Juniper Secure Analytics DSM Configuration Guide (Configuring DSMs), user manual, PDF, 808 pages.
Juniper Secure Analytics
Configuring DSMs
Release 2014.1

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
408-745-2000
www.juniper.net

Published: 2014-11-27

Copyright Notice
Copyright © 2014 Juniper Networks, Inc. All rights reserved.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

The following terms are trademarks or registered trademarks of other companies: Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Juniper Networks' installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Consult the dealer or an experienced radio/TV technician for help.
• Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT, SUBJECT TO THE MODIFICATIONS SET FORTH BELOW ON THIS PAGE, ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.

Juniper Secure Analytics Configuring DSMs, Release 2014.1
Copyright © 2014, Juniper Networks, Inc. All rights reserved. Printed in USA.

Revision History
November 2014—Juniper Secure Analytics Configuring DSMs
The information in this document is current as of the date listed in the revision history.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at http://www.juniper.net/support/eula.html, as modified by the following text, which shall be treated under the EULA as an Entitlement Document taking precedence over any conflicting provisions of such EULA as regards such software: As regards software accompanying the STRM products (the "Program"), such software contains software licensed by Q1Labs and is further accompanied by third-party software that is described in the applicable documentation or materials provided by Juniper Networks.

CONTENTS

ABOUT THIS GUIDE
  Audience 15
  Documentation Conventions 15
  Technical Documentation 15
  Requesting Technical Support 16
1 OVERVIEW
2 INSTALLING DSMS
  Scheduling Automatic Updates 21
  Viewing Updates 22
  Manually Installing a DSM 24
3 3COM 8800 SERIES SWITCH
4 AMBIRON TRUSTWAVE IPANGEL
5 APACHE HTTP SERVER
  Configuring Apache HTTP Server with Syslog 31
  Configuring Apache HTTP Server with Syslog-ng 33
6 APC UPS
7 AMAZON AWS CLOUDTRAIL
  AWS CloudTrail DSM Integration Process 40
  Enabling Communication between JSA and AWS CloudTrail 40
  Configuring an Amazon AWS CloudTrail Log Source in JSA 40
7 APPLE MAC OS X
8 APPLICATION SECURITY DBPROTECT
9 ARBOR NETWORKS PEAKFLOW
10 ARBOR NETWORKS PRAVAIL
  Arbor Networks Pravail DSM Integration Process 54
  Configuring your Arbor Networks Pravail system for Communication with JSA 54
  Configuring an Arbor Networks Pravail Log Source in Configuring DSMs 55
10 ARPEGGIO SIFT-IT
11 ARRAY NETWORKS SSL VPN
12 ARUBA MOBILITY CONTROLLERS
13 AVAYA VPN GATEWAY
  Avaya VPN Gateway DSM Integration Process 66
  Configuring your Avaya VPN Gateway System for Communication with JSA 66
  Configuring an Avaya VPN Gateway Log Source in JSA 67
13 BALABIT IT SECURITY
  Configuring BalaBit IT Security for Microsoft Windows Events 69
  Configuring BalaBit IT Security for Microsoft ISA or TMG Events 73
14 BARRACUDA
  Barracuda Spam & Virus Firewall 79
  Barracuda Web Application Firewall 80
  Barracuda Web Filter 82
15 BIT9 PARITY
16 BLUECAT NETWORKS ADONIS
17 BLUE COAT SG
  Creating a Custom Event Format 92
  Retrieving Blue Coat Events 93
  Creating Additional Custom Format Key-Value Pairs 99
18 BRIDGEWATER
19 BROCADE FABRIC OS
20 CA TECHNOLOGIES
  CA ACF2 105
  CA SiteMinder 118
  CA Top Secret 121
21 CHECK POINT
  Check Point FireWall-1 135
  Check Point Provider-1 143
22 CILASOFT QJRN/400
23 CISCO
  Cisco ACE Firewall 153
  Cisco Aironet 155
  Cisco ACS 157
  Cisco ASA 161
  Cisco CallManager 166
  Cisco CatOS for Catalyst Switches 167
  Cisco CSA 169
  Cisco FWSM 170
  Cisco IDS/IPS 172
  Cisco IronPort 174
  Cisco NAC 176
  Cisco Nexus 177
  Cisco IOS 179
  Cisco Pix 181
  Cisco VPN 3000 Concentrator 182
  Cisco Wireless Services Module 183
  Cisco Wireless LAN Controllers 186
  Cisco Identity Services Engine 191
24 CITRIX
  Citrix NetScaler 195
  Citrix Access Gateway 197
25 CRYPTOCARD CRYPTO-SHIELD
26 CYBER-ARK VAULT
27 CYBERGUARD FIREWALL/VPN APPLIANCE
28 DAMBALLA FAILSAFE
29 DIGITAL CHINA NETWORKS (DCN)
30 ENTERASYS
  Enterasys Dragon 211
  Enterasys HiGuard Wireless IPS 218
  Enterasys HiPath Wireless Controller 220
  Enterasys Stackable and Standalone Switches 221
  Enterasys XSR Security Router 222
