environment:
• Systems that exceed 50 events per second (eps) can exceed the capabilities of this protocol. WinCollect can be used for systems that exceed 50 eps.
• A Juniper Secure Analytics (JSA) all-in-one installation can support up to 250 log sources with the Microsoft Security Event Log Custom protocol.
• Dedicated Event Collectors can support up to 500 log sources with the Microsoft Security Event Log Custom protocol.
The Microsoft Security Event Log protocol is not suggested for remote servers that are accessed over network links with high round-trip delay times, such as satellite or slow WAN networks. Round-trip delay can be confirmed by examining the request and response time of a ping to the server. Network delays that are created by slow connections decrease the EPS throughput available to those remote servers. In addition, event collection from busy servers or Domain Controllers relies on low round-trip delay times to keep up with incoming events. If it is not possible to decrease your network round-trip delay time, administrators can use WinCollect to process Windows events.
The Microsoft Security Event Log protocol supports the following software versions with the Microsoft Windows Management Instrumentation (WMI) API:
• Microsoft Windows 2000
• Microsoft Windows Server 2003
• Microsoft Windows Server 2008 (all versions)
• Microsoft Windows XP
• Microsoft Windows Vista
• Microsoft Windows 7
Table 20: Microsoft Security Event Log Protocol Parameters

Log Source Name
    Type a unique name for the log source.

Log Source Description
    Optional. Type a description for the log source.

Log Source Type
    From the list, select a log source type.

Protocol Configuration
    From the list, select Windows Security Event Log.

Log Source Identifier
    Type the IP address or host name of the Windows host. The log source identifier must be unique for the log source type.

Domain
    Optional. Type the domain that is required for the server.

Username
    Type the user name that is required to access the Windows host.

Password
    Type the password that is required to access the Windows host.

Confirm Password
    Confirm the password that is required to access the server.

Monitored Event Logs
    Type the name of the custom event log.

Event Types
    Select a check box for each event type to monitor. At least one check box must be selected:
    • Informational
    • Warning
    • Error
    • Success Audit
    • Failure Audit

Enabled
    Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
    Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.
    Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
    Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
    This option enables administrators to poll and process events on the target event collector instead of the console appliance, which can improve performance in distributed deployments.

Store Event Payload
    Select this check box to enable the log source to store the payload information from an event.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
    Select the language of the events generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
    Optional. Select the name of the extension to apply to the log source. This parameter is only available after you upload a log source extension to JSA. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).

Extension Use Condition
    From the list box, select the use condition for the log source extension. The options include:
    • Parsing enhancement—Select this option when most fields parse correctly for your log source.
    • Parsing override—Select this option when the log source is unable to correctly parse events.

Groups
    Select one or more groups for the log source.
To configure the Microsoft Security Event Log Custom protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the Syslog Protocol on page 20.
• Configuring the JDBC Protocol on page 23.
• Configuring the JDBC - SiteProtector Protocol on page 27.
• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.
• Configuring the Juniper Networks NSM Protocol on page 36.
• Configuring the OPSEC/LEA Protocol on page 38.
Configuring the Microsoft DHCP Protocol
The Microsoft DHCP protocol supports a single connection to a Microsoft DHCP server to remotely collect events.
The Microsoft authentication protocol NTLMv2 is not supported by the Microsoft DHCP protocol.
Folder paths that contain an administrative share (C$) require NetBIOS privileges on the administrative share (C$) to read the log files. Local or domain administrators have sufficient privileges to access log files on administrative shares.
Fields for the Microsoft DHCP protocol that support file paths allow administrators to define a drive letter with the path information. For example, the field can contain c$\LogFiles\ for an administrative share, or LogFiles\ for a public share folder path, but not c:\LogFiles.
Detailed configuration steps for Microsoft DHCP are provided in the Juniper Secure Analytics (JSA).
Table 21: Microsoft DHCP Protocol Parameters
Log Source Name: Type a unique name of the log source.
Log Source Description: Optional. Type a description for the log source.
Chapter 3: Managing Protocol Configuration
Log Source Type: From the list, select a log source type.
Protocol Configuration: From the list, select Microsoft DHCP.
Log Source Identifier: Type an IP address, host name, or name to identify the Microsoft DHCP server. The log source identifier must be unique for the log source type.
Domain: Optional. Type the domain that is required to access the Microsoft DHCP server.
Username: Type the user name that is required to access the Microsoft DHCP server.
Password: Type the password that is required to access the Microsoft DHCP server.
Confirm Password: Confirm the password that is required to access the Microsoft DHCP server.
Folder Path: Type the directory path to access the DHCP log files. The default is \WINDOWS\system32\dhcp\.
File Pattern: Type the regular expression (regex) to identify and download the event logs. The log files must contain a three-character abbreviation for a day of the week. The available file patterns are:
• IPv4 file pattern: DhcpSrvLog-(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\.log
• IPv6 file pattern: DhcpV6SrvLog-(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\.log
All files that match the file pattern are processed.
Recursive: Select this check box if you want the file pattern to search sub folders. By default, the check box is selected.
Polling Interval (seconds): Type the polling interval, which is the number of seconds between queries to the log files to check for new data. The minimum polling interval is 10 seconds, with a maximum polling interval of 3,600 seconds.
Throttle Events/Second: Type the maximum number of events the DHCP protocol can forward per second. The minimum value is 100 EPS and the maximum value is 20,000 EPS.
Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.
Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. This option enables administrators to poll and process events on the target event collector instead of the console appliance, which can improve performance in distributed deployments.
Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, the events are displayed individually and the information is not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Log Source Language: Select the language of the events generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.
Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is only available after you upload a log source extension to JSA. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).
Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
• Parsing enhancement: Select this option when most fields parse correctly for your log source.
• Parsing override: Select this option when the log source is unable to correctly parse events.
Groups: Select one or more groups for the log source.
To configure the Microsoft DHCP protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the Syslog Protocol on page 20.
• Configuring the JDBC Protocol on page 23.
• Configuring the JDBC - SiteProtector Protocol on page 27.
• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.
• Configuring the Juniper Networks NSM Protocol on page 36.
• Configuring the OPSEC/LEA Protocol on page 38.
Configuring the Microsoft Exchange Protocol
The Microsoft Windows Exchange protocol supports SMTP, OWA, and message tracking logs for Microsoft Exchange 2007 and 2010.
The Microsoft Exchange protocol does not support Microsoft Exchange 2003 or the Microsoft authentication protocol NTLMv2 Session.
Folder paths that contain an administrative share (C$) require NetBIOS privileges on the administrative share (C$) to read the log files. Local or domain administrators have sufficient privileges to access log files on administrative shares.
Fields for the Microsoft Exchange protocol that support file paths allow administrators to define a drive letter with the path information. For example, the field can contain c$\LogFiles\ for an administrative share, or LogFiles\ for a public share folder path, but not c:\LogFiles.
Detailed configuration steps for Microsoft Exchange are provided in the Juniper Secure Analytics (JSA).
Table 22: Microsoft Exchange Protocol Parameters
Log Source Name: Type a unique name of the log source.
Log Source Description: Optional. Type a description for the log source.
Log Source Type: From the list, select a log source type.
Protocol Configuration: From the list, select Microsoft Exchange.
Log Source Identifier: Type an IP address, host name, or name to identify the Windows Exchange event source. The log source identifier must be unique for the log source type.
Domain: Optional. Type the domain that is required to access the Microsoft Exchange server.
Username: Type the user name that is required to access the Microsoft Exchange server.
Password: Type the password that is required to access the Microsoft Exchange server.
Confirm Password: Confirm the password that is required to access the Microsoft Exchange server.
SMTP Log Folder Path: Type the directory path to access the SMTP log files. The default is Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\. When the folder path is clear, SMTP event collection is disabled.
OWA Log Folder Path: Type the directory path to access the OWA log files. The default is Windows\system32\LogFiles\W3SVC1. When the folder path is clear, OWA event collection is disabled.
MSGTRK Log Folder Path: Type the directory path to access message tracking log files. The default is Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking/. Message tracking is available on Microsoft Exchange 2007 or 2010 servers assigned the Hub Transport, Mailbox, or Edge Transport server role.
File Pattern: Type the regular expression (regex) to identify and download the event logs. The default is .*\.(?:log|LOG). All files that match the regex pattern are processed.
Force File Read: Select this check box to force the protocol to read the log file. By default, the check box is selected. If the check box is clear, the log file is read only when JSA detects a change in the modified time or file size.
Recursive: Select this check box if you want the file pattern to search sub folders. By default, the check box is selected.
Polling Interval (seconds): Type the polling interval, which is the number of seconds between queries to the log files to check for new data. The minimum polling interval is 10 seconds, with a maximum polling interval of 3,600 seconds.
Throttle Events/Second: Type the maximum number of events the Exchange protocol can forward per second. The minimum value is 100 EPS and the maximum value is 20,000 EPS.
Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.
Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. This enables administrators to poll and process events on the target event collector instead of the console appliance, which can improve performance in distributed deployments.
Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, the events are displayed individually and the information is not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Log Source Language: Select the language of the events generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.
Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is only available after you upload a log source extension to JSA. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).
Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
• Parsing enhancement: Select this option when most fields parse correctly for your log source.
• Parsing override: Select this option when the log source is unable to correctly parse events.
Groups: Select one or more groups for the log source.
To configure the Microsoft Windows Exchange protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the Syslog Protocol on page 20.
• Configuring the JDBC Protocol on page 23.
• Configuring the JDBC - SiteProtector Protocol on page 27.
• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.
• Configuring the Juniper Networks NSM Protocol on page 36.
• Configuring the OPSEC/LEA Protocol on page 38.
Configuring the Microsoft IIS Protocol
The Microsoft IIS protocol supports a single point of collection for W3C format log files that are located on Microsoft IIS web servers.
The Microsoft authentication protocol NTLMv2 is not supported by the Microsoft IIS protocol.
Folder paths that contain an administrative share (C$) require NetBIOS privileges on the administrative share (C$) to read the log files. Local or domain administrators have sufficient privileges to access log files on administrative shares.
Fields for the Microsoft IIS protocol that support file paths allow administrators to define a drive letter with the path information. For example, the field can contain c$\LogFiles\ for an administrative share, or LogFiles\ for a public share folder path, but not c:\LogFiles.
Detailed configuration steps for Microsoft IIS are provided in the Juniper Secure Analytics (JSA).
Table 23: Microsoft IIS Protocol Parameters
Log Source Name: Type a unique name of the log source.
Log Source Description: Optional. Type a description for the log source.
Log Source Type: From the list, select a log source type.
Protocol Configuration: From the list, select Microsoft IIS.
Log Source Identifier: Type an IP address, host name, or name to identify the Microsoft IIS server. The log source identifier must be unique for the log source type.
Domain: Optional. Type the domain that is required to access the Microsoft IIS server.
Username: Type the user name that is required to access the Microsoft IIS server.
Password: Type the password that is required to access the Microsoft IIS server.
Confirm Password: Confirm the password that is required to access the Microsoft IIS server.
Folder Path: Type the directory path to access the IIS log files. The default is \WINDOWS\system32\LogFiles\W3SVC1\.
File Pattern: Type the regular expression (regex) to identify and download the event logs. The default file pattern is (?:u_)?ex.*\.(?:log|LOG). All files that match the file pattern are processed.
Recursive: Select this check box if you want the file pattern to search sub folders. By default, the check box is selected.
Polling Interval (seconds): Type the polling interval, which is the number of seconds between queries to the log files to check for new data. The minimum polling interval is 10 seconds, with a maximum polling interval of 3,600 seconds.
Throttle Events/Second: Type the maximum number of events the IIS protocol can forward per second. The minimum value is 100 EPS and the maximum value is 20,000 EPS.
Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source does not count against the log source limit in the license.
Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events created by a log source. The credibility value assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.
Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, events are viewed individually and events are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Log Source Language: Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.
Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).
Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
• Parsing enhancement: Select this option when most fields parse correctly for the log source.
• Parsing override: Select this option when the log source is unable to correctly parse events.
Groups: Select one or more groups for the log source.
To configure the Microsoft IIS protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the Syslog Protocol on page 20.
• Configuring the JDBC Protocol on page 23.
• Configuring the JDBC - SiteProtector Protocol on page 27.
• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.
• Configuring the Juniper Networks NSM Protocol on page 36.
• Configuring the OPSEC/LEA Protocol on page 38.
Configuring the SMB Tail Protocol
The SMB Tail protocol enables administrators to remotely watch an event file in a remote directory on a Samba share, detect when new lines are added to the event log, and retrieve the remote events.
Table 24: SMB Tail Protocol Parameters
Log Source Name: Type a unique name of the log source.
Log Source Description: Optional. Type a description for the log source.
Log Source Type: From the list, select a log source type.
Protocol Configuration: From the list, select SMB Tail.
Log Source Identifier: Type an IP address, host name, or name to identify the SMB Tail event source. IP addresses or host names are suggested because they identify a unique value for the event source.
Server Address: Type the IP address or host name of the Samba server.
Domain: Optional. Type the domain required for the SMB (Samba) server.
Username: Type the user name required to access the remote server.
Password: Type the password required to access the remote server.
Confirm Password: Confirm the password required to access the server.
Log Folder Path: Type the directory path to access the log files. For example, administrators can use c$\LogFiles\ for an administrative share, or LogFiles\ for a public share folder path. However, c:\LogFiles is not a supported log folder path. If a log folder path contains an administrative share (C$), users with NetBIOS access on the administrative share (C$) have the privileges required to read the log files. Local system or domain administrator privileges are also sufficient to access log files that reside on an administrative share.
File Pattern: Type the regular expression (regex) to identify and download the event logs. All matching files are included in the processing.
Force File Read: Select this check box to force the protocol to read the log file. By default, the check box is selected. If the check box is clear, the log file is read only when JSA detects a change in the modified time or file size.
Recursive: Select this check box if you want the file pattern to search sub folders. By default, the check box is selected.
Polling Interval (seconds): Type the polling interval, which is the number of seconds between queries to the log files to check for new data. The minimum polling interval is 10 seconds, with a maximum polling interval of 3,600 seconds.
Throttle Events/Second: Type the maximum number of events the SMB Tail protocol forwards per second. The minimum value is 100 EPS and the maximum value is 20,000 EPS.
Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.
Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events created by a log source. The credibility value assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Target Event Collector: Select the Event Collector to use as the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. This enables administrators to poll and process events on the target event collector instead of the console appliance, which can improve performance in distributed deployments. When an administrator verifies firewall ports between JSA and the remote database, the firewall must allow communication between the target event collector and the remote database.
Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, the events are displayed individually and the information is not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Log Source Language: Select the language of the events generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.
Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is only available after you upload a log source extension to JSA. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).
Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
• Parsing enhancement: Select this option when most fields parse correctly for your log source.
• Parsing override: Select this option when the log source is unable to correctly parse events.
Groups: Select one or more groups for the log source.
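The Folder Path and File Pattern rules above are shared by the Microsoft DHCP, Microsoft Exchange, Microsoft IIS and SMB Tail protocols: a path may be an administrative share (c$\LogFiles\) or a share-relative path (LogFiles\) but never a drive-letter path (c:\LogFiles), and only files whose names match the regex are collected, optionally from sub folders. The Python script below is an added example, not part of this guide or of JSA, that checks a planned configuration before it is saved: it classifies the Folder Path value and flags that an administrative share implies an administrator-level collection account, warns about a file pattern that was pasted with stray spaces (the day-of-week alternation is an easy one to damage), and shows which files each of the guide's own patterns would pick up from a constructed directory tree. Two things are assumptions, not statements from the guide: that JSA matches the pattern against the file name only, and that the whole name must match.

```python
import re
import tempfile
from pathlib import Path

# File patterns quoted in Tables 21 to 23 of the guide
# (DHCP IPv4 and IPv6, IIS default, Exchange default).
PATTERNS = {
    "dhcp_ipv4": r"DhcpSrvLog-(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\.log",
    "dhcp_ipv6": r"DhcpV6SrvLog-(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\.log",
    "iis": r"(?:u_)?ex.*\.(?:log|LOG)",
    "exchange": r".*\.(?:log|LOG)",
}


def review_folder_path(path):
    """Classify a Folder Path value against the forms the guide accepts.

    Returns (kind, needs_admin). An administrative share means the collection
    account must be a local or domain administrator, which matters when the
    goal is a least-privilege read-only account. Added check, not JSA's own.
    """
    p = path.strip()
    if not p:
        return ("empty", False)
    if re.match(r"^[A-Za-z]:", p):           # c:\LogFiles is not supported
        return ("unsupported_drive_letter", False)
    if re.match(r"^[A-Za-z]\$(?:\\|$)", p):  # c$\LogFiles\ needs admin privileges
        return ("administrative_share", True)
    return ("share_relative", False)         # LogFiles\ or \WINDOWS\system32\dhcp\


def pattern_warnings(pattern):
    """Flag copy-paste defects in a File Pattern regex before saving the log source."""
    warnings = []
    if " " in pattern:
        warnings.append("literal space inside the pattern; a pasted 'Thu| Fri' only "
                        "matches names that contain that space")
    try:
        re.compile(pattern)
    except re.error as exc:
        warnings.append(f"pattern does not compile: {exc}")
    return warnings


def select_log_files(folder, pattern, recursive=True):
    """Return the files under folder whose name matches pattern, as the File
    Pattern and Recursive fields describe. Assumption: the regex is applied to
    the file name only and must match it completely (re.fullmatch)."""
    rx = re.compile(pattern)
    root = Path(folder)
    found = root.rglob("*") if recursive else root.glob("*")
    return sorted(p.relative_to(root).as_posix()
                  for p in found if p.is_file() and rx.fullmatch(p.name))


# Constructed file names for the demonstration; they are not real log files.
SAMPLE_NAMES = [
    "DhcpSrvLog-Mon.log", "DhcpSrvLog-Tue.log", "DhcpSrvLog-Monday.log",
    "DhcpV6SrvLog-Mon.log", "archive/DhcpSrvLog-Sun.log",
    "u_ex170104.log", "ex170104.LOG", "u_ex170104.log.bak", "notes.txt",
]


def build_sample_tree(base):
    for name in SAMPLE_NAMES:
        p = Path(base) / name
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample line\n")


def demo():
    """Apply each of the guide's patterns to the constructed tree."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return {
            "dhcp_ipv4_flat": select_log_files(d, PATTERNS["dhcp_ipv4"], recursive=False),
            "dhcp_ipv4_recursive": select_log_files(d, PATTERNS["dhcp_ipv4"], recursive=True),
            "dhcp_ipv6": select_log_files(d, PATTERNS["dhcp_ipv6"]),
            "iis": select_log_files(d, PATTERNS["iis"], recursive=False),
            "exchange": select_log_files(d, PATTERNS["exchange"], recursive=False),
        }


if __name__ == "__main__":
    for value in ("c$\\LogFiles\\", "LogFiles\\", "c:\\LogFiles"):
        print(value, review_folder_path(value))
    print(pattern_warnings(r"DhcpSrvLog-(?:Sun|Mon|Tue|Wed|Thu| Fri| Sat)\.log"))
    for key, files in demo().items():
        print(key, files)
```

Two points the run makes visible: with Recursive clear, the DHCP pattern ignores the copy under archive\, and because the match is anchored to the whole name, a rotated file such as u_ex170104.log.bak is not collected by the IIS pattern even though it contains ".log".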
To configure the SMB Tail protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the Syslog Protocol on page 20.
• Configuring the JDBC Protocol on page 23.
• Configuring the JDBC - SiteProtector Protocol on page 27.
• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.
• Configuring the Juniper Networks NSM Protocol on page 36.
• Configuring the OPSEC/LEA Protocol on page 38.
Configuring the EMC VMware Protocol
The EMC VMware protocol provides log sources the ability to receive event data from the VMware web service for virtual environments.
Table 25 on page 77 describes the parameters of the EMC VMware protocol.
Table 25: EMC VMware Protocol Parameters
Log Source Name: Type a unique name of the log source.
Log Source Description: Optional. Type a description for the log source.
Log Source Type: From the list, select the type of log source to add.
Protocol Configuration: From the list, select EMC VMware.
Log Source Identifier: Type the IP address or host name for the log source. The value for this parameter must match the VMware IP.
VMware IP: Type the IP address of the VMware ESXi server. For example, 1.1.1.1. The VMware protocol appends the IP address of your VMware ESXi server with HTTPS before the protocol requests event data.
User Name: Type the user name required to access the VMware server. If you want to configure a read-only account to use with the VMware protocol, you can create a user on your VMware with read-only permission.
Password: Confirm the password that is required to remotely access the VMware Server.
Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source does not count against the log source limit in the license.
Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events created by a log source. The credibility value assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.
Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, events are viewed individually and events are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Log Source Language: Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.
Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is only available after you upload a log source extension to JSA. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).
Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
• Parsing enhancement: Select this option when most fields parse correctly for your log source.
• Parsing override: Select this option when the log source is unable to correctly parse events.
Groups: Select one or more groups for the log source.
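Every protocol table in this chapter carries the same Coalescing Events description: when the check box is selected, repeats of the same event inside a short interval are bundled into one record whose event count is increased, and when it is clear every event is shown on its own. The Python model below is an added illustration, not JSA's implementation and not code from this guide: it bundles events by (log source, event id) within a window measured from the first event of the bundle, then renders the Log Activity view both ways. The key fields, the 10-second window and the sample events (Windows logon audit ids used purely as constructed data) are assumptions; the guide only says that identical events in a short interval are bundled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float        # seconds since an arbitrary epoch (constructed sample timestamps)
    source: str      # log source identifier
    event_id: str    # event name or id after parsing
    payload: str     # raw payload, retained only when Store Event Payload is enabled


def coalesce(events, window_seconds=10.0):
    """Bundle repeats of the same (source, event_id) that arrive within
    window_seconds of the bundle's first event.

    Returns a list of (representative_event, count) in arrival order. The key
    fields and window length are illustrative assumptions, not JSA's values.
    """
    bundles = []        # each entry is [representative_event, count]
    open_bundle = {}    # key -> index of the bundle that may still absorb repeats
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.source, ev.event_id)
        idx = open_bundle.get(key)
        if idx is not None and ev.ts - bundles[idx][0].ts <= window_seconds:
            bundles[idx][1] += 1          # same event, inside the window: count it
        else:
            bundles.append([ev, 1])       # first occurrence, or window expired
            open_bundle[key] = len(bundles) - 1
    return [(rep, n) for rep, n in bundles]


def present(events, coalescing_enabled):
    """Model the Log Activity rows: one per bundle when coalescing is on,
    one per event (count 1) when the check box is clear."""
    if not coalescing_enabled:
        return [(e.source, e.event_id, 1) for e in sorted(events, key=lambda e: e.ts)]
    return [(rep.source, rep.event_id, n) for rep, n in coalesce(events)]


# Constructed sample: a burst of five failed logons, one success in the middle,
# and a further failed logon well outside the window.
SAMPLE_EVENTS = [
    Event(0.0, "host-a", "4625", "An account failed to log on"),
    Event(1.0, "host-a", "4625", "An account failed to log on"),
    Event(2.0, "host-a", "4625", "An account failed to log on"),
    Event(2.5, "host-a", "4624", "An account was successfully logged on"),
    Event(3.0, "host-a", "4625", "An account failed to log on"),
    Event(4.0, "host-a", "4625", "An account failed to log on"),
    Event(30.0, "host-a", "4625", "An account failed to log on"),
]


def demo():
    return {
        "coalesced": present(SAMPLE_EVENTS, True),
        "individual": present(SAMPLE_EVENTS, False),
    }


if __name__ == "__main__":
    for mode, rows in demo().items():
        print(mode)
        for row in rows:
            print("  ", row)
```

With coalescing on, the burst collapses to a single row with a count of 5, the successful logon stays separate because it has a different event id, and the logon failure at 30 seconds starts a new bundle because the first bundle's window has expired; with the check box clear, all seven events appear as individual rows, which is the behaviour the tables describe.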
To configure the EMC VMware protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source. The JSA provides step-by-step
instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the Syslog Protocol on page 20.
• Configuring the JDBC Protocol on page 23.
• Configuring the JDBC - SiteProtector Protocol on page 27.
• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.
• Configuring the Juniper Networks NSM Protocol on page 36.
• Configuring the OPSEC/LEA Protocol on page 38.
• Configuring the SDEE Protocol on page 41.
Configuring the Oracle Database Listener Protocol
The Oracle Database Listener protocol source enables administrators to remotely collect log files generated from an Oracle database server.
Before you configure the Oracle Database Listener protocol to monitor log files for processing, you must obtain the directory path to the Oracle database log files.
Detailed configuration steps for Oracle are provided in the Juniper Secure Analytics (JSA).
Table 26: Oracle Database Listener Protocol Parameters

Log Source Name
  Type a unique name of the log source.

Log Source Description
  Optional. Type a description for the log source.

Log Source Type
  From the list, select a log source type.

Protocol Configuration
  From the list, select Oracle Database Listener.

Log Source Identifier
  Type an IP address, host name, or name to identify the Oracle database server.
  The log source identifier must be unique for the log source type.

Domain
  Optional. Type the domain that is required to access the Oracle database server.

Username
  Type the user name that is required to access the Oracle database server.

Password
  Type the password that is required to access the Oracle database server.

Confirm Password
  Confirm the password that is required to access the Oracle database server.

Log Folder Path
  Type the directory path to access the Oracle database log files.

File Pattern
  Type the regular expression (regex) to identify and download the event logs.
  The default file pattern is listener\.log.
  All files that match the file pattern are processed.

Recursive
  Select this check box if you want the file pattern to search sub folders. By default, the check box is selected.

Polling Interval (seconds)
  Type the polling interval, which is the number of seconds between queries to the log files to check for new data.
  The minimum polling interval is 10 seconds, with a maximum polling interval of 3,600 seconds.

Throttle Events/Second
  Type the maximum number of events the protocol can forward per second.
  The minimum value is 100 EPS and the maximum value is 20,000 EPS.

Enabled
  Select this check box to enable the log source.
  When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.
  Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
  This option enables administrators to poll and process events on the target event collector, instead of the console appliance. This can improve performance in distributed deployments.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events.
  Coalescing events increase the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
  When this check box is clear, the events are displayed individually and the information is not bundled.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events that are generated by the log source.
  The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source.
  This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:
  • Parsing enhancement—Select this option when most fields parse correctly for your log source.
  • Parsing override—Select this option when the log source is unable to correctly parse events.

Groups
  Select one or more groups for the log source.
To configure the Oracle Database Listener protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
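The Log Folder Path, File Pattern, Recursive, Polling Interval and Throttle Events/Second parameters of Table 26 together describe a polling file collector. The following Python model of such a collector is an added example and not Juniper's code: the numeric bounds are the ones Table 26 states, while matching the pattern against the whole file name, keeping a byte offset per file so that each poll forwards only newly appended data, and treating the throttle as a cap per poll are assumptions made here, and the sample log folder is constructed inline.

```python
"""Polling file collector in the style of the Oracle Database Listener protocol.

Added example, not Juniper's code. Assumptions beyond the page: the file
pattern is matched against the whole file name, the collector keeps a byte
offset per file so each poll forwards only data appended since the last one,
and the throttle caps how many events one poll (one second) may return.
"""
import os
import re
import tempfile

# Ranges stated in Table 26.
MIN_POLL_SECONDS, MAX_POLL_SECONDS = 10, 3600
MIN_EPS, MAX_EPS = 100, 20_000
DEFAULT_FILE_PATTERN = r"listener\.log"


def validate_params(polling_interval, throttle_eps):
    """Reject values outside the ranges the protocol accepts."""
    if not MIN_POLL_SECONDS <= polling_interval <= MAX_POLL_SECONDS:
        raise ValueError("polling interval must be 10-3600 seconds")
    if not MIN_EPS <= throttle_eps <= MAX_EPS:
        raise ValueError("throttle must be 100-20,000 EPS")


def params_accepted(polling_interval, throttle_eps):
    """True when validate_params accepts the pair, False otherwise."""
    try:
        validate_params(polling_interval, throttle_eps)
        return True
    except ValueError:
        return False


def find_matching_files(log_folder, file_pattern=DEFAULT_FILE_PATTERN, recursive=True):
    """Paths of files whose name matches the regex; sub folders only when recursive."""
    matcher = re.compile(file_pattern)
    matches = []
    for dirpath, dirnames, filenames in os.walk(log_folder):
        matches.extend(os.path.join(dirpath, n) for n in filenames if matcher.fullmatch(n))
        if not recursive:
            dirnames.clear()  # prune os.walk so it does not descend into sub folders
    return sorted(matches)


class LogPoller:
    """Forwards complete lines appended to matching files since the previous poll."""

    def __init__(self, log_folder, file_pattern=DEFAULT_FILE_PATTERN, recursive=True,
                 polling_interval=10, throttle_eps=100):
        validate_params(polling_interval, throttle_eps)
        self.log_folder, self.file_pattern, self.recursive = log_folder, file_pattern, recursive
        self.polling_interval, self.throttle_eps = polling_interval, throttle_eps
        self._offsets = {}   # path -> bytes already forwarded
        self._pending = []   # (path, line) events held back by the throttle

    def poll(self):
        """One polling cycle; returns at most throttle_eps (path, line) events."""
        for path in find_matching_files(self.log_folder, self.file_pattern, self.recursive):
            start = self._offsets.get(path, 0)
            if os.path.getsize(path) < start:
                start = 0  # file was truncated or rotated: read it again from the beginning
            with open(path, "rb") as fh:
                fh.seek(start)
                data = fh.read()
            complete, sep, _partial = data.rpartition(b"\n")
            if sep:  # forward whole lines only; a partial trailing line waits for the next poll
                self._offsets[path] = start + len(complete) + len(sep)
                self._pending.extend((path, ln.decode("utf-8", "replace"))
                                     for ln in complete.split(b"\n"))
        batch, self._pending = self._pending[:self.throttle_eps], self._pending[self.throttle_eps:]
        return batch


def _write(path, text, mode="w"):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(text)


def demo():
    """Constructed sample folder: two polls showing recursion and partial-line handling."""
    root = tempfile.mkdtemp(prefix="oracle-logs-")
    _write(os.path.join(root, "listener.log"),
           "12-JAN-2017 10:00:01 * (CONNECT_DATA=(SERVICE_NAME=orcl)) * establish * 0\n")
    _write(os.path.join(root, "trace", "listener.log"), "12-JAN-2017 10:00:02 * service_update")
    _write(os.path.join(root, "alert.log"), "not matched by the file pattern\n")
    poller = LogPoller(root, recursive=True, polling_interval=10, throttle_eps=100)
    first = poller.poll()   # only the complete line in the top folder is forwarded
    _write(os.path.join(root, "trace", "listener.log"), " * orcl * 0\n", mode="a")
    second = poller.poll()  # the sub folder line, now complete, is forwarded
    return len(find_matching_files(root, recursive=False)), first, second


def throttle_demo(lines=150):
    """150 lines behind a 100 EPS throttle are forwarded as 100, then 50, then nothing."""
    root = tempfile.mkdtemp(prefix="oracle-throttle-")
    _write(os.path.join(root, "listener.log"), "".join(f"line {i}\n" for i in range(lines)))
    poller = LogPoller(root, throttle_eps=100)
    return len(poller.poll()), len(poller.poll()), len(poller.poll())


if __name__ == "__main__":
    print(demo())
    print(throttle_demo())
```

Two details are worth noticing when running it: a line without a trailing newline is held until the next poll rather than forwarded half-written, and surplus events above the throttle are deferred to the next poll instead of dropped. Both are choices made for this example; the page does not say how the product itself handles either case.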
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the Syslog Protocol on page 20.
• Configuring the JDBC Protocol on page 23.
• Configuring the JDBC - SiteProtector Protocol on page 27.
• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.
• Configuring the Juniper Networks NSM Protocol on page 36.
• Configuring the OPSEC/LEA Protocol on page 38.
Configuring the Cisco NSEL Protocol
The Cisco Network Security Event Logging (NSEL) protocol source allows Juniper Secure Analytics (JSA) to monitor NetFlow packet flows from a Cisco Adaptive Security Appliance (ASA).
To integrate Cisco ASA using NetFlow with JSA, you must manually create a log source to receive NetFlow events. JSA does not automatically discover or create log sources for syslog events from Cisco ASA using NetFlow and NSEL. For more information, see the JSA.
Table 27 on page 82 describes the parameters of the Cisco NSEL protocol.
Table 27: Cisco NSEL Protocol Parameters

Log Source Name
  Type a unique name of the log source.

Log Source Description
  Optional. Type a description for the log source.

Log Source Type
  From the list, select the type of log source to add.

Protocol Configuration
  From the list, select Cisco NSEL.

Log Source Identifier
  Type an IPv4 address or hostname to identify the log source that created the events.
  If the network contains devices that are attached to a management console, administrators can specify the IP address of the individual device that created the event. A unique identifier for each, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.

Collector Port
  Type the UDP port number used by Cisco ASA to forward NSEL events. The valid range of the Collector Port parameter is 1 – 65535.
  JSA uses port 2055 for flow data on QFlow Collectors. Administrators must assign a different UDP port on the Cisco Adaptive Security Appliance for NetFlow using NSEL.

Enabled
  Select this check box to enable the log source.
  When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) – 10 (highest). The default credibility is 5.
  Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
  The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events.
  Coalescing events increase the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
  When this check box is clear, events are viewed individually and events are not bundled.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events that are generated by the log source.
  The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source.
  This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:
  • Parsing enhancement—Select this option when most fields parse correctly for your log source.
  • Parsing override—Select this option when the log source is unable to correctly parse events.

Groups
  Select one or more groups for the log source.
To configure the Cisco NSEL protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source. The JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
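The Coalescing Events row of Table 27 (the same text appears in every protocol table of this chapter) describes bundling repeated identical events into one event with an increased count, with the check box inheriting its default from the System Settings. The following Python model is an added example, not JSA's implementation: the identity key (log source, event name, source and destination address), the fixed window measured from the first occurrence, its 10-second length and the sample events are all constructed for the illustration.

```python
"""Event coalescing as described for the Coalescing Events check box.

Added example, not JSA's own code. Assumptions beyond the page: two events are
"the same" when log source, event name, source and destination addresses all
match, and "a short time interval" is a fixed window measured from the first
occurrence (the 10-second value is constructed for the demo).
"""
from dataclasses import dataclass

SYSTEM_SETTINGS_COALESCE = True   # the System Settings default a new log source inherits
COALESCE_WINDOW_SECONDS = 10.0    # constructed; the page says only "a short time interval"


@dataclass
class Event:
    log_source: str
    name: str
    src: str
    dst: str
    time: float     # seconds since an arbitrary epoch
    count: int = 1  # the event count shown on the Log Activity tab


class Coalescer:
    """Bundles repeated identical events from one log source into a single counted event."""

    def __init__(self, enabled=None, window=COALESCE_WINDOW_SECONDS):
        # None models a new or automatically discovered log source, which inherits the
        # System Settings value; True/False is an administrator's per-log-source override.
        self.enabled = SYSTEM_SETTINGS_COALESCE if enabled is None else enabled
        self.window = window
        self._open = {}  # key -> bundle that is still accumulating

    @staticmethod
    def key(e):
        return (e.log_source, e.name, e.src, e.dst)

    def process(self, e):
        """Return the events to emit for one incoming event (possibly none).

        Check box clear: every event passes through individually.
        Check box selected: an identical event inside the window only increments the
        count; one outside it closes the old bundle (emitted) and starts a new one."""
        if not self.enabled:
            return [e]
        k = self.key(e)
        bundle = self._open.get(k)
        if bundle is not None and e.time - bundle.time < self.window:
            bundle.count += 1
            return []
        self._open[k] = Event(e.log_source, e.name, e.src, e.dst, e.time)
        return [bundle] if bundle is not None else []

    def expire(self, now):
        """Emit bundles whose window has elapsed by time `now` (for periodic flushing)."""
        done = [k for k, b in self._open.items() if now - b.time >= self.window]
        return sorted((self._open.pop(k) for k in done), key=lambda b: b.time)

    def flush(self):
        """Emit everything still open, oldest first (for example at shutdown)."""
        out = sorted(self._open.values(), key=lambda b: b.time)
        self._open.clear()
        return out


# Constructed sample: repeated denies for one host, one deny for another host,
# and a late repeat that falls outside the window.
SAMPLE_EVENTS = [
    Event("fw-01", "Deny by ACL", "10.0.0.5", "10.0.0.1", 0.0),
    Event("fw-01", "Deny by ACL", "10.0.0.5", "10.0.0.1", 1.0),
    Event("fw-01", "Deny by ACL", "10.0.0.5", "10.0.0.1", 2.0),
    Event("fw-01", "Deny by ACL", "10.0.0.9", "10.0.0.1", 2.5),
    Event("fw-01", "Deny by ACL", "10.0.0.5", "10.0.0.1", 3.0),
    Event("fw-01", "Deny by ACL", "10.0.0.5", "10.0.0.1", 15.0),
]


def run(enabled):
    """Feed the sample through a coalescer; return (name, src, count) per emitted event."""
    c = Coalescer(enabled=enabled)
    out = []
    for e in SAMPLE_EVENTS:
        out.extend(c.process(e))
    out.extend(c.flush())
    return [(e.name, e.src, e.count) for e in out]


if __name__ == "__main__":
    print("check box clear:   ", run(False))
    print("check box selected:", run(True))
```

With the check box clear the six sample events are emitted one by one; with it selected the four denies from 10.0.0.5 inside the window become one event with a count of 4, the deny from 10.0.0.9 stays separate, and the repeat at 15 seconds starts a new bundle, which is what the Log Activity tab's event count reflects.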
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the TCP Multiline Syslog Protocol on page 97.
• Configuring the VMware vCloud Director Protocol on page 100.
• Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 102.
Configuring the PCAP Syslog Combination Protocol
The PCAP Syslog Combination protocol enables events to be collected from Juniper Networks SRX Series appliances that forward packet capture (PCAP) data.
Administrators must determine the outgoing PCAP port configured on the Juniper Networks SRX appliance before the log source can be configured. PCAP data cannot be forwarded to port 514.
Detailed configuration steps are provided in the Juniper Secure Analytics (JSA).
Table 28: PCAP Syslog Combination Protocol Parameters

Log Source Name
  Type a unique name of the log source.

Log Source Description
  Optional. Type a description for the log source.

Log Source Type
  From the list, select a log source type.

Protocol Configuration
  From the list, select PCAP Syslog Combination.

Log Source Identifier
  Type an IP address, host name, or name to identify the Juniper Networks SRX Series appliance.
  The log source identifier must be unique for the log source type.

Incoming PCAP Port
  Specify the port number used by the Juniper Networks SRX Series appliance to forward incoming PCAP data.
  The PCAP UDP port number must be configured from your Juniper SRX Series appliance.
  If the outgoing PCAP port is edited on the Juniper Networks SRX Series appliance, the administrator must edit the log source.
  To edit the Incoming PCAP Port number, complete the following steps:
  1. Type the new port number for receiving PCAP data.
  2. Click Save.
  3. On the Admin tab, select Advanced > Deploy Full Configuration.
  Attention: When administrators click Deploy Full Configuration, the system restarts all services, resulting in a gap in data collection for events and flows until the deployment completes.

Enabled
  Select this check box to enable the log source.
  When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.
  Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
  This option enables administrators to poll and process events on the target event collector, instead of the console appliance. This can improve performance in distributed deployments.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events.
  Coalescing events increase the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
  When this check box is clear, the events are displayed individually and the information is not bundled.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events generated by the log source.
  The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source.
  This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:
  • Parsing enhancement—Select this option when most fields parse correctly for your log source.
  • Parsing override—Select this option when the log source is unable to correctly parse events.

Groups
  Select one or more groups for the log source.
To configure the PCAP Syslog Combination protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the Syslog Protocol on page 20.
• Configuring the JDBC Protocol on page 23.
• Configuring the JDBC - SiteProtector Protocol on page 27.
• Configuring the TLS Syslog Protocol on page 89.
• Configuring the Juniper Security Binary Log Collector Protocol on page 92.
• Configuring the UDP Multiline Syslog Protocol on page 94.
Configuring the Forwarded Protocol
The forwarded protocol enables administrators to receive events from another console in your deployment.
The forwarded protocol is typically used in a scenario where administrators want to forward events to another Juniper Secure Analytics (JSA) console. In this scenario, console A is configured with an off-site target in the deployment editor, which points to console B. Log sources that are automatically discovered are automatically added to console B. Any log sources from console A that are not automatically discovered must be added to console B as a log source with the forwarded protocol.
Table 29: Forwarded Protocol Parameters

Log Source Name
  Type a unique name of the log source.

Log Source Description
  Optional. Type a description for the log source.

Log Source Type
  From the list, select a log source type.

Protocol Configuration
  From the list, select Forwarded.

Log Source Identifier
  Type an IP address or host name for the originating log source.
  For example, the identifier is the IP address or host name of the log source in Network A.
  The log source identifier must be unique for the log source type.

Enabled
  Select this check box to enable the log source.
  When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.
  Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
  The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. This can improve performance in distributed deployments.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events.
  Coalescing events increase the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
  When this check box is clear, the events are displayed individually and the information is not bundled.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events generated by the log source.
  The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source.
  This parameter is only available after you upload a log source extension to JSA. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:
  • Parsing enhancement—Select this option when most fields parse correctly for your log source.
  • Parsing override—Select this option when the log source is unable to correctly parse events.

Groups
  Select one or more groups for the log source.
To configure the forwarded protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the TLS Syslog Protocol on page 89.
• Configuring the Juniper Security Binary Log Collector Protocol on page 92.
• Configuring the UDP Multiline Syslog Protocol on page 94.
• Configuring the TCP Multiline Syslog Protocol on page 97.
• Configuring the VMware vCloud Director Protocol on page 100.
• Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 102.
Configuring the TLS Syslog Protocol
The TLS Syslog protocol enables log sources to receive encrypted syslog events from up to 50 network devices that support TLS Syslog event forwarding.
The log source creates a listen port for incoming TLS Syslog events and generates a certificate file for the network devices. Up to 50 network appliances can forward events to the port created for the log source.
Table 30: TLS Syslog Protocol Parameters

Log Source Name
  Type a unique name of the log source.

Log Source Description
  Optional. Type a description for the log source.

Log Source Type
  From the list, select a log source type.

Protocol Configuration
  From the list, select TLS Syslog.

Log Source Identifier
  Type the IP address or host name of the network device forwarding encrypted syslog.

TLS Listen Port
  Type the port number to accept incoming TLS Syslog events.
  The default TLS listen port is 6514.
  The port number that is specified as the listen port for TLS events can be used by up to 50 log sources. If multiple network devices are forwarding TLS syslog events, they can also use 6514 as their default TLS syslog port.
  To edit the port number, complete the following steps:
  1. Type the new port number for the TLS syslog protocol.
  2. Click Save.
  3. On the Admin tab, select Advanced > Deploy Full Configuration.
  Attention: When administrators click Deploy Full Configuration, the system restarts all services, resulting in a gap in data collection for events and flows until the deployment completes.

Enabled
  Select this check box to enable the log source.
  When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) – 10 (highest). The default credibility is 5.
  Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
  The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events.
  Coalescing events increase the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
  When this check box is clear, the events are displayed individually and the information is not bundled.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events generated by the log source.
  The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source.
  This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:
  • Parsing enhancement—Select this option when most fields parse correctly for your log source.
  • Parsing override—Select this option when the log source is unable to correctly parse events.

Groups
  Select one or more groups for the log source.
To configure the TLS Syslog protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
After the log source is saved, a syslog-tls certificate is created for the log source device. The certificate must be copied to any device on your network that is capable of forwarding encrypted syslog. Additional network devices with a syslog-tls certificate file and the TLS listen port number can be automatically discovered as a TLS syslog log source in JSA.
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the Juniper Security Binary Log Collector Protocol on page 92.
• Configuring the UDP Multiline Syslog Protocol on page 94.
• Configuring the TCP Multiline Syslog Protocol on page 97.
• Configuring the VMware vCloud Director Protocol on page 100.
• Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 102.
Configuring the Juniper Security Binary Log Collector Protocol
The Juniper Binary Log Collector protocol can accept audit, system, firewall, and intrusion prevention system (IPS) events in binary format.
Administrators must configure their Juniper appliances to stream binary formatted events. The port number that is used by Juniper to stream binary events is required before an administrator can configure the log source.
The binary log format from Juniper SRX or J Series appliances is streamed with the UDP protocol. You must specify a unique port for streaming binary formatted events; the standard syslog port (514) cannot be used for binary formatted events. The default port that is assigned to receive streaming binary events from Juniper appliances is port 40798.
Table 31: Juniper Security Binary Log Collector Protocol Parameters

Log Source Name
  Type a unique name of the log source.

Log Source Description
  Optional. Type a description for the log source.

Log Source Type
  From the list, select a log source type.

Protocol Configuration
  From the list, select Security Binary Log Collector.

Log Source Identifier
  Type an IP address or host name to identify the log source.
  The identifier address must be the Juniper SRX or J Series appliance that generates the binary event stream.

Binary Collector Port
  Type the port number to accept incoming binary events.
  The default listen port is 40798.
  To edit the port number, complete the following steps:
  1. Type the new port number for the protocol.
  2. Click Save.
  3. On the Admin tab, select Advanced > Deploy Full Configuration.
  Attention: When administrators click Deploy Full Configuration, the system restarts all services, resulting in a gap in data collection for events and flows until the deployment completes.

XML Template File Location
  Type the path to the XML file used to decode the binary stream from your Juniper SRX or Juniper J-Series appliance.
  By default, the device support module (DSM) includes an XML file for decoding the binary stream.
  The XML file is in the following location: /opt/qradar/conf/security_log.xml.

Enabled
  Select this check box to enable the log source.
  When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.
  Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
  The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events.
  Coalescing events increase the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
  When this check box is clear, the events are displayed individually and the information is not bundled.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Select the language of the events generated by the log source.
The log source language helps the system parse events from external appliances or operatingsystems that can create events in multiple languages.
Log Source Language
Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions areXML files that contain regular expressions, which can override or repair the event parsing patternsdefined by a device support module (DSM).
Log Source Extension
From the list box, select the use condition for the log source extension. The options include:
• Parsing enhancement—Select this option whenmost fields parse correctly for your log source.
• Parsing override—Select this option when the log source is unable to correctly parse events.
Extension Use Condition
93Copyright © 2017, Juniper Networks, Inc.
Chapter 3: Managing Protocol Configuration
Table 31: Juniper Security Binary Log Collector Protocol Parameters (continued)
DescriptionParameter
Select one or more groups for the log source.Groups
To configure the Juniper Security Binary Log Collector protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the UDP Multiline Syslog Protocol on page 94.
• Configuring the TCP Multiline Syslog Protocol on page 97.
• Configuring the VMware vCloud Director Protocol on page 100.
• Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 102.
Configuring the UDP Multiline Syslog Protocol
The UDP multiline syslog protocol uses a regular expression to identify and reassemble multiline syslog messages into a single event payload.
The UDP multiline protocol enables administrators to add a log source that creates a single-line syslog event from a multiline event. The original event must contain a repeated value that a regular expression can use to identify and reassemble the multiline event. An example event that contains a repeated value follows:
15:08:56 1.1.1.1 slapd[517]: conn=2467222 op=2 SEARCH RESULT tag=101
15:08:56 1.1.1.1 slapd[517]: conn=2467222 op=2 SRCH base="dc=iso-n,dc=com"
15:08:56 1.1.1.1 slapd[517]: conn=2467222 op=2 SRCH attr=gidNumber
15:08:56 1.1.1.1 slapd[517]: conn=2467222 op=1 SRCH base="dc=iso-n,dc=com"
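As an added illustration of how a message ID pattern reassembles separate datagrams into one payload, the following Python groups single-line syslog messages by the first capture group of a configured regular expression. This is example code, not part of the guide and not JSA's own implementation; the sample datagrams are constructed from the slapd lines above plus a line from a second connection and one unrelated message, and the function names and the pass-through rule for non-matching lines are assumptions about the technique.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample datagrams: the slapd lines from the guide's example, a
# line from a different LDAP connection, and one unrelated message. Each would
# arrive as its own UDP datagram on the multiline listen port.
SAMPLE_DATAGRAMS = [
    '15:08:56 1.1.1.1 slapd[517]: conn=2467222 op=2 SEARCH RESULT tag=101',
    '15:08:56 1.1.1.1 slapd[517]: conn=2467222 op=2 SRCH base="dc=iso-n,dc=com"',
    '15:08:56 1.1.1.1 slapd[517]: conn=2467223 op=1 SRCH base="dc=iso-n,dc=com"',
    '15:08:56 1.1.1.1 slapd[517]: conn=2467222 op=2 SRCH attr=gidNumber',
    '15:08:57 1.1.1.1 sshd[900]: Accepted publickey for alice from 10.0.0.5',
]

# The repeated value that ties the lines of one event together. The first
# capture group is the event key, as a Message ID Pattern would be used.
MESSAGE_ID_PATTERN = r'conn=(\d+)'


def reassemble(datagrams: List[str],
               message_id_pattern: str) -> List[Tuple[Optional[str], str]]:
    """Join datagrams that share a message ID into one multi-line payload.

    Returns (message_id, payload) pairs in first-seen order. A datagram that
    does not match the pattern is passed through unchanged as its own event
    with message_id None, so a loose pattern never silently drops data.
    """
    pattern = re.compile(message_id_pattern)
    payloads: Dict[str, List[str]] = {}
    ordered: List[Tuple[Optional[str], List[str]]] = []
    for line in datagrams:
        match = pattern.search(line)
        if match is None:
            ordered.append((None, [line]))
            continue
        # Fall back to the whole match when the pattern has no capture group.
        key = match.group(1) if match.groups() else match.group(0)
        if key not in payloads:
            payloads[key] = []
            ordered.append((key, payloads[key]))
        payloads[key].append(line)
    return [(key, "\n".join(lines)) for key, lines in ordered]


def event_count(datagrams: List[str], message_id_pattern: str) -> int:
    """Number of events the collector would emit for these datagrams."""
    return len(reassemble(datagrams, message_id_pattern))


if __name__ == "__main__":
    for message_id, payload in reassemble(SAMPLE_DATAGRAMS, MESSAGE_ID_PATTERN):
        print(f"--- event (message id: {message_id}) ---")
        print(payload)
```

With the constructed input the three conn=2467222 lines become one payload even though a line from conn=2467223 arrives between them, and the sshd line is emitted on its own. The pattern is what decides the grouping: a pattern that matches only the process name would fold every slapd line, from every connection, into a single event, which is why the identifying value should be one that repeats per event rather than per host or per daemon.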
Table 32: UDP Multiline Syslog Protocol Parameters

Log Source Name: Type a unique name of the log source.

Log Source Description: Optional. Type a description for the log source.

Log Source Type: From the list, select a log source type.

Protocol Configuration: From the list, select UDP Multiline Syslog.

Log Source Identifier: Type the IP address or host name of the network device forwarding encrypted syslog.

Listen Port: Type the port number to accept incoming UDP multiline syslog events. The default listen port is 517. To edit the port number, complete the following steps:
1. Type the new port number for the protocol.
2. Click Save.
3. On the Admin tab, select Advanced > Deploy Full Configuration.
Attention: When administrators click Deploy Full Configuration, the system restarts all services, resulting in a gap in data collection for events and flows until the deployment completes.

Message ID Pattern: Type the regular expression (regex) required to filter the event payload messages. The UDP multiline event messages must contain a common identifying value that repeats on each line of the event message.

Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, the events are listed individually and the information is not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language: Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns that are defined by a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
• Parsing enhancement—Select this option when most fields parse correctly for your log source.
• Parsing override—Select this option when the log source is unable to correctly parse events.

Groups: Select one or more groups for the log source.
To configure the UDP multiline syslog protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
After the log source is saved, a syslog-tls certificate is created for the log source device. The certificate must be copied to any device on your network that is configured to forward encrypted syslog. Additional network devices with a syslog-tls certificate file and the TLS listen port number can be automatically discovered as a TLS syslog log source.
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the Juniper Security Binary Log Collector Protocol on page 92.
• Configuring the TCP Multiline Syslog Protocol on page 97.
• Configuring the VMware vCloud Director Protocol on page 100.
• Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 102.
Configuring the TCP Multiline Syslog Protocol
The TCP multiline syslog protocol uses regular expressions to identify the start and end patterns of multiline events and create a single-line event from them.
The TCP multiline protocol enables administrators to add a log source that creates a single-line syslog event from a multiline event. An example multiline event follows:
06/13/2012 08:15:15 PM
Log Name=Security
Source Name=Microsoft Windows security auditing.
Event Code=5156
Event Type=0
Task Category=Filtering Platform Connection
Keywords=Audit Success
Message=The Windows Filtering Platform permitted a connection.
Process ID: 4
Application Name: System
Direction: Inbound
Source Address: 1.1.1.1
Source Port: 80
Destination Address: 1.1.1.12
Destination Port: 444
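As an added illustration of the start-pattern and end-pattern behavior that Table 33 describes, the following Python splits a TCP stream (already decoded to text) into events using an Event Start Pattern, an Event End Pattern, or both. This is example code, not part of the guide and not JSA's own implementation; the sample stream is constructed from two copies of the Windows event above, and the function, its patterns and its flushing rules are assumptions about the technique.

```python
import re
from typing import List, Optional

# Constructed sample: two Windows Filtering Platform events as they would
# arrive back to back on a TCP multiline syslog connection, decoded to text.
WINDOWS_EVENT = (
    "06/13/2012 08:15:15 PM\n"
    "Log Name=Security\n"
    "Source Name=Microsoft Windows security auditing.\n"
    "Event Code=5156\n"
    "Event Type=0\n"
    "Task Category=Filtering Platform Connection\n"
    "Keywords=Audit Success\n"
    "Message=The Windows Filtering Platform permitted a connection.\n"
    "Process ID: 4\n"
    "Application Name: System\n"
    "Direction: Inbound\n"
    "Source Address: 1.1.1.1\n"
    "Source Port: 80\n"
    "Destination Address: 1.1.1.12\n"
    "Destination Port: 444\n"
)
SAMPLE_STREAM = WINDOWS_EVENT + WINDOWS_EVENT.replace("08:15:15", "08:15:16")

# Syslog headers typically begin with a date or time stamp, so the start
# pattern anchors on the Windows date/time line; the end pattern anchors on
# the last field of the event. Both are assumptions chosen for this sample.
START_PATTERN = r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$"
END_PATTERN = r"^Destination Port:"


def split_events(stream: str, start_pattern: Optional[str] = None,
                 end_pattern: Optional[str] = None) -> List[str]:
    """Cut a text stream into events using a start pattern, an end pattern, or both.

    Start only: everything between two consecutive start matches is one event.
    End only: everything up to and including each end match is one event.
    Both: a start match closes any open event and an end match closes the
    current one, so a missing end line cannot merge two events.
    Lines left over when the stream ends are returned as a final, possibly
    partial, event so that no data is dropped.
    """
    if start_pattern is None and end_pattern is None:
        raise ValueError("at least one of start_pattern or end_pattern is required")
    start_re = re.compile(start_pattern) if start_pattern else None
    end_re = re.compile(end_pattern) if end_pattern else None
    events: List[str] = []
    current: List[str] = []
    for line in stream.splitlines():
        # A new start line closes the event that is currently being assembled.
        if start_re is not None and current and start_re.search(line):
            events.append("\n".join(current))
            current = []
        current.append(line)
        # An end line closes the current event immediately.
        if end_re is not None and end_re.search(line):
            events.append("\n".join(current))
            current = []
    if current:
        events.append("\n".join(current))
    return events


if __name__ == "__main__":
    for i, event in enumerate(split_events(SAMPLE_STREAM, START_PATTERN, END_PATTERN), 1):
        print(f"--- event {i} ({event.count(chr(10)) + 1} lines) ---")
        print(event)
```

On the constructed stream all three modes yield two events. The difference shows when a sender drops the final field of an event: with only an end pattern the two events merge into one, because nothing marks where the first one stopped, while a start pattern (alone or combined with the end pattern) still separates them at the next time stamp. That is the practical reason to prefer a start pattern when the source emits a reliable header line.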
Table 33: TCP Multiline Syslog Protocol Parameters

Log Source Name: Type a unique name of the log source.

Log Source Description: Optional. Type a description for the log source.

Log Source Type: From the list, select a log source type.

Protocol Configuration: From the list, select TCP Multiline Syslog.

Log Source Identifier: Type the IP address or host name of the network device forwarding encrypted syslog.

Listen Port: Type the port number to accept incoming TCP multiline syslog events. The default listen port is 12468. To edit the port number, complete the following steps:
1. Type the new port number for the protocol.
2. Click Save.
3. On the Admin tab, select Advanced > Deploy Full Configuration.
Attention: When administrators click Deploy Full Configuration, the system restarts all services, resulting in a gap in data collection for events and flows until the deployment completes.

Event Formatter: From the list, select one of the following options:
• No Formatting—Select this option when no extra formatting is required for the multiline events.
• Windows Multiline—Select this option for multiline events that are formatted specifically for Windows.

Event Start Pattern: Type the regular expression (regex) required to identify the start of a TCP multiline event payload. Syslog headers typically begin with a date or time stamp. The protocol can create single-line events based solely on an event start pattern, such as a time stamp. When a start pattern is all that is available, the protocol captures all the information between each start value to create a valid event.

Event End Pattern: Type the regular expression (regex) required to identify the last field of a TCP multiline event payload. If the syslog event ends with the same value, administrators can use a regular expression to determine the end of an event. The protocol can capture events based solely on an event end pattern. When an end pattern is all that is available, the protocol captures all the information between each end value to create a valid event.

Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, the events are displayed individually and the information is not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language: Select the language of the events generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
• Parsing enhancement—Select this option when most fields parse correctly for your log source.
• Parsing override—Select this option when the log source is unable to correctly parse events.

Groups: Select one or more groups for the log source.
To configure the TCP multiline syslog protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the TLS Syslog Protocol on page 89.
• Configuring the Juniper Security Binary Log Collector Protocol on page 92.
• Configuring the UDP Multiline Syslog Protocol on page 94.
• Configuring the VMware vCloud Director Protocol on page 100.
• Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 102.
Configuring the VMware vCloud Director Protocol
The VMware vCloud Director protocol enables log sources to use the VMware API to collect events from VMware vCloud Director virtual environments.
Table 34 on page 100 describes the parameters of the VMware vCloud Director protocol.
Table 34: VMware vCloud Director Protocol Parameters

Log Source Name: Type a unique name of the log source.

Log Source Description: Optional. Type a description for the log source.

Log Source Type: From the list, select the type of log source to add.

Protocol Configuration: From the list, select VMware vCloud Director.

Log Source Identifier: Type an IPv4 address or host name to identify the log source that created the events.

vCloud URL: Type the URL configured on the VMware vCloud appliance to access the REST API. The URL must match the address that is configured as the VCD public REST API base URL on the vCloud Server. For example, https://1.1.1.1.

User Name: Type the user name that is required to remotely access the vCloud Server. For example, console/user@organization. To configure a read-only account to use with the vCloud Director protocol, administrators can create a user in the organization with Console Access Only permission.

Password: Confirm the password that is required to remotely access the vCloud Server.

Polling Interval: Type a polling interval, which is the amount of time between queries to the vCloud Server for new events. The default polling interval is 10 seconds.

Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, events are viewed individually and events are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language: Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
• Parsing enhancement—Select this option when most fields parse correctly for your log source.
• Parsing override—Select this option when the log source is unable to correctly parse events.

Groups: Select one or more groups for the log source.
To configure the VMware vCloud Director protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source. JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the TLS Syslog Protocol on page 89.
• Configuring the Juniper Security Binary Log Collector Protocol on page 92.
• Configuring the UDP Multiline Syslog Protocol on page 94.
• Configuring the TCP Multiline Syslog Protocol on page 97.
• Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 102.
Configuring the IBM® Tivoli® Endpoint Manager SOAP Protocol
The IBM Tivoli Endpoint Manager SOAP protocol retrieves Log Extended Event Format (LEEF) formatted events from IBM Tivoli Endpoint Manager appliances.
This protocol requires IBM Tivoli Endpoint Manager version V8.2.x or later and the Web Reports application for Tivoli Endpoint Manager.
The Tivoli Endpoint Manager SOAP protocol retrieves events in 30-second intervals over HTTP or HTTPS. As events are retrieved, the IBM Tivoli Endpoint Manager DSM parses and categorizes the events.
Table 35: IBM Tivoli Endpoint Manager SOAP Protocol Parameters

Log Source Name: Type a unique name of the log source.

Log Source Description: Optional. Type a description for the log source.

Log Source Type: From the list, select a log source type.

Protocol Configuration: From the list, select IBM Tivoli Endpoint Manager SOAP.

Log Source Identifier: Type the IP address or host name of the network device forwarding encrypted syslog.

Use HTTPS: Select this check box to connect to your IBM Tivoli Endpoint Manager with HTTPS. If a certificate is required to connect with HTTPS, administrators must copy any certificates that are required to the following directory: /opt/qradar/conf/trusted_certificates. Certificates with the following file extensions are supported: .crt, .cert, or .der. Administrators must copy certificates to the trusted certificates directory before the log source is saved and deployed.

SOAP Port: Type the port number used to connect to the IBM Tivoli Endpoint Manager using the SOAP API. By default, port 80 is the port number for communicating with IBM Tivoli Endpoint Manager. If administrators use HTTPS, the port field must be updated appropriately. Most configurations use port 443 for HTTPS communications.

Username: Type the username required to access IBM Tivoli Endpoint Manager.

Password: Type the password required to access IBM Tivoli Endpoint Manager.

Confirm Password: Confirm the password to access IBM Tivoli Endpoint Manager.

Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, events are viewed individually and events are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language: Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
• Parsing enhancement—Select this option when most fields parse correctly for your log source.
• Parsing override—Select this option when the log source is unable to correctly parse events.

Groups: Select one or more groups for the log source.
To configure the IBM Tivoli Endpoint Manager SOAP protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source.
Administrators should copy certificates to the trusted certificates directory before the
log source is saved and deployed.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
Related Documentation
• Protocol Configuration Overview on page 20.
• Configuring the TLS Syslog Protocol on page 89.
• Configuring the Juniper Security Binary Log Collector Protocol on page 92.
• Configuring the UDP Multiline Syslog Protocol on page 94.
• Configuring the TCP Multiline Syslog Protocol on page 97.
• Configuring the VMware vCloud Director Protocol on page 100.
CHAPTER 4
Grouping Log Sources
This chapter describes the following sections:
• Grouping Log Source Overview on page 107
• Viewing Log Source Groups on page 108
• Assigning a Log Source to a Group on page 108
• Creating a Log Source Group on page 109
• Editing a Log Source Group on page 109
• Copying a Log Source to Another Group on page 110
• Removing a Log Source From a Group on page 110
Grouping Log Source Overview
Administrators can create log source groups to categorize their log sources by type,
location, or functionality.
Administrators can create and manage multiple levels of log source groups to help users efficiently search for events. Log source groups are name associations to log sources that administrators can create to categorize log sources. Each group can contain a maximum of 1,000 log sources. Auto discovered log sources are assigned to a generic log source group. Log source groups for bulk log sources are automatically created when administrators add bulk log sources.
Related Documentation
• Viewing Log Source Groups on page 108.
• Assigning a Log Source to a Group on page 108.
• Creating a Log Source Group on page 109.
• Editing a Log Source Group on page 109.
• Copying a Log Source to Another Group on page 110.
• Removing a Log Source From a Group on page 110.
Viewing Log Source Groups
Administrators can sort the list of log sources to view log sources that are assigned to a
group.
To view the log source groups:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. From the Search For list, select the log source group.
4. Click Go.
The log source list refreshes to show log sources associated to the group.
Related Documentation
• Grouping Log Source Overview on page 107.
• Assigning a Log Source to a Group on page 108.
• Creating a Log Source Group on page 109.
• Editing a Log Source Group on page 109.
• Copying a Log Source to Another Group on page 110.
• Removing a Log Source From a Group on page 110.
Assigning a Log Source to a Group
Administrators can use the assign feature to move one or more log sources from one group to another. The assign feature can also be used to quickly assign a log source to multiple groups. Auto discovered log sources often require new log source assignments because all auto discovered log sources are categorized into a generic group.
To assign a log source to a group:
1. Click the Admin tab.
2. Click the Log Source icon.
3. Select one or more log sources to assign to a group.
4. Click Assign.
5. Select a group for the log source.
6. Click Assign Groups.
The log sources are reassigned to the group selected by the administrator.
RelatedDocumentation
Grouping Log Source Overview on page 107•
• Viewing Log Source Groups on page 108.
• Creating a Log Source Group on page 109.
• Editing a Log Source Group on page 109
• Copying a Log Source to Another Group on page 110
• Removing a Log Source From a Group on page 110
Creating a Log Source Group
Administrators can create log source groups to organize the list of log sources for
users. A log source can belong to multiple groups at the same time, and administrators
can create multiple levels of log source groups.
To create a log source group:
1. Click the Admin tab.
2. Click the Log Source Groups icon.
3. Click New Group.
4. Click Go.
The log source list refreshes with a list of log sources based on the group you selected.
Related Documentation
• Grouping Log Source Overview on page 107
• Viewing Log Source Groups on page 108
• Assigning a Log Source to a Group on page 108
• Editing a Log Source Group on page 109
• Copying a Log Source to Another Group on page 110
• Removing a Log Source From a Group on page 110
Editing a Log Source Group
Administrators can sort the list of log sources to view log sources that are assigned to a
group.
To edit a log source group:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. From the Search For list, select the log source group.
4. Click Go.
The log source list refreshes to show the log sources associated with the group.
Related Documentation
• Grouping Log Source Overview on page 107
• Viewing Log Source Groups on page 108
• Assigning a Log Source to a Group on page 108
• Creating a Log Source Group on page 109
• Copying a Log Source to Another Group on page 110
• Removing a Log Source From a Group on page 110
Copying a Log Source to Another Group
Administrators can copy log source groups to move log sources between groups.
To copy a log source to another group:
1. Click the Admin tab.
2. Click the Log Source Groups icon.
3. Select the name of a group to view a list of log sources.
4. Select the log source to copy to a new group.
5. Click Copy.
6. Select the new group for the log source. This selection can include multiple groups.
7. Click Assign Groups.
The log source is reassigned to the groups selected by the administrator.
Related Documentation
• Grouping Log Source Overview on page 107
• Viewing Log Source Groups on page 108
• Assigning a Log Source to a Group on page 108
• Creating a Log Source Group on page 109
• Editing a Log Source Group on page 109
• Removing a Log Source From a Group on page 110
Removing a Log Source From a Group
Administrators can remove log sources from groups when a group is no longer required.
To remove a log source from a group:
1. Click the Admin tab.
2. Click the Log Source Groups icon.
3. Select the name of a group to view a list of log sources.
4. Select the log source to remove from the group.
5. Click Remove.
6. Click OK.
The log source is removed from the group.
Related Documentation
• Grouping Log Source Overview on page 107
• Viewing Log Source Groups on page 108
• Assigning a Log Source to a Group on page 108
• Creating a Log Source Group on page 109
• Editing a Log Source Group on page 109
• Copying a Log Source to Another Group on page 110
CHAPTER 5
Adding Log Source Parsing Order
This chapter describes the following sections:
• Log Source Parsing Order Overview on page 113
• Adding a Log Source Parsing Order on page 113
Log Source Parsing Order Overview
Administrators can assign an order to prioritize the events parsed by the target event
collector assigned to the log source.
Administrators can order the importance of the log sources by defining the parsing order
for log sources that share a common IP address or host name. Defining the parsing order
ensures that certain log sources are parsed in a specific order, regardless of changes to
the log source configuration. The parsing order ensures that system performance is not
affected by changes to log source configuration, because it prevents unnecessary parsing:
low-level event sources are not tried for events ahead of a more important log source
that shares the same address.
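The performance claim above can be made concrete. The following Python is an added simulation, not JSA code: the two log sources, their stand-in parsers (regular expressions in place of DSMs), the shared address and the event lines are all constructed, and the attempt counter shows how many parse attempts each ordering costs for the same events.

```python
"""Simulation of log source parsing order for log sources sharing one address.

Added illustration, not JSA code. The DSMs are stand-in regular expressions
and the events are constructed. The first log source whose parser recognizes
an event wins; every log source tried before it is a wasted parse attempt.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: two devices relayed through one address, 10.0.0.5.
SHARED_ADDRESS = "10.0.0.5"


@dataclass
class LogSource:
    name: str
    log_source_type: str
    recognizer: re.Pattern      # stand-in for the DSM's event parser
    attempts: int = 0           # parse attempts, for the performance point

    def parse(self, payload: str) -> Optional[Dict[str, str]]:
        self.attempts += 1
        m = self.recognizer.search(payload)
        return m.groupdict() if m else None


# Stand-in DSMs (hypothetical patterns, not product patterns).
FIREWALL = LogSource(
    "fw-edge", "Firewall",
    re.compile(r"RT_FLOW: (?P<event>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"))
SWITCH = LogSource(
    "sw-access", "Switch",
    re.compile(r"%LINK-(?P<sev>\d)-(?P<event>\w+): Interface (?P<iface>\S+)"))


def parse_in_order(order: List[LogSource],
                   payload: str) -> Tuple[Optional[str], Optional[Dict[str, str]]]:
    """Try each log source in the configured parsing order; the first match wins."""
    for ls in order:
        fields = ls.parse(payload)
        if fields is not None:
            return ls.name, fields
    return None, None           # no parser in the order recognized the event


def run(order: List[LogSource], events: List[str]) -> Dict[str, object]:
    """Parse all events under one ordering and report assignments and attempt counts."""
    for ls in order:
        ls.attempts = 0
    assigned = [parse_in_order(order, e)[0] for e in events]
    return {"assigned": assigned, "attempts": {ls.name: ls.attempts for ls in order}}


# Constructed payloads, all arriving from SHARED_ADDRESS: three firewall
# events (the important source) and one switch event.
EVENTS = [
    "RT_FLOW: SESSION_DENY src=192.0.2.10 dst=198.51.100.7",
    "RT_FLOW: SESSION_CREATE src=192.0.2.11 dst=198.51.100.8",
    "RT_FLOW: SESSION_CLOSE src=192.0.2.12 dst=198.51.100.9",
    "%LINK-3-UPDOWN: Interface ge-0/0/1 changed state to down",
]

if __name__ == "__main__":
    # Firewall first: each firewall event costs exactly one attempt.
    print(run([FIREWALL, SWITCH], EVENTS))
    # Switch first: every firewall event is tried against the switch parser first.
    print(run([SWITCH, FIREWALL], EVENTS))
```

Both orderings assign every event to the same log source; only the number of wasted parse attempts differs, which is the effect the parsing order controls.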
Related Documentation
• Adding a Log Source Parsing Order on page 113
Adding a Log Source Parsing Order
Administrators can assign an order to prioritize the events parsed by the target event
collector assigned to the log source.
To add a log source parsing order:
1. Click the Admin tab.
2. Click the Log Source Parsing Ordering icon.
3. Select a log source based on the IP address or host name.
4. Optional. From the Selected Event Collector list, select the Event Collector to define
the log source parsing order.
5. Optional. From the Log Source Host list, select a log source.
6. Prioritize the log source parsing order.
7. Click Save.
Related Documentation
• Log Source Parsing Order Overview on page 113
CHAPTER 6
Managing Log Source Extensions
This chapter describes the following sections:
• Log Source Extensions Overview on page 115
• Viewing the Status of a Log Source Extension on page 116
• Adding a Log Source Extension on page 117
• Editing a Log Source Extension on page 118
• Copying a Log Source Extension on page 119
• Enabling or Disabling a Log Source Extension on page 121
• Deleting a Log Source Extension on page 121
Log Source Extensions Overview
Log source extensions can be created by administrators to extend or modify the parsing
routines of specific devices.
A log source extension is an XML file that includes all of the regular expression patterns
required to identify and categorize events from the event payload. Extension files can be
used to parse all events when a device support module (DSM) does not exist, or when an
administrator needs to correct a parsing issue or override the default parsing for an
event from a DSM. An extension can provide event support when a DSM does not exist
to parse events for an appliance or security device in your network. The Log Activity tab
identifies log source events in three basic types:
1. Log sources that properly parse the event. Events that are properly parsed by the system
are assigned to the proper log source type and categorized correctly. In this case, no
intervention or extension is required.
2. Log sources that parse events, but include Unknown events. Unknown events are log
source events where the log source type is identified, but the payload information
cannot be understood by the DSM. The system is unable to determine an event
identifier from the available information to properly categorize the event. In this case,
the event can be mapped to a category from the Log Activity tab, or a log source
extension can be written to repair the event parsing for unknown events.
3. Log sources that cannot identify the log source type and mark the event as a Stored
event. Stored events require administrators to update their DSM files or write a log
source extension to properly parse the event. After the event parses, the administrator
can then map the events in the Log Activity tab.
Before a log source extension is added, the administrator must create the extension
document. The extension document is an XML document that can be created with any
common word processing or text editing application. Multiple extension documents can
be created, uploaded, and associated with various log source types. The format of the
extension document must conform to a standard XML schema document (XSD). To
develop an extension document, knowledge of and experience with XML coding is required.
Related Documentation
• Viewing the Status of a Log Source Extension on page 116
• Adding a Log Source Extension on page 117
• Editing a Log Source Extension on page 118
• Copying a Log Source Extension on page 119
• Enabling or Disabling a Log Source Extension on page 121
• Deleting a Log Source Extension on page 121
Viewing the Status of a Log Source Extension
Administrators can view a list of log source extensions, the description, status, and log
sources assigned to an extension.
Table 36 describes the parameters shown in the user interface when an administrator
views the status of a log source extension.
Table 36: Log Source Extension Parameters

Extension Name
    The name of the log source. Administrators can click the name of the extension to
    download the XML file for the log source extension.

Description
    The description for the log source extension. The description must not exceed 255
    characters.

Enabled
    A value of True indicates that the extension is enabled and the parsing patterns are
    active for the log source. False indicates that the log source extension is currently
    disabled.

Defaults for Log Source Type
    The log source extension applies parsing from the extension XML file to all Log Source
    Types listed in this column. This includes auto discovered log sources that match the
    Log Source Type specified. A value of None indicates that the extension is uploaded,
    but not associated with a log source.
To view the status of a log source extension:
1. Click the Admin tab.
2. Click the Log Source Extensions icon.
3. Review the status of your log source extensions.
Related Documentation
• Log Source Extensions Overview on page 115
• Adding a Log Source Extension on page 117
• Editing a Log Source Extension on page 118
• Copying a Log Source Extension on page 119
• Enabling or Disabling a Log Source Extension on page 121
• Deleting a Log Source Extension on page 121
Adding a Log Source Extension
Administrators can enable or disable log source extensions. Enabled log source
extensions are listed in the Status column as True. Disabled log source extensions are
listed in the Status column as False.
The following tables describe the fields of a log source extension:
To add a log source extension:
1. Click the Admin tab.
2. Click the Log Source Extensions icon.
3. Click Add.
4. Type a name for the log source extension.
5. Optional. Type a description for the log source extension.
6. From the Use Condition list, select one of the following options:

   Parsing Enhancement
       Select this option when the device support module (DSM) correctly parses most
       fields for the log source. The incorrectly parsed field values are enhanced with
       the new XML values. This is the default setting.

   Parsing Override
       Select this option when the device support module (DSM) is unable to parse
       correctly. The log source extension completely overrides the failed parsing by
       the DSM and substitutes the parsing with the new XML values.
7. From the Log Source Types list, select one of the following options:

   Available
       Select this option when the device support module (DSM) correctly parses most
       fields for the log source. The incorrectly parsed field values are enhanced with
       the new XML values. This is the default setting.

   Set to default for
       Select log sources to add or remove from the extension parsing. Administrators can
       add or remove extensions from a log source. When a log source extension is Set to
       default for a log source, this indicates that any new log sources of the same Log
       Source Type use the assigned log source extension. This includes auto discovered
       log sources.
8. Click Browse to locate your log source extension XML document.
9. Click Upload. The contents of the log source extension are displayed so that you can
confirm the proper extension file is uploaded. The extension file is evaluated against
the XSD for errors when the file is uploaded.
10. Click Save.
If the extension file does not contain any errors, the new log source extension is created
and enabled. It is possible to upload a log source extension without applying the extension
to a log source. Any change to the status of an extension is applied immediately, and
managed hosts or consoles enforce the new event parsing parameters in the log source
extension.
On the Log Activity tab, the parsing patterns for events should be verified to ensure that
the parsing is applied correctly to your events. If the log source categorizes events as
Stored, then this indicates that the parsing pattern in the log source extension requires
adjustment. The administrator can review the extension file against log source events
to locate any event parsing issues.
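The three outcomes named in the overview (properly parsed, Unknown, Stored) and the difference between the Parsing Enhancement and Parsing Override use conditions can be modelled in a few lines. The following Python is an added illustration, not JSA code and not the product's extension format: the stand-in DSM, the simplified `<extension>`/`<matcher>` XML layout, the field names and the three payloads are all constructed, and the assumption that an overriding extension is attempted even when the stand-in DSM does not identify the type is a modelling choice.

```python
# Added illustration, not JSA code: the DSM, the simplified extension XML
# layout and the payloads are constructed stand-ins. The product's real
# extension format is defined by its XSD, which is not reproduced here.
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional

Fields = Optional[Dict[str, Optional[str]]]   # None means "log source type not identified"

# Stand-in DSM: identifies the type from a syslog-style header and extracts
# only the event name from "event=<name>".
DSM_TYPE_HEADER = re.compile(r"^<\d+>\S+ appfw\[\d+\]: ")
DSM_EVENT_NAME = re.compile(r"event=(?P<EventName>\w+)")

# Hypothetical, simplified extension document: one regex per field, group 1 is the value.
EXTENSION_XML = r"""
<extension name="appfw-fix">
  <matcher field="EventName" pattern="action=(\w+)" />
  <matcher field="SourceIp"  pattern="client=([\d.]+)" />
</extension>
"""


def load_extension(xml_text: str) -> Dict[str, re.Pattern]:
    root = ET.fromstring(xml_text)
    return {m.get("field"): re.compile(m.get("pattern")) for m in root.iter("matcher")}


def dsm_parse(payload: str) -> Fields:
    """None when the type header is absent (Stored); EventName None when the
    type is known but the payload cannot be understood (Unknown)."""
    if not DSM_TYPE_HEADER.search(payload):
        return None
    m = DSM_EVENT_NAME.search(payload)
    return {"EventName": m.group("EventName") if m else None}


def extension_fields(payload: str, ext: Dict[str, re.Pattern]) -> Dict[str, Optional[str]]:
    matches = {f: p.search(payload) for f, p in ext.items()}
    return {f: (m.group(1) if m else None) for f, m in matches.items()}


def apply_extension(payload: str, dsm_fields: Fields, ext: Dict[str, re.Pattern],
                    use_condition: str) -> Fields:
    ext_fields = extension_fields(payload, ext)
    if use_condition == "Parsing Override":
        # DSM values are discarded. If the extension's own EventName pattern does not
        # match, the event ends up Stored, the guide's signal that the pattern needs
        # adjustment. Assumption: the extension is attached to this log source type.
        return ext_fields if ext_fields.get("EventName") else None
    if use_condition == "Parsing Enhancement":
        if dsm_fields is None:
            return None                     # type not identified: nothing to enhance
        merged = dict(dsm_fields)
        for field, value in ext_fields.items():
            if merged.get(field) is None and value is not None:
                merged[field] = value       # fill only the fields the DSM missed
        return merged
    raise ValueError(f"unknown use condition: {use_condition}")


def classify(fields: Fields) -> str:
    if fields is None:
        return "Stored"
    return "parsed" if fields.get("EventName") else "Unknown"


def process(payload: str, use_condition: Optional[str] = None) -> str:
    """Outcome for one payload: no extension (None), or EXTENSION_XML under a Use Condition."""
    dsm_fields = dsm_parse(payload)
    if use_condition is None:
        return classify(dsm_fields)
    return classify(apply_extension(payload, dsm_fields, load_extension(EXTENSION_XML), use_condition))


# Constructed payloads: DSM-parsable; Unknown (new field format); Stored (unrecognized program).
EV_OK = "<134>host1 appfw[220]: event=ALLOW client=192.0.2.7"
EV_UNKNOWN = "<134>host1 appfw[221]: action=BLOCK client=192.0.2.9"
EV_STORED = "<134>host1 newfw[300]: action=DROP client=192.0.2.10"

if __name__ == "__main__":
    for ev in (EV_OK, EV_UNKNOWN, EV_STORED):
        print(process(ev), process(ev, "Parsing Enhancement"), process(ev, "Parsing Override"))
```

Note the first payload: the DSM already parses it, so Parsing Enhancement keeps the DSM's EventName and only adds SourceIp, while Parsing Override turns the same event into a Stored event because the extension's pattern was written for the new format only.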
Related Documentation
• Log Source Extensions Overview on page 115
• Viewing the Status of a Log Source Extension on page 116
• Editing a Log Source Extension on page 118
• Copying a Log Source Extension on page 119
• Enabling or Disabling a Log Source Extension on page 121
• Deleting a Log Source Extension on page 121
Editing a Log Source Extension
Log source extension files must be edited in an external editor. Administrators can edit
a log source extension to modify the name or upload a new extension file to replace an
existing log source extension.
To edit a log source extension:
1. Click the Admin tab.
2. Click the Log Source Extensions icon.
3. Click Edit.
4. Edit the name or any other configuration parameters.
5. Click Browse to locate your log source extension XML document.
6. Click Upload. The log source extension is uploaded and the contents are displayed.
Administrators can review or replace the extension before they save the changes.
7. Click Save.
The new log source extension is created and enabled. It is possible to upload a log source
extension without applying the extension to a log source. Any change to the status of an
extension is applied immediately to the log source, and managed hosts or consoles
enforce the new event parsing parameters in the log source extension.
On the Log Activity tab, the parsing patterns for events should be verified to ensure that
the parsing is applied correctly to your events. If the log source categorizes events as
Stored, then this indicates that the parsing pattern in the log source extension requires
adjustment. The administrator can review the extension file against log source events
to locate any event parsing issues.
Related Documentation
• Log Source Extensions Overview on page 115
• Viewing the Status of a Log Source Extension on page 116
• Adding a Log Source Extension on page 117
• Copying a Log Source Extension on page 119
• Enabling or Disabling a Log Source Extension on page 121
• Deleting a Log Source Extension on page 121
Copying a Log Source Extension
Administrators can copy a log source extension. Enabled log source extensions are listed
in the Status column as True. Disabled log source extensions are listed in the Status
column as False.
The following tables describe the fields of a log source extension:
To copy a log source extension:
1. Click the Admin tab.
2. Click the Log Source Extensions icon.
3. Select a log source extension.
4. Click Copy.
5. Type a name for the log source extension.
6. Optional. Type a description for the log source extension.
7. From the Use Condition list, select one of the following options:

   Parsing Enhancement
       Select this option when the device support module (DSM) correctly parses most
       fields for the log source. The incorrectly parsed field values are enhanced with
       the new XML values. This is the default setting.

   Parsing Override
       Select this option when the device support module (DSM) is unable to parse
       correctly. The log source extension completely overrides the failed parsing by
       the DSM and substitutes the parsing with the new XML values.
8. From the Log Source Types list, select one of the following options:

   Available
       Select this option when the device support module (DSM) correctly parses most
       fields for the log source. The incorrectly parsed field values are enhanced with
       the new XML values. This is the default setting.

   Set to default for
       Select log sources to add or remove from the extension parsing. Administrators can
       add or remove extensions from a log source. When a log source extension is Set to
       default for a log source, this indicates that any new log sources of the same Log
       Source Type use the assigned log source extension. This includes auto discovered
       log sources.
9. Click Browse to locate your log source extension XML document.
10. Click Upload. The contents of the log source extension are displayed so that you can
confirm the proper extension file is uploaded. The extension file is evaluated against
the XSD for errors when the file is uploaded.
11. Click Save.
If the extension file does not contain any errors, the log source extension is copied to
another log source and enabled. Any change to the status of an extension is applied
immediately, and managed hosts or consoles enforce the new event parsing parameters
in the log source extension.
On the Log Activity tab, the parsing patterns for events should be verified to ensure that
the parsing is applied correctly to your events. If the log source categorizes events as
Stored, then this indicates that the parsing pattern in the log source extension requires
adjustment. The administrator can review the extension file against log source events
to locate any event parsing issues.
Related Documentation
• Log Source Extensions Overview on page 115
• Viewing the Status of a Log Source Extension on page 116
• Adding a Log Source Extension on page 117
• Editing a Log Source Extension on page 118
• Enabling or Disabling a Log Source Extension on page 121
• Deleting a Log Source Extension on page 121
Enabling or Disabling a Log Source Extension
Administrators can enable or disable log source extensions. Enabled log source
extensions are listed in the Status column as True. Disabled log source extensions are
listed in the Status column as False.
To enable or disable a log source extension:
1. Click the Admin tab.
2. Click the Log Source Extensions icon.
3. From the list of log source extensions, select the log source extension that you want
to delete.
4. Click Enable/Disable.
The Status column is updated with the current status of the log source extension. Any
change to the status of an extension is applied immediately to the log source and
managed hosts or consoles enforce the new event parsing parameters in the log source
extension.
Related Documentation
• Log Source Extensions Overview on page 115
• Viewing the Status of a Log Source Extension on page 116
• Adding a Log Source Extension on page 117
• Editing a Log Source Extension on page 118
• Copying a Log Source Extension on page 119
• Deleting a Log Source Extension on page 121
Deleting a Log Source Extension
Administrators can delete a log source extension to remove any event parsing
enhancements or overrides for a log source. If an administrator deletes a log source
extension, the parsing changes are applied immediately to the incoming events for the
log source.
To delete a log source extension:
1. Click the Admin tab.
2. Click the Log Source Extensions icon.
3. From the list of log source extensions, select the log source extension that you want
to delete.
4. Click Delete.
5. Click Yes to confirm the deletion of the extension.
New events are written to disk based on the default patterns of the device support module
(DSM) or another extension that might be applied to the log source.
Related Documentation
• Log Source Extensions Overview on page 115
• Viewing the Status of a Log Source Extension on page 116
• Adding a Log Source Extension on page 117
• Editing a Log Source Extension on page 118
• Copying a Log Source Extension on page 119
• Enabling or Disabling a Log Source Extension on page 121
PART 2
Index
• Index on page 125
Index
Symbols
#, comments in configuration statements.....................ix
( ), in syntax descriptions.......................................................ix
< >, in syntax descriptions.....................................................ix
[ ], in configuration statements...........................................ix
{ }, in configuration statements..........................................ix
| (pipe), in syntax descriptions............................................ix
B
braces, in configuration statements..................................ix
brackets
    angle, in syntax descriptions........................................ix
    square, in configuration statements.........................ix
C
comments, in configuration statements.........................ix
conventions
    text and syntax................................................................viii
curly braces, in configuration statements.......................ix
customer support......................................................................x
    contacting JTAC.................................................................x
D
documentation
    comments on....................................................................ix
F
font conventions.....................................................................viii
M
manuals
    comments on....................................................................ix
P
parentheses, in syntax descriptions..................................ix
S
support, technical See technical support
syntax conventions................................................................viii
T
technical support
    contacting JTAC.................................................................x