Juniper Secure Analytics

Configuring DSMs

Release 2014.1

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000

www.juniper.net
Published: 2014-11-27

Copyright Notice
Copyright © 2014 Juniper Networks, Inc. All rights reserved.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and
other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks,
registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or
otherwise revise this publication without notice.
The following terms are trademarks or registered trademarks of other companies:
Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A
digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the
equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and
used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential
area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. The following
information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it
is not installed in accordance with Juniper Networks’ installation instructions, it may cause interference with radio and television reception. This
equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC
rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no
guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception,
which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following
measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Consult the dealer or an
experienced radio/TV technician for help. Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT, SUBJECT TO THE MODIFICATIONS SET FORTH
BELOW ON THIS PAGE, ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED
HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR
JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.
Juniper Secure Analytics Configuring DSMs
Release 2014.1
Copyright © 2014, Juniper Networks, Inc.
All rights reserved. Printed in USA.
Revision History
November 2014—Juniper Secure Analytics Configuring DSMs
The information in this document is current as of the date listed in the revision history.

END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use
of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html,
as modified by the following text, which shall be treated under the EULA as an Entitlement Document taking precedence over any conflicting provisions
of such EULA as regards such software:
As regards software accompanying the STRM products (the “Program”), such software contains software licensed by Q1Labs and is further
accompanied by third-party software that is described in the applicable documentation or materials provided by Juniper Networks.




CONTENTS

ABOUT THIS GUIDE
  Audience ... 15
  Documentation Conventions ... 15
  Technical Documentation ... 15
  Requesting Technical Support ... 16

1 OVERVIEW

2 INSTALLING DSMS
  Scheduling Automatic Updates ... 21
  Viewing Updates ... 22
  Manually Installing a DSM ... 24

3 3COM 8800 SERIES SWITCH

4 AMBIRON TRUSTWAVE IPANGEL

5 APACHE HTTP SERVER
  Configuring Apache HTTP Server with Syslog ... 31
  Configuring Apache HTTP Server with Syslog-ng ... 33

6 APC UPS

7 AMAZON AWS CLOUDTRAIL
  AWS CloudTrail DSM Integration Process ... 40
  Enabling Communication between JSA and AWS CloudTrail ... 40
  Configuring an Amazon AWS CloudTrail Log Source in JSA ... 40

7 APPLE MAC OS X

8 APPLICATION SECURITY DBPROTECT

9 ARBOR NETWORKS PEAKFLOW

10 ARBOR NETWORKS PRAVAIL
  Arbor Networks Pravail DSM Integration Process ... 54
  Configuring your Arbor Networks Pravail system for Communication with JSA ... 54
  Configuring an Arbor Networks Pravail Log Source in Configuring DSMs ... 55

10 ARPEGGIO SIFT-IT

11 ARRAY NETWORKS SSL VPN

12 ARUBA MOBILITY CONTROLLERS

13 AVAYA VPN GATEWAY
  Avaya VPN Gateway DSM Integration Process ... 66
  Configuring your Avaya VPN Gateway System for Communication with JSA ... 66
  Configuring an Avaya VPN Gateway Log Source in JSA ... 67

13 BALABIT IT SECURITY
  Configuring BalaBit IT Security for Microsoft Windows Events ... 69
  Configuring BalaBit IT Security for Microsoft ISA or TMG Events ... 73

14 BARRACUDA
  Barracuda Spam & Virus Firewall ... 79
  Barracuda Web Application Firewall ... 80
  Barracuda Web Filter ... 82

15 BIT9 PARITY

16 BLUECAT NETWORKS ADONIS

17 BLUE COAT SG
  Creating a Custom Event Format ... 92
  Retrieving Blue Coat Events ... 93
  Creating Additional Custom Format Key-Value Pairs ... 99

18 BRIDGEWATER

19 BROCADE FABRIC OS

20 CA TECHNOLOGIES
  CA ACF2 ... 105
  CA SiteMinder ... 118
  CA Top Secret ... 121

21 CHECK POINT
  Check Point FireWall-1 ... 135
  Check Point Provider-1 ... 143

22 CILASOFT QJRN/400

23 CISCO
  Cisco ACE Firewall ... 153
  Cisco Aironet ... 155
  Cisco ACS ... 157
  Cisco ASA ... 161
  Cisco CallManager ... 166
  Cisco CatOS for Catalyst Switches ... 167
  Cisco CSA ... 169
  Cisco FWSM ... 170
  Cisco IDS/IPS ... 172
  Cisco IronPort ... 174
  Cisco NAC ... 176
  Cisco Nexus ... 177
  Cisco IOS ... 179
  Cisco Pix ... 181
  Cisco VPN 3000 Concentrator ... 182
  Cisco Wireless Services Module ... 183
  Cisco Wireless LAN Controllers ... 186
  Cisco Identity Services Engine ... 191

24 CITRIX
  Citrix NetScaler ... 195
  Citrix Access Gateway ... 197

25 CRYPTOCARD CRYPTO-SHIELD

26 CYBER-ARK VAULT

27 CYBERGUARD FIREWALL/VPN APPLIANCE

28 DAMBALLA FAILSAFE

29 DIGITAL CHINA NETWORKS (DCN)

30 ENTERASYS
  Enterasys Dragon ... 211
  Enterasys HiGuard Wireless IPS ... 218
  Enterasys HiPath Wireless Controller ... 220
  Enterasys Stackable and Standalone Switches ... 221
  Enterasys XSR Security Router ... 222
  Enterasys Matrix Router ... 223
  Enterasys NetSight Automatic Security Manager ... 224
  Enterasys Matrix K/N/S Series Switch ... 225
  Enterasys NAC ... 226
  Enterasys 800-Series Switch ... 227

31 EXTREME NETWORKS EXTREMEWARE

32 F5 NETWORKS
  F5 Networks BIG-IP AFM ... 231
  F5 Networks BIG-IP APM ... 236
  F5 Networks BIG-IP ASM ... 237
  F5 Networks BIG-IP LTM ... 239
  F5 Networks FirePass ... 241

33 FAIR WARNING

34 FIDELIS XPS

35 FIREEYE

36 FORESCOUT COUNTERACT

37 FORTINET FORTIGATE
  Fortinet FortiGate DSM Integration Process ... 257
  Configuring a Fortinet FortiGate Log Source ... 258

38 FOUNDRY FASTIRON

39 GENERIC FIREWALL

40 GENERIC AUTHORIZATION SERVER

41 GREAT BAY BEACON

42 HBGARY ACTIVE DEFENSE

43 HONEYCOMB LEXICON FILE INTEGRITY MONITOR (FIM)

44 HP
  HP ProCurve ... 277
  HP Tandem ... 278
  Hewlett Packard UNIX (HP-UX) ... 279

45 HUAWEI
  Huawei AR Series Router ... 281
  Huawei S Series Switch ... 283

46 IBM
  IBM AIX ... 288
  IBM AS/400 iSeries ... 299
  IBM CICS ... 302
  IBM Lotus Domino ... 306
  IBM Proventia Management SiteProtector ... 309
  IBM ISS Proventia ... 313
  IBM RACF ... 314
  IBM DB2 ... 326
  IBM WebSphere Application Server ... 336
  IBM Informix Audit ... 341
  IBM IMS ... 342
  IBM Guardium ... 348
  IBM Security Directory Server ... 354
  IBM Tivoli Access Manager for E-business ... 356
  IBM z/Secure Audit ... 358
  IBM Tivoli Endpoint Manager ... 363
  IBM zSecure Alert ... 364
  IBM Security Network Protection (XGS) ... 365
  IBM Security Network IPS ... 368

47 ISC BIND

48 IMPERVA SECURESPHERE

49 INFOBLOX NIOS

50 IT-CUBE AGILESI

51 ITRON SMART METER

52 JUNIPER NETWORKS
  Juniper Networks AVT ... 389
  Juniper DDoS Secure ... 391
  Juniper DX Application Acceleration Platform ... 391
  Juniper EX Series Ethernet Switch ... 392
  Juniper IDP ... 394
  Juniper Networks Secure Access ... 395
  Juniper Infranet Controller ... 398
  Juniper Networks Firewall and VPN ... 399
  Juniper Networks Network and Security Manager ... 399
  Juniper Junos OS ... 401
  Juniper Steel-Belted Radius ... 404
  Juniper Networks vGW Virtual Gateway ... 406
  Juniper Security Binary Log Collector ... 408
  Juniper Junos WebApp Secure ... 411
  Juniper Networks WLC Series Wireless LAN Controller ... 414

53 KASPERSKY SECURITY CENTER

54 LIEBERMAN RANDOM PASSWORD MANAGER

55 LINUX
  Linux DHCP ... 427
  Linux IPtables ... 428
  Linux OS ... 430

56 MCAFEE
  McAfee Intrushield ... 435
  McAfee ePolicy Orchestrator ... 440
  McAfee Application / Change Control ... 449
  McAfee Web Gateway ... 452
  McAfee Web Gateway DSM Integration Process ... 455

57 METAINFO METAIP

58 MICROSOFT
  Microsoft Exchange Server ... 459
  Microsoft IAS Server ... 466
  Microsoft DHCP Server ... 466
  Microsoft IIS Server ... 467
  Microsoft ISA ... 473
  Microsoft Hyper-V ... 474
  Microsoft SQL Server ... 475
  Microsoft SharePoint ... 480
  Microsoft Windows Security Event Log ... 485
  Microsoft Operations Manager ... 487
  Microsoft System Center Operations Manager ... 490
  Microsoft Endpoint Protection ... 493

59 MOTOROLA SYMBOL AP

60 NETAPP DATA ONTAP

61 NAME VALUE PAIR
  NVP Log Format ... 503
  Examples ... 505

62 NIKSUN

63 NOKIA FIREWALL
  Integrating with a Nokia Firewall Using Syslog ... 509
  Integrating With a Nokia Firewall Using OPSEC ... 512

64 NOMINUM VANTIO

65 NORTEL NETWORKS
  Nortel Multiprotocol Router ... 517
  Nortel Application Switch ... 520
  Nortel Contivity ... 521
  Nortel Ethernet Routing Switch 2500/4500/5500 ... 521
  Nortel Ethernet Routing Switch 8300/8600 ... 522
  Nortel Secure Router ... 524
  Nortel Secure Network Access Switch ... 525
  Nortel Switched Firewall 5100 ... 526
  Nortel Switched Firewall 6000 ... 528
  Nortel Threat Protection System ... 530
  Nortel VPN Gateway ... 531

66 NOVELL EDIRECTORY

67 OBSERVEIT

68 OPENBSD

69 OPEN LDAP

70 OPEN SOURCE SNORT

71 ORACLE
  Oracle Audit Records ... 555
  Oracle DB Listener ... 559
  Oracle Audit Vault ... 563
  Oracle OS Audit ... 564
  Oracle BEA WebLogic ... 566
  Oracle Acme Packet Session Border Controller ... 571
  Oracle Fine Grained Auditing ... 574

72 OSSEC

73 PALO ALTO NETWORKS

74 PIREAN ACCESS: ONE

75 POSTFIX MAIL TRANSFER AGENT

76 PROFTPD

77 PROOFPOINT ENTERPRISE PROTECTION AND ENTERPRISE PRIVACY

78 RADWARE DEFENSEPRO

79 RAZ-LEE ISECURITY

80 REDBACK ASE

81 RSA AUTHENTICATION MANAGER
  Configuring Syslog for RSA ... 607
  Configuring the Log File Protocol for RSA ... 609

82 SAFENET DATASECURE

83 SAMHAIN LABS
  Configuring Syslog to Collect Samhain Events ... 615
  Configuring JDBC to Collect Samhain Events ... 616

84 SENTRIGO HEDGEHOG

85 SECURE COMPUTING SIDEWINDER

86 SOLARWINDS ORION

87 SONICWALL

88 SOPHOS
  Sophos Enterprise Console ... 627
  Sophos PureMessage ... 634
  Sophos Astaro Security Gateway ... 641
  Sophos Web Security Appliance ... 642

89 SOURCEFIRE
  Sourcefire Defense Center (DC) ... 643
  Sourcefire Intrusion Sensor ... 649

90 SPLUNK
  Collect Windows Events Forwarded from Splunk Appliances ... 651

91 SQUID WEB PROXY

92 STARENT NETWORKS

93 STEALTHBITS STEALTHINTERCEPT
  STEALTHbits StealthINTERCEPT DSM Integration Process ... 663
  Configuring your STEALTHbits StealthINTERCEPT System for Communication with JSA ... 664
  Configuring a STEALTHbits StealthINTERCEPT Log Source in JSA ... 665

94 STONESOFT MANAGEMENT CENTER

95 SUN SOLARIS
  Sun Solaris ... 671
  Sun Solaris DHCP ... 672
  Sun Solaris Sendmail ... 674
  Sun Solaris Basic Security Mode (BSM) ... 675
  Sun ONE LDAP ... 680

96 SYBASE ASE

97 SYMANTEC
  Symantec Endpoint Protection ... 687
  Symantec SGS ... 688
  Symantec System Center ... 688
  Symantec Data Loss Prevention (DLP) ... 692
  Symantec PGP Universal Server ... 696

98 SYMARK

99 THREATGRID MALWARE THREAT INTELLIGENCE PLATFORM

100 TIPPING POINT
  Tipping Point Intrusion Prevention System ... 709
  Tipping Point X505/X506 Device ... 712

101 TOP LAYER IPS

102 TREND MICRO
  Trend Micro InterScan VirusWall ... 715
  Trend Micro Control Manager ... 716
  Trend Micro Office Scan ... 717
  Trend Micro Deep Discovery ... 721

103 TRIPWIRE

104 TROPOS CONTROL

105 TRUSTEER APEX LOCAL EVENT AGGREGATOR

106 UNIVERSAL DSM

107 UNIVERSAL LEEF
  Configuring a Universal LEEF Log Source ... 733
  Forwarding Events to JSA ... 737
  Creating a Universal LEEF Event Map ... 737

108 VENUSTECH VENUSENSE

109 VERDASYS DIGITAL GUARDIAN

110 VERICEPT CONTENT 360 DSM

111 VMWARE
  VMware ESX and ESXi ... 751
  VMware vCenter ... 756
  VMware vCloud Director ... 757
  VMware vShield ... 760

112 VORMETRIC DATA SECURITY
  Vormetric Data Security DSM Integration Process ... 763
  Configuring your Vormetric Data Security Systems for Communication with JSA ... 764
  Configuring a Vormetric Data Security Log Source in JSA ... 766

113 WEBSENSE V-SERIES
  Websense TRITON ... 767
  Websense V-Series Data Security Suite ... 769
  Websense V-Series Content Gateway ... 771

114 ZSCALER NANOLOG STREAMING SERVICE

115 SUPPORTED DSMS

INDEX

ABOUT THIS GUIDE

The Juniper Secure Analytics Configuring DSMs guide provides you with
information for configuring Device Support Modules (DSMs).
DSMs allow Juniper Secure Analytics (JSA) to integrate events from security
appliances, software, and devices in your network that forward events to JSA or
Log Analytics. All references to JSA are intended to refer to both the JSA and
Log Analytics products.

Audience

This guide is intended for the system administrator responsible for setting up event
collection for JSA in your network.
This guide assumes that you have administrative access and a knowledge of your
corporate network and networking technologies.

Documentation Conventions

Table 2-1 lists conventions that are used throughout this guide.

Table 2-1 Icons

Icon            Type              Description
(note icon)     Information note  Information that describes important features or
                                  instructions.
(caution icon)  Caution           Information that alerts you to potential loss of
                                  data or potential damage to an application,
                                  system, device, or network.
(warning icon)  Warning           Information that alerts you to potential personal
                                  injury.

Technical Documentation

You can access technical documentation, technical notes, and release notes
directly from the Juniper Customer Support website at
https://www.juniper.net/support/. Once you access the Juniper Customer Support
website, locate the product and software release for which you require
documentation.
Your comments are important to us. Please send your e-mail comments about this
guide or any of the Juniper Networks documentation to:
techpubs-comments@juniper.net.
Include the following information with your comments:
• Document title
• Page number

Requesting Technical Support
Technical product support is available through the Juniper Networks Technical
Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC
support contract, or are covered under warranty, and need post-sales technical
support, you can access our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and
  policies, review the JTAC User Guide located at
  http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit
  http://www.juniper.net/support/warranty/.
• JTAC Hours of Operation—The JTAC centers have resources available 24
  hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you
with the following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base:
  http://kb.juniper.net/
• Download the latest versions of software and review release notes:
  http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications:
  https://www.juniper.net/alerts/
• Join and participate in the Juniper Networks Community Forum:
  http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool:
  http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number
Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and
  Mexico).

For international or direct-dial options in countries without toll-free numbers, visit
us at http://www.juniper.net/support/requesting-support.html.

1 OVERVIEW

The DSM Configuration guide is intended to assist with device configurations for systems, software, or appliances that provide events to Juniper Secure Analytics (JSA).
Device Support Modules (DSMs) parse event information for JSA products to log and correlate events received from external sources such as security equipment (for example, firewalls), and network equipment (for example, switches and routers).
Events forwarded from your log sources are displayed in the Log Activity tab. All events are correlated and security and policy offenses are created based on correlation rules. These offenses are displayed on the Offenses tab. For more information, see the Juniper Secure Analytics Users Guide.

Note: Information found in this documentation about configuring Device Support Modules (DSMs) is based on the latest RPM files located on the Juniper Customer Support website at http://www.juniper.net/customer/support/.

To configure JSA to receive events from devices, you must:
1 Configure the device to send events to JSA.
2 Configure log sources for JSA to receive events from specific devices. For more information, see the Log Sources Users Guide.

2 INSTALLING DSMS

You can download and install weekly automatic software updates for DSMs, protocols, and scanner modules.
After Device Support Modules (DSMs) are installed, the Juniper Secure Analytics (JSA) console provides any rpm file updates to managed hosts after the configuration changes are deployed. If you are using high availability (HA), DSMs, protocols, and scanners are installed during replication between the primary and secondary host. During this installation process, the secondary displays the status Upgrading. For more information, see Managing High Availability in the Juniper Secure Analytics Administration Guide.

CAUTION: Uninstalling a Device Support Module (DSM) is not supported in JSA. If you need technical assistance, contact Juniper Customer Support. For more information, see Requesting Technical Support.

Scheduling Automatic Updates

You can schedule when automatic updates are downloaded and installed on your JSA console.
JSA performs automatic updates on a recurring schedule according to the settings on the Update Configuration page; however, if you want to schedule an update or a set of updates to run at a specific time, you can schedule an update using the Schedule the Updates window. Scheduling your own automatic updates is useful when you want to schedule a large update to run during off-peak hours, thus reducing any performance impacts on your system.
If no updates are displayed in the Updates window, either your system has not been in operation long enough to retrieve the weekly updates or no updates have been issued. If this occurs, you can manually check for new updates.
Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration.
Step 3 Click the Auto Update icon.
Step 4 Optional. If you want to schedule specific updates, select the updates you want to schedule.
Step 5 From the Schedule list box, select the type of update you want to schedule. Options include:
• All Updates
• Selected Updates
• DSM, Scanner, Protocol Updates
• Minor Updates
Note: Protocol updates installed automatically require you to restart Tomcat. For more information on manually restarting Tomcat, see the Log Sources Users Guide.
Step 6 Using the calendar, select the start date and time of when you want to start your scheduled updates.
Step 7 Click OK.
The selected updates are now scheduled.

Viewing Updates

You can view or install any pending software updates for JSA through the Admin tab.
Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration.
Step 3 Click the Auto Update icon.
The Updates window is displayed. The window automatically displays the Check for Updates page, providing the following information:
Table 2-1 Check for Updates Window Parameters
Parameter: Description
Updates were installed: Specifies the date and time the last update was installed.
Next Update install is scheduled: Specifies the date and time the next update is scheduled to be installed. If there is no date and time indicated, the update is not scheduled to run.
Name: Specifies the name of the update.
Type: Specifies the type of update. Types include:
• DSM, Scanner, Protocol Updates
• Minor Updates
Status: Specifies the status of the update. Status types include:
• New - The update is not yet scheduled to be installed.
• Scheduled - The update is scheduled to be installed.
• Installing - The update is currently installing.
• Failed - The update failed to install.
Date to Install: Specifies the date on which this update is scheduled to be installed.

The Check for Updates page toolbar provides the following functions:
Table 2-2 Auto Updates Toolbar
Function: Description
Hide: Select one or more updates, and then click Hide to remove the selected updates from the Check for Updates page. You can view and restore the hidden updates on the Restore Hidden Updates page. For more information, see the Juniper Secure Analytics Administrator Guide.
Install: From this list box, you can manually install updates. When you manually install updates, the installation process starts within a minute.
Schedule: From this list box, you can configure a specific date and time to manually install selected updates on your console. This is useful when you want to schedule the update installation during off-peak hours.
Unschedule: From this list box, you can remove preconfigured schedules for manually installing updates on your console.
Search By Name: In this text box, you can type a keyword and then press Enter to locate a specific update by name.
Next Refresh: This counter displays the amount of time until the next automatic refresh. The list of updates on the Check for Updates page automatically refreshes every 60 seconds. The timer is automatically paused when you select one or more updates.
Pause: Click this icon to pause the automatic refresh process. To resume automatic refresh, click the Play icon.
Refresh: Click this icon to manually refresh the list of updates.
Step 4 To view details on an update, select the update.
The description and any error messages are displayed in the right pane of the window.


Manually Installing a DSM

You can use the Juniper Customer Support website to download and manually install the latest RPM files for JSA.
http://www.juniper.net/customer/support/
Most users do not need to download updated DSMs, as auto updates install the latest rpm files on a weekly basis. If your system is restricted from the Internet, you might need to install rpm updates manually. The DSMs provided on the Juniper Customer Support website, or through auto updates, contain improved event parsing for network security products and enhancements for event categorization in the JSA Identifier Map (QID map).

CAUTION: Uninstalling a Device Support Module (DSM) is not supported in JSA. If you need technical assistance, contact Juniper Customer Support. For more information, see Requesting Technical Support.

Installing a Single DSM

The Juniper Customer Support website contains individual DSMs that you can download and install using the command-line.
Procedure
Step 1 Download the DSM file to your system hosting JSA.
Step 2 Using SSH, log in to JSA as the root user.
Username: root
Password: <password>
Step 3 Navigate to the directory that includes the downloaded file.
Step 4 Type the following command:
rpm -Uvh <filename>
Where <filename> is the name of the downloaded file. For example:
rpm -Uvh DSM-CheckPointFirewall-7.0-209433.noarch.rpm
Step 5 Log in to JSA.
https://<IP address>
Where <IP address> is the IP address of the JSA console or Event Collector.
Step 6 On the Admin tab, click Deploy Changes.
The installation is complete.

Installing a DSM Bundle

The Juniper Customer Support website contains a DSM bundle which is updated daily with the latest DSM versions that you can install.
Procedure
Step 1 Download the DSM bundle to your system hosting JSA.
Step 2 Using SSH, log in to JSA as the root user.
Username: root
Password: <password>
Step 3 Navigate to the directory that includes the downloaded file.
Step 4 Type the following command to extract the DSM bundle:
tar -zxvf JSA_bundled-DSM-<version>.tar.gz
Where <version> is your release of JSA.
Step 5 Type the following command:
for FILE in *Common*.rpm DSM-*.rpm; do rpm -Uvh "$FILE"; done
The installation of the DSM bundle can take several minutes to complete.
Step 6 Log in to JSA.
https://<IP address>
Where <IP address> is the IP address of JSA.
Step 7 On the Admin tab, click Deploy Changes.
The installation is complete.

3 3COM 8800 SERIES SWITCH

The 3COM 8800 Series Switch DSM for Juniper Secure Analytics (JSA) accepts events using syslog.

Supported Event Types

JSA records all relevant status and network condition events forwarded from your 3Com 8800 Series Switch using syslog.

Configure Your 3COM 8800 Series Switch

You can configure your 3COM 8800 Series Switch to forward syslog events to JSA.
Procedure
Step 1 Log in to the 3Com 8800 Series Switch user interface.
Step 2 Enable the information center.
info-center enable
Step 3 Configure the host with the IP address of your JSA system as the loghost, the severity level threshold value as informational, and the output language to English.
info-center loghost <IP address> facility <facility> language english
Where:
<IP address> is the IP address of your JSA.
<facility> is the facility severity.
Step 4 Configure the ARP and IP information modules to log.
info-center source arp channel loghost log level informational
info-center source ip channel loghost log level informational
The configuration is complete. The log source is added to JSA as 3COM 8800 Series Switch events are automatically discovered. Events forwarded to JSA by 3COM 8800 Series Switches are displayed on the Log Activity tab.

Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from 3COM 8800 Series Switches. These configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select 3Com 8800 Series Switch.
Step 9 Using the Protocol Configuration list box, select Syslog.
The syslog protocol configuration is displayed.
Step 10 Configure the following values:
Table 3-1 Syslog Parameters
Parameter: Description
Log Source Identifier: Type the IP address or host name for the log source as an identifier for events from your 3COM 8800 Series Switch.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.

4 AMBIRON TRUSTWAVE ipANGEL

The Ambiron TrustWave ipAngel DSM for Juniper Secure Analytics (JSA) accepts events using syslog.

Supported Event Types

JSA records all Snort-based events from the ipAngel console.

Before You Begin

Before you configure JSA to integrate with ipAngel, you must forward your cache and access logs to your JSA. The events in your cache and access logs that are forwarded from Ambiron TrustWave ipAngel are not automatically discovered. For information on forwarding device logs to JSA, see your vendor documentation.

Configure a Log Source

To integrate Ambiron TrustWave ipAngel events with JSA, you must manually configure a log source.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Ambiron TrustWave ipAngel Intrusion Prevention System (IPS).
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 4-1 Syslog Parameters
Parameter: Description
Log Source Identifier: Type the IP address or host name for the log source as an identifier for events from your Ambiron TrustWave ipAngel appliance.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to JSA. Events forwarded to JSA by Ambiron TrustWave ipAngel are displayed on the Log Activity tab.

5 APACHE HTTP SERVER

The Apache HTTP Server DSM for Juniper Secure Analytics (JSA) accepts Apache events using syslog or syslog-ng.
JSA records all relevant HTTP status events. The procedure in this section applies to Apache DSMs operating on UNIX/Linux platforms only.

CAUTION: Do not run both syslog and syslog-ng at the same time.

Select one of the following configuration methods:
• Configuring Apache HTTP Server with Syslog
• Configuring Apache HTTP Server with Syslog-ng

Configuring Apache HTTP Server with Syslog

You can configure your Apache HTTP Server to forward events with the syslog protocol.
Procedure
Step 1 Log in to the server hosting Apache, as the root user.
Step 2 Edit the Apache configuration file httpd.conf.
Step 3 Add the following information in the Apache configuration file to specify the custom log format:
LogFormat "%h %A %l %u %t \"%r\" %>s %p %b" <log format name>
Where <log format name> is a variable name you provide to define the log format.
Step 4 Add the following information in the Apache configuration file to specify a custom path for the syslog events:
CustomLog "|/usr/bin/logger -t httpd -p <facility>.<priority>" <log format name>
Where:
<facility> is a syslog facility, for example, local0.
<priority> is a syslog priority, for example, info or notice.
<log format name> is a variable name you provide to define the custom log format. The log format name must match the log format defined in Step 4.
For example,
CustomLog "|/usr/bin/logger -t httpd -p local1.info" MyApacheLogs
Step 5 Type the following command to disable hostname lookups:
HostnameLookups off
Step 6 Save the Apache configuration file.
Step 7 Edit the syslog configuration file.
/etc/syslog.conf
Step 8 Add the following information to your syslog configuration file:
<facility>.<priority><TAB>@<IP address>
Where:
<facility> is the syslog facility, for example, local0. This value must match the value you typed in Step 4.
<priority> is the syslog priority, for example, info or notice. This value must match the value you typed in Step 4.
<TAB> indicates you must press the Tab key.
<IP address> is the IP address of the JSA console or Event Collector.
Step 9 Save the syslog configuration file.
Step 10 Type the following command to restart the syslog service:
/etc/init.d/syslog restart
Step 11 Restart Apache to complete the syslog configuration.
The configuration is complete. The log source is added to JSA as syslog events from Apache HTTP Servers are automatically discovered. Events forwarded to JSA by Apache HTTP Servers are displayed on the Log Activity tab of JSA.
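Once logger wraps each access-log line in a syslog envelope, the collector receives lines like the constructed samples below. The following Python parser is an added example, not code from the Juniper guide or from JSA's own DSM: it decodes the syslog PRI into facility and priority (so you can confirm it matches the selector from Step 8) and splits the LogFormat fields; the host names, IP addresses and sample lines are constructed.

```python
import re

# RFC 3164 PRI = facility * 8 + severity.
FACILITIES = {16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
              4: "warning", 5: "notice", 6: "info", 7: "debug"}

# Envelope produced by "logger -t httpd": <PRI>Mmm dd hh:mm:ss host tag: msg
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[\d+\])?: "
    r"(?P<msg>.*)$")

# Message body produced by LogFormat "%h %A %l %u %t \"%r\" %>s %p %b"
APACHE_RE = re.compile(
    r'^(?P<client>\S+) (?P<server>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<port>\d+) (?P<bytes>\d+|-)$')


def decode_pri(pri):
    """Split a PRI value into (facility name, severity name)."""
    facility, severity = divmod(pri, 8)
    return (FACILITIES.get(facility, f"facility{facility}"),
            SEVERITIES.get(severity, f"severity{severity}"))


def parse_apache_syslog(line):
    """Return a dict of fields for one forwarded Apache event, or None."""
    env = SYSLOG_RE.match(line)
    if not env:
        return None
    body = APACHE_RE.match(env.group("msg"))
    if not body:
        return None
    facility, severity = decode_pri(int(env.group("pri")))
    # %r is "METHOD URI PROTOCOL"; a malformed request can be logged as "-".
    method, _, rest = body.group("request").partition(" ")
    uri, _, protocol = rest.rpartition(" ")
    return {
        "facility": facility,
        "severity": severity,
        "syslog_host": env.group("host"),
        "tag": env.group("tag"),
        "client_ip": body.group("client"),    # %h
        "server_ip": body.group("server"),    # %A
        "ident": None if body.group("ident") == "-" else body.group("ident"),  # %l
        "user": None if body.group("user") == "-" else body.group("user"),     # %u
        "time": body.group("time"),           # %t
        "method": method,
        "uri": uri,
        "protocol": protocol,
        "status": int(body.group("status")),  # %>s
        "port": int(body.group("port")),      # %p
        # %b logs "-" rather than 0 when no body was sent
        "bytes": 0 if body.group("bytes") == "-" else int(body.group("bytes")),
    }


def matches_selector(event, selector):
    """True if a syslog.conf selector such as "local1.info" would forward
    this event (that priority and anything more severe)."""
    facility, _, priority = selector.partition(".")
    by_name = {name: code for code, name in SEVERITIES.items()}
    return (event["facility"] == facility
            and by_name[event["severity"]] <= by_name[priority])


# Constructed sample lines as they would arrive at the JSA collector from a
# host using "logger -t httpd -p local1.info" (PRI 142 = 17 * 8 + 6).
SAMPLE_LINES = [
    '<142>Nov 27 10:15:32 webhost httpd: 203.0.113.5 198.51.100.10 - - '
    '[27/Nov/2014:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 80 5120',
    '<142>Nov 27 10:15:33 webhost httpd: 203.0.113.5 198.51.100.10 - alice '
    '[27/Nov/2014:10:15:33 +0000] "POST /login HTTP/1.1" 302 443 -',
    '<142>Nov 27 10:15:34 webhost httpd: this line is not in the LogFormat',
]


def parse_all(lines):
    """Parse every line; return (events, count of lines that did not parse)."""
    parsed = [parse_apache_syslog(l) for l in lines]
    return [e for e in parsed if e], sum(1 for e in parsed if e is None)


if __name__ == "__main__":
    events, skipped = parse_all(SAMPLE_LINES)
    for e in events:
        print(e["facility"], e["severity"], e["client_ip"], e["method"],
              e["uri"], e["status"], e["bytes"])
    print("unparsed lines:", skipped)
```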
Configuring a Log Source in JSA

You can configure a log source manually for Apache HTTP Server events in JSA.
JSA automatically discovers and creates a log source for syslog events from Apache HTTP Server. However, you can manually create a log source for JSA to receive syslog events. These configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Apache HTTP Server.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 5-1 Syslog Parameters
Parameter: Description
Log Source Identifier: Type the IP address or host name for the log source as an identifier for events from your Apache installations.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete. For more information on Apache, see http://www.apache.org/.

Configuring Apache HTTP Server with Syslog-ng

You can configure your Apache HTTP Server to forward events with the syslog-ng protocol.
Procedure
Step 1 Log in to the server hosting Apache, as the root user.
Step 2 Edit the Apache configuration file.
/etc/httpd/conf/httpd.conf
Step 3 Add the following information to the Apache configuration file to specify the LogLevel:
LogLevel info
The LogLevel might already be configured to the info level depending on your Apache installation.
Step 4 Add the following to the Apache configuration file to specify the custom log format:
LogFormat "%h %A %l %u %t \"%r\" %>s %p %b" <log format name>
Where <log format name> is a variable name you provide to define the custom log format.
Step 5 Add the following information to the Apache configuration file to specify a custom path for the syslog events:
CustomLog "|/usr/bin/logger -t 'httpd' -u /var/log/httpd/apache_log.socket" <log format name>
The log format name must match the log format defined in Step 4.
Step 6 Save the Apache configuration file.
Step 7 Edit the syslog-ng configuration file.
/etc/syslog-ng/syslog-ng.conf
Step 8 Add the following information to specify the destination in the syslog-ng configuration file:
source s_apache {
    unix-stream("/var/log/httpd/apache_log.socket"
        max-connections(512)
        keep-alive(yes));
};
destination auth_destination { <protocol>("<IP address>" port(514)); };
log {
    source(s_apache);
    destination(auth_destination);
};
Where:
<IP address> is the IP address of the JSA console or Event Collector.
<protocol> is the protocol you select to forward the syslog event.
Step 9 Save the syslog-ng configuration file.
Step 10 Type the following command to restart syslog-ng:
service syslog-ng restart
Step 11 You are now ready to configure the log source in JSA.
The configuration is complete. The log source is added to JSA as syslog events from Apache HTTP Servers are automatically discovered. Events forwarded to JSA by Apache HTTP Servers are displayed on the Log Activity tab of JSA.
Configuring a Log Source

You can configure a log source manually for Apache HTTP Server events in JSA.
JSA automatically discovers and creates a log source for syslog-ng events from Apache HTTP Server. However, you can manually create a log source for JSA to receive syslog events. These configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Apache HTTP Server.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 5-2 Syslog Parameters
Parameter: Description
Log Source Identifier: Type the IP address or host name for the log source as an identifier for events from your Apache installations.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete. For more information on Apache, see http://www.apache.org/.

6 APC UPS

The APC UPS DSM for Juniper Secure Analytics (JSA) accepts syslog events from the APC Smart-UPS family of products.

Note: Events from the RC-Series Smart-UPS are not supported.

Supported Event Types

JSA supports the following APC Smart-UPS syslog events:
• UPS events
• Battery events
• Bypass events
• Communication events
• Input power events
• Low battery condition events
• SmartBoost events
• SmartTrim events

Before You Begin

To integrate Smart-UPS events with JSA, you must manually create a log source to receive syslog events.
Before you can receive events in JSA, you must configure a log source, then configure your APC UPS to forward syslog events. Syslog events forwarded from APC Smart-UPS series devices are not automatically discovered. JSA can receive syslog events on port 514 for both TCP and UDP.

Configuring a Log Source in JSA

JSA does not automatically discover or create log sources for syslog events from APC Smart-UPS series appliances.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select APC UPS.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 6-1 Syslog Parameters
Parameter: Description
Log Source Identifier: Type the IP address or host name for the log source as an identifier for events from your APC Smart-UPS series appliance.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to JSA. You are now ready to configure your APC Smart-UPS to forward syslog events to JSA.

Configuring Your APC UPS to Forward Syslog Events

You can configure syslog event forwarding on your APC UPS.
Procedure
Step 1 Log in to the APC Smart-UPS web interface.
Step 2 In the navigation menu, select Network > Syslog.
Step 3 From the Syslog list box, select Enable.
Step 4 From the Facility list box, select a facility level for your syslog messages.
Step 5 In the Syslog Server field, type the IP address of your JSA console or Event Collector.
Step 6 From the Severity list box, select Informational.
Step 7 Click Apply.
The syslog configuration is complete. Events forwarded to JSA by your APC UPS are displayed on the Log Activity tab.

7 AMAZON AWS CLOUDTRAIL

The Juniper Secure Analytics (JSA) DSM for Amazon AWS CloudTrail can collect audit events from your Amazon AWS CloudTrail S3 bucket.
Table 7-1 provides the specifications of the Amazon AWS CloudTrail DSM.
Table 7-1 Amazon AWS CloudTrail DSM Specifications
Specification: Value
Manufacturer: Amazon
DSM: Amazon AWS CloudTrail
Supported versions: 1.0
Protocol: Log File
JSA recorded events: All relevant events
Automatically discovered: No
Includes identity: No
More information: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/whatisawscloudtrail.html

AWS CloudTrail DSM Integration Process

To integrate Amazon AWS CloudTrail with JSA, use the following procedure:
1 Obtain and install a certificate to enable communication between your Amazon AWS CloudTrail S3 bucket and JSA.
2 Install the most recent version of the Log File Protocol RPM on your JSA console. You can install a protocol by using the procedure to manually install a DSM.
3 Install the Amazon AWS CloudTrail DSM on your JSA console.
4 Configure the Amazon AWS CloudTrail log source in JSA.

Related tasks
• Manually Installing a DSM
• Enabling Communication between JSA and AWS CloudTrail
• Configuring an Amazon AWS CloudTrail Log Source in JSA

Enabling Communication between JSA and AWS CloudTrail

A certificate is required for the HTTP connection between JSA and Amazon AWS CloudTrail.
Procedure
To enable communication between JSA and AWS CloudTrail:
Step 1 Access your Amazon AWS CloudTrail S3 bucket.
Step 2 Export the certificate as a DER-encoded binary certificate to your desktop system. The file extension must be .DER.
Step 3 Copy the certificate to the /opt/qradar/conf/trusted_certificates directory on the JSA host on which you plan to configure the log source.

Configuring an Amazon AWS CloudTrail Log Source in JSA

To collect Amazon AWS CloudTrail events, you must configure a log source in JSA. When you configure the log source, use the location and keys that are required to access your Amazon AWS CloudTrail S3 bucket.
Before you begin
Ensure that the following components are installed and deployed on your JSA host:
• PROTOCOL-LogFileProtocol-build_number.noarch.rpm
• DSM-AmazonAWSCloudTrail-build_number.noarch.rpm
Also ensure that audit logging is enabled on your Amazon AWS CloudTrail S3 bucket. For more information, see your vendor documentation.

About this task
Table 7-2 provides more information about some of the extended parameters.
Table 7-2 Amazon AWS CloudTrail Log Source Parameters
Parameter: Description
Bucket Name: The name of the AWS CloudTrail S3 bucket where the log files are stored.
AWS Access Key: The public access key required to access the AWS CloudTrail S3 bucket.
AWS Secret Key: The private access key required to access the AWS CloudTrail S3 bucket.
Remote Directory: The root directory location on the AWS CloudTrail S3 bucket from which the files are retrieved, for example, \user_account_name
FTP File Pattern: .*?\.json\.gz
Processor: GZIP
Event Generator: Amazon AWS JSON. Applies additional processing to the retrieved event files.
Recurrence: Defines how often the Log File Protocol connects to the Amazon cloud API, checks for new files, and retrieves them if they exist. Every access to an AWS S3 bucket incurs a cost to the account that owns the bucket. Therefore, a smaller recurrence value increases the cost.

Procedure
To configure an Amazon AWS CloudTrail log source in JSA:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 In the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 From the Log Source Type list, select Amazon AWS CloudTrail.
Step 7 From the Protocol Configuration list, select Log File.
Step 8 From the Service Type field, select AWS.
Step 9 Configure the remaining parameters.
Step 10 Click Save.
Step 11 On the Admin tab, click Deploy Changes.
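The three Table 7-2 settings (FTP File Pattern, Processor, Event Generator) describe a pipeline: match the bucket keys, gunzip each object, then split the CloudTrail JSON document into one event per entry of its Records array. The Python below is an added example of that pipeline, not Juniper's Log File Protocol code: the S3 key listing, the account number 000000000000 and the records are constructed, and full-match semantics for the file pattern are an assumption.

```python
import gzip
import json
import re

# FTP File Pattern from Table 7-2; applied with full-match semantics (assumed).
FILE_PATTERN = re.compile(r".*?\.json\.gz")

# Constructed S3 key listing (000000000000 is a placeholder account id).
PREFIX = "AWSLogs/000000000000/CloudTrail/us-east-1/2014/11/27/"
SAMPLE_KEYS = [
    PREFIX + "000000000000_CloudTrail_us-east-1_20141127T1015Z_a1b2c3.json.gz",
    PREFIX + "000000000000_CloudTrail_us-east-1_20141127T1020Z_d4e5f6.json.gz",
    PREFIX + "README.txt",    # does not match the pattern
    PREFIX + "notes.json",    # not gzip-compressed, does not match either
]

# Constructed CloudTrail document: a top-level "Records" array of events.
SAMPLE_DOC = {"Records": [
    {"eventVersion": "1.0", "eventTime": "2014-11-27T10:15:01Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.5",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventVersion": "1.0", "eventTime": "2014-11-27T10:16:40Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform cloudtrail:DeleteTrail"},
]}


def select_log_files(keys, pattern=FILE_PATTERN):
    """Step 1: keep only the keys the FTP File Pattern matches."""
    return [k for k in keys if pattern.fullmatch(k)]


def gzip_processor(blob):
    """Step 2: the GZIP processor turns the retrieved object into text."""
    return gzip.decompress(blob).decode("utf-8")


def aws_json_events(text):
    """Step 3: one event per Records entry, with the fields an analyst
    correlates on flattened out of the nested document."""
    doc = json.loads(text)
    for rec in doc.get("Records", []):
        ident = rec.get("userIdentity") or {}
        yield {
            "eventTime": rec.get("eventTime"),
            "eventSource": rec.get("eventSource"),
            "eventName": rec.get("eventName"),
            "userType": ident.get("type"),
            "userName": ident.get("userName"),
            "sourceIPAddress": rec.get("sourceIPAddress"),
            "errorCode": rec.get("errorCode"),   # None when the call succeeded
        }


def collect(keys, fetch):
    """Run the whole pipeline. fetch(key) returns the object's bytes
    (a dict lookup here; the real protocol reads from S3)."""
    events = []
    for key in select_log_files(keys):
        try:
            events.extend(aws_json_events(gzip_processor(fetch(key))))
        except (OSError, ValueError) as exc:
            # A corrupt gzip member or malformed JSON must not abort the poll.
            print(f"skipping {key}: {exc}")
    return events


def denied_events(events):
    """Failed API calls, a typical input for an access-denied detection rule."""
    return [e for e in events if e["errorCode"]]


# In-memory "bucket": one valid gzip object and one deliberately corrupt one.
SAMPLE_BLOB = gzip.compress(json.dumps(SAMPLE_DOC).encode("utf-8"))
SAMPLE_BUCKET = {SAMPLE_KEYS[0]: SAMPLE_BLOB, SAMPLE_KEYS[1]: b"not gzip"}


if __name__ == "__main__":
    for e in collect(SAMPLE_KEYS, SAMPLE_BUCKET.__getitem__):
        print(e["eventTime"], e["userName"], e["eventName"], e["errorCode"] or "ok")
```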

7 APPLE MAC OS X

The Apple Mac OS X DSM for Juniper Secure Analytics (JSA) accepts events using syslog.

Supported Event Types

JSA records all relevant firewall, web server access, web server error, privilege escalation, and informational events.

Before You Begin

To integrate Mac OS X events with JSA, you must manually create a log source to receive syslog events.
To complete this integration, you must configure a log source, then configure your Mac OS X to forward syslog events. Syslog events forwarded from Mac OS X devices are not automatically discovered. It is recommended that you create a log source, then forward events to JSA. Syslog events from Mac OS X can be forwarded to JSA on TCP port 514 or UDP port 514.

Configuring a Log Source

JSA does not automatically discover or create log sources for syslog events from Apple Mac OS X.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Mac OS X.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 8-1 Mac OS X Syslog Parameters
Parameter: Description
Log Source Identifier: Type the IP address or host name for the log source as an identifier for events from your Apple Mac OS X device.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to JSA. You are now ready to configure your Apple Mac OS X device to forward syslog events to JSA.

Configuring Syslog on Your Apple Mac OS X

You can configure syslog on systems running Mac OS X operating systems.
Procedure
Step 1 Using SSH, log in to your Mac OS X device as a root user.
Step 2 Open the /etc/syslog.conf file.
Step 3 Add the following line to the top of the file. Make sure all other lines remain intact:
*.*<TAB>@<IP address>
Where:
<TAB> indicates you must press the Tab key.
<IP address> is the IP address of the JSA.
Step 4 Save and exit the file.
Step 5 Send a hang-up signal to the syslog daemon to make sure all changes are enforced:
sudo killall -HUP syslogd
The syslog configuration is complete. Events forwarded to JSA by your Apple Mac OS X are displayed on the Log Activity tab. For more information on configuring Mac OS X, see your Mac OS X vendor documentation.

8 APPLICATION SECURITY DBPROTECT

You can integrate Application Security DbProtect with Juniper Secure Analytics (JSA).

Supported Event Types

The Application Security DbProtect DSM for JSA accepts syslog events from DbProtect devices installed with the Log Enhanced Event Format (LEEF) Service.

Before You Begin

Forwarding syslog events from Application Security DbProtect to JSA requires the LEEF Relay module.
The LEEF Relay module for DbProtect translates the default event messages to Log Enhanced Event Format (LEEF) messages for JSA, enabling JSA to record all relevant DbProtect events. Before you can receive events in JSA, you must install and configure the LEEF Service for your DbProtect device to forward syslog events. The DbProtect LEEF Relay requires that you install the .NET 4.0 Framework, which is bundled with the LEEF Relay installation.

Installing the DbProtect LEEF Relay Module

The DbProtect LEEF Relay module for DbProtect must be installed on the same server as the DbProtect console. This allows the DbProtect LEEF Relay to work alongside an existing installation using the standard hardware and software prerequisites for a DbProtect console.

Note: Windows 2003 hosts require the Windows Imaging Components (wic_x86.exe). The Windows Imaging Components are located on the Windows Server Installation CD and must be installed before you continue. For more information, see your Windows 2003 Operating System documentation.
Procedure

Step 1 Download the DbProtect LEEF Relay module for DbProtect from the Application Security, Inc. customer portal:
http://www.appsecinc.com
Step 2 Save the setup file to the same host as your DbProtect console.
Step 3 Double click setup.exe to start the DbProtect LEEF Relay installation.

The Microsoft .NET Framework 4 Client Profile is displayed.

Step 4 Click Accept, if you agree with the Microsoft .NET Framework 4 End User License Agreement.
The Microsoft .NET Framework 4 is installed on your DbProtect console. After the
installation is complete, the DbProtect LEEF Relay module installation Wizard is
displayed.
Step 5 Click Next.

The Installation Folder window is displayed.
Step 6 To select the default installation path, click Next.

If you change the default installation directory, make note of the file location as it is
required later. The Confirm Installation window is displayed.
Step 7 Click Next.

The DbProtect LEEF Relay module is installed.
Step 8 Click Close.

You are now ready to configure the DbProtect LEEF Relay module.
Configuring the DbProtect LEEF Relay

After the installation of the DbProtect LEEF Relay is complete, you can configure the service to forward events to JSA.

Note: The DbProtect LEEF Relay must be stopped before you edit any configuration values.
Procedure

Step 1 Navigate to the DbProtect LEEF Relay installation directory.

C:\Program Files (x86)\AppSecInc\AppSecLEEFConverter
Step 2 Edit the DbProtect LEEF Relay configuration file:

AppSecLEEFConverter.exe.config
Step 3 Configure the following values:

Table 9-1 DbProtect LEEF Relay Configuration Parameters

SyslogListenerPort
    Optional. Type the listen port number the DbProtect LEEF Relay uses to listen for syslog messages from the DbProtect console. By default, the DbProtect LEEF Relay listens on port 514.

SyslogDestinationHost
    Type the IP address of your JSA console or Event Collector.

SyslogDestinationPort
    Type 514 as the destination port for LEEF formatted syslog messages forwarded to JSA.

LogFileName
    Optional. Type a file name for the DbProtect LEEF Relay to write debug and log messages. The LocalSystem user account that runs the DbProtect LEEF Relay service must have write privileges to the file path you specify.

Step 4 Save the configuration changes to the file.
Step 5 On your desktop of the DbProtect console, select Start > Run.

The Run window is displayed.
Step 6 Type the following:

services.msc
Step 7 Click OK.

The Services window is displayed.
Step 8 In the details pane, verify the DbProtect LEEF Relay is started and set to automatic startup.
Step 9 To change a service property, right-click on the service name, and then click Properties.
Step 10 Using the Startup type list box, select Automatic.
Step 11 If the DbProtect LEEF Relay is not started, click Start.

You are now ready to configure alerts for your DbProtect console.
Configure DbProtect Alerts

You can configure sensors on your DbProtect console to generate alerts.
Procedure

Step 1 Log in to your DbProtect console.
Step 2 Click the Activity Monitoring tab.
Step 3 Click the Sensors tab.
Step 4 Select a sensor and click Reconfigure.

Any database instances that are configured for your database are displayed.
Step 5 Select any database instances and click Reconfigure.
Step 6 Click Next until the Sensor Manager Policy window is displayed.
Step 7 Select the Syslog check box and click Next.
Step 8 The Syslog Configuration window is displayed.
Step 9 In the Send Alerts to the following Syslog console field, type the IP address of your DbProtect console.
Step 10 In the Port field, type the port number you configured in the SyslogListenerPort field of the DbProtect LEEF Relay.

By default, the DbProtect LEEF Relay listens for syslog on port 514. For more information, see Configuring the DbProtect LEEF Relay, Step 3.
Step 11 Click Add.
Step 12 Click Next until you reach the Deploy to Sensor window.
Step 13 Click Deploy to Sensor.

The configuration is complete. Events forwarded to JSA by your DbProtect console
are added as a log source and automatically displayed on the Log Activity tab.
Configuring a Log Source

JSA automatically discovers and creates a log source for syslog events from
Application Security DbProtect. These configuration steps are optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Application Security DbProtect.
Step 9 Using the Protocol Configuration list box, select Syslog.

The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 9-2 Syslog Parameters

Parameter

Description

Log Source Identifier

Type the IP address or host name for the log source as an
identifier for events from your Application Security DbProtect
device.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The log source is added to JSA.

ARBOR NETWORKS PEAKFLOW

Juniper Secure Analytics (JSA) can collect and categorize syslog events from Arbor Networks Peakflow SP appliances that are in your network.

Configuration Overview

Arbor Networks Peakflow SP appliances store the syslog events locally.
To collect local syslog events, you must configure your Peakflow SP appliance to
forward the syslog events to a remote host. JSA automatically discovers and
creates log sources for syslog events that are forwarded from Arbor Networks
Peakflow SP appliances. JSA supports syslog events that are forwarded from
Peakflow V5.8.
To configure Arbor Networks Peakflow SP, complete the following tasks:
1 On your Peakflow SP appliance, create a notification group for JSA.
2 On your Peakflow SP appliance, configure the global notification settings.
3 On your Peakflow SP appliance, configure your alert notification rules.
4 On your JSA system, verify that the forwarded events are automatically discovered.

Supported Event Types for Arbor Networks Peakflow SP

The Arbor Networks Peakflow DSM for JSA collects events from several
categories.
Each event category contains low-level events that describe the action that is
taken within the event category. For example, authentication events can have
low-level categories of login successful or login failure.
The following list defines the event categories that are collected by JSA from Peakflow SP appliances:
• Denial of Service (DoS) events
• Authentication events
• Exploit events
• Suspicious activity events
• System events

Configuring Remote Syslog in Peakflow SP

To collect events, you must configure a new notification group or edit existing
groups to add JSA as a remote syslog destination.
Procedure
To configure Remote Syslog in Peakflow SP:

Step 1 Log in to the configuration interface for your Peakflow SP appliance as an administrator.
Step 2 In the navigation menu, select Administration > Notification > Groups.
Step 3 Click Add Notification Group.
Step 4 In the Destinations field, type the IP address of your JSA system.
Step 5 In the Port field, type 514 as the port for your syslog destination.
Step 6 From the Facility list, select a syslog facility.
Step 7 From the Severity list, select info.

The informational severity collects all event messages at the informational event
level and higher severity.
Step 8 Click Save.
Step 9 Click Configuration Commit.

Configuring Global Notification Settings for Alerts in Peakflow SP

Global notifications in Peakflow SP provide system notifications that are not
associated with rules. This procedure defines how to add JSA as the default
notification group and enable system notifications.
Procedure

Step 1 Log in to the configuration interface for your Peakflow SP appliance as an administrator.
Step 2 In the navigation menu, select Administration > Notification > Global Settings.
Step 3 In the Default Notification Group field, select the notification group that you created for JSA syslog events.
Step 4 Click Save.
Step 5 Click Configuration Commit to apply the configuration changes.
Step 6 Log in to the Peakflow SP command-line interface as an administrator.
Step 7 Type the following command to list the current alert configuration:

services sp alerts system_errors show
Step 8 Optional. Type the following command to list the field names that can be configured:

services sp alerts system_errors ?
Step 9 Type the following command to enable a notification for a system alert:

services sp alerts system_errors  notifications enable

Where  is the field name of the notification.

Step 10 Type the following command to commit the configuration changes:

config write

Configuring Alert Notification Rules in Peakflow SP

To generate events, you must edit or add rules to use the notification group that has JSA as a remote syslog destination.
Procedure

Step 1 Log in to the configuration interface for your Peakflow SP appliance as an administrator.
Step 2 In the navigation menu, select Administration > Notification > Rules.
Step 3 Select one of the following options:
• Click a current rule to edit the rule.
• Click Add Rule to create a new notification rule.

Step 4 Configure the following values:

Table 10-3 Notification Rule Parameters

Name
    Type the IP address or host name as an identifier for events from your Peakflow SP installation. The log source identifier must be a unique value.

Resource
    Type a CIDR address or select a managed object from the list of Peakflow resources.

Importance
    Select the importance of the rule.

Notification Group
    Select the notification group that you assigned to forward syslog events to JSA.

Step 5 Repeat these steps to configure any other rules you want to forward to JSA.
Step 6 Click Save.
Step 7 Click Configuration Commit to apply the configuration changes.

JSA automatically discovers and creates a log source for Peakflow SP appliances.
Events that are forwarded to JSA are displayed on the Log Activity tab.
Configuring a Peakflow SP Log Source

JSA automatically discovers and creates a log source for syslog events forwarded
from Arbor Peakflow. These configuration steps are optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 In the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 Optional. In the Log Source Description field, type a description for your log source.
Step 8 From the Log Source Type list box, select Arbor Networks Peakflow.
Step 9 From the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 10-4 Syslog Protocol Parameters

Log Source Identifier
    Type the IP address or host name as an identifier for events from your Peakflow SP installation. The log source identifier must be a unique value.

Enabled
    Select this check box to enable the log source. By default, the check box is selected.

Credibility
    Select the credibility of the log source. The range is 0 - 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.

Target Event Collector
    Select the Event Collector to use as the target for the log source.

Coalescing Events
    Select this check box to enable the log source to coalesce (bundle) events. By default, automatically discovered log sources inherit the value of the Coalescing Events list box from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Incoming Event Payload
    From the list box, select the incoming payload encoder for parsing and storing the logs.

Store Event Payload
    Select this check box to enable the log source to store event payload information. By default, automatically discovered log sources inherit the value of the Store Event Payload list box from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

ARBOR NETWORKS PRAVAIL

The Juniper Secure Analytics (JSA) DSM for Arbor Networks Pravail can collect event logs from your Arbor Networks Pravail servers.
Table 11-1 provides the specifications of the Arbor Networks Pravail DSM.

Table 11-1 Arbor Networks Pravail DSM Specifications

Manufacturer
    Arbor Networks

DSM
    Arbor Networks Pravail

RPM file name
    DSM-ArborNetworksPravail-build_number.noarch.rpm

Supported versions

Protocol
    Syslog

JSA recorded events
    All relevant events

Automatically discovered
    Yes

Includes identity
    No

More information
    http://www.stealthbits.com/resources


Arbor Networks Pravail DSM Integration Process

To integrate Arbor Networks Pravail DSM with JSA, use the following procedure:

1 If automatic updates are not enabled, download and install the most recent Arbor Networks Pravail RPM on your JSA console.
2 For each instance of Arbor Networks Pravail, configure your Arbor Networks Pravail system to enable communication with JSA.
3 If JSA automatically discovers the DSM, for each Arbor Networks Pravail server you want to integrate, create a log source on the JSA console.

Related tasks
• Manually Installing a DSM
• Configuring your Arbor Networks Pravail system for Communication with JSA
• Configuring an Arbor Networks Pravail Log Source in JSA

Configuring your Arbor Networks Pravail system for Communication with JSA

To collect all audit logs and system events from Arbor Networks Pravail, you must add a destination that specifies JSA as the syslog server.
Procedure
To configure your Arbor Networks Pravail system for communication with JSA:

Step 1 Log in to your Arbor Networks Pravail server.
Step 2 Click Settings & Reports.
Step 3 Click Administration > Notifications.
Step 4 On the Configure Notifications page, click Add Destinations.
Step 5 Select Syslog.
Step 6 Configure the following parameters:

Table 11-2 Parameters to Configure Arbor Networks Pravail System

Host
    The IP address of the JSA Console

Port
    514

Severity
    Info

Alert Types
    The alert types that you want to send to the JSA Console

Step 7 Click Save.

Configuring an Arbor Networks Pravail Log Source in JSA

To collect Arbor Networks Pravail events, configure a log source in JSA.
Procedure
To configure an Arbor Networks Pravail log source in JSA:

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 In the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 From the Log Source Type list, select Arbor Networks Pravail.
Step 7 From the Protocol Configuration list, select Syslog.
Step 8 Configure the remaining parameters.
Step 9 Click Save.
Step 10 On the Admin tab, click Deploy Changes.

ARPEGGIO SIFT-IT

The Juniper Secure Analytics (JSA) SIFT-IT DSM accepts syslog events from Arpeggio SIFT-IT running on IBM iSeries® that are formatted using the Log Enhanced Event Format (LEEF).

Supported Versions

JSA supports events from Arpeggio SIFT-IT 3.1 and above installed on IBM iSeries version 5 revision 3 (V5R3) and above.

Supported Events

Arpeggio SIFT-IT supports syslog events from the journal QAUDJRN in LEEF format.
For example:

Jan 29 01:33:34 RUFUS LEEF:1.0|Arpeggio|SIFT-IT|3.1|PW_U|sev=3 usrName=ADMIN src=100.100.100.114 srcPort=543 jJobNam=QBASE jJobUsr=ADMIN jJobNum=1664 jrmtIP=100.100.100.114 jrmtPort=543 jSeqNo=4755 jPgm=QWTMCMNL jPgmLib=QSYS jMsgId=PWU0000 jType=U jUser=ROOT jDev=QPADEV000F jMsgTxt=Invalid user id ROOT. Device QPADEV000F.

The events SIFT-IT forwards to JSA are determined by a configuration rule set file. SIFT-IT includes a default configuration rule set file that you can edit to meet your security or auditing requirements. For more information on configuring rule set files, see your SIFT-IT User Guide.
Configuring a SIFT-IT Agent

Arpeggio SIFT-IT is capable of forwarding syslog events in LEEF format with
SIFT-IT agents.
A SIFT-IT agent configuration defines the location of your JSA installation, the
protocol and formatting of the event message, and the configuration rule set.
Procedure

Step 1 Log in to your IBM iSeries.
Step 2 Type the following command and press Enter to add SIFT-IT to your library list:

ADDLIBLE SIFTITLIB0
Step 3 Type the following command and press Enter to access the SIFT-IT main menu:

GO SIFTIT

Step 4 From the main menu, select 1. Work with SIFT-IT Agent Definitions.
Step 5 Type 1 to add an agent definition for JSA and press Enter.
Step 6 Configure the following agent parameters:
a In the SIFT-IT Agent Name field, type a name. For example, JSA.
b In the Description field, type a description for the agent. For example, Arpeggio agent for JSA.
c In the Server host name or IP address field, type the location of your JSA console or Event Collector.
d In the Connection type field, type either *TCP, *UDP, or *SECURE. The *SECURE option requires the TLS protocol. For more information, see the Log Sources Users Guide.
e In the Remote port number field, type 514. By default, JSA supports both TCP and UDP syslog messages on port 514.
f In the Message format options field, type *JSA.
g Optional. Configure any additional parameters for attributes that are not JSA specific. The additional operational parameters are described in the SIFT-IT User Guide.
h Press F3 to exit to the Work with SIFT-IT Agents Description menu.

Step 7 Type 9 and press Enter to load a configuration rule set for JSA.
Step 8 In the Configuration file field, type the path to your JSA configuration rule set file. For example, /sifitit/JSAconfig.txt
Step 9 Press F3 to exit to the Work with SIFT-IT Agents Description menu.
Step 10 Type 11 to start the JSA agent.

The configuration is complete.
Next steps
Syslog events forwarded by Arpeggio SIFT-IT in LEEF format are automatically
discovered by JSA. In most cases, the log source is automatically created in JSA
after a small number of events are detected. If the event rate is extremely low, then
you might be required to manually create a log source for Arpeggio SIFT-IT in JSA.
Until the log source is automatically discovered and identified, the event type
displays as Unknown on the Log Activity tab of JSA. Automatically discovered log
sources can be viewed on the Admin tab of JSA by clicking the Log Sources icon.

Configuring a Log Source

JSA automatically discovers and creates a log source for system authentication
events forwarded from Arpeggio SIFT-IT. This procedure is optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Arpeggio SIFT-IT.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 12-1 Syslog Parameters

Log Source Identifier
    Type the IP address or host name for the log source as an identifier for events from your Arpeggio SIFT-IT installation.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.
Additional Information

After you create your JSA agent definition, you can use your Arpeggio SIFT-IT software and JSA integration to customize your security and auditing requirements.
This can include:
• Creating custom configurations in Arpeggio SIFT-IT with granular filtering on event attributes. For example, filtering on job name, user, file or object name, system objects, or ports. All events forwarded from SIFT-IT and the contents of the event payload in JSA are easily searchable.
• Configuring rules in JSA to generate alerts or offenses for your security team to identify potential security threats, data loss, or breaches in real time.
• Configuring processes in Arpeggio SIFT-IT to trigger real-time remediation of issues on your IBM iSeries.
• Creating offenses for your security team from Arpeggio SIFT-IT events in JSA with the Offenses tab, or configuring email job logs in SIFT-IT for your IBM iSeries administrators.
• Creating multiple configuration rule sets for multiple agents that run simultaneously to handle specific security or audit events. For example, you can configure one JSA agent with a specific rule set for forwarding all IBM iSeries events, then develop multiple configuration rule sets for specific compliance purposes. This allows you to easily manage configuration rule sets for compliance regulations, such as FISMA, PCI, HIPAA, SOX, or ISO 27001. All of the events forwarded by SIFT-IT JSA agents are contained in a single log source and categorized to be easily searchable.

ARRAY NETWORKS SSL VPN

The Array Networks SSL VPN DSM for Juniper Secure Analytics (JSA) collects events from an ArrayVPN appliance using syslog.

Supported Event Types

JSA records all relevant SSL VPN events forwarded using syslog on TCP port 514 or UDP port 514.

Configuring a Log Source

To integrate Array Networks SSL VPN events with JSA, you must manually create
a log source.
JSA does not automatically discover or create log sources for syslog events from
Array Networks SSL VPN.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Array Networks SSL VPN Access Gateways.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 13-1 Syslog Parameters

Log Source Identifier
    Type the IP address or host name for the log source as an identifier for events from your Array Networks SSL VPN appliance.

Step 11 Click Save.

Step 12 On the Admin tab, click Deploy Changes.

The log source is added to JSA. Events forwarded to JSA by Array Networks SSL
VPN are displayed on the Log Activity tab.
Next Steps
You are now ready to configure your Array Networks SSL VPN appliance to
forward remote syslog events to JSA. For more information on configuring Array
Networks SSL VPN appliances for remote syslog, please consult your Array
Networks documentation.

ARUBA MOBILITY CONTROLLERS

The Aruba Mobility Controllers DSM for Juniper Secure Analytics (JSA) accepts events using syslog.

Supported Event Types

JSA records all relevant events forwarded using syslog on TCP port 514 or UDP port 514.

Configure Your Aruba Mobility Controller

You can configure the Aruba Wireless Networks (Mobility Controller) device to forward syslog events to JSA.
Procedure

Step 1 Log in to the Aruba Mobility Controller user interface.
Step 2 From the top menu, select Configuration.
Step 3 From the Switch menu, select Management.
Step 4 Click the Logging tab.
Step 5 From the Logging Servers menu, select Add.
Step 6 Type the IP address of the JSA server that you want to collect the logs.
Step 7 Click Add.
Step 8 Optional. Change the logging level for a module:
a Select the check box next to the name of the logging module.
b Choose the logging level you want to change from the list box that is displayed at the bottom of the window.

Step 9 Click Done.
Step 10 Click Apply.

The configuration is complete. The log source is added to JSA as Aruba Mobility
Controller events are automatically discovered. Events forwarded to JSA by Aruba
Mobility Controller are displayed on the Log Activity tab of JSA.

Configuring a Log Source

JSA automatically discovers and creates a log source for syslog events from Aruba
Mobility Controllers. These configuration steps are optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Aruba Mobility Controller.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 14-1 Syslog Parameters

Log Source Identifier
    Type the IP address or host name for the log source as an identifier for events from your Aruba Mobility Controller.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The log source is added to JSA. Events forwarded to JSA by Aruba Mobility
Controller appliances are displayed on the Log Activity tab.

AVAYA VPN GATEWAY

The Juniper Secure Analytics (JSA) DSM for Avaya VPN Gateway can collect event logs from your Avaya VPN Gateway servers.
Table 15-1 identifies the specifications for the Avaya VPN Gateway DSM.

Table 15-1 Avaya VPN Gateway DSM Specifications

Manufacturer
    Avaya Inc.

DSM
    Avaya VPN Gateway

RPM file name
    DSM-AvayaVPNGateway-7.1-799033.noarch.rpm
    DSM-AvayaVPNGateway-7.2-799036.noarch.rpm

Supported versions
    9.0.7.2

Protocol
    syslog

JSA recorded events
    OS, System Control Process, Traffic Processing, Startup, Configuration Reload, AAA Subsystem, IPsec Subsystem

Automatically discovered
    Yes

Includes identity
    Yes

More information
    http://www.avaya.com

Avaya VPN Gateway DSM Integration Process

To integrate Avaya VPN Gateway DSM with JSA, use the following procedure:

1 If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA console:
• Syslog protocol RPM
• DSMCommon RPM
• Avaya VPN Gateway RPM
2 For each instance of Avaya VPN Gateway, configure your Avaya VPN Gateway system to enable communication with JSA.
3 If JSA automatically discovers the log source, for each Avaya VPN Gateway server you want to integrate, create a log source on the JSA console.

Related tasks
• Manually Installing a DSM
• Configuring your Avaya VPN Gateway System for Communication with JSA
• Configuring an Avaya VPN Gateway Log Source in JSA

Configuring your Avaya VPN Gateway System for Communication with JSA

To collect all audit logs and system events from Avaya VPN Gateway, you must specify JSA as the syslog server and configure the message format.
Procedure
To configure your Avaya VPN Gateway system for communication with JSA:

Step 1 Log in to your Avaya VPN Gateway command-line interface (CLI).
Step 2 Type the following command:

/cfg/sys/syslog/add
Step 3 At the prompt, type the IP address of your JSA system.
Step 4 To apply the configuration, type the following command:

apply
Step 5 To verify that the IP address of your JSA system is listed, type the following command:

/cfg/sys/syslog/list

Configuring an Avaya VPN Gateway Log Source in JSA

To collect Avaya VPN Gateway events, configure a log source in JSA.
Procedure
To configure an Avaya VPN Gateway log source in JSA:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 In the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 From the Log Source Type list, select Avaya VPN Gateway.
Step 7 From the Protocol Configuration list, select Syslog.
Step 8 Configure the remaining parameters.
Step 9 Click Save.
Step 10 On the Admin tab, click Deploy Changes.

BALABIT IT SECURITY

The BalaBit Syslog-ng Agent application can collect and forward syslog events for the Microsoft Security Event Log DSM and the Microsoft ISA DSM in Juniper Secure Analytics (JSA).
To configure a BalaBit IT Security agent, select a configuration:
• Configuring BalaBit IT Security for Microsoft Windows Events
• Configuring BalaBit IT Security for Microsoft ISA or TMG Events

Configuring BalaBit IT Security for Microsoft Windows Events

Supported Event Types

The Microsoft Windows Security Event Log DSM in JSA can accept Log Extended Event Format (LEEF) events from BalaBit's Syslog-ng Agent.
The BalaBit Syslog-ng Agent forwards the following Windows events to JSA using syslog:
• Windows security
• Application
• System
• DNS
• DHCP
• Custom container event logs


Before You Begin

Before you can receive events from BalaBit IT Security Syslog-ng Agents, you must install and configure the agent to forward events.
Review the following configuration steps before you attempt to configure the BalaBit Syslog-ng Agent:
1 Install the BalaBit Syslog-ng Agent on your Windows host. For more information, see your BalaBit Syslog-ng Agent documentation.
2 Configure Syslog-ng Agent Events.
3 Configure JSA as a destination for the Syslog-ng Agent.
4 Restart the Syslog-ng Agent service.
5 Optional. Configure the log source in JSA.

Configuring the Syslog-ng Agent Event Source

Before you can forward events to JSA, you must specify what Windows-based
events the Syslog-ng Agent collects.
Procedure

Step 1 From the Start menu, select All Programs > syslog-ng Agent for Windows > Configure syslog-ng Agent for Windows.

The Syslog-ng Agent window is displayed.
Step 2 Expand the syslog-ng Agent Settings pane, and select Eventlog Sources.
Step 3 Double-click on Event Containers.

The Event Containers Properties window is displayed.
Step 4 From the Event Containers pane, select the Enable radio button.
Step 5 Select a check box for each event type you want to collect:
• Application - Select this check box if you want the device to monitor the Windows application event log.
• Security - Select this check box if you want the device to monitor the Windows security event log.
• System - Select this check box if you want the device to monitor the Windows system event log.

Note: BalaBit's Syslog-ng Agent supports additional event types, such as DNS or DHCP events, using custom containers. For more information, see your BalaBit Syslog-ng Agent documentation.

Step 6 Click Apply, and then click OK.

The event configuration for your BalaBit Syslog-ng Agent is complete. You are now
ready to configure JSA as a destination for Syslog-ng Agent events.

Configuring a Syslog Destination

The Syslog-ng Agent allows you to configure multiple destinations for your Windows-based events.
To configure JSA as a destination, you must specify the IP address for JSA, and then configure a message template for the LEEF format.
Procedure

Step 1 From the Start menu, select All Programs > syslog-ng Agent for Windows > Configure syslog-ng Agent for Windows.
The Syslog-ng Agent window is displayed.
Step 2 Expand the syslog-ng Agent Settings pane, and click Destinations.
Step 3 Double-click on Add new server.
The Server Property window is displayed.
Step 4 On the Server tab, click Set Primary Server.
Step 5 Configure the following parameters:
a Server Name - Type the IP address of your JSA console or Event Collector.
b Server Port - Type 514 as the TCP port number for events forwarded to JSA.

Step 6 Click the Messages tab.
Step 7 From the Protocol list box, select Legacy BSD Syslog Protocol.
Step 8 In the Template field, define a custom template message for the protocol by typing:
<${PRI}>${BSDDATE} ${HOST} LEEF:${MSG}
The information typed in this field is space delimited.
Step 9 From the Event Message Format pane, in the Message Template field, type the following to define the format for the LEEF events:
1.0|Microsoft|Windows|2k8r2|${EVENT_ID}|devTime=${R_YEAR}-${R_MONTH}-${R_DAY}T${R_HOUR}:${R_MIN}:${R_SEC}GMT${TZOFFSET} devTimeFormat=yyyy-MM-dd'T'HH:mm:ssz cat=${EVENT_TYPE} sev=${EVENT_LEVEL} resource=${HOST} usrName=${EVENT_USERNAME} application=${EVENT_SOURCE} message=${EVENT_MSG}

Note: The LEEF format uses a tab as the delimiter that separates event attributes from each other. However, the delimiter does not start until after the last pipe character, the one following ${EVENT_ID}. Each of the following attributes must be preceded by a tab: devTime, devTimeFormat, cat, sev, resource, usrName, application, and message. You might need to use a text editor to copy and paste the LEEF message format into the Message Template field.
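To see what these two templates produce on the wire and why the tab rule matters, here is an added Python example (not part of this guide or of BalaBit's agent) that expands the Step 8 and Step 9 templates for one constructed Windows logon event and then checks the result the way a LEEF consumer would, once with tabs and once with the spaces a careless paste would leave. It assumes the macro names quoted on the page and places the first attribute directly after the last pipe.

```python
"""Render the Windows LEEF template and check what a LEEF consumer would see.
Added example; the macro names are those quoted in the guide's template and
the event values are constructed."""
import re
from datetime import datetime

# Step 8 template: BSD syslog header followed by the LEEF marker.
SYSLOG_TEMPLATE = "<${PRI}>${BSDDATE} ${HOST} LEEF:${MSG}"

# Step 9 template. The guide prints it with spaces, but its note requires a
# tab before every attribute, so the tabs are written out here as \t.
LEEF_TEMPLATE = (
    "1.0|Microsoft|Windows|2k8r2|${EVENT_ID}|"
    "devTime=${R_YEAR}-${R_MONTH}-${R_DAY}T${R_HOUR}:${R_MIN}:${R_SEC}GMT${TZOFFSET}"
    "\tdevTimeFormat=yyyy-MM-dd'T'HH:mm:ssz"
    "\tcat=${EVENT_TYPE}\tsev=${EVENT_LEVEL}\tresource=${HOST}"
    "\tusrName=${EVENT_USERNAME}\tapplication=${EVENT_SOURCE}\tmessage=${EVENT_MSG}"
)
REQUIRED_ATTRS = ("devTime", "devTimeFormat", "cat", "sev", "resource",
                  "usrName", "application", "message")

# Constructed values for the agent macros of one Windows Security logon event.
SAMPLE_EVENT = {
    "PRI": "13", "BSDDATE": "Nov 27 10:15:30", "HOST": "WIN-DC01",
    "EVENT_ID": "4624", "R_YEAR": "2014", "R_MONTH": "11", "R_DAY": "27",
    "R_HOUR": "10", "R_MIN": "15", "R_SEC": "30", "TZOFFSET": "-05:00",
    "EVENT_TYPE": "Audit Success", "EVENT_LEVEL": "4",
    "EVENT_USERNAME": "CORP\\alice",
    "EVENT_SOURCE": "Microsoft-Windows-Security-Auditing",
    "EVENT_MSG": "An account was successfully logged on.",
}


def render(template, macros):
    """Expand ${MACRO} references; unknown macros are left untouched."""
    return re.sub(r"\$\{(\w+)\}", lambda m: macros.get(m.group(1), m.group(0)), template)


def build_syslog_line(event, attr_delimiter="\t"):
    """Produce the wire line. Pass attr_delimiter=" " to reproduce a template
    that was pasted with spaces instead of tabs."""
    msg = render(LEEF_TEMPLATE.replace("\t", attr_delimiter), event)
    return render(SYSLOG_TEMPLATE, dict(event, MSG=msg))


def check_leef(line):
    """Parse a forwarded line like a LEEF consumer and report problems."""
    problems = []
    _prefix, marker, body = line.partition("LEEF:")
    if not marker:
        return {"ok": False, "problems": ["no LEEF: marker"], "attrs": {}}
    parts = body.split("|", 5)  # version|vendor|product|version|eventID|payload
    if len(parts) != 6:
        return {"ok": False, "problems": ["header must have 5 pipe-delimited fields"],
                "attrs": {}}
    version, vendor, product, product_version, event_id, payload = parts
    attrs = {}
    for attr in payload.split("\t"):
        key, sep, value = attr.partition("=")
        if sep:
            attrs[key] = value
        else:
            problems.append("attribute without '=': %r" % attr)
    missing = [k for k in REQUIRED_ATTRS if k not in attrs]
    if missing:
        # With spaces instead of tabs everything lands inside the devTime value.
        problems.append("missing attributes (check the tab delimiters): " + ", ".join(missing))
    # devTime must match the declared devTimeFormat yyyy-MM-dd'T'HH:mm:ssz,
    # where z is rendered as GMT+hh:mm.
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})GMT([+-]\d{2}:\d{2})",
                     attrs.get("devTime", ""))
    dev_time = datetime.fromisoformat(m.group(1) + m.group(2)) if m else None
    if dev_time is None:
        problems.append("devTime %r does not match devTimeFormat" % attrs.get("devTime"))
    return {"ok": not problems, "problems": problems, "attrs": attrs, "vendor": vendor,
            "product": product, "event_id": event_id, "dev_time": dev_time}
```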

Step 10 Click OK.

The destination configuration is complete. You are now ready to restart the
Syslog-ng Agent service.
Restart the Syslog-ng Agent Service

Before the Syslog-ng Agent can forward LEEF formatted events, you must restart
the Syslog-ng Agent service on the Windows host.
Procedure

Step 1 From the Start menu, select Start > Run.
The Run window is displayed.
Step 2 Type the following:
services.msc
Step 3 Click OK.
The Services window is displayed.
Step 4 In the Name column, right-click on Syslog-ng Agent for Windows, and select Restart.
After the Syslog-ng Agent for Windows service restarts, the configuration is
complete. Syslog events from the BalaBit Syslog-ng Agent are automatically
discovered by JSA. The Windows events that are automatically discovered are
displayed as Microsoft Windows Security Event Logs on the Log Activity tab.
Configuring a Log Source

JSA automatically discovers and creates a log source for syslog events from LEEF
formatted messages. These configuration steps are optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your BalaBit Syslog-ng Agent log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Microsoft Windows Security Event Log.
Step 9 Using the Protocol Configuration list box, select Syslog.


Step 10 Configure the following values:

Table 16-1 Syslog Parameters
Parameter | Description
Log Source Identifier | Type the IP address or hostname for the log source as an identifier for events from the BalaBit Syslog-ng Agent.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

Configuring BalaBit IT Security for Microsoft ISA or TMG Events

You can integrate the BalaBit Syslog-ng Agent application to forward syslog events
to JSA.

Supported Event Types

The BalaBit Syslog-ng Agent reads Microsoft ISA or Microsoft TMG event logs and
forwards syslog events using the Log Extended Event Format (LEEF).
The events forwarded by BalaBit IT Security are parsed and categorized by the
Microsoft Internet and Acceleration (ISA) DSM for JSA. The DSM accepts both
Microsoft ISA and Microsoft Threat Management Gateway (TMG) events.

Before You Begin

Before you can receive events from BalaBit IT Security Syslog-ng Agents, you must install and configure the agent to forward events.
Note: This integration uses BalaBit’s Syslog-ng Agent for Windows and BalaBit’s Syslog-ng PE to parse and forward events to JSA for the DSM to interpret.
Review the following configuration steps before you attempt to configure the BalaBit Syslog-ng Agent.
To configure the BalaBit Syslog-ng Agent, you must:
1 Install the BalaBit Syslog-ng Agent on your Windows host. For more information, see your BalaBit Syslog-ng Agent vendor documentation.
2 Configure the BalaBit Syslog-ng Agent.
3 Install a BalaBit Syslog-ng PE for Linux or Unix in relay mode to parse and forward events to JSA. For more information, see your BalaBit Syslog-ng PE vendor documentation.
4 Configure syslog for BalaBit Syslog-ng PE.
5 Optional. Configure the log source in JSA.

Configure the BalaBit Syslog-ng Agent

Before you can forward events to JSA, you must specify the file source from which the Syslog-ng Agent collects Microsoft ISA or Microsoft TMG events.
If your Microsoft ISA or Microsoft TMG appliance is generating event files for the Web Proxy Server and the Firewall Service, both files can be added.
Configure the file source
File sources allow you to define the base log directory and files monitored by the Syslog-ng Agent.
Procedure

Step 1 From the Start menu, select All Programs > syslog-ng Agent for Windows > Configure syslog-ng Agent for Windows.
The Syslog-ng Agent window is displayed.
Step 2 Expand the syslog-ng Agent Settings pane, and select File Sources.
Step 3 Select the Enable radio button.
Step 4 Click Add to add your Microsoft ISA and TMG event files.
Step 5 From the Base Directory field, click Browse and select the folder for your Microsoft ISA or Microsoft TMG log files.
Step 6 From the File Name Filter field, click Browse and select a log file containing your Microsoft ISA or Microsoft TMG events.
Note: The File Name Filter field supports the wildcard (*) and question mark (?) characters to follow log files that are replaced after reaching a specific file size or date.
Step 7 In the Application Name field, type a name to identify the application.
Step 8 From the Log Facility list box, select Use Global Settings.
Step 9 Click OK.
Step 10 To add additional file sources, click Add and repeat this process from Step 4.

Microsoft ISA and TMG store Web Proxy Service events and Firewall Service events in individual files.
Step 11 Click Apply, and then click OK.

The event configuration is complete. You are now ready to configure a syslog destination and formatting for your Microsoft TMG and ISA events.
Configuring a syslog destination
The event logs captured by Microsoft ISA or TMG cannot be parsed by the BalaBit
Syslog-ng Agent for Windows, so you must forward your logs to a BalaBit
Syslog-ng Premium Edition (PE) for Linux or Unix.
To forward your TMG and ISA event logs, you must specify the IP address for your
PE relay and configure a message template for the LEEF format. The BalaBit
Syslog-ng PE acts as an intermediate syslog server to parse the events and
forward the information to JSA.
Procedure
Step 1 From the Start menu, select All Programs > syslog-ng Agent for Windows > Configure syslog-ng Agent for Windows.
The Syslog-ng Agent window is displayed.
Step 2 Expand the syslog-ng Agent Settings pane, and click Destinations.
Step 3 Double-click on Add new server.
Step 4 On the Server tab, click Set Primary Server.
Step 5 Configure the following parameters:
a Server Name - Type the IP address of your BalaBit Syslog-ng PE relay.
b Server Port - Type 514 as the TCP port number for events forwarded to your BalaBit Syslog-ng PE relay.
Step 6 Click the Messages tab.
Step 7 From the Protocol list box, select Legacy BSD Syslog Protocol.
Step 8 From the File Message Format pane, in the Message Template field, type the following format command:
${FILE_MESSAGE}${TZOFFSET}
Step 9 Click Apply, and then click OK.

The destination configuration is complete. You are now ready to filter comment
lines from the event log.
Filtering the log file for comment lines
The event log file for Microsoft ISA or Microsoft TMG can contain comment markers; these comments must be filtered from the event message.
Procedure
Step 1 From the Start menu, select All Programs > syslog-ng Agent for Windows > Configure syslog-ng Agent for Windows.
The Syslog-ng Agent window is displayed.
Step 2 Expand the syslog-ng Agent Settings pane, and select Destinations.
Step 3 Right-click on your JSA syslog destination and select Event Filters > Properties.

The Global event filters Properties window is displayed.
Step 4 Configure the following values:
• From the Global file filters pane, select Enable.
• From the Filter Type pane, select Black List Filtering.

Step 5 Click OK.
Step 6 From the filter list menu, double-click Message Contents.

The Message Contents Properties window is displayed.
Step 7 From the Message Contents pane, select the Enable radio button.
Step 8 In the Regular Expression field, type the following regular expression:
^#
Step 9 Click Add.
Step 10 Click Apply, and then click OK.

The event messages containing comments are no longer forwarded.

Note: You might be required to restart the Syslog-ng Agent for Windows service to begin syslog forwarding. For more information, see your BalaBit Syslog-ng Agent documentation.

Configuring a BalaBit Syslog-ng PE Relay

The BalaBit Syslog-ng Agent for Windows sends Microsoft TMG and ISA event logs to a BalaBit Syslog-ng PE installation, which is configured in relay mode.
The relay mode installation is responsible for receiving the event log from the BalaBit Syslog-ng Agent for Windows, parsing the event logs into the LEEF format, then forwarding the events to JSA using syslog.
To configure your BalaBit Syslog-ng PE Relay, you must:
1 Install BalaBit Syslog-ng PE for Linux or Unix in relay mode. For more information, see your BalaBit Syslog-ng PE vendor documentation.
2 Configure syslog on your Syslog-ng PE relay.

Note: For a sample syslog.conf file you can use to configure Microsoft TMG and ISA logs using your BalaBit Syslog-ng PE relay, see http://www.juniper.net/customers/support/.
The BalaBit Syslog-ng PE formats the TMG and ISA events in the LEEF format based on the configuration of your syslog.conf file. The syslog.conf file is responsible for parsing the event logs and forwarding the events to JSA.

Procedure
Step 1 Using SSH, log in to your BalaBit Syslog-ng PE relay command-line interface (CLI).
Step 2 Edit the following file:
/etc/syslog-ng/etc/syslog.conf
Step 3 From the destinations section, add an IP address and port number for each relay destination.
For example,
######
# destinations
destination d_messages { file("/var/log/messages"); };
destination d_remote_tmgfw { tcp("JSA_IP" port(JSA_PORT)
    log_disk_fifo_size(10000000) template(t_tmgfw)); };
destination d_remote_tmgweb { tcp("JSA_IP" port(JSA_PORT)
    log_disk_fifo_size(10000000) template(t_tmgweb)); };

Where:
JSA_IP is the IP address of your JSA console or Event Collector.
JSA_PORT is the port number required for JSA to receive syslog events. By default, JSA receives syslog events on port 514.
Step 4 Save the syslog configuration changes.
Step 5 Restart Syslog-ng PE to force the configuration file to be read.

The BalaBit Syslog-ng PE configuration is complete. Syslog events forwarded from
the BalaBit Syslog-ng relay are automatically discovered by JSA as Microsoft
Windows Security Event Log on the Log Activity tab. For more information, see
the Juniper Secure Analytics Users Guide.

Note: When using multiple syslog destinations, messages are considered delivered after they successfully arrive at the primary syslog destination.

Configuring a Log Source

JSA automatically discovers and creates a log source for syslog events from LEEF formatted messages provided by your BalaBit Syslog-ng relay. The following configuration steps are optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.
Step 4 Click the Log Sources icon.

The Log Sources window is displayed.

Step 5 Click Add.

The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for the log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Microsoft ISA.
Step 9 From the Protocol Configuration list box, select Syslog.

The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 16-2 Syslog Parameters
Parameter | Description
Log Source Identifier | Type the IP address or hostname for the log source as an identifier for Microsoft ISA or Microsoft Threat Management Gateway events from the BalaBit Syslog-ng Agent.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The BalaBit IT Security configuration for Microsoft ISA and Microsoft TMG events
is complete.

14 BARRACUDA

This section includes information on configuring the following DSMs:
• Barracuda Spam & Virus Firewall
• Barracuda Web Application Firewall
• Barracuda Web Filter

Barracuda Spam & Virus Firewall

Supported Event Types

You can integrate Barracuda Spam & Virus Firewall with Juniper Secure Analytics
(JSA).
The Barracuda Spam & Virus Firewall DSM for JSA accepts both Mail syslog
events and Web syslog events from Barracuda Spam & Virus Firewall appliances.
Mail syslog events contain the event and action taken when the firewall processes
email. Web syslog events record information on user activity and configuration
changes on your Barracuda Spam & Virus Firewall appliance.

Before You Begin

Before you can receive events in JSA, you must configure your Barracuda Spam & Virus Firewall to forward syslog events. Syslog messages are sent to JSA from Barracuda Spam & Virus Firewall using UDP port 514. You must verify any firewalls between JSA and your Barracuda Spam & Virus Firewall appliance allow UDP traffic on port 514.

Configuring Syslog Event Forwarding

You can configure syslog forwarding for Barracuda Spam & Virus Firewall.
Procedure

Step 1 Log in to the Barracuda Spam & Virus Firewall web interface.
Step 2 Click the Advanced tab.
Step 3 From the Advanced menu, select Advanced Networking.
Step 4 In the Mail Syslog field, type the IP address of your JSA console or Event Collector.
Step 5 Click Add.
Step 6 In the Web Interface Syslog field, type the IP address of your JSA console or Event Collector.
Step 7 Click Add.

The syslog configuration is complete.
Configuring a Log Source

JSA automatically discovers and creates a log source for syslog events from
Barracuda Spam & Virus Firewall appliances. The following configuration steps are
optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Barracuda Spam & Virus Firewall.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 17-1 Syslog Parameters
Parameter | Description
Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your Barracuda Spam & Virus Firewall appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The log source is added to JSA. Events forwarded to JSA by Barracuda Spam &
Virus Firewall are displayed on the Log Activity tab.

Barracuda Web Application Firewall

Supported Event Types

You can integrate Barracuda Web Application Firewall with JSA.
The Barracuda Web Application Firewall DSM for JSA accepts system, web firewall log, access log, and audit log events using syslog.
You configure Barracuda Web Application Firewall to forward syslog events to JSA in a custom name-value pair event format. Syslog events from Barracuda Web Application Firewall appliances are provided to JSA using UDP port 514.


Before You Begin

Before you begin you must create a log source for JSA. JSA does not
automatically discover events for Barracuda Web Application Firewall. After you
configure this DSM, we recommend you verify any firewalls between Barracuda
Web Application Firewall appliance and JSA allow UDP traffic on port 514.

Configuring a Log Source

To integrate Barracuda Web Application Firewall with JSA, you must manually
create a log source to receive Barracuda Web Application Firewall events.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Barracuda Web Application Firewall.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 17-2 Syslog Parameters
Parameter | Description
Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your Barracuda Web Application Firewall appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The log source is added to JSA.
Configuring Syslog Event Forwarding

You configure syslog forwarding for Barracuda Web Application Firewall.
Procedure

Step 1 Log in to the Barracuda Web Application Firewall web interface.
Step 2 Click the Advanced tab.
Step 3 From the Advanced menu, select Export Logs.
Step 4 Click Syslog Settings.
Step 5 Configure a syslog facility value for the following options:
• Web Firewall Logs Facility - Select a syslog facility between Local0 and Local7.
• Access Logs Facility - Select a syslog facility between Local0 and Local7.
• Audit Logs Facility - Select a syslog facility between Local0 and Local7.
• System Logs Facility - Select a syslog facility between Local0 and Local7.
Setting a unique syslog facility for each log type allows the Barracuda Web Application Firewall to divide the logs into different files.
Step 6 Click Save Changes.

The Export Log window is displayed.
Step 7 In the Name field, type the name of the syslog server.
Step 8 In the Syslog field, type the IP address of your JSA console or Event Collector.
Step 9 From the Log Time Stamp option, select Yes.
Step 10 From the Log Unit Name option, select Yes.
Step 11 Click Add.
Step 12 From the Web Firewall Logs Format list box, select Custom Format.
Step 13 In the Web Firewall Logs Format field, type the following custom event format:

t=%t|ad=%ad|ci=%ci|cp=%cp|au=%au
Step 14 From the Access Logs Format list box, select Custom Format.
Step 15 In the Access Logs Format field, type the following custom event format:

t=%t|p=%p|s=%s|id=%id|ai=%ai|ap=%ap|ci=%ci|cp=%cp|si=%si|sp=%sp|cu=%cu
Step 16 From the Access Logs Format list box, select Custom Format.
Step 17 In the Access Logs Format field, type the following custom event format:

t=%t|trt=%trt|an=%an|li=%li|lp=%lp
Step 18 Click Save Changes.
Step 19 From the navigation menu, select Basic > Administration.
Step 20 From the System/Reload/Shutdown pane, click Restart.

The syslog configuration is complete after your Barracuda Web Application
Firewall restarts. Events forwarded to JSA by Barracuda Web Application Firewall
are displayed on the Log Activity tab.

Barracuda Web Filter

Supported Event Types

You can integrate Barracuda Web Filter appliance events with JSA.

The Barracuda Web Filter DSM for JSA accepts web traffic and web interface
events in syslog format forwarded by Barracuda Web Filter appliances.
Web traffic events contain the event and action taken when the appliance
processes web traffic. Web interface events contain user login activity and
configuration changes to the Web Filter appliance.
Before You Begin

Before you can receive events in JSA, you must configure your Barracuda Web Filter to forward syslog events.
Syslog messages are forwarded to JSA using UDP port 514. You must verify any firewalls between JSA and your Barracuda Web Filter appliance allow UDP traffic on port 514.

Configuring Syslog Event Forwarding

You can configure syslog forwarding for Barracuda Web Filter.
Procedure

Step 1 Log in to the Barracuda Web Filter web interface.
Step 2 Click the Advanced tab.
Step 3 From the Advanced menu, select Syslog.
Step 4 In the Web Traffic Syslog field, type the IP address of your JSA console or Event Collector.
Step 5 Click Add.
Step 6 In the Web Interface Syslog field, type the IP address of your JSA console or Event Collector.
Step 7 Click Add.

The syslog configuration is complete.
Configuring a Log Source

JSA automatically discovers and creates a log source for syslog events from
Barracuda Web Filter appliances. The following configuration steps are optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Barracuda Web Filter.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 17-1 Syslog Parameters
Parameter | Description
Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your Barracuda Web Filter appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The log source is added to JSA. Events forwarded by Barracuda Web Filter are
displayed on the Log Activity tab of JSA.

15 BIT9 PARITY

You can integrate Bit9 Parity events with Juniper Secure Analytics (JSA).

Supported Event Types

The Bit9 Parity DSM for JSA accepts syslog events using the Log Enhanced Event
Format (LEEF), enabling JSA to record all relevant appliance events.

Configuring Bit9 Parity

To collect events, you must configure your Bit9 Parity device to forward syslog
events in the LEEF format.
Procedure

Step 1 Log in to the Bit9 Parity console with Administrator or PowerUser privileges.
Step 2 From the navigation menu on the left side of the console, select Administration > System Configuration.
The System Configuration window is displayed.
Step 3 Click Server Status.

The Server Status window is displayed.
Step 4 Click Edit.
Step 5 In the Syslog address field, type the IP address of your JSA.
Step 6 From the Syslog format list box, select LEEF (Q1 Labs).
Step 7 Select the Syslog enabled check box.
Step 8 Click Update.

The configuration is complete. The log source is added to JSA as Bit9 Parity
events are automatically discovered. Events forwarded to JSA by Bit9 Parity are
displayed on the Log Activity tab of JSA.
Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from Bit9
Parity. These configuration steps are optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Bit9 Parity.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 18-1 Syslog Parameters
Parameter | Description
Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your Bit9 Parity device.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

16 BLUECAT NETWORKS ADONIS

The BlueCat Networks Adonis DSM for Juniper Secure Analytics (JSA) accepts
events forwarded in Log Enhanced Event Protocol (LEEF) using syslog from
BlueCat Adonis appliances managed with BlueCat Proteus.
Supported Versions

JSA supports BlueCat Networks Adonis appliances using version 6.7.1-P2 and
above.
You might be required to include a patch on your BlueCat Networks Adonis to
integrate DNS and DHCP events with JSA. For more information, see KB-4670
and your BlueCat Networks documentation.

Supported Event Types

JSA is capable of collecting all relevant events related to DNS and DHCP queries. This includes the following events:
• DNS IPv4 and IPv6 query events
• DNS name server query events
• DNS mail exchange query events
• DNS text record query events
• DNS record update events
• DHCP discover events
• DHCP request events
• DHCP release events

Event Type Format

The LEEF format consists of a pipe ( | ) delimited syslog header and a space delimited event payload.
For example,
Aug 10 14:55:30 adonis671-184
LEEF:1.0|BCN|Adonis|6.7.1|DNS_Query|cat=A_record
src=10.10.10.10 url=test.example.com
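The following added Python example, which is not part of the guide or of BlueCat's tooling, parses lines in this layout (BSD syslog prefix, five pipe-delimited LEEF header fields, space-delimited attributes) and lists the reasons a line does not resemble the sample above. The first sample line is the one quoted on the page; the second line and its txt attribute are constructed to show a value that itself contains spaces.

```python
"""Parse BlueCat Adonis LEEF syslog lines with a space-delimited payload.
Added example; the continuation sample and its attribute names are constructed."""
import re

# Sample line quoted in the guide.
SAMPLE_LINE = ("Aug 10 14:55:30 adonis671-184 "
               "LEEF:1.0|BCN|Adonis|6.7.1|DNS_Query|cat=A_record "
               "src=10.10.10.10 url=test.example.com")
# Constructed line whose last value contains spaces (and an '=' of its own).
CONTINUATION_LINE = ("Aug 10 14:56:01 adonis671-184 "
                     "LEEF:1.0|BCN|Adonis|6.7.1|DNS_Query|cat=TXT_record "
                     "src=10.10.10.11 txt=v=spf1 include:example.com -all")

# BSD syslog timestamp and host, then the LEEF marker.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) LEEF:(?P<leef>.+)$")
KEY_RE = re.compile(r"[A-Za-z][\w.-]*")


def parse_adonis_event(line):
    """Return the syslog prefix, the five LEEF header fields and the attributes."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("no syslog header followed by LEEF: in %r" % line)
    parts = m.group("leef").split("|", 5)
    if len(parts) != 6:
        raise ValueError("LEEF header needs version|vendor|product|version|eventID|")
    version, vendor, product, product_version, event_id, payload = parts
    attrs = {}
    last_key = None
    for token in payload.split(" "):
        key, sep, value = token.partition("=")
        if sep and KEY_RE.fullmatch(key):
            attrs[key] = value
            last_key = key
        elif last_key is not None:
            # No new key=: the token is part of the previous value, which
            # contained a space. A value containing "word=" stays ambiguous
            # in a space-delimited payload and would start a new attribute.
            attrs[last_key] += " " + token
        else:
            raise ValueError("payload does not start with key=value: %r" % token)
    return {"timestamp": m.group("ts"), "host": m.group("host"),
            "leef_version": version, "vendor": vendor, "product": product,
            "product_version": product_version, "event_id": event_id, "attrs": attrs}


def format_problems(line):
    """List reasons a line does not look like the sample; empty means it matches.
    A local sanity check modelled on the sample, not JSA's own discovery logic."""
    try:
        ev = parse_adonis_event(line)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if (ev["vendor"], ev["product"]) != ("BCN", "Adonis"):
        problems.append("vendor/product is %s/%s, expected BCN/Adonis"
                        % (ev["vendor"], ev["product"]))
    if not ev["event_id"]:
        problems.append("empty event ID")
    if "cat" not in ev["attrs"]:
        problems.append("payload has no cat= attribute")
    return problems
```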

If the syslog events forwarded from your BlueCat Adonis appliance are not formatted similarly to the sample above, you must examine your device configuration. Properly formatted LEEF event messages are automatically discovered by the BlueCat Networks Adonis DSM and added as a log source to JSA.
Before You Begin

BlueCat Adonis must be configured to generate events in Log Enhanced Event
Protocol (LEEF) and redirect the event output by way of syslog to JSA.
BlueCat Networks provides a script on their appliance to assist you with
configuring syslog. To complete the syslog redirection, you must have
administrative or root access to the command-line interface of the BlueCat Adonis
or your BlueCat Proteus appliance. If the syslog configuration script is not present
on your appliance, you can contact your BlueCat Networks representative.

Configuring BlueCat Adonis

You can configure your BlueCat Adonis appliance to forward DNS and DHCP
events to JSA.
Procedure

Step 1 Using SSH, log in to your BlueCat Adonis appliance command-line interface.
Step 2 Type the following command to start the syslog configuration script:

/usr/local/bluecat/qradar/setup-qradar.sh
Step 3 Type the IP address of your JSA console or Event Collector.
Step 4 Type yes or no to confirm the IP address.

The configuration is complete when a success message is displayed.
The log source is added to JSA as BlueCat Networks Adonis syslog events are
automatically discovered. Events forwarded to JSA are displayed on the Log
Activity tab. If the events are not automatically discovered, you can manually
configure a log source.
Configuring a Log Source in JSA

JSA automatically discovers and creates a log source for syslog events from
BlueCat Networks Adonis. However, you can manually create a log source for JSA
to receive syslog events. The following configuration steps are optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select BlueCat Networks Adonis.
Step 9 Using the Protocol Configuration list box, select Syslog.


Step 10 Configure the following values:

Table 19-2 Syslog Parameters
Parameter | Description
Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your BlueCat Networks Adonis appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

17 BLUE COAT SG

The Blue Coat SG DSM for Juniper Secure Analytics (JSA) allows you to integrate
events from a Blue Coat SG appliance with JSA.
JSA records all relevant and available information from name-value events that are
separated by pipe (|) characters.
JSA can receive events from your Blue Coat SG appliance using syslog or can
retrieve events from the Blue Coat SG appliance using the Log File protocol. The
instructions provided describe how to configure Blue Coat SG using a custom
name-value pair format. However, JSA supports the following formats:
• Custom Format
• SQUID
• NCSA
• main
• IM
• Streaming
• smartreporter
• bcereportermain_v1
• bcreporterssl_v1
• p2p
• SSL
• bcreportercifs_v1
• CIFS
• MAPI

For more information about your Blue Coat SG Appliance, see your vendor
documentation.


Creating a Custom Event Format

The Blue Coat SG DSM for JSA accepts custom formatted events from a Blue
Coat SG appliance.
Procedure

Step 1 Using a web browser, log in to the Blue Coat Management console.
Step 2 Select Configuration > Access Logging > Formats.
Step 3 Select New.
Step 4 Type a format name for the custom format.
Step 5 Select Custom format string.
Step 6 Type the following custom format for JSA:
Bluecoat|src=$(c-ip)|srcport=$(c-port)|dst=$(cs-uri-address)|dstport=$(cs-uri-port)|username=$(cs-username)|devicetime=$(gmttime)|s-action=$(s-action)|sc-status=$(sc-status)|cs-method=$(cs-method)|time-taken=$(time-taken)|sc-bytes=$(sc-bytes)|cs-bytes=$(cs-bytes)|cs-uri-scheme=$(cs-uri-scheme)|cs-host=$(cs-host)|cs-uri-path=$(cs-uri-path)|cs-uri-query=$(cs-uri-query)|cs-uri-extension=$(cs-uri-extension)|cs-auth-group=$(cs-auth-group)|rs(Content-Type)=$(rs(Content-Type))|cs(User-Agent)=$(cs(User-Agent))|cs(Referer)=$(cs(Referer))|sc-filter-result=$(sc-filter-result)|filter-category=$(sc-filter-category)|cs-uri=$(cs-uri)
Step 7 Select Log Last Header from the list box.
Step 8 Click OK.
Step 9 Click Apply.

Note: The custom format for JSA supports additional key-value pairs using the Blue Coat ELFF format. For more information, see Creating Additional Custom Format Key-Value Pairs.
You are ready to enable access logging on your Blue Coat device.
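The custom format above is a pipe-delimited list of name=value pairs, and so are the Barracuda Web Application Firewall custom formats earlier on this page (with %field instead of $(field) placeholders). The following added Python example, which comes from neither the guide nor either vendor, derives the expected key list from a format string and checks a log line against it, so a format typed into the appliance can be confirmed before events reach JSA; the Blue Coat and Barracuda log lines are constructed samples.

```python
"""Check pipe-delimited name=value log lines against the custom format strings
on this page. Added example; the two log lines are constructed samples."""
from dataclasses import dataclass, field

BLUECOAT_FORMAT = (
    "Bluecoat|src=$(c-ip)|srcport=$(c-port)|dst=$(cs-uri-address)|dstport=$(cs-uri-port)|"
    "username=$(cs-username)|devicetime=$(gmttime)|s-action=$(s-action)|sc-status=$(sc-status)|"
    "cs-method=$(cs-method)|time-taken=$(time-taken)|sc-bytes=$(sc-bytes)|cs-bytes=$(cs-bytes)|"
    "cs-uri-scheme=$(cs-uri-scheme)|cs-host=$(cs-host)|cs-uri-path=$(cs-uri-path)|"
    "cs-uri-query=$(cs-uri-query)|cs-uri-extension=$(cs-uri-extension)|"
    "cs-auth-group=$(cs-auth-group)|rs(Content-Type)=$(rs(Content-Type))|"
    "cs(User-Agent)=$(cs(User-Agent))|cs(Referer)=$(cs(Referer))|"
    "sc-filter-result=$(sc-filter-result)|filter-category=$(sc-filter-category)|cs-uri=$(cs-uri)"
)
# Barracuda Web Application Firewall "Web Firewall Logs" custom format from this page.
BARRACUDA_WF_FORMAT = "t=%t|ad=%ad|ci=%ci|cp=%cp|au=%au"

# Constructed sample events in the two formats.
BLUECOAT_LINE = (
    "Bluecoat|src=10.0.0.25|srcport=51234|dst=93.184.216.34|dstport=443|username=alice|"
    "devicetime=2014-11-27 15:04:05|s-action=TCP_NC_MISS|sc-status=200|cs-method=GET|"
    "time-taken=120|sc-bytes=5120|cs-bytes=640|cs-uri-scheme=https|cs-host=www.example.com|"
    "cs-uri-path=/index.html|cs-uri-query=?id=1&x=y|cs-uri-extension=html|cs-auth-group=staff|"
    "rs(Content-Type)=text/html|cs(User-Agent)=Mozilla/5.0 (Windows NT 6.1)|cs(Referer)=-|"
    "sc-filter-result=OBSERVED|filter-category=Business|"
    "cs-uri=https://www.example.com/index.html?id=1&x=y"
)
BARRACUDA_WF_LINE = "t=2014-11-27 15:04:05|ad=ALLOW|ci=10.0.0.25|cp=51234|au=alice"


@dataclass
class PipeRecord:
    prefix: str                               # literal first token such as "Bluecoat", or ""
    fields: dict = field(default_factory=dict)
    order: list = field(default_factory=list)


def parse_pipe_nv(text):
    """Split on '|' and then on the FIRST '=' of each segment, so values such as
    cs-uri-query=?id=1&x=y keep their own '=' signs. A '|' inside a value cannot
    be recovered from this format, which is a limitation of the format itself."""
    rec = PipeRecord(prefix="")
    for i, segment in enumerate(text.split("|")):
        key, sep, value = segment.partition("=")
        if not sep:
            if i == 0:
                rec.prefix = segment
                continue
            raise ValueError("segment without '=': %r" % segment)
        rec.fields[key] = value
        rec.order.append(key)
    return rec


def check_line(line, fmt):
    """Compare the keys (and their order) in a log line with those declared in
    the custom format string. Returns a list of problems; empty means it matches."""
    expected = parse_pipe_nv(fmt)
    got = parse_pipe_nv(line)
    problems = []
    if got.prefix != expected.prefix:
        problems.append("prefix %r, expected %r" % (got.prefix, expected.prefix))
    missing = [k for k in expected.order if k not in got.fields]
    extra = [k for k in got.order if k not in expected.fields]
    if missing:
        problems.append("missing keys: " + ", ".join(missing))
    if extra:
        problems.append("unexpected keys: " + ", ".join(extra))
    if not missing and not extra and got.order != expected.order:
        problems.append("keys are out of order")
    return problems
```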

Creating a Log Facility

To use the custom log format created for JSA, you must associate the custom log
format for JSA to a facility.
Procedure

Step 1 Select Configuration > Access Logging > Logs.
Step 2 Click New.
Step 3 Configure the following parameters:
• Log Name - Type a name for the log facility.
• Log Format - Select the custom format you created in Creating a Custom Event Format, Step 4.
• Description - Type a description for the log facility.

Step 4 Click OK.
Step 5 Click Apply.

You are ready to enable logging on the Blue Coat device. For more information,
see Enabling Access Logging.
Enabling Access Logging

You must enable access logging on your Blue Coat SG device.
Procedure

Step 1 Select Configuration > Access Logging > General.
Step 2 Select the Enable Access Logging check box.

If the Enable Access Logging check box is not selected, logging is disabled
globally for all of the formats listed.
Step 3 Click Apply.

You are ready to configure the Blue Coat upload client. For more information, see
Retrieving Blue Coat Events.

Retrieving Blue Coat Events

Events from your Blue Coat SG appliance are forwarded using the Blue Coat
upload client. JSA can receive forwarded events using FTP or syslog.
• If you are using FTP, see Log File Protocol Configuration.
• If you are using syslog, see Syslog Configuration.

Log File Protocol Configuration

To use FTP, you must configure the Blue Coat upload client.
Procedure

Step 1 Select Configuration > Access Logging > Logs > Upload Client.
Step 2 From the Log list box, select the log containing your custom format.
Step 3 From the Client type list box, select FTP Client.
Step 4 Select the text file option.

If you select the gzip file option on your Blue Coat appliance, you must configure a
Processor for your log source with the GZIP option.
Step 5 Click Settings.
Step 6 From the Settings For list box, select Primary FTP Server.
Step 7 Configure the following values:
a Host - Type the IP address of the FTP server receiving the Blue Coat events.
b Port - Type the FTP port number.
c Path - Type a directory path for the log files.
d Username - Type the username required to access the FTP server.
Step 8 Click OK.
Step 9 Select the Upload Schedule tab.
Step 10 From the Upload the access log option, select periodically.
Step 11 Configure the Wait time between connect attempts.
Step 12 Select if you want to upload the log file to the FTP daily or on an interval.
Step 13 Click Apply.

Configuring a Log Source in JSA
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 From the Log Source Type list box, select the Bluecoat SG Appliance option.
Step 8 From the Protocol Configuration list box, select the Log File option.
Step 9 Configure the following values:

Table 20-1 Blue Coat SG log file protocol parameters

Log Source Identifier - Type an IP address, host name, or name to identify the
event source. IP addresses or host names are recommended because they allow
JSA to associate a log file with a unique event source.

Service Type - From the list box, select the protocol you want to use when
retrieving log files from a remote server. The default is SFTP.
• SFTP - SSH File Transfer Protocol
• FTP - File Transfer Protocol
• SCP - Secure Copy
Note: The underlying protocol used to retrieve log files for the SCP and SFTP
service types requires that the server specified in the Remote IP or Hostname
field has the SFTP subsystem enabled. FTP sends the credentials and the log
data in clear text, so prefer SFTP or SCP where the intermediate server
supports them.

Remote IP or Hostname - Type the IP address or host name of the device storing
your event log files.

Remote Port - Type the TCP port on the remote host that is running the
selected Service Type. The valid range is 1 to 65535. The defaults are:
• FTP - TCP port 21
• SFTP - TCP port 22
• SCP - TCP port 22
Note: If the host for your event files is using a non-standard port number for
FTP, SFTP, or SCP, you must adjust the port value accordingly.

Remote User - Type the user name necessary to log in to the host containing
your event files. The username can be up to 255 characters in length.

Remote Password - Type the password necessary to log in to the host.

Confirm Password - Confirm the password necessary to log in to the host.

SSH Key File - If you select SCP or SFTP as the Service Type, this parameter
allows you to define an SSH private key file. When you provide an SSH Key
File, the Remote Password field is ignored.

Remote Directory - Type the directory location on the remote host from which
the files are retrieved, relative to the user account you are using to log in.
Note: For FTP only. If your log files reside in the remote user's home
directory, you can leave the remote directory blank. This is to support
operating systems where the change working directory (CWD) command is
restricted.

Recursive - Select this check box if you want the file pattern to search
subfolders in the remote directory. By default, the check box is clear. The
Recursive option is ignored if you configure SCP as the Service Type.

FTP File Pattern - If you select SFTP or FTP as the Service Type, this option
allows you to configure the regular expression (regex) that filters the list
of files in the Remote Directory. All matching files are included in the
processing. The pattern must match the names you assigned to your event files.
For example, to collect files ending with .log, type the following:
.*\.log
Use of this parameter requires knowledge of regular expressions (regex). For
more information, see the following website:
http://download.oracle.com/javase/tutorial/essential/regex/

FTP Transfer Mode - This option only appears if you select FTP as the Service
Type. It defines the file transfer mode used when retrieving log files over
FTP. From the list box, select the transfer mode you want to apply to this
log source:
• Binary - Select Binary for log sources that require binary data files or
compressed zip, gzip, tar, or tar+gzip archive files.
• ASCII - Select ASCII for log sources that require an ASCII FTP file
transfer. You must select NONE for the Processor parameter and LINEBYLINE for
the Event Generator parameter when using ASCII as the FTP Transfer Mode.

SCP Remote File - If you select SCP as the Service Type, you must type the
file name of the remote file.

Start Time - Type the time of day you want the processing to begin. For
example, type 00:00 to schedule the Log File protocol to collect event files at
midnight. This parameter functions with the Recurrence value to establish when
and how often the Remote Directory is scanned for files. Type the start time,
based on a 24 hour clock, in the following format: HH:MM.

Recurrence - Type the frequency, beginning at the Start Time, with which you
want the remote directory to be scanned. Type this value in hours (H), minutes
(M), or days (D). For example, type 2H if you want the remote directory to be
scanned every 2 hours from the start time. The default is 1H.

Run On Save - Select this check box if you want the log file protocol to run
immediately after you click Save. After the Run On Save completes, the log file
protocol follows your configured start time and recurrence schedule. Selecting
Run On Save clears the list of previously processed files for the Ignore
Previously Processed File(s) parameter.

EPS Throttle - Type the number of Events Per Second (EPS) that you do not want
this protocol to exceed. The valid range is 100 to 5000.

Processor - If the files located on the remote host are stored in a zip, gzip,
tar, or tar+gzip archive format, select the processor that allows the archives
to be expanded and their contents processed.

Ignore Previously Processed File(s) - Select this check box to track and ignore
files that have already been processed by the log file protocol. JSA examines
the log files in the remote directory to determine if a file has been
previously processed. If a previously processed file is detected, the log file
protocol does not download the file for processing. All files that have not
been previously processed are downloaded. This option only applies to the FTP
and SFTP Service Types.

Change Local Directory? - Select this check box to define a local directory on
your JSA system for storing downloaded files during processing. We recommend
that you leave this check box clear. When this check box is selected, the
Local Directory field is displayed, which allows you to configure the local
directory to use for storing files.

Event Generator - From the Event Generator list box, select LineByLine. The
Event Generator applies additional processing to the retrieved event files.
Each line of the file is a single event. For example, if a file has 10 lines
of text, 10 separate events are created.

Step 10 Click Save.
Step 11 On the Admin tab, click Deploy Changes.

The log file protocol configuration for Blue Coat SG is complete.
Syslog Configuration

To allow syslog event collection, you must configure your Blue Coat appliance to
forward syslog events.

CAUTION
CAUTION: If your Blue Coat SG appliance is reporting events using syslog (rather
than a file transfer protocol) and the destination syslog server becomes
unavailable, it is possible that other syslog destinations can stop receiving data
until all syslog destinations are again available. This creates the potential for some
syslog data to not be sent at all. If you are sending to multiple syslog destinations,
a disruption in availability in one syslog destination might interrupt the stream of
events to other syslog destinations from your Blue Coat SG appliance.
Procedure
Step 1 Select Configuration > Access Logging > Logs > Upload Client.
Step 2 From the Log list box, select the log containing your custom format.
Step 3 From the Client type list box, select Custom Client.
Step 4 Click Settings.

Step 5 From the Settings For list box, select Primary Custom Server.
Step 6 Configure the following values:
a Host - Type the IP address for your JSA.
b Port - Type 514 as the syslog port for JSA.
Step 7 Click OK.
Step 8 Select the Upload Schedule tab.
Step 9 From the Upload the access log, select continuously.
Step 10 Click Apply.

You are now ready to configure a log source for Blue Coat SG events.
Configure a log source
To integrate Blue Coat SG with JSA using syslog, you must manually create a
log source to receive Blue Coat SG events.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Blue Coat SG Appliance.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 20-2 Syslog Protocol Parameters

Log Source Identifier - Type the IP address or host name for the log source as
an identifier for events from your Blue Coat SG appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The log source is added to JSA. Events forwarded to JSA by Blue Coat SG are
displayed on the Log Activity tab.


Creating Additional Custom Format Key-Value Pairs


The custom format allows you to forward specific Blue Coat data or events to JSA
using the Extended Log File Format (ELFF).
The custom format is a series of pipe-delimited fields starting with Bluecoat|
and containing $(Blue Coat ELFF Parameter) references. Custom format fields
for JSA must be separated by the pipe character.
For example:
Bluecoat|src=$(c-ip)|srcport=$(c-port)|dst=$(cs-uri-address)|dstport=$(cs-uri-port)|username=$(cs-username)|devicetime=$(gmttime)|s-action=$(s-action)|sc-status=$(sc-status)|cs-method=$(cs-method)
Table 20-3 JSA Custom Format Examples

Blue Coat ELFF Parameter    JSA Custom Format Example
sc-bytes                    $(sc-bytes)
rs(Content-Type)            $(rs(Content-Type))

For more information on the available Blue Coat ELFF parameters, see your Blue
Coat appliance documentation.
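The parser below is an added example and is not code from Blue Coat or from JSA. It reads event lines in the custom format configured in Step 6 of Creating a Custom Event Format, using the key names from that format string (this section's Bluecoat|key=$(parameter) layout) to decide where each field begins, and runs a simple per-user count of DENIED policy decisions over a few constructed sample lines. Assumptions: the appliance does not escape the pipe character, so a '|' inside cs-uri-query or cs-uri splits a field and the parser repairs it by gluing any segment whose left side is not a configured key back onto the previous value; the sample values (TCP_DENIED, OBSERVED and DENIED, the [dd/Mon/yyyy:hh:mm:ss GMT] form of gmttime) are illustrative, not captured output.

```python
from collections import Counter

# The custom format string from Step 6 of Creating a Custom Event Format, as
# one line; each $(...) is a Blue Coat ELFF parameter.
JSA_FORMAT = (
    "Bluecoat|src=$(c-ip)|srcport=$(c-port)|dst=$(cs-uri-address)"
    "|dstport=$(cs-uri-port)|username=$(cs-username)|devicetime=$(gmttime)"
    "|s-action=$(s-action)|sc-status=$(sc-status)|cs-method=$(cs-method)"
    "|time-taken=$(time-taken)|sc-bytes=$(sc-bytes)|cs-bytes=$(cs-bytes)"
    "|cs-uri-scheme=$(cs-uri-scheme)|cs-host=$(cs-host)|cs-uri-path=$(cs-uri-path)"
    "|cs-uri-query=$(cs-uri-query)|cs-uri-extension=$(cs-uri-extension)"
    "|cs-auth-group=$(cs-auth-group)|rs(Content-Type)=$(rs(Content-Type))"
    "|cs(User-Agent)=$(cs(User-Agent))|cs(Referer)=$(cs(Referer))"
    "|sc-filter-result=$(sc-filter-result)|filter-category=$(sc-filter-category)"
    "|cs-uri=$(cs-uri)"
)

# Constructed sample events (not real appliance output). The second line has a
# '|' inside the query string, which the appliance does not escape (assumption).
SAMPLE_LINES = [
    "Bluecoat|src=10.1.1.25|srcport=51234|dst=93.184.216.34|dstport=80|username=alice"
    "|devicetime=[27/Nov/2014:10:15:01 GMT]|s-action=TCP_NC_MISS|sc-status=200|cs-method=GET"
    "|time-taken=120|sc-bytes=5120|cs-bytes=430|cs-uri-scheme=http|cs-host=example.com"
    "|cs-uri-path=/index.html|cs-uri-query=-|cs-uri-extension=html|cs-auth-group=staff"
    "|rs(Content-Type)=text/html|cs(User-Agent)=Mozilla/5.0|cs(Referer)=-"
    "|sc-filter-result=OBSERVED|filter-category=Technology|cs-uri=http://example.com/index.html",
    "Bluecoat|src=10.1.1.40|srcport=51900|dst=203.0.113.7|dstport=80|username=bob"
    "|devicetime=[27/Nov/2014:10:16:44 GMT]|s-action=TCP_DENIED|sc-status=403|cs-method=GET"
    "|time-taken=3|sc-bytes=0|cs-bytes=512|cs-uri-scheme=http|cs-host=bad.example"
    "|cs-uri-path=/dl.php|cs-uri-query=?id=1|mode=x|cs-uri-extension=php|cs-auth-group=staff"
    "|rs(Content-Type)=-|cs(User-Agent)=curl/7.30|cs(Referer)=-"
    "|sc-filter-result=DENIED|filter-category=Malicious Sources|cs-uri=http://bad.example/dl.php?id=1|mode=x",
    "Bluecoat|src=10.1.1.40|srcport=51901|dst=203.0.113.7|dstport=443|username=bob"
    "|devicetime=[27/Nov/2014:10:16:50 GMT]|s-action=TCP_DENIED|sc-status=403|cs-method=CONNECT"
    "|time-taken=2|sc-bytes=0|cs-bytes=300|cs-uri-scheme=tcp|cs-host=bad.example"
    "|cs-uri-path=/|cs-uri-query=-|cs-uri-extension=-|cs-auth-group=staff"
    "|rs(Content-Type)=-|cs(User-Agent)=curl/7.30|cs(Referer)=-"
    "|sc-filter-result=DENIED|filter-category=Malicious Sources|cs-uri=bad.example:443",
]


def format_keys(fmt):
    """Return the key names (left of '=') from a 'Bluecoat|key=$(elff)|...' format string."""
    segments = fmt.split("|")
    if segments[0] != "Bluecoat":
        raise ValueError("custom format must start with 'Bluecoat|'")
    return [seg.split("=", 1)[0] for seg in segments[1:]]


KNOWN_KEYS = frozenset(format_keys(JSA_FORMAT))


def parse_event(line, known_keys=KNOWN_KEYS):
    """Parse one custom-format event line into a dict.

    Each segment is split only at its first '=', because cs-uri-query, cs-uri
    and cs(Referer) legitimately contain '='. A segment whose left side is not
    one of the configured keys is treated as the tail of a value that contained
    a '|' and is glued back onto the previous field. (A value whose own text
    happens to look like '<known key>=...' cannot be disambiguated this way.)
    """
    segments = line.rstrip("\r\n").split("|")
    if segments[0] != "Bluecoat":
        raise ValueError("not a JSA custom-format Blue Coat event")
    event = {}
    last_key = None
    for seg in segments[1:]:
        key, sep, value = seg.partition("=")
        if sep and key in known_keys:
            event[key] = value
            last_key = key
        elif last_key is not None:
            event[last_key] += "|" + seg
        else:
            raise ValueError("malformed event segment: %r" % seg)
    return event


def denied_requests_by_user(lines):
    """Count DENIED policy decisions per username: a minimal detection over parsed events."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev.get("sc-filter-result") == "DENIED":
            counts[ev.get("username", "-")] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_event(line)
        print(ev["username"], ev["s-action"], ev["sc-filter-result"], ev["cs-uri"])
    print(denied_requests_by_user(SAMPLE_LINES))
```

Deriving the key set from the format string is the point of the design: when you add ELFF key-value pairs to the format on the appliance, add them to JSA_FORMAT and the parser keeps tracking which segments are field boundaries. For the same reason, keep fields whose values can contain arbitrary user-controlled text (cs-uri-query, cs(Referer), cs(User-Agent)) towards the end of the format, as the format in Step 6 does.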

18

BRIDGEWATER

The Bridgewater Systems DSM for Juniper Secure Analytics (JSA) accepts events
using syslog.
Supported Event Types

JSA records all relevant events forwarded from Bridgewater AAA Service
Controller devices using syslog.

Configuring Syslog for Your Bridgewater Systems Device

You must configure your Bridgewater Systems appliance to send syslog events to
JSA.
Procedure

Step 1 Log in to your Bridgewater Systems device command-line interface (CLI).
Step 2 To log operational messages for the RADIUS and Diameter servers, open the
following file:
/etc/syslog.conf
Step 3 To log all operational messages, uncomment the following line:
local1.info	/WideSpan/logs/oplog
Step 4 To log error messages only, change the local1.info /WideSpan/logs/oplog
line to the following:
local1.err	/WideSpan/logs/oplog

NOTE

Note: RADIUS and Diameter system messages are stored in the
/var/adm/messages file.

Step 5 Add the following line:
local1.*	@<IP address>
Where <IP address> is the IP address of your JSA console. Separate the
selector from the action with a tab, as in the existing lines of the file.
Step 6 The RADIUS and Diameter server system messages are stored in the
/var/adm/messages file. Add the following line for the system messages:
<facility>.*	@<IP address>
Where:
<facility> is the facility used for logging to the /var/adm/messages file.
<IP address> is the IP address of your JSA console.
Step 7 Save and exit the file.
Step 8 Send a hang-up signal to the syslog daemon to make sure all changes are
enforced:
kill -HUP `cat /var/run/syslog.pid`

The configuration is complete. The log source is added to JSA as Bridgewater
Systems appliance events are automatically discovered. Events forwarded to JSA
by your Bridgewater Systems appliance are displayed on the Log Activity tab.
Configuring a Log Source

JSA automatically discovers and creates a log source for syslog events from a
Bridgewater Systems appliance. The following configuration steps are optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Bridgewater Systems AAA Service

Controller.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 21-1 Syslog Parameters

Log Source Identifier - Type the IP address or host name for the log source as
an identifier for events from your Bridgewater Systems appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

19

BROCADE FABRIC OS

Juniper Secure Analytics (JSA) can collect and categorize syslog system and audit
events from Brocade switches and appliances that run Fabric OS V7.x.
To collect syslog events, you must configure each switch or appliance to
forward its syslog events to JSA.
Events that you forward from Brocade switches are automatically discovered. A
log source is configured for each switch or appliance that forwards events to
JSA.

Configuring Syslog for Brocade Fabric OS Appliances

To collect events, you must configure syslog on your Brocade appliance to forward
events to JSA.
Procedure
To configure syslog for Brocade Fabric OS appliances:

Step 1 Log in to your appliance as an admin user.
Step 2 To configure an address to forward syslog events, type the following command:

syslogdipadd <IP address>

Where <IP address> is the IP address of the JSA console, Event Processor,
Event Collector, or all-in-one system.
Step 3 To verify the address, type the following command:

syslogdipshow

Result
As events are generated by the Brocade switch, they are forwarded to the syslog
destination you specified. The log source is automatically discovered after enough
events are forwarded by the Brocade appliance. It typically takes a minimum of 25
events to automatically discover a log source.
What to do next
Administrators can log in to the JSA console and verify that the log source is
created on the console and that the Log Activity tab displays events from the
Brocade appliance.

20

CA TECHNOLOGIES

This section provides information on the following DSMs:
• CA ACF2
• CA SiteMinder
• CA Top Secret

CA ACF2

Integrate CA ACF2 with JSA Using IBM Security zSecure

Juniper Secure Analytics (JSA) includes two options for integrating CA Access
Control Facility (ACF2) events:
•

Integrate CA ACF2 with JSA Using IBM Security zSecure

•

Integrate CA ACF2 with JSA Using Audit Scripts

The CA ACF2 DSM allows you to integrate LEEF events from an ACF2 image on
an IBM z/OS mainframe using IBM Security zSecure.
Using a zSecure process, events from the System Management Facilities (SMF)
are recorded to an event file in the Log Enhanced Event format (LEEF). JSA
retrieves the LEEF event log files using the log file protocol and processes the
events. You can schedule JSA to retrieve events on a polling interval, which allows
JSA to retrieve the events on the schedule you have defined.
To integrate CA ACF2 events:
1 Confirm your installation meets any prerequisite installation requirements.
2 Configure your CA ACF2 z/OS image to write events in LEEF format. For more
information, see the IBM Security zSecure Suite: CARLa-Driven Components
Installation and Deployment Guide.
3 Create a log source in JSA for CA ACF2 to retrieve your LEEF formatted event
logs.
4 Optional. Create a custom event property for CA ACF2 in JSA. For more
information, see the Custom Event Properties for IBM z/OS technical note.
Before You begin
Before you can configure the data collection process, you must complete the basic
zSecure installation process.


The following installation prerequisites are required:
•

You must ensure parmlib member IFAPRDxx is not disabled for IBM Security
zSecure Audit on your z/OS image.

•

The SCKRLOAD library must be APF-authorized.

•

You must configure a process to periodically refresh your CKFREEZE and
UNLOAD data sets.

•

You must configure an SFTP, FTP, or SCP server on your z/OS image for JSA
to download your LEEF event files.

•

You must allow SFTP, FTP, or SCP traffic on firewalls located between JSA and
your z/OS image.

After installing the software, you must also perform the post-installation activities to
create and modify the configuration. For instructions on installing and configuring
zSecure, see the IBM Security zSecure Suite: CARLa-Driven Components
Installation and Deployment Guide.
Create a log source for ACF2 in JSA
You can use the Log File protocol to retrieve archived log files containing events
from a remote host.
Log files are transferred, one at a time, to JSA for processing. The log file protocol
can manage plain text event logs, compressed files, or archives. Archives must
contain plain-text files that can be processed one line at a time. Multi-line event
logs are not supported by the log file protocol. IBM z/OS with zSecure writes log
files to a specified directory as gzip archives. JSA extracts the archive and
processes the events, which are written as one event per line in the file.
To retrieve these events, you must create a log source using the Log File protocol.
JSA requires credentials to log in to the system hosting your LEEF formatted event
files and a polling interval.
To configure a log source in JSA for CA ACF2:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for the log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select CA ACF2.
Step 9 From the Protocol Configuration list box, select Log File.


Step 10 Configure the following values:

Table 23-1 CA ACF2 Log File Parameters

Log Source Identifier - Type an IP address, host name, or name to identify the
event source. IP addresses or host names are recommended because they allow
JSA to associate a log file with a unique event source. For example, if your
network contains multiple devices, such as multiple z/OS images or a file
repository containing all of your event logs, specify the IP address or host
name of the device that uniquely identifies the log source. This allows events
to be identified at the device level in your network, instead of being
attributed to the file repository.

Service Type - From the list box, select the protocol you want to use when
retrieving log files from a remote server. The default is SFTP.
• SFTP - SSH File Transfer Protocol
• FTP - File Transfer Protocol
• SCP - Secure Copy
Note: The underlying protocol used to retrieve log files for the SCP and SFTP
service types requires that the server specified in the Remote IP or Hostname
field has the SFTP subsystem enabled. FTP sends the credentials and the log
data in clear text, so prefer SFTP or SCP where the z/OS image supports them.

Remote IP or Hostname - Type the IP address or host name of the device storing
your event log files.

Remote Port - Type the TCP port on the remote host that is running the
selected Service Type. The valid range is 1 to 65535. The defaults are:
• FTP - TCP port 21
• SFTP - TCP port 22
• SCP - TCP port 22
Note: If the host for your event files is using a non-standard port number for
FTP, SFTP, or SCP, you must adjust the port value accordingly.

Remote User - Type the user name necessary to log in to the host containing
your event files. The username can be up to 255 characters in length.

Remote Password - Type the password necessary to log in to the host.

Confirm Password - Confirm the password necessary to log in to the host.

SSH Key File - If you select SCP or SFTP as the Service Type, this parameter
allows you to define an SSH private key file. When you provide an SSH Key
File, the Remote Password field is ignored.

Remote Directory - Type the directory location on the remote host from which
the files are retrieved, relative to the user account you are using to log in.
Note: For FTP only. If your log files reside in the remote user's home
directory, you can leave the remote directory blank. This is to support
operating systems where the change working directory (CWD) command is
restricted.

Recursive - Select this check box if you want the file pattern to search
subfolders in the remote directory. By default, the check box is clear. The
Recursive option is ignored if you configure SCP as the Service Type.

FTP File Pattern - If you select SFTP or FTP as the Service Type, this option
allows you to configure the regular expression (regex) that filters the list
of files in the Remote Directory. All matching files are included in the
processing. An IBM z/OS mainframe using IBM Security zSecure Audit writes
event files whose names begin with ACF2 and end with .gz. The pattern must
match the names you assigned to your event files. For example, to collect
files starting with ACF2 and ending with .gz, type the following:
ACF2.*\.gz
Use of this parameter requires knowledge of regular expressions (regex). For
more information, see the following website:
http://download.oracle.com/javase/tutorial/essential/regex/

FTP Transfer Mode - This option only appears if you select FTP as the Service
Type. From the list box, select Binary. The binary transfer mode is required
for event files stored in a binary or compressed format, such as zip, gzip,
tar, or tar+gzip archive files.

SCP Remote File - If you select SCP as the Service Type, you must type the
file name of the remote file.

Start Time - Type the time of day you want the processing to begin. For
example, type 00:00 to schedule the Log File protocol to collect event files at
midnight. This parameter functions with the Recurrence value to establish when
and how often the Remote Directory is scanned for files. Type the start time,
based on a 24 hour clock, in the following format: HH:MM.

Recurrence - Type the frequency, beginning at the Start Time, with which you
want the remote directory to be scanned. Type this value in hours (H), minutes
(M), or days (D). For example, type 2H if you want the remote directory to be
scanned every 2 hours from the start time. The default is 1H.

Run On Save - Select this check box if you want the log file protocol to run
immediately after you click Save. After the Run On Save completes, the log file
protocol follows your configured start time and recurrence schedule. Selecting
Run On Save clears the list of previously processed files for the Ignore
Previously Processed File(s) parameter.

EPS Throttle - Type the number of Events Per Second (EPS) that you do not want
this protocol to exceed. The valid range is 100 to 5000.

Processor - From the list box, select gzip. Processors allow event file
archives to be expanded and their contents processed for events. Files are
only processed after they are downloaded to JSA. JSA can process files in zip,
gzip, tar, or tar+gzip archive format.

Ignore Previously Processed File(s) - Select this check box to track and ignore
files that have already been processed by the log file protocol. JSA examines
the log files in the remote directory to determine if a file has been
previously processed. If a previously processed file is detected, the log file
protocol does not download the file for processing. All files that have not
been previously processed are downloaded. This option only applies to the FTP
and SFTP Service Types.

Change Local Directory? - Select this check box to define a local directory on
your JSA for storing downloaded files during processing. We recommend that you
leave this check box clear. When this check box is selected, the Local
Directory field is displayed, which allows you to configure the local
directory to use for storing files.

Event Generator - From the Event Generator list box, select LineByLine. The
Event Generator applies additional processing to the retrieved event files.
Each line of the file is a single event. For example, if a file has 10 lines
of text, 10 separate events are created.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The CA ACF2 configuration is complete. If your configuration requires custom
event properties, see the Custom Event Properties for IBM z/OS technical note.
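The following is an added example (not JSA code) of how the FTP File Pattern described in Table 20-1 and Table 23-1 selects files from a remote directory listing, including the two mistakes that most often leave a log source silent: typing a shell glob such as *.log instead of the regex .*\.log, and a pattern that also matches half-written files. Assumptions: JSA applies the Java regular expression to the whole file name (Python's re.fullmatch is used as the equivalent here), and the directory listing is constructed for the example.

```python
import re

# Constructed directory listing, as the Log File protocol would see it on the
# remote host (not real data; entries with a '/' are in a subdirectory).
REMOTE_LISTING = [
    "ACF2.20141126.gz",
    "ACF2.20141127.gz",
    "ACF2.20141127.gz.tmp",      # still being written by the upload job
    "acf2.20141125.gz",          # wrong case: the pattern is case-sensitive
    "TSS.20141127.gz",           # another DSM's files in a shared directory
    "archive/ACF2.20141101.gz",  # only picked up when Recursive is selected
    "proxy.log",
    "proxy.log.1",               # rotated copy: '.*\\.log' does not match it
]


def pattern_error(pattern):
    r"""Return the compile error for an invalid regex, or None if it is valid.

    A shell glob such as '*.log' is not a regular expression and is rejected
    ('nothing to repeat'); the regex form is '.*\.log'.
    """
    try:
        re.compile(pattern)
    except re.error as exc:
        return str(exc)
    return None


def select_files(listing, pattern, recursive=False):
    r"""Return the entries a file pattern selects, in listing order.

    Assumption: the pattern is applied to the whole file name (Java
    Matcher.matches() semantics), so re.fullmatch is used rather than
    re.search. With re.search, 'ACF2.*\.gz' would also pick up the
    half-written ACF2.20141127.gz.tmp file. Entries in subdirectories are
    only considered when Recursive is enabled.
    """
    err = pattern_error(pattern)
    if err is not None:
        raise ValueError("invalid FTP File Pattern %r: %s" % (pattern, err))
    regex = re.compile(pattern)
    selected = []
    for entry in listing:
        directory, _, name = entry.rpartition("/")
        if directory and not recursive:
            continue
        if regex.fullmatch(name):
            selected.append(entry)
    return selected


if __name__ == "__main__":
    for pat in (r".*\.log", r"ACF2.*\.gz", "*.log"):
        err = pattern_error(pat)
        if err:
            print("%-12s invalid: %s" % (pat, err))
        else:
            print("%-12s -> %s" % (pat, select_files(REMOTE_LISTING, pat, recursive=True)))
```

Have the upload job on the z/OS side write to a temporary name and rename on completion, as in the constructed listing; a pattern anchored on the final .gz then never downloads a partial archive, which the gzip Processor would otherwise reject.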


Integrate CA ACF2 with JSA Using Audit Scripts

The CA Access Control Facility (ACF2) DSM allows you to use an IBM mainframe
to collect events and audit transactions with the log file protocol.
Configuration overview
QexACF2.load.trs is a TERSED file containing a PDS loadlib with the QEXACF2
program. A tersed file is similar to a zip file and requires you to use the TRSMAIN
program to uncompress the contents. The TRSMAIN program is available from
www.juniper.net/customers/support/.
To upload a TRS file from a workstation, you must pre-allocate a file with the
following DCB attributes: DSORG=PS, RECFM=FB, LRECL= 1024,
BLKSIZE=6144. The file transfer type must be BINARY APPEND. If the transfer
type is TEXT or TEXT APPEND, then the file cannot properly uncompress.
After you upload the file to the mainframe into the preallocated dataset the tersed
file can be UNPACKED using the TRSMAIN utility using the sample JCL also
included in the tar package. A return code of 0008 from the TRSMAIN utility
indicates the dataset is not recognized as a valid TERSED file. This error might be
the result of the file not being uploaded to a file with the correct DCB attributes or
due to the fact that the transfer was not performed using the BINARY APPEND
transfer mechanism.
After you have successfully UNPACKED the loadlib file, you can run the QEXACF2
program with the sample JCL file. The sample JCL file is contained in the tar
collection. To run the QEXACF2 program, you must modify the JCL to your local
naming conventions and JOB card requirements. You might also need to use the
STEPLIB DD if the program is not placed in a LINKLISTED library.
To integrate CA ACF2 events into JSA:
1 The IBM mainframe records all security events as System Management
Facilities (SMF) records in a live repository.
2 The CA ACF2 data is extracted from the live repository using the SMF dump
utility. The SMF file contains all of the events and fields from the previous
day in raw SMF format.
3 The QexACF2 program (delivered in QexACF2.load.trs) reads the SMF formatted
file, extracts only the events and fields relevant to JSA, and writes them in
a condensed format for compatibility. The output is saved in a location
accessible by JSA.
4 JSA uses the log file protocol to retrieve the output file on a scheduled
basis, then imports and processes it.
Configure CA ACF2 to integrate with JSA
JSA uses scripts to write audit events from CA ACF2 installations to a file,
which JSA then retrieves using the Log File protocol.


Procedure
Step 1 From the Juniper Networks support website
(http://www.juniper.net/customers/support/), download the following compressed
file:
qexacf2_bundled.tar.gz
Step 2 On a Linux-based operating system, extract the file:

tar -zxvf qexacf2_bundled.tar.gz

The following files are contained in the archive:
QexACF2.JCL.txt - Job Control Language file
QexACF2.load.trs - Compressed program library (requires IBM TRSMAIN)
trsmain sample JCL.txt - Job Control Language for TRSMAIN to decompress the
.trs file
Step 3 Load the files onto the IBM mainframe using the following methods:
a Upload the sample QexACF2_trsmain_JCL.txt and QexACF2.JCL.txt files using
the TEXT protocol.
b Upload the QexACF2.load.trs file using a BINARY mode transfer and append it
to a pre-allocated data set. The QexACF2.load.trs file is a tersed file
containing the executable (the mainframe program QexACF2). When you upload the
.trs file from a workstation, pre-allocate a file on the mainframe with the
following DCB attributes: DSORG=PS, RECFM=FB, LRECL=1024, BLKSIZE=6144. The
file transfer type must be binary mode and not text.

NOTE

Note: QexACF2 is a small C mainframe program that reads the extracted SMF data
line by line. QexACF2 adds a header to each record containing event
information, for example, record descriptor, the date, and time. The program
places each field into the output record, suppresses trailing blank
characters, and delimits each field with the pipe character. This output file
is formatted for JSA and the blank suppression reduces network traffic to JSA.
The program is lightweight in its use of CPU and disk I/O.

Step 4 Customize the trsmain sample_JCL.txt file according to your

installation-specific parameters.
For example, jobcard, data set naming conventions, output destinations, retention
periods, and space requirements.
The trsmain sample_JCL.txt file uses the IBM utility TRSMAIN to extract the
program stored in the QexACF2.load.trs file.
An example of the QexACF2_trsmain_JCL.txt file includes:
//TRSMAIN  JOB (yourvalidjobcard),'Q1 LABS',
//         MSGCLASS=V
//DEL      EXEC PGM=IEFBR14
//D1       DD DISP=(MOD,DELETE),DSN=<yourhlq>.QEXACF2.LOAD.TRS,
//         UNIT=SYSDA,
//         SPACE=(CYL,(10,10))
//TRSMAIN  EXEC PGM=TRSMAIN,PARM='UNPACK'
//SYSPRINT DD SYSOUT=*,DCB=(LRECL=133,BLKSIZE=12901,RECFM=FBA)
//INFILE   DD DISP=SHR,DSN=<yourhlq>.QEXACF2.LOAD.TRS
//OUTFILE  DD DISP=(NEW,CATLG,DELETE),
//         DSN=<yourhlq>.LOAD,
//         SPACE=(CYL,(10,10,5),RLSE),UNIT=SYSDA
//

Replace <yourhlq> with your site's high-level qualifier and the job card with
one valid for your installation.

The .trs input file is an IBM TERSE formatted library and is extracted by running
the JCL, which calls the TRSMAIN. This tersed file, when extracted, creates a PDS
linklib with the QexACF2 program as a member.
Step 5 You can STEPLIB to this library or choose to move the program to one of the
LINKLIBs that are in LINKLST. The program does not require authorization.
Step 6 After uploading, copy the program to an existing link listed library or add a
STEPLIB DD statement with the correct dataset name of the library that will
contain the program.
Step 7 The QexACF2_jcl.txt file is a text file containing a sample JCL. You must
configure the job card to meet your configuration.
The QexACF2_jcl.txt sample file includes:
//QEXACF2 JOB (T,JXPO,JKSD0093),DEV,NOTIFY=Q1JACK,
// MSGCLASS=P,
// REGION=0M
//*
//*QEXACF2 JCL VERSION 1.0 OCTOBER, 2010
//*
//************************************************************
//* Change below dataset names to sites specific datasets names*
//************************************************************
//SET1 SET SMFIN='MVS1.SMF.RECORDS(0)',
// QEXOUT='Q1JACK.QEXACF2.OUTPUT',
// SMFOUT='Q1JACK.ACF2.DATA'
//************************************************************
//* Delete old datasets *
//************************************************************
//DEL EXEC PGM=IEFBR14
//DD1 DD DISP=(MOD,DELETE),DSN=&SMFOUT,
// UNIT=SYSDA,
// SPACE=(CYL,(10,10)),
// DCB=(RECFM=FB,LRECL=80)
//DD2 DD DISP=(MOD,DELETE),DSN=&QEXOUT,
// UNIT=SYSDA,
// SPACE=(CYL,(10,10)),
// DCB=(RECFM=FB,LRECL=80)
//*************************************************************
//* Allocate new dataset *
//*************************************************************
//ALLOC EXEC PGM=IEFBR14
//DD1 DD DISP=(NEW,CATLG),DSN=&QEXOUT,
// SPACE=(CYL,(100,100)),
// DCB=(RECFM=VB,LRECL=1028,BLKSIZE=6144)
//*************************************************************
//* Execute ACFRPTPP (Report Preprocessor GRO) to extract ACF2*
//* SMF records *
//*************************************************************
//PRESCAN EXEC PGM=ACFRPTPP
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//RECMAN1 DD DISP=SHR,DSN=&SMFIN
//SMFFLT DD DSN=&SMFOUT,SPACE=(CYL,(100,100)),DISP=(,CATLG),
// DCB=(RECFM=FB,LRECL=8192,BLKSIZE=40960),
// UNIT=SYSALLDA
//************************************************************
//* execute QEXACF2 *
//************************************************************
//EXTRACT EXEC PGM=QEXACF2,DYNAMNBR=10,
// TIME=1440
//STEPLIB DD DISP=SHR,DSN=Q1JACK.C.LOAD
//SYSTSIN DD DUMMY
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//CFG DD DUMMY
//ACFIN DD DISP=SHR,DSN=&SMFOUT
//ACFOUT DD DISP=SHR,DSN=&QEXOUT
//************************************************************
//FTP EXEC PGM=FTP,REGION=3800K
//INPUT DD *



PUT '' EARL_/
QUIT
//OUTPUT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//*
Step 8 After the output file is created, you must choose one of the following options:
a Schedule a job to transfer the output file to an interim FTP server.
Each time the job completes, the output file is forwarded to an interim FTP
server. You must configure the following parameters in the sample JCL to
successfully forward the output to an interim FTP server. For example:
//FTP EXEC PGM=FTP,REGION=3800K
//INPUT DD *



PUT '' EARL_/
QUIT
//OUTPUT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*

Where:
 is the IP address or host name of the interim FTP server to receive the
output file.
 is the user name required to access the interim FTP server.
 is the password required to access the interim FTP server.
 is the destination of the mainframe or interim FTP server receiving the
output. For example:
PUT 'Q1JACK.QEXACF2.OUTPUT.C320' /192.168.1.101/ACF2/QEXACF2.OUTPUT.C320
 is the name of the output file saved to the interim FTP server.

You are now ready to create a log source in JSA. For more information, see
Create a log source.
b Schedule JSA to retrieve the output file from CA ACF2.
If the z/OS platform is configured to serve files through FTP, SFTP, or allow SCP,
then no interim FTP server is required and JSA can pull the output file directly
from the mainframe. The following text must be commented out using //* or
deleted from the QexACF2_jcl.txt file:
//FTP EXEC PGM=FTP,REGION=3800K
//INPUT DD *



PUT '' EARL_/
QUIT
//OUTPUT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*

You are now ready to configure a log source in JSA.
Create a log source
A log file protocol source allows JSA to retrieve archived log files from a remote
host.
The CA ACF2 DSM supports the bulk loading of log files using the log file protocol
source. When configuring your CA ACF2 DSM to use the log file protocol, make
sure the hostname or IP address configured in the CA ACF2 is the same as
configured in the Remote Host parameter in the Log File protocol configuration.

To configure a log source in JSA for CA ACF2:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.
Step 4 Click the Log Sources icon.

The Log Sources window is displayed.
Step 5 Click Add.

The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for the log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select CA ACF2.
Step 9 From the Protocol Configuration list box, select Log File.
Step 10 Configure the following values:

Table 23-2 CA ACF2 Log File Parameters

Parameter   Description

Log Source Identifier
  Type an IP address, host name, or name to identify the event source. IP
  addresses or host names are recommended as they allow JSA to identify a log
  file to a unique event source. For example, if your network contains multiple
  devices, such as multiple z/OS images or a file repository containing all of
  your event logs, you should specify the IP address or host name of the device
  that uniquely identifies the log source. This allows events to be identified
  at the device level in your network, instead of identifying the event for the
  file repository.

Service Type
  From the list box, select the protocol you want to use when retrieving log
  files from a remote server. The default is SFTP.
  • SFTP - SSH File Transfer Protocol
  • FTP - File Transfer Protocol
  • SCP - Secure Copy
  Note: The underlying protocol used to retrieve log files for the SCP and SFTP
  service types requires that the server specified in the Remote IP or Hostname
  field has the SFTP subsystem enabled.

Remote IP or Hostname
  Type the IP address or host name of the device storing your event log files.

Remote Port
  Type the TCP port on the remote host that is running the selected Service
  Type. The valid range is 1 to 65535. The options include:
  • FTP - TCP Port 21
  • SFTP - TCP Port 22
  • SCP - TCP Port 22
  Note: If the host for your event files is using a non-standard port number
  for FTP, SFTP, or SCP, you must adjust the port value accordingly.

Remote User
  Type the user name necessary to log in to the host containing your event
  files. The user name can be up to 255 characters in length.

Remote Password
  Type the password necessary to log in to the host.

Confirm Password
  Confirm the password necessary to log in to the host.

SSH Key File
  If you select SCP or SFTP as the Service Type, this parameter allows you to
  define an SSH private key file. When you provide an SSH Key File, the Remote
  Password field is ignored.

Remote Directory
  Type the directory location on the remote host from which the files are
  retrieved, relative to the user account you are using to log in.
  Note: For FTP only. If your log files reside in the remote user's home
  directory, you can leave the remote directory blank. This is to support
  operating systems where the change working directory (CWD) command is
  restricted.

Recursive
  Select this check box if you want the file pattern to search sub folders in
  the remote directory. By default, the check box is clear. The Recursive
  option is ignored if you configure SCP as the Service Type.

FTP File Pattern
  If you select SFTP or FTP as the Service Type, this option allows you to
  configure the regular expression (regex) required to filter the list of files
  specified in the Remote Directory. All matching files are included in the
  processing. An IBM z/OS mainframe using IBM Security zSecure Audit writes
  event files using the pattern zOS..gz
  The FTP file pattern you specify must match the name you assigned to your
  event files. For example, to collect files starting with zOS and ending with
  .gz, type the following: ACF2.*\.gz
  Use of this parameter requires knowledge of regular expressions (regex). For
  more information, see the following website:
  http://download.oracle.com/javase/tutorial/essential/regex/

FTP Transfer Mode
  This option only displays if you select FTP as the Service Type. From the
  list box, select Binary. The binary transfer mode is required for event files
  stored in a binary or compressed format, such as zip, gzip, tar, or tar+gzip
  archive files.

SCP Remote File
  If you select SCP as the Service Type, you must type the file name of the
  remote file.

Start Time
  Type the time of day you want the processing to begin. For example, type
  00:00 to schedule the Log File protocol to collect event files at midnight.
  This parameter functions with the Recurrence value to establish when and how
  often the Remote Directory is scanned for files. Type the start time, based
  on a 24 hour clock, in the following format: HH:MM.

Recurrence
  Type the frequency, beginning at the Start Time, that you want the remote
  directory to be scanned. Type this value in hours (H), minutes (M), or days
  (D). For example, type 2H if you want the remote directory to be scanned
  every 2 hours from the start time. The default is 1H.

Run On Save
  Select this check box if you want the log file protocol to run immediately
  after you click Save. After the Run On Save completes, the log file protocol
  follows your configured start time and recurrence schedule. Selecting Run On
  Save clears the list of previously processed files for the Ignore Previously
  Processed File parameter.

EPS Throttle
  Type the number of Events Per Second (EPS) that you do not want this protocol
  to exceed. The valid range is 100 to 5000.

Processor
  From the list box, select gzip. Processors allow event file archives to be
  expanded and their contents processed for events. Files are only processed
  after they are downloaded to JSA. JSA can process files in zip, gzip, tar, or
  tar+gzip archive format.

Ignore Previously Processed File(s)
  Select this check box to track and ignore files that have already been
  processed by the log file protocol. JSA examines the log files in the remote
  directory to determine if a file has been previously processed by the log
  file protocol. If a previously processed file is detected, the log file
  protocol does not download the file for processing. All files that have not
  been previously processed are downloaded. This option only applies to FTP and
  SFTP Service Types.

Change Local Directory?
  Select this check box to define a local directory on your JSA for storing
  downloaded files during processing. We recommend that you leave this check
  box clear. When this check box is selected, the Local Directory field is
  displayed, which allows you to configure the local directory to use for
  storing files.

Event Generator
  From the Event Generator list box, select LineByLine. The Event Generator
  applies additional processing to the retrieved event files. Each line of the
  file is a single event. For example, if a file has 10 lines of text, 10
  separate events are created.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The CA ACF2 configuration is complete. If your configuration requires custom
event properties, see the Custom Event Properties for IBM z/OS technical note.

CA SiteMinder

The CA SiteMinder DSM collects and categorizes authorization events from CA
SiteMinder appliances using syslog-ng.

Supported Event Types

The CA SiteMinder DSM accepts access and authorization events logged in
smaccess.log and forwards the events to JSA using syslog-ng.

Configure a Log Source

CA SiteMinder with JSA does not automatically discover authorization events
forwarded using syslog-ng from CA SiteMinder appliances.
To manually create a CA SiteMinder log source:

Step 1 Click the Admin tab.

Step 2 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.
Step 3 Click the Log Sources icon.

The Log Sources window is displayed.
Step 4 In the Log Source Name field, type a name for your CA SiteMinder log source.
Step 5 In the Log Source Description field, type a description for the log source.
Step 6 From the Log Source Type list box, select CA SiteMinder.
Step 7 From the Protocol Configuration list box, select Syslog.

The syslog protocol parameters are displayed.

Note: The Log File protocol is displayed in the Protocol Configuration list box,
however, polling for log files is not a recommended configuration method.

Step 8 Configure the following values:

Table 23-3 Adding a Syslog Log Source

Parameter   Description

Log Source Identifier
  Type the IP address or hostname for your CA SiteMinder appliance.

Enabled
  Select this check box to enable the log source. By default, this check box
  is selected.

Credibility
  From the list box, select the credibility of the log source. The range is 0
  to 10. The credibility indicates the integrity of an event or offense as
  determined by the credibility rating from the source device. Credibility
  increases if multiple sources report the same event. The default is 5.

Target Event Collector
  From the list box, select the Event Collector to use as the target for the
  log source.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events.
  Automatically discovered log sources use the default value configured in the
  Coalescing Events list box in the System Settings window, which is
  accessible on the Admin tab. However, when you create a new log source or
  update the configuration for an automatically discovered log source, you can
  override the default value by configuring this check box for each log
  source. For more information on Settings, see the Juniper Secure Analytics
  Administration Guide.

Store Event Payload
  Select this check box to enable or disable JSA from storing the event
  payload. Automatically discovered log sources use the default value from the
  Store Event Payload list box in the System Settings window, which is
  accessible on the Admin tab. However, when you create a new log source or
  update the configuration for an automatically discovered log source, you can
  override the default value by configuring this check box for each log
  source. For more information on Settings, see the Juniper Secure Analytics
  Administration Guide.

Step 9 Click Save.

The Admin tab toolbar detects log source changes and displays a message to
indicate when you need to deploy a change.
Step 10 On the Admin tab, click Deploy Changes.

You are now ready to configure syslog-ng on your CA SiteMinder appliance to
forward events to JSA.
Configure Syslog-ng for CA SiteMinder

You must configure your CA SiteMinder appliance to forward syslog-ng events to
your JSA console or Event Collector.
JSA can collect syslog-ng events from TCP or UDP syslog sources on port 514.
To configure syslog-ng for CA SiteMinder:

Step 1 Using SSH, log in to your CA SiteMinder appliance as a root user.
Step 2 Edit the syslog-ng configuration file.

/etc/syslog-ng.conf
Step 3 Add the following information to specify the access log as the event file for

syslog-ng:
source s_siteminder_access {
file("/opt/apps/siteminder/sm66/siteminder/log/smaccess.log");
};
Step 4 Add the following information to specify the destination and message template:

destination d_remote_q1_siteminder {
udp("" port(514) template ("$PROGRAM $MSG\n"));
};

Where  is the IP address of the JSA console or Event Collector.

Step 5 Add the following log entry information:

log {
source(s_siteminder_access);
destination(d_remote_q1_siteminder);
};
Step 6 Save the syslog-ng.conf file.
Step 7 Type the following command to restart syslog-ng:

service syslog-ng restart

After the syslog-ng service restarts, the CA SiteMinder configuration is complete.
Events forwarded to JSA by CA SiteMinder are displayed on the Log Activity tab.

CA Top Secret

Integrate CA Top Secret with JSA using IBM Security zSecure

JSA includes two options for integrating CA Top Secret events:
• Integrate CA Top Secret with JSA using IBM Security zSecure
• Integrate CA Top Secret with JSA Using Audit Scripts

The CA Top Secret DSM allows you to integrate LEEF events from a Top Secret
image on an IBM z/OS mainframe using IBM Security zSecure.
Using a zSecure process, events from the System Management Facilities (SMF)
are recorded to an event file in the Log Enhanced Event format (LEEF). JSA
retrieves the LEEF event log files using the log file protocol and processes the
events. You can schedule JSA to retrieve events on a polling interval, which allows
JSA to retrieve the events on the schedule you have defined.
To integrate CA Top Secret events:
1 Confirm your installation meets any prerequisite installation requirements.
2 Configure your CA Top Secret z/OS image to write events in LEEF format. For
more information, see the IBM Security zSecure Suite: CARLa-Driven
Components Installation and Deployment Guide.
3 Create a log source in JSA for CA Top Secret to retrieve your LEEF formatted
event logs.
4 Optional. Create a custom event property for CA Top Secret in JSA. For more
information, see the Custom Event Properties for IBM z/OS technical note.
Before you begin
Before you can configure the data collection process, you must complete the basic
zSecure installation process.
The following prerequisites are required:
• You must ensure parmlib member IFAPRDxx is not disabled for IBM Security
zSecure Audit on your z/OS image.
• The SCKRLOAD library must be APF-authorized.
• You must configure a process to periodically refresh your CKFREEZE and
UNLOAD data sets.
• You must configure an SFTP, FTP, or SCP server on your z/OS image for JSA
to download your LEEF event files.
• You must allow SFTP, FTP, or SCP traffic on firewalls located between JSA and
your z/OS image.

After installing the software, you must also perform the post-installation activities to
create and modify the configuration. For instructions on installing and configuring
zSecure, see the IBM Security zSecure Suite: CARLa-Driven Components
Installation and Deployment Guide.
Create a log source
The Log File protocol allows JSA to retrieve archived log files from a remote host.
Log files are transferred, one at a time, to JSA for processing. The log file protocol
can manage plain text event logs, compressed files, or archives. Archives must
contain plain-text files that can be processed one line at a time. Multi-line event
logs are not supported by the log file protocol. IBM z/OS with zSecure writes log
files to a specified directory as gzip archives. JSA extracts the archive and
processes the events, which are written as one event per line in the file.
To retrieve these events, you must create a log source using the Log File protocol.
JSA requires credentials to log in to the system hosting your LEEF formatted event
files and a polling interval.
To configure a log source in JSA for CA Top Secret:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.
Step 4 Click the Log Sources icon.

The Log Sources window is displayed.
Step 5 Click Add.

The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for the log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select CA Top Secret.
Step 9 From the Protocol Configuration list box, select Log File.

Step 10 Configure the following values:

Table 23-4 CA Top Secret Log File Parameters

Parameter   Description

Log Source Identifier
  Type an IP address, host name, or name to identify the event source. IP
  addresses or host names are recommended as they allow JSA to identify a log
  file to a unique event source. For example, if your network contains multiple
  devices, such as multiple z/OS images or a file repository containing all of
  your event logs, you should specify the IP address or host name of the device
  that uniquely identifies the log source. This allows events to be identified
  at the device level in your network, instead of identifying the event for the
  file repository.

Service Type
  From the list box, select the protocol you want to use when retrieving log
  files from a remote server. The default is SFTP.
  • SFTP - SSH File Transfer Protocol
  • FTP - File Transfer Protocol
  • SCP - Secure Copy
  Note: The underlying protocol used to retrieve log files for the SCP and SFTP
  service types requires that the server specified in the Remote IP or Hostname
  field has the SFTP subsystem enabled.

Remote IP or Hostname
  Type the IP address or host name of the device storing your event log files.

Remote Port
  Type the TCP port on the remote host that is running the selected Service
  Type. The valid range is 1 to 65535. The options include:
  • FTP - TCP Port 21
  • SFTP - TCP Port 22
  • SCP - TCP Port 22
  Note: If the host for your event files is using a non-standard port number
  for FTP, SFTP, or SCP, you must adjust the port value accordingly.

Remote User
  Type the user name necessary to log in to the host containing your event
  files. The user name can be up to 255 characters in length.

Remote Password
  Type the password necessary to log in to the host.

Confirm Password
  Confirm the password necessary to log in to the host.

SSH Key File
  If you select SCP or SFTP as the Service Type, this parameter allows you to
  define an SSH private key file. When you provide an SSH Key File, the Remote
  Password field is ignored.

Remote Directory
  Type the directory location on the remote host from which the files are
  retrieved, relative to the user account you are using to log in.
  Note: For FTP only. If your log files reside in the remote user's home
  directory, you can leave the remote directory blank. This is to support
  operating systems where the change working directory (CWD) command is
  restricted.

Recursive
  Select this check box if you want the file pattern to search sub folders in
  the remote directory. By default, the check box is clear. The Recursive
  option is ignored if you configure SCP as the Service Type.

FTP File Pattern
  If you select SFTP or FTP as the Service Type, this option allows you to
  configure the regular expression (regex) required to filter the list of files
  specified in the Remote Directory. All matching files are included in the
  processing. An IBM z/OS mainframe using IBM Security zSecure Audit writes
  event files using the pattern TSS..gz
  The FTP file pattern you specify must match the name you assigned to your
  event files. For example, to collect files starting with TSS and ending with
  .gz, type the following: TSS.*\.gz
  Use of this parameter requires knowledge of regular expressions (regex). For
  more information, see the following website:
  http://download.oracle.com/javase/tutorial/essential/regex/

FTP Transfer Mode
  This option only displays if you select FTP as the Service Type. From the
  list box, select Binary. The binary transfer mode is required for event files
  stored in a binary or compressed format, such as zip, gzip, tar, or tar+gzip
  archive files.

SCP Remote File
  If you select SCP as the Service Type, you must type the file name of the
  remote file.

Start Time
  Type the time of day you want the processing to begin. For example, type
  00:00 to schedule the Log File protocol to collect event files at midnight.
  This parameter functions with the Recurrence value to establish when and how
  often the Remote Directory is scanned for files. Type the start time, based
  on a 24 hour clock, in the following format: HH:MM.

Recurrence
  Type the frequency, beginning at the Start Time, that you want the remote
  directory to be scanned. Type this value in hours (H), minutes (M), or days
  (D). For example, type 2H if you want the remote directory to be scanned
  every 2 hours from the start time. The default is 1H.

Run On Save
  Select this check box if you want the log file protocol to run immediately
  after you click Save. After the Run On Save completes, the log file protocol
  follows your configured start time and recurrence schedule. Selecting Run On
  Save clears the list of previously processed files for the Ignore Previously
  Processed File parameter.

EPS Throttle
  Type the number of Events Per Second (EPS) that you do not want this protocol
  to exceed. The valid range is 100 to 5000.

Processor
  From the list box, select gzip. Processors allow event file archives to be
  expanded and their contents processed for events. Files are only processed
  after they are downloaded to JSA. JSA can process files in zip, gzip, tar, or
  tar+gzip archive format.

Ignore Previously Processed File(s)
  Select this check box to track and ignore files that have already been
  processed by the log file protocol. JSA examines the log files in the remote
  directory to determine if a file has been previously processed by the log
  file protocol. If a previously processed file is detected, the log file
  protocol does not download the file for processing. All files that have not
  been previously processed are downloaded. This option only applies to FTP and
  SFTP Service Types.

Change Local Directory?
  Select this check box to define a local directory on your JSA for storing
  downloaded files during processing. We recommend that you leave this check
  box clear. When this check box is selected, the Local Directory field is
  displayed, which allows you to configure the local directory to use for
  storing files.

Event Generator
  From the Event Generator list box, select LineByLine. The Event Generator
  applies additional processing to the retrieved event files. Each line of the
  file is a single event. For example, if a file has 10 lines of text, 10
  separate events are created.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The CA Top Secret configuration is complete. If your configuration requires custom
event properties, see the Custom Event Properties for IBM z/OS technical note.
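Tables 23-2 and 23-4 describe the same Log File protocol parameters for the CA ACF2 and CA Top Secret log sources. The following Python model is an added example, not code from this guide or from JSA: it applies an FTP File Pattern to a constructed directory listing, honours the Recursive and Ignore Previously Processed File(s) settings, turns Start Time and Recurrence into poll times, and checks the ranges the tables state. The listing, the two parameter sets, the full-match rule for the pattern and the poll-time grid are assumptions of the example, not documented JSA behaviour.

```python
"""Added example (not JSA code): a model of the Log File protocol parameters
in Tables 23-2 and 23-4. Assumption: the FTP File Pattern is applied as a
full match of the file name (as Java's String.matches does); the guide does
not state the matching rule."""
import re
from datetime import datetime, timedelta

# Constructed listing of the Remote Directory on the z/OS host. Paths are
# relative to Remote Directory; entries containing "/" live in a sub folder.
REMOTE_LISTING = [
    "ACF2.20141127.gz",
    "ACF2.20141126.gz",
    "TSS.20141127.gz",
    "zOS.20141127.gz",         # zSecure output; does not match ACF2.*\.gz
    "ACF2.20141127.gz.tmp",    # still being written; must not be collected
    "archive/ACF2.20141101.gz",
]

RECURRENCE_UNITS = {"M": 60, "H": 3600, "D": 86400}


def select_files(listing, file_pattern, recursive=False, processed=()):
    """Return the entries one FTP/SFTP poll would download.

    file_pattern: the FTP File Pattern regex (the tables' ACF2 or TSS pattern)
    recursive:    the Recursive check box; sub folders are skipped when clear
    processed:    names already seen, i.e. Ignore Previously Processed File(s)
    """
    regex = re.compile(file_pattern)
    chosen = []
    for entry in listing:
        if "/" in entry and not recursive:
            continue
        name = entry.rsplit("/", 1)[-1]
        # fullmatch: a search-style match would also accept the .gz.tmp file,
        # because ".gz" occurs in the middle of its name.
        if regex.fullmatch(name) is None:
            continue
        if entry in processed:
            continue
        chosen.append(entry)
    return chosen


def recurrence_seconds(value):
    """Convert a Recurrence value such as 2H, 30M or 1D into seconds."""
    m = re.fullmatch(r"(\d+)([HMD])", value.strip().upper())
    if m is None:
        raise ValueError(f"Recurrence must be <n>H, <n>M or <n>D, got {value!r}")
    return int(m.group(1)) * RECURRENCE_UNITS[m.group(2)]


def next_polls(start_time, recurrence, now_iso, count=3):
    """List the next `count` poll times ('YYYY-MM-DD HH:MM') strictly after
    now_iso, on a grid anchored at today's Start Time (HH:MM, 24 hour clock)
    and spaced by Recurrence. The grid is this example's model of the schedule."""
    hour, minute = (int(x) for x in start_time.split(":"))
    now = datetime.fromisoformat(now_iso)
    step = timedelta(seconds=recurrence_seconds(recurrence))
    t = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
    while t <= now:
        t += step
    return [(t + i * step).strftime("%Y-%m-%d %H:%M") for i in range(count)]


def check_parameters(p):
    """Return the problems in a parameter dict, using the rules the tables
    state: port 1 to 65535, EPS 100 to 5000, Binary transfer mode for FTP,
    SCP Remote File for SCP, HH:MM Start Time, and a valid Recurrence."""
    problems = []
    if not 1 <= p.get("Remote Port", 0) <= 65535:
        problems.append("Remote Port must be 1 to 65535")
    if not 100 <= p.get("EPS Throttle", 0) <= 5000:
        problems.append("EPS Throttle must be 100 to 5000")
    if p.get("Service Type") == "FTP" and p.get("FTP Transfer Mode") != "Binary":
        problems.append("FTP Transfer Mode must be Binary for gzip event files")
    if p.get("Service Type") == "SCP" and not p.get("SCP Remote File"):
        problems.append("SCP Remote File is required for the SCP Service Type")
    if re.fullmatch(r"([01]\d|2[0-3]):[0-5]\d", p.get("Start Time", "")) is None:
        problems.append("Start Time must be HH:MM on a 24 hour clock")
    try:
        recurrence_seconds(p.get("Recurrence", ""))
    except ValueError as exc:
        problems.append(str(exc))
    return problems


# Constructed parameter sets: one as the tables recommend, one with four faults.
GOOD_PARAMETERS = {"Service Type": "SFTP", "Remote Port": 22, "Remote User": "jsa",
                   "FTP File Pattern": r"TSS.*\.gz", "Start Time": "00:00",
                   "Recurrence": "1H", "EPS Throttle": 1000}
BAD_PARAMETERS = {"Service Type": "FTP", "Remote Port": 21, "Remote User": "jsa",
                  "FTP Transfer Mode": "ASCII", "Start Time": "24:00",
                  "Recurrence": "2X", "EPS Throttle": 50}
```

Running select_files(REMOTE_LISTING, r"ACF2.*\.gz") on the constructed listing returns only the two complete ACF2 archives in the top-level directory; the same call with recursive=True also picks up the file under archive/.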

Integrate CA Top Secret with JSA Using Audit Scripts

The CA Top Secret DSM allows you to integrate with an IBM zOS mainframe to
collect events and audit transactions.
JSA records all relevant and available information from the event.
To integrate CA Top Secret events into JSA:
1 The IBM mainframe records all security events as Service Management
Framework (SMF) records in a live repository.
2 At midnight, the CA Top Secret data is extracted from the live repository using the
SMF dump utility. The SMF file contains all of the events and fields from the
previous day in raw SMF format.
3 The qextopsloadlib program pulls data from the SMF formatted file. The
qextopsloadlib program only pulls the relevant events and fields for JSA and
writes that information in a condensed format for compatibility. The information is
saved in a location accessible by JSA.
4 JSA uses the log file protocol source to retrieve the output file information on a
scheduled basis. JSA then imports and processes this file.
Configure CA Top Secret to integrate with JSA
To integrate CA Top Secret with JSA:
Step 1 From the Juniper Networks support website
(http://www.juniper.net/customers/support/), download the following compressed
file:
qextops_bundled.tar.gz
Step 2 On a Linux-based operating system, extract the file:

tar -zxvf qextops_bundled.tar.gz

The following files are contained in the archive:
qextops_jcl.txt
qextopsloadlib.trs
qextops_trsmain_JCL.txt
Step 3 Load the files onto the IBM mainframe using any terminal emulator file
transfer method.
a Upload the sample qextops_trsmain_JCL.txt and qextops_jcl.txt files using
the TEXT protocol.
b Upload the qextopsloadlib.trs file using a BINARY mode transfer. The
qextopsloadlib.trs file is a tersed file containing the executable (the
mainframe program qextops). When you upload the .trs file from a workstation,
pre-allocate a file on the mainframe with the following DCB attributes:
DSORG=PS, RECFM=FB, LRECL=1024, BLKSIZE=6144. The file transfer
type must be binary mode and not text.

Note: Qextops is a small C mainframe program that reads the output of the
TSSUTIL (EARLOUT data) line by line. Qextops adds a header to each record
containing event information, for example, record descriptor, the date, and time.
The program places each field into the output record, suppresses trailing blank
characters, and delimits each field with the pipe character. This output file is
formatted for JSA and the blank suppression reduces network traffic to JSA. This
program does not consume CPU or I/O disk resources.

Step 4 Customize the qextops_trsmain_JCL.txt file according to your
installation-specific requirements.
The qextops_trsmain_JCL.txt file uses the IBM utility TRSMAIN to extract the
program stored in the qextopsloadlib.trs file.
An example of the qextops_trsmain_JCL.txt file includes:
//TRSMAIN  JOB (yourvalidjobcard),Q1 labs,
//         MSGCLASS=V
//DEL      EXEC PGM=IEFBR14
//D1       DD DISP=(MOD,DELETE),DSN=.QEXTOPS.TRS
//         UNIT=SYSDA,
//         SPACE=(CYL,(10,10))
//TRSMAIN  EXEC PGM=TRSMAIN,PARM='UNPACK'
//SYSPRINT DD SYSOUT=*,DCB=(LRECL=133,BLKSIZE=12901,RECFM=FBA)
//INFILE   DD DISP=SHR,DSN=.QEXTOPS.TRS
//OUTFILE  DD DISP=(NEW,CATLG,DELETE),
//         DSN=.LOAD,
//         SPACE=(CYL,(10,10,5),RLSE),UNIT=SYSDA
//

You must update the file with your installation specific information for parameters,
for example, jobcard, data set naming conventions, output destinations, retention
periods, and space requirements.
The .trs input file is an IBM TERSE formatted library and is extracted by running
the JCL, which calls the TRSMAIN. This tersed file, when extracted, creates a PDS
linklib with the qextops program as a member.
Step 5 You can STEPLIB to this library or choose to move the program to one of the
LINKLIBs that are in the LINKLST. The program does not require authorization.
Step 6 After uploading, copy the program to an existing link listed library or add a
STEPLIB DD statement with the correct dataset name of the library that will
contain the program.
Step 7 The qextops_jcl.txt file is a text file containing a sample JCL. You must
configure the job card to meet your configuration.
The qextops_jcl.txt sample file includes:
//QEXTOPS JOB (T,JXPO,JKSD0093),DEV,NOTIFY=Q1JACK,
// MSGCLASS=P,
// REGION=0M
//*
//*QEXTOPS JCL version 1.0 September, 2010
//*
//*************************************************************
//* Change below dataset names to sites specific datasets names*
//************************************************************
//SET1 SET TSSOUT='Q1JACK.EARLOUT.ALL',
// EARLOUT='Q1JACK.QEXTOPS.PROGRAM.OUTPUT'
//************************************************************
//* Delete old datasets *
//************************************************************
//DEL EXEC PGM=IEFBR14
//DD1 DD DISP=(MOD,DELETE),DSN=&TSSOUT,
// UNIT=SYSDA,
// SPACE=(CYL,(10,10)),
// DCB=(RECFM=FB,LRECL=80)
//DD2 DD DISP=(MOD,DELETE),DSN=&EARLOUT,
// UNIT=SYSDA,
// SPACE=(CYL,(10,10)),
// DCB=(RECFM=FB,LRECL=80)
//************************************************************
//* Allocate new dataset *
//************************************************************
//ALLOC EXEC PGM=IEFBR14
//DD1 DD DISP=(NEW,CATLG),DSN=&EARLOUT,
// SPACE=(CYL,(100,100)),
// DCB=(RECFM=VB,LRECL=1028,BLKSIZE=6144)
//************************************************************
//* Execute Top Secret TSSUTIL utility to extract smf records*
//************************************************************
//REPORT EXEC PGM=TSSUTIL
//SMFIN DD DISP=SHR,DSN=&SMFIN1
//SMFIN1 DD DISP=SHR,DSN=&SMFIN2
//UTILOUT DD DSN=&UTILOUT,
// DISP=(,CATLG),UNIT=SYSDA,SPACE=(CYL,(50,10),RLSE),
// DCB=(RECFM=FB,LRECL=133,BLKSIZE=0)
//EARLOUT DD DSN=&TSSOUT,
// DISP=(NEW,CATLG),UNIT=SYSDA,
// SPACE=(CYL,(200,100),RLSE),
// DCB=(RECFM=VB,LRECL=456,BLKSIZE=27816)
//UTILIN DD *
NOLEGEND
REPORT EVENT(ALL) END
/*
//************************************************************
//EXTRACT EXEC PGM=QEXTOPS,DYNAMNBR=10,
// TIME=1440
//STEPLIB DD DISP=SHR,DSN=Q1JACK.C.LOAD
//SYSTSIN DD DUMMY
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*

Configuring DSMs

CA Top Secret

129

//CFG
DD DUMMY
//EARLIN
DD DISP=SHR,DSN=&TSSOUT
//EARLOUT
DD DISP=SHR,DSN=&EARLOUT
//************************************************************
//FTP EXEC PGM=FTP,REGION=3800K
//INPUT DD *



PUT '' EARL_/
QUIT
//OUTPUT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
Step 8 After the output file is created, you must choose one of the following options:
a Schedule a job to transfer the output file to an interim FTP server.
Each time the job completes, the output file is forwarded to an interim FTP
server. You must configure the following parameters in the sample JCL to
successfully forward the output to an interim FTP server:
For example:
//FTP EXEC PGM=FTP,REGION=3800K
//INPUT DD *



PUT '' EARL_/
QUIT
//OUTPUT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*

Where:
 is the IP address or host name of the interim FTP server to receive
the output file.
 is the user name required to access the interim FTP server.
 is the password required to access the interim FTP server.
 is the destination of the mainframe or
interim FTP server receiving the output.

For example:
PUT 'Q1JACK.QEXTOPS.OUTPUT.C320' /192.168.1.101/CA/QEXTOPS.OUTPUT.C320
 is the name of the output file saved to the interim FTP server.

You are now ready to configure the Log File protocol. See Create a log source.
b Schedule JSA to retrieve the output file from CA Top Secret.
If the z/OS platform is configured to serve files through FTP, SFTP, or allow SCP,
then no interim FTP server is required and JSA can pull the output file directly
from the mainframe. The following text must be commented out using //* or
deleted from the qextops_jcl.txt file:
//FTP EXEC PGM=FTP,REGION=3800K
//INPUT DD *



PUT '' EARL_/
QUIT
//OUTPUT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*

You are now ready to configure the Log File protocol. See Create a log source.
Create a log source
A log file protocol source allows JSA to retrieve archived log files from a remote
host. The CA Top Secret DSM supports the bulk loading of log files using the log
file protocol source.
When configuring your CA Top Secret DSM to use the log file protocol, make sure
the host name or IP address configured in CA Top Secret is the same as the one
configured in the Remote Host parameter of the Log File protocol configuration.
To configure a log source in JSA for CA Top Secret:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.
Step 4 Click the Log Sources icon.

The Log Sources window is displayed.
Step 5 Click Add.

The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for the log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select CA Top Secret.
Step 9 From the Protocol Configuration list box, select Log File.


Step 10 Configure the following values:

Table 23-5 CA Top Secret Log File Parameters

Log Source Identifier
  Type an IP address, host name, or name to identify the event source. IP
  addresses or host names are recommended as they allow JSA to identify a log
  file to a unique event source. For example, if your network contains multiple
  devices, such as multiple z/OS images or a file repository containing all of
  your event logs, you should specify the IP address or host name of the device
  that uniquely identifies the log source. This allows events to be identified
  at the device level in your network, instead of identifying the event for the
  file repository.

Service Type
  From the list box, select the protocol you want to use when retrieving log
  files from a remote server. The default is SFTP.
  • SFTP - SSH File Transfer Protocol
  • FTP - File Transfer Protocol
  • SCP - Secure Copy
  Note: The underlying protocol used to retrieve log files for the SCP and SFTP
  service type requires that the server specified in the Remote IP or Hostname
  field has the SFTP subsystem enabled.

Remote IP or Hostname
  Type the IP address or host name of the device storing your event log files.

Remote Port
  Type the TCP port on the remote host that is running the selected Service
  Type. The valid range is 1 to 65535. The options include:
  • FTP - TCP Port 21
  • SFTP - TCP Port 22
  • SCP - TCP Port 22
  Note: If the host for your event files is using a non-standard port number
  for FTP, SFTP, or SCP, you must adjust the port value accordingly.

Remote User
  Type the user name necessary to log in to the host containing your event
  files. The user name can be up to 255 characters in length.

Remote Password
  Type the password necessary to log in to the host.

Confirm Password
  Confirm the password necessary to log in to the host.

SSH Key File
  If you select SCP or SFTP as the Service Type, this parameter allows you to
  define an SSH private key file. When you provide an SSH Key File, the Remote
  Password field is ignored.

Remote Directory
  Type the directory location on the remote host from which the files are
  retrieved, relative to the user account you are using to log in.
  Note: For FTP only. If your log files reside in the remote user's home
  directory, you can leave the remote directory blank. This is to support
  operating systems where a change in the working directory (CWD) command is
  restricted.

Recursive
  Select this check box if you want the file pattern to search subfolders in
  the remote directory. By default, the check box is clear. The Recursive
  option is ignored if you configure SCP as the Service Type.

FTP File Pattern
  If you select SFTP or FTP as the Service Type, this option allows you to
  configure the regular expression (regex) required to filter the list of files
  specified in the Remote Directory. All matching files are included in the
  processing. The FTP file pattern you specify must match the name you assigned
  to your event files. Use of this parameter requires knowledge of regular
  expressions (regex). For more information, see the following website:
  http://download.oracle.com/javase/tutorial/essential/regex/

FTP Transfer Mode
  This option only displays if you select FTP as the Service Type. From the
  list box, select Binary. The binary transfer mode is required for event files
  stored in a binary or compressed format, such as zip, gzip, tar, or tar+gzip
  archive files.

SCP Remote File
  If you select SCP as the Service Type, you must type the file name of the
  remote file.

Start Time
  Type the time of day you want the processing to begin. For example, type
  00:00 to schedule the Log File protocol to collect event files at midnight.
  This parameter functions with the Recurrence value to establish when and how
  often the Remote Directory is scanned for files. Type the start time, based
  on a 24 hour clock, in the following format: HH:MM.

Recurrence
  Type the frequency, beginning at the Start Time, at which you want the remote
  directory to be scanned. Type this value in hours (H), minutes (M), or days
  (D). For example, type 2H if you want the remote directory to be scanned
  every 2 hours from the start time. The default is 1H.

Run On Save
  Select this check box if you want the log file protocol to run immediately
  after you click Save. After the Run On Save completes, the log file protocol
  follows your configured start time and recurrence schedule. Selecting Run On
  Save clears the list of previously processed files for the Ignore Previously
  Processed File parameter.

EPS Throttle
  Type the number of Events Per Second (EPS) that you do not want this protocol
  to exceed. The valid range is 100 to 5000.

Processor
  From the list box, select gzip. Processors allow event file archives to be
  expanded and contents processed for events. Files are only processed after
  they are downloaded to JSA. JSA can process files in zip, gzip, tar, or
  tar+gzip archive format.

Ignore Previously Processed File(s)
  Select this check box to track and ignore files that have already been
  processed by the log file protocol. JSA examines the log files in the remote
  directory to determine if a file has been previously processed by the log
  file protocol. If a previously processed file is detected, the log file
  protocol does not download the file for processing. All files that have not
  been previously processed are downloaded. This option only applies to FTP
  and SFTP Service Types.

Change Local Directory?
  Select this check box to define a local directory on your JSA for storing
  downloaded files during processing. We recommend that you leave this check
  box clear. When this check box is selected, the Local Directory field is
  displayed, which allows you to configure the local directory to use for
  storing files.

Event Generator
  From the Event Generator list box, select LineByLine. The Event Generator
  applies additional processing to the retrieved event files. Each line of the
  file is a single event. For example, if a file has 10 lines of text, 10
  separate events are created.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The CA Top Secret configuration is complete. If your configuration requires custom
event properties, see the Custom Event Properties for IBM z/OS technical note.
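The Log File protocol behaviour that Table 23-5 describes, modelled in Python as an added example (not JSA or CA code) so the schedule, file selection and event splitting can be checked before the log source is deployed. The remote listing, the gzip'd qextops output and its field layout beyond descriptor/date/time are constructed for the demo.

```python
"""Model of the JSA Log File protocol settings from Table 23-5 (added example,
not JSA or CA code): Recurrence/Start Time, FTP File Pattern with and without
Recursive, Ignore Previously Processed File(s), the gzip Processor and the
LineByLine Event Generator, plus the range checks the table states."""
import gzip
import re
from datetime import datetime, timedelta

SERVICE_DEFAULT_PORT = {"FTP": 21, "SFTP": 22, "SCP": 22}


def parse_recurrence(value):
    """'2H' -> 2 hours, '30M' -> 30 minutes, '1D' -> 1 day (Recurrence field)."""
    m = re.fullmatch(r"(\d+)([HMD])", value.strip().upper())
    if not m:
        raise ValueError("Recurrence must be <n>H, <n>M or <n>D, got %r" % value)
    unit = {"H": "hours", "M": "minutes", "D": "days"}[m.group(2)]
    return timedelta(**{unit: int(m.group(1))})


def next_runs(start_time, recurrence, now, count=3):
    """First `count` directory scans at or after `now`: the HH:MM Start Time on
    the current day, then every Recurrence interval."""
    hh, mm = (int(x) for x in start_time.split(":"))
    step = parse_recurrence(recurrence)
    run = now.replace(hour=hh, minute=mm, second=0, microsecond=0)
    while run < now:
        run += step
    return [run + i * step for i in range(count)]


def check_settings(service, port, eps):
    """Range checks from the table; returns a list of findings (empty = OK)."""
    findings = []
    if service not in SERVICE_DEFAULT_PORT:
        findings.append("unknown Service Type %r" % service)
    if not 1 <= port <= 65535:
        findings.append("Remote Port %d outside 1-65535" % port)
    elif port != SERVICE_DEFAULT_PORT.get(service):
        findings.append("non-standard port %d for %s: confirm on the host" % (port, service))
    if not 100 <= eps <= 5000:
        findings.append("EPS Throttle %d outside 100-5000" % eps)
    return findings


def select_files(listing, pattern, recursive, processed):
    """Apply the FTP File Pattern regex to file names in the Remote Directory.
    `listing` holds paths relative to that directory; entries in subfolders
    (containing '/') are only considered when Recursive is set. Paths already
    in `processed` are skipped, as Ignore Previously Processed File(s) does."""
    rx = re.compile(pattern)
    chosen = []
    for path in sorted(listing):
        if not recursive and "/" in path:
            continue
        if path in processed or not rx.fullmatch(path.rsplit("/", 1)[-1]):
            continue
        chosen.append(path)
    return chosen


def line_by_line(raw, processor="gzip"):
    """Processor + LineByLine Event Generator: expand the archive, then treat
    every line as one event (10 lines -> 10 events)."""
    data = gzip.decompress(raw) if processor == "gzip" else raw
    return data.decode("utf-8", "replace").splitlines()


def qextops_fields(event):
    """qextops writes pipe-delimited fields with trailing blanks suppressed."""
    return [f.rstrip() for f in event.split("|")]


# Constructed remote listing: two new output files, one archived file in a
# subfolder and one unrelated file.
LISTING = ["QEXTOPS.OUTPUT.C321.gz", "QEXTOPS.OUTPUT.C320.gz",
           "archive/QEXTOPS.OUTPUT.C300.gz", "README.txt"]
# Constructed gzip'd output file (record descriptor, date, time, then invented
# fields) standing in for what the mainframe FTP step uploads.
SAMPLE_GZ = gzip.compress(
    b"TSS|2014/11/27|10:15:01|LOGON|USER01\n"
    b"TSS|2014/11/27|10:15:07|VIOLATION|USER02\n")


def demo(now=datetime(2014, 11, 27, 3, 30)):
    runs = next_runs("00:00", "2H", now)
    files = select_files(LISTING, r"QEXTOPS\.OUTPUT\..*\.gz", recursive=False,
                         processed={"QEXTOPS.OUTPUT.C320.gz"})
    events = [qextops_fields(e) for e in line_by_line(SAMPLE_GZ)]
    return runs, files, events


if __name__ == "__main__":
    for item in demo():
        print(item)
```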

21 CHECK POINT

This section provides information on the following DSMs for JSA:
• Check Point FireWall-1
• Check Point Provider-1

Check Point FireWall-1

You can configure Juniper Secure Analytics (JSA) to integrate with a Check Point
FireWall-1 device using one of the following methods:
• Integrating Check Point FireWall-1 Using Syslog
• Integrating Check Point FireWall-1 Using OPSEC

Note: Depending on your operating system, the procedures for the Check Point
FireWall-1 device might vary. The following procedures are based on the Check
Point SecurePlatform operating system.

Integrating Check Point FireWall-1 Using Syslog

This section describes how to ensure that the JSA Check Point FireWall-1 DSM
accepts FireWall-1 events using syslog.
Configuring Syslog for Check Point FireWall-1
Before you configure JSA to integrate with a Check Point FireWall-1 device:

Note: If Check Point SmartCenter is installed on Microsoft Windows, you must
integrate Check Point with JSA using OPSEC. For more information, see
Integrating Check Point FireWall-1 Using OPSEC.

Step 1 Type the following command to access the Check Point console as an expert user:

expert

A password prompt is displayed.
Step 2 Type your expert console password. Press the Enter key.
Step 3 Open the following file:

/etc/rc.d/rc3.d/S99local

Step 4 Add the following lines:

$FWDIR/bin/fw log -ftn | /usr/bin/logger -p . > /dev/null 2>&1 &

Where:
 is a Syslog facility, for example, local3.
 is a Syslog priority, for example, info.

For example:
$FWDIR/bin/fw log -ftn | /usr/bin/logger -p local3.info > /dev/null 2>&1 &
Step 5 Save and close the file.
Step 6 Open the syslog.conf file.
Step 7 Add the following line:

. @
Where:
 is the syslog facility, for example, local3. This value must match the
value you typed in Step 4.
 is the syslog priority, for example, info or notice. This value must
match the value you typed in Step 4.
 indicates you must press the Tab key.
 indicates the JSA console or managed host.
Step 8 Save and close the file.
Step 9 Depending on your operating system, type the following command to restart
syslog:
In Linux: service syslog restart
In Solaris: /etc/init.d/syslog start
Step 10 Type the following command:

nohup $FWDIR/bin/fw log -ftn | /usr/bin/logger -p . > /dev/null 2>&1 &

Where:
 is a Syslog facility, for example, local3. This value must match the
value you typed in Step 4.
 is a Syslog priority, for example, info. This value must match the
value you typed in Step 4.

The configuration is complete. The log source is added to JSA automatically as
Check Point FireWall-1 syslog events are discovered. Events forwarded to JSA
are displayed on the Log Activity tab.
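A consistency check for the syslog path configured above, added here as an example (not Check Point or JSA code): Steps 4, 7 and 10 all depend on the same facility.priority, and a message forwarded that way reaches JSA with PRI = facility*8 + severity. render_config builds the S99local command and the syslog.conf line from one selector; check_received verifies the PRI on a message seen at JSA. The JSA host name and the received message are constructed placeholders.

```python
"""Syslog facility/priority consistency for the Check Point FireWall-1 DSM
(added example, not Check Point or JSA code)."""
import re

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11}
FACILITIES.update({"local%d" % i: 16 + i for i in range(8)})
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}


def split_selector(selector):
    """'local3.info' -> (19, 6); rejects anything logger/syslogd would not accept."""
    try:
        fac, sev = selector.strip().lower().split(".")
        return FACILITIES[fac], SEVERITIES[sev]
    except (ValueError, KeyError):
        raise ValueError("selector must be <facility>.<priority>, got %r" % selector)


def pri(selector):
    """PRI value that logger -p <selector> puts in front of each message."""
    fac, sev = split_selector(selector)
    return fac * 8 + sev


def render_config(selector, jsa_host):
    """Return the S99local command (Step 4) and the syslog.conf line (Step 7),
    both derived from the same selector so they cannot drift apart."""
    split_selector(selector)  # validate once, before either line is emitted
    s99local = ("$FWDIR/bin/fw log -ftn | /usr/bin/logger -p %s "
                "> /dev/null 2>&1 &" % selector)
    syslog_conf = "%s\t@%s" % (selector, jsa_host)  # Tab between selector and target
    return s99local, syslog_conf


def check_received(message, selector):
    """Does a message as received by JSA carry the facility configured in
    `selector`, at that severity or more severe? Returns (ok, facility, severity)."""
    m = re.match(r"<(\d{1,3})>", message)
    if not m:
        return False, None, None
    fac, sev = divmod(int(m.group(1)), 8)
    want_fac, want_sev = split_selector(selector)
    # A syslog.conf selector forwards the named priority and everything more severe.
    return (fac == want_fac and sev <= want_sev), fac, sev


# Constructed message as JSA might receive it: PRI 158 = local3 (19*8) + info (6).
RECEIVED = "<158>Nov 27 10:15:01 fwmgmt logger: (fw log record)"


if __name__ == "__main__":
    for line in render_config("local3.info", "JSA-HOST-PLACEHOLDER"):
        print(line)
    print(check_received(RECEIVED, "local3.info"))
```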


Configuring a log source
JSA automatically discovers and creates a log source for syslog events from
Check Point FireWall-1. The following configuration steps are optional.
To manually configure a log source:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.
Step 4 Click the Log Sources icon.

The Log Sources window is displayed.
Step 5 Click Add.

The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Check Point FireWall-1.
Step 9 Using the Protocol Configuration list box, select Syslog.

The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 24-1 Syslog Parameters

Log Source Identifier
  Type the IP address or host name for the log source as an identifier for
  events from your Check Point FireWall-1 appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.
Integrating Check Point FireWall-1 Using OPSEC

This section describes how to ensure that JSA accepts Check Point FireWall-1
events using Open Platform for Security (OPSEC/LEA).
To integrate Check Point OPSEC/LEA with JSA, you must create two Secure
Internal Communication (SIC) files and enter the information into JSA as a Check
Point Firewall-1 log source.


To integrate Check Point Firewall-1 with JSA, you must complete the following
procedures in sequence:
1 Add JSA as a host for Check Point FireWall-1.
2 Add an OPSEC application to Check Point Firewall-1.
3 Locate the Log Source Secure Internal Communications DN.
4 In JSA, configure the OPSEC LEA protocol.
5 Verify the OPSEC/LEA communications configuration.

Adding a Check Point FireWall-1 Host
To add JSA as a host in Check Point FireWall-1 SmartCenter:
Step 1 Log in to the Check Point SmartDashboard user interface.
Step 2 Select Manage > Network Objects > New > Node > Host.
Step 3 Type parameters for your Check Point Firewall-1 host:

Name: JSA
IP Address: 
Comment: 
Step 4 Click OK.
Step 5 Select Close.

You are now ready to create an OPSEC Application Object for Check Point
Firewall-1.
Creating an OPSEC Application Object
To create the OPSEC Application Object:
Step 1 Open the Check Point SmartDashboard user interface.
Step 2 Select Manage > Servers and OPSEC applications > New > OPSEC
Application Properties.
Step 3 Assign a name to the OPSEC Application Object.

For example:
JSA-OPSEC

The OPSEC Application Object name must be different than the host name you
typed when creating the node in Step 3 of Adding a Check Point FireWall-1 Host.
a From the Host list box, select JSA.
b From the Vendor list box, select User Defined.
c In Client Entities, select the LEA check box.
d To generate a Secure Internal Communication (SIC) DN, click Communication.
e Enter an activation key.

Note: The activation key is a password used to generate the SIC DN. When you
configure your Check Point log source in JSA, the activation key is typed into the
Pull Certificate Password parameter.
f Click Initialize.
The window updates the Trust state from Uninitialized to Initialized
but trust not established.
g Click Close.
The OPSEC Application Properties window is displayed.
h Write down or copy the displayed SIC DN to a text file.

Note: The displayed SIC value is required for the OPSEC Application Object SIC
Attribute parameter when you configure the Check Point log source in JSA. The
OPSEC Application Object SIC resembles the following example:
CN=JSA-OPSEC,O=cpmodule..tdfaaz.
You are now ready to locate the log source SIC for Check Point Firewall-1.
Locating the log source SIC
To locate the Log Source SIC from the Check Point SmartDashboard:

Step 1 Select Manage > Network Objects.
Step 2 Select your Check Point Log Host object.

Note: You must know if the Check Point Log Host is a separate object in your
configuration from the Check Point Management Server. In most cases, the Check
Point Log Host is the same object as the Check Point Management Server.

Step 3 Click Edit.

The Check Point Host General Properties window is displayed.
Step 4 Copy the Secure Internal Communication (SIC).

Note: Depending on your Check Point version, the Communication button might
not be available to display the SIC attribute. You can locate the SIC attribute from
the Check Point Management Server command-line interface. You must use the
cpca_client lscert command from the command-line interface of the
Management Server to display all certificates. The Log Source SIC Attribute
resembles the following example: cn=cp_mgmt,o=cpmodule…tdfaaz. For more
information, see your Check Point Command Line Interface Guide.
You must now install the Security Policy from the Check Point SmartDashboard
user interface.
Step 5 Select Policy > Install > OK.

You are now ready to configure the OPSEC LEA protocol.
Configuring an OPSEC/LEA log source in JSA
To configure the log source in JSA:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 From the Log Source Type list box, select Check Point FireWall-1.
Step 7 Using the Protocol Configuration list box, select OPSEC/LEA.

The OPSEC/LEA protocol parameters appear.
Step 8 Configure the following values:
a Log Source Name - Type a name for the log source.
b Log Source Identifier - Type the IP address for the log source. This value must
match the value you typed in the Server IP parameter.
c Server IP - Type the IP address of the Check Point host or Check Point
Management Server IP.
d Server Port - Type the port used for OPSEC/LEA. The default is 18184.
You must ensure the existing firewall policy permits the LEA/OPSEC
connection from your JSA.
e OPSEC Application Object SIC Attribute - Type the SIC DN of the OPSEC
Application Object displayed in Creating an OPSEC Application Object - Step h.
f Log Source SIC Attribute - Type the SIC name for the server generating log
sources from Locating the log source SIC - Step 4.
SIC attribute names can be up to 255 characters in length and are case
sensitive.
g Specify Certificate - Ensure the Specify Certificate check box is clear.
h Pull Certificate Password - Type the activation key password from Creating
an OPSEC Application Object - Step e.
i Certificate Authority IP - Type the Check Point Manager Server IP address.
j OPSEC Application - Type the name of the application requesting a certificate.
For example:
If the value is CN=JSA-OPSEC,O=cpmodule...tdfaaz, the OPSEC
Application value is JSA-OPSEC.

For more information on the OPSEC/LEA parameters, see the Log Sources Users
Guide.
Step 9 Click Save.
Step 10 On the Admin tab, click Deploy Changes.

You are now ready to verify your OPSEC/LEA communications for Check Point
Firewall-1.
Verifying or Editing Your OPSEC Communications Configuration

This section describes how to modify your Check Point FireWall-1 configuration to
allow OPSEC communications on non-standard ports, configure communications
in a clear-text, unauthenticated stream, and verify the configuration in JSA.
Changing your Check Point Custom Log Manager (CLM) IP address
If your Check Point configuration includes a Check Point Custom Log Manager
(CLM), you might eventually need to change the IP address for the CLM, which
impacts any of the automatically discovered Check Point log sources from that
CLM in JSA. This is because when you manually add the log source for the CLM
using the OPSEC/LEA protocol, then all Check Point firewalls that forward logs to
the CLM are automatically discovered by JSA. These automatically discovered log
sources cannot be edited. If the CLM IP address changes, you must edit the
original Check Point CLM log source that contains the OPSEC/LEA protocol
configuration and update the server IP address and log source identifier.
After you update the log source for the new Check Point CLM IP address, then any
new events reported from the automatically discovered Check Point log sources
are updated.

Note: Do not delete and recreate your Check Point CLM or automatically
discovered log sources in JSA. Deleting a log source does not delete event data,
but can make previously recorded events more difficult to find.
To update your Check Point OPSEC log source:

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Select the original Check Point CLM log source containing the OPSEC/LEA
protocol configuration and click Edit.
Step 6 In the Log Source Identifier field, type a new identifying name of your Check
Point CLM.
Step 7 In the Server IP field, type the new IP address of your Check Point CLM.
Step 8 Click Save.

The IP address update for your Check Point CLM in JSA is complete.

Changing the default port for OPSEC LEA communication
To change the default port on which OPSEC LEA communicates (that is, port
18184):
Step 1 At the command-line prompt of your Check Point SmartCenter Server, type the
following command to stop the firewall services:
cpstop
Step 2 Depending on your Check Point SmartCenter Server operating system, open the
following file:
• Linux - $FWDIR/conf/fwopsec.conf
• Windows - %FWDIR%\conf\fwopsec.conf

The default contents of this file are as follows:
# The VPN-1/FireWall-1 default settings are:
#
# sam_server auth_port 0
# sam_server port 18183
#
# lea_server auth_port 18184
# lea_server port 0
#
# ela_server auth_port 18187
# ela_server port 0
#
# cpmi_server auth_port 18190
#
# uaa_server auth_port 19191
# uaa_server port 0
#
Step 3 Change the default lea_server auth_port from 18184 to another port number.
Step 4 Remove the hash (#) mark from that line.

For example:
lea_server auth_port 18888
# lea_server port 0
Step 5 Save and close the file.
Step 6 Type the following command to start the firewall services:

cpstart

Configuring OPSEC LEA for un-encrypted communications
To configure the OPSEC LEA protocol for un-encrypted communications:
Step 1 At the command-line prompt of your Check Point SmartCenter Server, stop the
firewall services by typing the following command:
cpstop
Step 2 Depending on your Check Point SmartCenter Server operating system, open the
following file:
• Linux - $FWDIR/conf/fwopsec.conf
• Windows - %FWDIR%\conf\fwopsec.conf

Step 3 Change the default lea_server auth_port from 18184 to 0.
Step 4 Change the default lea_server port from 0 to 18184.
Step 5 Remove the hash (#) marks from both lines.

For example:
lea_server auth_port 0
lea_server port 18184

Step 6 Save and close the file.
Step 7 Type the following command to start the firewall services:

cpstart
Step 8 You are now ready to configure the log source in JSA.

To configure JSA to receive events from a Check Point Firewall-1 device:
Step 1 From the Log Source Type list box, select Check Point FireWall-1.
Step 2 From the Protocol Configuration list box, select OPSEC/LEA.

For more information on configuring log sources, see the Log Sources Users
Guide.
For more information on configuring your Check Point Firewall-1, see your vendor
documentation.
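An audit of fwopsec.conf for the two LEA listener settings the procedures above change, added as an example (not Check Point code): lea_server auth_port is the SIC-authenticated, encrypted listener, lea_server port the clear-text one, and a commented line documents the default while an uncommented line overrides it. lea_mode reports which mode is effectively in force and the Server Port the JSA OPSEC/LEA log source must use, so a reviewer can confirm that clear-text LEA was enabled deliberately; the file contents are constructed from the defaults shown in the section.

```python
"""fwopsec.conf LEA listener audit (added example, not Check Point code)."""
import re

# Defaults exactly as the commented block in fwopsec.conf documents them.
DEFAULTS = {
    "sam_server": {"auth_port": 0, "port": 18183},
    "lea_server": {"auth_port": 18184, "port": 0},
    "ela_server": {"auth_port": 18187, "port": 0},
    "cpmi_server": {"auth_port": 18190},
    "uaa_server": {"auth_port": 19191, "port": 0},
}
SETTING = re.compile(r"^\s*(#\s*)?(\w+_server)\s+(auth_port|port)\s+(\d+)\s*$")


def parse_fwopsec(text):
    """Effective {server: {key: port}} after applying uncommented lines."""
    effective = {srv: dict(vals) for srv, vals in DEFAULTS.items()}
    for line in text.splitlines():
        m = SETTING.match(line)
        if not m or m.group(1):  # not a setting line, or still commented out
            continue
        server, key, port = m.group(2), m.group(3), int(m.group(4))
        effective.setdefault(server, {})[key] = port
    return effective


def lea_mode(effective):
    """('sic'|'clear'|'both'|'off', port JSA must use). 'clear' and 'both'
    deserve a second look: events then cross the network unauthenticated."""
    lea = effective.get("lea_server", {})
    auth, clear = lea.get("auth_port", 0), lea.get("port", 0)
    if auth and clear:
        return "both", auth
    if auth:
        return "sic", auth
    if clear:
        return "clear", clear
    return "off", None


def audit(text):
    """Mode and port for one fwopsec.conf text."""
    return lea_mode(parse_fwopsec(text))


# Constructed inputs: the default file (everything commented), the port change
# from "Changing the default port", and the un-encrypted variant from
# "Configuring OPSEC LEA for un-encrypted communications".
DEFAULT_CONF = """# The VPN-1/FireWall-1 default settings are:
#
# lea_server auth_port 18184
# lea_server port 0
#
"""
PORT_CHANGE_CONF = DEFAULT_CONF.replace("# lea_server auth_port 18184",
                                        "lea_server auth_port 18888")
CLEAR_TEXT_CONF = DEFAULT_CONF.replace(
    "# lea_server auth_port 18184", "lea_server auth_port 0").replace(
    "# lea_server port 0", "lea_server port 18184")


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF),
                       ("port change", PORT_CHANGE_CONF),
                       ("clear text", CLEAR_TEXT_CONF)):
        print(name, audit(conf))
```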

Check Point Provider-1

You can configure JSA to integrate with a Check Point Provider-1 device.
All events from Check Point Provider-1 are parsed using the Check Point
FireWall-1 DSM. You can integrate Check Point Provider-1 using one of the
following methods:
• Integrating Syslog for Check Point Provider-1
• Configuring OPSEC for Check Point Provider-1

Note: Depending on your operating system, the procedures for the Check Point
Provider-1 device can vary. The following procedures are based on the Check
Point SecurePlatform operating system.

Integrating Syslog for Check Point Provider-1

This method ensures the Check Point FireWall-1 DSM for JSA accepts Check
Point Provider-1 events using syslog.
JSA records all relevant Check Point Provider-1 events.

Configure syslog on Check Point Provider-1
To configure syslog on your Check Point Provider-1 device:
Step 1 Type the following command to access the console as an expert user:

expert

A password prompt is displayed.
Step 2 Type your expert console password. Press Enter.
Step 3 Type the following command:

csh
Step 4 Select the desired customer logs:

mdsenv 
Step 5 Type the following command:

# nohup $FWDIR/bin/fw log -ftn | /usr/bin/logger -p . 2>&1 &

Where:
 is a Syslog facility, for example, local3.
 is a Syslog priority, for example, info.

You are now ready to configure the log source in JSA.
The configuration is complete. The log source is added to JSA automatically as
Check Point FireWall-1 syslog events are discovered. Events forwarded to JSA
are displayed on the Log Activity tab.
Configure a log source
JSA automatically discovers and creates a log source for syslog events from
Check Point Provider-1 as Check Point FireWall-1 events. The following
configuration steps are optional.
To manually configure a log source for Check Point Provider-1 syslog events:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.
Step 4 Click the Log Sources icon.

The Log Sources window is displayed.
Step 5 Click Add.

The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.


Step 8 From the Log Source Type list box, select Check Point Firewall-1.
Step 9 Using the Protocol Configuration list box, select Syslog.

The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 24-2 Syslog Parameters

Log Source Identifier
  Type the IP address or host name for the log source as an identifier for
  events from your Check Point Provider-1 appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.
Configuring OPSEC for Check Point Provider-1

This method ensures the JSA Check Point FireWall-1 DSM accepts Check Point
Provider-1 events using OPSEC.
Reconfigure Check Point Provider-1 SmartCenter
This section describes how to reconfigure the Check Point Provider-1
SmartCenter.
In the Check Point Provider-1 Management Domain GUI (MDG), create a host
object representing JSA. The leapipe is the connection between the Check
Point Provider-1 and JSA.
To reconfigure the Check Point Provider-1 SmartCenter (MDG):

Step 1 To create a host object, open the Check Point SmartDashboard user interface and
select Manage > Network Objects > New > Node > Host.
Step 2 Type the Name, IP Address, and optional Comment for your host.
Step 3 Click OK.
Step 4 Select Close.
Step 5 To create the OPSEC connection, select Manage > Servers and OPSEC
Applications > New > OPSEC Application Properties.
Step 6 Type a name and optional comment.

The name you type must be different than the name used in Step 2.
Step 7 From the Host drop-down menu, select the JSA host object that you just created.
Step 8 From Application Properties, select User Defined as the Vendor type.
Step 9 From Client Entries, select LEA.
Step 10 Configure the Secure Internal Communication (SIC) certificate: click
Communication and enter an activation key.
Step 11 Select OK and then Close.
Step 12 To install the Policy on your firewall, select Policy > Install > OK.

Configure an OPSEC log source
To configure the log source in JSA:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.
Step 4 Click the Log Sources icon.

The Log Sources window is displayed.
Step 5 Click Add.

The Add a log source window is displayed.
Step 6 From the Log Source Type list box, select Check Point FireWall-1.
Step 7 Using the Protocol Configuration list box, select OPSEC/LEA.

The OPSEC/LEA protocol parameters appear.
Step 8 Configure the following values:
a Log Source Name - Type a name for the log source.
b Log Source Identifier - Type the IP address for the log source. This value must
match the value you typed in the Server IP parameter.
c Server IP - Type the IP address of the Check Point Provider-1.
d Server Port - Type the port used for OPSEC/LEA. The default is 18184.
You must ensure the existing firewall policy permits the LEA/OPSEC
connection from your JSA.
e OPSEC Application Object SIC Attribute - Type the SIC DN of the OPSEC
Application Object.
f Log Source SIC Attribute - Type the SIC name for the server generating the
log source.
SIC attribute names can be up to 255 characters in length and are case
sensitive.
g Specify Certificate - Ensure the Specify Certificate check box is clear.
h Pull Certificate Password - Type the activation key password.
i Certificate Authority IP - Type the Check Point Manager Server IP address.
j OPSEC Application - Type the name of the application requesting a certificate.
For example:
If the value is CN=JSA-OPSEC,O=cpmodule...tdfaaz, the OPSEC Application
value is JSA-OPSEC.

Step 9 Click Save.
Step 10 On the Admin tab, click Deploy Changes.

The configuration is complete. For detailed information on the OPSEC/LEA
protocol, see the Log Sources Users Guide.
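The following Python script is an added example and is not part of the JSA or
Check Point documentation. It encodes the constraints of Step 8 as a pre-flight
check before you click Save: the Log Source Identifier must equal the Server IP,
SIC attributes are limited to 255 characters, Specify Certificate stays clear when
the certificate is pulled with the activation key, and the OPSEC Application value
is the CN of the SIC DN. The dictionary keys, the sample configuration and its
addresses are assumptions made for this example. The TCP connect helper is a quick
way to confirm, from the JSA host, that the firewall policy permits the LEA
connection on port 18184.

```python
import ipaddress
import socket
from typing import Dict, List

# Added example, not JSA or Check Point code. The keys below mirror the fields of
# the Add a log source form for OPSEC/LEA; their spelling here is an assumption.
DEFAULT_LEA_PORT = 18184
MAX_SIC_ATTRIBUTE_LEN = 255


def opsec_application_from_dn(sic_dn: str) -> str:
    """Return the CN of a SIC DN, which is the value for the OPSEC Application
    field, e.g. 'CN=JSA-OPSEC,O=cpmodule...tdfaaz' -> 'JSA-OPSEC'."""
    for component in sic_dn.split(","):
        key, sep, value = component.strip().partition("=")
        if sep and key.strip().upper() == "CN":
            return value.strip()
    raise ValueError(f"no CN component in SIC DN: {sic_dn!r}")


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate_opsec_log_source(cfg: Dict[str, object]) -> List[str]:
    """Check an OPSEC/LEA log source definition against the rules in Step 8.
    Returns a list of problems; an empty list means the form can be saved."""
    problems: List[str] = []
    server_ip = str(cfg.get("server_ip", ""))
    if not _is_ip(server_ip):
        problems.append("Server IP is not a valid IP address")
    if cfg.get("log_source_identifier") != server_ip:
        problems.append("Log Source Identifier must match Server IP")
    port = cfg.get("server_port", DEFAULT_LEA_PORT)
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("Server Port must be an integer in 1-65535")
    for field in ("opsec_application_object_sic_attribute", "log_source_sic_attribute"):
        value = str(cfg.get(field, ""))
        if not value:
            problems.append(f"{field} is empty")
        elif len(value) > MAX_SIC_ATTRIBUTE_LEN:
            problems.append(f"{field} exceeds {MAX_SIC_ATTRIBUTE_LEN} characters")
    if cfg.get("specify_certificate", False):
        problems.append("Specify Certificate must be clear when pulling a certificate")
    if not cfg.get("pull_certificate_password"):
        problems.append("Pull Certificate Password (activation key) is empty")
    if not _is_ip(str(cfg.get("certificate_authority_ip", ""))):
        problems.append("Certificate Authority IP is not a valid IP address")
    try:
        expected = opsec_application_from_dn(
            str(cfg.get("opsec_application_object_sic_attribute", "")))
        if cfg.get("opsec_application") != expected:
            problems.append(
                f"OPSEC Application should be {expected!r} (the CN of the SIC DN)")
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def lea_port_reachable(server_ip: str, port: int = DEFAULT_LEA_PORT,
                       timeout: float = 3.0) -> bool:
    """TCP connect check, run from the JSA host, to confirm that the firewall
    policy permits the LEA connection before the log source is saved."""
    try:
        with socket.create_connection((server_ip, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample configuration; the addresses are documentation ranges and
# the Log Source SIC attribute is an assumed value.
EXAMPLE_CONFIG = {
    "log_source_name": "CheckPoint-MDS",
    "log_source_identifier": "192.0.2.10",
    "server_ip": "192.0.2.10",
    "server_port": DEFAULT_LEA_PORT,
    "opsec_application_object_sic_attribute": "CN=JSA-OPSEC,O=cpmodule...tdfaaz",
    "log_source_sic_attribute": "CN=cp_mgmt,O=cpmodule...tdfaaz",
    "specify_certificate": False,
    "pull_certificate_password": "activation-key",
    "certificate_authority_ip": "192.0.2.11",
    "opsec_application": "JSA-OPSEC",
}
```

Call validate_opsec_log_source on the dictionary you intend to type into the
form and then lea_port_reachable against the Server IP; an empty problem list and
a successful connect mean the remaining failures are on the SIC side (wrong
activation key or a DN that does not match the OPSEC Application Object).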

22

CILASOFT QJRN/400

Juniper Secure Analytics (JSA) collects detailed audit events from Cilasoft
QJRN/400 software for IBM i (AS/400, iSeries, System i).
Configuration Overview

To collect syslog events, you must configure your Cilasoft QJRN/400 to forward
syslog events to JSA. JSA automatically discovers and creates log sources for
syslog events that are forwarded from Cilasoft QJRN/400. JSA supports syslog
events from Cilasoft QJRN/400 V5.14.K and above.
To configure Cilasoft QJRN/400, complete the following tasks:
1 On your Cilasoft QJRN/400 installation, configure the Cilasoft Security Suite to
forward syslog events to JSA.
2 On your JSA system, verify that the forwarded events are automatically
discovered.

Configuring a Syslog in Cilasoft QJRN/400

To collect events, you must configure queries on your Cilasoft QJRN/400 to
forward syslog events to JSA.
Procedure

Step 1 To start the Cilasoft Security Suite, type the following command:

IJRN/QJRN

The account that is used to make configuration changes must have ADM privileges
or USR privileges with access to specific queries through an Extended Access
parameter.
Step 2 To configure the output type, select one of the following options:
a To edit several selected queries, type 2EV to access the Execution
Environment, and in the Output Type field, type SEM.
b To edit a large number of queries, type the command CHGQJQRYA, and in the
Output Type field, type SEM.

Step 3 On the Additional Parameters screen, configure the following parameters:

Table 25-1 Cilasoft QJRN/400 Output Parameters
Format - Type *LEEF to configure the syslog output to write events in Log Event
Extended Format (LEEF). LEEF is an event format that is designed for JSA.
Output - Type *SYSLOG to forward events with the syslog protocol.
IP Address - Type the IP address of your JSA system. If an IP address for JSA is
defined as a special value in the WRKQJVAL command, you can type *CFG. Events can
be forwarded to the console, an Event Collector, an Event Processor, or your JSA
all-in-one appliance.
Port - Type 514 or *CFG as the port for syslog events. By default, *CFG selects
port 514.
Tag - This field is not used by JSA.
Facility - This field is not used by JSA.
Severity - Select a value for the event severity. For more information on the
severity that is assigned to *QRY destinations, see the WRKQJFVAL command in your
Cilasoft documentation.

For more information on Cilasoft configuration parameters, see the Cilasoft
QJRN/400 User's Guide.
Syslog events that are forwarded to JSA are viewable on the Log Activity tab.
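The following Python parser is an added example and is not Cilasoft or JSA code.
It decodes a syslog line that carries a LEEF 1.0 record, which is what QJRN/400
writes when Format is *LEEF and Output is *SYSLOG: the PRI is split into facility
and severity, the pipe-delimited header yields vendor, product, version and event
ID, and the tab-delimited key=value attributes become a dictionary. The sample
event, its event ID and its attribute names are constructed for this example and
are not Cilasoft's real schema. Anything that is not LEEF 1.0 raises ValueError,
so a relay can count and quarantine events that would not parse on JSA either.

```python
import re
from typing import Dict, Tuple

# Added example, not Cilasoft or JSA code. Constructed sample event as it would
# arrive on UDP 514; PRI 14 is facility user (1), severity informational (6).
SAMPLE_EVENT = (
    "<14>Nov 27 10:15:32 AS400PRD "
    "LEEF:1.0|Cilasoft|QJRN/400|5.14|AUDIT_PW_FAIL|"
    "devTime=Nov 27 2014 10:15:31\tusrName=QSECOFR\tsrc=10.1.2.3\tsev=5"
)

# RFC 3164 style header: <PRI>Mmm dd hh:mm:ss HOST BODY
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<body>.*)$",
    re.DOTALL,
)


def split_pri(pri: int) -> Tuple[int, int]:
    """Decode a syslog PRI value into (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def parse_leef_attributes(text: str, delimiter: str = "\t") -> Dict[str, str]:
    """Split 'key=value<delim>key=value' into a dict; values may contain '='."""
    attrs: Dict[str, str] = {}
    for item in text.split(delimiter):
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed LEEF attribute: {item!r}")
        attrs[key.strip()] = value
    return attrs


def parse_leef_syslog(line: str) -> Dict[str, object]:
    """Parse a syslog line whose body is a LEEF 1.0 record.

    LEEF 1.0 layout: LEEF:1.0|Vendor|Product|Version|EventID|attr=val<TAB>attr=val
    Only LEEF 1.0 (tab-delimited attributes) is handled here.
    """
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 style syslog line")
    facility, severity = split_pri(int(m.group("pri")))
    body = m.group("body")
    if not body.startswith("LEEF:"):
        raise ValueError("payload is not LEEF")
    parts = body.split("|", 5)
    if len(parts) < 6:
        raise ValueError("truncated LEEF header")
    version = parts[0][len("LEEF:"):]
    if version != "1.0":
        raise ValueError(f"unsupported LEEF version: {version}")
    vendor, product, product_version, event_id, attr_text = parts[1:]
    return {
        "facility": facility,
        "severity": severity,
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "leef_version": version,
        "vendor": vendor,
        "product": product,
        "product_version": product_version,
        "event_id": event_id,
        "attributes": parse_leef_attributes(attr_text),
    }
```

Run parse_leef_syslog over a capture taken on the JSA side (for example from a
packet capture of UDP 514) to confirm that the Format and Output parameters took
effect before you look for the events on the Log Activity tab.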
Configuring a Cilasoft QJRN/400 Log Source

JSA automatically discovers and creates a log source for syslog events that are
forwarded from Cilasoft QJRN/400. These configuration steps are optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 Click the Log Sources icon.
Step 4 Click Add.
Step 5 In the Log Source Name field, type a name for your log source.
Step 6 From the Log Source Type list box, select Cilasoft QJRN/400.
Step 7 From the Protocol Configuration list box, select Syslog.

Step 8 Configure the following values:

Table 25-2 Syslog protocol parameters
Log Source Identifier - Type the IP address as an identifier for events from your
Cilasoft QJRN/400 installation. The log source identifier must be a unique value.
Enabled - Select this check box to enable the log source. By default, the check
box is selected.
Credibility - Select the credibility of the log source. The range is 0 - 10. The
credibility indicates the integrity of an event or offense as determined by the
credibility rating from the source devices. Credibility increases if multiple
sources report the same event. The default is 5.
Target Event Collector - Select the Event Collector to use as the target for the
log source.
Coalescing Events - Select this check box to enable the log source to coalesce
(bundle) events. By default, automatically discovered log sources inherit the
value of the Coalescing Events list box from the System Settings in JSA. When you
create a log source or edit an existing configuration, you can override the
default value by configuring this option for each log source.
Incoming Event Payload - From the list box, select the incoming payload encoder
for parsing and storing the logs.
Store Event Payload - Select this check box to enable the log source to store
event payload information. By default, automatically discovered log sources
inherit the value of the Store Event Payload list box from the System Settings in
JSA. When you create a log source or edit an existing configuration, you can
override the default value by configuring this option for each log source.

Step 9 Click Save.
Step 10 On the Admin tab, click Deploy Changes.

23

CISCO

This section provides information on the following DSMs:
• Cisco ACE Firewall
• Cisco Aironet
• Cisco ACS
• Cisco ASA
• Cisco CallManager
• Cisco CatOS for Catalyst Switches
• Cisco CSA
• Cisco FWSM
• Cisco IDS/IPS
• Cisco IronPort
• Cisco NAC
• Cisco Nexus
• Cisco IOS
• Cisco Pix
• Cisco VPN 3000 Concentrator
• Cisco Wireless Services Module
• Cisco Wireless LAN Controllers
• Cisco Identity Services Engine

Cisco ACE Firewall


You can integrate a Cisco ACE firewall with JSA.
Juniper Secure Analytics (JSA) can accept events forwarded from Cisco ACE
Firewalls using syslog. JSA records all relevant events. Before you configure JSA
to integrate with an ACE firewall, you must configure your Cisco ACE Firewall to
forward all device logs to JSA.


Configure Cisco ACE Firewall

To forward Cisco ACE device logs to JSA:

Step 1 Log in to your Cisco ACE device.
Step 2 From the shell interface, select Main Menu > Advanced Options > Syslog
Configuration.
Step 3 The Syslog Configuration menu varies depending on whether any syslog
destination hosts are configured yet. If no syslog destinations have been added,
create one by selecting the Add First Server option. Click OK.
Step 4 Type the hostname or IP address of the destination host and port in the
First Syslog Server field. Click OK.
The system restarts with new settings. When finished, the Syslog server window
displays the host you have configured.
Step 5 Click OK.

The Syslog Configuration menu is displayed. Notice that options for editing the
server configuration, removing the server, or adding a second server are now
available.
Step 6 If you want to add another server, click Add Second Server.

At any time, click the View Syslog options to view existing server configurations.
Step 7 To return to the Advanced Menu, click Return.

The configuration is complete. The log source is added to JSA as Cisco ACE
Firewall events are automatically discovered. Events forwarded to JSA by Cisco
ACE Firewall appliances are displayed on the Log Activity tab of JSA.
Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from Cisco
ACE Firewalls.
However, you can manually create a log source for JSA to receive syslog events.
The following configuration steps are optional.
To manually configure a log source for Cisco ACE Firewall:

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.
Step 4 Click the Log Sources icon.

The Log Sources window is displayed.
Step 5 Click Add.

The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.


Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco ACE Firewall.
Step 9 Using the Protocol Configuration list box, select Syslog.

The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 26-1 Syslog Parameters
Log Source Identifier - Type the IP address or host name for the log source as an
identifier for events from your Cisco ACE Firewalls.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

Cisco Aironet

You can integrate Cisco Aironet devices with JSA.
A Cisco Aironet DSM accepts Cisco Emblem Format events using syslog. Before
you configure JSA to integrate with a Cisco Aironet device, you must configure
your Cisco Aironet appliance to forward syslog events.

Configure Cisco Aironet

To configure Cisco Aironet to forward events:

Step 1 Establish a connection to the Cisco Aironet device using one of the
following methods:
• Telnet to the wireless access point
• Access the console
Step 2 Type the following command to access privileged EXEC mode:
enable
Step 3 Type the following command to access global configuration mode:
config terminal
Step 4 Type the following command to enable message logging:
logging on
Step 5 Configure the syslog facility. The default is local7.
logging facility <facility>
Step 6 Type the following command to log messages to your JSA:
logging <JSA IP address>

Step 7 Enable timestamps on log messages:
service timestamps log datetime
Step 8 Return to privileged EXEC mode:

end
Step 9 View your entries:

show running-config
Step 10 Save your entries in the configuration file:

copy running-config startup-config

The configuration is complete. The log source is added to JSA as Cisco Aironet
events are automatically discovered. Events forwarded to JSA by Cisco Aironet
appliances are displayed on the Log Activity tab of JSA.
Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from Cisco
Aironet. The following configuration steps are optional.
To manually configure a log source for Cisco Aironet:

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.
Step 4 Click the Log Sources icon.

The Log Sources window is displayed.
Step 5 Click Add.

The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco Aironet.
Step 9 Using the Protocol Configuration list box, select Syslog.

The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 26-2 Syslog Parameters
Log Source Identifier - Type the IP address or host name for the log source as an
identifier for events from your Cisco Aironet appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.


The configuration is complete.

Cisco ACS

The Cisco ACS DSM for JSA accepts Cisco ACS events using syslog. JSA records all
relevant and available information from the event. You can integrate Cisco ACS
with JSA using one of the following methods:
• Configure your Cisco ACS device to directly send syslog to JSA for Cisco ACS
v5.x. See Configure Syslog for Cisco ACS v5.x.
• Configure your Cisco ACS device to directly send syslog to JSA for Cisco ACS
v4.x. See Configure Syslog for Cisco ACS v4.x.
• A server using the JSA Adaptive Log Exporter (Cisco ACS software version 3.x
or later). See Configure Cisco ACS for the Adaptive Log Exporter.
Note: JSA only supports Cisco ACS versions prior to v3.x using a Universal DSM.

Configure Syslog for Cisco ACS v5.x

To configure syslog forwarding from a Cisco ACS appliance with software version
5.x, you must:
Create a Remote Log Target
To create a remote log target for your Cisco ACS appliance:

Step 1 Log in to your Cisco ACS appliance.
Step 2 On the navigation menu, click System Administration > Configuration > Log

Configuration > Remote Log Targets.
The Remote Log Targets page is displayed.
Step 3 Click Create.
Step 4 Configure the following parameters:

Table 26-1 Remote Target Parameters
Name - Type a name for the remote syslog target.
Description - Type a description for the remote syslog target.
Type - Select Syslog.
IP Address - Type the IP address of JSA or your Event Collector.

Step 5 Click Submit.

You are now ready to configure global policies for event logging on your Cisco
ACS appliance.


Configure global logging categories
To configure Cisco ACS to forward failed-attempt logs to JSA:
Step 1 On the navigation menu, click System Administration > Configuration > Log

Configuration > Global.
The Logging Categories window is displayed.
Step 2 Select the Failed Attempts logging category and click Edit.
Step 3 Click Remote Syslog Target.
Step 4 From the Available targets window, use the arrow key to move the syslog target

for JSA to the Selected targets window.
Step 5 Click Submit.

You are now ready to configure the log source in JSA.
Configure a log source
JSA automatically discovers and creates a log source for syslog events from Cisco
ACS v5.x.
However, you can manually create a log source for JSA to receive Cisco ACS
events.
To manually configure a log source for Cisco ACS:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.
Step 4 Click the Log Sources icon.

The Log Sources window is displayed.
Step 5 Click Add.

The Add a log source window is displayed.
Step 6 From the Log Source Type list box, select Cisco ACS.
Step 7 Using the Protocol Configuration list box, select Syslog.

The syslog protocol configuration is displayed.
Step 8 Configure the following values:

Table 26-2 Syslog Parameters
Log Source Identifier - Type the IP address or hostname for the log source as an
identifier for Cisco ACS events.

Step 9 Click Save.


Step 10 On the Admin tab, click Deploy Changes.

The configuration is complete.
Configure Syslog for Cisco ACS v4.x

To configure syslog forwarding from a Cisco ACS appliance with software version
4.x, you must:
Configure syslog forwarding for Cisco ACS v4.x
To configure an ACS device to forward syslog events to JSA:

Step 1 Log in to your Cisco ACS device.
Step 2 On the navigation menu, click System Configuration.

The System Configuration page opens.
Step 3 Click Logging.

The logging configuration is displayed.
Step 4 In the Syslog column for Failed Attempts, click Configure.

The Enable Logging window is displayed.
Step 5 Select the Log to Syslog Failed Attempts report check box.
Step 6 Add the following Logged Attributes:
• Message-Type
• User-Name
• Nas-IP-Address
• Authen-Failure-Code
• Caller-ID
• NAS-Port
• Author-Data
• Group-Name
• Filter Information
• Logged Remotely
Step 7 Configure the following syslog parameters:
• IP - Type the IP address of JSA.
• Port - Type the syslog port number of JSA. The default is port 514.
• Max message length (Bytes) - Type 1024 as the maximum syslog message length.
Note: Cisco ACS provides syslog report information for a maximum of two syslog
servers.

Step 8 Click Submit.


You are now ready to configure the log source in JSA.
Configure a log source for Cisco ACS v4.x
JSA automatically discovers and creates a log source for syslog events from Cisco
ACS v4.x. The following configuration steps are optional.
To manually create a log source for Cisco ACS v4.x:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.
Step 4 Click the Log Sources icon.

The Log Sources window is displayed.
Step 5 Click Add.

The Add a log source window is displayed.
Step 6 From the Log Source Type list box, select Cisco ACS.
Step 7 Using the Protocol Configuration list box, select Syslog.

The syslog protocol configuration is displayed.
Step 8 Configure the following values:

Table 26-3 Syslog Parameters
Log Source Identifier - Type the IP address or hostname for the log source as an
identifier for Cisco ACS events.

Step 9 Click Save.
Step 10 On the Admin tab, click Deploy Changes.

The configuration is complete.
Configure Cisco ACS for the Adaptive Log Exporter

If you are using an older version of Cisco ACS, such as v3.x, you can log events
from your Cisco ACS appliance to a comma-separated file. The Cisco ACS device
plug-in for the Adaptive Log Exporter can be used to read and forward events from
your comma-separated file to JSA.
Configure Cisco ACS to log events
Your Cisco ACS appliance must be configured to write comma-separated event files
to integrate with the Adaptive Log Exporter.


To configure Cisco ACS:
Step 1 Log in to your Cisco ACS appliance.
Step 2 On the navigation menu, click System Configuration.

The System Configuration page opens.
Step 3 Click Logging.

The logging configuration is displayed.
Step 4 In the CSV column for Failed Attempts, click Configure.

The Enable Logging window is displayed.
Step 5 Select the Log to CSV Failed Attempts report check box.
Step 6 Add the following Logged Attributes:
• Message-Type
• User-Name
• Nas-IP-Address
• Authen-Failure-Code
• Caller-ID
• NAS-Port
• Author-Data
• Group-Name
• Filter Information
• Logged Remotely
Step 7 Configure a time frame for Cisco ACS to generate a new comma-separated
value (CSV) file.
Step 8 Click Submit.

You are now ready to configure the Adaptive Log Exporter.
For more information on installing and using the Adaptive Log Exporter, see the
Adaptive Log Exporter Users Guide.

Cisco ASA

You can integrate a Cisco Adaptive Security Appliance (ASA) with JSA.
A Cisco ASA DSM accepts events using syslog or NetFlow using NetFlow Security
Event Logging (NSEL). JSA records all relevant events. Before you configure JSA,
you must configure your Cisco ASA device to forward syslog or NetFlow NSEL
events.
Choose one of the following options:
• Forward events to JSA using syslog. See Integrate Cisco ASA Using Syslog.
• Forward events to JSA using NetFlow NSEL. See Integrate Cisco ASA for NetFlow
Using NSEL.

Integrate Cisco ASA Using Syslog

This section includes the following topics:
• Configure syslog forwarding
• Configure a log source

Configure syslog forwarding
This section describes how to configure Cisco ASA to forward syslog events.
Step 1 Log in to the Cisco ASA device.
Step 2 Type the following command to access privileged EXEC mode:

enable
Step 3 Type the following command to access global configuration mode:

conf t
Step 4 Enable logging:

logging enable
Step 5 Configure the logging details:

logging console warning
logging trap warning
logging asdm warning
Step 6 Type the following command to configure logging to JSA:
logging host <interface> <IP address>
Where:
<interface> is the name of the Cisco Adaptive Security Appliance interface through
which JSA is reached.
<IP address> is the IP address of JSA.
Note: Using the command show interfaces displays all available interfaces for
your Cisco device.

Step 7 Disable the output object name option:

no names

You must disable the output object name option to ensure that the logs use IP
addresses and not object names.
Step 8 Exit the configuration:

exit
Step 9 Save the changes:

write mem


The configuration is complete. The log source is added to JSA as Cisco ASA
syslog events are automatically discovered. Events forwarded to JSA by Cisco
ASA are displayed on the Log Activity tab of JSA.
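The following Python parser is an added example and is not Cisco or JSA code. It
shows why Step 5 and Step 7 of the procedure above matter for what JSA receives:
it reads the %ASA-<severity>-<message ID> header, extracts the zone:address/port
endpoints from the message text, reports whether a message survives logging trap
warning (severity 4 and more severe), and flags endpoints that carry object names
rather than IP addresses, which is what arrives when no names was not applied. The
three sample messages are constructed; the addresses are documentation ranges and
the zone names are assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Added example, not Cisco or JSA code. Constructed sample messages; PRI 164 is
# local4 (the ASA default facility) with severity 4, PRI 166 is local4/severity 6.
SAMPLE_LINES = [
    '<164>%ASA-4-106023: Deny tcp src outside:198.51.100.7/44123 '
    'dst dmz:192.0.2.25/443 by access-group "outside_in" [0x0, 0x0]',
    # Same event as it looks when `no names` was not applied: object name in dst.
    '<164>%ASA-4-106023: Deny tcp src outside:198.51.100.7/44123 '
    'dst dmz:web-server-01/443 by access-group "outside_in" [0x0, 0x0]',
    # Severity 6 connection build: suppressed by `logging trap warning`.
    '<166>%ASA-6-302013: Built inbound TCP connection 4711 for '
    'outside:198.51.100.7/44123 (198.51.100.7/44123) to dmz:192.0.2.25/443 '
    '(192.0.2.25/443)',
]

# Optional <PRI> and optional timestamp, then the %ASA-<level>-<id>: header.
_HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?.*?%ASA-(?P<sev>[0-7])-(?P<msg_id>\d{6}):\s*(?P<text>.*)$"
)
# zone:address/port tokens that follow src, dst, for or to in the message text.
_ENDPOINT_RE = re.compile(
    r"\b(?:src|dst|for|to) (?P<zone>[\w-]+):(?P<addr>[^/\s]+)/(?P<port>\d+)"
)


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_asa(line: str) -> Dict[str, object]:
    """Parse one ASA syslog message into severity, message ID, text and the
    (zone, address, port, is_ip) endpoints found in the text."""
    m = _HEADER_RE.match(line)
    if not m:
        raise ValueError("not a Cisco ASA syslog message")
    endpoints = []
    object_names = []
    for ep in _ENDPOINT_RE.finditer(m.group("text")):
        is_ip = _is_ip(ep.group("addr"))
        endpoints.append((ep.group("zone"), ep.group("addr"), int(ep.group("port")), is_ip))
        if not is_ip:
            object_names.append(ep.group("addr"))
    return {
        "severity": int(m.group("sev")),
        "msg_id": m.group("msg_id"),
        "text": m.group("text"),
        "endpoints": endpoints,
        "object_names": object_names,
    }


def forwarded_at_trap_level(severity: int, trap_level: int = 4) -> bool:
    """`logging trap warning` sets level 4: the ASA sends messages whose
    severity number is <= 4 (a lower number is more severe)."""
    return severity <= trap_level


def audit(lines: List[str], trap_level: int = 4) -> Dict[str, int]:
    """Summarise what JSA would see: how many messages pass the trap level and
    how many of those still carry object names instead of IP addresses."""
    summary = {"forwarded": 0, "suppressed": 0, "with_object_names": 0}
    for line in lines:
        ev = parse_asa(line)
        if not forwarded_at_trap_level(ev["severity"], trap_level):
            summary["suppressed"] += 1
            continue
        summary["forwarded"] += 1
        if ev["object_names"]:
            summary["with_object_names"] += 1
    return summary
```

A non-zero with_object_names count on a capture taken at JSA means the ASA is
still translating addresses to object names; repeat Step 7 (no names) and save
with write mem.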
Configure a log source
JSA automatically discovers and creates a log source for syslog events from Cisco
ASA. The following configuration steps are optional.
To manually configure a log source for Cisco ASA syslog events:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.
Step 4 Click the Log Sources icon.

The Log Sources window is displayed.
Step 5 Click Add.

The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco Adaptive Security Appliance

(ASA).
Step 9 Using the Protocol Configuration list box, select Syslog.

The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 26-4 Syslog Parameters
Log Source Identifier - Type the IP address or host name for the log source as an
identifier for events from your Cisco ASA device.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.
Integrate Cisco ASA for NetFlow Using NSEL

This section includes the following topics:
• Configure NetFlow Using NSEL
• Configure a log source


Configure NetFlow Using NSEL
To configure Cisco ASA to forward NetFlow events using NSEL.
Step 1 Log in to the Cisco ASA device command-line interface (CLI).
Step 2 Type the following command to access privileged EXEC mode:

enable
Step 3 Type the following command to access global configuration mode:

conf t
Step 4 Disable the output object name option:

no names
Step 5 Type the following command to enable NetFlow export:
flow-export destination <interface> <IP address> <port>
Where:
<interface> is the name of the Cisco Adaptive Security Appliance interface
through which the NetFlow collector is reached.
<IP address> is the IP address or host name of the NetFlow collector, that is,
your JSA system.
<port> is the UDP port number to which NetFlow packets are sent.
Note: JSA typically uses port 2055 for NetFlow event data on Flow Processors.
You must configure a different UDP port on your Cisco Adaptive Security
Appliance for NetFlow using NSEL.

Step 6 Type the following command to configure the NSEL class-map:

class-map flow_export_class
Step 7 Choose one of the following traffic options:
a

To configure a NetFlow access list to match specific traffic, type the command:
match access-list flow_export_acl

b

To configure NetFlow to match any traffic, type the command:
match any

Note: The Access Control List (ACL) must exist on the Cisco ASA device before
you define the traffic match option in Step 7.

Step 8 Type the following command to configure the NSEL policy-map:

policy-map flow_export_policy
Step 9 Type the following command to define a class for the flow-export action:

class flow_export_class


Step 10 Type the following command to configure the flow-export action:
flow-export event-type all destination <IP address>
Where <IP address> is the IP address of JSA.
Note: If you are using a Cisco ASA version before v8.3, you can skip Step 10
because the device defaults to the flow-export destination. For more
information, see your Cisco ASA documentation.

Step 11 Type the following command to add the service policy globally:

service-policy flow_export_policy global
Step 12 Exit the configuration:

exit
Step 13 Save the changes:

write mem

You must verify that your collector applications use the Event Time field to
correlate events.
Configure a log source
To integrate Cisco ASA using NetFlow with JSA, you must manually create a log
source to receive NetFlow events. JSA does not automatically discover or create
log sources for syslog events from Cisco ASA using NetFlow and NSEL.

Note: Your system must be running the latest version of the NSEL protocol to
integrate with a Cisco ASA device using NetFlow NSEL. The NSEL protocol is
available on Juniper Customer Support, http://www.juniper.net/customers/support/,
or through auto updates in JSA.
To configure a log source:

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.
Step 4 Click the Log Sources icon.

The Log Sources window is displayed.
Step 5 Click Add.

The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.

Step 8 From the Log Source Type list box, select Cisco Adaptive Security Appliance

(ASA).
Step 9 Using the Protocol Configuration list box, select Cisco NSEL.
The Cisco NSEL protocol configuration is displayed.
Step 10 Configure the following values:
Table 26-5 Cisco NSEL Parameters
Log Source Identifier - Type the IP address or hostname for the log source.
Collector Port - Type the UDP port number used by Cisco ASA to forward NSEL
events. The valid range of the Collector Port parameter is 1-65535.
Note: JSA typically uses port 2055 for NetFlow event data on Flow Processors.
You must define a different UDP port on your Cisco Adaptive Security Appliance
for NetFlow using NSEL.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The log source is added to JSA. Events forwarded to JSA by Cisco ASA are
displayed on the Log Activity tab. For more information on configuring NetFlow
with your Cisco ASA device, see your vendor documentation.

Cisco CallManager

The Cisco CallManager DSM for JSA collects application events forwarded from
Cisco CallManager devices using syslog.
Before receiving events in JSA, you must configure your Cisco Call Manager
device to forward events. After you forward syslog events from Cisco CallManager,
JSA automatically detects and adds Cisco CallManager as a log source.

Configure Syslog Forwarding

To configure syslog on your Cisco CallManager:

Step 1 Log in to your Cisco CallManager interface.
Step 2 Select System > Enterprise Parameters.

The Enterprise Parameters Configuration is displayed.
Step 3 In the Remote Syslog Server Name field, type the IP address of the JSA console.
Step 4 From the Syslog Severity For Remote Syslog messages list box, select
Informational.
The informational severity allows you to collect all events at the
informational level and above.
Step 5 Click Save.


Step 6 Click Apply Config.

The syslog configuration is complete. You are now ready to configure a syslog log
source for Cisco CallManager.
Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from Cisco
CallManager devices. The following configuration steps are optional.
To manually configure a syslog log source for Cisco CallManager:

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.
Step 4 Click the Log Sources icon.

The Log Sources window is displayed.
Step 5 Click Add.

The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco Call Manager.
Step 9 Using the Protocol Configuration list box, select Syslog.

The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 26-6 Syslog Parameters
Log Source Identifier - Type the IP address or host name for the log source as an
identifier for events from your Cisco CallManager.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

Cisco CatOS for Catalyst Switches

The Cisco CatOS for Catalyst Switches DSM for JSA accepts events using syslog.
JSA records all relevant device events. Before configuring a Cisco CatOS device
in JSA, you must configure your device to forward syslog events.


Configure Syslog

To configure your Cisco CatOS device to forward syslog events:

Step 1 Log in to your Cisco CatOS user interface.
Step 2 Type the following command to access privileged EXEC mode:

enable
Step 3 Configure the system to timestamp messages:

set logging timestamp enable
Step 4 Type the IP address of JSA:
set logging server <IP address>
Step 5 Limit messages that are logged by selecting a severity level:
set logging server severity <severity level>
Step 6 Configure the facility level that should be used in the message. The
default is local7.
set logging server facility <facility>
Step 7 Enable the switch to send syslog messages to JSA:
set logging server enable

You are now ready to configure the log source in JSA.
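The following Python helper is an added example and is not Cisco or JSA code. It
covers the facility and severity settings in the Cisco Aironet and Cisco CatOS
procedures above: it computes the syslog PRI value (facility * 8 + severity)
that the device prefixes to each message, builds an RFC 3164 datagram, decides
whether a message of a given severity passes a logging trap or severity level,
and can send a test message to the JSA collector on UDP 514 so you can confirm
reachability and the expected PRI on the Log Activity tab before changing the
access points or switches. The host and tag names in the sample are assumptions.

```python
import socket
from datetime import datetime
from typing import Tuple

# Added example, not Cisco or JSA code. Facility and severity numbers are the
# standard syslog values; the severity keywords are the Cisco IOS/CatOS names
# with their short syslog aliases.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}

# Fixed time used by the sample so the output is reproducible.
SAMPLE_TIME = datetime(2014, 11, 27, 10, 15, 32)


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; local7/warnings -> 23 * 8 + 4 = 188."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def split_pri(value: int) -> Tuple[int, int]:
    """Decode a PRI from a received message into (facility, severity)."""
    if not 0 <= value <= 191:
        raise ValueError(f"PRI out of range: {value}")
    return value // 8, value % 8


def format_timestamp(when: datetime) -> str:
    """RFC 3164 timestamp 'Mmm dd hh:mm:ss' with a space-padded day."""
    return f"{when:%b} {when.day:2d} {when:%H:%M:%S}"


def build_message(facility: str, severity: str, hostname: str, tag: str,
                  text: str, when: datetime = SAMPLE_TIME) -> bytes:
    """Build the datagram a device sends: <PRI>TIMESTAMP HOST TAG: TEXT."""
    line = f"<{pri(facility, severity)}>{format_timestamp(when)} {hostname} {tag}: {text}"
    return line.encode("ascii", "replace")


def accepted_at_level(severity: str, configured_level: str) -> bool:
    """True if a message of `severity` passes `logging trap <level>` (IOS) or
    `set logging server severity <level>` (CatOS): the device sends messages
    whose severity number is <= the configured level."""
    return SEVERITIES[severity] <= SEVERITIES[configured_level]


def send_test_message(collector: str, message: bytes, port: int = 514) -> int:
    """Send one datagram to the JSA collector; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message, (collector, port))


if __name__ == "__main__":
    msg = build_message("local7", "warnings", "ap-lab-01", "aironet",
                        "test message from the JSA onboarding check",
                        datetime.now())
    print(msg.decode())
    # Uncomment and point at your JSA console or Event Collector:
    # send_test_message("192.0.2.50", msg)
```

Because JSA discovers syslog log sources automatically, a test datagram with the
same facility and hostname as the real device will create the log source before
the device itself sends anything; use a distinct hostname for the test if you
want to avoid that.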
Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from Cisco
CatOS appliances. The following configuration steps are optional.
To manually configure a syslog log source for Cisco CatOS:

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.
Step 4 Click the Log Sources icon.

The Log Sources window is displayed.
Step 5 Click Add.

The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco CatOS for Catalyst Switches
Step 9 Using the Protocol Configuration list box, select Syslog.

The syslog protocol configuration is displayed.
Step 10 Configure the following values:


Table 26-7 Syslog Parameters
Log Source Identifier - Type the IP address or host name for the log source as an
identifier for events from your Cisco CatOS for Catalyst Switch appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

Cisco CSA

You can integrate a Cisco Security Agent (CSA) server with JSA.

Supported Event Types

The Cisco CSA DSM accepts events using syslog, SNMPv1, and SNMPv2. JSA
records all configured Cisco CSA alerts.

Configure Syslog for Cisco CSA

To configure your Cisco CSA server to forward events:

Step 1 Open the Cisco CSA user interface.
Step 2 Select Events > Alerts.
Step 3 Click New.

The Configuration View window is displayed.
Step 4 Type in values for the following parameters:
a

Name - Type a name you wish to assign to your configuration.

b

Description - Type a description for the configuration. This parameter is
optional.

Step 5 From the Send Alerts list box, select the event set for which to generate alerts.
Step 6 Select the SNMP check box.
Step 7 Type a Community name.

The Community name entered in the CSA user interface must match the
Community field configured on JSA. This option is only available using the
SNMPv2 protocol.
Step 8 In the Manager IP address parameter, type the IP address of JSA.
Step 9 Click Save.

You are now ready to configure the log source in JSA.
Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from Cisco
CSA appliances. The following configuration steps are optional.


To manually configure a syslog log source for Cisco CSA:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.
Step 4 Click the Log Sources icon.

The Log Sources window is displayed.
Step 5 Click Add.

The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco CSA.
Step 9 Using the Protocol Configuration list box, select Syslog.

The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 26-8 Syslog Parameters
Log Source Identifier - Type the IP address or host name for the log source as an
identifier for events from your Cisco CSA appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

Cisco FWSM

You can integrate Cisco Firewall Service Module (FWSM) with JSA.

Supported Event Types

The Cisco FWSM DSM for JSA accepts FWSM events using syslog. JSA records
all relevant Cisco FWSM events.

Configure Cisco FWSM to Forward Syslog Events

To integrate Cisco FWSM with JSA, you must configure your Cisco FWSM
appliances to forward syslog events to JSA.
To configure Cisco FWSM:

Step 1 Using a console connection, telnet, or SSH, log in to the Cisco FWSM.
Step 2 Enable logging:

logging on


Step 3 Change the logging level:

logging trap level (1-7)

By default, the logging level is set to 3 (error).
Step 4 Designate JSA as a host to receive the messages:

logging host [interface] ip_address [tcp[/port] | udp[/port]] [format emblem]

For example:
logging host dmz1 192.168.1.5

Where 192.168.1.5 is the IP address of your JSA system.
You are now ready to configure the log source in JSA.
Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from Cisco
FWSM appliances. The following configuration steps are optional.
To manually configure a syslog log source for Cisco FWSM:

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.
Step 4 Click the Log Sources icon.

The Log Sources window is displayed.
Step 5 Click Add.

The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco Firewall Services Module (FWSM).
Step 9 Using the Protocol Configuration list box, select Syslog.

The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 26-9 Syslog Parameters

Parameter               Description
Log Source Identifier   Type the IP address or host name for the log source as an
                        identifier for events from your Cisco FWSM appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.


The configuration is complete.

Cisco IDS/IPS

The Cisco IDS/IPS DSM for JSA polls Cisco IDS/IPS for events using the Security
Device Event Exchange (SDEE) protocol.
The SDEE specification defines the message format and the protocol used to
communicate the events generated by your Cisco IDS/IPS security device. JSA
supports SDEE connections by polling directly to the IDS/IPS device and not the
management software, which controls the device.

Note: You must have security access or web authentication on the device before
connecting to JSA.
After you configure your Cisco IDS/IPS device, you must configure the SDEE
protocol in JSA. When configuring the SDEE protocol, you must define the URL
required to access the device.
For example, https://www.mysdeeserver.com/cgi-bin/sdee-server.
You must use an http or https URL, which is specific to your Cisco IDS version:
• If you are using RDEP (for Cisco IDS v4.0), the URL should have
  /cgi-bin/event-server at the end. For example:
  https://www.my-rdep-server.com/cgi-bin/event-server
• If you are using SDEE/CIDEE (for Cisco IDS v5.x and above), the URL should
  have /cgi-bin/sdee-server at the end. For example:
  https://www.my-sdee-server/cgi-bin/sdee-server

JSA does not automatically discover or create log sources for syslog events from
Cisco IDS/IPS devices. To integrate Cisco IDS/IPS device events with JSA, you
must manually create a log source for each Cisco IDS/IPS in your network.
To configure a Cisco IDS/IPS log source using SDEE polling:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.
Step 4 Click the Log Sources icon.

The Log Sources window is displayed.
Step 5 Click Add.

The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.


Step 8 From the Log Source Type list box, select Cisco Intrusion Prevention System (IPS).
Step 9 Using the Protocol Configuration list box, select SDEE.

The SDEE protocol configuration is displayed.
Step 10 Configure the following values:

Table 26-10 SDEE Parameters

Parameter                Description
Log Source Identifier    Type an IP address, hostname, or name to identify the SDEE
                         event source. IP addresses or hostnames are recommended as
                         they allow JSA to identify a log file to a unique event source.
                         The log source identifier must be unique for the log source type.
URL                      Type the URL required to access the log source, for example,
                         https://www.mysdeeserver.com/cgi-bin/sdee-server. You must
                         use an http or https URL.
                         The options include:
                         • If you are using SDEE/CIDEE (for Cisco IDS v5.x and
                           above), the URL should have /cgi-bin/sdee-server at the end.
                           For example, https://www.my-sdee-server/cgi-bin/sdee-server
                         • If you are using RDEP (for Cisco IDS v4.0), the URL should
                           have /cgi-bin/event-server at the end. For example,
                           https://www.my-rdep-server.com/cgi-bin/event-server
Username                 Type the username. This username must match the SDEE URL
                         username used to access the SDEE URL. The username can
                         be up to 255 characters in length.
Password                 Type the user password. This password must match the SDEE
                         URL password used to access the SDEE URL. The password
                         can be up to 255 characters in length.
Events / Query           Type the maximum number of events to retrieve per query. The
                         valid range is 0 to 501 and the default is 100.
Force Subscription       Select this check box if you want to force a new SDEE
                         subscription. By default, the check box is selected.
                         The check box forces the server to drop the least active
                         connection and accept a new SDEE subscription connection for
                         this log source.
                         Clearing the check box continues with any existing SDEE
                         subscription.
Severity Filter Low      Select this check box if you want to configure the severity level
                         as low.
                         Log sources that support SDEE return only the events that
                         match this severity level. By default, the check box is selected.
Severity Filter Medium   Select this check box if you want to configure the severity level
                         as medium.
                         Log sources that support SDEE return only the events that
                         match this severity level. By default, the check box is selected.
Severity Filter High     Select this check box if you want to configure the severity level
                         as high.
                         Log sources that support SDEE return only the events that
                         match this severity level. By default, the check box is selected.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The log source is added to JSA. Events polled from your Cisco IDS/IPS appliances
are displayed on the Log Activity tab of JSA.

Cisco IronPort

The Cisco IronPort DSM for JSA provides event information for email spam, web
content filtering, and corporate email policy enforcement.
Before you configure JSA to integrate with your Cisco IronPort device, you must
select the log type to configure:
• To configure IronPort mail logs, see IronPort Mail Log Configuration.
• To configure IronPort content filtering logs, see IronPort Web Content Filter.

IronPort Mail Log Configuration

The JSA Cisco IronPort DSM accepts events using syslog. To configure your
IronPort device to send syslog events to JSA, you must:

Step 1 Log in to your Cisco IronPort user interface.
Step 2 Select System Administration\Log Subscriptions.
Step 3 Click Add Log Subscription.
Step 4 Configure the following values:

• Log Type - Define a log subscription for both Ironport Text Mail Logs and
  System Logs.
• Log Name - Type a log name.
• File Name - Use the default configuration value.
• Maximum File Size - Use the default configuration value.
• Log Level - Select Information (Default).
• Retrieval Method - Select Syslog Push.
• Hostname - Type the IP address or server name of your JSA system.
• Protocol - Select UDP.
• Facility - Use the default configuration value. This value depends on the
  configured Log Type.

Step 5 Save the subscription.

You are now ready to configure the log source in JSA.
Configure a log source
To integrate Cisco IronPort with JSA, you must manually create a log source to
receive Cisco IronPort events. JSA does not automatically discover or create log
sources for syslog events from Cisco IronPort appliances.
To create a log source for Cisco IronPort events:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.
Step 4 Click the Log Sources icon.

The Log Sources window is displayed.
Step 5 Click Add.

The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco IronPort.
Step 9 Using the Protocol Configuration list box, select Syslog.

The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 26-11 Syslog Parameters

Parameter               Description
Log Source Identifier   Type the IP address or host name for the log source as an
                        identifier for events from your Cisco IronPort appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The log source is added to JSA. Events forwarded to JSA by Cisco IronPort are
displayed on the Log Activity tab.
IronPort Web Content Filter

The Cisco IronPort DSM for JSA retrieves web content filtering events in W3C
format from a remote source using the log file protocol.
Your system must be running the latest version of log file protocol to integrate with
a Cisco IronPort device. To configure your Cisco IronPort device to push web
content filter events, you must configure a log subscription for the web content filter
using the W3C format. For more information on configuring a log subscription, see
your Cisco IronPort documentation.
You are now ready to configure the log source and protocol in JSA.
Step 1 From the Log Source Type drop-down list box, select Cisco IronPort.
Step 2 From the Protocol Configuration list box, select the Log File protocol option.
Step 3 Select W3C as the Event Generator used to process the web content filter log
files.
Step 4 The FTP File Pattern parameter must use a regular expression that matches the
log files generated by the web content filter logs.
For more information on configuring the Log File protocol, see the Juniper Secure
Analytics Log Sources User Guide.

Cisco NAC

The Cisco NAC DSM for JSA accepts events using syslog.

Supported Event Types

JSA records all relevant audit, error, and failure events as well as quarantine and
infected system events. Before configuring a Cisco NAC device in JSA, you must
configure your device to forward syslog events.

Configuring Cisco NAC to Forward Events

To configure the device to forward syslog events:
Procedure

Step 1 Log in to the Cisco NAC user interface.
Step 2 In the Monitoring section, select Event Logs.
Step 3 Click the Syslog Settings tab.
Step 4 In the Syslog Server Address field, type the IP address of your JSA.
Step 5 In the Syslog Server Port field, type the syslog port. The default is 514.
Step 6 In the System Health Log Interval field, type the frequency, in minutes, for
system statistic log events.
Step 7 Click Update.

You are now ready to configure the log source in JSA.
Configuring a Log Source

To integrate Cisco NAC events with JSA, you must manually create a log source to
receive Cisco NAC events. JSA does not automatically discover or create log
sources for syslog events from Cisco NAC appliances.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.


Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco NAC Appliance.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 26-12 Syslog Protocol Parameters

Parameter               Description
Log Source Identifier   Type the IP address or host name for the log source as an
                        identifier for events from your Cisco NAC appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The log source is added to JSA. Events forwarded to JSA by Cisco NAC are
displayed on the Log Activity tab.

Cisco Nexus

The Cisco Nexus DSM for JSA supports alerts from Cisco NX-OS devices.
The events are forwarded from Cisco Nexus to JSA using syslog. Before you can
integrate events with JSA, you must configure your Cisco Nexus device to forward
syslog events.

Configure Cisco Nexus to Forward Events

To configure syslog on your Cisco Nexus server:

Step 1 Type the following command to switch to configuration mode:

config t
Step 2 Type the following commands:

logging server <ip_address> <severity>

Where:
<ip_address> is the IP address of your JSA console.
<severity> is the severity level of the event messages, which ranges from 0-7.
For example, logging server 100.100.10.1 6 forwards information level (6)
syslog messages to 100.100.10.1.
Step 3 Type the following to configure the interface for sending syslog events:

logging source-interface loopback
Step 4 Type the following command to save your current configuration as the startup
configuration:

copy running-config startup-config

The configuration is complete. The log source is added to JSA as Cisco Nexus
events are automatically discovered. Events forwarded to JSA by Cisco Nexus are
displayed on the Log Activity tab of JSA.
Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from Cisco
Nexus. The following configuration steps are optional.
To manually configure a log source for Cisco Nexus:

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.
Step 4 Click the Log Sources icon.

The Log Sources window is displayed.
Step 5 Click Add.

The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco Nexus.
Step 9 Using the Protocol Configuration list box, select Syslog.

The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 26-13 Syslog Parameters

Parameter               Description
Log Source Identifier   Type the IP address or host name for the log source as an
                        identifier for events from your Cisco Nexus appliances.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete. For more information on configuring a Virtual
Device Context (VDC) on your Cisco Nexus device, see your vendor
documentation.

Cisco IOS

You can integrate Cisco IOS series devices with JSA.

Supported Event Types

The Cisco IOS DSM for JSA accepts Cisco IOS events using syslog. JSA records
all relevant events. The following Cisco Switches and Routers are automatically
discovered as Cisco IOS and have their events parsed by the Cisco IOS DSM:
• Cisco 12000 Series Routers
• Cisco 6500 Series Switches
• Cisco 7600 Series Routers
• Cisco Carrier Routing System
• Cisco Integrated Services Router.

Note: Make sure all Access Control Lists (ACLs) are set to LOG.

Configure Cisco IOS to Forward Events

To configure a Cisco IOS-based device to forward events:

Step 1 Log in to your Cisco IOS Server, switch, or router.
Step 2 Type the following command to log in to the router in privileged-exec.

enable
Step 3 Type the following command to switch to configuration mode:

conf t
Step 4 Type the following commands:

logging <ip_address>
logging source-interface <interface>

Where:
<ip_address> is the IP address hosting JSA and the SIM components.
<interface> is the name of the interface, for example, dmz, lan, ethernet0, or
ethernet1.
Step 5 Type the following to configure the priority level:

logging trap warning
logging console warning

Where warning is the priority setting for the logs.
Step 6 Configure the syslog facility:

logging facility syslog
Step 7 Save and exit the file.

Step 8 Copy running-config to startup-config:

copy running-config startup-config

You are now ready to configure the log source in JSA.
The configuration is complete. The log source is added to JSA as Cisco IOS
events are automatically discovered. Events forwarded to JSA by Cisco IOS-based
devices are displayed on the Log Activity tab of JSA.
Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from Cisco
IOS. The following configuration steps are optional.
To manually configure a log source for Cisco IOS-based devices:

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.
Step 4 Click the Log Sources icon.

The Log Sources window is displayed.
Step 5 Click Add.

The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select one of the following:
• Cisco IOS
• Cisco 12000 Series Routers
• Cisco 6500 Series Switches
• Cisco 7600 Series Routers
• Cisco Carrier Routing System
• Cisco Integrated Services Router

Step 9 Using the Protocol Configuration list box, select Syslog.

The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 26-14 Syslog Parameters

Parameter               Description
Log Source Identifier   Type the IP address or host name for the log source as an
                        identifier for events from your Cisco IOS-based device.

Step 11 Click Save.


Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

Cisco Pix

You can integrate Cisco Pix security appliances with JSA.
The Cisco Pix DSM for JSA accepts Cisco Pix events using syslog. JSA records all
relevant Cisco Pix events.

Configure Cisco Pix to Forward Events

To configure Cisco Pix:

Step 1 Log in to your Cisco PIX appliance using a console connection, telnet, or SSH.
Step 2 Type the following command to access Privileged mode:

enable
Step 3 Type the following command to access Configuration mode:

conf t
Step 4 Enable logging and timestamp the logs:

logging on
logging timestamp
Step 5 Set the log level:

logging trap warning
Step 6 Configure logging to JSA:

logging host <interface> <ip_address>

Where:
<interface> is the name of the interface, for example, dmz, lan, ethernet0, or
ethernet1.
<ip_address> is the IP address hosting JSA.
The configuration is complete. The log source is added to JSA as Cisco Pix
Firewall events are automatically discovered. Events forwarded to JSA by Cisco
Pix Firewalls are displayed on the Log Activity tab of JSA.
Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from Cisco
Pix Firewalls. The following configuration steps are optional.
To manually configure a log source for Cisco Pix:

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.
Step 4 Click the Log Sources icon.

The Log Sources window is displayed.
Step 5 Click Add.

The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco PIX Firewall.
Step 9 Using the Protocol Configuration list box, select Syslog.

The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 26-15 Syslog Parameters

Parameter               Description
Log Source Identifier   Type the IP address or host name for the log source as an
                        identifier for events from your Cisco Pix Firewall.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

Cisco VPN 3000 Concentrator

The Cisco VPN 3000 Concentrator DSM for JSA accepts
Cisco VPN Concentrator events using syslog. JSA records all relevant events.
Before you can integrate with a Cisco VPN concentrator, you must configure your
device to forward syslog events to JSA.

Configure a Cisco VPN 3000 Concentrator

To configure your Cisco VPN 3000 Concentrator:

Step 1 Log in to the Cisco VPN 3000 Concentrator command-line interface (CLI).
Step 2 Type the following command to add a syslog server to your configuration:

set logging server <ip_address>

Where <ip_address> is the IP address of JSA or your Event Collector.
Step 3 Type the following command to enable system message logging to the configured
syslog servers:

set logging server enable
Step 4 Set the facility and severity level for syslog server messages:

set logging server facility server_facility_parameter
set logging server severity server_severity_level

The configuration is complete. The log source is added to JSA as Cisco VPN
Concentrator events are automatically discovered. Events forwarded to JSA are
displayed on the Log Activity tab of JSA.
Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from Cisco
VPN 3000 Series Concentrators. These configuration steps are optional.
To manually configure a log source:

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.
Step 4 Click the Log Sources icon.

The Log Sources window is displayed.
Step 5 Click Add.

The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco VPN 3000 Series Concentrator.
Step 9 Using the Protocol Configuration list box, select Syslog.

The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 26-16 Syslog Parameters

Parameter               Description
Log Source Identifier   Type the IP address or host name for the log source as an
                        identifier for events from your Cisco VPN 3000 Series
                        Concentrators.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

Cisco Wireless Services Module

You can integrate a Cisco Wireless Services Module (WiSM) device with JSA.
A Cisco WiSM DSM for JSA accepts events using syslog. Before you can integrate
JSA with a Cisco WiSM device, you must configure Cisco WiSM to forward syslog
events.


Configure Cisco WiSM to Forward Events

To configure Cisco WiSM to forward syslog events to JSA:

Step 1 Log in to the Cisco Wireless LAN Controller user interface.
Step 2 Click Management > Logs > Config.

The Syslog Configuration window is displayed.
Step 3 In the Syslog Server IP Address field type the IP address of the JSA host to
which you want to send the syslog messages. Click Add.
Step 4 Using the Syslog Level list box, set the severity level for filtering syslog messages
to the syslog servers using one of the following options:
• Emergencies - Severity level 0
• Alerts - Severity level 1 (Default)
• Critical - Severity level 2
• Errors - Severity level 3
• Warnings - Severity level 4
• Notifications - Severity level 5
• Informational - Severity level 6
• Debugging - Severity level 7

If you set a syslog level, only those messages whose severity level is equal or less
than that level are sent to the syslog servers. For example, if you set the syslog
level to Warnings (severity level 4), only those messages whose severity is
between 0 and 4 are sent to the syslog servers.
Step 5 From the Syslog Facility list box, set the facility for outgoing syslog messages to
the syslog server using one of the following options:
• Kernel - Facility level 0
• User Process - Facility level 1
• Mail - Facility level 2
• System Daemons - Facility level 3
• Authorization - Facility level 4
• Syslog - Facility level 5 (default value)
• Line Printer - Facility level 6
• USENET - Facility level 7
• Unix-to-Unix Copy - Facility level 8
• Cron - Facility level 9
• FTP Daemon - Facility level 11
• System Use 1 - Facility level 12
• System Use 2 - Facility level 13
• System Use 3 - Facility level 14
• System Use 4 - Facility level 15
• Local Use 0 - Facility level 16
• Local Use 1 - Facility level 17
• Local Use 2 - Facility level 18
• Local Use 3 - Facility level 19
• Local Use 4 - Facility level 20
• Local Use 5 - Facility level 21
• Local Use 6 - Facility level 22
• Local Use 7 - Facility level 23

Step 6 Click Apply.
Step 7 From the Buffered Log Level and the Console Log Level list boxes, select the
severity level for log messages to the controller buffer and console using one of the
following options:
Emergencies - Severity level 0
Alerts - Severity level 1
Critical - Severity level 2
Errors - Severity level 3 (default value)
Warnings - Severity level 4
Notifications - Severity level 5
Informational - Severity level 6
Debugging - Severity level 7
If you set a logging level, only those messages whose severity is equal to or less
than that level are logged by the controller. For example, if you set the logging level
to Warnings (severity level 4), only those messages whose severity is between 0
and 4 are logged.
Step 8 Select the File Info check box if you want the message logs to include information
about the source file. The default value is enabled.
Step 9 Select the Proc Info check box if you want the message logs to include process
information. The default value is disabled.
Step 10 Select the Trace Info check box if you want the message logs to include traceback
information. The default value is disabled.
Step 11 Click Apply to commit your changes.
Step 12 Click Save Configuration to save your changes.

The configuration is complete. The log source is added to JSA as Cisco WiSM
events are automatically discovered. Events forwarded by Cisco WiSM are
displayed on the Log Activity tab of JSA.
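The severity (0-7) and facility (0-23) values in the steps above are what a syslog receiver such as JSA decodes from the PRI prefix of each message, and the Syslog Level setting is a simple severity threshold. The script below is an added example, not code from the Juniper guide or from Cisco; it computes and decodes PRI from those tables and applies the controller's forwarding rule to a few constructed WiSM-style lines (the task names in them are invented).

```python
"""Syslog PRI arithmetic and severity-threshold filtering for the severity
(0-7) and facility (0-23) values offered by the Cisco WiSM Syslog Level and
Syslog Facility list boxes.

Added example for this guide; it is not Juniper or Cisco code. The sample
syslog lines below are constructed for illustration.
"""
import re
from typing import List, Tuple

# Severity names as the WiSM Syslog Level list box shows them.
SEVERITIES = {
    0: "Emergencies", 1: "Alerts", 2: "Critical", 3: "Errors",
    4: "Warnings", 5: "Notifications", 6: "Informational", 7: "Debugging",
}

# Facility names as the WiSM Syslog Facility list box shows them.
# Facility 10 is not offered in that list box, so it is absent here too.
FACILITIES = {
    0: "Kernel", 1: "User Process", 2: "Mail", 3: "System Daemons",
    4: "Authorization", 5: "Syslog", 6: "Line Printer", 7: "USENET",
    8: "Unix-to-Unix Copy", 9: "Cron", 11: "FTP Daemon",
    12: "System Use 1", 13: "System Use 2", 14: "System Use 3",
    15: "System Use 4",
}
FACILITIES.update({16 + n: f"Local Use {n}" for n in range(8)})

# A syslog message starts with "<PRI>", where PRI = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def pri(facility: int, severity: int) -> int:
    """Return the PRI value a device emits for a facility/severity pair."""
    if not 0 <= facility <= 23:
        raise ValueError(f"facility {facility} outside 0-23")
    if not 0 <= severity <= 7:
        raise ValueError(f"severity {severity} outside 0-7")
    return facility * 8 + severity


def split_pri(value: int) -> Tuple[int, int]:
    """Recover (facility, severity) from a PRI value."""
    if not 0 <= value <= 191:
        raise ValueError(f"PRI {value} outside 0-191")
    return divmod(value, 8)


def parse_message(line: str) -> Tuple[int, int, str]:
    """Split one syslog line into (facility, severity, remainder)."""
    m = PRI_RE.match(line)
    if m is None:
        raise ValueError("line has no <PRI> prefix")
    facility, severity = split_pri(int(m.group(1)))
    return facility, severity, m.group(2)


def forwarded(lines: List[str], syslog_level: int) -> List[str]:
    """Apply the controller's rule: a message is sent to the syslog server
    only when its severity is equal to or less than the configured level."""
    if not 0 <= syslog_level <= 7:
        raise ValueError(f"level {syslog_level} outside 0-7")
    return [line for line in lines if parse_message(line)[1] <= syslog_level]


def describe(line: str) -> str:
    """Human-readable facility/severity for a line, useful when checking
    what a log source actually delivers to the collector."""
    facility, severity, _ = parse_message(line)
    return f"{FACILITIES.get(facility, 'Unlisted')}/{SEVERITIES[severity]}"


# Constructed sample lines: facility 5 (Syslog, the WiSM default) at
# severities 1, 3, 4 and 6, plus one line at Local Use 4 (facility 20).
SAMPLE_LINES = [
    "<41>Jan 1 00:00:01 wism-1: *taskA: Alert: rogue AP detected",
    "<43>Jan 1 00:00:02 wism-1: *taskB: Error: ARP table full",
    "<44>Jan 1 00:00:03 wism-1: *taskC: Warning: AP rebooting",
    "<46>Jan 1 00:00:04 wism-1: *taskD: Info: client associated",
    "<165>Jan 1 00:00:05 wism-1: *taskE: Notification: config saved",
]

if __name__ == "__main__":
    # Default Syslog Level is Alerts (1): only severity 0-1 leaves the box.
    print("level 1 ->", len(forwarded(SAMPLE_LINES, 1)), "line(s) forwarded")
    # Warnings (4): severities 0-4 are forwarded, 5-7 are dropped.
    for line in forwarded(SAMPLE_LINES, 4):
        print(describe(line), "|", line)
```

Raising the Syslog Level on the controller is the only way to see the Informational line above at the collector; nothing on the JSA side can recover a message the device never sent.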


Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from Cisco
WiSM. The following configuration steps are optional.
To manually configure a log source for Cisco WiSM:

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.
Step 4 Click the Log Sources icon.

The Log Sources window is displayed.
Step 5 Click Add.

The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco Wireless Services Module (WiSM).
Step 9 Using the Protocol Configuration list box, select Syslog.

The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 26-17 Syslog Protocol Parameters

Parameter               Description
Log Source Identifier   Type the IP address or host name for the log source as an
                        identifier for events from your Cisco WiSM appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

Cisco Wireless LAN Controllers

The Cisco Wireless LAN Controllers DSM for JSA collects events forwarded from
Cisco Wireless LAN Controller devices using syslog or SNMPv2.
This section includes the following topics:
• Configuring Syslog for Cisco Wireless LAN Controller
• Configuring SNMPv2 for Cisco Wireless LAN Controller

Before You Begin

If you collect events from Cisco Wireless LAN Controllers, you should select the
best collection method for your configuration. The Cisco Wireless LAN Controller
DSM for JSA supports both syslog and SNMPv2 events. However, syslog provides
all available Cisco Wireless LAN Controller events, where SNMPv2 only sends a
limited set of security events to JSA.
Configuring Syslog for Cisco Wireless LAN Controller

You can configure Cisco Wireless LAN Controller to forward syslog events to JSA.
Procedure

Step 1 Log in to your Cisco Wireless LAN Controller interface.
Step 2 Click the Management tab.
Step 3 From the menu, select Logs > Config.
Step 4 In the Syslog Server IP Address field, type the IP address of your JSA console.
Step 5 Click Add.
Step 6 From the Syslog Level list box, select a logging level.

The Information level allows you to collect all Cisco Wireless LAN Controller
events above the debug level.
Step 7 From the Syslog Facility list box, select a facility level.
Step 8 Click Apply.
Step 9 Click Save Configuration.

What to do next
You are now ready to configure a syslog log source for Cisco Wireless LAN
Controller.
Configuring a syslog log source in JSA
JSA does not automatically discover incoming syslog events from Cisco Wireless
LAN Controllers. You must create a log source for each Cisco Wireless LAN
Controller providing syslog events to JSA.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco Wireless LAN Controllers.
Step 9 Using the Protocol Configuration list box, select Syslog.

Step 10 Configure the following values:

Table 26-18 Syslog Protocol Parameters

Parameter                Description
Log Source Identifier    Type the IP address or host name for the log source as an
                         identifier for events from your Cisco Wireless LAN Controller.
Enabled                  Select this check box to enable the log source. By default,
                         the check box is selected.
Credibility              From the list box, select the credibility of the log source. The
                         range is 0 to 10. The credibility indicates the integrity of an
                         event or offense as determined by the credibility rating from
                         the source devices. Credibility increases if multiple sources
                         report the same event. The default is 5.
Target Event Collector   From the list box, select the Event Collector to use as the
                         target for the log source.
Coalescing Events        Select this check box to enable the log source to coalesce
                         (bundle) events.
                         Automatically discovered log sources use the default value
                         configured in the Coalescing Events drop-down in the JSA
                         Settings window on the Admin tab. However, when you
                         create a new log source or update the configuration for an
                         automatically discovered log source you can override the
                         default value by configuring this check box for each log
                         source. For more information on settings, see the Juniper
                         Secure Analytics Administration Guide.
Incoming Event Payload   From the list box, select the incoming payload encoder for
                         parsing and storing the logs.
Store Event Payload      Select this check box to enable or disable JSA from storing
                         the event payload.
                         Automatically discovered log sources use the default value
                         from the Store Event Payload drop-down in the JSA
                         Settings window on the Admin tab. However, when you
                         create a new log source or update the configuration for an
                         automatically discovered log source you can override the
                         default value by configuring this check box for each log
                         source.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.
Configuring SNMPv2 for Cisco Wireless LAN Controller

SNMP event collection for Cisco Wireless LAN Controllers allows you to capture the following events for JSA:
• SNMP Config Event
• bsn Authentication Errors
• LWAPP Key Decryption Errors
Procedure
Step 1 Log in to your Cisco Wireless LAN Controller interface.
Step 2 Click the Management tab.
Step 3 From the menu, select SNMP > Communities.

You can use one of the default communities or create a new community.
Step 4 Click New.
Step 5 In the Community Name field, type the name of the community for your device.
Step 6 In the IP Address field, type the IP address of JSA.

The IP address and IP mask you specify are the address range from which your Cisco Wireless LAN Controller accepts SNMP requests. You can treat these values as an access list for SNMP requests.
Step 7 In the IP Mask field, type a subnet mask.
Step 8 From the Access Mode list box, select Read Only or Read/Write.
Step 9 From the Status list box, select Enable.
Step 10 Click Save Configuration to save your changes.

What to do next
You are now ready to create an SNMPv2 trap receiver.
Configure a trap receiver for Cisco Wireless LAN Controller
Trap receivers configured for Cisco Wireless LAN Controllers define where the
device can send SNMP trap messages.
Procedure
Step 1 Click the Management tab.
Step 2 From the menu, select SNMP > Trap Receivers.
Step 3 In the Trap Receiver Name field, type a name for your trap receiver.
Step 4 In the IP Address field, type the IP address of JSA.

The IP address you specify is the address to which your Cisco Wireless LAN Controller sends SNMP messages. If you plan to configure this log source on an Event Collector, specify the IP address of that Event Collector appliance.
Step 5 From the Status list box, select Enable.
Step 6 Click Apply to commit your changes.
Step 7 Click Save Configuration to save your settings.

What to do next
You are now ready to create an SNMPv2 log source in JSA.


Configure a log source for SNMPv2 for Cisco Wireless LAN Controller
JSA does not automatically discover and create log sources for SNMP event data
from Cisco Wireless LAN Controllers. You must create a log source for each Cisco
Wireless LAN Controller providing SNMPv2 events.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco Wireless LAN Controllers.
Step 9 Using the Protocol Configuration list box, select SNMPv2.
Step 10 Configure the following values:

Table 26-19 SNMPv2 protocol parameters

Log Source Identifier
Type the IP address or host name for the log source as an identifier for events from your Cisco Wireless LAN Controller.

Community
Type the SNMP community name required to access the system containing SNMP events. The default is Public.

Include OIDs in Event Payload
Select the Include OIDs in Event Payload check box. This option allows the SNMP event payload to be constructed using name-value pairs instead of the standard event payload format. Including OIDs in the event payload is required for processing SNMPv2 or SNMPv3 events from certain DSMs.

Enabled
Select this check box to enable the log source. By default, the check box is selected.

Credibility
From the list box, select the credibility of the log source. The range is 0 to 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.

Target Event Collector
From the list box, select the Event Collector to use as the target for the log source.

Coalescing Events
Select this check box to enable the log source to coalesce (bundle) events. Automatically discovered log sources use the default value configured in the Coalescing Events drop-down in the JSA Settings window on the Admin tab. However, when you create a new log source or update the configuration for an automatically discovered log source, you can override the default value by configuring this check box for each log source. For more information on settings, see the Juniper Secure Analytics Administration Guide.

Store Event Payload
Select this check box to enable or disable JSA from storing the event payload. Automatically discovered log sources use the default value from the Store Event Payload drop-down in the JSA Settings window on the Admin tab. However, when you create a new log source or update the configuration for an automatically discovered log source, you can override the default value by configuring this check box for each log source.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete. Events forwarded by Cisco Wireless LAN Controller are displayed on the Log Activity tab of JSA.

Cisco Identity Services Engine

Configuration Overview

The Cisco Identity Services Engine (ISE) DSM for JSA accepts syslog events from Cisco ISE appliances with log sources configured to use the UDP Multiline protocol.
JSA supports syslog events forwarded by Cisco ISE version 1.1. Before you configure your Cisco ISE appliance, you should consider which logging categories you want Cisco ISE to forward to JSA. Each logging category must be configured with a syslog severity and included as a remote target to allow Cisco ISE to forward the event to JSA. The log source you configure in JSA receives the event forwarded from Cisco ISE and uses a regular expression to assemble the multiline syslog event into an event readable by JSA.


To integrate Cisco ISE events with JSA, you must perform the following tasks:
1 Configure a log source in JSA for your Cisco ISE appliance forwarding events to JSA.
2 Create a remote logging target for JSA on your Cisco ISE appliance.
3 Configure the logging categories on your Cisco ISE appliance.

Supported Event Logging Categories

The Cisco ISE DSM for JSA is capable of receiving syslog events from the
following event logging categories.
Table 26-1 Supported Cisco ISE Event Logging Categories

Event logging category
AAA audit
Failed attempts
Passed authentication
AAA diagnostics
Administrator authentication and authorization
Authentication flow diagnostics
Identity store diagnostics
Policy diagnostics
Radius diagnostics
Guest
Accounting
Radius accounting
Administrative and operational audit
Posture and client provisioning audit
Posture and client provisioning diagnostics
Profiler
System diagnostics
Distributed management
Internal operations diagnostics
System statistics

Configuring a Cisco ISE Log Source in JSA

To collect syslog events, you must configure a log source for Cisco ISE in JSA to
use the UDP Multiline Syslog protocol.
You must configure a log source for each individual Cisco ISE appliance that
forwards events to JSA. However, all Cisco ISE appliances can forward their
events to the same listen port on JSA that you configure.


Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 In the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for your log source.
Step 8 From the Log Source Type list box, select Cisco Identity Services Engine.
Step 9 From the Protocol Configuration list box, select UDP Multiline Syslog.
Step 10 Configure the following values:

Table 26-2 Cisco ISE Log Source Parameters

Log Source Identifier
Type the IP address, host name, or name to identify the log source or appliance providing UDP Multiline Syslog events to JSA.

Listen Port
Type 517 as the port number used by JSA to accept incoming UDP Multiline Syslog events. The valid port range is 1 to 65535.
To edit a saved configuration to use a new port number:
1 In the Listen Port field, type the new port number for receiving UDP Multiline Syslog events.
2 Click Save.
3 On the Admin tab, select Advanced > Deploy Full Configuration.
After the full deploy completes, JSA is capable of receiving events on the updated listen port.
Note: When you click Deploy Full Configuration, JSA restarts all services, resulting in a gap in data collection for events and flows until the deployment completes.

Message ID Pattern
Type the following regular expression (regex) required to filter the event payload messages:
CISE_\S+ (\d{10})

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

What to do next
You are now ready to configure your Cisco ISE appliance with a remote logging
target.
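The following Python is an added illustration, not code from the guide or from Cisco or Juniper, of what the Message ID Pattern does for the UDP Multiline Syslog log source: datagrams are grouped by the 10-digit message ID the regex captures and stitched back into one event. It assumes (an assumption for this example) that each segment carries a total-segment count and a zero-based segment index after the message ID; the sample datagrams are constructed, not captured.

```python
import re
from collections import defaultdict

# The Message ID Pattern from the JSA log source configuration: the 10-digit
# number after the CISE_<category> token is what the reassembly is keyed on.
MESSAGE_ID_PATTERN = re.compile(r"CISE_\S+ (\d{10})")

# Segment header layout assumed for this example (an assumption, not from the
# guide): <category> <10-digit message ID> <total segments> <segment index>
# followed by that segment's share of the event text.
SEGMENT_HEADER = re.compile(
    r"^.*?(?P<category>CISE_\S+) (?P<msg_id>\d{10}) "
    r"(?P<total>\d+) (?P<index>\d+) (?P<text>.*)$"
)

# Constructed sample datagrams (not a capture). Event 42 arrives in two
# segments, event 43 fits in one, and event 44 is missing its second
# segment to show what a lost UDP datagram looks like to the collector.
SAMPLE_DATAGRAMS = [
    "<182>Jan 10 12:00:01 ise01 CISE_Failed_Attempts 0000000042 2 0 "
    "2014-01-10 12:00:01.123 +00:00 0000001234 5400 NOTICE Failed-Attempt: "
    "Authentication failed, ConfigVersionId=7, Device IP Address=10.0.0.5, UserName=",
    "<182>Jan 10 12:00:01 ise01 CISE_Failed_Attempts 0000000042 2 1 "
    "alice, NAS-IP-Address=10.0.0.5, FailureReason=22040 Wrong password",
    "<182>Jan 10 12:00:02 ise01 CISE_Passed_Authentications 0000000043 1 0 "
    "2014-01-10 12:00:02.456 +00:00 0000001235 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, UserName=bob, NAS-IP-Address=10.0.0.6",
    "<182>Jan 10 12:00:03 ise01 CISE_Failed_Attempts 0000000044 2 0 "
    "2014-01-10 12:00:03.000 +00:00 0000001236 5400 NOTICE Failed-Attempt: "
    "Authentication failed, UserName=",
]


def message_id(datagram):
    """Return the 10-digit message ID that the JSA pattern extracts, or None."""
    m = MESSAGE_ID_PATTERN.search(datagram)
    return m.group(1) if m else None


def assemble(datagrams):
    """Rebuild multiline events from segments that may arrive in any order.

    Returns {message_id: full_text} for events whose every segment was seen.
    Incomplete events are held back rather than emitted as truncated text,
    so a downstream rule never matches on half an event.
    """
    parts = defaultdict(dict)
    totals = {}
    for datagram in datagrams:
        m = SEGMENT_HEADER.match(datagram)
        if m is None:
            continue  # not an ISE segment; an ordinary syslog line
        mid = m.group("msg_id")
        totals[mid] = int(m.group("total"))
        parts[mid][int(m.group("index"))] = m.group("text")
    complete = {}
    for mid, segments in parts.items():
        total = totals[mid]
        if all(i in segments for i in range(total)):
            complete[mid] = "".join(segments[i] for i in range(total))
    return complete


def fields(event_text):
    """Split the comma-separated 'Key=Value' attributes of a reassembled event."""
    out = {}
    for chunk in event_text.split(", "):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            out[key.strip()] = value.strip()
    return out


if __name__ == "__main__":
    for mid, text in assemble(SAMPLE_DATAGRAMS).items():
        attrs = fields(text)
        print(mid, attrs.get("UserName"), attrs.get("FailureReason"))
```

A UserName split across two datagrams, as in event 42 above, is the case that a plain per-datagram syslog log source would mis-parse; the JSA UDP Multiline Syslog protocol exists for exactly this.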


Creating a Remote Logging Target in Cisco ISE

To forward syslog events to JSA, you must configure your Cisco ISE appliance
with a remote logging target.
Procedure

Step 1 Log in to your Cisco ISE Administration Interface.
Step 2 From the navigation menu, select Administration > System > Logging > Remote Logging Targets.
Step 3 Click Add.
Step 4 In the Name field, type a name for the remote target system.
Step 5 In the Description field, type a description.
Step 6 In the IP Address field, type the IP address of the JSA console or Event Collector.
Step 7 In the Port field, type 517, or use the port value you specified in your Cisco ISE log source for JSA.
Step 8 From the Facility Code list box, select the syslog facility to use for logging events.
Step 9 In the Maximum Length field, type 1024 as the maximum packet length allowed for the UDP syslog message.
Step 10 Click Submit.

The remote logging target is created for JSA.
What to do next
You are now ready to configure the logging categories forwarded by Cisco ISE to
JSA.
Configuring Cisco ISE Logging Categories

To define which events are forwarded by your Cisco ISE appliance, you must configure each logging category with a syslog severity and the remote logging target you configured for JSA.
For a list of pre-defined event logging categories for Cisco ISE, see Supported Event Logging Categories.
Procedure

Step 1 From the navigation menu, select Administration > System > Logging > Logging Categories.
Step 2 Select a logging category, and click Edit.
Step 3 From the Log Severity list box, select a severity for the logging category.
Step 4 In the Target field, add your remote logging target for JSA to the Select box.
Step 5 Click Save.
Step 6 Repeat this process for each logging category you want to forward to JSA.

The configuration is complete. Events forwarded by Cisco ISE are displayed on the
Log Activity tab in JSA.

24 CITRIX

This section provides information on the following DSMs:
• Citrix NetScaler
• Citrix Access Gateway

Citrix NetScaler

The Citrix NetScaler DSM for Juniper Secure Analytics (JSA) accepts all relevant audit log events using syslog.

Configuring Syslog on Citrix NetScaler

To integrate Citrix NetScaler events with JSA, you must configure Citrix NetScaler
to forward syslog events.
Procedure

Step 1 Using SSH, log in to your Citrix NetScaler device as a root user.
Step 2 Type the following command to add a remote syslog server:

add audit syslogAction <name> <IP address> -serverPort 514 -logLevel Info -dateFormat DDMMYYYY

Where:
<name> is a descriptive name for the syslog server action.
<IP address> is the IP address or hostname of your JSA console.

For example:
add audit syslogAction action-JSA 10.10.10.10 -serverPort 514 -logLevel Info -dateFormat DDMMYYYY

Step 3 Type the following command to add an audit policy:

add audit syslogPolicy <policy name> <rule> <action>

Where:
<policy name> is a descriptive name for the syslog policy.
<rule> is the rule or expression the policy uses. The only supported value is ns_true.
<action> is the name of the syslog server action you added in Step 2.

For example:
add audit syslogPolicy policy-JSA ns_true action-JSA

Step 4 Type the following command to bind the policy globally:

bind system global <policy name> -priority <integer>

Where:
<policy name> is the descriptive name of the syslog policy.
<integer> is a numeric value used to rank message priority for multiple policies that are communicating using syslog.

For example:
bind system global policy-JSA -priority 30

When multiple policies have a numeric priority assigned to them, the lower priority value is evaluated before the higher value.

Step 5 Type the following command to save the Citrix NetScaler configuration:

save config

Step 6 Type the following command to verify the policy is saved in your configuration:

sh system global

Note: For information on configuring syslog using the Citrix NetScaler user interface, see http://support.citrix.com/article/CTX121728 or your vendor documentation.

The configuration is complete. The log source is added to JSA as Citrix NetScaler events are automatically discovered. Events forwarded by Citrix NetScaler are displayed on the Log Activity tab of JSA.
The configuration is complete. The log source is added to JSA as Citrix NetScaler
events are automatically discovered. Events forwarded by Citrix NetScaler are
displayed on the Log Activity tab of JSA.

Configuring a Citrix NetScaler Log Source

JSA automatically discovers and creates a log source for syslog events from Citrix
NetScaler. This procedure is optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Citrix NetScaler.
Step 9 Using the Protocol Configuration list box, select Syslog.


Step 10 Configure the following values:

Table 27-1 Syslog protocol parameters

Log Source Identifier
Type the IP address or host name for the log source as an identifier for events from your Citrix NetScaler devices.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

Citrix Access Gateway

The Citrix Access Gateway DSM accepts access, audit, and diagnostic events
forwarded from your Citrix Access Gateway appliance using syslog.

Configuring Syslog for Citrix Access Gateway

This procedure outlines the steps required to configure syslog on your Citrix Access Gateway to forward events to the JSA console or an Event Collector.
Procedure

Step 1 Log in to your Citrix Access Gateway web interface.
Step 2 Click the Access Gateway Cluster tab.
Step 3 Select Logging/Settings.
Step 4 In the Server field, type the IP address of your JSA console or Event Collector.
Step 5 From the Facility list box, select a syslog facility level.
Step 6 In the Broadcast interval (mins) field, type 0 to continuously forward syslog events to JSA.
Step 7 Click Submit to save your changes.

The configuration is complete. The log source is added to JSA as Citrix Access
Gateway events are automatically discovered. Events forwarded to JSA by Citrix
Access Gateway are displayed on the Log Activity tab in JSA.
Configuring a Citrix Access Gateway Log Source

JSA automatically discovers and creates a log source for syslog events from Citrix
Access Gateway appliances. This procedure is optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.

Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Citrix Access Gateway.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 27-2 Syslog protocol parameters

Log Source Identifier
Type the IP address or host name for the log source as an identifier for events from your Citrix Access Gateway appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

25 CRYPTOCARD CRYPTO-SHIELD

The CRYPTOCard CRYPTO-Shield DSM for Juniper Secure Analytics (JSA) accepts events using syslog.
Before You Begin

To integrate CRYPTOCard CRYPTO-Shield events with JSA, you must manually
create a log source to receive syslog events.
Before you can receive events in JSA, you must configure a log source, then
configure your CRYPTOCard CRYPTO-Shield to forward syslog events. Syslog
events forwarded from CRYPTOCard CRYPTO-Shield devices are not
automatically discovered. JSA can receive syslog events on port 514 for both TCP
and UDP.

Configuring a Log Source

JSA does not automatically discover or create log sources for syslog events from
CRYPTOCard CRYPTO-Shield devices.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select CRYPTOCard CRYPTOShield.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 28-1 Syslog Parameters

Log Source Identifier
Type the IP address or host name for the log source as an identifier for events from your CRYPTOCard CRYPTO-Shield device.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The log source is added to JSA.
Configure Syslog for CRYPTOCard CRYPTO-Shield

To configure your CRYPTOCard CRYPTO-Shield device to forward syslog events:

Step 1 Log in to your CRYPTOCard CRYPTO-Shield device.
Step 2 Configure the following System Configuration parameters:

Note: You must have CRYPTOCard Operator access with the assigned default Super-Operator system role to access the System Configuration parameters.

• log4j.appender.<appender> - Directs the logs to a syslog host, where <appender> is the type of log appender, which determines where you want to send logs for storage. The options are: ACC, DBG, or LOG. For this parameter, type the following: org.apache.log4j.net.SyslogAppender
• log4j.appender.<appender>.SyslogHost <host> - Type the IP address or hostname of the syslog server, where:
  - <appender> is the type of log appender, which determines where you want to send logs for storage. The options are: ACC, DBG, or LOG.
  - <host> is the IP address of the JSA host to which you want to send logs. This parameter can only be specified when the log4j.appender.<appender> parameter is configured.

The configuration is complete. Events forwarded to JSA by CRYPTOCard CRYPTO-Shield are displayed on the Log Activity tab.

26 CYBER-ARK VAULT

The Cyber-Ark Vault DSM for Juniper Secure Analytics (JSA) accepts events using
syslog formatted for Log Enhanced Event Format (LEEF).
Supported Event Types

JSA records both user activities and safe activities from the Cyber-Ark Vault in the
audit log events. Cyber-Ark Vault integrates with JSA to forward audit logs using
syslog to create a complete audit picture of privileged account activities.

Event Type Format

Cyber-Ark Vault must be configured to generate events in Log Enhanced Event
Protocol (LEEF) and forward these events using syslog. The LEEF format consists
of a pipe ( | ) delimited syslog header and tab separated fields in the event payload.
If the syslog events forwarded from your Cyber-Ark Vault are not formatted as described above, you must examine your device configuration or software version to ensure your appliance supports LEEF. Properly formatted LEEF event messages are automatically discovered and added as a log source to JSA.

Configure Syslog for Cyber-Ark Vault

To configure Cyber-Ark Vault to forward syslog events to JSA:
Procedure

Step 1 Log in to your Cyber-Ark device.
Step 2 Edit the DBParm.ini file.
Step 3 Configure the following parameters:

• SyslogServerIP - Type the IP address of JSA.
• SyslogServerPort - Type the UDP port used to connect to JSA. The default value is 514.
• SyslogMessageCodeFilter - Configure which message codes are sent from the Cyber-Ark Vault to JSA. You can define specific message numbers or a range of numbers. By default, all message codes are sent for user activities and safe activities. For example, to define a message code of 1,2,3,30 and 5-10, you must type: 1,2,3,5-10,30.
• SyslogTranslatorFile - Type the file path to the LEEF.xsl translator file. The translator file is used to parse Cyber-Ark audit records data in the syslog protocol.

Step 4 Copy LEEF.xsl to the location specified by the SyslogTranslatorFile parameter in the DBParm.ini file.
The configuration is complete. The log source is added to JSA as Cyber-Ark Vault
events are automatically discovered. Events forwarded by Cyber-Ark Vault are
displayed on the Log Activity tab of JSA.
Configuring a Log Source

JSA automatically discovers and creates a log source for syslog events from
Cyber-Ark Vault. The following configuration steps are optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cyber-Ark Vault.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 29-1 Syslog Parameters

Log Source Identifier
Type the IP address or host name for the log source as an identifier for events from your Cyber-Ark Vault appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

27 CYBERGUARD FIREWALL/VPN APPLIANCE

The CyberGuard Firewall VPN Appliance DSM for Juniper Secure Analytics (JSA)
accepts CyberGuard events using syslog.

Supported Event Types

JSA records all relevant CyberGuard events for CyberGuard KS series appliances
forwarded using syslog.

Configure Syslog Events

To configure a CyberGuard device to forward syslog events:
Procedure

Step 1 Log in to the CyberGuard user interface.
Step 2 Select the Advanced page.
Step 3 Under System Log, select Enable Remote Logging.
Step 4 Type the IP address of JSA.
Step 5 Click Apply.

The configuration is complete. The log source is added to JSA as CyberGuard
events are automatically discovered. Events forwarded by CyberGuard appliances
are displayed on the Log Activity tab of JSA.
Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from
CyberGuard appliances. The following configuration steps are optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select CyberGuard TSP Firewall/VPN.

Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 30-1 Syslog parameters

Log Source Identifier
Type the IP address or host name for the log source as an identifier for events from your CyberGuard appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

28 DAMBALLA FAILSAFE

The Failsafe DSM for Juniper Secure Analytics (JSA) accepts syslog events using
the Log Enhanced Event Protocol (LEEF), enabling JSA to record all relevant
Damballa Failsafe events.
Event Type Format

Damballa Failsafe must be configured to generate events in Log Enhanced Event
Protocol (LEEF) and forward these events using syslog. The LEEF format consists
of a pipe ( | ) delimited syslog header and tab separated fields in the event payload.
If the syslog events forwarded from your Damballa Failsafe are not formatted as described above, you must examine your device configuration or software version to ensure your appliance supports LEEF. Properly formatted LEEF event messages are automatically discovered and added as a log source to JSA.
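The Cyber-Ark Vault and Damballa Failsafe sections both describe the same LEEF layout (a pipe-delimited syslog header followed by tab-separated fields). The Python below is an added example, not code from the guide or either vendor, that parses that layout and rejects the malformed cases the text warns about; the sample lines and their attribute names are constructed for illustration, not captured from a real appliance.

```python
from dataclasses import dataclass, field

# Constructed sample lines (not captures); attribute names are illustrative.
GOOD_LINE = (
    "<13>Jan 10 12:00:00 vault01 LEEF:1.0|CyberArk|Vault|7.2|295|"
    "act=Retrieve password\tusrName=alice\tsrc=10.1.2.3\tcat=Safe Activity"
)
# Only four header fields before the payload: JSA would not recognise this.
SHORT_HEADER_LINE = (
    "<13>Jan 10 12:00:00 vault01 LEEF:1.0|CyberArk|Vault|295|act=Retrieve password"
)
# Free-text syslog with no LEEF header at all.
NOT_LEEF_LINE = "<13>Jan 10 12:00:00 vault01 CyberArk Vault 295 Retrieve password alice"


@dataclass
class LeefEvent:
    leef_version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attributes: dict = field(default_factory=dict)


def parse_leef(line):
    """Parse one syslog line carrying a LEEF 1.0 payload.

    The header is five pipe-delimited fields starting with 'LEEF:<version>';
    the payload is tab-separated key=value attributes. Anything else raises
    ValueError, which is the situation in which JSA does not auto-discover
    the log source and the device configuration needs checking.
    """
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in line")
    # maxsplit=5 keeps any '|' inside attribute values intact.
    parts = line[start:].split("|", 5)
    if len(parts) != 6:
        raise ValueError("LEEF header must have five pipe-delimited fields")
    version_tag, vendor, product, product_version, event_id, payload = parts
    attributes = {}
    for item in payload.split("\t"):
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"attribute without '=': {item!r}")
        key, value = item.split("=", 1)
        attributes[key] = value
    return LeefEvent(version_tag[len("LEEF:"):], vendor, product,
                     product_version, event_id, attributes)


def is_well_formed_leef(line):
    """True if the line parses as LEEF, False for the malformed cases."""
    try:
        parse_leef(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in (GOOD_LINE, SHORT_HEADER_LINE, NOT_LEEF_LINE):
        print(is_well_formed_leef(sample), sample[:60])
```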

Configuring Syslog for Damballa Failsafe

To collect events, you must configure your Damballa Failsafe device to forward
syslog events to JSA.
Procedure

Step 1 Log in to your Damballa Failsafe Management console.
Step 2 From the navigation menu, select Setup > Integration Settings.
Step 3 Click the Q1 QRadar tab.
Step 4 Select Enable Publishing to Q1 QRadar.
Step 5 Configure the following options:
a Q1 Hostname - Type the IP address or Fully Qualified Name (FQN) of your JSA console.
b Destination Port - Type 514. By default, JSA uses port 514 as the port for receiving syslog events.
c Source Port - Optional. Type the source port your Damballa Failsafe device uses for sending syslog events.

Step 6 Click Save.

The configuration is complete. The log source is added to JSA as Damballa
Failsafe events are automatically discovered. Events forwarded by Damballa
Failsafe are displayed on the Log Activity tab of JSA.


Configuring a Log Source

JSA automatically discovers and creates a log source for syslog events from
Damballa Failsafe devices. The following configuration steps are optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Damballa Failsafe.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 31-1 Syslog Parameters

Log Source Identifier
Type the IP address or host name for the log source as an identifier for events from your Damballa Failsafe devices.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

29 DIGITAL CHINA NETWORKS (DCN)

The Digital China Networks (DCN) DCS/DCRS Series DSM for Juniper Secure
Analytics (JSA) can accept events from Digital China Networks (DCN) switches
using syslog.
Supported Event Types

JSA records all relevant IPv4 events forwarded from DCN switches. To integrate your device with JSA, you must configure a log source, then configure your DCS or DCRS switch to forward syslog events.

Supported Appliances

The DSM supports the following DCN DCS/DCRS Series switches:
• DCS - 3650
• DCS - 3950
• DCS - 4500
• DCRS - 5750
• DCRS - 5960
• DCRS - 5980
• DCRS - 7500
• DCRS - 9800

Configuring a Log Source

JSA does not automatically discover incoming syslog events from DCN DCS/DCRS Series switches.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.

Step 8 From the Log Source Type list box, select DCN DCS/DCRS Series.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following value:

Table 32-1 Syslog Parameters

Log Source Identifier
Type the IP address, hostname, or name for the log source as an identifier for your DCN DCS/DCRS Series switch. Each log source you create for your DCN DCS/DCRS Series switch should include a unique identifier, such as an IP address or hostname.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The log source is added to JSA. You are now ready to configure your Digital China
Networks DCS or DCRS Series switch to forward events to JSA.
Configure a DCN DCS/DCRS Series Switch

To collect events, you must configure your DCN DCS/DCRS Series switch to forward syslog events to JSA.
Procedure

Step 1 Log in to your DCN DCS/DCRS Series switch command-line Interface (CLI).
Step 2 Type the following command to access the administrative mode:

enable
Step 3 Type the following command to access the global configuration mode:

config

The command-line interface displays the configuration mode prompt:
Switch(Config)#
Step 4 Type the following command to configure a log host for your switch:

logging <IP address> facility <facility> severity <severity>

Where:
<IP address> is the IP address of the JSA console.
<facility> is the syslog facility, for example, local0.
<severity> is the severity of the syslog events, for example, informational. If you specify a value of informational, you forward all informational level events and above, such as notifications, warnings, errors, critical, alerts, and emergencies.

For example:
logging 10.10.10.1 facility local0 severity informational


Step 5 Type the following command to save your configuration changes:

write

The configuration is complete. You can verify events forwarded to JSA by viewing
events in the Log Activity tab.

30 ENTERASYS

This section provides information on the following DSMs:
• Enterasys Dragon
• Enterasys HiGuard Wireless IPS
• Enterasys HiPath Wireless Controller
• Enterasys Stackable and Standalone Switches
• Enterasys XSR Security Router
• Enterasys Matrix Router
• Enterasys NetSight Automatic Security Manager
• Enterasys Matrix K/N/S Series Switch
• Enterasys NAC
• Enterasys 800-Series Switch

Enterasys Dragon

The Enterasys Dragon DSM for Juniper Secure Analytics (JSA) accepts Enterasys events using either syslog or SNMPv3 to record all relevant Enterasys Dragon events.
To configure your JSA Enterasys Dragon DSM, you must:
1 Choose one of the following:
a Create an Alarm Tool policy using an SNMPv3 notification rule. See Create an Alarm Tool Policy for SNMPv3.
b Create an Alarm Tool policy using a Syslog notification rule. See Create a Policy for Syslog.
2 Configure the log source within JSA. See Configure a Log Source.
3 Configure Dragon Enterprise Management Server (EMS) to forward syslog messages. See Configure the EMS to Forward Syslog Messages.


Create an Alarm Tool Policy for SNMPv3

This procedure describes how to configure an Alarm Tool policy using an SNMPv3
notification rule. Use SNMPv3 notification rules if you need to transfer PDATA
binary data elements.
To configure Enterasys Dragon with an Alarm Tool policy using an SNMPv3
notification rule:

Step 1 Log in to the Enterasys Dragon EMS.
Step 2 Click the Alarm Tool icon.
Step 3 Configure the Alarm Tool Policy:
a In the Alarm Tool Policy View > Custom Policies menu tree, right-click and
select Add Alarm Tool Policy.
The Add Alarm Tool Policy window is displayed.
b In the Add Alarm Tool Policy field, type a policy name. For example: JSA
c Click OK.
d In the menu tree, select the policy name you entered in Step 3b.

Step 4 To configure the event group:
a Click the Events Group tab.
b Click New.
The Event Group Editor is displayed.
c Select the event group or individual events to monitor.
d Click Add.
A prompt is displayed.
e Click Yes.
f In the right column of the Event Group Editor, type Dragon-Events.
g Click OK.

Step 5 Configure the SNMPv3 notification rules:
a Click the Notification Rules tab.
b Click New.
c In the name field, type JSA-Rule.
d Click OK.
e In the Notification Rules panel, select JSA-Rule.
f Click the SNMP V3 tab.
g Click New.
h Update SNMP V3 values, as required:
- Server IP Address - Type the JSA IP address.
Note: Do not change the OID.
- Inform - Select the Inform check box.
- Security Name - Type the SNMPv3 username.
- Auth Password - Type the appropriate password.
- Priv Password - Type the appropriate password.
- Message - Type the following on one line:
Dragon Event:
%DATE%,,%TIME%,,%NAME%,,%SENSOR%,,%PROTO%,,%SIP%,,
%DIP%,,%SPORT%,,%DPORT%,,%DIR%,,%DATA%,,<<<%PDATA%>>>
Note: Verify that the security passwords and protocols match the data configured in
the SNMP configuration.
i Click OK.

Step 6 Verify that the notification events are logged as separate events:
a Click the Global Options tab.
b Click the Main tab.
c Make sure that Concatenate Events is not selected.

Step 7 Configure the SNMP options:
a Click the Global Options tab.
b Click the SNMP tab.
c Type the IP address of the EMS server sending SNMP traps.

Step 8 Configure the alarm information:
a Click the Alarms tab.
b Click New.
c Type values for the following parameters:
- Name - Type JSA-Alarm.
- Type - Select Real Time.
- Event Group - Select Dragon-Events.
- Notification Rule - Select the JSA-Rule check box.
d Click OK.
e Click Commit.

Step 9 Navigate to the Enterprise View.
Step 10 Right-click on the Alarm Tool and select Associate Alarm Tool Policy.
Step 11 Select the JSA policy. Click OK.
Step 12 From the Enterprise menu, right-click and select Deploy.

You are now ready to configure the log source SNMP protocol in JSA.
Create a Policy for Syslog

This procedure describes how to configure an Alarm Tool policy using a syslog
notification rule in the Log Event Extended Format (LEEF) message format.
LEEF is the preferred message format for sending notifications to Dragon Network
Defense when the notification rate is very high or when IPv6 addresses are
displayed. If you prefer not to use syslog notifications in LEEF format, refer to your
Enterasys Dragon documentation for more information.

Note: Use SNMPv3 notification rules if you need to transfer PDATA, which is a
binary data element. Do not use a syslog notification rule.
To configure Enterasys Dragon with an Alarm Tool policy using a syslog notification
rule:

Step 1 Log in to the Enterasys Dragon EMS.
Step 2 Click the Alarm Tool icon.
Step 3 Configure the Alarm Tool Policy:
a In the Alarm Tool Policy View > Custom Policies menu tree, right-click and
select Add Alarm Tool Policy.
The Add Alarm Tool Policy window is displayed.
b In the Add Alarm Tool Policy field, type a policy name. For example: JSA
c Click OK.
d In the menu tree, select JSA.

Step 4 To configure the event group:
a Click the Events Group tab.
b Click New.
The Event Group Editor is displayed.
c Select the event group or individual events to monitor.
d Click Add.
A prompt is displayed.
e Click Yes.
f In the right column of the Event Group Editor, type Dragon-Events.
g Click OK.

Step 5 Configure the Syslog notification rule:
a Click the Notification Rules tab.
b Click New.
c In the name field, type JSA-RuleSys.
d Click OK.
e In the Notification Rules panel, select the newly created JSA-RuleSys item.
f Click the Syslog tab.
g Click New.
The Syslog Editor is displayed.
h Update the following values:
- Facility - Using the Facility list box, select a facility.
- Level - Using the Level list box, select notice.
- Message - Using the Type list box, select LEEF.
LEEF:Version=1.0|Vendor|Product|ProductVersion|eventID|devTime|
proto|src|sensor|dst|srcPort|dstPort|direction|eventData|
Note: The LEEF message format delineates between fields using a pipe delimiter
between each keyword.
i Click OK.

Step 6 Verify that the notification events are logged as separate events:
a Click the Global Options tab.
b Click the Main tab.
c Make sure that Concatenate Events is not selected.

Step 7 Configure the alarm information:
a Click the Alarms tab.
b Click New.
c Type values for the parameters:
- Name - Type JSA-Alarm.
- Type - Select Real Time.
- Event Group - Select Dragon-Events.
- Notification Rule - Select the JSA-RuleSys check box.
d Click OK.
e Click Commit.

Step 8 Navigate to the Enterprise View.
Step 9 Right-click on the Alarm Tool and select Associate Alarm Tool Policy.
Step 10 Select the newly created JSA policy. Click OK.
Step 11 In the Enterprise menu, right-click the policy and select Deploy.

You are now ready to configure a syslog log source in JSA.
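The two notification templates above, the SNMPv3 Message (",," delimited, with binary PDATA wrapped in <<< >>>) and the pipe-delimited LEEF line, can be split into named fields with the following parsers, an added example that is not part of the Juniper or Enterasys documentation. The sample messages, the event name TEST-SIGNATURE and the addresses are constructed; the parsers reject a line whose field count no longer matches the template (for example a pipe inside eventData) rather than mis-assigning fields silently.

```python
"""Parsers for the two Enterasys Dragon notification templates shown above.

Added example, not code from the Juniper or Enterasys documentation. The
field order follows the SNMPv3 Message template (",," delimited, PDATA wrapped
in <<< >>>) and the syslog LEEF template ("|" delimited) exactly as printed in
the procedures above; the sample messages are constructed for illustration.
"""
from typing import Dict, Optional

# Positional field names of the SNMPv3 Message template, in template order.
SNMP_FIELDS = ["date", "time", "name", "sensor", "proto", "sip", "dip",
               "sport", "dport", "dir", "data"]

# Positional field names of the LEEF template, after the LEEF:Version=1.0 header.
LEEF_FIELDS = ["vendor", "product", "productVersion", "eventID", "devTime",
               "proto", "src", "sensor", "dst", "srcPort", "dstPort",
               "direction", "eventData"]

SNMP_PREFIX = "Dragon Event:"
LEEF_HEADER = "LEEF:Version=1.0"


def parse_dragon_snmp_message(msg: str) -> Dict[str, Optional[str]]:
    """Split a message built from the SNMPv3 template into named fields.

    PDATA is a binary element, so it is cut out by its <<< >>> markers before
    the ",," split; a ",," sequence inside PDATA therefore cannot shift the
    other fields. A ",," inside %DATA% itself is not recoverable and raises.
    """
    if not msg.startswith(SNMP_PREFIX):
        raise ValueError("not a Dragon Event message")
    body = msg[len(SNMP_PREFIX):].strip()
    pdata: Optional[str] = None
    start = body.find("<<<")
    if start != -1:
        end = body.rfind(">>>")
        if end < start:
            raise ValueError("unterminated PDATA marker")
        pdata = body[start + 3:end]
        body = body[:start]          # leaves the trailing ",," of the template
    parts = [p.strip() for p in body.split(",,")]
    if parts and parts[-1] == "":    # trailing delimiter before <<<PDATA>>>
        parts.pop()
    if len(parts) != len(SNMP_FIELDS):
        raise ValueError(f"expected {len(SNMP_FIELDS)} fields, got {len(parts)}")
    fields: Dict[str, Optional[str]] = dict(zip(SNMP_FIELDS, parts))
    fields["pdata"] = pdata
    return fields


def parse_dragon_leef(line: str) -> Dict[str, str]:
    """Split a syslog message built from the LEEF template into named fields.

    Every field boundary is a pipe, so a pipe inside eventData changes the
    field count; the parser rejects such a line instead of mis-assigning
    fields silently.
    """
    parts = line.rstrip("\r\n").split("|")
    if parts[0] != LEEF_HEADER:
        raise ValueError(f"unexpected LEEF header: {parts[0]!r}")
    values = parts[1:]
    if values and values[-1] == "":  # the template ends with a trailing pipe
        values.pop()
    if len(values) != len(LEEF_FIELDS):
        raise ValueError(f"expected {len(LEEF_FIELDS)} fields, got {len(values)}")
    return dict(zip(LEEF_FIELDS, values))


def normalize(fields: Dict[str, Optional[str]]) -> Dict[str, Optional[str]]:
    """Map either template onto one common schema so events from an SNMPv3
    policy and from a syslog policy can be compared or correlated alike."""
    if "eventID" in fields:          # LEEF template
        return {
            "event_id": fields["eventID"], "dev_time": fields["devTime"],
            "sensor": fields["sensor"], "proto": fields["proto"],
            "src": fields["src"], "dst": fields["dst"],
            "src_port": fields["srcPort"], "dst_port": fields["dstPort"],
            "direction": fields["direction"], "event_data": fields["eventData"],
        }
    return {                          # SNMPv3 template
        "event_id": fields["name"],
        "dev_time": f'{fields["date"]} {fields["time"]}',
        "sensor": fields["sensor"], "proto": fields["proto"],
        "src": fields["sip"], "dst": fields["dip"],
        "src_port": fields["sport"], "dst_port": fields["dport"],
        "direction": fields["dir"], "event_data": fields["data"],
    }


# Constructed sample messages (documentation addresses, made-up event name).
SNMP_SAMPLE = ("Dragon Event: 2014-11-27,,10:15:02,,TEST-SIGNATURE,,sensor01,,TCP,,"
               "192.0.2.10,,198.51.100.5,,51234,,22,, I,,sample payload,,<<<AB,,CD>>>")
LEEF_SAMPLE = ("LEEF:Version=1.0|Enterasys|Dragon|7.4.0|TEST-SIGNATURE|"
               "2014-11-27 10:15:02|TCP|192.0.2.10|sensor01|198.51.100.5|"
               "51234|22|I|sample payload|")

if __name__ == "__main__":
    print(normalize(parse_dragon_snmp_message(SNMP_SAMPLE)))
    print(normalize(parse_dragon_leef(LEEF_SAMPLE)))
```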
Configure a Log Source

You are now ready to configure the log source in JSA:

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Enterasys Dragon Network IPS.
Step 9 From the Protocol Configuration list box, select either the SNMPv3 or Syslog
option. For more information on configuring a specific protocol, see the Log
Sources Users Guide.
For more information about the Enterasys Dragon device, see your Enterasys Dragon
documentation.

Note: Using the event mapping tool in the Log Activity tab, you can map a
normalized or raw event to a high-level and low-level category (or QID). However,
you cannot map combination Dragon messages using the event mapping tool. For
more information, see the Juniper Secure Analytics Users Guide.

Configure the EMS to Forward Syslog Messages

Starting with Dragon Enterprise Management Server (EMS) v7.4.0 appliances, you
must use syslog-ng for forwarding events to a Security and Information Manager
such as JSA.
Syslogd has been replaced by syslog-ng in Dragon EMS v7.4.0 and above.
To configure EMS to forward syslog messages, you must choose one of the
following:
• If you are using syslog-ng and Enterasys Dragon EMS v7.4.0 and above, see
Configuring syslog-ng Using Enterasys Dragon EMS v7.4.0 and above.
• If you are using syslogd and Enterasys Dragon EMS v7.4.0 and below, see
Configuring syslogd Using Enterasys Dragon EMS v7.4.0 and below.


Configuring syslog-ng Using Enterasys Dragon EMS v7.4.0 and above
This section describes the steps to configure syslog-ng in non-encrypted mode
and syslogd to forward syslog messages to JSA.
If you are using encrypted syslog-ng, refer to your Enterasys documentation.

CAUTION
CAUTION: Do not run both syslog-ng and syslogd at the same time.
To configure syslog-ng in non-encrypted mode:
Step 1 On your EMS system, open the following file:
/opt/syslog-ng/etc/syslog-ng.conf
Step 2 Configure a Facility filter for the Syslog notification rule.
For example, if you selected facility local1:
filter filt_facility_local1 { facility(local1); };
Step 3 Configure a Level filter for the Syslog notification rule.
For example, if you selected level notice:
filter filt_level_notice { level(notice); };
Step 4 Configure a destination statement for JSA.
For example, if the IP address of JSA is 10.10.1.1 and you want to use syslog
port 514, type:
destination siem { tcp("10.10.1.1" port(514)); };
Step 5 Add a log statement for the notification rule:
log {
    source(s_local);
    filter(filt_facility_local1);
    filter(filt_level_notice);
    destination(siem);
};
Step 6 Save the file and restart syslog-ng:
cd /etc/rc.d
./rc.syslog-ng stop
./rc.syslog-ng start
Step 7 The Enterasys Dragon EMS configuration is complete.

Configuring syslogd Using Enterasys Dragon EMS v7.4.0 and below
If your Dragon Enterprise Management Server (EMS) is using a version earlier
than v7.4.0 on the appliance, you must use syslogd for forwarding events to a
Security and Information Manager such as JSA.

To configure syslogd, you must:
Step 1 On the Dragon EMS system, open the following file:
/etc/syslog.conf
Step 2 Add a line to forward the facility and level you configured in the syslog notification
rule to JSA.
For example, to define the local1 facility and notice level:
local1.notice @<IP address>
Where:
<IP address> is the IP address of the JSA system.
Step 3 Save the file and restart syslogd.

cd /etc/rc.d
./rc.syslog stop
./rc.syslog start

The Enterasys Dragon EMS configuration is complete.
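To confirm that the filters, destination and log statement of the syslog-ng procedure (or the facility.level selector line of the syslogd procedure) actually chain the chosen facility and level to the JSA address, the following checker reads the configuration file as text. It is an added example, not part of the Juniper or Enterasys documentation; the sample configurations are constructed from the fragments above, and the source statement s_local is assumed to exist because the log statement references it.

```python
"""Offline check of the EMS syslog forwarding configuration described above.

Added example, not code from the Juniper or Enterasys documentation. It reads a
syslog-ng.conf (EMS v7.4.0 and above) or a syslog.conf (earlier EMS) as text
and reports whether events of the facility and level chosen in the Syslog
notification rule are forwarded to the JSA address. The sample configurations
are constructed from the fragments in the two procedures above.
"""
import re
from typing import Dict, List

# syslog-ng top-level statements: filter NAME { ... };  destination NAME { ... };
_STMT = re.compile(r'\b(filter|destination)\s+(\w+)\s*\{\s*(.*?)\s*\};', re.S)
# log { ... }; blocks and the filter(NAME) / destination(NAME) references inside
_LOG = re.compile(r'\blog\s*\{(.*?)\};', re.S)
_REF = re.compile(r'\b(filter|destination)\s*\(\s*(\w+)\s*\)')
# network destination driver: tcp("10.10.1.1" port(514)) or udp(...)
_DEST = re.compile(r'\b(tcp|udp)\s*\(\s*"([^"]+)"\s*port\s*\(\s*(\d+)\s*\)')
# syslogd selector line: facility.level @host
_SYSLOGD = re.compile(r'^\s*([\w*]+)\.([\w*=!]+)\s+@(\S+)\s*$', re.M)


def check_syslog_ng(conf: str, jsa_ip: str, facility: str, level: str,
                    port: int = 514) -> List[str]:
    """Return [] when some log {} statement combines a facility filter, a level
    filter and a destination for jsa_ip:port (Steps 2 to 5); otherwise return
    a list naming what is missing, so the administrator knows which step to
    revisit."""
    filters: Dict[str, str] = {}
    dests: Dict[str, str] = {}
    for kind, name, body in _STMT.findall(conf):
        (filters if kind == "filter" else dests)[name] = body
    fac_re = re.compile(r'\bfacility\s*\(\s*' + re.escape(facility) + r'\s*\)')
    lvl_re = re.compile(r'\blevel\s*\(\s*' + re.escape(level) + r'\s*\)')
    fac_filters = {n for n, b in filters.items() if fac_re.search(b)}
    lvl_filters = {n for n, b in filters.items() if lvl_re.search(b)}
    jsa_dests = set()
    for name, body in dests.items():
        m = _DEST.search(body)
        if m and m.group(2) == jsa_ip and int(m.group(3)) == port:
            jsa_dests.add(name)
    problems: List[str] = []
    if not fac_filters:
        problems.append(f"no filter with facility({facility}) (Step 2)")
    if not lvl_filters:
        problems.append(f"no filter with level({level}) (Step 3)")
    if not jsa_dests:
        problems.append(f"no destination for {jsa_ip} port {port} (Step 4)")
    for body in _LOG.findall(conf):
        refs = _REF.findall(body)
        used_filters = {n for k, n in refs if k == "filter"}
        used_dests = {n for k, n in refs if k == "destination"}
        if (used_filters & fac_filters and used_filters & lvl_filters
                and used_dests & jsa_dests):
            return []   # complete forwarding chain found
    problems.append("no log {} statement ties the facility filter, level filter "
                    "and JSA destination together (Step 5)")
    return problems


def check_syslogd(conf: str, jsa_ip: str, facility: str, level: str) -> List[str]:
    """Return [] when syslog.conf contains a 'facility.level @jsa_ip' line."""
    for fac, lvl, host in _SYSLOGD.findall(conf):
        if fac == facility and lvl == level and host == jsa_ip:
            return []
    return [f"no '{facility}.{level} @{jsa_ip}' line in syslog.conf (Step 2)"]


# Constructed samples mirroring the fragments above; the source statement
# s_local is assumed to exist because the log statement references it.
SYSLOG_NG_SAMPLE = """
source s_local { internal(); unix-stream("/dev/log"); };
filter filt_facility_local1 {facility(local1); };
filter filt_level_notice {level(notice); };
destination siem { tcp("10.10.1.1" port(514)); };
log {
source(s_local);
filter (filt_facility_local1); filter (filt_level_notice);
destination(siem);
};
"""
SYSLOGD_SAMPLE = "*.info;mail.none\t/var/log/messages\nlocal1.notice @10.10.1.1\n"

if __name__ == "__main__":
    print(check_syslog_ng(SYSLOG_NG_SAMPLE, "10.10.1.1", "local1", "notice"))
    print(check_syslogd(SYSLOGD_SAMPLE, "10.10.1.1", "local1", "notice"))
```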

Enterasys HiGuard Wireless IPS

The Enterasys HiGuard Wireless IPS DSM for JSA records all relevant events
using syslog.
Before configuring the Enterasys HiGuard Wireless IPS device in JSA, you must
configure your device to forward syslog events.

Configure Enterasys HiGuard

To configure the device to forward syslog events:

Step 1 Log in to the HiGuard Wireless IPS user interface.
Step 2 In the left navigation pane, click Syslog, which allows the management server to
send events to designated syslog receivers.
The Syslog Configuration panel is displayed.
Step 3 In the System Integration Status section, enable syslog integration.
This allows the management server to send messages to the configured syslog
servers. By default, the management server enables syslog.
The Current Status field displays the status of the syslog server. The options are
Running or Stopped. An error status is displayed if one of the following occurs:
• One of the configured and enabled syslog servers includes a hostname that
cannot be resolved.
• The management server is stopped.
• An internal error has occurred. If this occurs, please contact Enterasys
Technical Support.


Step 4 From Manage Syslog Servers, click Add.

The Syslog Configuration window is displayed.
Step 5 Type values for the following parameters:
• Syslog Server (IP Address/Hostname) - Type the IP address or hostname of
the syslog server to which events should be sent.
Note: Configured syslog servers use the DNS names and DNS suffixes configured
in the Server initialization and Setup Wizard on the HWMH Config Shell.
• Port Number - Type the port number of the syslog server to which HWMH
sends events. The default is 514.
• Message Format - Select Plain Text as the format for sending events.
• Enabled? - Select if the events are to be sent to this syslog server.

Step 6 Save your configuration.

The configuration is complete. The log source is added to JSA as HiGuard events
are automatically discovered. Events forwarded to JSA by Enterasys HiGuard are
displayed on the Log Activity tab of JSA.
Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from
Enterasys HiGuard. The following configuration steps are optional.
To manually configure a log source for Enterasys HiGuard:

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Enterasys HiGuard.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 33-1 Syslog Parameters
Parameter - Description
Log Source Identifier - Type the IP address or host name for the log source as an
identifier for events from your Enterasys HiGuard.

Step 11 Click Save.

Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

Enterasys HiPath Wireless Controller

The Enterasys HiPath Wireless Controller DSM for JSA records all relevant events
using syslog.

Supported Event Types

JSA supports the following Enterasys HiPath Wireless Controller events:
• Wireless access point events
• Application log events
• Service log events
• Audit log events

Configure Your HiPath Wireless Controller

To integrate your Enterasys HiPath Wireless Controller events with JSA, you must
configure your device to forward syslog events.
To forward syslog events to JSA:

Step 1 Log in to the HiPath Wireless Assistant.
Step 2 Click Wireless Controller Configuration.

The HiPath Wireless Controller Configuration window is displayed.
Step 3 From the menu, click System Maintenance.
Step 4 From the Syslog section, select the Syslog Server IP check box and type the IP
address of the device receiving the syslog messages.
Step 5 Using the Wireless Controller Log Level list box, select Information.
Step 6 Using the Wireless AP Log Level list box, select Major.
Step 7 Using the Application Logs list box, select local.0.
Step 8 Using the Service Logs list box, select local.3.
Step 9 Using the Audit Logs list box, select local.6.
Step 10 Click Apply.

You are now ready to configure the log source in JSA.
Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from
Enterasys HiPath. The following configuration steps are optional.
To manually configure a log source for Enterasys HiPath:

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.


Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Enterasys HiPath.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 33-1 Syslog Parameters
Parameter - Description
Log Source Identifier - Type the IP address or host name for the log source as an
identifier for events from your Enterasys HiPath.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete. For more information about your Enterasys HiPath
Wireless Controller device, see your vendor documentation.

Enterasys Stackable and Standalone Switches

The Enterasys Stackable and Standalone Switches DSM for JSA accepts events
using syslog.
JSA records all relevant events. Before configuring an Enterasys Stackable and
Standalone Switches device in JSA, you must configure your device to forward
syslog events.
To configure the device to forward syslog events to JSA:
Step 1 Log in to the Enterasys Stackable and Standalone Switch device.
Step 2 Type the following command:

set logging server <index> [ip-addr <ip-addr>] [facility <facility>]
[severity <severity>] [descr <descr>] [port <port>] [state <state>]

Where:
<index> is the server table index number (1 to 8) for this server.
<ip-addr> is the IP address of the server to which you wish to send syslog
messages. This is an optional field. If you do not define an IP address, an entry
in the Syslog server table is created with the specified index number and a
message is displayed indicating that no IP address has been assigned.
<facility> is a syslog facility. Valid values are local0 to local7. This is an
optional field. If not specified, the default value configured with the set logging
default command is applied.
<severity> is the severity level at which the server logs messages. The valid
range is 1 to 8. If not specified, the default value configured with the set
logging default command is applied. This is an optional field. Valid values include:
- 1: Emergencies (system is unusable)
- 2: Alerts (immediate action required)
- 3: Critical conditions
- 4: Error conditions
- 5: Warning conditions
- 6: Notifications (significant conditions)
- 7: Informational messages
- 8: Debugging messages
<descr> is a description of the facility/server. This is an optional field.
<port> is the UDP port that the client uses to send messages to the server. If
not specified, the default value configured with the set logging default command
is applied. This is an optional field.
<state> enables or disables this facility/server configuration. This is an
optional field. If state is not specified, the server is neither enabled nor disabled.
Step 3 You are now ready to configure the log source in JSA.

To configure JSA to receive events from an Enterasys Stackable and Standalone
Switch device:

From the Log Source Type list box, select one of the following options:
Enterasys Stackable and Standalone Switches, Enterasys A-Series,
Enterasys B2-Series, Enterasys B3-Series, Enterasys C2-Series,
Enterasys C3-Series, Enterasys D-Series, Enterasys G-Series, or
Enterasys I-Series.
For more information on configuring log sources, see the Log Source Users Guide.
For more information about your Enterasys Stackable and Standalone Switches,
see your vendor documentation.

Enterasys XSR Security Router

The Enterasys XSR Security Router DSM for JSA accepts events using syslog.
JSA records all relevant events. Before configuring an Enterasys XSR Security
Router in JSA, you must configure your device to forward syslog events.
To configure the device to send syslog events to JSA:
Step 1 Using Telnet or SSH, log in to the XSR Security Router command-line interface.

Step 2 Type the following commands to access config mode:
enable
config
Step 3 Type the following command:
logging <IP address> low
Where <IP address> is the IP address of your JSA.
Step 4 Exit from config mode.
Step 5 Save the configuration:
exit
copy running-config startup-config
Step 6 You are now ready to configure the log sources in JSA.

To configure JSA to receive events from an Enterasys XSR Security Router:

From the Log Source Type list box, select Enterasys XSR Security
Routers.
For more information on configuring log sources, see the Log Sources Users
Guide.
For more information about your Enterasys XSR Security Router, see your vendor
documentation.

Enterasys Matrix Router

The Enterasys Matrix Router DSM for JSA accepts Enterasys Matrix events using
SNMPv1, SNMPv2, SNMPv3, and syslog.
You can integrate Enterasys Matrix Router version 3.5 with JSA. JSA records all
SNMP events and syslog login, logout, and login failed events. Before you
configure JSA to integrate with Enterasys Matrix, you must:

Step 1 Log in to the switch/router as a privileged user.
Step 2 Type the following command:

set logging server <index> description <description> facility <facility>
ip_addr <ip_addr> port <port> severity <severity>

Where:
<index> is the server number, 1 to 8.
<description> is a description of the server.
<facility> is a syslog facility, for example, local0.
<ip_addr> is the IP address of the server to which you wish to send syslog messages.
<port> is the UDP port that the client uses to send messages to the server. Use
port 514 unless otherwise stated.
<severity> is the server severity level, 1 to 9, where 1 indicates an emergency
and 8 is debug level.

For example:
set logging server 5 description ourlogserver facility local0
ip_addr 1.2.3.4 port 514 severity 8
Step 3 You are now ready to configure the log source in JSA.

To configure JSA to receive events from an Enterasys Matrix device:

From the Log Source Type list box, select Enterasys Matrix E1 Switch.
For more information on configuring log sources, see the Log Sources Users
Guide.

Enterasys NetSight Automatic Security Manager

The Enterasys NetSight Automatic Security Manager DSM for JSA accepts events
using syslog.
JSA records all relevant events. Before configuring an Enterasys NetSight
Automatic Security Manager device in JSA, you must configure your device to
forward syslog events.
To configure the device to send syslog events to JSA:

Step 1 Log in to the Automatic Security Manager user interface.
Step 2 Click the Automated Security Manager icon to access the Automated Security
Manager Configuration window.
Note: You can also access the Automated Security Manager Configuration
window from the Tool menu.

Step 3 From the left navigation menu, select Rule Definitions.
Step 4 Choose one of the following options:
a If a rule is currently configured, highlight the rule. Click Edit.
b To create a new rule, click Create.

Step 5 Select the Notifications check box.
Step 6 Click Edit.

The Edit Notifications window is displayed.
Step 7 Click Create.

The Create Notification window is displayed.


Step 8 Using the Type list box, select Syslog.
Step 9 In the Syslog Server IP/Name field, type the IP address of the device that will
receive syslog traffic.
Step 10 Click Apply.
Step 11 Click Close.
Step 12 In the Notification list box, select the notification configured above.
Step 13 Click OK.
Step 14 You are now ready to configure the log source in JSA.

To configure JSA to receive events from an Enterasys NetSight Automatic Security
Manager device:

From the Log Source Type list box, select Enterasys NetsightASM.
For more information on configuring log sources, see the Log Sources Users
Guide.
For more information about your Enterasys NetSight Automatic Security Manager
device, see your vendor documentation.

Enterasys Matrix K/N/S Series Switch

The Enterasys Matrix Series DSM for JSA accepts events using syslog. JSA
records all relevant Matrix K-Series, N-Series, or S-Series standalone device
events.
Before you configure JSA to integrate with a Matrix K-Series, N-Series, or
S-Series, you must:

Step 1 Log in to your Enterasys Matrix device command-line interface (CLI).
Step 2 Type the following commands:

set logging server 1 ip-addr <IP address> state enable
set logging application RtrAcl level 8
set logging application CLI level 8
set logging application SNMP level 8
set logging application Webview level 8
set logging application System level 8
set logging application RtrFe level 8
set logging application Trace level 8
set logging application RtrLSNat level 8
set logging application FlowLimt level 8
set logging application UPN level 8
set logging application AAA level 8
set logging application Router level 8
set logging application AddrNtfy level 8
set logging application OSPF level 8
set logging application VRRP level 8
set logging application RtrArpProc level 8
set logging application LACP level 8
set logging application RtrNat level 8
set logging application RtrTwcb level 8
set logging application HostDoS level 8
set policy syslog extended-format enable

For more information on configuring the Matrix Series routers or switches, consult
your vendor documentation.
Step 3 You are now ready to configure the log sources in JSA.

To configure JSA to receive events from an Enterasys Matrix Series device:

From the Log Source Type list box, select Enterasys Matrix K/N/S Series
Switch.
For information on configuring log sources, see the Log Sources Users Guide.

Enterasys NAC

The Enterasys NAC DSM for JSA accepts events using syslog. JSA records all
relevant events.
For details on configuring your Enterasys NAC appliances for syslog, consult your
vendor documentation. After the Enterasys NAC appliance is forwarding syslog
events to JSA, the configuration is complete. The log source is added to JSA as
Enterasys NAC events are automatically discovered. Events forwarded by
Enterasys NAC appliances are displayed on the Log Activity tab of JSA.

Configure a log source

JSA automatically discovers and creates a log source for syslog events from
Enterasys NAC. The following configuration steps are optional.
To manually configure a log source for Enterasys NAC:

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.


Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Enterasys NAC.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 33-2 Syslog Parameters
Parameter - Description
Log Source Identifier - Type the IP address or host name for the log source as an
identifier for events from your Enterasys NAC appliances.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

Enterasys 800-Series Switch

The Enterasys 800-Series Switch DSM for JSA accepts events using syslog.

Configure your Enterasys 800-Series Switch

JSA records all relevant audit, authentication, system, and switch events. Before
configuring your Enterasys 800-Series Switch in JSA, you must configure your
switch to forward syslog events.
To configure the device to forward syslog events:

Step 1 Log in to your Enterasys 800-Series Switch command-line interface.
You must be a system administrator or operator-level user to complete these
configuration steps.
Step 2 Type the following command to enable syslog:
enable syslog
Step 3 Type the following command to create a syslog address for forwarding events to
JSA:
create syslog host 1 <IP address> severity informational
facility local7 udp_port 514 state enable
Where <IP address> is the IP address of your JSA console or Event Collector.
Step 4 Optional. Type the following command to forward syslog events using an IP
interface address:
create syslog source_ipif <ipif name> <IP address>
Where:
<ipif name> is the name of your IP interface.
<IP address> is the IP address of your JSA console or Event Collector.


The configuration is complete. The log source is added to JSA as Enterasys
800-Series Switch events are automatically discovered. Events forwarded to JSA
by Enterasys 800-Series Switches are displayed on the Log Activity tab of JSA.
Configure a log source

JSA automatically discovers and creates a log source for syslog events from
Enterasys 800-Series Switches. The following configuration steps are optional.
To manually configure a log source:

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Enterasys 800-Series Switch.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 33-1 Syslog Parameters
Parameter - Description
Log Source Identifier - Type the IP address or host name for the log source as an
identifier for events from your Enterasys 800-Series Switch.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

31 EXTREME NETWORKS EXTREMEWARE

The Extreme Networks ExtremeWare DSM for Juniper Secure Analytics (JSA)
records all relevant events from Extreme Networks ExtremeWare and ExtremeWare XOS
devices using syslog.
To integrate JSA with an ExtremeWare device, you must configure a log source in
JSA, then configure your Extreme Networks ExtremeWare and ExtremeWare XOS
devices to forward syslog events. JSA does not automatically discover or create
log sources for syslog events from ExtremeWare appliances.

Configuring a Log Source

To integrate with JSA, you must manually create a log source to receive the
incoming ExtremeWare events forwarded to JSA.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Extreme Networks ExtremeWare
Operating System (OS).
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 34-1 Syslog Parameters
Parameter - Description
Log Source Identifier - Type the IP address or host name for the log source as an
identifier for events from your ExtremeWare appliance.

Step 11 Click Save.

Step 12 On the Admin tab, click Deploy Changes.

The log source is added to JSA. Events forwarded to JSA by Extreme Networks
ExtremeWare appliances are displayed on the Log Activity tab.
For information on configuring syslog forwarding for your Extremeware appliances,
see your vendor documentation.

32 F5 NETWORKS

This section provides information on the following DSMs:
• F5 Networks BIG-IP AFM
• F5 Networks BIG-IP APM
• F5 Networks BIG-IP ASM
• F5 Networks BIG-IP LTM
• F5 Networks FirePass

F5 Networks BIG-IP AFM

The F5 Networks BIG-IP Advanced Firewall Manager (AFM) DSM for Juniper
Secure Analytics (JSA) accepts syslog events forwarded from F5 Networks BIG-IP
AFM systems in name-value pair format.

Supported Event Types

JSA is capable of collecting the following events from F5 BIG-IP appliances with
Advanced Firewall Managers:
• Network events
• Network Denial of Service (DoS) events
• Protocol security events
• DNS events
• DNS Denial of Service (DoS) events

Before You Begin

Before you can configure the Advanced Firewall Manager, you must verify that
your BIG-IP appliance is licensed and provisioned to include Advanced Firewall
Manager.
Procedure

Step 1 Log in to your BIG-IP appliance Management Interface.
Step 2 From the navigation menu, select System > License.
Step 3 In the License Status column, verify the Advanced Firewall Manager is licensed
and enabled.
Step 4 To enable the Advanced Firewall Manager, select System > Resource
Provisioning.
Step 5 From the Provisioning column, select the check box and select Nominal from the
list box.
Step 6 Click Submit to save your changes.

Configure a Logging Pool

A logging pool allows you to define a pool of servers that receive syslog events.
The pool contains the IP address, port, and a node name that you provide.
Procedure

Step 1 From the navigation menu, select Local Traffic > Pools.
Step 2 Click Create.
Step 3 In the Name field, type a name for the logging pool.
For example, Logging_Pool.
Step 4 From the Health Monitor field, in the Available list, select TCP and click <<.
This moves the TCP option from the Available list to the Selected list.
Step 5 In the Resource pane, from the Node Name list box, select Logging_Node or the
name you defined in Step 3.
Step 6 In the Address field, type the IP address for the JSA console or Event Collector.
Step 7 In the Service Port field, type 514.
Step 8 Click Add.
Step 9 Click Finish.

Creating a High-Speed Log Destination

The process to configure logging for BIG-IP AFM requires that you create a
high-speed logging destination.
Procedure

Step 1 From the navigation menu, select System > Logs > Configuration > Log
Destinations.
Step 2 Click Create.
Step 3 In the Name field, type a name for the destination.

For example, Logging_HSL_dest.
Step 4 In the Description field, type a description.
Step 5 From the Type list box, select Remote High-Speed Log.
Step 6 From the Pool Name list box, select a logging pool from the list of remote log

servers.
For example, Logging_Pool.
Step 7 From the Protocol list box, select TCP.
Step 8 Click Finish.
Creating a Formatted Log Destination

The formatted log destination allows you to specify any special formatting required
on the events forwarded to the high-speed logging destination.
Procedure

Step 1 From the navigation menu, select System > Logs > Configuration > Log Destinations.
Step 2 Click Create.
Step 3 In the Name field, type a name for the logging format destination.

For example, Logging_Format_dest.
Step 4 In the Description field, type a description.
Step 5 From the Type list box, select Remote Syslog.
Step 6 From the Syslog Format list box, select Syslog.
Step 7 From the High-Speed Log Destination list box, select your high-speed logging destination.
For example, Logging_HSL_dest.
Step 8 Click Finished.

Creating a Log Publisher

Creating a publisher allows the BIG-IP appliance to publish the formatted log
message to the local syslog database.
Procedure

Step 1 From the navigation menu, select System > Logs > Configuration > Log Publishers.
Step 2 Click Create.
Step 3 In the Name field, type a name for the publisher.

For example, Logging_Pub.
Step 4 In the Description field, type a description.
Step 5 From the Destinations field, in the Available list, select the log destination name you created in Step 3 and click << to add items to the Selected list.
This moves your logging format destination from the Available list to the Selected
list. To include local logging in your publisher configuration, you can add local-db
and local-syslog to the Selected list.

Creating a Logging Profile

Logging profiles let you choose which event types your Advanced Firewall Manager
produces and associate those events with a logging destination.
Procedure

Step 1 From the navigation menu, select Security > Event Logs > Logging Profile.
Step 2 Click Create.
Step 3 In the Name field, type a name for the log profile.

For example, Logging_Profile.
Step 4 In the Network Firewall field, select the Enabled check box.
Step 5 From the Publisher list box, select the log publisher you configured.

For example, Logging_Pub.
Step 6 In the Log Rule Matches field, select the Accept, Drop, and Reject check boxes.
Step 7 In the Log IP Errors field, select the Enabled check box.
Step 8 In the Log TCP Errors field, select the Enabled check box.
Step 9 In the Log TCP Events field, select the Enabled check box.
Step 10 In the Storage Format field, from the list box, select Field-List.
Step 11 In the Delimiter field, type , (comma) as the delimiter for events.
Step 12 In the Storage Format field, select all of the options in the Available Items list and click <<.
This moves all of the Field-List options from the Available list to the Selected list.
Step 13 In the IP Intelligence pane, from the Publisher list box, select the log publisher you configured.
For example, Logging_Pub.
Step 14 Click Finished.

Associate the Profile to a Virtual Server

The log profile you created must be associated with a virtual server in the Security
Policy tab. This allows the virtual server to process your network firewall events,
along with local traffic.
Procedure

Step 1 From the navigation menu, select Local Traffic > Virtual Servers.
Step 2 Click the name of a virtual server to modify.
Step 3 From the Security tab, select Policies.
Step 4 From the Log Profile list box, select Enabled.
Step 5 From the Profile field, in the Available list, select Logging_Profile or the name you specified in Step 3 and click <<.
This moves the Logging_Profile option from the Available list to the Selected list.

Step 6 Click Update to save your changes.

The configuration is complete. The log source is added to JSA automatically when
F5 Networks BIG-IP AFM syslog events are discovered. Events forwarded to JSA
by F5 Networks BIG-IP AFM are displayed on the Log Activity tab of JSA.
Configuring a Log Source

JSA automatically discovers and creates a log source for syslog events from F5
Networks BIG-IP AFM. However, you can manually create a log source for JSA to
receive syslog events. The following configuration steps are optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select F5 Networks BIG-IP AFM.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 35-2 Syslog Protocol Parameters

Parameter              Description
Log Source Identifier  Type the IP address or host name for the log source as an
                       identifier for events from your F5 BIG-IP AFM appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

F5 Networks BIG-IP APM

The F5 Networks BIG-IP Access Policy Manager (APM) DSM for JSA collects
access and authentication security events from a BIG-IP APM device using syslog.

Configure Remote Syslog

To configure your BIG-IP LTM device to forward syslog events to a remote syslog
source, choose your BIG-IP APM software version:
• Configure Remote Syslog for F5 BIG-IP APM 11.x
• Configure Remote Syslog for F5 BIG-IP APM 10.x

Configure Remote Syslog for F5 BIG-IP APM 11.x
To configure syslog for F5 BIG-IP APM 11.x:
Step 1 Log in to the command-line of your F5 BIG-IP device.
Step 2 Type the following command to add a single remote syslog server:

tmsh syslog remote server {<name> {host <IP address>}}

Where:
<name> is the name of the F5 BIG-IP APM syslog source.
<IP address> is the IP address of the JSA console.

For example,
tmsh syslog remote server {BIGIP_APM {host 10.100.100.101}}
Step 3 Type the following to save the configuration changes:

tmsh save sys config partitions all

The configuration is complete. The log source is added to JSA automatically when
F5 Networks BIG-IP APM events are discovered. Events forwarded to JSA by F5
Networks BIG-IP APM are displayed on the Log Activity tab in JSA.
Configure Remote Syslog for F5 BIG-IP APM 10.x
To configure syslog for F5 BIG-IP APM 10.x:
Step 1 Log in to the command-line of your F5 BIG-IP device.
Step 2 Type the following command to add a single remote syslog server:

bigpipe syslog remote server {<name> {host <IP address>}}

Where:
<name> is the name of the F5 BIG-IP APM syslog source.
<IP address> is the IP address of the JSA console.

For example,
bigpipe syslog remote server {BIGIP_APM {host 10.100.100.101}}
Step 3 Type the following to save the configuration changes:

bigpipe save

The configuration is complete. The log source is added to JSA automatically when
F5 Networks BIG-IP APM events are discovered. Events forwarded to JSA by F5
Networks BIG-IP APM are displayed on the Log Activity tab.
Configuring a Log Source

JSA automatically discovers and creates a log source for syslog events from F5
Networks BIG-IP APM appliances. These configuration steps are optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select F5 Networks BIG-IP APM.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 35-1 Syslog Protocol Parameters

Parameter              Description
Log Source Identifier  Type the IP address or host name for the log source as an
                       identifier for events from your F5 Networks BIG-IP APM
                       appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

F5 Networks BIG-IP ASM

The F5 Networks BIG-IP Application Security Manager (ASM) DSM for JSA
collects web application security events from BIG-IP ASM appliances using syslog.

Configure F5 Networks BIG-IP ASM

To forward syslog events from an F5 Networks BIG-IP ASM appliance to JSA, you
must configure a logging profile.
A logging profile allows you to configure remote storage for syslog events, which
can be forwarded directly to JSA.
Procedure

Step 1 Log in to the F5 Networks BIG-IP ASM appliance user interface.
Step 2 On the navigation pane, select Application Security > Options.
Step 3 Click Logging Profiles.
Step 4 Click Create.
Step 5 From the Configuration list box, select Advanced.
Step 6 Configure the following parameters:
a Type a Profile Name.
For example, type JSA.
b Optional. Type a Profile Description.
c Select the Remote Storage check box.

Note: If you do not want data logged locally as well as remotely, you must clear the
Local Storage check box.
d From the Type list box, select Reporting Server.
e From the Protocol list box, select TCP.
f Configure the Server Addresses fields:
- IP address - Type the IP address of the JSA console.
- Port - Type a port value of 514.
g Select the Guarantee Logging check box.

Note: Enabling the Guarantee Logging option ensures the system log requests
continue for the web application when the logging utility is competing for system
resources. Enabling the Guarantee Logging option can slow access to the
associated web application.
h Select the Report Detected Anomalies check box, to allow the system to log
details.
i Click Create.

The display refreshes with the new logging profile. The log source is added to JSA
automatically when F5 Networks BIG-IP ASM events are discovered. Events
forwarded by F5 Networks BIG-IP ASM are displayed on the Log Activity tab of
JSA.
Configuring a Log Source

JSA automatically discovers and creates a log source for syslog events from F5
Networks BIG-IP ASM appliances. These configuration steps are optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select F5 Networks BIG-IP ASM.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 35-2 Syslog Protocol Parameters

Parameter              Description
Log Source Identifier  Type the IP address or host name for the log source as an
                       identifier for events from your F5 Networks BIG-IP ASM
                       appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

F5 Networks BIG-IP LTM

The F5 Networks BIG-IP Local Traffic Manager (LTM) DSM for JSA collects
network security events from a BIG-IP device using syslog.
Before receiving events in JSA, you must configure a log source for JSA, then
configure your BIG-IP LTM device to forward syslog events. We recommend that you
create your log source before forwarding events, because JSA does not automatically
discover or create log sources for syslog events from F5 BIG-IP LTM appliances.

Configuring a Log Source

To integrate F5 BIG-IP LTM with JSA, you must manually create a log source to
receive syslog events.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select F5 Networks BIG-IP LTM.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 35-3 Syslog Protocol Parameters

Parameter              Description
Log Source Identifier  Type the IP address or host name for the log source as an
                       identifier for events from your BIG-IP LTM appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

You are now ready to configure your BIG-IP LTM appliance to forward syslog
events to JSA.
Configuring Syslog Forwarding in BIG-IP LTM

To configure your BIG-IP LTM device to forward syslog events, select your BIG-IP
LTM software version:
• Configuring Remote Syslog for F5 BIG-IP LTM 11.x
• Configuring Remote Syslog for F5 BIG-IP LTM 10.x
• Configuring Remote Syslog for F5 BIG-IP LTM 9.4.2 to 9.4.8

Configuring Remote Syslog for F5 BIG-IP LTM 11.x
To configure syslog for F5 BIG-IP LTM 11.x:
Step 1 Log in to the command-line of your F5 BIG-IP device.
Step 2 Type the following command to add a single remote syslog server:

tmsh syslog remote server {<name> {host <IP address>}}

Where:
<name> is a name you assign to identify the syslog source, for example,
BIGIPsyslog or JSA.
<IP address> is the IP address of JSA.

For example,
tmsh syslog remote server {BIGIPsyslog {host 10.100.100.100}}
Step 3 Save the configuration changes:

tmsh save sys config partitions all

The configuration is complete. Events forwarded from your F5 Networks BIG-IP
LTM appliance are displayed on the Log Activity tab in JSA.
Configuring Remote Syslog for F5 BIG-IP LTM 10.x
To configure syslog for F5 BIG-IP LTM 10.x:
Step 1 Log in to the command-line of your F5 BIG-IP device.
Step 2 Type the following command to add a single remote syslog server:

bigpipe syslog remote server {<name> {host <IP address>}}

Where:
<name> is the name of the F5 BIG-IP LTM syslog source.
<IP address> is the IP address of JSA.

For example:
bigpipe syslog remote server {BIGIPsyslog {host 10.100.100.100}}
Step 3 Save the configuration changes:

bigpipe save

Note: F5 Networks modified the syslog output format in BIG-IP v10.x to include the
use of local/ before the hostname in the syslog header. The syslog header
format containing local/ is not supported in JSA, but a workaround is available to
correct the syslog header. For more information, see
http://www.juniper.net/customers/support/.
The configuration is complete. Events forwarded from your F5 Networks BIG-IP
LTM appliance are displayed on the Log Activity tab in JSA.
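Before opening a support case for the v10.x header issue described in the note above, it helps to confirm that the forwarded feed actually carries the local/ prefix. The following script is an added example for this guide, not Juniper or F5 code, and it does not implement the workaround the note refers to: it parses the RFC 3164 style header of each line, flags a hostname that begins with local/, and shows what the hostname field reads once the prefix is removed (an illustration of the corrected form, not the vendor-documented fix). The sample syslog lines, hostnames and message text are constructed.

```python
"""Detect the "local/" host prefix that BIG-IP v10.x adds to syslog headers.

Added example for this guide; not Juniper or F5 code and not the workaround
the guide refers to on the Juniper support site. It inspects a forwarded feed
for the unsupported header form. Sample lines are constructed.
"""
import re
from typing import List, Optional

# Constructed samples: a v10.x line with the local/ prefix and a line without it.
SAMPLE_V10 = ("<134>Nov 27 10:15:01 local/bigip-lb1 tmm[2316]: "
              "01010028:6: No members available for pool /Common/web_pool")
SAMPLE_PLAIN = ("<134>Nov 27 10:15:02 bigip-lb1 tmm[2316]: "
                "01010221:3: Pool /Common/web_pool now has available members")

# RFC 3164 style header: <PRI>, a timestamp, one hostname token, then the message.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)
LOCAL_PREFIX = "local/"


def inspect_header(line: str) -> Optional[dict]:
    """Split a syslog line into header fields and flag the BIG-IP v10.x local/ prefix.

    Returns None when the line does not carry a parseable RFC 3164 header.
    """
    m = HEADER_RE.match(line)
    if not m:
        return None
    host = m.group("host")
    has_prefix = host.startswith(LOCAL_PREFIX)
    return {
        "pri": int(m.group("pri")),
        "timestamp": m.group("ts"),
        "hostname": host,
        "has_local_prefix": has_prefix,
        # Hostname as it would read without the prefix: an illustration of the
        # corrected header, not the vendor-documented workaround.
        "corrected_hostname": host[len(LOCAL_PREFIX):] if has_prefix else host,
        "message": m.group("msg"),
    }


def unsupported_header_count(lines: List[str]) -> int:
    """Count lines in a feed whose hostname field carries the local/ prefix."""
    count = 0
    for ln in lines:
        parsed = inspect_header(ln)
        if parsed and parsed["has_local_prefix"]:
            count += 1
    return count


if __name__ == "__main__":
    for sample in (SAMPLE_V10, SAMPLE_PLAIN):
        info = inspect_header(sample)
        print(info["hostname"], "->", info["corrected_hostname"],
              "(unsupported)" if info["has_local_prefix"] else "(ok)")
    print("lines with local/ prefix:", unsupported_header_count([SAMPLE_V10, SAMPLE_PLAIN]))
```

Run it against a capture of the feed (for example a few hundred lines saved from the collector) to see how many events JSA would parse with the wrong hostname; if the count is zero, the appliance is not emitting the v10.x header form and the note does not apply.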
Configuring Remote Syslog for F5 BIG-IP LTM 9.4.2 to 9.4.8
To configure syslog for F5 BIG-IP LTM 9.4.2 to 9.4.8:

Step 1 Log in to the command-line of your F5 BIG-IP device.
Step 2 Type the following command to add a single remote syslog server:

bigpipe syslog remote server <IP address>

Where <IP address> is the IP address of JSA.
For example:
bigpipe syslog remote server 10.100.100.100
Step 3 Type the following to save the configuration changes:

bigpipe save

The configuration is complete. Events forwarded from your F5 Networks BIG-IP
LTM appliance are displayed on the Log Activity tab in JSA.

F5 Networks FirePass

The F5 Networks FirePass DSM for JSA collects system events from an F5
FirePass SSL VPN device using syslog.
By default, remote logging is disabled and must be enabled in the F5 Networks
FirePass device. Before receiving events in JSA, you must configure your F5
Networks FirePass device to forward system events to JSA as a remote syslog
server.

Configuring Syslog Forwarding for F5 FirePass

To forward syslog events from an F5 Networks BIG-IP FirePass SSL VPN
appliance to JSA, you must enable and configure a remote log server.
The remote log server can forward events directly to your JSA console or any
Event Collectors in your deployment.
Procedure

Step 1 Log in to the F5 Networks FirePass Admin console.
Step 2 On the navigation pane, select Device Management > Maintenance > Logs.
Step 3 From the System Logs menu, select the Enable Remote Log Server check box.
Step 4 From the System Logs menu, clear the Enable Extended System Logs check box.
Step 5 In the Remote host parameter, type the IP address or hostname of your JSA.
Step 6 From the Log Level list box, select Information.

The Log Level parameter monitors application level system messages.
Step 7 From the Kernel Log Level list box, select Information.

The Kernel Log Level parameter monitors Linux kernel system messages.
Step 8 Click Apply System Log Changes.

The changes are applied and the configuration is complete. The log source is
added to JSA automatically when F5 Networks FirePass events are discovered.
Events forwarded to JSA by F5 Networks BIG-IP ASM are displayed on the Log
Activity tab in JSA.
Configuring a Log Source

JSA automatically discovers and creates a log source for syslog events from F5
Networks FirePass appliances. These configuration steps are optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select F5 Networks FirePass.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 35-4 Syslog Protocol Parameters

Parameter              Description
Log Source Identifier  Type the IP address or host name for the log source as an
                       identifier for events from your F5 Networks FirePass
                       appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

33 FAIR WARNING

The Fair Warning DSM for Juniper Secure Analytics (JSA) retrieves event files
from a remote source using the log file protocol.
JSA records event categories from the Fair Warning log files about user activity
related to patient privacy and security threats to medical records. Before you can
retrieve log files from Fair Warning, you must verify your device is configured to
generate an event log. Instructions for generating the event log can be found in
your Fair Warning documentation.
When configuring the log file protocol, make sure the hostname or IP address
configured in the Fair Warning system is the same as configured in the Remote
Host parameter in the Log File Protocol configuration.
Configuring a Log Source

You can configure JSA to download an event log from a Fair Warning device.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Fair Warning.
Step 9 Select the Log File option from the Protocol Configuration list box.
Step 10 In the FTP File Pattern field, type a regular expression that matches the log files generated by the Fair Warning system.
Step 11 In the Remote Directory field, type the path to the directory containing logs from your Fair Warning device.
Step 12 From the Event Generator list box, select Fair Warning.
Step 13 Click Save.
Step 14 On the Admin tab, click Deploy Changes.

The configuration is complete. For more information on full parameters for the Log
File protocol, see the Log Sources Users Guide.
For more information on configuring Fair Warning, consult your vendor
documentation.

34 FIDELIS XPS

The Fidelis XPS DSM for Juniper Secure Analytics (JSA) accepts events
forwarded in Log Enhanced Event Protocol (LEEF) from Fidelis XPS appliances
using syslog.
Supported Event Types

JSA is capable of collecting all relevant alerts triggered by policy and rule violations
configured on your Fidelis XPS appliance.

Event Type Format

Fidelis XPS must be configured to generate events in Log Enhanced Event
Protocol (LEEF) and forward these events using syslog. The LEEF format consists
of a pipe ( | ) delimited syslog header and tab separated fields in the event payload.
If the syslog events forwarded from your Fidelis XPS are not formatted as described
above, examine your device configuration or software version to confirm that
your appliance supports LEEF. Properly formatted LEEF event messages are
automatically discovered and added as a log source to JSA.
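A quick way to apply the format check the paragraph above asks for is to validate a few captured lines against the layout it describes. The script below is an added example for this guide, not Fidelis or Juniper code: it looks for the LEEF header, checks that the header carries the four pipe-delimited fields (vendor, product, version, event ID) before the payload, and verifies that the payload attributes are tab separated rather than space separated, which is the most common reason a feed is not recognised. The sample lines, vendor and product strings, event name and attribute names are constructed and are not captured Fidelis XPS output.

```python
"""Check that syslog lines carry well-formed LEEF events.

Added example for this guide, not Fidelis XPS or Juniper code. It implements
the layout the guide describes: a LEEF header whose fields are pipe (|)
delimited, followed by an event payload of tab-separated key=value attributes.
Sample lines, vendor/product strings and attribute names are constructed.
"""
import re
from typing import Dict, Optional, Tuple

# Version marker that opens the LEEF header, e.g. "LEEF:1.0|".
LEEF_HEADER_RE = re.compile(r"LEEF:(?P<version>\d+\.\d+)\|")

# Constructed samples: one well-formed line and three that JSA would not parse.
SAMPLE_OK = (
    "<13>Nov 27 10:15:01 commandpost "
    "LEEF:1.0|Fidelis|XPS|7.0|Policy Violation|"
    "src=10.1.1.5\tdst=203.0.113.9\tproto=TCP\tsev=5"
)
SAMPLE_SPACE_DELIM = (
    "<13>Nov 27 10:15:02 commandpost "
    "LEEF:1.0|Fidelis|XPS|7.0|Policy Violation|"
    "src=10.1.1.5 dst=203.0.113.9 proto=TCP"
)
SAMPLE_SHORT_HEADER = "<13>Nov 27 10:15:03 commandpost LEEF:1.0|Fidelis|XPS|src=10.1.1.5"
SAMPLE_NOT_LEEF = "<13>Nov 27 10:15:04 commandpost alert: policy violation src=10.1.1.5"


def check_leef(line: str) -> Tuple[bool, str]:
    """Return (ok, reason) describing whether the line is well-formed LEEF."""
    m = LEEF_HEADER_RE.search(line)
    if not m:
        return False, "no LEEF header"
    # After the version: Vendor|Product|Version|EventID| and then the payload.
    parts = line[m.end():].split("|", 4)
    if len(parts) < 5:
        return False, "header has fewer than four pipe-delimited fields"
    vendor, product, version, event_id, payload = parts
    if not all((vendor, product, version, event_id)):
        return False, "empty header field"
    # Several "key=" tokens separated by whitespace but no tab means the
    # attributes were joined with spaces instead of tabs.
    if "\t" not in payload and re.search(r"\s\w+=", payload):
        return False, "payload attributes are not tab separated"
    for field in payload.split("\t"):
        if field and "=" not in field:
            return False, f"attribute without key=value: {field!r}"
    return True, "ok"


def parse_leef(line: str) -> Optional[Dict]:
    """Parse a well-formed LEEF line into header fields and an attribute dict.

    Returns None for lines that check_leef rejects.
    """
    ok, _ = check_leef(line)
    if not ok:
        return None
    m = LEEF_HEADER_RE.search(line)
    vendor, product, version, event_id, payload = line[m.end():].split("|", 4)
    attrs = {}
    for field in payload.split("\t"):
        if field:
            key, value = field.split("=", 1)
            attrs[key] = value
    return {
        "syslog_header": line[:m.start()].rstrip(),
        "leef_version": m.group("version"),
        "vendor": vendor,
        "product": product,
        "product_version": version,
        "event_id": event_id,
        "attrs": attrs,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_SPACE_DELIM, SAMPLE_SHORT_HEADER, SAMPLE_NOT_LEEF):
        print(check_leef(sample))
    print(parse_leef(SAMPLE_OK)["attrs"])
```

Point `check_leef` at lines captured on the collector (for example with a packet capture on port 514, or from the raw payload JSA shows on the Log Activity tab) and the reason string tells you whether the export itself is the problem or only the delimiter.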

Configuring Fidelis XPS

You can configure syslog forwarding of alerts from your Fidelis XPS appliance.
Procedure

Step 1 Log in to CommandPost to manage your Fidelis XPS appliance.
Step 2 From the navigation menu, select System > Export.

A list of available exports is displayed. If this is the first time you have used the
export function, the list is empty.
Step 3 Select one of the following options:
• Click New to create a new export for your Fidelis XPS appliance.
• Click Edit next to an export name to edit an existing export on your Fidelis XPS
appliance.

The Export Editor is displayed.
Step 4 From the Export Method list box, select Syslog LEEF.
Step 5 In the Destination field, type the IP address or host name for JSA.

For example, 10.10.10.100:::514
This field does not support non-ASCII characters.

Step 6 From Export Alerts, select one of the following options:
• All alerts - Select this option to export all alerts to JSA. This option is resource
intensive and it can take time to export all alerts.
• Alerts by Criteria - Select this option to export specific alerts to JSA. This
option displays a new field that allows you to define your alert criteria.

Step 7 From Export Malware Events, select None.
Step 8 From Export Frequency, select Every Alert / Malware.
Step 9 In the Save As field, type a name for your export.
Step 10 Click Save.
Step 11 Optional. To verify events are forwarded to JSA, you can click Run Now.

Run Now is intended as a test tool to verify that alerts selected by criteria are
exported from your Fidelis appliance. This option is not available if you selected to
export all events in Step 6.
The configuration is complete. The log source is added to JSA as Fidelis XPS
syslog events are automatically discovered. Events forwarded to JSA by Fidelis
XPS are displayed on the Log Activity tab of JSA.
Configuring a Log Source

JSA automatically discovers and creates a log source for syslog events from
Fidelis XPS. However, you can manually create a log source for JSA to receive
syslog events. The following configuration steps are optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Fidelis XPS.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 37-5 Syslog Parameters

Parameter              Description
Log Source Identifier  Type the IP address or host name for the log source as an
                       identifier for events from your Fidelis XPS appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

35 FIREEYE

The FireEye DSM for Juniper Secure Analytics (JSA) accepts rsyslog events in
Log Event Extended Format (LEEF).
Supported Event Types

This DSM applies to FireEye MPS, eMPS and MA appliances. JSA records all
relevant notification alerts sent by FireEye appliances.

Configuring a Log Source

To integrate FireEye events with JSA, you must manually create a log source as
JSA does not automatically discover or create log sources for syslog events from
FireEye appliances.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select FireEye.
Step 9 Using the Protocol Configuration list box, select Syslog.

The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 38-1 Syslog protocol parameters

Parameter              Description
Log Source Identifier  Type the IP address or host name for the log source as an
                       identifier for events from your FireEye appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The log source is added to JSA.

Configuring FireEye to Forward Syslog Events

You are now ready to configure your FireEye appliance to forward syslog events.
Procedure

Step 1 Log in to the FireEye appliance using the CLI.
Step 2 Type the following command to activate configuration mode:

enable
configure terminal
Step 3 Enable rsyslog notifications:

fenotify rsyslog enable
Step 4 Add JSA as an rsyslog notification consumer:

fenotify rsyslog trap-sink JSA
Step 5 Type the IP address for the JSA system receiving rsyslog trap-sink notifications:

fenotify rsyslog trap-sink JSA address <IP address>

Where <IP address> is the IP address of the JSA system.
Step 6 Type the following command to define the rsyslog event format:

fenotify rsyslog trap-sink JSA prefer message format leef
Step 7 Save the configuration changes to the FireEye appliance:

write memory

The configuration is complete. Events forwarded by FireEye are displayed on the
Log Activity tab.

36 FORESCOUT COUNTERACT

The ForeScout CounterACT DSM for Juniper Secure Analytics (JSA) accepts Log
Extended Event Format (LEEF) events from CounterACT using syslog.
Supported Event Types

JSA records the following ForeScout CounterACT events:
• Denial of Service (DoS)
• Authentication
• Exploit
• Suspicious
• System

Configuring a Log Source

To integrate ForeScout CounterACT with JSA, you must manually create a log
source to receive policy-based syslog events.
JSA does not automatically discover or create log sources for syslog events from
ForeScout CounterACT appliances.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select ForeScout CounterACT.
Step 9 Using the Protocol Configuration list box, select Syslog.

Step 10 Configure the following values:

Table 39-1 Syslog protocol parameters

Parameter              Description
Log Source Identifier  Type the IP address or host name for the log source as an
                       identifier for events from your ForeScout CounterACT
                       appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The log source is added to JSA.
Configure ForeScout CounterACT

Before configuring JSA, you must install a plug-in for your ForeScout CounterACT
appliance and configure ForeScout CounterACT to forward syslog events to JSA.
Configure the ForeScout CounterACT Plug-in
To integrate JSA with ForeScout CounterACT, you must download, install and
configure a plug-in for CounterACT. The plug-in extends ForeScout CounterACT
and provides the framework for forwarding LEEF events to JSA.
Procedure

Step 1 From the ForeScout website, download the plug-in for ForeScout CounterACT.
Step 2 Log in to your ForeScout CounterACT appliance.
Step 3 From the CounterACT console toolbar, select Options > Plugins > Install and select the location of the plug-in file.
The plug-in is installed and displayed in the Plugins pane.
Step 4 From the Plugins pane, select the JSA plug-in and click Configure.

The Add JSA wizard is displayed.
Step 5 In the Server Address field, type the IP address of JSA.
Step 6 From the Port list box, select 514.
Step 7 Click Next.
Step 8 From the Assigned CounterACT devices pane, choose one of the following options:
• Default Server - Select this option to make all devices on this ForeScout
CounterACT forward events to JSA.
• Assign CounterACT devices - Select this option to assign which individual
devices running on ForeScout CounterACT forward events to JSA. The Assign
CounterACT devices option is only available if you have one or more ForeScout
CounterACT servers.
Step 9 Click Finish.


The plug-in configuration is complete. You are now ready to define the events
forwarded to JSA by ForeScout CounterACT policies.
Configuring ForeScout CounterACT Policies
ForeScout CounterACT policies test conditions to trigger management and
remediation actions on the appliance.
The plug-in provides an additional action for policies to forward the event to the
JSA using syslog. To forward events to JSA, you must define a CounterACT policy
that includes the JSA update action. The policy condition must be met at least
once to initiate an event to JSA. You must configure each policy to send updates to
JSA for events you want to record.
Procedure
Step 1 Select a policy for ForeScout CounterACT.
Step 2 From the Actions tree, select Audit > Send Updates to JSA Server.
Step 3 From the Contents tab, configure the following values:
a Select the Send host property results check box.
b Choose one of the types of events to forward for the policy:
- Send All - Select this option to include all properties discovered for the
policy to JSA.
- Send Specific - Select this option to select and send only specific properties
for the policy to JSA.
c Select the Send policy status check box.
Step 4 From the Trigger tab, select the interval ForeScout CounterACT uses for
forwarding the event to JSA:
• Send when the action starts - Select this check box to send a single event to
JSA when the conditions of your policy are met.
• Send when information is updated - Select this check box to send a report
when there is a change in the host properties specified in the Contents tab.
• Send periodically every - Select this check box to send a recurring event to
JSA on an interval if the policy conditions are met.
Step 5 Click OK to save the policy changes.
Step 6 Repeat this process to configure any additional policies with an action to send
updates to JSA, if required.
The configuration is complete. Events forwarded by ForeScout CounterACT are
displayed on the Log Activity tab of JSA.

37 FORTINET FORTIGATE

The Fortinet FortiGate DSM for Juniper Secure Analytics (JSA) records all relevant
FortiGate IPS/Firewall events using syslog.
Table 40-1 identifies the specifications for the Fortinet FortiGate DSM.

Table 40-1 Fortinet FortiGate DSM Specifications

Specification         Value
Manufacturer          Fortinet
DSM                   Fortinet FortiGate
RPM file name         DSM-FortinetFortiGate-7.x-xxxxxx.noarch.rpm
Supported version     FortiOS v2.5 and later
Protocol              Syslog
JSA recorded events   All relevant events
Auto discovered       Yes
Includes identity     Yes
For more information  http://www.fortinet.com

Fortinet FortiGate DSM Integration Process

To integrate Fortinet FortiGate DSM with JSA, use the following procedures:

1 Download and install the most recent Fortinet FortiGate RPM to your JSA console.
If automatic updates are enabled, this procedure is not required. RPMs need to be
installed only one time.
2 Optional. Install the Syslog Redirect protocol RPM to collect events through
FortiGate FortiAnalyzer. When you use the Syslog Redirect protocol, JSA can
identify the specific FortiGate firewall that sent the event. You can use the
procedure for manually installing a DSM to install a protocol.
3 Configure your Fortinet FortiGate system to enable communication with JSA. This
procedure must be performed for each instance of Fortinet FortiGate. For more
information on configuring a Fortinet FortiGate device, see your vendor
documentation.
4 For each Fortinet FortiGate server you want to integrate, create a log source on
the JSA console. If JSA automatically discovers the DSM, this step is not required.

Related tasks

• Manually Installing a DSM
• Configuring a Fortinet FortiGate Log Source

Configuring a Fortinet FortiGate Log Source

JSA automatically discovers and creates a log source for syslog events from Fortinet FortiGate. The following configuration steps are optional.
Procedure
To configure a Fortinet FortiGate log source:

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list, select Fortinet FortiGate Security Gateway.
Step 9 Using the Protocol Configuration list, select one of the following options:

• Select Syslog.
• To configure JSA to receive FortiAnalyzer events, select Syslog Redirect.

Step 10 Configure the following values:

Table 40-1 Syslog Parameters

Parameter                      Description
Log Source Identifier RegEx    devname=([\w-]+)
Listen Port                    517
Protocol                       UDP

Step 11 Configure the remaining parameters.
Step 12 Click Save.
On the Admin tab, click Deploy Changes.
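The Log Source Identifier RegEx in the table above is what lets JSA tell apart firewalls whose events all arrive through one FortiAnalyzer. The following Python script is an added example, not JSA or Fortinet code: it applies that regex to constructed FortiGate-style key=value events relayed from one constructed FortiAnalyzer address (192.0.2.10) and shows how events split per devname, plus the failure mode where a device quotes the value so the page's regex does not match. The sample events, the fallback to the sender address when the regex fails, and the parse_kv helper are this example's assumptions, not behaviour documented on the page.

```python
import re

# Identifier regex exactly as given in the Syslog Redirect parameter table above.
DEVNAME_RE = re.compile(r"devname=([\w-]+)")

# Constructed relay address for the FortiAnalyzer that forwards the events.
RELAY_IP = "192.0.2.10"

# Constructed FortiGate-style key=value events (not captured from a device):
# two branch firewalls relayed through RELAY_IP, plus one with a quoted devname.
SAMPLE_EVENTS = [
    (RELAY_IP, "date=2014-11-27 time=08:00:01 devname=FGT-branch-01 "
               "type=traffic subtype=forward level=notice vd=root "
               "srcip=10.1.1.5 srcport=51514 dstip=203.0.113.7 dstport=443 action=accept"),
    (RELAY_IP, "date=2014-11-27 time=08:00:02 devname=FGT-branch-02 "
               "type=utm subtype=ips level=alert vd=root severity=high "
               "srcip=198.51.100.23 dstip=10.2.2.9 action=dropped"),
    (RELAY_IP, "date=2014-11-27 time=08:00:03 devname=FGT-branch-01 "
               "type=event subtype=system level=information vd=root "
               'logdesc="Admin login successful" user=admin action=login status=success'),
    (RELAY_IP, 'date=2014-11-27 time=08:00:04 devname="FGT-hq-01" '
               "type=traffic subtype=forward level=notice vd=root "
               "srcip=10.9.9.9 dstip=203.0.113.8 dstport=80 action=deny"),
]


def identify_source(sender_ip, event):
    """Emulate the Log Source Identifier RegEx: the first capture group of
    DEVNAME_RE names the log source. Falling back to the sending address when
    the regex does not match is this example's choice, not documented behaviour."""
    match = DEVNAME_RE.search(event)
    return match.group(1) if match else sender_ip


def count_by_identifier(events):
    """Count events per resolved log source identifier."""
    counts = {}
    for sender_ip, event in events:
        ident = identify_source(sender_ip, event)
        counts[ident] = counts.get(ident, 0) + 1
    return counts


def parse_kv(event):
    """Split a FortiGate-style line into a dict; values may be bare or
    double-quoted (quotes are stripped), so a quoted devname still resolves."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', event)
    return {key: value.strip('"') for key, value in pairs}


if __name__ == "__main__":
    for ident, n in sorted(count_by_identifier(SAMPLE_EVENTS).items()):
        print(f"{ident:15} {n} event(s)")
    quoted = SAMPLE_EVENTS[3][1]
    print("page regex on quoted devname:", DEVNAME_RE.search(quoted))
    print("key=value parser on quoted devname:", parse_kv(quoted)["devname"])
```

Running it attributes two events to FGT-branch-01, one to FGT-branch-02 and one to 192.0.2.10: the fourth line carries devname="FGT-hq-01", and [\w-]+ cannot begin on a double quote, so that firewall would be folded into the relay's identity and its events counted against the wrong log source. If your devices quote the field, a regex such as devname="?([\w-]+) (an adjustment suggested here, not a value from the page) keeps the per-firewall split; compare a sample of raw payloads on the Log Activity tab against the identifier before relying on it for rules or reports.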

38 FOUNDRY FASTIRON

You can integrate a Foundry FastIron device with Juniper Secure Analytics (JSA) to collect all relevant events using syslog.

Configure Syslog for Foundry FastIron

To integrate JSA with a Foundry FastIron RX device, you must configure the appliance to forward syslog events.
Procedure

Step 1 Log in to the Foundry FastIron device command-line interface (CLI).
Step 2 Type the following command to enable logging:

logging on

Local syslog is now enabled with the following defaults:

• Messages of all syslog levels (Emergencies - Debugging) are logged.
• Up to 50 messages are retained in the local syslog buffer.
• No syslog server is specified.

Step 3 Type the following command to define an IP address for the syslog server:

logging host <IP address>

Where <IP address> is the IP address of your JSA.
You are now ready to configure the log source in JSA.

Configuring a Log Source

JSA automatically discovers and creates a log source for syslog events from Foundry FastIron. The following configuration steps are optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Foundry FastIron.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 41-1 Syslog protocol parameters

Parameter                Description
Log Source Identifier    Type the IP address or host name for the log source as an identifier for events from your Foundry FastIron appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

39 GENERIC FIREWALL

The generic firewall server DSM for Juniper Secure Analytics (JSA) accepts events using syslog. JSA records all relevant events.

Configuring Event Properties

To configure JSA to interpret the incoming generic firewall events:

Step 1 Forward all firewall logs to your JSA.

For information on forwarding firewall logs from your generic firewall to JSA, see
your firewall vendor documentation.
Step 2 Open the following file:

/opt/qradar/conf/genericFirewall.conf

Make sure you copy this file to systems hosting the Event Collector and the JSA
console.
Step 3 Restart the Tomcat server:

service tomcat restart

A message is displayed indicating that the Tomcat server has restarted.
Step 4 Enable or disable regular expressions in your patterns by setting the regex_enabled property accordingly. By default, regular expressions are disabled. For example:

regex_enabled=false

When you set the regex_enabled property to false, the system generates regular
expressions based on the tags you entered while attempting to retrieve the
corresponding data values from the logs.
When you set the regex_enabled property to true, you can define custom regex to
control patterns. These regex are directly applied to the logs and the first captured
group is returned. When defining custom regex patterns, you must adhere to regex
rules, as defined by the Java programming language. For more information, see
the following website: http://download.oracle.com/javase/tutorial/essential/regex/
To integrate a generic firewall with JSA, make sure you specify the classes directly
instead of using the predefined classes. For example, the digit class (/\d/)
becomes /[0-9]/. Also, instead of using numeric qualifiers, re-write the
expression to use the primitive qualifiers (/?/,/*/ and /+/).

Step 5 Review the file to determine a pattern for accepted packets.

For example, if your device generates the following log messages for accepted packets:

Aug. 5, 2005 08:30:00 Packet accepted. Source IP: 192.168.1.1 Source Port: 80 Destination IP: 192.168.1.2 Destination Port: 80 Protocol: tcp

The pattern for accepted packets is Packet accepted.
Step 6 Add the following to the file:

accept_pattern=<pattern>

Where <pattern> is the pattern determined in Step 5. For example:

accept_pattern=Packet accepted

Patterns are case insensitive.
Step 7 Review the file to determine a pattern for denied packets.

For example, if your device generates the following log messages for denied
packets:
Aug. 5, 2005 08:30:00 Packet denied. Source IP: 192.168.1.1
Source Port: 21 Destination IP: 192.168.1.2 Destination Port: 21
Protocol: tcp

The pattern for denied packets is Packet denied.
Step 8 Add the following to the file:

deny_pattern=<pattern>

Where <pattern> is the pattern determined in Step 7.
Patterns are case insensitive.
Step 9 Review the file to determine a pattern, if present, for the following:

• source ip
• source port
• destination ip
• destination port
• protocol

For example, if your device generates the following log message:

Aug. 5, 2005 08:30:00 Packet accepted. Source IP: 192.168.1.1 Source Port: 80 Destination IP: 192.168.1.2 Destination Port: 80 Protocol: tcp

The pattern for source IP is Source IP.
Step 10 Add the following to the file:

source_ip_pattern=<source IP pattern>
source_port_pattern=<source port pattern>
destination_ip_pattern=<destination IP pattern>
destination_port_pattern=<destination port pattern>
protocol_pattern=<protocol pattern>

Where <source IP pattern>, <source port pattern>, <destination IP pattern>, <destination port pattern>, and <protocol pattern> are the corresponding patterns identified in Step 9.

Note: Patterns are case insensitive and you can add multiple patterns. For multiple patterns, separate using a # symbol.

Step 11 Save and exit the file.

You are now ready to configure the log source in JSA.

Configuring a Log Source

To integrate generic firewalls with JSA, you must manually create a log source to receive the events, because JSA does not automatically discover or create log sources for events from generic firewall appliances.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.
Step 4 Click the Log Sources icon.

The Log Sources window is displayed.
Step 5 Click Add.

The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Configurable Firewall Filter.
Step 9 Using the Protocol Configuration list box, select Syslog.

The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 42-1 Syslog Parameters

Parameter                Description
Log Source Identifier    Type the IP address or host name for the log source as an identifier for events from your generic firewall appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The log source is added to JSA. Events forwarded to JSA by generic firewalls are displayed on the Log Activity tab.

40 GENERIC AUTHORIZATION SERVER

The generic authorization server DSM for Juniper Secure Analytics (JSA) records all relevant generic authorization events using syslog.

Configuring Event Properties

To configure JSA to interpret the incoming generic authorization events:

Step 1 Forward all authentication server logs to your JSA system.

For information on forwarding authentication server logs to JSA, see your generic
authorization server vendor documentation.
Step 2 Open the following file:

/opt/qradar/conf/genericAuthServer.conf

Make sure you copy this file to systems hosting the Event Collector and the
console.
Step 3 Restart the Tomcat server:

service tomcat restart

A message is displayed indicating that the Tomcat server has restarted.
Step 4 Enable or disable regular expressions in your patterns by setting the regex_enabled property accordingly. By default, regular expressions are disabled. For example:

regex_enabled=false

When you set the regex_enabled property to false, the system generates regular
expressions (regex) based on the tags you entered while attempting to retrieve the
corresponding data values from the logs.
When you set the regex_enabled property to true, you can define custom regex to
control patterns. These regex are directly applied to the logs and the first captured
group is returned. When defining custom regex patterns, you must adhere to regex
rules, as defined by the Java programming language. For more information, see
the following website: http://download.oracle.com/javase/tutorial/essential/regex/
To integrate the generic authorization server with JSA, make sure you specify the
classes directly instead of using the predefined classes. For example, the digit
class (/\d/) becomes /[0-9]/. Also, instead of using numeric qualifiers,
re-write the expression to use the primitive qualifiers (/?/,/*/ and /+/).

Step 5 Review the file to determine a pattern for successful login.

For example, if your authentication server generates the following log message for a successful login:

Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from 10.100.100.109 port 1727 ssh2

The pattern for successful login is Accepted password.
Step 6 Add the following entry to the file:

login_success_pattern=<pattern>

Where <pattern> is the pattern determined in Step 5.
For example:

login_success_pattern=Accepted password

All entries are case insensitive.
Step 7 Review the file to determine a pattern for login failures.

For example, if your authentication server generates the following log message for
login failures:
Jun 27 12:58:33 expo sshd[20627]: Failed password for root from
10.100.100.109 port 1849 ssh2

The pattern for login failures is Failed password.
Step 8 Add the following to the file:

login_failed_pattern=<pattern>

Where <pattern> is the pattern determined for login failure.
For example:
login_failed_pattern=Failed password

All entries are case insensitive.
Step 9 Review the file to determine a pattern for logout:

For example, if your authentication server generates the following log message for
logout:
Jun 27 13:00:01 expo su(pam_unix)[22723]: session closed for
user genuser

The pattern for logout is session closed.
Step 10 Add the following to the genericAuthServer.conf file:

logout_pattern=<pattern>

Where <pattern> is the pattern determined for logout in Step 9.
For example:
logout_pattern=session closed

All entries are case insensitive.

Step 11 Review the file to determine a pattern, if present, for source IP address and source port.

For example, if your authentication server generates the following log message:

Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from 10.100.100.109 port 1727 ssh2

The pattern for source IP address is from and the pattern for source port is port.
Step 12 Add an entry to the file for source IP address and source port:

source_ip_pattern=<source IP pattern>
source_port_pattern=<source port pattern>

Where <source IP pattern> and <source port pattern> are the patterns identified in Step 11 for source IP address and source port.
For example:

source_ip_pattern=from
source_port_pattern=port
Step 13 Review the file to determine if a pattern exists for username.

For example:
Jun 27 12:11:21 expo sshd[19926]: Accepted password for root
from 10.100.100.109 port 1727 ssh2

The pattern for username is for.
Step 14 Add an entry to the file for the username pattern:

For example:
user_name_pattern=for

You are now ready to configure the log source in JSA.
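The genericFirewall.conf procedure in the previous chapter and the genericAuthServer.conf procedure above rely on the same mechanism: plain tags when regex_enabled=false, custom regex whose first capture group is the value when it is true, and # as the separator between alternative patterns. The Python script below is an added example, not JSA code and not the DSM's implementation: it emulates that mechanism in Python on the log lines quoted in both chapters, so the effect of each entry can be checked before a file is deployed (the rules the page cites for Java regex are used only where Python and Java agree: bracket classes, +, * and ?). Constructed here and not taken from the page: the two sample conf texts, the grouping of keys into event-type keys and field keys, the shape of the regex generated from a tag (the page does not document it), the "Packet dropped" line, and the lint_patterns checker that flags predefined classes and numeric qualifiers.

```python
import re

# Keys that classify the event; every other *_pattern key extracts a field.
# This split is the example's assumption: the page lists the keys, not the grouping.
EVENT_KEYS = ("accept_pattern", "deny_pattern", "login_success_pattern",
              "login_failed_pattern", "logout_pattern")

# Constructed conf texts in the key=value style of the two procedures.
FIREWALL_CONF = """
regex_enabled=false
accept_pattern=Packet accepted
deny_pattern=Packet denied#Packet dropped
source_ip_pattern=Source IP
source_port_pattern=Source Port
destination_ip_pattern=Destination IP
destination_port_pattern=Destination Port
protocol_pattern=Protocol
"""
AUTH_CONF = """
regex_enabled=true
login_success_pattern=(Accepted password)
login_failed_pattern=(Failed password)
logout_pattern=(session closed)
source_ip_pattern=from ([0-9.]+)
source_port_pattern=port ([0-9]+)
user_name_pattern=for ([a-zA-Z0-9_-]+)
"""

# Log lines quoted on the page, plus one constructed "dropped" line.
FW_ACCEPT = ("Aug. 5, 2005 08:30:00 Packet accepted. Source IP: 192.168.1.1 "
             "Source Port: 80 Destination IP: 192.168.1.2 Destination Port: 80 Protocol: tcp")
FW_DENY = ("Aug. 5, 2005 08:30:00 Packet denied. Source IP: 192.168.1.1 "
           "Source Port: 21 Destination IP: 192.168.1.2 Destination Port: 21 Protocol: tcp")
FW_DROP = "Aug. 5, 2005 08:31:00 Packet dropped. Source IP: 192.168.1.3 Destination IP: 192.168.1.2 Protocol: udp"
SSH_OK = ("Jun 27 12:11:21 expo sshd[19926]: Accepted password for root "
          "from 10.100.100.109 port 1727 ssh2")
SSH_FAIL = ("Jun 27 12:58:33 expo sshd[20627]: Failed password for root "
            "from 10.100.100.109 port 1849 ssh2")
SU_LOGOUT = "Jun 27 13:00:01 expo su(pam_unix)[22723]: session closed for user genuser"


def parse_conf(text):
    """Return (regex_enabled, {key: [alternative, ...]}); '#' separates alternatives."""
    regex_enabled, patterns = False, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "regex_enabled":
            regex_enabled = value.lower() == "true"
        elif key.endswith("_pattern"):
            patterns[key] = [alt.strip() for alt in value.split("#") if alt.strip()]
    return regex_enabled, patterns


def compile_pattern(pattern, regex_enabled):
    """Regex mode: the pattern is applied as written (first group is the value).
    Tag mode: match the tag as a whole word and capture the token after an
    optional colon; this generated shape is an assumption of the example."""
    if regex_enabled:
        return re.compile(pattern, re.IGNORECASE)
    return re.compile(r"(?<!\w)" + re.escape(pattern) + r"(?!\w)(?:\s*:?\s*(\S+))?",
                      re.IGNORECASE)


def parse_event(conf_text, line):
    """Classify one log line and extract its fields with a conf in the page's format."""
    regex_enabled, patterns = parse_conf(conf_text)
    result = {"event": None, "fields": {}}
    for key, alternatives in patterns.items():
        name = key[:-len("_pattern")]
        for alt in alternatives:
            match = compile_pattern(alt, regex_enabled).search(line)
            if match is None:
                continue
            if key in EVENT_KEYS:
                if result["event"] is None:
                    result["event"] = name          # first matching type wins
            else:
                value = match.group(1) if match.re.groups else match.group(0)
                if value is not None:
                    result["fields"][name] = value
            break                                   # first matching alternative wins
    return result


# Constructs the page says to avoid in custom regex: predefined classes such as
# \d (write [0-9]) and numeric qualifiers such as {1,3} (write + or *).
PREDEFINED_CLASS = re.compile(r"\\[dDwWsS]")
NUMERIC_QUALIFIER = re.compile(r"\{[0-9]+(,[0-9]*)?\}")


def lint_patterns(conf_text):
    """(key, pattern, issue) for each custom regex using a construct to rewrite."""
    regex_enabled, patterns = parse_conf(conf_text)
    if not regex_enabled:
        return []
    checks = (("predefined class", PREDEFINED_CLASS), ("numeric qualifier", NUMERIC_QUALIFIER))
    return [(key, alt, issue) for key, alts in patterns.items() for alt in alts
            for issue, rx in checks if rx.search(alt)]
```

Two results are worth checking before a file goes live. With FIREWALL_CONF, the constructed "Packet dropped" line is classified as deny because the # separator makes it a second alternative. With AUTH_CONF, the pam_unix logout line yields user_name "user" rather than "genuser", because the tag for is ambiguous across message types; that is why each message type the server emits should be reviewed against every pattern, not only the one it was written for.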

Configure a Log Source

To integrate generic authorization appliance events with JSA, you must manually create a log source to receive the events, because JSA does not automatically discover or create log sources for events from generic authorization appliances.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Configurable Authentication message filter.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 43-1 Syslog Parameters

Parameter                Description
Log Source Identifier    Type the IP address or host name for the log source as an identifier for events from your generic authorization appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The log source is added to JSA. Events forwarded to JSA by generic authorization appliances are displayed on the Log Activity tab.

41 GREAT BAY BEACON

The Great Bay Beacon DSM for Juniper Secure Analytics (JSA) supports syslog alerts from the Great Bay Beacon Endpoint Profiler.
JSA records all relevant endpoint security events. Before you can integrate with JSA, you must configure your Great Bay Beacon Endpoint Profiler to forward syslog event messages to JSA.

Configuring Syslog for Great Bay Beacon

You can configure your Great Bay Beacon Endpoint Profiler to forward syslog events.
Procedure

Step 1 Log in to your Great Bay Beacon Endpoint Profiler.
Step 2 To create an event, select Configuration > Events > Create Events.

A list of currently configured events is displayed.
Step 3 From the Event Delivery Method pane, select the Syslog check box.
Step 4 To apply your changes, select Configuration Apply Changes > Update Modules.
Step 5 Repeat Step 2 to Step 4 to configure all of the events you want to monitor in JSA.
Step 6 Configure JSA as an external log source for your Great Bay Beacon Endpoint Profiler.

For information on configuring JSA as an external log source, see the Great Bay Beacon Endpoint Profiler Configuration Guide.
You are now ready to configure the log source in JSA.

Configuring a log source

JSA automatically discovers and creates a log source for syslog events from Great Bay Beacon. The following configuration steps are optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Great Bay Beacon.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 44-1 Syslog Parameters

Parameter                Description
Log Source Identifier    Type the IP address or host name for the log source as an identifier for events from your Great Bay Beacon appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

42 HBGARY ACTIVE DEFENSE

The HBGary Active Defense DSM for Juniper Secure Analytics (JSA) accepts several event types forwarded from HBGary Active Defense devices, such as access, system, system configuration, and policy events.
Events from Active Defense are forwarded in the Log Event Extended Format (LEEF) to JSA using syslog. Before you can configure JSA, you must configure a route for your HBGary Active Defense device to forward events to a syslog destination.

Configuring HBGary Active Defense

You can configure a route for syslog events in Active Defense for JSA.
Procedure

Step 1 Log in to the Active Defense Management console.
Step 2 From the navigation menu, select Settings > Alerts.
Step 3 Click Add Route.
Step 4 In the Route Name field, type a name for the syslog route you are adding to Active Defense.
Step 5 From the Route Type list box, select LEEF (Q1 Labs).
Step 6 In the Settings pane, configure the following values:

• Host - Type the IP address or hostname for your JSA console or Event Collector.
• Port - Type 514 as the port number.

Step 7 In the Events pane, select any events you want to forward to JSA.
Step 8 Click OK to save your configuration changes.

The Active Defense device configuration is complete. You are now ready to configure a log source in JSA. For more information on configuring a route in Active Defense, see your HBGary Active Defense User Guide.

Configuring a Log Source

JSA automatically discovers and creates a log source for LEEF formatted syslog events forwarded from Active Defense. These configuration steps are optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 In the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for the log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select HBGary Active Defense.
Step 9 From the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 45-1 HBGary Active Defense Syslog Protocol Parameters

Parameter                Description
Log Source Identifier    Type the IP address or hostname for your HBGary Active Defense device. The IP address or hostname identifies your HBGary Active Defense device as a unique event source in JSA.

For more information on configuring log sources, see the Log Sources Users Guide.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The HBGary Active Defense configuration is complete.

43 HONEYCOMB LEXICON FILE INTEGRITY MONITOR (FIM)

You can use the Honeycomb Lexicon File Integrity Monitor (FIM) DSM with JSA to collect detailed file integrity events from your network.

Configuration Overview

JSA supports syslog events that are forwarded from Lexicon File Integrity Monitor
installations that use Lexicon mesh v3.1 and above. The syslog events that are
forwarded by Lexicon FIM are formatted as Log Extended Event Format (LEEF)
events by the Lexicon mesh service.
To integrate Lexicon FIM events with JSA, you must complete the following tasks:
1 On your Honeycomb installation, configure the Lexicon mesh service to generate syslog events in LEEF.
2 On your Honeycomb installation, configure any Lexicon FIM policies for your Honeycomb data collectors to forward FIM events to your JSA console or Event Collector.
3 On your JSA console, verify that a Lexicon FIM log source is created and that events are displayed on the Log Activity tab.
4 Optional. Ensure that no firewall rules block communication between your Honeycomb data collectors and the JSA console or Event Collector that is responsible for receiving events.

Supported Honeycomb FIM Event Types Logged by JSA

The Honeycomb FIM DSM for JSA can collect events from several categories. Each event category contains low-level events that describe the action that is taken within the event category. For example, file rename events might have a low-level category of either file rename successful or file rename failed.
The following list defines the event categories that are collected by JSA for Honeycomb file integrity events:
• Baseline events
• Open file events
• Create file events
• Rename file events
• Modify file events
• Delete file events
• Move file events
• File attribute change events
• File ownership change events

JSA can also collect Windows and other log files that are forwarded from Honeycomb Lexicon. However, any event that is not a file integrity event might require special processing by a Universal DSM or a log source extension in JSA.

Configuring the Lexicon Mesh Service

To collect events in a format that is compatible with JSA, you must configure your Lexicon mesh service to generate syslog events in LEEF.
Procedure

Step 1 Log in to the Honeycomb LexCollect system that is configured as the dbContact system in your network deployment.
Step 2 Locate the installImage directory in the Honeycomb installation directory.

For example, c:\Program Files\Honeycomb\installImage\data.
Step 3 Open the mesh.properties file.

If your deployment does not contain Honeycomb LexCollect, you can edit mesh.properties manually.
For example, c:\Program Files\mesh
Step 4 To export syslog events in LEEF, edit the formatter field.

For example, formatter=leef.
Step 5 Save your changes.

The mesh service is configured to output LEEF events. For information about the Lexicon mesh service, see your Honeycomb documentation.

Configuring a Honeycomb Lexicon FIM Log Source in JSA

JSA automatically discovers and creates a log source for file integrity events that are forwarded from the Honeycomb Lexicon File Integrity Monitor. This procedure is optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 In the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 Optional. In the Log Source Description field, type a description for your log source.
Step 8 From the Log Source Type list box, select Honeycomb Lexicon File Integrity Monitor.
Step 9 From the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 46-2 Syslog Protocol Parameters

Parameter                 Description
Log Source Identifier     Type the IP address or host name for the log source as an identifier for events from your Honeycomb Lexicon FIM installation. The log source identifier must be a unique value.
Enabled                   Select this check box to enable the log source. By default, the check box is selected.
Credibility               From the list box, select the credibility of the log source. The range is 0 - 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.
Target Event Collector    From the list box, select the Event Collector to use as the target for the log source.
Coalescing Events         Select this check box to enable the log source to coalesce (bundle) events. By default, automatically discovered log sources inherit the value of the Coalescing Events list box from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.
Incoming Event Payload    From the list box, select the incoming payload encoder for parsing and storing the logs.
Store Event Payload       Select this check box to enable the log source to store event payload information. By default, automatically discovered log sources inherit the value of the Store Event Payload list box from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

Honeycomb Lexicon File Integrity Monitor events that are forwarded to JSA are displayed on the Log Activity tab.

44 HP

This section provides information on the following DSMs:

• HP ProCurve
• HP Tandem
• Hewlett Packard UNIX (HP-UX)

HP ProCurve

You can integrate an HP ProCurve device with JSA to record all relevant HP ProCurve events using syslog.

Configuring Syslog for HP ProCurve

You can configure your HP ProCurve device to forward syslog events to Juniper Secure Analytics (JSA).
Procedure

Step 1 Log in to the HP ProCurve device.
Step 2 Type the following command to make global configuration level changes:

config

If successful, the CLI prompt changes to ProCurve(config)#.
Step 3 Type the following command:

logging <IP address>

Where <IP address> is the IP address of the JSA.
Step 4 To exit config mode, press CTRL+Z.
Step 5 Type write mem to save the current configuration to the startup configuration for your HP ProCurve device.
You are now ready to configure the log source in JSA.

Configuring a Log Source

JSA automatically discovers and creates a log source for syslog events forwarded from your HP ProCurve device. These configuration steps are optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 In the navigation menu, click Data Sources.

Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for the log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select HP ProCurve.
Step 9 From the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 47-1 HP ProCurve syslog protocol parameters

Parameter                Description
Log Source Identifier    Type the IP address or hostname for your HP ProCurve device.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

HP Tandem

You can integrate an HP Tandem device with JSA. An HP Tandem device accepts SafeGuard Audit file events using a log file protocol source.
A log file protocol source allows JSA to retrieve archived log files from a remote host. The HP Tandem DSM supports the bulk loading of log files using the log file protocol source.
When configuring your HP Tandem device to use the log file protocol, make sure the hostname or IP address configured in the HP Tandem device is the same as configured in the Remote Host parameter in the Log File Protocol configuration.
The SafeGuard Audit file names have the following format:

Annnnnnn

The single alphabetic character A is followed by a seven-digit decimal integer nnnnnnn, which increments by one each time a name is generated in the same audit pool.
You are now ready to configure the log source and protocol in JSA:
Procedure
Step 1 From the Log Source Type list box, select HP Tandem.
Step 2 To configure the log file protocol, from the Protocol Configuration list box, select Log File.

Note: Your system must be running the latest version of the log file protocol to integrate with an HP Tandem device.
For the full list of Log File protocol parameters, see the Log Sources Users Guide.
For more information about HP Tandem, see your vendor documentation.

Hewlett Packard UNIX (HP-UX)

You can integrate an HP-UX device with JSA. An HP-UX DSM accepts events using syslog.

Configuring Syslog for HP-UX

You can configure syslog on your HP-UX device to forward events to JSA.
Procedure

Step 1 Log in to the HP-UX device command-line interface.
Step 2 Open the following file:

/etc/syslog.conf

Step 3 Add the following line:

<facility>.<priority> <destination>

Where:
<facility> is auth.
<priority> is info.
<destination> is the IP address of the JSA.
Step 4 Save and exit the file.
Step 5 Type the following command to ensure that syslogd enforces the changes to the syslog.conf file:

kill -HUP `cat /var/run/syslog.pid`

Note: The above command is surrounded with back quotation marks.
You are now ready to configure the log source in JSA.

Configure a Log Source

JSA automatically discovers and creates a log source for syslog events forwarded from HP-UX. These configuration steps are optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 In the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.

Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for the log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Hewlett Packard UniX.
Step 9 From the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 47-1 HP-UX syslog parameters

Parameter                Description
Log Source Identifier    Type the IP address or hostname for your Hewlett Packard UniX device.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

45 HUAWEI

This section includes configurations for the following DSMs:

• Huawei AR Series Router
• Huawei S Series Switch

Huawei AR Series Router

The Huawei AR Series Router DSM for Juniper Secure Analytics (JSA) can accept events from Huawei AR Series Routers using syslog.
JSA records all relevant IPv4 events forwarded from Huawei AR Series Router. To integrate your device with JSA, you must create a log source, then configure your AR Series Router to forward syslog events.

Supported Routers

The DSM supports events from the following Huawei AR Series Routers:

• AR150
• AR200
• AR1200
• AR2200
• AR3200

Configuring a Log Source

JSA does not automatically discover incoming syslog events from Huawei AR Series Routers.
If your events are not automatically discovered, you must manually create a log source from the Admin tab in JSA.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.

Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Huawei AR Series Router.
Step 9 From the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 48-1 Syslog protocol parameters

Parameter                Description
Log Source Identifier    Type the IP address, host name, or name for the log source as an identifier for your Huawei AR Series Router. Each log source you create for your Huawei AR Series Router should include a unique identifier, such as an IP address or host name.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The log source is added to JSA. You are now ready to configure your Huawei AR Series Router to forward events to JSA.
Configuring Your
Huawei AR Series
Router

To forward syslog events to JSA, you must configure your Huawei AR Series
Router as an information center, then configure a log host.
The log host you create for your Huawei AR Series Router should forward events
to your JSA console or an Event Collector.
Procedure

Step 1 Log in to the command-line interface (CLI) of your Huawei AR Series Router.
Step 2 Type the following command to access the system view:
system-view
Step 3 Type the following command to enable the information center:
info-center enable
Step 4 Type the following command to send log messages of severity informational
(level 6) or more severe from the default source module to the loghost channel,
with debug and trap output disabled:
info-center source default channel loghost log level
informational debug state off trap state off
Step 5 Optional. To verify the source configuration of the loghost channel, type the
following command:
display channel loghost
Step 6 Type the following command to configure the IP address of JSA as the loghost for
your router:
info-center loghost <IP address> facility <facility>

Where:
<IP address> is the IP address of the JSA console or Event Collector.
<facility> is the syslog facility, for example, local0.

For example,
info-center loghost 10.10.10.1 facility local0
The router sends syslog to UDP port 514 by default; make sure that port is reachable
from the router to the JSA console or Event Collector.
Step 7 Type the following command to exit the system view:
quit

The configuration is complete. You can verify events forwarded to JSA by viewing
events on the Log Activity tab.

Huawei S Series Switch
The Huawei S Series Switch DSM for JSA can accept events from Huawei S
Series Switch appliances using syslog.
JSA records all relevant IPv4 events forwarded from Huawei S Series Switches. To
integrate your device with JSA, you must configure a log source, then configure
your S Series Switch to forward syslog events.

Supported Switches

The DSM supports events from the following Huawei S Series Switches:
• S5700
• S7700
• S9700

Configuring a Log Source

JSA does not automatically discover incoming syslog events from Huawei S Series
Switches, so you must manually create a log source from the Admin tab in JSA
before the switch's events can be parsed.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Huawei S Series Switch.
Step 9 From the Protocol Configuration list box, select Syslog.

Step 10 Configure the following values:

Table 48-2 Syslog protocol parameters

Parameter               Description

Log Source Identifier   Type the IP address, host name, or name for the log source
                        as an identifier for your Huawei S Series switch. Each log
                        source you create for a Huawei S Series switch should
                        include a unique identifier, such as the switch's IP address
                        or host name, because JSA uses it to match incoming syslog
                        events to this log source.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The log source is added to JSA. You are now ready to configure your Huawei S
Series Switch to forward events to JSA.
Configuring Your Huawei S Series Switch

To forward syslog events to JSA, you must configure your Huawei S Series Switch
as an information center, then configure a log host.
The log host you create for your Huawei S Series Switch should forward events to
your JSA console or an Event Collector.
Procedure

Step 1 Log in to the command-line interface (CLI) of your Huawei S Series Switch.
Step 2 Type the following command to access the system view:
system-view
Step 3 Type the following command to enable the information center:
info-center enable
Step 4 Type the following command to send log messages of severity informational
(level 6) or more severe from the default source module to the loghost channel,
with debug and trap output disabled:
info-center source default channel loghost log level
informational debug state off trap state off
Step 5 Optional. To verify the source configuration of the loghost channel, type the
following command:
display channel loghost
Step 6 Type the following command to configure the IP address of JSA as the loghost for
your switch:
info-center loghost <IP address> facility <facility>

Where:
<IP address> is the IP address of the JSA console or Event Collector.
<facility> is the syslog facility, for example, local0.

For example,
info-center loghost 10.10.10.1 facility local0
The switch sends syslog to UDP port 514 by default; make sure that port is reachable
from the switch to the JSA console or Event Collector.
Step 7 Type the following command to exit the system view:
quit

The configuration is complete. You can verify events forwarded to JSA by viewing
events on the Log Activity tab.
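The procedures above for the AR Series Router and the S Series Switch both send the loghost channel to JSA over syslog. The following Python example, added here and not part of the original guide or of Huawei's or Juniper's software, decodes the syslog PRI value (facility times 8 plus severity) that the facility <facility> parameter produces, splits a VRP-style message header into the host name that JSA compares with the Log Source Identifier, and applies the same filter as log level informational debug state off trap state off, so you can predict which records the device forwards. The sample messages are constructed for illustration; the host names, module names and descriptions in them are assumptions, not captured output.

```python
import re

# RFC 3164 facility and severity codes: PRI = facility * 8 + severity.
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
FACILITY_CODES = {name: code for code, name in FACILITY_NAMES.items()}
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

# Constructed sample messages in the VRP layout
#   <PRI>timestamp hostname %%VVMODULE/level/BRIEF(type)[count]:description
# where type l = log, t = trap, d = debug output. Hosts and texts are assumed.
SAMPLE_LINES = [
    "<133>Nov 27 2014 10:15:02 AR2200 %%01SHELL/5/LOGIN(l)[12]:The user logged in. (UserName=admin, IPAddress=10.10.10.50)",
    "<134>Nov 27 2014 10:15:40 S5700-core %%01SHELL/6/CMDRECORD(l)[13]:Recorded command information. (Command=\"display channel loghost\")",
    "<135>Nov 27 2014 10:16:01 AR2200 %%01SOCKET/7/SOCKET_DEBUG(d)[14]:Constructed debug output record.",
    "<133>Nov 27 2014 10:16:30 AR2200 %%01IFNET/5/LINK_STATE(t)[15]:Constructed trap record.",
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")
BODY_RE = re.compile(r"^%%(\d{2})(\w+)/(\d)/(\w+)\(([A-Za-z])\)\[(\d+)\]:(.*)$")


def syslog_pri(facility, severity):
    """PRI value a device emits, e.g. facility local0 with an informational log."""
    return FACILITY_CODES[facility] * 8 + SEVERITY_NAMES.index(severity)


def parse_huawei_syslog(line):
    """Split a VRP syslog line into its fields; return None if it is not one."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        return None
    facility, severity = divmod(pri, 8)
    head, sep, body = m.group(2).partition(" %%")
    if not sep:
        return None
    head_parts = head.split()
    if not head_parts:
        return None
    bm = BODY_RE.match("%%" + body)
    if not bm:
        return None
    version, module, level, brief, kind, count, description = bm.groups()
    return {
        "facility": FACILITY_NAMES.get(facility, "facility%d" % facility),
        "severity": SEVERITY_NAMES[severity],
        "timestamp": " ".join(head_parts[:-1]),
        "host": head_parts[-1],  # what JSA compares with the Log Source Identifier
        "module": module,
        "level": int(level),
        "brief": brief,
        "kind": kind,
        "count": int(count),
        "description": description.strip(),
    }


def passes_loghost_channel(event, max_severity="informational"):
    """Apply 'log level <max_severity> debug state off trap state off':
    only log records (type l) at max_severity or more severe are sent."""
    if event["kind"] != "l":
        return False
    return SEVERITY_NAMES.index(event["severity"]) <= SEVERITY_NAMES.index(max_severity)


def forwarded_events(lines=SAMPLE_LINES):
    """Parsed records the device would forward with the channel configuration above."""
    parsed = [parse_huawei_syslog(line) for line in lines]
    return [e for e in parsed if e is not None and passes_loghost_channel(e)]


if __name__ == "__main__":
    for event in forwarded_events():
        print(event["host"], event["facility"], event["severity"],
              event["module"], event["brief"], event["description"])
```

Of the four constructed records only the two log-type records at notice and informational are forwarded; the debug-output record and the trap record are dropped by the channel filter before they ever reach the loghost, which is the first thing to check when an expected event does not appear on the Log Activity tab.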

IBM

This section provides information on the following DSMs:
• IBM AIX
• IBM AS/400 iSeries
• IBM CICS
• IBM Lotus Domino
• IBM Proventia Management SiteProtector
• IBM ISS Proventia
• IBM RACF
• IBM DB2
• IBM WebSphere Application Server
• IBM Informix Audit
• IBM IMS
• IBM Guardium
• IBM Tivoli Access Manager for E-business
• IBM z/Secure Audit
• IBM Tivoli Endpoint Manager
• IBM zSecure Alert
• IBM Security Network Protection (XGS)
• IBM Security Network IPS


IBM AIX

IBM offers two DSMs for Juniper Secure Analytics (JSA) that can collect and parse
audit or operating system events from IBM AIX®.

Supported Versions

JSA supports the following versions of IBM AIX:
• The IBM AIX Audit DSM supports IBM AIX v6.1 and IBM AIX v7.1.
• The IBM AIX Server DSM supports IBM AIX v5.x and IBM AIX v6.x.

Available DSMs

JSA can collect IBM AIX events with two available DSMs:
• IBM AIX Audit DSM - The IBM AIX Audit DSM collects detailed audit
  information for events that occur on your IBM AIX appliance. IBM AIX provides
  approximately 130 base audit events that you can collect.
  JSA can collect audit events using one of the following protocols:
  - Syslog - To use syslog to collect audit events in real time, you must redirect
    the audit log output to JSA.
  - Log File - To use the log file protocol, you must install the audit.pl script on
    your IBM AIX appliance and schedule the script to generate an event log file
    that contains JSA-readable audit events. You can then configure a log
    source in JSA to retrieve your IBM AIX event logs. The shortest time period
    you can configure to retrieve events with the log file protocol is a 15 minute
    interval. Perl 5.8 or above is required on your IBM AIX appliance to use the
    audit script.
• IBM AIX Server DSM - The IBM AIX Server DSM collects operating system
  and authentication events using syslog for users that interact with or log in to
  your IBM AIX appliance. Events can include:
  - Login or logoff events
  - Session opened or session closed events
  - Accepted password and failed password events
  - Operating system events

Configuration Overview

IBM AIX supports multiple DSMs for events and methods for event collection.
Consider the following information when configuring JSA:
• To collect audit events using the IBM AIX Audit DSM, you must select one of the
  following configuration options:
  - Configuring Syslog for the IBM AIX Audit DSM
  - Configuring the Log File Protocol for the IBM AIX Audit DSM
• To collect system authentication events using the IBM AIX Server DSM, you
  must complete the system authentication syslog configuration. For more
  information, see Configuring the IBM AIX Server DSM.

Configuring Syslog for the IBM AIX Audit DSM

To collect audit events with syslog using the IBM AIX Audit DSM, you must redirect
your audit log output from your IBM AIX appliance to JSA.
You can configure the events generated by IBM AIX appliances for JSA and
enable or disable classes in the audit configuration. The default classes configured
in IBM AIX capture a large number of audit events. To prevent performance
issues, you can tune your IBM AIX appliance and reduce the number of classes
collected according to your network security policy. For more information on the
audit classes, see your IBM AIX appliance documentation.
Procedure

Step 1 Log in to your IBM AIX appliance.
Step 2 Edit the audit configuration file:
/etc/security/audit/config
Step 3 In the start section of the audit file, edit the configuration to disable binmode and
enable streammode.
For example,
binmode = off
streammode = on
Step 4 In the classes section of the audit file, edit the configuration to determine which
classes are audited.
Step 5 Save the configuration changes.
Step 6 Edit the streamcmds configuration file on your IBM AIX appliance:
/etc/security/audit/streamcmds
Step 7 Add the following command to your streamcmds file:
/usr/sbin/auditstream | auditpr -h eclrRdi | /usr/bin/logger -p
local0.debug &
This pipes each audit record through auditpr and hands it to syslog with facility
local0 at priority debug.
Step 8 Save the configuration changes.
Step 9 Edit the syslog configuration file to include a debug entry and the location of JSA.
For example,
*.debug	@<IP address>

Where <IP address> is the IP address of your JSA console or Event Collector. A tab
must separate *.debug and the IP address of JSA, and the angle brackets are not
part of the entry.
Because the streamcmds entry logs with facility local0, a selector of local0.debug
forwards only the audit stream, whereas *.debug forwards every facility at every
priority to JSA.
Step 10 Save the configuration changes.
Step 11 Type the following command to reload your syslog configuration:
refresh -s syslogd
Step 12 Type the following command to start auditing on your IBM AIX appliance:
audit start

The configuration is complete. The IBM AIX Audit DSM automatically discovers
syslog audit events that are forwarded from IBM AIX to JSA. If the events are not
automatically discovered, you can manually configure a log source.
Configuring a log source
JSA automatically discovers and creates a log source for audit events that IBM AIX
forwards by syslog. This procedure is optional.
Procedure
Step 1 Click the Admin tab.
Step 2 Click the Log Sources icon.
Step 3 Click Add.
Step 4 In the Log Source Name field, type a name for your log source.
Step 5 From the Log Source Type list box, select IBM AIX Audit.
Step 6 Using the Protocol Configuration list box, select Syslog.
Step 7 Configure the following values:

Table 49-1 Syslog Parameters

Parameter               Description

Log Source Identifier   Type the IP address or host name for the log source as an
                        identifier for events from your IBM AIX.

Enabled                 Select this check box to enable the log source. By default,
                        the check box is selected.

Credibility             Select the credibility of the log source. The range is 0 - 10.
                        The credibility indicates the integrity of an event or offense
                        as determined by the credibility rating from the source
                        devices. Credibility increases if multiple sources report the
                        same event. The default is 5.

Target Event Collector  Select the Event Collector to use as the target for the log
                        source.

Coalescing Events       Select this check box to enable the log source to coalesce
                        (bundle) events.
                        By default, automatically discovered log sources inherit the
                        value of the Coalescing Events list box from the System
                        Settings in JSA. When you create a log source or edit an
                        existing configuration, you can override the default value by
                        configuring this option for each log source.

Incoming Event Payload  From the list box, select the incoming payload encoder for
                        parsing and storing the logs.

Store Event Payload     Select this check box to enable the log source to store event
                        payload information.
                        By default, automatically discovered log sources inherit the
                        value of the Store Event Payload list box from the System
                        Settings in JSA. When you create a log source or edit an
                        existing configuration, you can override the default value by
                        configuring this option for each log source.

Step 8 Click Save.
Step 9 On the Admin tab, click Deploy Changes.

The configuration is complete. The Log Activity tab of JSA displays the audit events
that IBM AIX redirects to syslog.
Configuring the Log File Protocol for the IBM AIX Audit DSM

The log file protocol retrieves the event log created by the audit.pl script.
About this task
You can schedule the audit.pl script to run each time you want to convert your IBM
AIX audit logs to a readable event log format for JSA.
The audit script determines which audit logs to read based on the configuration of
your audit configuration file in the /etc/security/audit/config directory on your IBM
AIX appliance. The audit configuration allows you to identify the event classes that
are audited and folder location for the event log file on your IBM AIX appliance.
The audit script converts binary logs on your IBM AIX appliance to single line
events that are readable by JSA. The log file protocol then retrieves the event log
from your IBM AIX appliance and imports the events to JSA.
The default classes configured in IBM AIX capture a large number of audit
events. You can configure the classes in the audit configuration on your IBM AIX
system to prevent performance issues. For information on configuring audit
classes, see your IBM AIX documentation.


Procedure
Step 1 Log in to your IBM AIX appliance.
Step 2 Edit the following audit configuration file:
/etc/security/audit/config
Step 3 In the start section of the audit file, edit the configuration to enable binmode.
For example,
binmode = on
Step 4 In the bin section of the audit file, check which directories contain the binary
audit logs.
In most cases, you do not have to edit the binary file (bin1 and bin2) directories.
For example, the default configuration for IBM AIX auditing writes binary logs to
the following locations:
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 10240
cmds = /etc/security/audit/bincmds
Step 5 In the classes section of the audit file, edit the configuration to determine which
classes are audited.
For information on configuring classes, see your IBM AIX documentation.
Step 6 Save the configuration changes.
Step 7 Type the following command to start auditing on your IBM AIX system:
audit start

You are now ready to install the audit script.
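The two IBM AIX Audit DSM procedures differ only in the start stanza (binmode off and streammode on for syslog, binmode on for the log file protocol) and in which classes are assigned to users. The following Python example, added here and not part of the original guide or of AIX itself, parses the stanza layout of /etc/security/audit/config, reports which collection method the start stanza enables, lists the audit events that a user's class assignment actually captures, and reads back the bin-stanza paths the log file procedure relies on, so you can confirm the tuning described above before running audit start. The sample configuration is constructed; its class names, event lists and the default user entry are illustrative assumptions, not AIX defaults.

```python
import re

# Constructed sample of /etc/security/audit/config. Stanza and key names follow the
# AIX layout; the class contents and user entries are assumed for illustration.
SAMPLE_CONFIG = """\
* constructed sample, not a real system's file
start:
        binmode = off
        streammode = on

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds

stream:
        cmds = /etc/security/audit/streamcmds

classes:
        general = USER_SU,PASSWORD_Change,FILE_Unlink,USER_Login,USER_Logout
        objects = S_ENVIRON_WRITE,S_GROUP_WRITE,S_PASSWD_WRITE
        cron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove

users:
        root = general,objects
        default = general
"""

STANZA_RE = re.compile(r"^(\w+):\s*$")


def parse_audit_config(text):
    """Return {stanza: {key: value}} for an AIX stanza file ('*' starts a comment line)."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("*"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def _is_on(stanza, key):
    # A missing key is treated as "off" here (an assumption); check your own file.
    return stanza.get(key, "off").strip().lower() == "on"


def collection_method(stanzas):
    """Which JSA collection path the start stanza enables:
    'syslog' (streammode only), 'logfile' (binmode only), 'both', or 'none'."""
    start = stanzas.get("start", {})
    binmode, streammode = _is_on(start, "binmode"), _is_on(start, "streammode")
    if binmode and streammode:
        return "both"
    if streammode:
        return "syslog"
    if binmode:
        return "logfile"
    return "none"


def audited_events(stanzas, user):
    """Expand a user's class assignment (or the default entry) into concrete audit events."""
    classes = stanzas.get("classes", {})
    users = stanzas.get("users", {})
    assignment = users.get(user, users.get("default", ""))
    events = []
    for class_name in (c.strip() for c in assignment.split(",") if c.strip()):
        for event in classes.get(class_name, "").split(","):
            if event.strip() and event.strip() not in events:
                events.append(event.strip())
    return events


def binary_trail_paths(stanzas):
    """Paths the log file procedure and audit.pl -t depend on."""
    b = stanzas.get("bin", {})
    return {k: b.get(k) for k in ("trail", "bin1", "bin2")}


if __name__ == "__main__":
    cfg = parse_audit_config(SAMPLE_CONFIG)
    print("collection:", collection_method(cfg))
    print("root audits:", audited_events(cfg, "root"))
    print("trail files:", binary_trail_paths(cfg))
```

Run it against a copy of the real file before starting auditing: a result of "both" means every record is written to the binary trail and to the syslog stream at once, which doubles the load the page warns about, and an empty event list for root means the classes stanza was trimmed past the point of usefulness.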
Installing and starting the audit script
You are required to install a version of Perl 5.8 or above on your IBM AIX appliance
to use the audit.pl script.
About this task
The audit script uses auditpr to convert the binary audit records to event log files
JSA can read. You must run the script each time you want to convert your audit
records to readable events. A cron job for the audit.pl script can automate this
process. Add 0 * * * * /audit.pl to allow the audit script to run hourly. The
minimum interval at which the audit.pl script should run is 15 minutes, because the
shortest time interval supported by the log file protocol to retrieve the event log is
15 minutes. Command parameters for audit.pl must be added to the cron job you
schedule on your IBM AIX appliance. For more information, see your system
documentation.


Procedure
Step 1 Download the following archive file from http://www.juniper.net/customers/support/:
audit.pl.gz
Step 2 Copy the audit script to a folder on your IBM AIX appliance.
Step 3 Type the following command to extract the file:
tar -zxvf audit.pl.gz
Step 4 Type the following command, and include additional command parameters, to start
the audit script:
./audit.pl

Table 49-2 Command Parameters

Parameter   Description

-r          The -r parameter defines the results directory where the audit script
            writes event log files for JSA.
            If you do not specify a results directory, the script writes the events to
            the following directory:
            /audit/results/
            The directory you specify for your audit result files is required in the
            Remote Directory field when you configure a log source using the log
            file protocol.
            Note: To prevent errors, verify that your results directory exists on your
            IBM AIX system.

-n          The -n parameter allows you to define a unique name for the event log
            file generated by audit.pl. By default, audit files are named
            AIX_AUDIT_<timestamp>.
            The value you specify using the -n parameter is required by the FTP
            File Pattern field to identify the event logs the log source must retrieve
            in JSA.

-l          The -l parameter defines the name of the last record file. By default, the
            last record file is named lastrecord.txt.
            The audit script uses the last record file to determine the last event
            processed. The last record file ensures duplicate events are not added
            to the results file.

-m          The -m parameter defines the maximum number of audit files to retain
            on your IBM AIX system. By default, the script retains 30 audit files.
            When the number of audit files exceeds the value of the -m parameter,
            the script deletes the audit file with the oldest timestamp.

-t          The -t parameter defines the directory that contains the audit trail file.
            The default is /audit/trail.

-h          The -h parameter displays the help and usage information.

-v          The -v parameter displays the script version information.

The configuration is complete.


You are now ready to configure a log source for IBM AIX in JSA.
Configure a log source
A log file protocol source allows JSA to retrieve the audit log files from your IBM
AIX appliance.
About this task
The log file protocol can retrieve and import log files at intervals of 15 minutes or
longer. The log file protocol supports the SFTP, SCP, or FTP protocol to
retrieve event files. When you configure the log file protocol in JSA to retrieve IBM
AIX audit log events, you must specify the audit log in the /audit/results/ directory
or the directory specified using the -r parameter. The log file protocol uses a regex
to determine which files to import and can track log files that are already imported
and processed to prevent duplicate audit events in JSA.
Procedure
Step 1 Click the Admin tab.
Step 2 Click the Log Sources icon.
Step 3 Click Add.
Step 4 In the Log Source Name field, type a name for the log source.
Step 5 In the Log Source Description field, type a description for the log source.
Step 6 From the Log Source Type list box, select IBM AIX Audit.
Step 7 From the Protocol Configuration list box, select Log File.
Step 8 Configure the following values:

Table 49-3 IBM AIX Log File Protocol Parameters

Parameter               Description

Log Source Identifier   Type an IP address, host name, or name to identify the event
                        source. IP addresses or host names allow JSA to identify a
                        log file to a unique event source.

Service Type            From the list box, select the protocol you want to use to
                        retrieve log files from a remote server. The default is SFTP.
                        • SFTP - SSH File Transfer Protocol
                        • FTP - File Transfer Protocol
                        • SCP - Secure Copy
                        Note: The underlying protocol used to retrieve log files for
                        the SCP and SFTP service types requires that the server
                        specified in the Remote IP or Hostname field has the SFTP
                        subsystem enabled.

Remote IP or Hostname   Type the IP address or host name of the IBM AIX appliance or
                        remote host that contains your event log files.

Remote Port             Type the port number for the protocol selected to retrieve
                        the event logs from your IBM AIX appliance. The valid range
                        is 1 to 65535. The standard ports are:
                        • FTP - TCP port 21
                        • SFTP - TCP port 22
                        • SCP - TCP port 22
                        Note: If the host for your event files uses a non-standard
                        port number for FTP, SFTP, or SCP, adjust the port value
                        accordingly.

Remote User             Type the user name required to log in to the IBM AIX
                        appliance that contains your audit event logs. The user name
                        can be up to 255 characters in length.

Remote Password         Type the password to log in to your IBM AIX appliance.

Confirm Password        Confirm the password to log in to your IBM AIX appliance.

SSH Key File            If you select SCP or SFTP as the Service Type, use this
                        parameter to define an SSH private key file. When you
                        provide an SSH Key File, the Remote Password field is
                        ignored.

Remote Directory        Type the directory location on the remote host from which
                        the files are retrieved, relative to the user account you
                        are using to log in.
                        Note: For FTP only. If your log files reside in the remote
                        user's home directory, you can leave the remote directory
                        blank. This is to support operating systems where a change
                        in the working directory (CWD) command is restricted.

Recursive               Select this check box if you want the file pattern to search
                        sub folders in the remote directory. By default, the check
                        box is clear. The Recursive parameter is ignored if you
                        configure SCP as the Service Type.

FTP File Pattern        If you select SFTP or FTP as the Service Type, this option
                        allows you to configure the regular expression (regex)
                        required to filter the list of files in the Remote
                        Directory. All files that match the regular expression are
                        retrieved and processed.
                        The FTP file pattern must match the name you assigned to
                        your AIX audit files with the -n parameter of the audit
                        script. For example, to collect files that start with
                        AIX_AUDIT_ and end with the timestamp value, type the
                        following value:
                        AIX_AUDIT_.*
                        The pattern is a regular expression, not a shell glob, and it
                        is case-sensitive: in a value such as AIX_Audit_* the
                        asterisk applies only to the preceding underscore, so the
                        dot before the asterisk is required to match the timestamp.
                        Use of this parameter requires knowledge of regular
                        expressions (regex). For more information, see the following
                        website:
                        http://download.oracle.com/javase/tutorial/essential/regex/

FTP Transfer Mode       This option is displayed only if you select FTP as the
                        Service Type. From the list box, select ASCII. ASCII is
                        required for text event logs retrieved by the log file
                        protocol using FTP.

SCP Remote File         If you select SCP as the Service Type, type the file name
                        of the remote file.

Start Time              Type a time value to represent the time of day you want the
                        log file protocol to start. Type the start time, based on a
                        24-hour clock, in the following format: HH:MM.
                        For example, type 00:00 to schedule the Log File protocol to
                        collect event files at midnight.
                        This parameter functions with the Recurrence parameter value
                        to establish when and how often the Remote Directory on your
                        IBM AIX appliance is scanned for new event log files.

Recurrence              Type the frequency that you want to scan the remote
                        directory on your IBM AIX appliance for new event log files.
                        Type this value in hours (H), minutes (M), or days (D).
                        For example, type 2H to scan the remote directory every 2
                        hours from the start time. The default is 1H and the
                        minimum value is 15M.

Run On Save             Select this check box if you want the log file protocol to
                        run immediately after you click Save. After the save action
                        completes, the log file protocol follows your configured
                        start time and recurrence schedule.
                        Selecting Run On Save clears the list of previously
                        processed files for the Ignore Previously Processed File
                        parameter.

EPS Throttle            Type the number of Events Per Second (EPS) that you do not
                        want this protocol to exceed. The valid range is 100 to
                        5000.

Processor               From the list box, select NONE.
                        Processors allow event file archives to be expanded and
                        their contents processed for events. Files are only
                        processed after they are downloaded. JSA can process files
                        in zip, gzip, tar, or tar+gzip archive format.

Ignore Previously       Select this check box to track and ignore files that are
Processed File(s)       already processed.
                        JSA examines the log files in the remote directory to
                        determine if a file is already processed by the log file
                        protocol. If a previously processed file is detected, the
                        log file protocol does not download the file. Only new or
                        unprocessed event log files are downloaded by JSA.
                        This option only applies to FTP and SFTP service types.

Change Local            Select this check box to define a local directory on JSA to
Directory?              store event log files during processing.
                        We recommend that you leave this check box clear. When this
                        check box is selected, the Local Directory field is
                        displayed, which allows you to configure the local directory
                        on JSA to store event log files. After the event log is
                        processed and the events are added to JSA, the event log
                        files are deleted from the local directory to reclaim disk
                        space.

Event Generator         From the Event Generator list box, select LineByLine.
                        The Event Generator applies additional processing to the
                        retrieved event files. Each line of the file is a single
                        event. For example, if a file has 10 lines of text, 10
                        separate events are created.

Step 9 Click Save.
Step 10 On the Admin tab, click Deploy Changes.

The configuration for IBM AIX audit event collection with the log file protocol is
complete. As the log file protocol retrieves events, they are displayed on the Log
Activity tab of JSA.
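The FTP File Pattern, the Ignore Previously Processed File(s) option and the -m retention of audit.pl together decide which result files JSA fetches and which the script deletes. The following Python example, added here and not part of the original guide or of Juniper's log file protocol, applies those rules to a constructed listing of the results directory: the pattern is treated as a Java-style regular expression that must match the whole file name (an assumption about how JSA evaluates the pattern; confirm it against your deployment), names already processed are skipped, and the oldest files beyond the retention count are reported for deletion. The file names, their timestamp form and the modification times are assumptions.

```python
import re

# Constructed listing of /audit/results/ on the AIX host: file name -> mtime (epoch seconds).
# Names follow the AIX_AUDIT_<timestamp> default of audit.pl; the timestamp layout is assumed.
SAMPLE_LISTING = {
    "AIX_AUDIT_20141127100000": 1417082400,
    "AIX_AUDIT_20141127110000": 1417086000,
    "AIX_AUDIT_20141127120000": 1417089600,
    "lastrecord.txt": 1417089600,
    "audit.pl": 1400000000,
}


def matching_files(listing, pattern):
    """File names whose whole name matches the regex (Java String.matches semantics, assumed)."""
    rx = re.compile(pattern)
    return [name for name in listing if rx.fullmatch(name)]


def files_to_fetch(listing, pattern, processed=()):
    """What one run of the log file protocol downloads with Ignore Previously Processed File(s) on."""
    return sorted(name for name in matching_files(listing, pattern) if name not in processed)


def retention_deletions(listing, pattern, keep):
    """Mimic audit.pl -m: when more than `keep` result files exist, the oldest are removed."""
    matched = sorted(matching_files(listing, pattern), key=lambda name: listing[name])
    excess = len(matched) - keep
    return matched[:excess] if excess > 0 else []


if __name__ == "__main__":
    print(files_to_fetch(SAMPLE_LISTING, r"AIX_AUDIT_.*"))
    print(files_to_fetch(SAMPLE_LISTING, r"AIX_Audit_*"))  # wrong case, and * binds to '_'
    print(files_to_fetch(SAMPLE_LISTING, r"AIX_AUDIT_.*", {"AIX_AUDIT_20141127100000"}))
    print(retention_deletions(SAMPLE_LISTING, r"AIX_AUDIT_.*", keep=2))
```

A pattern that yields an empty fetch list against a real directory listing is the usual reason a log source shows no events after Deploy Changes; test the regex here before relying on Run On Save, and keep the -m retention comfortably above the number of files that accumulate between two successful JSA polls, or records are deleted before they are ever retrieved.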
Configuring the IBM AIX Server DSM

You can configure syslog on your IBM AIX appliance to forward operating system
and authentication events to JSA.
Procedure

Step 1 Log in to your IBM AIX appliance as a root user.
Step 2 Open the /etc/syslog.conf file.
Step 3 To forward the system authentication logs to JSA, add the following line to the file:
auth.info	@<IP address>

Where <IP address> is the IP address of the JSA console or Event Collector. A tab
must separate auth.info and the IP address of JSA, and the angle brackets are not
part of the entry.
For example,
##### begin /etc/syslog.conf
mail.debug	/var/adm/maillog
mail.none	/var/adm/maillog
auth.notice	/var/adm/authlog
lpr.debug	/var/adm/lpd-errs
kern.debug	/var/adm/messages
*.emerg;*.alert;*.crit;*.warning;*.err;*.notice;*.info	/var/adm/messages
auth.info	@10.100.100.1
##### end /etc/syslog.conf
Step 4 Save and exit the file.
Step 5 Type the following command to restart the syslog service:
refresh -s syslogd

After the syslog service restarts, the configuration is complete because system
authentication syslog events are automatically discovered. If the events are not
automatically discovered, you can manually configure a log source.
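Both AIX syslog procedures on this page (the *.debug line for the Audit DSM and the auth.info line for the Server DSM) depend on a tab between the selector and the @address, and on the placeholder brackets not being left in the file. The following Python example, added here and not part of the original guide or of AIX syslogd, checks a syslog.conf for remote-forwarding entries, reports the two mistakes that silently stop events reaching JSA, and builds a correctly formed line. The sample file is constructed; 10.100.100.1 is the collector address used in the example above, and the host name in the usage note is assumed.

```python
import ipaddress
import re

# Constructed /etc/syslog.conf fragment (\t is a real tab). It contains one correct
# forwarding line and the two mistakes this check is meant to catch.
SAMPLE_SYSLOG_CONF = (
    "##### begin /etc/syslog.conf\n"
    "mail.debug\t/var/adm/maillog\n"
    "auth.notice\t/var/adm/authlog\n"
    "kern.debug\t/var/adm/messages\n"
    "auth.info\t@10.100.100.1\n"        # correct: tab, bare IP address
    "*.debug   @10.100.100.1\n"         # wrong: spaces instead of a tab
    "auth.info\t@<10.100.100.1>\n"      # wrong: placeholder brackets left in
    "##### end /etc/syslog.conf\n"
)

LINE_RE = re.compile(r"^(?P<selector>\S+)(?P<sep>[ \t]+)(?P<action>\S.*?)\s*$")
SELECTOR_RE = re.compile(r"^[\w*]+\.[\w*]+(;[\w*]+\.[\w*]+)*$")
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")


def valid_target(target):
    """An IP address or a plain host name; rejects leftovers such as '<10.100.100.1>'."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(target))


def check_forwarding(conf_text):
    """Return one finding per '@' forwarding line: (lineno, selector, target, problems)."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or not m.group("action").startswith("@"):
            continue
        target = m.group("action")[1:]
        problems = []
        if " " in m.group("sep"):
            problems.append("selector and action must be separated by a tab, not spaces")
        if not valid_target(target):
            problems.append("target %r is not an IP address or host name" % target)
        findings.append((lineno, m.group("selector"), target, problems))
    return findings


def forwarding_line(selector, collector):
    """Build a correctly formed remote-forwarding line or raise ValueError."""
    if not SELECTOR_RE.match(selector):
        raise ValueError("bad selector: %r" % selector)
    if not valid_target(collector):
        raise ValueError("bad collector address: %r" % collector)
    return "%s\t@%s" % (selector, collector)


if __name__ == "__main__":
    for lineno, selector, target, problems in check_forwarding(SAMPLE_SYSLOG_CONF):
        status = "OK" if not problems else "; ".join(problems)
        print("line %d: %s -> %s: %s" % (lineno, selector, target, status))
    print(forwarding_line("auth.info", "10.100.100.1"))
```

Run the check against the real file after editing and before refresh -s syslogd; only the entries that forward to a remote host are reported, so local file destinations are left alone.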
Configuring a log source
JSA automatically discovers and creates a log source for system authentication
events forwarded from IBM AIX. This procedure is optional.
Procedure
Step 1 Click the Admin tab.
Step 2 Click the Log Sources icon.
Step 3 Click Add.
Step 4 In the Log Source Name field, type a name for your log source.
Step 5 In the Log Source Description field, type a description for the log source.
Step 6 From the Log Source Type list box, select IBM AIX Server.
Step 7 Using the Protocol Configuration list box, select Syslog.
Step 8 Configure the following values:

Table 49-4 Syslog Protocol Parameters

Parameter               Description

Log Source Identifier   Type the IP address or host name for the log source as an
                        identifier for events from your IBM AIX.

Enabled                 Select this check box to enable the log source. By default,
                        the check box is selected.

Credibility             Select the credibility of the log source. The range is 0 - 10.
                        The credibility indicates the integrity of an event or offense
                        as determined by the credibility rating from the source
                        devices. Credibility increases if multiple sources report the
                        same event. The default is 5.

Target Event Collector  Select the Event Collector to use as the target for the log
                        source.

Coalescing Events       Select this check box to enable the log source to coalesce
                        (bundle) events.
                        By default, automatically discovered log sources inherit the
                        value of the Coalescing Events list box from the System
                        Settings in JSA. When you create a log source or edit an
                        existing configuration, you can override the default value by
                        configuring this option for each log source.

Incoming Event Payload  From the list box, select the incoming payload encoder for
                        parsing and storing the logs.

Store Event Payload     Select this check box to enable the log source to store event
                        payload information.
                        By default, automatically discovered log sources inherit the
                        value of the Store Event Payload list box from the System
                        Settings in JSA. When you create a log source or edit an
                        existing configuration, you can override the default value by
                        configuring this option for each log source.

Step 9 Click Save.
Step 10 On the Admin tab, click Deploy Changes.

IBM AS/400 iSeries

JSA can integrate events from an IBM AS/400® (or IBM OS/400) iSeries using
one of the following options:
• Integrating an IBM AS/400 iSeries DSM - The IBM AS/400 iSeries DSM uses
  the DSPJRN command to write audit journal records to a database file that is
  pushed to an FTP server for retrieval by JSA using the Log File protocol source.
  For more information, see Integrating an IBM AS/400 iSeries DSM.
  For more information on configuring log sources and protocols, see Pulling
  Data Using Log File Protocol.
• LogAgent for System i - Accepts all Common Event Format (CEF) formatted
  syslog messages. You can integrate an IBM OS/400 system using the LogAgent
  for System i software. After you configure your LogAgent for System i
  software, use the Log File protocol source to pull the syslog CEF messages.
  For more information, see your Patrick Townsend Security Solutions LogAgent
  for System i documentation.
  For more information on configuring log sources and protocols, see Pulling
  Data Using Log File Protocol.
• PowerTech Interact - Accepts all Common Event Format (CEF) formatted
  syslog messages. You can integrate an IBM OS/400 system using the
  PowerTech Interact software. After you configure your PowerTech Interact
  software, use the Log File protocol source to pull the syslog CEF messages.
• RazLee iSecurity - This DSM configuration is provided in a separate chapter.
  See Raz-Lee iSecurity.

Integrating an IBM AS/400 iSeries DSM

The JSA IBM AS/400 iSeries DSM allows you to integrate with an IBM AS/400
iSeries to collect audit records and event information.
The IBM AS/400 iSeries DSM uses an agent running on the iSeries that manages,
gathers and transfers the event information. The program uses the DSPJRN
command to write audit journal records to a database file. These records are
reformatted and forwarded to an FTP server where JSA can retrieve the records
using FTP.
To integrate IBM iSeries events into JSA:
Step 1 The IBM iSeries system records and writes security events in the Audit Journal
and the QHST logs. QHST logs are stored in the Audit Journal as TYPE5
messages. For more information on configuring your AS/400 iSeries DSM, see
Configure an IBM iSeries to integrate with JSA.
Step 2 During your scheduled audit collection, the AJLIB/AUDITJRN command is run by
an iSeries Job Scheduler using DSPJRN to collect, format and write the Audit
Journal records to a database file. The database file containing the audit record
information is transferred from the iSeries to an FTP server.
Step 3 Use the log file protocol source to pull the formatted audit file from the FTP server
on a scheduled basis. For more information on configuring log sources and
protocols, see Pulling Data Using Log File Protocol.
Configure an IBM iSeries to integrate with JSA
To integrate an IBM iSeries with JSA:
Step 1 From the Juniper Networks support website
(http://www.juniper.net/customers/support/), download the following file:
AJLIB.SAVF
Step 2 Copy the AJLIB.SAVF file onto a computer or terminal that has FTP access to the
IBM AS/400 iSeries.
Step 3 Create a generic online SAVF file on the iSeries using the command:
CRTSAVF QGPL/SAVF
Step 4 Using FTP on the computer or terminal, replace the iSeries generic SAVF with the
AJLIB.SAVF file downloaded from http://www.juniper.net/customers/support/:
bin
cd qgpl
lcd c:\
put ajlib.savf savf
quit
The bin subcommand switches the transfer to binary mode; a save file transferred
in ASCII mode is corrupted and cannot be restored. If you are transferring your
SAVF file from another iSeries, the file must be sent with the required FTP
subcommand mode BINARY before the GET or PUT statement.
Step 5 Restore the AJLIB library on the IBM iSeries:
RSTLIB
Step 6 Set up the data collection start date and time for the Audit Journal Library (AJLIB):
AJLIB/SETUP

You are prompted for a username and password. If the Audit Journal Collector
fails, a failure message is sent to QSYSOPR. Because AJLIB/AUDITJRN later runs
unattended from the job scheduler, the account you enter here is used for every
transfer; use a dedicated account that can write only to the drop directory on the
FTP server.
The setup function sets a default start date and time for data collection from the
Audit Journal to 08:00:00 of the current day.

Note: To preserve the start date and time information from a previous
installation, you must run AJLIB/DATETIME. Record the previous start date and
time and type those values when you run AJLIB/SETUP. The start date and time
must contain a valid date and time in the six-character system date and system
time format. The end date and time must be a valid date and time or left blank.

Step 7 Run AJLIB/DATETIME.
This updates the IBM AS/400 iSeries with the data collection start date and time if
you made changes.
Step 8 Run AJLIB/AUDITJRN.
This launches the Audit Journal Collection program to gather and send the records
to your remote FTP server. If the transfer to the FTP server fails, a message is sent
to QSYSOPR. The launch of AJLIB/AUDITJRN is typically automated by an
iSeries Job Scheduler to collect records periodically.

Note: If the FTP transfer is successful, the current date and time information is
written into the start time for AJLIB/DATETIME to update the gather time and the
end time is set to blank. If the FTP transfer fails, the export file is erased and no
updates are made to the gather date or time.

Pulling Data Using Log File Protocol
You are now ready to configure the log source and protocol in JSA:
Step 1 To configure JSA to receive events from an IBM AS/400 iSeries, you must select the IBM AS/400 iSeries option from the Log Source Type list box.
Step 2 To configure the log file protocol for the IBM AS/400 iSeries DSM, you must select the Log File option from the Protocol Configuration list box and define the location of your FTP server connection settings.
Note: If you are using the PowerTech Interact or LogAgent for System i software to collect CEF formatted syslog messages, you must select the Syslog option from the Protocol Configuration list box.
Step 3 We recommend that when you use the Log File protocol option you select a secure protocol for transferring files, such as Secure File Transfer Protocol (SFTP).
For more information on configuring log sources and protocols, see the Log Sources Users Guide.

IBM CICS

The IBM CICS® DSM allows you to integrate IBM Customer Information Control System (CICS®) events from an IBM z/OS® mainframe using IBM Security zSecure.
Using a zSecure process, events from the System Management Facilities (SMF) are recorded to an event file in the Log Enhanced Event format (LEEF). JSA retrieves the LEEF event log files using the log file protocol and processes the events. You can schedule JSA to retrieve events on a polling interval, which allows JSA to retrieve the events on the schedule you have defined.
To integrate IBM CICS events:
1 Confirm your installation meets any prerequisite installation requirements. For more information, see Before You Begin.
2 Configure your IBM z/OS image to write events in LEEF format. For more information, see the IBM Security zSecure Suite: CARLa-Driven Components Installation and Deployment Guide.
3 Create a log source in JSA for IBM CICS to retrieve your LEEF formatted event logs. For more information, see Create a Log Source.
4 Optional. Create a custom event property for IBM CICS in JSA. For more information, see the Custom Event Properties for IBM z/OS technical note.
Before You Begin

Before you can configure the data collection process, you must complete the basic zSecure installation process.
The following prerequisites are required:
• You must ensure parmlib member IFAPRDxx is not disabled for IBM Security zSecure Audit on your z/OS image.
• The SCKRLOAD library must be APF-authorized.
• You must configure a process to periodically refresh your CKFREEZE and UNLOAD data sets.
• You must configure an SFTP, FTP, or SCP server on your z/OS image for JSA to download your LEEF event files.
• You must allow SFTP, FTP, or SCP traffic on firewalls located between JSA and your z/OS image.
After installing the software, you must also perform the post-installation activities to create and modify the configuration. For instructions on installing and configuring zSecure, see the IBM Security zSecure Suite: CARLa-Driven Components Installation and Deployment Guide.
Create a Log Source

The Log File protocol allows JSA to retrieve archived log files from a remote host. Log files are transferred, one at a time, to JSA for processing. The log file protocol can manage plain text event logs, compressed files, or archives. Archives must contain plain-text files that can be processed one line at a time. Multi-line event logs are not supported by the log file protocol. IBM z/OS with zSecure writes log files to a specified directory as gzip archives. JSA extracts the archive and processes the events, which are written as one event per line in the file.
To retrieve these events, you must create a log source using the Log File protocol. JSA requires credentials to log in to the system hosting your LEEF formatted event files and a polling interval.
Procedure
Step 1 Click the Admin tab.
Step 2 Click the Log Sources icon.
Step 3 Click Add.
Step 4 In the Log Source Name field, type a name for the log source.
Step 5 In the Log Source Description field, type a description for the log source.
Step 6 From the Log Source Type list box, select IBM CICS.
Step 7 From the Protocol Configuration list box, select Log File.

Step 8 Configure the following values:

Table 49-5 IBM CICS Log File Protocol Parameters

Log Source Identifier
    Type an IP address, host name, or name to identify the event source. IP addresses or host names are recommended as they allow JSA to identify a log file to a unique event source. For example, if your network contains multiple devices, such as multiple z/OS images or a file repository containing all of your event logs, you should specify a name, IP address, or hostname for the image or location that uniquely identifies events for the IBM CICS log source. This allows events to be identified at the image or location level in your network that your users can identify.

Service Type
    From the list box, select the protocol you want to use when retrieving log files from a remote server. The default is SFTP.
    • SFTP - SSH File Transfer Protocol
    • FTP - File Transfer Protocol
    • SCP - Secure Copy
    Note: The underlying protocol used to retrieve log files for the SCP and SFTP service type requires that the server specified in the Remote IP or Hostname field has the SFTP subsystem enabled.

Remote IP or Hostname
    Type the IP address or host name of the device storing your event log files.

Remote Port
    Type the TCP port on the remote host that is running the selected Service Type. The valid range is 1 to 65535. The options include:
    • FTP - TCP Port 21
    • SFTP - TCP Port 22
    • SCP - TCP Port 22
    Note: If the host for your event files is using a non-standard port number for FTP, SFTP, or SCP, you must adjust the port value accordingly.

Remote User
    Type the user name or userid necessary to log in to the host containing your event files.
    • If your log files are located on your IBM z/OS image, type the userid necessary to log in to your IBM z/OS. The userid can be up to 8 characters in length.
    • If your log files are located on a file repository, type the user name necessary to log in to the file repository. The user name can be up to 255 characters in length.

Remote Password
    Type the password necessary to log in to the host.

Confirm Password
    Confirm the password necessary to log in to the host.
SSH Key File
    If you select SCP or SFTP as the Service Type, this parameter allows you to define an SSH private key file. When you provide an SSH Key File, the Remote Password field is ignored.

Remote Directory
    Type the directory location on the remote host from which the files are retrieved, relative to the user account you are using to log in.

Recursive
    Select this check box if you want the file pattern to search sub folders in the remote directory. By default, the check box is clear. The Recursive option is ignored if you configure SCP as the Service Type.

FTP File Pattern
    If you select SFTP or FTP as the Service Type, this option allows you to configure the regular expression (regex) required to filter the list of files specified in the Remote Directory. All matching files are included in the processing. IBM z/OS mainframe using IBM Security zSecure Audit writes event files using the pattern CICS..gz
    The FTP file pattern you specify must match the name you assigned to your event files. For example, to collect files starting with zOS and ending with .gz, type the following:
    CICS.*\.gz
    Use of this parameter requires knowledge of regular expressions (regex). For more information, see the following website: http://download.oracle.com/javase/tutorial/essential/regex/

FTP Transfer Mode
    This option only displays if you select FTP as the Service Type. From the list box, select Binary. The binary transfer mode is required for event files stored in a binary or compressed format, such as zip, gzip, tar, or tar+gzip archive files.

SCP Remote File
    If you select SCP as the Service Type, you must type the file name of the remote file.

Start Time
    Type the time of day you want the processing to begin. For example, type 00:00 to schedule the Log File protocol to collect event files at midnight. This parameter functions with the Recurrence value to establish when and how often the Remote Directory is scanned for files. Type the start time, based on a 24 hour clock, in the following format: HH:MM.

Recurrence
    Type the frequency, beginning at the Start Time, that you want the remote directory to be scanned. Type this value in hours (H), minutes (M), or days (D). For example, type 2H if you want the remote directory to be scanned every 2 hours from the start time. The default is 1H.
Run On Save
    Select this check box if you want the log file protocol to run immediately after you click Save. After the Run On Save completes, the log file protocol follows your configured start time and recurrence schedule. Selecting Run On Save clears the list of previously processed files for the Ignore Previously Processed File parameter.

EPS Throttle
    Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The valid range is 100 to 5000.

Processor
    From the list box, select gzip. Processors allow event file archives to be expanded and contents processed for events. Files are only processed after they are downloaded to JSA. JSA can process files in zip, gzip, tar, or tar+gzip archive format.

Ignore Previously Processed File(s)
    Select this check box to track and ignore files that have already been processed by the log file protocol. JSA examines the log files in the remote directory to determine if a file has been previously processed by the log file protocol. If a previously processed file is detected, the log file protocol does not download the file for processing. All files that have not been previously processed are downloaded. This option only applies to FTP and SFTP Service Types.

Change Local Directory?
    Select this check box to define a local directory on your JSA for storing downloaded files during processing. We recommend that you leave this check box clear. When this check box is selected, the Local Directory field is displayed, which allows you to configure the local directory to use for storing files.

Event Generator
    From the Event Generator list box, select LineByLine. The Event Generator applies additional processing to the retrieved event files. Each line is a single event. For example, if a file has 10 lines of text, 10 separate events are created.

Step 9 Click Save.
Step 10 On the Admin tab, click Deploy Changes.

The IBM CICS configuration is complete. If your IBM CICS requires custom event properties, see the Custom Event Properties for IBM z/OS technical note.
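The constraints in Table 49-5 (Service Type, Remote Port, Remote User length, SSH Key File, FTP File Pattern, Start Time, Recurrence, Recursive, EPS Throttle, Ignore Previously Processed File(s)) are the same ones Table 49-8 applies to the IBM RACF log source. The following Python, added here as an illustration and not part of JSA or this guide, checks a configuration against those constraints, works out the directory scan times a Start Time and Recurrence produce, and applies the file pattern and processed-file tracking to a constructed directory listing; the configuration keys, the sample file names and whole-file-name regex matching are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

SERVICE_PORTS = {"SFTP": 22, "FTP": 21, "SCP": 22}        # default TCP port per Service Type
RECURRENCE_UNITS = {"H": timedelta(hours=1), "M": timedelta(minutes=1), "D": timedelta(days=1)}

def parse_recurrence(value):
    """Recurrence is a count followed by H, M or D (for example 2H); the product default is 1H."""
    m = re.fullmatch(r"(\d+)([HMD])", value.strip().upper())
    if not m or int(m.group(1)) == 0:
        raise ValueError(f"invalid Recurrence {value!r}: use a value such as 30M, 2H or 1D")
    return int(m.group(1)) * RECURRENCE_UNITS[m.group(2)]

def parse_start_time(value):
    """Start Time is HH:MM on a 24 hour clock."""
    m = re.fullmatch(r"([01]\d|2[0-3]):([0-5]\d)", value.strip())
    if not m:
        raise ValueError(f"invalid Start Time {value!r}: use HH:MM")
    return int(m.group(1)), int(m.group(2))

def validate_config(cfg):
    """Return the constraints from the table that cfg violates; an empty list means it is consistent."""
    problems = []
    svc = cfg.get("service_type", "SFTP")
    if svc not in SERVICE_PORTS:
        problems.append(f"unknown Service Type {svc!r}")
    if not 1 <= cfg.get("remote_port", SERVICE_PORTS.get(svc, 22)) <= 65535:
        problems.append("Remote Port must be 1 to 65535")
    # A z/OS userid is at most 8 characters; a file repository user name may be up to 255.
    limit = 8 if cfg.get("files_on_zos", True) else 255
    if not 1 <= len(cfg.get("remote_user", "")) <= limit:
        problems.append(f"Remote User must be 1 to {limit} characters")
    if not cfg.get("remote_password") and not cfg.get("ssh_key_file"):
        problems.append("either Remote Password or SSH Key File is required")
    if cfg.get("ssh_key_file") and svc == "FTP":
        problems.append("SSH Key File applies only to SCP or SFTP")
    if svc == "SCP":
        if not cfg.get("scp_remote_file"):
            problems.append("SCP Remote File is required when Service Type is SCP")
    else:
        try:
            re.compile(cfg.get("ftp_file_pattern", ""))
        except re.error as exc:
            problems.append(f"FTP File Pattern is not a valid regex: {exc}")
    if svc == "FTP" and cfg.get("ftp_transfer_mode", "Binary") != "Binary":
        problems.append("FTP Transfer Mode must be Binary for gzip event files")
    if not 100 <= cfg.get("eps_throttle", 5000) <= 5000:
        problems.append("EPS Throttle must be 100 to 5000")
    for name, parser in (("start_time", parse_start_time), ("recurrence", parse_recurrence)):
        try:
            parser(cfg[name])
        except KeyError:
            problems.append(f"{name} is required")
        except ValueError as exc:
            problems.append(str(exc))
    return problems

def next_polls(cfg, now, count=3):
    """Directory scan times: the first Start Time after `now`, then every Recurrence."""
    hh, mm = parse_start_time(cfg["start_time"])
    step = parse_recurrence(cfg["recurrence"])
    t = now.replace(hour=hh, minute=mm, second=0, microsecond=0)
    while t <= now:
        t += step
    return [t + i * step for i in range(count)]

def select_files(cfg, listing, processed):
    """Apply FTP File Pattern, Recursive and Ignore Previously Processed File(s) to a listing of
    paths relative to Remote Directory. Matching the whole file name is this example's assumption."""
    pattern = re.compile(cfg["ftp_file_pattern"])
    chosen = []
    for path in listing:
        if "/" in path and not cfg.get("recursive", False):
            continue                                  # sub folders only when Recursive is set
        if not pattern.fullmatch(path.rsplit("/", 1)[-1]):
            continue
        if cfg.get("ignore_processed", True) and path in processed:
            continue                                  # already downloaded by an earlier poll
        chosen.append(path)
    return chosen

# Constructed sample configuration and remote directory listing (not real data).
SAMPLE_CONFIG = {
    "service_type": "SFTP", "remote_port": 22, "remote_user": "ZSECUSR",
    "ssh_key_file": "/store/keys/zos_id_rsa", "ftp_file_pattern": r"CICS.*\.gz",
    "recursive": False, "start_time": "00:00", "recurrence": "2H",
    "eps_throttle": 2000, "ignore_processed": True,
}
SAMPLE_LISTING = ["CICS.20141127.gz", "CICS.20141126.gz", "RACF.20141127.gz",
                  "old/CICS.20141001.gz", "CICS.20141127.txt"]
ALREADY_PROCESSED = {"CICS.20141126.gz"}

if __name__ == "__main__":
    print("problems:", validate_config(SAMPLE_CONFIG))
    print("to download:", select_files(SAMPLE_CONFIG, SAMPLE_LISTING, ALREADY_PROCESSED))
    print("next scans:", next_polls(SAMPLE_CONFIG, datetime(2014, 11, 27, 13, 5)))
```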

IBM Lotus Domino

Setting Up SNMP Services

You can integrate an IBM Lotus Domino® device with JSA. An IBM Lotus Domino device accepts events using SNMP.
To set up the SNMP services on the IBM Lotus Domino server:
Procedure
Step 1 Install the Lotus Domino SNMP Agent as a service. From the command prompt, go to the Lotus\Domino directory and type the following command:
    lnsnmp -SC
Step 2 Confirm that the Microsoft SNMP service is installed.
Step 3 Start the SNMP and LNSNMP services. From a command prompt, type the following commands:
    net start snmp
    net start lnsnmp
Step 4 Select Start > Program > Administrative Tools > Services to open the Services MMC.
Step 5 Double-click on the SNMP service and select the Traps tab.
Step 6 In the Community name field, type public and click Add to list.
Step 7 In the Trap destinations section, select Add and type the IP address of your JSA. Click Add.
Step 8 Click OK.
Step 9 Confirm that both SNMP agents are set to Automatic so they run upon server boot.

Starting the Domino Server Add-in Tasks

After you configure the SNMP services, you must start the Domino server add-in tasks. Repeat the following procedure for each Domino partition.
Procedure
Step 1 Log in to the Domino Server console.
Step 2 To support SNMP traps for Domino events, type the following command to start the Event Interceptor add-in task:
    load intrcpt
Step 3 To support Domino statistic threshold traps, type the following command to start the Statistic Collector add-in task:
    load collect
Step 4 Arrange for the add-in tasks to be restarted automatically the next time that Domino is restarted. Add intrcpt and collect to the ServerTasks variable in Domino's NOTES.INI file.
Configuring SNMP Services

To configure SNMP services:
Note: Configurations might vary depending on your environment. See your vendor documentation for more information.
Procedure
Step 1 Open the Domino Administrator utility and authenticate with administrative credentials.
Step 2 Click on the Files tab, and the Monitoring Configuration (events4.nsf) document.
Step 3 Expand the DDM Configuration Tree and select DDM Probes By Type.
Step 4 Select Enable Probes, and then select Enable All Probes In View.
Note: You might receive a warning after performing this action. This is a normal result, as some of the probes require additional configuration.
Step 5 Select DDM Filter. You can either create a new DDM Filter or edit the existing DDM Default Filter.
Step 6 Apply the DDM Filter to enhanced and simple events. Choose to log all event types.
Step 7 Depending on the environment, you can choose to apply the filter to all servers in a domain or only to specific servers.
Step 8 Click Save. Close when finished.
Step 9 Expand the Event Handlers tree and select Event Handlers By Server.
Step 10 Select New Event Handler.
Step 11 Configure the following parameters:
• Basic - Servers to monitor: Choose to monitor either all servers in the domain or only specific servers.
• Basic - Notification trigger: Any event that matches the criteria.
• Event - Criteria to match: Events can be any type.
• Event - Criteria to match: Events must be one of these priorities (check all the boxes).
• Event - Criteria to match: Events can have any message.
• Action - Notification method: SNMP Trap.
• Action - Enablement: Enable this notification.
Step 12 Click Save. Close when finished.

You are now ready to configure the log source in JSA.
Configuring a Log Source

JSA does not automatically discover incoming syslog events from Huawei AR Series Routers.
If your events are not automatically discovered, you must manually create a log source from the Admin tab in JSA.
Procedure
Step 1 Click the Admin tab.
Step 2 Click the Log Sources icon.
Step 3 Click Add.
Step 4 In the Log Source Name field, type a name for your log source.
Step 5 From the Log Source Type list box, select IBM Lotus Domino.
Step 6 From the Protocol Configuration list box, select SNMPv2.
Step 7 Configure the following values:

Table 49-6 SNMPv2 Protocol Parameters

Log Source Identifier
    Type an IP address, hostname, or name to identify the SNMPv2 event source. IP addresses or hostnames are recommended as they allow JSA to identify a log file to a unique event source.

Community
    Type the SNMP community name required to access the system containing SNMP events.

Include OIDs in Event Payload
    Clear the value from this check box. When selected, this option constructs SNMP events with name-value pairs instead of the standard event payload format.

Step 8 Click Save.
Step 9 On the Admin tab, click Deploy Changes.

IBM Proventia Management SiteProtector

The IBM Proventia® Management SiteProtector DSM for JSA accepts SiteProtector events by polling the SiteProtector database.
The DSM allows JSA to record Intrusion Prevention System (IPS) events and audit events directly from the IBM SiteProtector database.
Note: The IBM Proventia Management SiteProtector DSM requires the latest JDBC Protocol to collect audit events.
The IBM Proventia Management SiteProtector DSM for JSA can accept detailed SiteProtector events by reading information from the primary SensorData1 table. The SensorData1 table is generated with information from several other tables in the IBM SiteProtector database. SensorData1 remains the primary table for collecting events.
IDP events include information from SensorData1, along with information from the following tables:
• SensorDataAVP1
• SensorDataResponse1
Audit events include information from the following tables:
• AuditInfo
• AuditTrail
Audit events are not collected by default; a separate query is made to the AuditInfo and AuditTrail tables when you select the Include Audit Events check box. For more information about your SiteProtector database tables, see your vendor documentation.
Before you configure JSA to integrate with SiteProtector, we recommend you create a database user account and password in SiteProtector for JSA. Your JSA user must have read permissions for the SensorData1 table, which stores SiteProtector events. The JDBC - SiteProtector protocol allows JSA to log in and poll for events from the database. Creating a JSA account is not required, but it is recommended for tracking and securing your event data.

Configure a Log Source

Note: Ensure that no firewall rules are blocking the communication between the SiteProtector console and JSA.
To configure JSA to poll for IBM SiteProtector events:
Procedure
Step 1 Click the Admin tab.
Step 2 Click the Log Sources icon.
Step 3 Click Add.
Step 4 In the Log Source Name field, type a name for your log source.
Step 5 From the Log Source Type list, select IBM Proventia Management SiteProtector.
Step 6 Using the Protocol Configuration list box, select JDBC - SiteProtector.
Step 7 Configure the following values:

Table 49-7 JDBC - SiteProtector Protocol Parameters

Log Source Identifier
    Type the identifier for the log source. The log source identifier must be the database name and the host joined by an at sign (@), where the database name is the value of the Database Name parameter (a required parameter) and the host is the hostname or IP address defined in the IP or Hostname parameter (also required). The log source identifier must be unique for the log source type.

Database Type
    From the list box, select MSDE as the type of database to use for the event source.

Database Name
    Type the name of the database to which you want to connect. The default database name is RealSecureDB.

IP or Hostname
    Type the IP address or hostname of the database server.

Port
    Type the port number used by the database server. The default that is displayed depends on the selected Database Type. The valid range is 0 to 65536. The default for MSDE is port 1433. The JDBC configuration port must match the listener port of the database. The database must have incoming TCP connections enabled to communicate with JSA. The default port numbers for all options include:
    • MSDE - 1433
    • Postgres - 5432
    • MySQL - 3306
    • Oracle - 1521
    • Sybase - 1521
    Note: If you define a Database Instance when using MSDE as the database type, you must leave the Port parameter blank in your configuration.

Username
    Type the database username. The username can be up to 255 alphanumeric characters in length. The username can also include underscores (_).

Password
    Type the database password. The password can be up to 255 characters in length.

Confirm Password
    Confirm the password to access the database.
Authentication Domain
    If you select MSDE as the Database Type and the database is configured for Windows, you must define a Windows Authentication Domain. Otherwise, leave this field blank. The authentication domain must contain alphanumeric characters. The domain can include the following special characters: underscore (_), en dash (-), and period (.).

Database Instance
    If you select MSDE as the Database Type and you have multiple SQL server instances on one server, define the instance to which you want to connect.
    Note: If you use a non-standard port in your database configuration, or have blocked access to port 1434 for SQL database resolution, you must leave the Database Instance parameter blank in your configuration.

Table Name
    Type the name of the view that includes the event records. The default table name is SensorData1.

AVP View Name
    Type the name of the view that includes the event attributes. The default table name is SensorDataAVP.

Response View Name
    Type the name of the view that includes the response events. The default table name is SensorDataResponse.

Select List
    Type * to include all fields from the table or view. You can use a comma-separated list to define specific fields from tables or views, if required for your configuration. The list must contain the field defined in the Compare Field parameter. The comma-separated list can be up to 255 alphanumeric characters in length. The list can include the following special characters: dollar sign ($), number sign (#), underscore (_), en dash (-), and period (.).

Compare Field
    Type SensorDataRowID to identify new events added between queries to the table.

Polling Interval
    Type the polling interval, which is the amount of time between queries to the event table. The default polling interval is 10 seconds. You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values without an H or M designator poll in seconds.

Use Named Pipe Communication
    If you select MSDE as the Database Type, select this check box to use an alternative method to a TCP/IP port connection. When using a Named Pipe connection, the username and password must be the appropriate Windows authentication username and password and not the database username and password. Also, you must use the default Named Pipe.

Database Cluster Name
    If you select the Use Named Pipe Communication check box, the Database Cluster Name parameter is displayed. If you are running your SQL server in a cluster environment, define the cluster name to ensure Named Pipe communication functions properly.

Include Audit Events
    Select this check box to collect audit events from IBM SiteProtector. By default, this check box is clear.

Use NTLMv2
    Select the Use NTLMv2 check box to force MSDE connections to use the NTLMv2 protocol when communicating with SQL servers that require NTLMv2 authentication. The default value of the check box is selected. If the Use NTLMv2 check box is selected, it has no effect on MSDE connections to SQL servers that do not require NTLMv2 authentication.

Use SSL
    Select this check box if your connection supports SSL communication.

Log Source Language
    Select the language of the log source events.

Step 8 Click Save.
Step 9 On the Admin tab, click Deploy Changes.

The configuration is complete.
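To show how the Log Source Identifier, Compare Field, Select List and Polling Interval parameters of Table 49-7 fit together, here is an added Python example (not JSA's JDBC - SiteProtector protocol code) that polls a constructed SQLite stand-in for the SensorData1 view, fetching only rows whose SensorDataRowID is above the last one seen and keeping user-supplied field and view names out of the SQL text unless they pass an identifier check. The sample rows, the column names other than SensorDataRowID and the SQLite stand-in are assumptions of the example.

```python
import re
import sqlite3

MAX_POLL_SECONDS = 7 * 24 * 3600      # the table caps the polling interval at 1 week
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_$#.]*$")   # names this example allows into SQL text

def parse_polling_interval(value):
    """'10' means 10 seconds (the default); append M for minutes or H for hours, as in '5M' or '2H'."""
    m = re.fullmatch(r"(\d+)([HM]?)", value.strip().upper())
    if not m:
        raise ValueError(f"invalid Polling Interval {value!r}")
    seconds = int(m.group(1)) * {"": 1, "M": 60, "H": 3600}[m.group(2)]
    if not 1 <= seconds <= MAX_POLL_SECONDS:
        raise ValueError("Polling Interval must be between 1 second and 1 week")
    return seconds

def log_source_identifier(database_name, hostname):
    """Database Name and IP or Hostname joined by '@'; both parts are required."""
    if not database_name or not hostname:
        raise ValueError("Database Name and IP or Hostname are both required")
    return f"{database_name}@{hostname}"

def build_query(table_name, select_list, compare_field):
    """Incremental query: rows whose Compare Field is above the last value seen, in that order.
    Only vetted identifiers go into the SQL text; the high-water mark is always a bound parameter."""
    fields = [f.strip() for f in select_list.split(",")]
    if select_list.strip() != "*":
        if len(select_list) > 255 or not all(IDENT_RE.match(f) for f in fields):
            raise ValueError("Select List must be a comma-separated list of field names, max 255 chars")
        if compare_field not in fields:
            raise ValueError("Select List must contain the Compare Field")
    for ident in (table_name, compare_field):
        if not IDENT_RE.match(ident):
            raise ValueError(f"invalid identifier {ident!r}")
    cols = "*" if select_list.strip() == "*" else ", ".join(fields)
    return f"SELECT {cols} FROM {table_name} WHERE {compare_field} > ? ORDER BY {compare_field}"

class SiteProtectorPoller:
    """Carries the SensorDataRowID high-water mark from one poll to the next."""

    def __init__(self, conn, table_name="SensorData1", select_list="*",
                 compare_field="SensorDataRowID"):
        self.conn = conn
        self.compare_field = compare_field
        self.query = build_query(table_name, select_list, compare_field)
        self.last_row_id = 0                       # nothing seen yet: first poll returns everything

    def poll(self):
        cur = self.conn.execute(self.query, (self.last_row_id,))
        cols = [d[0] for d in cur.description]
        rows = [dict(zip(cols, r)) for r in cur.fetchall()]
        if rows:
            self.last_row_id = rows[-1][self.compare_field]
        return rows

def constructed_db():
    """Constructed stand-in for the SensorData1 view (sample rows, not real SiteProtector data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SensorData1 (SensorDataRowID INTEGER PRIMARY KEY, "
                 "AlertName TEXT, SrcAddr TEXT, Severity INTEGER)")
    conn.executemany("INSERT INTO SensorData1 VALUES (?, ?, ?, ?)", [
        (101, "SAMPLE_EVENT_A", "192.0.2.10", 3),
        (102, "SAMPLE_EVENT_B", "198.51.100.7", 4),
    ])
    return conn

def demo():
    """Two polls: the first returns both existing rows, the second only the row added in between."""
    conn = constructed_db()
    poller = SiteProtectorPoller(conn, select_list="SensorDataRowID, AlertName, SrcAddr, Severity")
    first = poller.poll()
    conn.execute("INSERT INTO SensorData1 VALUES (103, 'SAMPLE_EVENT_C', '203.0.113.5', 2)")
    second = poller.poll()
    return first, second

if __name__ == "__main__":
    print(log_source_identifier("RealSecureDB", "sp-db.example.com"))
    print("poll every", parse_polling_interval("5M"), "seconds")
    for batch in demo():
        print([row["SensorDataRowID"] for row in batch])
```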

IBM ISS Proventia

The IBM Integrated Systems Solutions® (ISS) Proventia DSM for JSA records all relevant IBM Proventia® events using SNMP.
Procedure
Step 1 In the Proventia Manager user interface navigation pane, expand the System node.
Step 2 Select System.
Step 3 Select Services. The Service Configuration page is displayed.
Step 4 Click the SNMP tab.
Step 5 Select SNMP Traps Enabled.
Step 6 In the Trap Receiver field, type the IP address of the JSA that you want to receive the incoming SNMP traps.
Step 7 In the Trap Community field, type the appropriate community name.
Step 8 From the Trap Version list, select the trap version.
Step 9 Click Save Changes.

You are now ready to configure JSA to receive SNMP traps.
To configure JSA to receive events from an ISS Proventia device, from the Log Source Type list box, select IBM Proventia Network Intrusion Prevention System (IPS).
For information on configuring SNMP in JSA, see the Log Sources Users Guide. For more information about your ISS Proventia device, see your vendor documentation.

IBM RACF

Integrating IBM RACF with JSA Using IBM Security zSecure

JSA includes two options for integrating events from IBM RACF®:
• Integrating IBM RACF with JSA Using IBM Security zSecure
• Integrate IBM RACF with JSA Using Audit Scripts
The IBM RACF DSM allows you to integrate events from an IBM z/OS® mainframe using IBM Security zSecure.
Using a zSecure process, events from the System Management Facilities (SMF) are recorded to an event file in the Log Enhanced Event format (LEEF). JSA retrieves the LEEF event log files using the log file protocol and processes the events. You can schedule JSA to retrieve events on a polling interval, which allows JSA to retrieve the events on the schedule you have defined.
To integrate IBM RACF LEEF events:
1 Confirm your installation meets any prerequisite installation requirements. For more information, see Before You Begin.
2 Configure your IBM z/OS image to write events in LEEF format. For more information, see the IBM Security zSecure Suite: CARLa-Driven Components Installation and Deployment Guide.
3 Create a log source in JSA for IBM RACF to retrieve your LEEF formatted event logs. For more information, see Creating an IBM RACF Log Source in JSA.
4 Optional. Create a custom event property for IBM RACF in JSA. For more information, see the Custom Event Properties for IBM z/OS technical note.
Before You Begin
Before you can configure the data collection process, you must complete the basic zSecure installation process.
The following prerequisites are required:
• You must ensure parmlib member IFAPRDxx is not disabled for IBM Security zSecure Audit on your z/OS image.
• The SCKRLOAD library must be APF-authorized.
• You must configure a process to periodically refresh your CKFREEZE and UNLOAD data sets.
• You must configure an SFTP, FTP, or SCP server on your z/OS image for JSA to download your LEEF event files.
• You must allow SFTP, FTP, or SCP traffic on firewalls located between JSA and your z/OS image.
After installing the software, you must also perform the post-installation activities to create and modify the configuration. For instructions on installing and configuring zSecure, see the IBM Security zSecure Suite: CARLa-Driven Components Installation and Deployment Guide.
Creating an IBM RACF Log Source in JSA
The Log File protocol allows JSA to retrieve archived log files from a remote host. Log files are transferred, one at a time, to JSA for processing. The log file protocol can manage plain text event logs, compressed files, or archives. Archives must contain plain-text files that can be processed one line at a time. Multi-line event logs are not supported by the log file protocol. IBM z/OS with zSecure writes log files to a specified directory as gzip archives. JSA extracts the archive and processes the events, which are written as one event per line in the file.
To retrieve these events, you must create a log source using the Log File protocol. JSA requires credentials to log in to the system hosting your LEEF formatted event files and a polling interval.
Procedure
Step 5 Click the Admin tab.
Step 6 Click the Log Sources icon.
Step 7 Click Add.
Step 8 In the Log Source Name field, type a name for the log source.
Step 9 In the Log Source Description field, type a description for the log source.
Step 10 From the Log Source Type list box, select IBM Resource Access Control Facility (RACF).
Step 11 From the Protocol Configuration list box, select Log File.
Step 12 Configure the following values:

Table 49-8 IBM RACF Log File Protocol Parameters

Log Source Identifier
    Type an IP address, host name, or name to identify the event source. IP addresses or host names are recommended as they allow JSA to identify a log file to a unique event source. For example, if your network contains multiple devices, such as multiple z/OS images or a file repository containing all of your event logs, you should specify a name, IP address, or hostname for the image or location that uniquely identifies events for the IBM RACF log source. This allows events to be identified at the image or location level in your network that your users can identify.

Service Type
    From the list box, select the protocol you want to use when retrieving log files from a remote server. The default is SFTP.
    • SFTP - SSH File Transfer Protocol
    • FTP - File Transfer Protocol
    • SCP - Secure Copy
    Note: The underlying protocol used to retrieve log files for the SCP and SFTP service type requires that the server specified in the Remote IP or Hostname field has the SFTP subsystem enabled.

Remote IP or Hostname
    Type the IP address or host name of the device storing your event log files.

Remote Port
    Type the TCP port on the remote host that is running the selected Service Type. The valid range is 1 to 65535. The options include:
    • FTP - TCP Port 21
    • SFTP - TCP Port 22
    • SCP - TCP Port 22
    Note: If the host for your event files is using a non-standard port number for FTP, SFTP, or SCP, you must adjust the port value accordingly.

Remote User
    Type the user name or userid necessary to log in to the host containing your event files.
    • If your log files are located on your IBM z/OS image, type the userid necessary to log in to your IBM z/OS. The userid can be up to 8 characters in length.
    • If your log files are located on a file repository, type the user name necessary to log in to the file repository. The user name can be up to 255 characters in length.

Remote Password
    Type the password necessary to log in to the host.

Confirm Password
    Confirm the password necessary to log in to the host.
Configuring DSMs

IBM RACF

317

Table 49-8 IBM RACF Log File Protocol Parameters (continued)

Parameter

Description

SSH Key File

If you select SCP or SFTP as the Service Type, this
parameter allows you to define an SSH private key file. When
you provide an SSH Key File, the Remote Password field is
ignored.

Remote Directory

Type the directory location on the remote host from which the
files are retrieved, relative to the user account you are using
to log in.

Recursive

Select this check box if you want the file pattern to search sub
folders in the remote directory. By default, the check box is
clear.
The Recursive option is ignored if you configure SCP as the
Service Type.

FTP File Pattern

If you select SFTP or FTP as the Service Type, this option
allows you to configure the regular expression (regex)
required to filter the list of files specified in the Remote
Directory. All matching files are included in the processing.
An IBM z/OS mainframe using IBM Security zSecure Audit writes
event files using the pattern RACF..gz.
The FTP file pattern you specify must match the name you
assigned to your event files. For example, to collect files
starting with zOS and ending with .gz, type the following:
RACF.*\.gz
Use of this parameter requires knowledge of regular
expressions (regex). For more information, see the following
website:
http://download.oracle.com/javase/tutorial/essential/regex/

FTP Transfer Mode

This option only displays if you select FTP as the Service
Type.
The binary transfer mode is required for event files stored in a
binary or compressed format, such as zip, gzip, tar, or
tar+gzip archive files.

SCP Remote File

If you select SCP as the Service Type you must type the file
name of the remote file.

Start Time

Type the time of day you want the processing to begin. For
example, type 00:00 to schedule the Log File protocol to
collect event files at midnight.
This parameter functions with the Recurrence value to
establish when and how often the Remote Directory is
scanned for files. Type the start time, based on a 24 hour
clock, in the following format: HH:MM.

Recurrence

Type the frequency, beginning at the Start Time, that you
want the remote directory to be scanned. Type this value in
hours (H), minutes (M), or days (D).
For example, type 2H if you want the remote directory to be
scanned every 2 hours from the start time. The default is 1H.

Run On Save

Select this check box if you want the log file protocol to run
immediately after you click Save.
After the Run On Save completes, the log file protocol follows
your configured start time and recurrence schedule.
Selecting Run On Save clears the list of previously processed
files for the Ignore Previously Processed File parameter.

EPS Throttle

Type the number of Events Per Second (EPS) that you do not
want this protocol to exceed. The valid range is 100 to 5000.

Processor

From the list box, select gzip.
Processors allow event file archives to be expanded and
contents processed for events. Files are only processed after
they are downloaded to JSA. JSA can process files in zip,
gzip, tar, or tar+gzip archive format.

Ignore Previously
Processed File(s)

Select this check box to track and ignore files that have
already been processed by the log file protocol.
JSA examines the log files in the remote directory to
determine if a file has been previously processed by the log
file protocol. If a previously processed file is detected, the log
file protocol does not download the file for processing. All files
that have not been previously processed are downloaded.
This option only applies to FTP and SFTP Service Types.

Change Local
Directory?

Select this check box to define a local directory on your JSA
for storing downloaded files during processing.
We recommend that you leave this check box clear. When
this check box is selected, the Local Directory field is
displayed, which allows you to configure the local directory to
use for storing files.

Event Generator

From the Event Generator list box, select LineByLine.
The Event Generator applies additional processing to the
retrieved event files. Each line of the file is a single event. For
example, if a file has 10 lines of text, 10 separate events are
created.

Step 13 Click Save.
Step 14 On the Admin tab, click Deploy Changes.

The IBM RACF configuration is complete. If your IBM RACF requires custom event
properties, see the Custom Event Properties for IBM z/OS technical note.

Integrate IBM RACF with JSA Using Audit Scripts

The IBM Resource Access Control Facility (RACF®) DSM for JSA allows you to
integrate with an IBM z/OS mainframe using IBM RACF for auditing transactions.
JSA records all relevant and available information from the event.
To integrate the IBM RACF events into JSA:
1 The IBM mainframe system records all security events as Service Management
  Framework (SMF) records in a live repository.
2 At midnight, the IBM RACF data is extracted from the live repository using the SMF
  dump utility. The RACFICE utility IRRADU00 (an IBM utility) creates a log file
  containing all of the events and fields from the previous day in a SMF record
  format.
3 The QEXRACF program pulls data from the SMF formatted file, as described
  above. The program only pulls the relevant events and fields for JSA and writes
  that information in a condensed format for compatibility. The information is also
  saved in a location accessible by JSA.
4 JSA uses the log file protocol source to pull the QEXRACF output file and retrieves
  the information on a scheduled basis. JSA then imports and processes this file.
Configure IBM RACF to integrate with JSA
To integrate an IBM mainframe RACF with JSA:
Step 1 From the Juniper Networks support website
(http://www.juniper.net/customers/support/), download the following compressed
file:
qexracf_bundled.tar.gz
Step 2 On a Linux-based operating system, extract the file:

tar -zxvf qexracf_bundled.tar.gz

The following files are contained in the archive:
qexracf_jcl.txt
qexracfloadlib.trs
qexracf_trsmain_JCL.txt
Step 3 Load the files onto the IBM mainframe using any terminal emulator file transfer
method.
Upload the qexracf_trsmain_JCL.txt and qexracf_jcl.txt files using the
TEXT protocol.
Upload the QexRACF loadlib.trs file using binary mode and append to a
pre-allocated data set. The QexRACF loadlib.trs file is a tersed file containing
the executable (the mainframe program QEXRACF). When you upload the .trs file
from a workstation, pre-allocate a file on the mainframe with the following DCB
attributes: DSORG=PS, RECFM=FB, LRECL=1024, BLKSIZE=6144. The file
transfer type must be binary mode and not text.

Step 4 Customize the qexracf_trsmain_JCL.txt file according to your
installation-specific requirements.
The qexracf_trsmain_JCL.txt file uses the IBM utility Trsmain to uncompress
the program stored in the QexRACF loadlib.trs file.
An example of the qexracf_trsmain_JCL.txt file includes:
//TRSMAIN  JOB (yourvalidjobcard),Q1 labs,
//         MSGCLASS=V
//DEL      EXEC PGM=IEFBR14
//D1       DD DISP=(MOD,DELETE),DSN=.QEXRACF.TRS,
//         UNIT=SYSDA,
//         SPACE=(CYL,(10,10))
//TRSMAIN  EXEC PGM=TRSMAIN,PARM='UNPACK'
//SYSPRINT DD SYSOUT=*,DCB=(LRECL=133,BLKSIZE=12901,RECFM=FBA)
//INFILE   DD DISP=SHR,DSN=.QEXRACF.TRS
//OUTFILE  DD DISP=(NEW,CATLG,DELETE),
//         DSN=.LOAD,
//         SPACE=(CYL,(10,10,5),RLSE),UNIT=SYSDA
//

You must update the file with your installation specific information for parameters,
such as, jobcard, data set naming conventions, output destinations, retention
periods, and space requirements.
The .trs input file is an IBM TERSE formatted library and is extracted by running
the JCL, which calls the TRSMAIN. This tersed file, when extracted, creates a PDS
linklib with the QEXRACF program as a member.
Step 5 You can STEPLIB to this library or choose to move the program to one of the
LINKLIBs that are in the LINKLST. The program does not require authorization.
Step 6 After uploading, copy the program to an existing link listed library or add a
STEPLIB DD statement with the correct dataset name of the library that will
contain the program.
Step 7 The qexracf_jcl.txt file is a text file containing a sample JCL deck to provide
you with the necessary JCL to run the IBM IRRADU00 utility. This allows JSA to
obtain the necessary IBM RACF events. Configure the job card to meet your local
standards.
An example of the qexracf_jcl.txt file includes:
//QEXRACF  JOB (),Q1 LABS,
//         MSGCLASS=P,
//         REGION=0M
//*
//*QEXRACF JCL version 1.0 April 2009
//*
//*************************************************************
//* Change below dataset names to sites specific datasets     *
//* names                                                     *
//*************************************************************
//SET1     SET SMFOUT='.CUSTNAME.IRRADU00.OUTPUT',
//         SMFIN='',
//         QRACFOUT='.QEXRACF.OUTPUT'
//*************************************************************
//* Delete old datasets                                       *
//*************************************************************
//DEL      EXEC PGM=IEFBR14
//DD2      DD DISP=(MOD,DELETE),DSN=&QRACFOUT,
//         UNIT=SYSDA,
//         SPACE=(TRK,(1,1)),
//         DCB=(RECFM=FB,LRECL=80)
//*************************************************************
//* Allocate new dataset                                      *
//*************************************************************
//ALLOC    EXEC PGM=IEFBR14
//DD1      DD DISP=(NEW,CATLG),DSN=&QRACFOUT,
//         SPACE=(CYL,(1,10)),UNIT=SYSDA,
//         DCB=(RECFM=VB,LRECL=1028,BLKSIZE=6144)
//*************************************************************
//* Execute IBM IRRADU00 utility to extract RACF smf records *
//*************************************************************
//IRRADU00 EXEC PGM=IFASMFDP
//SYSPRINT DD SYSOUT=*
//ADUPRINT DD SYSOUT=*
//OUTDD    DD DSN=&SMFOUT,SPACE=(CYL,(100,100)),DISP=(,CATLG),
//         DCB=(RECFM=FB,LRECL=8192,BLKSIZE=40960),
//         UNIT=SYSALLDA
//SMFDATA  DD DISP=SHR,DSN=&SMFIN
//SMFOUT   DD DUMMY
//SYSIN    DD *
INDD(SMFDATA,OPTIONS(DUMP))
OUTDD(SMFOUT,TYPE(30:83))
ABEND(NORETRY)
USER2(IRRADU00)
USER3(IRRADU86)
/*
//EXTRACT  EXEC PGM=QEXRACF,DYNAMNBR=10,
//         TIME=1440
//*STEPLIB DD DISP=SHR,DSN=
//SYSTSIN  DD DUMMY
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//RACIN    DD DISP=SHR,DSN=&SMFOUT
//RACOUT   DD DISP=SHR,DSN=&QRACFOUT
//
//*************************************************************
//* FTP Output file from C program (Qexracf) to an FTP server *
//* QRadar will go to that FTP Server to get file            *
//* Note you need to replace , ,                             *
//*  and                                                      *
//*************************************************************
//*FTP EXEC PGM=FTP,REGION=3800K
//*INPUT DD *
//*
//*
//*
//*ASCII
//*PUT ''
//
//*QUIT
//*OUTPUT   DD SYSOUT=*
//*SYSPRINT DD SYSOUT=*
//*
//*
Step 8 After the output file is created, you must send this file to an FTP server. This
ensures that every time you run the utility, the output file is sent to a specific FTP
server for processing at the end of the above script. If the z/OS platform is
configured to serve files through FTP or SFTP, or allow SCP, then no interim server
is required and JSA can pull those files directly from the mainframe. If an interim
FTP server is needed, JSA requires a unique IP address for each IBM RACF log
source or they will be joined as one system.
Create an IBM RACF log source
The Log File protocol allows JSA to retrieve archived log files from a remote host.
Log files are transferred, one at a time, to JSA for processing. The log file protocol
can manage plain text event logs, compressed files, or archives. Archives must
contain plain-text files that can be processed one line at a time. Multi-line event
logs are not supported by the log file protocol. IBM RACF with z/OS writes log files
to a specified directory as gzip archives. JSA extracts the archive and processes
the events, which are written as one event per line in the file.
To retrieve these events, you must create a log source using the Log File protocol.
JSA requires credentials to log in to the system hosting your event files and a
polling interval.
Procedure
Step 9 Click the Admin tab.
Step 10 Click the Log Sources icon.
Step 11 Click Add.
Step 12 In the Log Source Name field, type a name for the log source.
Step 13 In the Log Source Description field, type a description for the log source.
Step 14 From the Log Source Type list box, select IBM Resource Access Control
Facility (RACF).
Step 15 From the Protocol Configuration list box, select Log File.

Step 16 Configure the following values:

Table 49-9 IBM RACF Log File Protocol Parameters

Parameter

Description

Log Source Identifier

Type an IP address, host name, or name to identify the event
source. IP addresses or host names are recommended as
they allow JSA to identify a log file to a unique event source.
For example, if your network contains multiple devices, such
as multiple z/OS images or a file repository containing all of
your event logs, you should specify a name, IP address, or
hostname for the image or location that uniquely identifies
events for the IBM RACF log source. This allows events to be
identified at the image or location level in your network that
your users can identify.

Service Type

From the list box, select the protocol you want to use when
retrieving log files from a remote server. The default is SFTP.
• SFTP - SSH File Transfer Protocol
• FTP - File Transfer Protocol
• SCP - Secure Copy

Note: The underlying protocol used to retrieve log files for the
SCP and SFTP service type requires that the server specified
in the Remote IP or Hostname field has the SFTP subsystem
enabled.
Remote IP or
Hostname

Type the IP address or host name of the device storing your
event log files.

Remote Port

Type the TCP port on the remote host that is running the
selected Service Type. The valid range is 1 to 65535.
The options include:
• FTP - TCP Port 21
• SFTP - TCP Port 22
• SCP - TCP Port 22

Note: If the host for your event files is using a non-standard
port number for FTP, SFTP, or SCP, you must adjust the port
value accordingly.
Remote User

Type the user name or userid necessary to log in to the host
containing your event files.
• If your log files are located on your IBM z/OS image, type the userid
  necessary to log in to your IBM z/OS. The userid can be up to 8
  characters in length.
• If your log files are located on a file repository, type the user name
  necessary to log in to the file repository. The user name can be up to
  255 characters in length.

Remote Password

Type the password necessary to log in to the host.

Confirm Password

Confirm the password necessary to log in to the host.

SSH Key File

If you select SCP or SFTP as the Service Type, this
parameter allows you to define an SSH private key file. When
you provide an SSH Key File, the Remote Password field is
ignored.

Remote Directory

Type the directory location on the remote host from which the
files are retrieved, relative to the user account you are using
to log in.
Note: For FTP only. If your log files reside in the remote user’s
home directory, you can leave the remote directory blank. This
is to support operating systems where a change in the
working directory (CWD) command is restricted.

Recursive

Select this check box if you want the file pattern to search sub
folders in the remote directory. By default, the check box is
clear.
The Recursive option is ignored if you configure SCP as the
Service Type.

FTP File Pattern

If you select SFTP or FTP as the Service Type, this option
allows you to configure the regular expression (regex)
required to filter the list of files specified in the Remote
Directory. All matching files are included in the processing.
The FTP file pattern you specify must match the name you
assigned to your event files. For example, to collect files
starting with zOS and ending with .gz, type the following:
Use of this parameter requires knowledge of regular
expressions (regex). For more information, see the following
website:
http://download.oracle.com/javase/tutorial/essential/regex/

FTP Transfer Mode

This option only displays if you select FTP as the Service
Type.
From the list box, select the transfer mode you want to apply
to this log source:
• Binary - Select Binary for log sources that require binary data files or
  compressed zip, gzip, tar, or tar+gzip archive files.
• ASCII - Select ASCII for log sources that require an ASCII FTP file
  transfer.

SCP Remote File

If you select SCP as the Service Type you must type the file
name of the remote file.

Start Time

Type the time of day you want the processing to begin. For
example, type 00:00 to schedule the Log File protocol to
collect event files at midnight.
This parameter functions with the Recurrence value to
establish when and how often the Remote Directory is
scanned for files. Type the start time, based on a 24 hour
clock, in the following format: HH:MM.

Recurrence

Type the frequency, beginning at the Start Time, that you
want the remote directory to be scanned. Type this value in
hours (H), minutes (M), or days (D).
For example, type 2H if you want the remote directory to be
scanned every 2 hours from the start time. The default is 1H.

Run On Save

Select this check box if you want the log file protocol to run
immediately after you click Save.
After the Run On Save completes, the log file protocol follows
your configured start time and recurrence schedule.
Selecting Run On Save clears the list of previously processed
files for the Ignore Previously Processed File parameter.

EPS Throttle

Type the number of Events Per Second (EPS) that you do not
want this protocol to exceed. The valid range is 100 to 5000.

Processor

From the list box, select gzip.
Processors allow event file archives to be expanded and
contents processed for events. Files are only processed after
they are downloaded to JSA. JSA can process files in zip,
gzip, tar, or tar+gzip archive format.

Ignore Previously
Processed File(s)

Select this check box to track and ignore files that have
already been processed by the log file protocol.
JSA examines the log files in the remote directory to
determine if a file has been previously processed by the log
file protocol. If a previously processed file is detected, the log
file protocol does not download the file for processing. All files
that have not been previously processed are downloaded.
This option only applies to FTP and SFTP Service Types.

Change Local
Directory?

Select this check box to define a local directory on your JSA
system for storing downloaded files during processing.
We recommend that you leave this check box clear. When
this check box is selected, the Local Directory field is
displayed, which allows you to configure the local directory to
use for storing files.

Event Generator

From the Event Generator list box, select LineByLine.
The Event Generator applies additional processing to the
retrieved event files. Each line of the file is a single event. For
example, if a file has 10 lines of text, 10 separate events are
created.

Step 17 Click Save.
Step 18 On the Admin tab, click Deploy Changes.

The IBM RACF configuration is complete. If your IBM RACF requires custom event
properties, see the Custom Event Properties for IBM z/OS technical note.


IBM DB2

Integrating IBM DB2 with LEEF Events

JSA has two options for integrating events from IBM DB2®:
• Integrating IBM DB2 with LEEF Events
• Integrating IBM DB2 Audit Events

The IBM DB2 DSM allows you to integrate DB2 events in LEEF format from an
IBM z/OS® mainframe using IBM Security zSecure®.
Using a zSecure process, events from the System Management Facilities (SMF)
are recorded to an event file in the Log Enhanced Event format (LEEF). JSA
retrieves the LEEF event log files using the log file protocol and processes the
events. You can schedule JSA to retrieve events on a polling interval, which allows
you to retrieve the events on the schedule you have defined.
To integrate IBM DB2 events:
1 Confirm your installation meets any prerequisite installation requirements. For
  more information, see Before You Begin.
2 Configure your IBM DB2 image to write events in LEEF format. For more
  information, see the IBM Security zSecure Suite: CARLa-Driven Components
  Installation and Deployment Guide.
3 Create a log source in JSA for IBM DB2 to retrieve your LEEF formatted event
  logs. For more information, see Creating a Log Source.
4 Optional. Create a custom event property for IBM DB2 in JSA. For more
  information, see the Custom Event Properties for IBM z/OS technical note.
Before You Begin

Before you can configure the data collection process, you must complete the basic
zSecure installation process.
The following prerequisites are required:
• You must ensure parmlib member IFAPRDxx is not disabled for IBM Security
  zSecure Audit on your IBM DB2 z/OS image.
• The SCKRLOAD library must be APF-authorized.
• You must configure a process to periodically refresh your CKFREEZE and
  UNLOAD data sets.
• You must configure an SFTP, FTP, or SCP server on your z/OS image for JSA
  to download your LEEF event files.
• You must allow SFTP, FTP, or SCP traffic on firewalls located between JSA and
  your z/OS image.

After installing the software, you must also perform the post-installation activities to
create and modify the configuration. For instructions on installing and configuring
zSecure, see the IBM Security zSecure Suite: CARLa-Driven Components
Installation and Deployment Guide.

Creating a Log Source

The Log File protocol allows JSA to retrieve archived log files from a remote host.
Log files are transferred, one at a time, to JSA for processing. The log file protocol
can manage plain text event logs, compressed files, or archives. Archives must
contain plain-text files that can be processed one line at a time. Multi-line event
logs are not supported by the log file protocol. IBM z/OS with zSecure writes log
files to a specified directory as gzip archives. JSA extracts the archive and
processes the events, which are written as one event per line in the file.
To retrieve these events, you must create a log source using the Log File protocol.
JSA requires credentials to log in to the system hosting your LEEF formatted event
files and a polling interval.
Procedure

Step 5 Click the Admin tab.
Step 6 Click the Log Sources icon.
Step 7 Click Add.
Step 8 In the Log Source Name field, type a name for the log source.
Step 9 In the Log Source Description field, type a description for the log source.
Step 10 From the Log Source Type list box, select IBM DB2.
Step 11 From the Protocol Configuration list box, select Log File.
Step 12 Configure the following values:

Table 49-10 IBM DB2 Log File Protocol Parameters

Parameter

Description

Log Source Identifier

Type an IP address, host name, or name to identify the event
source. IP addresses or host names are recommended as
they allow JSA to identify a log file to a unique event source.
For example, if your network contains multiple devices, such
as multiple z/OS images or a file repository containing all of
your event logs, you should specify a name, IP address, or
hostname for the image or location that uniquely identifies
events for the IBM DB2 log source. This allows events to be
identified at the image or location level in your network that
your users can identify.

Service Type

From the list box, select the protocol you want to use when
retrieving log files from a remote server. The default is SFTP.
• SFTP - SSH File Transfer Protocol
• FTP - File Transfer Protocol
• SCP - Secure Copy

Note: The underlying protocol used to retrieve log files for the
SCP and SFTP service type requires that the server specified
in the Remote IP or Hostname field has the SFTP subsystem
enabled.

Remote IP or
Hostname

Type the IP address or host name of the device storing your
event log files.

Remote Port

Type the TCP port on the remote host that is running the
selected Service Type. The valid range is 1 to 65535.
The options include:
• FTP - TCP Port 21
• SFTP - TCP Port 22
• SCP - TCP Port 22

Note: If the host for your event files is using a non-standard
port number for FTP, SFTP, or SCP, you must adjust the port
value accordingly.
Remote User

Type the user name or userid necessary to log in to the host
containing your event files.
• If your log files are located on your IBM z/OS image, type the userid
  necessary to log in to your IBM z/OS. The userid can be up to 8
  characters in length.
• If your log files are located on a file repository, type the user name
  necessary to log in to the file repository. The user name can be up to
  255 characters in length.

Remote Password

Type the password necessary to log in to the host.

Confirm Password

Confirm the password necessary to log in to the host.

SSH Key File

If you select SCP or SFTP as the Service Type, this
parameter allows you to define an SSH private key file. When
you provide an SSH Key File, the Remote Password field is
ignored.

Remote Directory

Type the directory location on the remote host from which the
files are retrieved, relative to the user account you are using
to log in.

Recursive

Select this check box if you want the file pattern to search sub
folders in the remote directory. By default, the check box is
clear.
The Recursive option is ignored if you configure SCP as the
Service Type.


FTP File Pattern

If you select SFTP or FTP as the Service Type, this option
allows you to configure the regular expression (regex)
required to filter the list of files specified in the Remote
Directory. All matching files are included in the processing.
An IBM z/OS mainframe using IBM Security zSecure Audit writes
event files using the pattern DB2..gz.
The FTP file pattern you specify must match the name you
assigned to your event files. For example, to collect files
starting with zOS and ending with .gz, type the following:
DB2.*\.gz
Use of this parameter requires knowledge of regular
expressions (regex). For more information, see the following
website:
http://download.oracle.com/javase/tutorial/essential/regex/

FTP Transfer Mode

This option only displays if you select FTP as the Service
Type. From the list box, select Binary.
The binary transfer mode is required for event files stored in a
binary or compressed format, such as zip, gzip, tar, or
tar+gzip archive files.

SCP Remote File

If you select SCP as the Service Type you must type the file
name of the remote file.

Start Time

Type the time of day you want the processing to begin. For
example, type 00:00 to schedule the Log File protocol to
collect event files at midnight.
This parameter functions with the Recurrence value to
establish when and how often the Remote Directory is
scanned for files. Type the start time, based on a 24 hour
clock, in the following format: HH:MM.

Recurrence

Type the frequency, beginning at the Start Time, that you
want the remote directory to be scanned. Type this value in
hours (H), minutes (M), or days (D).
For example, type 2H if you want the remote directory to be
scanned every 2 hours from the start time. The default is 1H.

Run On Save

Select this check box if you want the log file protocol to run
immediately after you click Save.
After the Run On Save completes, the log file protocol follows
your configured start time and recurrence schedule.
Selecting Run On Save clears the list of previously processed
files for the Ignore Previously Processed File parameter.

EPS Throttle

Type the number of Events Per Second (EPS) that you do not
want this protocol to exceed. The valid range is 100 to 5000.


Processor

From the list box, select gzip.
Processors allow event file archives to be expanded and
contents processed for events. Files are only processed after
they are downloaded to JSA. JSA can process files in zip,
gzip, tar, or tar+gzip archive format.

Ignore Previously
Processed File(s)

Select this check box to track and ignore files that have
already been processed by the log file protocol.
JSA examines the log files in the remote directory to
determine if a file has been previously processed by the log
file protocol. If a previously processed file is detected, the log
file protocol does not download the file for processing. All files
that have not been previously processed are downloaded.
This option only applies to FTP and SFTP Service Types.

Change Local
Directory?

Select this check box to define a local directory on your JSA
for storing downloaded files during processing.
We recommend that you leave this check box clear. When
this check box is selected, the Local Directory field is
displayed, which allows you to configure the local directory to
use for storing files.

Event Generator

From the Event Generator list box, select LineByLine.
The Event Generator applies additional processing to the
retrieved event files. Each line of the file is a single event. For
example, if a file has 10 lines of text, 10 separate events are
created.

Step 13 Click Save.
Step 14 On the Admin tab, click Deploy Changes.

The IBM DB2 LEEF configuration is complete. If your configuration requires
custom event properties, see the Custom Event Properties for IBM z/OS technical
note.
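The parameter tables above (Tables 49-8, 49-9 and 49-10) describe the same Log File protocol behaviour three times: the FTP File Pattern regex filters the remote listing, Recursive controls sub-folders, Ignore Previously Processed File(s) skips files pulled on an earlier poll, Run On Save clears that list, and the gzip Processor plus the LineByLine Event Generator turn each archive into one event per line. The following is an added model of that interaction, not code from the manual or from Juniper; it assumes the pattern must match the whole file name (Java's matches(), which Python's fullmatch() mirrors for the RACF.*\.gz style of pattern), that sub-folder entries carry a "/" in their path, and that the processed list is a plain set kept between polls. All file names and event lines are constructed.

```python
import gzip
import re
from typing import Callable, Dict, Iterable, List, Set, Tuple


def select_files(listing: Iterable[str], file_pattern: str, recursive: bool,
                 processed: Set[str], ignore_processed: bool = True) -> List[str]:
    """Return the remote files one poll would download (FTP/SFTP service types).

    Models the FTP File Pattern, Recursive and Ignore Previously Processed
    File(s) parameters. Assumption: the pattern must match the whole file
    name, as Java's matches() does; fullmatch() gives the same result here.
    """
    pattern = re.compile(file_pattern)
    chosen: List[str] = []
    for path in listing:
        if "/" in path and not recursive:
            continue  # sub-folder entries are only searched when Recursive is set
        name = path.rsplit("/", 1)[-1]
        if not pattern.fullmatch(name):
            continue  # e.g. a half-written RACF.x.gz.tmp does not end in .gz
        if ignore_processed and path in processed:
            continue  # already downloaded on an earlier poll
        chosen.append(path)
    return chosen


def gzip_lines(lines: Iterable[str]) -> bytes:
    """Build a gzip archive of text lines (what the gzip Processor expands)."""
    return gzip.compress("".join(f"{line}\n" for line in lines).encode("utf-8"))


def line_by_line_events(gz_payload: bytes) -> List[str]:
    """gzip Processor followed by the LineByLine Event Generator: one event per line."""
    text = gzip.decompress(gz_payload).decode("utf-8")
    return [line for line in text.splitlines() if line.strip()]


def poll(listing: Iterable[str], file_pattern: str, recursive: bool,
         processed: Set[str], fetch: Callable[[str], bytes]) -> List[str]:
    """One scheduled poll: select files, generate events, record the files as processed."""
    events: List[str] = []
    for path in select_files(listing, file_pattern, recursive, processed):
        events.extend(line_by_line_events(fetch(path)))
        processed.add(path)
    return events


# Constructed sample remote directory (not real RACF output): two events per file.
SAMPLE_LISTING = [
    "RACF.20141125.gz",          # matches RACF.*\.gz
    "RACF.20141126.gz",
    "RACF.20141126.gz.tmp",      # still being written: fullmatch rejects the .tmp suffix
    "DB2.20141126.gz",           # another DSM's files in the same directory
    "archive/RACF.20141001.gz",  # sub-folder: only seen when Recursive is selected
]


def make_remote(paths: Iterable[str]) -> Dict[str, bytes]:
    """Constructed file contents for each path in the listing."""
    return {p: gzip_lines([f"constructed event 1 from {p}",
                           f"constructed event 2 from {p}"]) for p in paths}


def demo() -> Tuple[int, int, int]:
    """Three polls against the constructed directory; returns each poll's event count."""
    processed: Set[str] = set()
    remote = make_remote(SAMPLE_LISTING)
    first = poll(SAMPLE_LISTING, r"RACF.*\.gz", False, processed, remote.__getitem__)
    # Next day a new file appears; Ignore Previously Processed skips the two already pulled.
    remote["RACF.20141127.gz"] = gzip_lines(["constructed event 1 from RACF.20141127.gz"])
    listing = list(remote)
    second = poll(listing, r"RACF.*\.gz", False, processed, remote.__getitem__)
    # Run On Save clears the processed list; with Recursive set the archive folder is included.
    processed.clear()
    third = poll(listing, r"RACF.*\.gz", True, processed, remote.__getitem__)
    return len(first), len(second), len(third)


if __name__ == "__main__":
    print(demo())  # (4, 1, 7)
```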
Integrating IBM DB2 Audit Events

The IBM DB2 DSM allows you to integrate your DB2 audit logs into JSA for
analysis.
The db2audit command creates a set of comma-delimited text files with a .del
extension that defines the scope of audit data for JSA when auditing is configured
and enabled. Comma-delimited files created by the db2audit command include:
• audit.del
• checking.del
• context.del
• execute.del
• objmaint.del
• secmaint.del
• sysadmin.del
• validate.del

To integrate the IBM DB2 DSM with JSA, you must:
1 Use the db2audit command to ensure the IBM DB2 records security events. See
  your IBM DB2 vendor documentation for more information.
2 Extract the DB2 audit data of events contained in the instance to a log file,
  depending on your version of IBM DB2:
  • If you are using DB2 v9.5 and above, see Extract audit data: DB2 v9.5 and
    above.
  • If you are using DB2 v8.x to v9.4, see Extract audit data: DB2 v8.x to v9.4.
3 Use the log file protocol source to pull the output instance log file and send that
  information back to JSA on a scheduled basis. JSA then imports and processes
  this file. See Creating a log source for IBM DB2.

Note: The IBM DB2 DSM does not support the IBM z/OS mainframe operating
system.
Extract audit data: DB2 v9.5 and above
To extract audit data when you are using IBM DB2 v9.5 and above:

Step 1 Log in to a DB2 account with SYSADMIN privilege.
Step 2 Move the audit records from the database instance to the audit log:

db2audit flush

For example, the flush command response might resemble the following:
AUD00001 Operation succeeded.
Step 3 Archive and move the active instance to a new location for future extraction:

db2audit archive

For example, an archive command response might resemble the following:
Node AUD      Archived or Interim Log File            Message
---- -------- --------------------------------------- -----------------------------
   0 AUD00001 dbsaudit.instance.log.0.20091217125028  AUD00001 Operation succeeded.

Note: In DB2 v9.5 and above, the archive command replaces the prune command.
The archive command moves the active audit log to a new location, effectively
pruning all non-active records from the log. An archive command must be
complete before an extract can be performed.

Step 4 Extract the data from the archived audit log and write the data to .del files:

db2audit extract delasc from files
db2audit.instance.log.0.200912171528

For example, an archive command response might resemble the following:
AUD00001 Operation succeeded.

Note: Double-quotation marks (") are used as the default text delimiter in the
ASCII files; do not change the delimiter.

Step 5 Move the .del files to a storage location where JSA can pull the file. The movement
of the comma-delimited (.del) files should be synchronized with the file pull interval
in JSA.
You are now ready to configure JSA to receive DB2 log files. See Creating a log
source for IBM DB2.
Extract audit data: DB2 v8.x to v9.4
To extract audit data when you are using IBM DB2 v8.x to v9.4:
Step 1 Log into a DB2 account with SYSADMIN privilege.
Step 2 Type the following start command to audit a database instance:

db2audit start

For example, the start command response might resemble the following:
AUD00001 Operation succeeded.
Step 3 Move the audit records from the instance to the audit log:

db2audit flush

For example, the flush command response might resemble the following:
AUD00001 Operation succeeded.
Step 4 Extract the data from the audit log and write the data to .del files:

db2audit extract delasc

For example, the extract command response might resemble the following:
AUD00001 Operation succeeded.

NOTE

Note: Double-quotation marks (") are used as the default text delimiter in the
ASCII files; do not change the delimiter.

Step 5 Remove non-active records:

db2audit prune all

Step 6 Move the .del files to a storage location where JSA can pull the file. The movement
of the comma-delimited (.del) files should be synchronized with the file pull interval
in JSA.


You are now ready to create a log source in JSA to receive DB2 log files.
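The steps above for either DB2 release are normally run from one scheduled job so that the .del files reach the pickup directory on the same cadence as the JSA pull interval. The following shell script is an added example, not part of this guide or of IBM DB2: it assumes db2audit is on the PATH of the instance owner, that AUDIT_DEL_DIR (the instance audit data path where extract writes its .del files) and PICKUP_DIR (the Remote Directory JSA reads) are set for your site, and that db2audit responses look like the samples shown above. The archive command's response is parsed because, on DB2 v9.5 and above, the extract step needs the archived file name that only appears there.

```shell
#!/bin/sh
# Added example: automate the db2audit cycle described above and stage the
# .del files for the JSA Log File protocol. Not part of the Juniper guide or
# of IBM DB2. Assumptions: db2audit is on PATH for the instance owner,
# AUDIT_DEL_DIR is the audit data path where "extract" writes .del files,
# and PICKUP_DIR is the Remote Directory JSA pulls from.
AUDIT_DEL_DIR="${AUDIT_DEL_DIR:-$HOME/sqllib/security/auditdata}"   # assumed default
PICKUP_DIR="${PICKUP_DIR:-/var/db2audit/jsa}"                        # assumed location

# Return 0 when a db2audit response reports success (AUD00001).
audit_ok() {
    printf '%s\n' "$1" | grep -q 'AUD00001 Operation succeeded'
}

# Read "db2audit archive" output on stdin and print the archived log name,
# for example dbsaudit.instance.log.0.20091217125028; the extract step on
# DB2 v9.5 and above needs it. Prints nothing when no file is reported.
parse_archived_log() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /\.instance\.log\.[0-9]+\.[0-9]+$/) { print $i; exit } }'
}

# Move every .del file from the audit data path into the pickup directory
# and print how many were staged.
stage_del_files() {
    mkdir -p "$PICKUP_DIR"
    count=0
    for f in "$AUDIT_DEL_DIR"/*.del; do
        [ -e "$f" ] || continue          # no match: the glob stays literal
        mv "$f" "$PICKUP_DIR/" && count=$((count + 1))
    done
    echo "$count"
}

# Run one extraction cycle. $1 is "archive" (DB2 v9.5 and above, where
# archive replaces prune) or "prune" (DB2 v8.x to v9.4).
run_db2_audit_cycle() {
    case "$1" in
    archive)
        resp=$(db2audit flush)   && audit_ok "$resp" || return 1
        resp=$(db2audit archive) && audit_ok "$resp" || return 1
        logfile=$(printf '%s\n' "$resp" | parse_archived_log)
        [ -n "$logfile" ] || { echo "archive reported no log file" >&2; return 1; }
        resp=$(db2audit extract delasc from files "$logfile") && audit_ok "$resp" || return 1
        ;;
    prune)
        resp=$(db2audit start)          && audit_ok "$resp" || return 1
        resp=$(db2audit flush)          && audit_ok "$resp" || return 1
        resp=$(db2audit extract delasc) && audit_ok "$resp" || return 1
        resp=$(db2audit prune all)      && audit_ok "$resp" || return 1
        ;;
    *)
        echo "usage: $0 archive|prune" >&2
        return 2
        ;;
    esac
    echo "staged $(stage_del_files) .del file(s) in $PICKUP_DIR"
}

# Only touch a real instance when a mode is given on the command line, so
# the functions can be sourced and checked without DB2 installed.
case "${1:-}" in
    archive|prune) run_db2_audit_cycle "$1" ;;
esac
```

Run it from the instance owner's cron as `archive` (DB2 v9.5 and above) or `prune` (v8.x to v9.4) at an interval shorter than the JSA Recurrence, so that files are staged before each scan; the step-by-step success checks stop the cycle on the first command that does not return AUD00001, rather than staging an empty or stale set of files.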
Creating a log source for IBM DB2
A log file protocol source allows JSA to retrieve archived log files from a remote
host.
The IBM DB2 DSM supports the bulk loading of log files using the log file protocol
source. When configuring your IBM DB2 to use the log file protocol, make sure the
hostname or IP address configured in the IBM DB2 system is the same as
configured in the Remote Host parameter in the Log File protocol configuration.
For more information, see the Log Sources Users Guide.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 Click the Log Sources icon.
Step 4 Click Add.
Step 5 In the Log Source Name field, type a name for the log source.
Step 6 In the Log Source Description field, type a description for the log source.
Step 7 From the Log Source Type list box, select IBM DB2.
Step 8 From the Protocol Configuration list box, select Log File.
Step 9 Configure the following values:

Table 49-11 IBM DB2 Log File Protocol Parameters

Parameter

Description

Log Source Identifier

Type an IP address, host name, or name to identify the event
source. IP addresses or host names are recommended as
they allow JSA to identify a log file to a unique event source.
For example, if your network contains multiple devices, such
as multiple z/OS images or a file repository containing all of
your event logs, you should specify a name, IP address, or
hostname for the image or location that uniquely identifies
events for the IBM DB2 log source. This allows events to be
identified at the image or location level in your network, in a
way that your users can recognize.


Service Type

From the list box, select the protocol you want to use when
retrieving log files from a remote server. The default is SFTP.
• SFTP - SSH File Transfer Protocol
• FTP - File Transfer Protocol
• SCP - Secure Copy

Note: The underlying protocol used to retrieve log files for the
SCP and SFTP service type requires that the server specified
in the Remote IP or Hostname field has the SFTP subsystem
enabled.
Remote IP or
Hostname

Type the IP address or host name of the device storing your
event log files.

Remote Port

Type the TCP port on the remote host that is running the
selected Service Type. The valid range is 1 to 65535.
The options include:
• FTP - TCP Port 21
• SFTP - TCP Port 22
• SCP - TCP Port 22

Note: If the host for your event files is using a non-standard
port number for FTP, SFTP, or SCP, you must adjust the port
value accordingly.
Remote User

Type the user name necessary to log in to the host containing
your event files.
The username can be up to 255 characters in length.

Remote Password

Type the password necessary to log in to the host.

Confirm Password

Confirm the password necessary to log in to the host.

SSH Key File

If you select SCP or SFTP as the Service Type, this
parameter allows you to define an SSH private key file. When
you provide an SSH Key File, the Remote Password field is
ignored.

Remote Directory

Type the directory location on the remote host from which the
files are retrieved, relative to the user account you are using
to log in.
Note: For FTP only. If your log files reside in the remote user’s
home directory, you can leave the remote directory blank. This
is to support operating systems where a change in the
working directory (CWD) command is restricted.

Recursive

Select this check box if you want the file pattern to search sub
folders in the remote directory. By default, the check box is
clear.
The Recursive option is ignored if you configure SCP as the
Service Type.


FTP File Pattern

If you select SFTP or FTP as the Service Type, this option
allows you to configure the regular expression (regex)
required to filter the list of files specified in the Remote
Directory. All matching files are included in the processing.
The FTP file pattern you specify must match the name you
assigned to your event files. For example, to collect
comma-delimited files ending with .del, type the following:

.*.del
Use of this parameter requires knowledge of regular
expressions (regex). For more information, see the following
website:
http://download.oracle.com/javase/tutorial/essential/regex/
FTP Transfer Mode

From the list box, select ASCII for comma-delimited, text, or
ASCII log sources that require an ASCII FTP file transfer
mode.
This option only displays if you select FTP as the Service
Type.

SCP Remote File

If you select SCP as the Service Type you must type the file
name of the remote file.

Start Time

Type the time of day you want the processing to begin. For
example, type 00:00 to schedule the Log File protocol to
collect event files at midnight.
This parameter functions with the Recurrence value to
establish when and how often the Remote Directory is
scanned for files. Type the start time, based on a 24 hour
clock, in the following format: HH:MM.

Recurrence

Type the frequency, beginning at the Start Time, that you
want the remote directory to be scanned. Type this value in
hours (H), minutes (M), or days (D).
For example, type 2H if you want the remote directory to be
scanned every 2 hours from the start time. The default is 1H.

Run On Save

Select this check box if you want the log file protocol to run
immediately after you click Save.
After the Run On Save completes, the log file protocol follows
your configured start time and recurrence schedule.
Selecting Run On Save clears the list of previously processed
files for the Ignore Previously Processed File parameter.

EPS Throttle

Type the number of Events Per Second (EPS) that you do not
want this protocol to exceed. The valid range is 100 to 5000.

Processor

From the list box, select None.
Processors allow event file archives to be expanded and
contents processed for events. Files are only processed after
they are downloaded to JSA. JSA can process files in zip,
gzip, tar, or tar+gzip archive format.

Ignore Previously
Processed File(s)

Select this check box to track and ignore files that have
already been processed by the log file protocol.
JSA examines the log files in the remote directory to
determine if a file has been previously processed by the log
file protocol. If a previously processed file is detected, the log
file protocol does not download the file for processing. All files
that have not been previously processed are downloaded.
This option only applies to FTP and SFTP Service Types.

Change Local
Directory?

Select this check box to define a local directory on your JSA
for storing downloaded files during processing.
We recommend that you leave this check box clear. When
this check box is selected, the Local Directory field is
displayed, which allows you to configure the local directory to
use for storing files.

Event Generator

From the Event Generator list box, select LineByLine.
The Event Generator applies additional processing to the
retrieved event files. Each line of the file is a single event. For
example, if a file has 10 lines of text, 10 separate events are
created.

Step 10 Click Save.
Step 11 On the Admin tab, click Deploy Changes.

The configuration for IBM DB2 is complete.
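Two of the parameters in Table 49-11 fail silently when they are wrong: the SFTP and SCP service types only work when the log host's SSH daemon has the SFTP subsystem enabled, and an FTP File Pattern that matches more or fewer files than intended either imports stray files or misses the audit data. The following shell functions are an added example, not part of this guide or of JSA; they assume the log host runs OpenSSH (its sshd_config path is passed in) and a grep that supports -E and -x. The sample listings in the usage section are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for two Log File protocol prerequisites
# from Table 49-11. Not part of the Juniper guide or of JSA. Assumptions:
# the log host runs OpenSSH (its sshd_config path is passed in) and grep
# supports -E and -x; sample listings are constructed for illustration.

# Return 0 when the sshd configuration in file $1 has an uncommented
# "Subsystem sftp ..." line, which the SFTP and SCP service types require.
# Either server form (internal-sftp or an sftp-server binary) qualifies.
sftp_subsystem_enabled() {
    grep -Eq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]' "$1"
}

# Filter a file listing (one name per line on stdin) with pattern $1 the
# way the FTP File Pattern filters the Remote Directory: the whole name
# must match (-x). JSA applies the pattern as a Java regular expression;
# POSIX ERE agrees with it for the simple patterns in this guide, but not
# for every construct (Java's \d, for example, is not portable ERE).
match_file_pattern() {
    grep -Ex -- "$1"
}

# Count the names a pattern selects, so a pattern that matches nothing
# (or far too much) is caught before the log source goes live.
count_matches() {
    match_file_pattern "$1" | grep -c '' || true
}

# Usage: sh preflight.sh /etc/ssh/sshd_config '.*\.del' < listing.txt
if [ "$#" -eq 2 ]; then
    if sftp_subsystem_enabled "$1"; then
        echo "sftp subsystem: enabled"
    else
        echo "sftp subsystem: NOT enabled; SFTP and SCP service types will fail" >&2
    fi
    echo "files matching $2: $(count_matches "$2")"
fi
```

The pattern `.*.del` shown in the table leaves the dot unescaped, so it also matches any name ending in "del" (for example a file called model); `.*\.del` restricts the match to a literal .del suffix, which is the form to prefer when the pickup directory holds anything besides the audit output.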

IBM WebSphere Application Server

The IBM WebSphere® Application Server DSM for JSA accepts events using the
log file protocol source.
JSA records all relevant application and security events from the WebSphere
Application Server log files.

Configuring IBM WebSphere

You can configure IBM WebSphere Application Server events for JSA.
Procedure

Step 1 Using a web browser, log in to the IBM WebSphere administrative console.
Step 2 Click Environment > WebSphere Variables.
Step 3 Define Cell as the Scope level for the variable.
Step 4 Click New.
Step 5 Configure the following values:

• Name - Type a name for the cell variable.
• Description - Type a description for the variable (optional).
• Value - Type a directory path for the log files.

For example:
{QRADAR_LOG_ROOT} = /opt/IBM/WebSphere/AppServer/profiles/Custom01/logs/QRadar

You must create the target directory specified in Step 5 before proceeding.
Step 6 Click OK.
Step 7 Click Save.
Step 8 You must restart the WebSphere Application Server to save the configuration
changes.

NOTE

Note: If the variable you created affects a cell, you must restart all WebSphere
Application Servers in the cell before you continue.
You are now ready to customize the logging option for the IBM WebSphere
Application Server DSM.

Customizing the Logging Option

You must customize the logging option for each application server WebSphere
uses and change the settings for the JVM Logs (Java Virtual Machine logs).
Procedure

Step 1 Select Servers > Application Servers.
Step 2 Select your WebSphere Application Server to load the server properties.
Step 3 Select Logging and Tracing > JVM Logs.
Step 4 Configure a name for the JVM log files.

For example:
System.Out log file name:
${QRADAR_LOG_ROOT}/${WAS_SERVER_NAME}-SystemOut.log

System.Err log file name:
${QRADAR_LOG_ROOT}/${WAS_SERVER_NAME}-SystemErr.log
Step 5 Select a time of day to save the log files to the target directory.
Step 6 Click OK.
Step 7 You must restart the WebSphere Application Server to save the configuration
changes.

NOTE

Note: If the JVM Logs changes affect the cell, you must restart all of the
WebSphere Application Servers in the cell before you continue.
You are now ready to import the file into JSA using the Log File Protocol.


Create a Log Source

The log file protocol allows JSA to retrieve archived log files from a remote host.
The IBM WebSphere Application Server DSM supports the bulk loading of log files
using the log file protocol source.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 Click the Log Sources icon.
Step 4 Click Add.
Step 5 In the Log Source Name field, type a name for the log source.
Step 6 In the Log Source Description field, type a description for the log source.
Step 7 From the Log Source Type list box, select IBM WebSphere Application Server.
Step 8 Using the Protocol Configuration list box, select Log File.
Step 9 Configure the following values:

Table 49-12 Log File Parameters

Parameter

Description

Log Source Identifier

Type an IP address, hostname, or name to identify your IBM
WebSphere Application Server as an event source in JSA. IP
addresses or host names are recommended as they allow
JSA to identify a log file to a unique event source.
For example, if your network contains multiple IBM
WebSphere Application Servers that provide logs to a file
repository, you should specify the IP address or hostname of
the device that created the event log. This allows events to be
identified at the device level in your network, instead of
identifying the file repository.

Service Type

From the list box, select the protocol you want to use when
retrieving log files from a remote server. The default is SFTP.
• SFTP - SSH File Transfer Protocol
• FTP - File Transfer Protocol
• SCP - Secure Copy

Note: The underlying protocol used to retrieve log files for the
SCP and SFTP service type requires that the server specified
in the Remote IP or Hostname field has the SFTP subsystem
enabled.
Remote IP or
Hostname

Type the IP address or host name of your IBM WebSphere
Application Server storing your event log files.


Remote Port

Type the TCP port on the remote host that is running the
selected Service Type. The valid range is 1 to 65535.
The options include:
• FTP - TCP Port 21
• SFTP - TCP Port 22
• SCP - TCP Port 22

Note: If the host for your event files is using a non-standard
port number for FTP, SFTP, or SCP, you must adjust the port
value accordingly.
Remote User

Type the user name necessary to log in to the host containing
your event files.
The username can be up to 255 characters in length.

Remote Password

Type the password necessary to log in to the host.

Confirm Password

Confirm the password necessary to log in to the host.

SSH Key File

If you select SCP or SFTP as the Service Type, this
parameter allows you to define an SSH private key file.
The Remote Password field is ignored when you provide an
SSH Key File.

Remote Directory

Type the directory location on the remote host to the cell and
file path you specified in Step 5. This is the directory you
created containing your IBM WebSphere Application Server
event files.
Note: For FTP only. If your log files reside in the remote user’s
home directory, you can leave the remote directory blank. This
is to support operating systems where a change in the
working directory (CWD) command is restricted.

Recursive

Select this check box if you want the file pattern to search sub
folders. By default, the check box is clear.
The Recursive option is ignored if you configure SCP as the
Service Type.

FTP File Pattern

If you select SFTP or FTP as the Service Type, this option
allows you to configure the regular expression (regex)
required to filter the list of files specified in the Remote
Directory. All matching files are included in the processing.
The FTP file pattern you specify must match the name you
assigned to your JVM logs in Step 4. For example, to collect
system logs, type the following:
System.*\.log
Use of this parameter requires knowledge of regular
expressions (regex). For more information, see the following
website:
http://download.oracle.com/javase/tutorial/essential/regex/


FTP Transfer Mode

This option only appears if you select FTP as the Service
Type. The FTP Transfer Mode parameter allows you to define
the file transfer mode when retrieving log files over FTP.
From the list box, select the transfer mode you want to apply
to this log source:
• Binary - Select Binary for log sources that require binary
data files or compressed zip, gzip, tar, or tar+gzip archive
files.
• ASCII - Select ASCII for log sources that require an ASCII
FTP file transfer.
You must select NONE for the Processor parameter and
LINEBYLINE for the Event Generator parameter when using
ASCII as the FTP Transfer Mode.

SCP Remote File

If you select SCP as the Service Type you must type the file
name of the remote file.

Start Time

Type the time of day you want the processing to begin. This
parameter functions with the Recurrence value to establish
when and how often the Remote Directory is scanned for files.
Type the start time, based on a 24 hour clock, in the following
format: HH:MM.

Recurrence

Type the frequency, beginning at the Start Time, that you
want the remote directory to be scanned. Type this value in
hours (H), minutes (M), or days (D). For example, 2H if you
want the directory to be scanned every 2 hours. The default is
1H.
Note: We recommend that when you schedule a Log File protocol, you
select a recurrence time for the log file protocol shorter than the
scheduled write interval of the WebSphere Application Server log
files. This ensures that WebSphere events are collected by the Log
File Protocol before the new log file overwrites the old event log.

Run On Save

Select this check box if you want the log file protocol to run
immediately after you click Save. After the Run On Save
completes, the log file protocol follows your configured start
time and recurrence schedule.
Selecting Run On Save clears the list of previously processed
files for the Ignore Previously Processed File parameter.

EPS Throttle

Type the number of Events Per Second (EPS) that you do not
want this protocol to exceed. The valid range is 100 to 5000.

Processor

If the files located on the remote host are stored in a zip, gzip,
tar, or tar+gzip archive format, select the processor that
allows the archives to be expanded and contents processed.


Ignore Previously
Processed File(s)

Select this check box to track files that have already been
processed. Files that have been previously processed are not
processed a second time.
This check box only applies to FTP and SFTP Service Types.

Change Local
Directory?

Select this check box to define the local directory on your JSA
that you want to use for storing downloaded files during
processing. We recommend that you leave the check box
clear. When the check box is selected, the Local Directory
field is displayed, which allows you to configure the local
directory to use for storing files.

Event Generator

From the Event Generator list box, select WebSphere
Application Server.
The Event Generator applies additional processing, which is
specific to retrieved event files for IBM WebSphere
Application Server events.

Step 10 Click Save.
Step 11 On the Admin tab, click Deploy Changes.

The configuration is complete. For more information about IBM WebSphere
Application Server, see your vendor documentation.

IBM Informix Audit

The IBM Informix® Audit DSM allows JSA to integrate IBM Informix audit logs into
JSA for analysis.
JSA retrieves the IBM Informix archived audit log files from a remote host using the
Log File protocol configuration. JSA records all configured IBM Informix Audit
events.
For more information about IBM Informix auditing configuration, see your IBM
Informix documentation at the following website:
http://publib.boulder.ibm.com/infocenter/idshelp/v10/index.jsp?topic=/com.ibm.tfg.doc/tfg26.htm
When configuring your IBM Informix to use the log file protocol, make sure the
hostname or IP address configured in the IBM Informix is the same as configured
in the Remote Host parameter in the Log File protocol configuration.
You are now ready to configure the log source and protocol in JSA:

Step 1 To configure JSA to receive events from an IBM Informix device, you must select
the IBM Informix Audit option from the Log Source Type list box.
Step 2 To configure the log file protocol, you must select the Log File option from the
Protocol Configuration list box.
Step 3 We recommend that you use a secure protocol for transferring files, such as
Secure File Transfer Protocol (SFTP).
For more information on configuring log sources and protocols, see the Log
Sources Users Guide.

IBM IMS

The IBM Information Management System (IMS) DSM for JSA allows you to use
an IBM mainframe to collect events and audit IMS database transactions.

Configuration Overview

To integrate IBM IMS events with JSA, you must download scripts that allow IBM
IMS events to be written to a log file.
Overview of the event collection process:
1 The IBM mainframe records all security events as Service Management
Framework (SMF) records in a live repository.
2 The IBM IMS data is extracted from the live repository using the SMF dump utility.
The SMF file contains all of the events and fields from the previous day in raw SMF
format.
3 The qeximsloadlib.trs program pulls data from the SMF formatted file. The
qeximsloadlib.trs program only pulls the relevant events and fields for JSA
and writes that information in a condensed format for compatibility. The information
is saved in a location accessible by JSA.
4 JSA uses the log file protocol source to retrieve the output file information for JSA
on a scheduled basis. JSA then imports and processes this file.
Configure IBM IMS

To integrate IBM IMS with JSA:
Procedure

Step 1 From the Juniper Networks support website
(http://www.juniper.net/customers/support/), download the following compressed
file:
QexIMS_bundled.tar.gz
Step 2 On a Linux-based operating system, extract the file:

tar -zxvf qexims_bundled.tar.gz

The following files are contained in the archive:
qexims_jcl.txt - Job Control Language file
qeximsloadlib.trs - Compressed program library (requires IBM TRSMAIN)
qexims_trsmain_JCL.txt - Job Control Language for TRSMAIN to decompress the
.trs file


Step 3 Load the files onto the IBM mainframe using the following methods:
a Upload the sample qexims_trsmain_JCL.txt and qexims_jcl.txt files
using the TEXT protocol.
b Upload the qeximsloadlib.trs file using BINARY mode transfer and append
to a pre-allocated data set. The qeximsloadlib.trs file is a tersed file
containing the executable (the mainframe program QexIMS). When you upload
the .trs file from a workstation, pre-allocate a file on the mainframe with the
following DCB attributes: DSORG=PS, RECFM=FB, LRECL=1024,
BLKSIZE=6144. The file transfer type must be binary mode and not text.

NOTE

Note: QexIMS is a small C mainframe program that reads the output of the IMS
log file (EARLOUT data) line by line. QexIMS adds a header to each record
containing event information, for example, record descriptor, the date, and time.
The program places each field into the output record, suppresses trailing blank
characters, and delimits each field with the pipe character. This output file is
formatted for JSA and the blank suppression reduces network traffic to JSA. This
program does not consume CPU or I/O disk resources.

Step 4 Customize the qexims_trsmain_JCL.txt file according to your installation
specific information for parameters.
For example, jobcard, data set naming conventions, output destinations, retention
periods, and space requirements.
The qexims_trsmain_JCL.txt file uses the IBM utility TRSMAIN to extract the
program stored in the qeximsloadlib.trs file.
An example of the qexims_trsmain_JCL.txt file includes:
//TRSMAIN  JOB (yourvalidjobcard),Q1 labs,
//         MSGCLASS=V
//DEL      EXEC PGM=IEFBR14
//D1       DD DISP=(MOD,DELETE),DSN=.QEXIMS.TRS,
//         UNIT=SYSDA,
//         SPACE=(CYL,(10,10))
//TRSMAIN  EXEC PGM=TRSMAIN,PARM='UNPACK'
//SYSPRINT DD SYSOUT=*,DCB=(LRECL=133,BLKSIZE=12901,RECFM=FBA)
//INFILE   DD DISP=SHR,DSN=.QEXIMS.TRS
//OUTFILE  DD DISP=(NEW,CATLG,DELETE),
//         DSN=.LOAD,
//         SPACE=(CYL,(1,1,5),RLSE),UNIT=SYSDA
//

The .trs input file is an IBM TERSE formatted library and is extracted by running
the JCL, which calls the TRSMAIN. This tersed file, when extracted, creates a PDS
linklib with the qexims program as a member.
Step 5 You can STEPLIB to this library or choose to move the program to one of the
LINKLIBs that are in LINKLST. The program does not require authorization.

Step 6 The qexims_jcl.txt file is a text file containing a sample JCL. You must
configure the job card to meet your configuration.
The qexims_jcl.txt sample file includes:
//QEXIMS   JOB (T,JXPO,JKSD0093),DEV,NOTIFY=Q1JACK,
//         MSGCLASS=P,
//         REGION=0M
//*
//*QEXIMS JCL VERSION 1.0 FEBRUARY 2011
//*
//************************************************************
//* Change dataset names to site specific dataset names      *
//************************************************************
//SET1     SET IMSOUT='Q1JACK.QEXIMS.OUTPUT',
//         IMSIN='Q1JACK.QEXIMS.INPUT.DATA'
//************************************************************
//* Delete old datasets                                      *
//************************************************************
//DEL      EXEC PGM=IEFBR14
//DD1      DD DISP=(MOD,DELETE),DSN=&IMSOUT,
//         UNIT=SYSDA,
//         SPACE=(CYL,(10,10)),
//         DCB=(RECFM=FB,LRECL=80)
//************************************************************
//* Allocate new dataset
//************************************************************
//ALLOC    EXEC PGM=IEFBR14
//DD1      DD DISP=(NEW,CATLG),DSN=&IMSOUT,
//         SPACE=(CYL,(21,2)),
//         DCB=(RECFM=VB,LRECL=1028,BLKSIZE=6144)
//EXTRACT  EXEC PGM=QEXIMS,DYNAMNBR=10,
//         TIME=1440
//STEPLIB  DD DISP=SHR,DSN=Q1JACK.C.LOAD
//SYSTSIN  DD DUMMY
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//IMSIN    DD DISP=SHR,DSN=&IMSIN
//IMSOUT   DD DISP=SHR,DSN=&IMSOUT
//*FTP     EXEC PGM=FTP,REGION=3800K
//*INPUT   DD *
//*
//*
//*
//*ASCII
//*PUT '' /TARGET DIRECTORY>/
//*QUIT
//*OUTPUT  DD SYSOUT=*
//*SYSPRINT DD SYSOUT=*
//*


Step 7 After the output file is created, you must choose one of the following options:
a Schedule a job to transfer the output file to an interim FTP server.
Each time the job completes, the output file is forwarded to an interim FTP
server. You must configure the following parameters in the sample JCL to
successfully forward the output to an interim FTP server:
For example:
//*FTP     EXEC PGM=FTP,REGION=3800K
//*INPUT   DD *
//*
//*
//*
//*ASCII
//*PUT '' /TARGET DIRECTORY>/
//*QUIT
//*OUTPUT  DD SYSOUT=*
//*SYSPRINT DD SYSOUT=*

Where:
 is the IP address or host name of the interim FTP server to
receive the output file.
 is the user name required to access the interim FTP server.
 is the password required to access the interim FTP server.
 is the name of the output file saved to the interim FTP server.

For example:
PUT 'Q1JACK.QEXIMS.OUTPUT.C320' /192.168.1.101/IMS/QEXIMS.OUTPUT.C320

NOTE

Note: You must remove commented lines beginning with //* for the script to
properly forward the output file to the interim FTP server.
You are now ready to configure the Log File protocol.
b Schedule JSA to retrieve the output file from IBM IMS.
If the mainframe is configured to serve files through FTP, SFTP, or allow SCP,
then no interim FTP server is required and JSA can pull the output file directly
from the mainframe. The following text must be commented out using //* or
deleted from the qexims_jcl.txt file:
//*FTP     EXEC PGM=FTP,REGION=3800K
//*INPUT   DD *
//*
//*
//*
//*ASCII
//*PUT '' /TARGET DIRECTORY>/
//*QUIT
//*OUTPUT  DD SYSOUT=*
//*SYSPRINT DD SYSOUT=*

You are now ready to configure the Log File protocol.
Configure a Log Source

A log file protocol source allows JSA to retrieve archived log files from a remote
host.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 Click the Log Sources icon.
Step 4 From the Log Source Type list box, select IBM IMS.
Step 5 Using the Protocol Configuration list box, select Log File.
Step 6 Configure the following parameters:

Table 49-1 Log File Protocol Parameters

Parameter

Description

Log Source Identifier

Type the IP address or hostname for the log source. The log
source identifier must be unique for the log source type.

Service Type

From the list box, select the protocol you want to use when
retrieving log files from a remote server. The default is SFTP.
• SFTP - SSH File Transfer Protocol
• FTP - File Transfer Protocol
• SCP - Secure Copy

Note: The underlying protocol used to retrieve log files for the
SCP and SFTP service types requires that the server
specified in the Remote IP or Hostname field has the SFTP
subsystem enabled.
Remote IP or
Hostname

Type the IP address or hostname of the IBM IMS system.

Remote Port

Type the TCP port on the remote host that is running the
selected Service Type. If you configure the Service Type as
FTP, the default is 21. If you configure the Service Type as
SFTP or SCP, the default is 22.
The valid range is 1 to 65535.

Remote User

Type the username necessary to log in to your IBM IMS
system.
The username can be up to 255 characters in length.

Remote Password

Type the password necessary to log in to your IBM IMS
system.


Confirm Password

Confirm the Remote Password to log in to your IBM IMS
system.

SSH Key File

If you select SCP or SFTP from the Service Type field you
can define a directory path to an SSH private key file. The
SSH Private Key File allows you to ignore the Remote
Password field.

Remote Directory

Type the directory location on the remote host from which the
files are retrieved. By default, the newauditlog.sh script writes
the human-readable log files to the /var/log/ directory.

Recursive

Select this check box if you want the file pattern to also search
sub folders. The Recursive parameter is not used if you
configure SCP as the Service Type. By default, the check box
is clear.

FTP File Pattern

If you select SFTP or FTP as the Service Type, this option
allows you to configure the regular expression (regex)
required to filter the list of files specified in the Remote
Directory. All matching files are included in the processing.
For example, if you want to retrieve all files in the
...log format, use the
following entry: \d+\.\d+\.\w+\.log.
Use of this parameter requires knowledge of regular
expressions (regex). For more information, see the following
website:
http://download.oracle.com/javase/tutorial/essential/regex/

FTP Transfer Mode

This option only appears if you select FTP as the Service
Type. The FTP Transfer Mode parameter allows you to define
the file transfer mode when retrieving log files over FTP.
From the list box, select the transfer mode you want to apply
to this log source:
• Binary - Select Binary for log sources that require binary
data files or compressed .zip, .gzip, .tar, or .tar+gzip
archive files.
• ASCII - Select ASCII for log sources that require an ASCII
FTP file transfer. You must select NONE for the Processor
field and LINEBYLINE for the Event Generator field when
using ASCII as the transfer mode.

SCP Remote File

If you select SCP as the Service Type, you must type the file
name of the remote file.

Start Time

Type the time of day you want the processing to begin. This
parameter functions with the Recurrence value to establish
when and how often the Remote Directory is scanned for files.
Type the start time, based on a 24 hour clock, in the following
format: HH:MM.


Recurrence
    Type the frequency, beginning at the Start Time, that you want the
    remote directory to be scanned. Type this value in hours (H), minutes
    (M), or days (D).
    For example, type 2H if you want the directory to be scanned every 2
    hours. The default is 1H.

Run On Save
    Select this check box if you want the log file protocol to run
    immediately after you click Save. After the Run On Save completes, the
    log file protocol follows your configured start time and recurrence
    schedule.
    Selecting Run On Save clears the list of previously processed files for
    the Ignore Previously Processed File(s) parameter.

EPS Throttle
    Type the number of Events Per Second (EPS) that you do not want this
    protocol to exceed. The valid range is 100 to 5000.

Processor
    If the files located on the remote host are stored in a .zip, .gzip,
    .tar, or .tar+gzip archive format, select the processor that allows
    the archives to be expanded and their contents processed.

Ignore Previously Processed File(s)
    Select this check box to track files that have already been processed
    so that they are not processed a second time. This only applies to
    FTP and SFTP Service Types.

Change Local Directory?
    Select this check box to define the local directory on your JSA system
    that you want to use for storing downloaded files during processing.
    We recommend that you leave the check box clear. When the check box is
    selected, the Local Directory field is displayed, which allows you to
    configure the local directory to use for storing files.

Event Generator
    From the Event Generator list box, select LINEBYLINE.

Step 7 Click Save.

The configuration is complete. Events that are retrieved using the log file protocol
are displayed on the Log Activity tab of JSA.

IBM Guardium

IBM Guardium® is a database activity and audit tracking tool for system
administrators to retrieve detailed auditing events across database platforms.

Note: These instructions require that you install the 8.2p45 fix for InfoSphere
Guardium. For more information on this fix, see the Fix Central website at
http://www.ibm.com/support/fixcentral/.

Supported Event Types

JSA collects informational, error, alert, and warning events from IBM Guardium
using syslog. JSA receives IBM Guardium Policy Builder events in the Log Event
Extended Format (LEEF).

JSA can only automatically discover and map events from the default policies that
ship with IBM Guardium. Events from user-configured policies are displayed as
unknown in JSA, and you must map the unknown events manually.

Configuration Overview

The following list outlines the process required to integrate IBM Guardium with
JSA.
1 Create a syslog destination for policy violation events. For more information, see
Creating a Syslog Destination for Events.
2 Configure your existing policies to generate syslog events. For more information,
see Configuring Policies to Generate Syslog Events.
3 Install the policy on IBM Guardium. For more information, see Installing an IBM
Guardium Policy.
4 Configure the log source in JSA. For more information, see Configure a Log
Source.
5 Identify and map unknown policy events in JSA. For more information, see
Creating an Event Map for IBM Guardium Events.

Creating a Syslog Destination for Events

To create a syslog destination for these events on IBM Guardium, you must log in
to the command-line interface (CLI) and define the IP address for JSA.
Procedure

Step 1 Using SSH, log in to IBM Guardium as the root user.

Username: 
Password: 
Step 2 Type the following command to configure the syslog destination for informational
events:
store remote add daemon.info <IP address>:<port> <protocol>

For example, store remote add daemon.info 10.10.1.1:514 tcp
Where:
<IP address> is the IP address of your JSA console or Event Collector.
<port> is the syslog port number used to communicate with the JSA console or
Event Collector.
<protocol> is the protocol used to communicate with the JSA console or Event
Collector.
Step 3 Type the following command to configure the syslog destination for warning
events:
store remote add daemon.warning <IP address>:<port> <protocol>

Where <IP address>, <port>, and <protocol> have the same meaning as in Step 2.
Step 4 Type the following command to configure the syslog destination for error events:

store remote add daemon.err <IP address>:<port> <protocol>

Where <IP address>, <port>, and <protocol> have the same meaning as in Step 2.
Step 5 Type the following command to configure the syslog destination for alert events:

store remote add daemon.alert <IP address>:<port> <protocol>

Where <IP address>, <port>, and <protocol> have the same meaning as in Step 2.
You are now ready to configure a policy for IBM InfoSphere Guardium.
Configuring Policies to Generate Syslog Events

Policies in IBM Guardium are responsible for reacting to events and forwarding the
event information to JSA.
Procedure

Step 1 Click the Tools tab.
Step 2 From the left-hand navigation, select Policy Builder.
Step 3 From the Policy Finder pane, select an existing policy and click Edit Rules.
Step 4 Click Edit this Rule individually.

The Access Rule Definition is displayed.
Step 5 Click Add Action.
Step 6 From the Action list box, select one of the following alert types:
• Alert Per Match - A notification is provided for every policy violation.
• Alert Daily - A notification is provided the first time a policy violation occurs that
  day.
• Alert Once Per Session - A notification is provided once per policy violation for
  each unique session.
• Alert Per Time Granularity - A notification is provided per your selected time
  frame.

Step 7 From the Message Template list box, select JSA.
Step 8 From Notification Type, select SYSLOG.
Step 9 Click Add, then click Apply.
Step 10 Click Save.
Step 11 Repeat Step 2 to Step 10 for all rules within the policy you want to forward to JSA.

For more information on configuring a policy, see your IBM InfoSphere Guardium
vendor documentation. After you have configured all of your policies, you are
ready to install the policy on your IBM Guardium system.

Note: Due to the configurable policies, JSA can only automatically discover the
default policy events. If you have customized policies that forward events to JSA,
you must manually create a log source to capture those events.

Installing an IBM Guardium Policy

Any new or edited policy in IBM Guardium must be installed before the updated
alert actions or rule changes can occur.
Procedure

Step 1 Click the Administration Console tab.
Step 2 From the left-hand navigation, select Configuration > Policy Installation.
Step 3 From the Policy Installer pane, select a policy you modified in Step 3, Configuring
Policies to Generate Syslog Events.
Step 4 From the drop-down list, select Install and Override.

A confirmation is displayed to install the policy to all Inspection Engines.
Step 5 Click OK.

For more information on installing a policy, see your IBM InfoSphere Guardium
vendor documentation. After you have installed all of your policies, you are ready
to configure the log source in JSA.
Configure a Log Source

JSA only automatically discovers default policy events from IBM Guardium.
Due to the configurable nature of policies, we recommend that you configure a log
source manually for IBM Guardium.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 Click the Log Sources icon.
Step 4 Click Add.

Step 5 In the Log Source Name field, type a name for the log source.
Step 6 In the Log Source Description field, type a description for the log source.
Step 7 From the Log Source Type list box, select IBM Guardium.
Step 8 From the Protocol Configuration list box, select Syslog.
Step 9 Configure the following values:

Table 49-2 IBM Guardium Syslog Configuration

Log Source Identifier
    Type the IP address or hostname for the IBM InfoSphere Guardium
    appliance.

For more information on configuring log sources, see the Log Sources Users
Guide.
Step 10 Click Save.
Step 11 On the Admin tab, click Deploy Changes.

The IBM InfoSphere Guardium configuration is complete.
Creating an Event Map for IBM Guardium Events

Event mapping is required for a number of IBM Guardium events. Due to the
customizable nature of policy rules, most events, except the default policy events,
do not contain a predefined JSA Identifier (QID) map to categorize security events.
You can individually map each event for your device to an event category in JSA.
Mapping events allows JSA to identify, coalesce, and track recurring events from
your network devices. Until you map an event, all events that are displayed in the
Log Activity tab for IBM Guardium are categorized as unknown. Unknown events
are easy to identify because the Event Name and Low Level Category columns
display Unknown.
Discovering unknown events
As your device forwards events to JSA, it can take time to categorize all of the
events for a device, as some events might not be generated immediately by the
event source appliance or software. It is helpful to know how to quickly search for
unknown events. When you know how to search for unknown events, we
recommend you repeat this search until you are comfortable that you have
identified the majority of your events.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Log Activity tab.
Step 3 Click Add Filter.
Step 4 From the first list box, select Log Source.
Step 5 From the Log Source Group list box, select the log source group or Other.

Log sources that are not assigned to a group are categorized as Other.
Step 6 From the Log Source list box, select your IBM Guardium log source.
Step 7 Click Add Filter.

The Log Activity tab is displayed with a filter for your log source.
Step 8 From the View list box, select Last Hour.

Any events generated by the IBM Guardium DSM in the last hour are displayed.
Events displayed as unknown in the Event Name column or Low Level Category
column require event mapping in JSA.

Note: You can save your existing search filter by clicking Save Criteria.
You are now ready to modify the event map.
Modifying the event map
Modifying an event map allows you to manually categorize events to a JSA
Identifier (QID) map. Any event categorized to a log source can be remapped to a
new JSA Identifier (QID).

Note: Events that do not have a defined log source cannot be mapped to an event.
Events without a log source display SIM Generic Log in the Log Source column.
Procedure

Step 1 On the Event Name column, double-click an unknown event for IBM Guardium.

The detailed event information is displayed.
Step 2 Click Map Event.
Step 3 From the Browse for QID pane, select any of the following search options to
narrow the event categories for a JSA Identifier (QID):
a From the High-Level Category list box, select a high-level event
  categorization.
  For a full list of high-level and low-level event categories or category definitions,
  see the Event Categories section of the Juniper Secure Analytics
  Administration Guide.
b From the Low-Level Category list box, select a low-level event categorization.
c From the Log Source Type list box, select a log source type.
  The Log Source Type list box allows you to search for QIDs from other log
  sources. Searching for QIDs by log source is useful when events are similar to
  those of another existing network device. For example, because IBM Guardium
  provides policy events, you might select another product that likely captures
  similar events.
d To search for a QID by name, type a name in the QID/Name field.
  The QID/Name field allows you to filter the full list of QIDs for a specific word,
  for example, policy.

Step 4 Click Search.

A list of QIDs is displayed.
Step 5 Select the QID you want to associate with your unknown event.
Step 6 Click OK.

JSA maps any additional events forwarded from your device with the same QID
that matches the event payload. The event count increases each time the event is
identified by JSA.
If you update an event with a new JSA Identifier (QID) map, past events stored in
JSA are not updated. Only new events are categorized with the new QID.

IBM Security Directory Server

The Juniper Secure Analytics (JSA) DSM for IBM Security Directory Server can
collect event logs from your IBM Security Directory Server.
Table 49-1 identifies the specifications for the IBM Security Directory Server DSM.

Table 49-1 IBM Security Directory Server DSM Specifications

Manufacturer: IBM
DSM: IBM Security Directory Server
RPM file name: DSM-IBMSecurityDirectoryServer-build_number.noarch.rpm
Supported version: 6.3.1 and later
Protocol: Syslog (LEEF)
JSA recorded events: All relevant events
Automatically discovered: Yes
Includes identity: Yes
For more information:
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.IBMDS.doc_6.3.1%2Fadmin_gd381.htm&path=9_3_4_13_18_3

IBM Security Directory Server integration process

To integrate IBM Security Directory Server with JSA, use the following procedure:

1 If automatic updates are not enabled, download and install the most recent
versions of the following RPMs on your JSA console:
• DSMCommon RPM
• IBM Security Directory Server RPM
2 Configure each IBM Security Directory Server system in your network to enable
communication with JSA.
For more information, see Enabling communication between JSA and IBM
Security Directory Server
(http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.IBMDS.doc_6.3.1%2Fadmin_gd381.htm&path=9_3_4_13_18_3)
3 If JSA does not automatically discover the log source, for each IBM Security
Directory Server on your network, create a log source on the JSA console.
Related tasks
Manually installing a DSM
Configuring an IBM Security Directory Server Log Source in JSA

Configuring an IBM Security Directory Server Log Source in JSA

To collect IBM Security Directory Server events, configure a log source in JSA.
Before you begin
Ensure that the DSM-IBMSecurityDirectoryServer-build_number.noarch.rpm file is
installed and deployed on your JSA host.
Procedure
To configure an IBM Security Directory Server log source in JSA:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 In the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 From the Log Source Type list, select IBM Security Directory Server.
Step 7 From the Protocol Configuration list, select Syslog.
Step 8 Configure the remaining parameters.
Step 9 Click Save.
Step 10 On the Admin tab, click Deploy Changes.

IBM Tivoli Access Manager for E-business

Configure Tivoli Access Manager for E-business

The IBM Tivoli® Access Manager for e-business DSM for JSA accepts access,
audit, and HTTP events forwarded from IBM Tivoli Access Manager.
JSA collects audit, access, and HTTP events from IBM Tivoli Access Manager for
e-business using syslog. Before you can configure JSA, you must configure Tivoli
Access Manager for e-business to forward events to a syslog destination.
You can configure syslog on your Tivoli Access Manager for e-business to forward
events.
Procedure
To configure Tivoli Access Manager for E-business:

Step 1 Log in to Tivoli Access Manager’s IBM Security Web Gateway.
Step 2 From the navigation menu, select Secure Reverse Proxy Settings > Manage >
Reverse Proxy.
The Reverse Proxy pane is displayed.
Step 3 From the Instance column, select an instance.
Step 4 Click the Manage list box and select Configuration > Advanced.

The text of the WebSEAL configuration file is displayed.
Step 5 Locate the Authorization API Logging configuration.

The remote syslog configuration begins with logcfg. For example,
# As an example, to send authorization events to a remote syslog server:
# logcfg = audit.azn:rsyslog server=<IP address>,port=514,log_id=<log name>
Step 6 Copy the remote syslog configuration (logcfg) to a new line without the comment
(#) marker.
Step 7 Edit the remote syslog configuration.

For example,
logcfg = audit.azn:rsyslog server=<IP address>,port=514,log_id=<log name>
logcfg = audit.authn:rsyslog server=<IP address>,port=514,log_id=<log name>
logcfg = http:rsyslog server=<IP address>,port=514,log_id=<log name>

Where:
<IP address> is the IP address of your JSA console or Event Collector.
<log name> is the name assigned to the log that is forwarded to JSA. For
example, log_id=WebSEAL-log.
Step 8 Click Submit.

The Deploy button is displayed in the navigation menu.


Step 9 From the navigation menu, click Deploy.
Step 10 Click Deploy.

You must restart the reverse proxy instance to continue.
Step 11 From the Instance column, select your instance configuration.
Step 12 Click the Manage list box and select Control > Restart.

A status message is displayed after the restart completes. For more information on
configuring a syslog destination, see your IBM Tivoli Access Manager for
e-business vendor documentation. You are now ready to configure a log source in
JSA.
Configure a Log Source

JSA automatically discovers syslog audit and access events, but does not
automatically discover HTTP events forwarded from IBM Tivoli Access Manager
for e-business.
Since JSA automatically discovers audit and access events, you are not required
to create a log source. However, you can manually create a log source for JSA to
receive IBM Tivoli Access Manager for e-business syslog events. The following
configuration steps for creating a log source are optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 Click the Log Sources icon.
Step 4 Click Add.
Step 5 In the Log Source Name field, type a name for the log source.
Step 6 In the Log Source Description field, type a description for the log source.
Step 7 From the Log Source Type list box, select IBM Tivoli Access Manager for
e-business.
Step 8 From the Protocol Configuration list box, select Syslog.

Step 9 Configure the following values:

Table 49-2 IBM Tivoli Access Manager for E-business Syslog Configuration

Log Source Identifier
    Type the IP address or hostname for your IBM Tivoli Access Manager for
    e-business appliance.
    The IP address or hostname identifies your IBM Tivoli Access Manager for
    e-business as a unique event source in JSA.

For more information on configuring log sources, see the Log Sources Users
Guide.
Step 10 Click Save.
Step 11 On the Admin tab, click Deploy Changes.

The IBM Tivoli Access Manager for e-business configuration is complete.

IBM z/Secure Audit

The IBM z/OS DSM for Juniper Secure Analytics (JSA) allows you to integrate with
an IBM z/OS mainframe using IBM Security zSecure Audit to collect security,
authorization, and audit events.
Using a zSecure process, events from the System Management Facilities (SMF)
are recorded to an event file in the Log Enhanced Event format (LEEF). JSA
retrieves the LEEF event log files using the log file protocol and processes the
events. You can schedule JSA to retrieve events on a polling interval, which allows
JSA to retrieve the events on the schedule you have defined.
To integrate IBM z/OS events from IBM Security zSecure Audit into JSA:
1 Confirm your installation meets any prerequisite installation requirements. For
more information, see Before You Begin.
2 Configure your IBM z/OS image. For more information, see the IBM Security
zSecure Suite: CARLa-Driven Components Installation and Deployment Guide.
3 Create a log source in JSA for IBM z/OS to retrieve your LEEF formatted event
logs. For more information, see Create an IBM z/OS Log Source.
4 Optional. Create a custom event property for IBM z/OS in JSA. For more
information, see the Custom Event Properties for IBM z/OS technical note.
Before You Begin

Before you can configure the data collection process, you must complete the basic
zSecure installation process.
The following prerequisites are required:
• You must ensure parmlib member IFAPRDxx is not disabled for IBM Security
  zSecure Audit on your z/OS image.
• The SCKRLOAD library must be APF-authorized.
• You must configure a process to periodically refresh your CKFREEZE and
  UNLOAD data sets.
• You must configure an SFTP, FTP, or SCP server on your z/OS image for JSA
  to download your LEEF event files.
• You must allow SFTP, FTP, or SCP traffic on firewalls located between JSA and
  your z/OS image.

After installing the software, you must also perform the post-installation activities to
create and modify the configuration. For instructions on installing and configuring
zSecure, see the IBM Security zSecure Suite: CARLa-Driven Components
Installation and Deployment Guide.
Create an IBM z/OS Log Source

The Log File protocol allows JSA to retrieve archived log files from a remote host.
Log files are transferred, one at a time, to JSA for processing. The log file protocol
can manage plain text event logs, compressed files, or archives. Archives must
contain plain-text files that can be processed one line at a time. Multi-line event
logs are not supported by the log file protocol. IBM z/OS with zSecure writes log
files to a specified directory as gzip archives. JSA extracts the archive and
processes the events, which are written as one event per line in the file.
To retrieve these events, you must create a log source using the Log File protocol.
JSA requires credentials to log in to the system hosting your LEEF formatted event
files and a polling interval.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 Click the Log Sources icon.
Step 4 Click Add.
Step 5 In the Log Source Name field, type a name for the log source.
Step 6 In the Log Source Description field, type a description for the log source.
Step 7 From the Log Source Type list box, select IBM z/OS.
Step 8 From the Protocol Configuration list box, select Log File.

Step 9 Configure the following values:

Table 49-3 z/OS Log File Parameters

Log Source Identifier
    Type an IP address, host name, or name to identify the event source. IP
    addresses or host names are recommended because they allow JSA to tie
    a log file to a unique event source. For example, if your network
    contains multiple devices, such as multiple z/OS images or a file
    repository containing all of your event logs, specify a name, IP
    address, or hostname for the image or location that uniquely identifies
    events for the IBM z/OS log source. This allows events to be identified
    at the image or location level in your network that your users can
    identify.

Service Type
    From the list box, select the protocol you want to use when retrieving
    log files from a remote server. The default is SFTP.
    • SFTP - SSH File Transfer Protocol
    • FTP - File Transfer Protocol
    • SCP - Secure Copy
    Note: The underlying protocol used to retrieve log files for the SCP and
    SFTP service types requires that the server specified in the Remote IP
    or Hostname field has the SFTP subsystem enabled.

Remote IP or Hostname
    Type the IP address or host name of the device storing your event log
    files.

Remote Port
    Type the TCP port on the remote host that is running the selected
    Service Type. The valid range is 1 to 65535.
    The options include:
    • FTP - TCP Port 21
    • SFTP - TCP Port 22
    • SCP - TCP Port 22
    Note: If the host for your event files is using a non-standard port
    number for FTP, SFTP, or SCP, you must adjust the port value
    accordingly.

Remote User
    Type the user name or userid necessary to log in to the host containing
    your event files.
    • If your log files are located on your IBM z/OS image, type the userid
      necessary to log in to your IBM z/OS. The userid can be up to 8
      characters in length.
    • If your log files are located on a file repository, type the user name
      necessary to log in to the file repository. The user name can be up to
      255 characters in length.

Remote Password
    Type the password necessary to log in to the host.

Confirm Password
    Confirm the password necessary to log in to the host.
SSH Key File
    If you select SCP or SFTP as the Service Type, this parameter allows
    you to define an SSH private key file. When you provide an SSH Key
    File, the Remote Password field is ignored.

Remote Directory
    Type the directory location on the remote host from which the files are
    retrieved, relative to the user account you are using to log in.

Recursive
    Select this check box if you want the file pattern to search sub folders
    in the remote directory. By default, the check box is clear.
    The Recursive option is ignored if you configure SCP as the Service
    Type.

FTP File Pattern
    If you select SFTP or FTP as the Service Type, this option allows you
    to configure the regular expression (regex) required to filter the list
    of files specified in the Remote Directory. All matching files are
    included in the processing.
    An IBM z/OS mainframe using IBM Security zSecure Audit writes event
    files using the pattern zOS..gz
    The FTP file pattern you specify must match the name you assigned to
    your event files. For example, to collect files starting with zOS and
    ending with .gz, type the following:
    zOS.*\.gz
    Use of this parameter requires knowledge of regular expressions
    (regex). For more information, see the following website:
    http://download.oracle.com/javase/tutorial/essential/regex/

FTP Transfer Mode
    This option only displays if you select FTP as the Service Type. From
    the list box, select Binary.
    The binary transfer mode is required for event files stored in a binary
    or compressed format, such as zip, gzip, tar, or tar+gzip archive files.

SCP Remote File
    If you select SCP as the Service Type, you must type the file name of
    the remote file.

Start Time
    Type the time of day you want the processing to begin. For example,
    type 00:00 to schedule the Log File protocol to collect event files at
    midnight.
    This parameter functions with the Recurrence value to establish when
    and how often the Remote Directory is scanned for files. Type the start
    time, based on a 24 hour clock, in the following format: HH:MM.

Recurrence
    Type the frequency, beginning at the Start Time, that you want the
    remote directory to be scanned. Type this value in hours (H), minutes
    (M), or days (D).
    For example, type 2H if you want the remote directory to be scanned
    every 2 hours from the start time. The default is 1H.
Run On Save
    Select this check box if you want the log file protocol to run
    immediately after you click Save.
    After the Run On Save completes, the log file protocol follows your
    configured start time and recurrence schedule.
    Selecting Run On Save clears the list of previously processed files for
    the Ignore Previously Processed File parameter.

EPS Throttle
    Type the number of Events Per Second (EPS) that you do not want this
    protocol to exceed. The valid range is 100 to 5000.

Processor
    From the list box, select gzip.
    Processors allow event file archives to be expanded and contents
    processed for events. Files are only processed after they are
    downloaded to JSA. JSA can process files in zip, gzip, tar, or tar+gzip
    archive format.

Ignore Previously Processed File(s)
    Select this check box to track and ignore files that have already been
    processed by the log file protocol.
    JSA examines the log files in the remote directory to determine if a
    file has been previously processed by the log file protocol. If a
    previously processed file is detected, the log file protocol does not
    download the file for processing. All files that have not been
    previously processed are downloaded.
    This option only applies to FTP and SFTP Service Types.

Change Local Directory?
    Select this check box to define a local directory on your JSA for
    storing downloaded files during processing.
    We recommend that you leave this check box clear. When this check box
    is selected, the Local Directory field is displayed, which allows you to
    configure the local directory to use for storing files.

Event Generator
    From the Event Generator list box, select LineByLine.
    The Event Generator applies additional processing to the retrieved
    event files. Each line of the file is a single event. For example, if a
    file has 10 lines of text, 10 separate events are created.

Step 10 Click Save.
Step 11 On the Admin tab, click Deploy Changes.

The IBM z/OS with IBM zSecure configuration is complete. If your IBM z/OS for
zSecure requires custom event properties, see the Custom Event Properties for
IBM z/OS technical note.
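The Log File protocol parameters described in the tables above (FTP File Pattern, Recursive, Ignore Previously Processed File(s), Processor, Event Generator, Start Time, Recurrence and EPS Throttle) as an added Python model of one poll, not JSA's own code: it applies the zOS.*\.gz pattern to a constructed directory listing, expands the gzip files, emits one event per line, and computes the scan schedule. Whole-file-name regex matching and the sample LEEF lines are assumptions.

```python
import gzip
import re
from datetime import datetime, timedelta

# Recurrence is "<n>H", "<n>M" or "<n>D", counted from the Start Time.
_RECURRENCE = re.compile(r"^(\d+)([HMD])$")
_UNITS = {"H": "hours", "M": "minutes", "D": "days"}


def parse_recurrence(value: str) -> timedelta:
    """Turn '2H', '30M' or '1D' into a timedelta; reject anything else."""
    match = _RECURRENCE.match(value.strip().upper())
    if not match:
        raise ValueError(f"bad recurrence {value!r}: use <n>H, <n>M or <n>D")
    return timedelta(**{_UNITS[match.group(2)]: int(match.group(1))})


def scan_times(start_time: str, recurrence: str, day: str, count: int):
    """First `count` scan times as 'YYYY-MM-DD HH:MM', from Start Time on `day`."""
    first = datetime.strptime(f"{day} {start_time}", "%Y-%m-%d %H:%M")
    step = parse_recurrence(recurrence)
    return [(first + i * step).strftime("%Y-%m-%d %H:%M") for i in range(count)]


def validate_eps_throttle(eps: int) -> int:
    """EPS Throttle must stay inside the documented range 100..5000."""
    if not 100 <= eps <= 5000:
        raise ValueError("EPS Throttle must be between 100 and 5000")
    return eps


def select_files(listing, file_pattern, recursive=False, processed=frozenset()):
    """Apply FTP File Pattern, Recursive and Ignore Previously Processed File(s).

    Assumption (not stated on the page): the regex must match the whole
    file name, as Java's String.matches() does.
    """
    pattern = re.compile(file_pattern)
    chosen = []
    for path in listing:
        folder, _, name = path.rpartition("/")
        if folder and not recursive:
            continue  # entry lives in a sub folder and Recursive is clear
        if path in processed:
            continue  # Ignore Previously Processed File(s) is selected
        if pattern.fullmatch(name):
            chosen.append(path)
    return chosen


def line_by_line(raw: bytes, processor: str):
    """Processor (gzip or none), then the LineByLine Event Generator."""
    if processor == "gzip":
        raw = gzip.decompress(raw)
    elif processor != "none":
        raise ValueError(f"unsupported processor {processor!r}")
    # Each non-empty line of the expanded file becomes one event.
    return [line for line in raw.decode("utf-8").splitlines() if line.strip()]


def poll(files, file_pattern, processor, recursive=False, processed=frozenset()):
    """One scan of the remote directory: returns (events, processed_after)."""
    chosen = select_files(sorted(files), file_pattern, recursive, processed)
    events = []
    for path in chosen:
        events.extend(line_by_line(files[path], processor))
    return events, frozenset(processed) | frozenset(chosen)


# Constructed sample directory: file names follow the zOS...gz convention;
# the LEEF lines are made up for this example, not real zSecure output.
SAMPLE_FILES = {
    "zOS.20141127.gz": gzip.compress(
        b"LEEF:1.0|IBM|zSecure|0|LOGON|usrName=USER1\n"
        b"LEEF:1.0|IBM|zSecure|0|LOGOFF|usrName=USER1\n"),
    "zOS.20141126.gz": gzip.compress(
        b"LEEF:1.0|IBM|zSecure|0|ACCESS|usrName=USER2\n\n"),
    "archive/zOS.20141101.gz": gzip.compress(
        b"LEEF:1.0|IBM|zSecure|0|ACCESS|usrName=USER3\n"),
    "readme.txt": b"not an event file\n",
}

if __name__ == "__main__":
    validate_eps_throttle(5000)
    first, done = poll(SAMPLE_FILES, r"zOS.*\.gz", "gzip")
    print(len(first), "events on the first scan")          # 3
    again, _ = poll(SAMPLE_FILES, r"zOS.*\.gz", "gzip", processed=done)
    print(len(again), "events on the next scan")           # 0
    # Run On Save clears the processed list, so the same files come back.
    rerun, _ = poll(SAMPLE_FILES, r"zOS.*\.gz", "gzip", processed=frozenset())
    print(len(rerun), "events after Run On Save")          # 3
    for when in scan_times("00:00", "2H", "2014-11-27", 3):
        print(when)                                         # 00:00, 02:00, 04:00
```

Selecting Recursive makes the archive sub folder's file eligible as well, which is why the page warns that the option is ignored for SCP, where only a single named remote file is fetched.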

IBM Tivoli Endpoint Manager

The IBM Tivoli Endpoint Manager DSM for JSA accepts system events in Log
Extended Event Format (LEEF) retrieved from IBM Tivoli Endpoint Manager.
JSA uses the Tivoli Endpoint Manager SOAP protocol to retrieve events at a
30-second interval. As events are retrieved, the IBM Tivoli Endpoint Manager DSM
parses and categorizes the events for JSA. The SOAP API for IBM Tivoli Endpoint
Manager is only available after you have installed the Web Reports application.
The Web Reports application for Tivoli Endpoint Manager is required to retrieve
and integrate IBM Tivoli Endpoint Manager system event data with JSA.

Note: JSA is compatible with IBM Tivoli Endpoint Manager versions 8.2.x.
However, we recommend that you update and use the latest version of IBM Tivoli
Endpoint Manager that is available.
To integrate IBM Tivoli Endpoint Manager with JSA, you must manually configure a
log source, because events from IBM Tivoli Endpoint Manager are not
automatically discovered.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 Click the Log Sources icon.
Step 4 Click Add.
Step 5 In the Log Source Name field, type a name for the log source.
Step 6 In the Log Source Description field, type a description for the log source.
Step 7 From the Log Source Type list box, select IBM Tivoli Endpoint Manager.
Step 8 From the Protocol Configuration list box, select IBM Tivoli Endpoint Manager

SOAP.
Step 9 Configure the following values:

Table 49-4 IBM Tivoli Endpoint Manager SOAP Protocol Configuration

Log Source Identifier
    Type the IP address or hostname for your IBM Tivoli Endpoint Manager
    appliance.
    The IP address or hostname identifies your IBM Tivoli Endpoint Manager as
    a unique event source in JSA.

Port
    Type the port number used to connect to the IBM Tivoli Endpoint Manager
    using the SOAP API.
    By default, port 80 is the port number for communicating with IBM Tivoli
    Endpoint Manager. If you use HTTPS, you must update this field to the
    HTTPS port number for your network. Most configurations use port 443 for
    HTTPS communications.

Use HTTPS
    Select this check box to connect using HTTPS.
    If you select this check box, the hostname or IP address you specify uses
    HTTPS to connect to your IBM Tivoli Endpoint Manager. If a certificate is
    required to connect using HTTPS, you must copy any certificates required
    by the JSA Console or managed host to the following directory:
    /opt/qradar/conf/trusted_certificates
    Note: JSA supports certificates with the following file extensions: .crt,
    .cert, or .der. Any required certificates should be copied to the trusted
    certificates directory before you save and deploy your changes.

Username
    Type the username required to access your IBM Tivoli Endpoint Manager.

Password
    Type the password required to access your IBM Tivoli Endpoint Manager.

Confirm Password
    Confirm the password necessary to access your IBM Tivoli Endpoint
    Manager.

For more information on configuring JSA to import IBM Tivoli Endpoint Manager
vulnerability assessment information, see the Juniper Secure Analytics
Managing Vulnerability Assessment Guide.
Step 10 Click Save.
Step 11 On the Admin tab, click Deploy Changes.

The IBM Tivoli Endpoint Manager configuration is complete.

IBM zSecure Alert

The IBM zSecure Alert DSM for JSA accepts alert events using syslog, allowing
JSA to receive alert events in real-time.
The alert configuration on your IBM zSecure Alert appliance determines which
alert conditions you want to monitor and forward to JSA. To collect events in JSA,
you must configure your IBM zSecure Alert appliance to forward events in a UNIX
syslog event format using the JSA IP address as the destination. For information
on configuring UNIX syslog alerts and destinations, see the IBM Security zSecure
Alert User Reference Manual.

JSA automatically discovers and creates a log source for syslog events from IBM
zSecure Alert. However, you can manually create a log source for JSA to receive
syslog events. The following configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 Click the Log Sources icon.
Step 4 Click Add.
Step 5 In the Log Source Name field, type a name for your log source.
Step 6 In the Log Source Description field, type a description for the log source.
Step 7 From the Log Source Type list box, select IBM zSecure Alert.
Step 8 Using the Protocol Configuration list box, select Syslog.
Step 9 Configure the following values:

Table 49-5 Syslog Parameters

Log Source Identifier
    Type the IP address or host name for the log source as an identifier for events from your IBM zSecure Alert.

Step 10 Click Save.
Step 11 On the Admin tab, click Deploy Changes.

The configuration is complete.

IBM Security Network Protection (XGS)

Supported Event Types

The IBM Security Network Protection (XGS) DSM accepts events by using the Log Event Extended Format (LEEF), enabling JSA to record all relevant events.
Before you configure a Network Security Protection (XGS) appliance in JSA, you must configure remote syslog alerts for your IBM Security Network Protection (XGS) rules or policies to forward events to JSA.
IBM Security Network Protection (XGS) appliances provide three types of events to JSA:
• System events
• Access events
• Security events

To integrate the device with JSA, see the Network Security Protection (XGS) online documentation:

http://pic.dhe.ibm.com/infocenter/sprotect/v2r8m0/topic/com.ibm.alps.doc/tasks/alps_configuring_system_alerts.htm

Configure IBM Security Network Protection (XGS) Alerts

All event types are sent to JSA using a remote syslog alert object that is LEEF enabled.
Remote syslog alert objects can be created, edited, and deleted from each context in which an event is generated. To configure a remote syslog alert object, log in to the Network Security Protection (XGS) local management interface as admin and navigate to one of the following:
• Manage > System Settings > System Alerts (System events)
• Secure > Network Access Policy (Access events)
• Secure > IPS Event Filter Policy (Security events)
• Secure > Intrusion Prevention Policy (Security events)
• Secure > Network Access Policy > Inspection > Intrusion Prevention Policy

In the IPS Objects, the Network Objects pane, or the System Alerts page, complete the following steps.
Procedure
Step 1 Click New > Alert > Remote Syslog.
Step 2 Select an existing remote syslog alert object, and then click Edit.
Step 3 Configure the following options:

Table 49-6 Syslog Configuration Parameters

Name
    Type a name for the syslog alert configuration.

Remote Syslog Collector
    Type the IP address of your JSA Console or Event Collector.

Remote Syslog Collector Port
    Type 514 for the Remote Syslog Collector Port.

Remote LEEF Enabled
    Select this check box to enable LEEF formatted events. This field is required.
    Note: If you do not see this option, verify you have software version 5.0 and fixpack 7 installed on your IBM Security Network Protection appliance.

Comment
    Optional. Type a comment for the syslog configuration.

Step 4 Click Save Configuration.

The alert is added to the Available Objects list.
Step 5 Click Deploy to update your IBM Security Network Protection (XGS) appliance.

The remote syslog alert object you created is now ready to be added to your system, access, or security policies to forward events to JSA.
Step 6 To make your IBM Security Network Protection (XGS) device send an event to JSA, you must:
• Add the LEEF alert object for JSA to one or more rules in a policy.
• Add the LEEF alert object for JSA to the Added Objects pane in the System Alerts page.

Step 7 Click Deploy to update your IBM Security Network Protection (XGS) appliance.

Further support information about the Network Security Protection (XGS) device can be found by clicking help in the Network Security Protection (XGS) local management interface browser client window or by accessing the online Network Security Protection (XGS) documentation.
The configuration is complete. The log source is added to JSA as events from IBM Security Network Protection (XGS) are automatically discovered. Events forwarded to JSA by IBM Security Network Protection (XGS) are displayed on the Log Activity tab of JSA.

Configuring a Log Source in JSA

JSA automatically discovers and creates a log source for LEEF-enabled syslog
events from IBM Security Network Protection (XGS). The following configuration
steps are optional.
Procedure

Step 1 Click the Admin tab.
Step 2 Click the Log Sources icon.
Step 3 Click Add.
Step 4 In the Log Source Name field, type a name for your log source.
Step 5 From the Log Source Type list box, select IBM Security Network Protection (XGS).
Step 6 Using the Protocol Configuration list box, select Syslog.
Step 7 Configure the following values:

Table 49-7 Syslog Parameters

Log Source Identifier
    Type the IP address or host name for the log source as an identifier for events from your IBM Security Network Protection (XGS).

Step 8 Click Save.
Step 9 On the Admin tab, click Deploy Changes.

IBM Security Network IPS

The IBM Security Network IPS DSM for JSA accepts LEEF-based events from IBM Security Network IPS appliances using syslog.

Supported Versions

JSA supports syslog events from IBM Security Network IPS appliances v4.6 and above.

Supported Events

Events forwarded by the IBM Security Network IPS appliance are generated from security alerts (including IPS and SNORT), health alerts, and system alerts. IPS events include security, connection, user defined, and OpenSignature policy events.

NOTE

Note: Ensure no firewall rules are blocking the communication between your IBM Security Network IPS appliance and JSA.

Configuring your IBM Security Network IPS Appliances

To collect events with JSA, you must configure your IBM Security Network IPS appliance to enable syslog forwarding of LEEF events.
Procedure

Step 1 Log in to your IPS Local Management Interface.
Step 2 From the navigation menu, select Manage System Settings > Appliance > LEEF Log Forwarding.
Step 3 Select the Enable Local Log check box.
Step 4 In the Maximum File Size field, configure the maximum file size for your LEEF log file.
Step 5 From the Remote Syslog Server pane, select the Enable check box.
Step 6 In the Syslog Server IP/Host field, type the IP address of your JSA Console or Event Collector.
Step 7 In the UDP Port field, type 514 as the port for forwarding LEEF log events.
Step 8 From the event type list, enable any event types that are forwarded to JSA. The options include Security Event, System Event, and Health Event.
The syslog configuration for your IBM Security Network IPS is complete.

Configuring a Log Source in JSA

JSA automatically discovers and creates a log source for syslog events from IBM
Security Network IPS appliances. However, you can manually create a log source
for JSA to receive syslog events. This procedure is optional.
Procedure

Step 1 Click the Admin tab.
Step 2 Click the Log Sources icon.
Step 3 Click Add.
Step 4 In the Log Source Name field, type a name for your log source.
Step 5 From the Log Source Type list box, select IBM Security Network IPS.
Step 6 Using the Protocol Configuration list box, select Syslog.
Step 7 Configure the following values:

Table 49-8 Syslog Parameters

Log Source Identifier
    Type the IP address or host name for the log source as an identifier for events from your IBM Security Network IPS appliance.

Enabled
    Select this check box to enable the log source. By default, the check box is selected.

Credibility
    Select the credibility of the log source. The range is 0 - 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.

Target Event Collector
    Select the Event Collector to use as the target for the log source.

Coalescing Events
    Select this check box to enable the log source to coalesce (bundle) events.
    By default, automatically discovered log sources inherit the value of the Coalescing Events list box from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Incoming Event Payload
    From the list box, select the incoming payload encoder for parsing and storing the logs.

Store Event Payload
    Select this check box to enable the log source to store event payload information.
    By default, automatically discovered log sources inherit the value of the Store Event Payload list box from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Step 8 Click Save.
Step 9 On the Admin tab, click Deploy Changes.

47 ISC BIND

You can integrate an Internet System Consortium (ISC) BIND device with Juniper Secure Analytics (JSA). An ISC BIND device accepts events using syslog.

Configuring Syslog for ISC BIND

You can configure syslog on your ISC BIND device to forward events to JSA.
Procedure

Step 1 Log in to the ISC BIND device.
Step 2 Open the following file to add a logging clause:

named.conf
logging {
    channel <channel_name> {
        syslog <facility>;
        severity <level>;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category queries {
        <channel_name>;
    };
    category notify {
        <channel_name>;
    };
    category network {
        <channel_name>;
    };
    category client {
        <channel_name>;
    };
};

For example:
logging {
    channel QRadar {
        syslog local3;
        severity info;
    };
    category queries {
        QRadar;
    };
    category notify {
        QRadar;
    };
    category network {
        QRadar;
    };
    category client {
        QRadar;
    };
};
Step 3 Save and exit the file.
Step 4 Edit the syslog configuration to log to your JSA using the facility you selected in Step 2:

<facility>.* @<IP address>

Where <IP address> is the IP address of your JSA.
For example:
local3.* @192.16.10.10

NOTE

Note: JSA only parses logs with a severity level of info or higher.

Step 5 Restart the following services.

service syslog restart
service named restart

You are now ready to configure the log source in JSA.

Configuring a Log Source

JSA automatically discovers and creates a log source for syslog events from ISC
BIND. The following configuration steps are optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select ISC BIND.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 50-1 Syslog Protocol Parameters

Log Source Identifier
    Type the IP address or host name for the log source as an identifier for events from your ISC BIND appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

48 IMPERVA SECURESPHERE

The Imperva SecureSphere DSM for Juniper Secure Analytics (JSA) records all
relevant events forwarded using syslog.
Configuration Overview

To collect syslog events, you must configure your Imperva SecureSphere appliance with an alert and a system event action that can be associated to a firewall or system policy. Each time a firewall policy triggers an alert action or a system event policy triggers an event action, a syslog event is sent to JSA. JSA supports syslog events from SecureSphere V6.2, V7.x, and V8.5.
To configure events for your SecureSphere appliance, complete the following tasks:
1 On your Imperva SecureSphere appliance, create an alert action and associate the alert action to your SecureSphere firewall policies.
2 On your Imperva SecureSphere appliance, create a system alert action and associate the action to your SecureSphere system event policies.
3 On your JSA system, verify that the syslog events are forwarded and that a log source is automatically discovered.

Configuring an Alert Action for Imperva SecureSphere

You can configure your Imperva SecureSphere appliance to forward syslog events
for firewall policy alerts to JSA.
Procedure

Step 1 Log in to your SecureSphere device user interface using administrative privileges.
Step 2 Click the Policies tab.
Step 3 Click the Action Sets tab.
Step 4 To generate events for each alert generated by the SecureSphere device:
a Click New to create a new action set for an alert.
b Move the action to the Selected Actions list.
c Expand the System Log action group.
d In the Action Name field, type a name for your alert action.
e Configure the following parameters:
- Syslog host - Type the IP address of JSA to which you want to send events.
- Syslog log level - Select INFO.
- Message - Define a message string for your event type from Table 51-1.

Table 51-1 Imperva SecureSphere alert message strings

Database alerts (V9.5 and V10)
    LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|${Alert.alertType} ${Alert.immediateAction}|Alert ID=${Alert.dn}\tdevTimeFormat=[see note]\tdevTime=${Alert.createTime}\tAlert type=${Alert.alertType}\tsrc=${Alert.sourceIp}\tusrName=${Event.struct.user.user}\tApplication name=${Alert.applicationName}\tdst=${Event.destInfo.serverIp}\tAlert Description=${Alert.description}\tSeverity=${Alert.severity} \tImmediate Action=${Alert.immediateAction}\tSecureSphere Version=${SecureSphereVersion}

File server alerts (V9.5 and V10)
    LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|${Alert.alertType} ${Alert.immediateAction}|Alert ID=${Alert.dn}\tdevTimeFormat=[see note]\tdevTime=${Alert.createTime}\tAlert type=${Alert.alertType}\tsrc=${Alert.sourceIp}\tusrName=${Event.struct.user.username}\tDomain=${Event.struct.user.domain}\tApplication name=${Alert.applicationName}\tdst=${Event.destInfo.serverIp}\tAlert Description=${Alert.description}\tSeverity=${Alert.severity}\tImmediate Action=${Alert.immediateAction}\tSecureSphere Version=${SecureSphereVersion}

Web application firewall alerts (V9.5 and V10)
    LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|${Alert.alertType} ${Alert.immediateAction}|Alert ID=${Alert.dn}\tdevTimeFormat=[see note]\tdevTime=${Alert.createTime}\tAlert type=${Alert.alertType}\tsrc=${Alert.sourceIp}\tusrName=${Alert.username}\tApplication name=${Alert.applicationName}\tService name=${Alert.serviceName}\tAlert Description=${Alert.description}\tSeverity=${Alert.severity}\tSimulation Mode=${Alert.simulationMode}\tImmediate Action=${Alert.immediateAction}

All alerts (v6.2 and v7.x Release Enterprise Edition)
    DeviceType=ImpervaSecuresphere Alert|an=$!{Alert.alertMetadata.alertName}|at=Securesphere Alert|sp=$!{Event.sourceInfo.sourcePort}|s=$!{Event.sourceInfo.sourceIp}|d=$!{Event.destInfo.serverIp}|dp=$!{Event.destInfo.serverPort}|u=$!{Alert.username}|g=$!{Alert.serverGroupName}|ad=$!{Alert.description}

NOTE

Note: The devTimeFormat does not include a value as the time format can be configured on the SecureSphere appliance. Administrators must review the time format of their SecureSphere appliance and specify the appropriate time format. For example, dd MMM yyyy HH:mm:ss or yyyy-MM-dd HH:mm:ss.S.
f Select the Run on Every Event check box.
g Click Save.
h Repeat this process to create an alert with another message type from Table 51-1.

Step 5 To trigger syslog events, you must associate your firewall policies to use your alert actions.
a From the navigation menu, select Policies > Security > Firewall Policy.
b Select the policy you want to edit to use the alert action.
c Click the Policy tab.
d From the Followed Action list, select your new action.
e Ensure your policy is configured as enabled and is applied to the appropriate server groups.
f Click Save.
g Repeat this step for all policies that require an alert.

Configuring a System Event Action for Imperva SecureSphere

You can configure your Imperva SecureSphere appliance to forward syslog system policy events to JSA.

Step 1 Click the Policies tab.
Step 2 Click the Action Sets tab.
Step 3 To generate events for each event generated by the SecureSphere device:
a Click New to create a new action set for an event.
b Move the action to the Selected Actions list.
c Expand the System Log action group.
d In the Action Name field, type a name for your event action.
e Configure the following parameters:
- Syslog host - Type the IP address of JSA to which you want to send events.
- Syslog log level - Select INFO.
- Message - Define a message string for your event type from Table 51-2.

Table 51-2 Imperva SecureSphere System Event Message Strings

System events (V9.5 and V10)
    LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|${Event.eventType}|Event ID=${Event.dn}\tdevTimeFormat=[see note]\tdevTime=${Event.createTime}\tEvent Type=${Event.eventType}\tMessage=${Event.message}\tSeverity=${Event.severity.displayName} \tusrName=${Event.username}\tSecureSphere Version=${SecureSphereVersion}

Database audit records (V9.5 and V10)
    LEEF:1.0|Imperva|SecureSphere|${SecureSphereVersion}|${Event.struct.eventType}|Server Group=${Event.serverGroup}\tService Name=${Event.serviceName}\tApplication Name=${Event.applicationName}\tSource Type=${Event.sourceInfo.eventSourceType}\tUser Type=${Event.struct.user.userType}\tusrName=${Event.struct.user.user}\tUser Group=${Event.struct.userGroup}\tAuthenticated=${Event.struct.user.authenticated}\tApp User=${Event.struct.applicationUser}\tsrc=${Event.sourceInfo.sourceIp}\tApplication=${Event.struct.application.application}\tOS User=${Event.struct.osUser.osUser}\tHost=${Event.struct.host.host}\tService Type=${Event.struct.serviceType}\tdst=${Event.destInfo.serverIp}\tEvent Type=${Event.struct.eventType} \tOperation=${Event.struct.operations.name}\tOperation type=${Event.struct.operations.operationType}\tObject name=${Event.struct.operations.objects.name}\tObject type=${Event.struct.operations.objectType}\tSubject=${Event.struct.operations.subjects.name}\tDatabase=${Event.struct.databases.databaseName}\tSchema=${Event.struct.databases.schemaName}\tTable Group=${Event.struct.tableGroups.displayName}\tSensitive=${Event.struct.tableGroups.sensitive}\tPrivileged=${Event.struct.operations.privileged}\tStored Proc=${Event.struct.operations.storedProcedure}\tCompleted Successfully=${Event.struct.complete.completeSuccessful}\tRaw Data=${Event.struct.rawData.rawData}\tParsed Query=${Event.struct.query.parsedQuery}\tBind Vaiables=${Event.struct.rawData.bindVariables}\tError=${Event.struct.complete.errorValue}\tResponse Size=${Event.struct.complete.responseSize}\tResponse Time=${Event.struct.complete.responseTime}\tAffected Rows=${Event.struct.query.affectedRows}\tdevTimeFormat=[see note]\tdevTime=${Event.createTime}

All events (v6.2 and v7.x Release Enterprise Edition)
    DeviceType=ImpervaSecuresphere Event|et=$!{Event.eventType}|dc=Securesphere System Event|sp=$!{Event.sourceInfo.sourcePort}|s=$!{Event.sourceInfo.sourceIp}|d=$!{Event.destInfo.serverIp}|dp=$!{Event.destInfo.serverPort}|u=$!{Event.username}|t=$!{Event.createTime}|sev=$!{Event.severity}|m=$!{Event.message}

NOTE

Note: The devTimeFormat does not include a value as the time format can be configured on the SecureSphere appliance. Administrators must review the time format of their SecureSphere appliance and specify the appropriate time format. For example, dd MMM yyyy HH:mm:ss or yyyy-MM-dd HH:mm:ss.S.
f Select the Run on Every Event check box.
g Click Save.
h Repeat this process to create an alert with another message type from Table 51-2.

Step 4 To enable the action, you must edit your system event policies to use the action.

The following procedure details the steps to configure the action for a system event policy. Repeat this procedure for all required policies.
a Go to Policies > System Events.
b Select or create the system event policy you want to edit to use the event action.
c Click the Followed Action tab.
d From the Followed Action list, select your system event action.
e Click Save.
f Repeat this step for all system event policies that require an action.

Configuring a Log Source

JSA automatically discovers and creates a log source for syslog events from Imperva SecureSphere. The following configuration steps are optional.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 Click the Log Sources icon.
Step 4 Click Add.
Step 5 In the Log Source Name field, type a name for your log source.
Step 6 From the Log Source Type list box, select Imperva SecureSphere.
Step 7 Using the Protocol Configuration list box, select Syslog.
Step 8 Configure the following values:

Table 51-3 Syslog Protocol Parameters

Log Source Identifier
    Type the IP address or host name for the log source as an identifier for events from your Imperva SecureSphere appliance.

Enabled
    Select this check box to enable the log source. By default, the check box is selected.

Credibility
    Select the credibility of the log source. The range is 0 - 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.

Target Event Collector
    Select the Event Collector to use as the target for the log source.

Coalescing Events
    Select this check box to enable the log source to coalesce (bundle) events.
    By default, automatically discovered log sources inherit the value of the Coalescing Events list box from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Incoming Event Payload
    From the list box, select the incoming payload encoder for parsing and storing the logs.

Store Event Payload
    Select this check box to enable the log source to store event payload information.
    By default, automatically discovered log sources inherit the value of the Store Event Payload list box from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Step 9 Click Save.
Step 10 On the Admin tab, click Deploy Changes.
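The message strings in Tables 51-1 and 51-2 are LEEF 1.0 events (a pipe-delimited header followed by tab-delimited key=value attributes) or, on v6.2/v7.x, pipe-delimited key=value fields, and devTime is only usable once the administrator has replaced the [see note] placeholder with the appliance's time format. The Python below is an added example, not code from this guide, JSA or Imperva: it parses both forms on constructed sample events and resolves devTime against devTimeFormat, flagging an unset format; the sample values, the helper names and the SimpleDateFormat token table are this example's assumptions.

```python
"""Parse the Imperva SecureSphere syslog formats of Tables 51-1 and 51-2: LEEF 1.0
(V9.5/V10) and the pipe-delimited key=value form (v6.2/v7.x). Added example, not JSA code."""
import re
from datetime import datetime

# Java SimpleDateFormat tokens (what devTimeFormat carries) -> strptime directives; covers
# the formats the guide's note names (dd MMM yyyy HH:mm:ss, yyyy-MM-dd HH:mm:ss.S).
_JAVA_TO_STRPTIME = {
    "yyyy": "%Y", "MMM": "%b", "MM": "%m", "dd": "%d",
    "HH": "%H", "mm": "%M", "ss": "%S", "S": "%f",
}
# Longest token first, so "MMM" (month name) is not consumed as "MM" plus a literal M.
_JAVA_TOKEN_RE = re.compile("|".join(
    sorted(map(re.escape, _JAVA_TO_STRPTIME), key=len, reverse=True)))

def java_format_to_strptime(fmt):
    """Translate a SimpleDateFormat pattern into the equivalent strptime pattern."""
    return _JAVA_TOKEN_RE.sub(lambda m: _JAVA_TO_STRPTIME[m.group(0)], fmt)

def parse_leef(line):
    """LEEF 1.0: five pipe-delimited header fields, then tab-delimited key=value pairs."""
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF event")
    parts = line.split("|", 5)  # maxsplit keeps any pipe inside attribute values intact
    if len(parts) != 6:
        raise ValueError("LEEF header must have five pipe-delimited fields")
    header = {"leef_version": parts[0][len("LEEF:"):], "vendor": parts[1],
              "product": parts[2], "product_version": parts[3],
              "event_id": parts[4]}  # e.g. "${Alert.alertType} ${Alert.immediateAction}"
    attrs = {}
    for pair in parts[5].split("\t"):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError("attribute without '=': %r" % pair)
        # The Table 51-1 strings put a stray space before some tabs
        # ("Severity=${Alert.severity} \t..."), so trim the value.
        attrs[key.strip()] = value.strip()
    return {"format": "leef", "header": header, "attributes": attrs}

def parse_legacy(line):
    """v6.2/v7.x form: DeviceType=ImpervaSecuresphere Alert|an=...|s=...|d=...|..."""
    attrs = {}
    for field in line.split("|"):
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError("field without '=': %r" % field)
        attrs[key.strip()] = value.strip()
    if not attrs.get("DeviceType", "").startswith("ImpervaSecuresphere"):
        raise ValueError("not a SecureSphere event")
    return {"format": "legacy", "header": {}, "attributes": attrs}

def parse_securesphere(line):
    """Dispatch on the prefix the action set's Message field was built with."""
    line = line.rstrip("\r\n")
    return parse_leef(line) if line.startswith("LEEF:") else parse_legacy(line)

def device_time(event):
    """Resolve devTime with the devTimeFormat the administrator filled in. Returns None when
    there is no devTime; raises if the format is still "[see note]" or does not match."""
    attrs = event["attributes"]
    if "devTime" not in attrs:
        return None
    fmt = attrs.get("devTimeFormat", "")
    if not fmt or fmt == "[see note]":
        raise ValueError("devTimeFormat was not set in the SecureSphere action")
    try:
        return datetime.strptime(attrs["devTime"], java_format_to_strptime(fmt))
    except ValueError as exc:
        raise ValueError("devTime %r does not match devTimeFormat %r"
                         % (attrs["devTime"], fmt)) from exc

# Constructed sample events (not captured from an appliance), shaped like the
# database-alert string of Table 51-1, the system-event string of Table 51-2 and
# the v6.2/v7.x "All alerts" string, with real tab characters between attributes.
SAMPLE_ALERT = (
    "LEEF:1.0|Imperva|SecureSphere|10.0|Firewall Block|"
    "Alert ID=alert-0001\tdevTimeFormat=dd MMM yyyy HH:mm:ss\t"
    "devTime=27 Nov 2014 13:45:10\tAlert type=Firewall\tsrc=192.0.2.10\t"
    "usrName=dbuser\tApplication name=payroll\tdst=198.51.100.5\t"
    "Alert Description=Unauthorized query\tSeverity=High \t"
    "Immediate Action=Block\tSecureSphere Version=10.0"
)
SAMPLE_SYSTEM_EVENT = (
    "LEEF:1.0|Imperva|SecureSphere|10.0|Login|"
    "Event ID=event-0002\tdevTimeFormat=yyyy-MM-dd HH:mm:ss.S\t"
    "devTime=2014-11-27 13:45:10.5\tEvent Type=Login\tMessage=Admin logged in\t"
    "Severity=Informative\tusrName=admin\tSecureSphere Version=10.0"
)
SAMPLE_LEGACY = (
    "DeviceType=ImpervaSecuresphere Alert|an=SQL injection|at=Securesphere Alert|"
    "sp=51234|s=192.0.2.10|d=198.51.100.5|dp=1433|u=dbuser|g=prod-db|ad=Suspicious query"
)

if __name__ == "__main__":
    for raw in (SAMPLE_ALERT, SAMPLE_SYSTEM_EVENT, SAMPLE_LEGACY):
        ev = parse_securesphere(raw)
        print(ev["format"], ev["header"].get("event_id"), device_time(ev))
```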

49 INFOBLOX NIOS

The Infoblox NIOS DSM for Juniper Secure Analytics (JSA) accepts events using
syslog, enabling JSA to record all relevant events from an Infoblox NIOS device.
Before configuring JSA, you must configure your Infoblox NIOS device to send
syslog events to JSA. For more information on configuring logs on your Infoblox
NIOS device, see your Infoblox NIOS vendor documentation.
Table 52-1 identifies the specifications for the Infoblox NIOS DSM.

Table 52-1 Infoblox NIOS DSM Specifications

Manufacturer
    Infoblox

DSM
    NIOS

Version
    v6.x

Events accepted
    Syslog

JSA recorded events
    • ISC Bind events
    • Linux DHCP events
    • Linux Server events
    • Apache events

Option in QRadar
    Infoblox NIOS

Auto discovered
    No

Includes identity
    Yes

For more information
    http://www.infoblox.com

Configuring a Log Source

To integrate Infoblox NIOS appliances with JSA, you must manually create a log source to receive Infoblox NIOS events.
JSA does not automatically discover or create log sources for syslog events from Infoblox NIOS appliances.

Procedure
To integrate Infoblox NIOS appliances with JSA:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Infoblox NIOS.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the remaining parameters.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The log source is added to JSA. Events forwarded to JSA by Infoblox NIOS are
displayed on the Log Activity tab.

50 IT-CUBE AGILESI

The iT-CUBE agileSI DSM for Juniper Secure Analytics (JSA) can accept
security-based and audit SAP events from agileSI installations that are integrated
with your SAP system.
JSA uses the event data defined as security risks in your SAP environment to
generate offenses and correlate event data for your security team. SAP security
events are written in Log Event Extended Format (LEEF) to a log file produced by
agileSI. JSA retrieves the new events using the SMB Tail protocol. To retrieve
events from agileSI, you must create a log source using the SMB Tail protocol and
provide JSA credentials to log in and poll the LEEF formatted agileSI event file.
JSA is updated with new events each time the SMB Tail protocol polls the event file
for new SAP events.
Configuring AgileSI to Forward Events

To configure agileSI, you must create a logical filename for your events and
configure the connector settings with the path to your agileSI event log.
The location of the LEEF formatted event file must be in a location viewable by
Samba and accessible with the credentials you configure for the log source in JSA.
Procedure

Step 1 In the agileSI core system installation, define a logical file name for the output file containing your SAP security events.
SAP provides a concept which enables you to use platform-independent logical file names in your application programs. Create a logical file name and path using transaction "FILE" (Logical File Path Definition) according to your organization's requirements.
Step 2 Log in to agileSI.

For example, http://<SAP system>/sap/bc/webdynpro/itcube/ccf?sap-client=<client>&sap-language=EN

Where:
<SAP system> is the IP address and port number of your SAP system, such as 10.100.100.125:50041.
<client> is the agent in your agileSI deployment.
Step 3 From the menu, click Display/Change to enable change mode for agileSI.

Step 4 From the toolbar, select Tools > Core Consumer Connector Settings.

The Core Consumer Connector Settings are displayed.
Step 5 Configure the following values:
a From the Consumer Connector list box, select Q1 Labs.
b Select the Active check box.
c From the Connector Type list box, select File.
d In the Logical File Name field, type the path to the logical file name you configured in Step 1.
For example, /ITCUBE/LOG_FILES.
The file created for the agileSI events is labeled LEEFYYYYDDMM.TXT where YYYYDDMM is the year, day, and month. The event file for the current day is appended with new events every time the extractor runs. iT-CUBE agileSI creates a new LEEF file for SAP events daily.

Step 6 Click Save.

The configuration for your connector is saved. Before you can complete the agileSI
configuration, you must deploy the changes for agileSI using extractors.
Step 7 From the toolbar, select Tools > Extractor Management.

The Extractor Management settings are displayed.
Step 8 Click Deploy all.

The configuration for agileSI events is complete. You are now ready to configure a
log source in JSA.
Configure an AgileSI Log Source

JSA must be configured to log in and poll the event file using the SMB Tail protocol.
The SMB Tail protocol logs in and retrieves events logged by agileSI in the LEEFYYYYDDMM.txt file.
Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select iT-CUBE agileSI.
Step 9 Using the Protocol Configuration list box, select SMB Tail.

Step 10 Configure the following values:

Table 53-1 SMB Tail protocol parameters

Log Source Identifier
    Type the IP address, hostname, or name for the log source as an identifier for your iT-CUBE agileSI events.

Server Address
    Type the IP address of your iT-CUBE agileSI server.

Domain
    Type the domain for your iT-CUBE agileSI server.
    This parameter is optional if your server is not located in a domain.

Username
    Type the username required to access your iT-CUBE agileSI server.
    Note: The username and password you specify must be able to read the LEEFYYYYDDMM.txt file for your agileSI events.

Password
    Type the password required to access your iT-CUBE agileSI server.

Confirm Password
    Confirm the password required to access your iT-CUBE agileSI server.

Log Folder Path
    Type the directory path to access the LEEFYYYYDDMM.txt file.
    Parameters that support file paths allow you to define a drive letter with the path information. For example, you can use c$\LogFiles\ for an administrative share, or LogFiles\ for a public share folder path, but not c:\LogFiles.
    If a log folder path contains an administrative share (C$), users with NetBIOS access on the administrative share (C$) have the proper access required to read the log files. Local or domain administrators have sufficient privileges to access log files that reside on administrative shares.

File Pattern
    Type the regular expression (regex) required to filter the filenames. All matching files are included for processing when JSA polls for events.
    For example, if you want to list all files ending with txt, use the following entry: .*\.txt. Use of this parameter requires knowledge of regular expressions (regex). For more information, see the following website:
    http://download.oracle.com/javase/tutorial/essential/regex/

Force File Read
    Select this check box to force the protocol to read the log file. By default, the check box is selected.
    If the check box is clear, the event file is read when JSA detects a change in the modified time or file size.

Recursive
    Select this check box if you want the file pattern to search sub folders. By default, the check box is selected.

Polling Interval (in seconds)
    Type the polling interval, which is the number of seconds between queries to the event file to check for new data.
    The minimum polling interval is 10 seconds, with a maximum polling interval of 3,600 seconds. The default is 10 seconds.

Throttle Events/Sec
    Type the maximum number of events the SMB Tail protocol forwards per second.
    The minimum value is 100 EPS and the maximum is 20,000 EPS. The default is 100 EPS.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete. As your iT-CUBE agileSI log source retrieves new
events, the Log Activity tab in JSA is updated.
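As an added illustration (example code written for this guide, not part of JSA, the SMB Tail protocol, or iT-CUBE agileSI), the following Python emulates how the File Pattern, Recursive and Force File Read parameters interact on a polled log folder, including what happens when a log file is truncated or rotated under the same name. The LEEF lines, file names and folder layout are constructed; the read-offset and truncation handling are assumptions about the protocol's behaviour, not documented JSA internals.

```python
import os
import re
import tempfile


class SmbTailState:
    """Per-file bookkeeping: path -> (mtime, size, read_offset) from the previous pass."""

    def __init__(self):
        self.seen = {}


def matching_files(root, file_pattern, recursive):
    """Apply the File Pattern regex to file names under root; Recursive walks sub folders.

    fullmatch mirrors a Java-style matches(): '.*\\.txt' selects names ending in .txt.
    """
    rx = re.compile(file_pattern)
    if recursive:
        found = [os.path.join(d, n) for d, _dirs, names in os.walk(root)
                 for n in names if rx.fullmatch(n)]
    else:
        found = [os.path.join(root, n) for n in os.listdir(root)
                 if os.path.isfile(os.path.join(root, n)) and rx.fullmatch(n)]
    return sorted(found)


def poll_once(root, state, file_pattern=r".*\.txt", recursive=True, force_file_read=True):
    """One polling pass; returns the new (relative_path, line) pairs found.

    force_file_read=False emulates the cleared check box: a file whose mtime and
    size are unchanged since the last pass is skipped without being opened.
    """
    events = []
    for path in matching_files(root, file_pattern, recursive):
        st = os.stat(path)
        prev = state.seen.get(path)
        if prev and not force_file_read and prev[:2] == (st.st_mtime, st.st_size):
            continue
        offset = prev[2] if prev else 0
        if st.st_size < offset:
            offset = 0  # file truncated or rotated in place: re-read from the start (assumption)
        with open(path, "rb") as fh:
            fh.seek(offset)
            data = fh.read()
        offset += len(data)
        rel = os.path.relpath(path, root)
        events += [(rel, ln) for ln in data.decode("utf-8", "replace").splitlines() if ln.strip()]
        state.seen[path] = (st.st_mtime, st.st_size, offset)
    return events


# Constructed sample lines in the LEEF layout agileSI writes; not real agileSI output.
SAMPLE_LEEF = [
    "LEEF:1.0|iT-CUBE|agileSI|1.0|SAP_LOGON_FAILED|usrName=DDIC src=10.0.0.12 sev=5",
    "LEEF:1.0|iT-CUBE|agileSI|1.0|SAP_USER_CREATED|usrName=ADM01 src=10.0.0.12 sev=3",
]


def demo():
    """Drive the emulator through first poll, append, idle and rotation; returns events per pass."""
    root = tempfile.mkdtemp(prefix="agilesi_")
    today = os.path.join(root, "LEEF20141127.txt")
    os.makedirs(os.path.join(root, "archive"))
    with open(today, "w") as fh:
        fh.write("\n".join(SAMPLE_LEEF) + "\n")
    with open(os.path.join(root, "archive", "LEEF20141126.txt"), "w") as fh:
        fh.write(SAMPLE_LEEF[0] + "\n")
    with open(os.path.join(root, "readme.log"), "w") as fh:
        fh.write("not an event file\n")  # excluded by the .txt pattern

    counts = {}
    rec, flat = SmbTailState(), SmbTailState()
    counts["recursive_first"] = len(poll_once(root, rec))                      # both .txt files
    counts["flat_first"] = len(poll_once(root, flat, recursive=False))         # sub folder ignored
    with open(today, "a") as fh:
        fh.write(SAMPLE_LEEF[1] + "\n")
    counts["after_append"] = len(poll_once(root, rec, force_file_read=False))  # size changed: read
    counts["idle"] = len(poll_once(root, rec, force_file_read=False))          # unchanged: skipped
    with open(today, "w") as fh:
        fh.write(SAMPLE_LEEF[0] + "\n")  # rotation: same name, smaller file
    counts["after_rotation"] = len(poll_once(root, rec))                       # offset reset
    return counts


if __name__ == "__main__":
    print(demo())
```

The idle pass shows the saving that the cleared Force File Read check box buys: a file whose stat data has not moved is never opened. The rotation pass shows why the read offset must be reset when the file shrinks; a tailer that kept the old offset would silently drop the first events of the new day's file.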

ITRON SMART METER

The Itron Smart Meter DSM for Juniper Secure Analytics (JSA) collects events
from an Itron Openway Smart Meter using syslog.
The Itron Openway Smart Meter sends syslog events to JSA using Port 514. For
details of configuring your meter for syslog, see your Itron Openway Smart Meter
documentation.
JSA automatically discovers and creates a log source for syslog events from Itron
Openway Smart Meters. However, you can manually create a log source for JSA
to receive syslog events. The following configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Itron Smart Meter.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 54-1 Syslog Protocol Parameters

Parameter

Description

Log Source Identifier

Type the IP address or host name for the log source as an
identifier for events from your Itron Openway Smart Meter
installation.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

JUNIPER NETWORKS

This section provides information on the following DSMs:

• Juniper Networks AVT
• Juniper DDoS Secure
• Juniper DX Application Acceleration Platform
• Juniper EX Series Ethernet Switch
• Juniper IDP
• Juniper Networks Secure Access
• Juniper Infranet Controller
• Juniper Networks Firewall and VPN
• Juniper Networks Network and Security Manager
• Juniper Junos OS
• Juniper Steel-Belted Radius
• Juniper Networks vGW Virtual Gateway
• Juniper Security Binary Log Collector
• Juniper Junos WebApp Secure

Juniper Networks AVT

The Juniper Networks Application Volume Tracking (AVT) DSM for Juniper Secure
Analytics (JSA) accepts events by using the Java Database Connectivity (JDBC)
protocol.
JSA records all relevant events. To integrate with Juniper Networks NSM AVT
data, you must create a view in the Postgres database on the Juniper Networks
NSM server. You must also edit the Postgres client authentication configuration
(pg_hba.conf) on the NSM server to allow connections from JSA, because by
default only local connections are allowed.

Note: This procedure is provided as a guideline. For specific instructions, see your
vendor documentation.


Procedure
Step 1 Log in to your Juniper Networks AVT device command-line interface (CLI).
Step 2 Open the following file:

/var/netscreen/DevSvr/pgsql/data/pg_hba.conf
Step 3 Add the following line to the end of the file:

host all all <IP address>/32 trust

Where <IP address> is the IP address of the JSA console or Event Collector
that connects to the database.
The trust method lets any client that connects from that address log in as
any database user without a password, and "all all" covers every database on
the server. Where your NSM Postgres version and the polling account allow it,
restrict the record to the profilerDb database, the polling user, and a password
method such as md5, for example: host profilerDb <user> <IP address>/32 md5.
Postgres uses the first record that matches a connection, so make sure no
broader record above it matches first.
Step 4 Reload the Postgres service:

su - nsm -c "pg_ctl reload -D /var/netscreen/DevSvr/pgsql/data"
Step 5 As the Juniper Networks NSM user, create the view:

create view strm_avt_view as
  SELECT a.name, a.category, v.srcip, v.dstip, v.dstport, v."last",
         u.name as userinfo, v.id, v.device, v.vlan, v.sessionid,
         v.bytecnt, v.pktcnt, v."first"
  FROM avt_part v
  JOIN app a ON v.app = a.id
  JOIN userinfo u ON v.userinfo = u.id;

The view is created.
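The trust record in Step 3 is the security-relevant step of this procedure. The following Python is an added example, not Juniper or NSM code: it parses pg_hba.conf records, flags records that allow password-less or overly broad access, and produces a tightened replacement record. The sample configuration text, the collector address 198.51.100.20, the polling user name jsa_reader and the md5 method are assumptions.

```python
import ipaddress
from dataclasses import dataclass

PASSWORDLESS_METHODS = {"trust"}


@dataclass
class HbaRule:
    conn_type: str   # local, host, hostssl or hostnossl
    database: str
    user: str
    network: object  # IPv4Network/IPv6Network, a hostname str, or None for local records
    method: str


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_pg_hba(text):
    """Parse pg_hba.conf records; the address may be CIDR, address plus netmask, or a hostname."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        kind = parts[0]
        if kind == "local" and len(parts) >= 4:
            rules.append(HbaRule(kind, parts[1], parts[2], None, parts[3]))
        elif kind in ("host", "hostssl", "hostnossl") and len(parts) >= 5:
            addr = parts[3]
            if "/" in addr:
                net, method = ipaddress.ip_network(addr, strict=False), parts[4]
            elif len(parts) >= 6 and _is_ip(parts[4]):
                net, method = ipaddress.ip_network((addr, parts[4]), strict=False), parts[5]
            else:
                net, method = addr, parts[4]   # hostname form; not evaluated here
            rules.append(HbaRule(kind, parts[1], parts[2], net, method))
        else:
            raise ValueError(f"unrecognised pg_hba.conf record: {raw!r}")
    return rules


def audit_pg_hba(text, jsa_ip):
    """Return (record, issue) pairs for host records that are password-less or broader than one collector."""
    ipaddress.ip_address(jsa_ip)  # validate the collector address early
    findings = []
    for r in parse_pg_hba(text):
        if r.conn_type == "local" or isinstance(r.network, str):
            continue
        where = f"{r.conn_type} {r.database} {r.user} {r.network} {r.method}"
        if r.method in PASSWORDLESS_METHODS:
            findings.append((where, "trust: any client at that address logs in as any listed user with no password"))
        if r.database == "all" or r.user == "all":
            findings.append((where, "scope is all databases/users; restrict to profilerDb and the polling user"))
        if r.network.num_addresses > 1:
            findings.append((where, f"covers {r.network.num_addresses} addresses, not just the collector"))
    return findings


def tightened_rule(jsa_ip, user, database="profilerDb", method="md5"):
    """Replacement for 'host all all <IP address>/32 trust' (use scram-sha-256 on PostgreSQL 10 and later)."""
    return f"host {database} {user} {ipaddress.ip_address(jsa_ip)}/32 {method}"


# Constructed pg_hba.conf extract containing the Step 3 record for a hypothetical collector address.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS                 METHOD
local   all       all                           ident
host    all       all   127.0.0.1/32            md5
host    all       all   198.51.100.20/32        trust
host    all       all   10.0.0.0 255.0.0.0      md5
"""

if __name__ == "__main__":
    for record, issue in audit_pg_hba(SAMPLE_PG_HBA, "198.51.100.20"):
        print(f"{record}\n    -> {issue}")
    print("suggested:", tightened_rule("198.51.100.20", "jsa_reader"))
```

Run it against a copy of the NSM server's pg_hba.conf after editing; the only record the JSA collector needs is the single tightened line, with the password then entered in the JDBC protocol's Password field.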
You are now ready to configure the log source in JSA.
To configure JSA to receive events from a Juniper Networks AVT device:
Step 1 From the Log Source Type list box, select Juniper Networks AVT.
Step 2 You must also configure the JDBC protocol for the log source. Use the following
parameters to configure the JDBC protocol:

a Database Type - From the Database Type list box, select Postgres.
b Database Name - Type profilerDb.
c IP or Hostname - Type the IP address of the Juniper Networks NSM system.
d Port - Type 5432.
e Username - Type the username for the profilerDb database.
f Password - Type the password for the profilerDb database.
g Table Name - Type strm_avt_view.
h Select List - Type * for the select list.
i Compare Field - Type id for the Compare Field.
j Use Prepared Statements - The Use Prepared Statements check box must be
clear. The Juniper Networks AVT DSM does not support prepared statements.
k Polling Interval - Type 10 for the Polling interval.

Note: The Database Name and Table Name parameters are case sensitive.

Note: For more information on configuring log sources and protocols, see the Log
Sources Users Guide.
For more information about the Juniper Networks AVT device, see your vendor
documentation.
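To show what the Table Name, Select List, Compare Field and Use Prepared Statements parameters do at query level, here is an added Python example (not JSA's JDBC protocol implementation) that builds an in-memory SQLite stand-in for profilerDb with the strm_avt_view definition from the NSM procedure and polls it the way an incremental compare-field poller would. The application, user and session rows are constructed, and SQLite stands in for Postgres only because it runs offline.

```python
import re
import sqlite3

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def build_nsm_profiler_db():
    """In-memory stand-in for profilerDb with constructed rows and the page's view definition."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
    CREATE TABLE app (id INTEGER PRIMARY KEY, name TEXT, category TEXT);
    CREATE TABLE userinfo (id INTEGER PRIMARY KEY, name TEXT);
    CREATE TABLE avt_part (
        id INTEGER PRIMARY KEY, app INTEGER, userinfo INTEGER,
        srcip TEXT, dstip TEXT, dstport INTEGER, "first" INTEGER, "last" INTEGER,
        device TEXT, vlan INTEGER, sessionid INTEGER, bytecnt INTEGER, pktcnt INTEGER);
    CREATE VIEW strm_avt_view AS
      SELECT a.name, a.category, v.srcip, v.dstip, v.dstport, v."last",
             u.name AS userinfo, v.id, v.device, v.vlan, v.sessionid,
             v.bytecnt, v.pktcnt, v."first"
      FROM avt_part v JOIN app a ON v.app = a.id JOIN userinfo u ON v.userinfo = u.id;
    """)
    con.executemany("INSERT INTO app VALUES (?,?,?)", [(1, "HTTP", "Web"), (2, "SSH", "Remote-Access")])
    con.executemany("INSERT INTO userinfo VALUES (?,?)", [(1, "alice"), (2, "bob")])
    con.executemany("INSERT INTO avt_part VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)", [
        (1, 1, 1, "10.0.0.5", "192.0.2.10", 80, 1416000000, 1416000010, "fw-edge", 10, 5001, 1200, 14),
        (2, 2, 2, "10.0.0.7", "192.0.2.22", 22, 1416000020, 1416000090, "fw-edge", 10, 5002, 8400, 62),
        (3, 1, 2, "10.0.0.7", "192.0.2.10", 80, 1416000100, 1416000105, "fw-core", 20, 5003, 300, 4),
    ])
    con.commit()
    return con


class JdbcPoller:
    """Emulates compare-field polling: fetch rows whose Compare Field exceeds the last value seen."""

    def __init__(self, con, table_name="strm_avt_view", select_list="*",
                 compare_field="id", use_prepared_statements=False):
        # Table Name, Select List and Compare Field are spliced into SQL text, so accept identifiers only.
        fields = [] if select_list == "*" else [f.strip() for f in select_list.split(",")]
        if not all(IDENT.fullmatch(x) for x in [table_name, compare_field, *fields]):
            raise ValueError("table name, select list and compare field must be plain identifiers")
        if fields and compare_field not in fields:
            raise ValueError("the compare field must be part of the select list")
        self.con, self.table, self.select_list = con, table_name, select_list
        self.compare, self.use_prepared = compare_field, use_prepared_statements
        self.last_value = None  # high-water mark of the compare field

    def poll(self):
        """One polling interval: return rows newer than the high-water mark, oldest first."""
        base = f"SELECT {self.select_list} FROM {self.table}"
        if self.last_value is None:
            sql, params = f"{base} ORDER BY {self.compare}", ()
        elif self.use_prepared:
            sql, params = f"{base} WHERE {self.compare} > ? ORDER BY {self.compare}", (self.last_value,)
        else:
            # Use Prepared Statements clear: the mark is written into the query text; cast so only a
            # number can ever be interpolated (this example assumes a numeric compare field such as id).
            sql, params = f"{base} WHERE {self.compare} > {int(self.last_value)} ORDER BY {self.compare}", ()
        cur = self.con.execute(sql, params)
        cols = [d[0] for d in cur.description]
        rows = [dict(zip(cols, r)) for r in cur.fetchall()]
        if rows:
            self.last_value = rows[-1][self.compare]
        return rows


if __name__ == "__main__":
    db = build_nsm_profiler_db()
    poller = JdbcPoller(db)
    for row in poller.poll():
        print(row["id"], row["name"], row["userinfo"], row["srcip"], "->", row["dstip"], row["dstport"])
    print("next poll:", poller.poll())  # nothing new until avt_part grows
```

The identifier check matters because the three parameters end up inside query text; the poller also shows why the compare field must increase monotonically, since a row inserted later with a lower id than the high-water mark would never be collected.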

Juniper DDoS Secure
The Juniper DDoS Secure DSM for Juniper Secure Analytics (JSA) receives
events from Juniper DDoS Secure devices by using syslog in Log Event Extended
Format (LEEF) format. JSA records all relevant status and network condition
events.
Procedure
Step 1 Log in to Juniper DDoS Secure.
Step 2 Go to the Structured Syslog Server window.
Step 3 In the Server IP Address(es) field, type the IP address of the JSA Console.
Step 4 From the Format list, select LEEF.
Step 5 Optional. If you do not want to use the default of local0 in the Facility field, type
a facility.
Step 6 From the Priority list, select the syslog priority level that you want to include.
Events that meet or exceed the syslog priority level you select are forwarded to
JSA.
Step 7 Log in to JSA.
Step 8 Click the Admin tab.
Step 9 From the navigation menu, click Data Sources.
Step 10 Click the Log Sources icon.
Step 11 Click Add.
Step 12 From the Log Source Type list, select the Juniper DDoS Secure option.
Step 13 Configure the parameters.
Step 14 Click Save.

For more information about log source management, see the Log Sources Users
Guide.

Juniper DX Application Acceleration Platform

The Juniper DX Application Acceleration Platforms off-load core networking and
I/O responsibilities from web and application servers to improve the performance
of web-based applications, increasing productivity of local, remote, and mobile
users.


The Juniper DX Application Acceleration Platform DSM for JSA accepts events
using syslog. JSA records all relevant status and network condition events. Before
configuring JSA, you must configure your Juniper device to forward syslog events.
Procedure
Step 1 Log in to the Juniper DX user interface.
Step 2 Browse to the desired cluster configuration (Services - Cluster Name), Logging
section.
Step 3 Select the Enable Logging check box.
Step 4 Select the desired Log Format.

JSA supports Juniper DX logs using the common and perf2 formats only.
Step 5 Select the desired Log Delimiter format.

JSA supports comma delimited logs only.
Step 6 In the Log Host section, type the IP address of your JSA system.
Step 7 In the Log Port section, type the UDP port on which you wish to export logs.
Step 8 You are now ready to configure the log source in JSA.

To configure JSA to receive events from a Juniper DX Application Acceleration
Platform:

From the Log Source Type list box, select the Juniper DX Application
Acceleration Platform option.
For more information on configuring log sources, see the Log Sources Users
Guide.

Juniper EX Series Ethernet Switch

The Juniper EX Series Ethernet Switch DSM for JSA accepts events using syslog.
The Juniper EX Series Ethernet Switch DSM supports Juniper EX Series Ethernet
Switches running Junos OS. Before you can integrate JSA with a Juniper EX
Series Ethernet Switch, you must configure your Juniper EX Series Switch to
forward syslog events.
Procedure

Step 1 Log in to the Juniper EX Series Ethernet Switch command-line interface (CLI).
Step 2 Type the following command:

configure
Step 3 Type the following command:

set system syslog host