  Enterasys Matrix Router 223
  Enterasys NetSight Automatic Security Manager 224
  Enterasys Matrix K/N/S Series Switch 225
  Enterasys NAC 226
  Enterasys 800-Series Switch 227
31 EXTREME NETWORKS EXTREMEWARE
32 F5 NETWORKS
  F5 Networks BIG-IP AFM 231
  F5 Networks BIG-IP APM 236
  F5 Networks BIG-IP ASM 237
  F5 Networks BIG-IP LTM 239
  F5 Networks FirePass 241
33 FAIR WARNING
34 FIDELIS XPS
35 FIREEYE
36 FORESCOUT COUNTERACT
37 FORTINET FORTIGATE
  Fortinet FortiGate DSM Integration Process 257
  Configuring a Fortinet FortiGate Log Source 258
38 FOUNDRY FASTIRON
39 GENERIC FIREWALL
40 GENERIC AUTHORIZATION SERVER
41 GREAT BAY BEACON
42 HBGARY ACTIVE DEFENSE
43 HONEYCOMB LEXICON FILE INTEGRITY MONITOR (FIM)
44 HP
  HP ProCurve 277
  HP Tandem 278
  Hewlett Packard UNIX (HP-UX) 279
45 HUAWEI
  Huawei AR Series Router 281
  Huawei S Series Switch 283
46 IBM
  IBM AIX 288
  IBM AS/400 iSeries 299
  IBM CICS 302
  IBM Lotus Domino 306
  IBM Proventia Management SiteProtector 309
  IBM ISS Proventia 313
  IBM RACF 314
  IBM DB2 326
  IBM WebSphere Application Server 336
  IBM Informix Audit 341
  IBM IMS 342
  IBM Guardium 348
  IBM Security Directory Server 354
  IBM Tivoli Access Manager for E-business 356
  IBM z/Secure Audit 358
  IBM Tivoli Endpoint Manager 363
  IBM zSecure Alert 364
  IBM Security Network Protection (XGS) 365
  IBM Security Network IPS 368
47 ISC BIND
48 IMPERVA SECURESPHERE
49 INFOBLOX NIOS
50 IT-CUBE AGILESI
51 ITRON SMART METER
52 JUNIPER NETWORKS
  Juniper Networks AVT 389
  Juniper DDoS Secure 391
  Juniper DX Application Acceleration Platform 391
  Juniper EX Series Ethernet Switch 392
  Juniper IDP 394
  Juniper Networks Secure Access 395
  Juniper Infranet Controller 398
  Juniper Networks Firewall and VPN 399
  Juniper Networks Network and Security Manager 399
  Juniper Junos OS 401
  Juniper Steel-Belted Radius 404
  Juniper Networks vGW Virtual Gateway 406
  Juniper Security Binary Log Collector 408
  Juniper Junos WebApp Secure 411
  Juniper Networks WLC Series Wireless LAN Controller 414
53 KASPERSKY SECURITY CENTER
54 LIEBERMAN RANDOM PASSWORD MANAGER
55 LINUX
  Linux DHCP 427
  Linux IPtables 428
  Linux OS 430
56 MCAFEE
  McAfee Intrushield 435
  McAfee ePolicy Orchestrator 440
  McAfee Application / Change Control 449
  McAfee Web Gateway 452
  McAfee Web Gateway DSM Integration Process 455
57 METAINFO METAIP
58 MICROSOFT
  Microsoft Exchange Server 459
  Microsoft IAS Server 466
  Microsoft DHCP Server 466
  Microsoft IIS Server 467
  Microsoft ISA 473
  Microsoft Hyper-V 474
  Microsoft SQL Server 475
  Microsoft SharePoint 480
  Microsoft Windows Security Event Log 485
  Microsoft Operations Manager 487
  Microsoft System Center Operations Manager 490
  Microsoft Endpoint Protection 493
59 MOTOROLA SYMBOL AP
60 NETAPP DATA ONTAP
61 NAME VALUE PAIR
  NVP Log Format 503
  Examples 505
62 NIKSUN
63 NOKIA FIREWALL
  Integrating with a Nokia Firewall Using Syslog 509
  Integrating With a Nokia Firewall Using OPSEC 512
64 NOMINUM VANTIO
65 NORTEL NETWORKS
  Nortel Multiprotocol Router 517
  Nortel Application Switch 520
  Nortel Contivity 521
  Nortel Ethernet Routing Switch 2500/4500/5500 521
  Nortel Ethernet Routing Switch 8300/8600 522
  Nortel Secure Router 524
  Nortel Secure Network Access Switch 525
  Nortel Switched Firewall 5100 526
  Nortel Switched Firewall 6000 528
  Nortel Threat Protection System 530
  Nortel VPN Gateway 531
66 NOVELL EDIRECTORY
67 OBSERVEIT
68 OPENBSD
69 OPEN LDAP
70 OPEN SOURCE SNORT
71 ORACLE
  Oracle Audit Records 555
  Oracle DB Listener 559
  Oracle Audit Vault 563
  Oracle OS Audit 564
  Oracle BEA WebLogic 566
  Oracle Acme Packet Session Border Controller 571
  Oracle Fine Grained Auditing 574
72 OSSEC
73 PALO ALTO NETWORKS
74 PIREAN ACCESS: ONE
75 POSTFIX MAIL TRANSFER AGENT
76 PROFTPD
77 PROOFPOINT ENTERPRISE PROTECTION AND ENTERPRISE PRIVACY
78 RADWARE DEFENSEPRO
79 RAZ-LEE ISECURITY
80 REDBACK ASE
81 RSA AUTHENTICATION MANAGER
  Configuring Syslog for RSA 607
  Configuring the Log File Protocol for RSA 609
82 SAFENET DATASECURE
83 SAMHAIN LABS
  Configuring Syslog to Collect Samhain Events 615
  Configuring JDBC to Collect Samhain Events 616
84 SENTRIGO HEDGEHOG
85 SECURE COMPUTING SIDEWINDER
86 SOLARWINDS ORION
87 SONICWALL
88 SOPHOS
  Sophos Enterprise Console 627
  Sophos PureMessage 634
  Sophos Astaro Security Gateway 641
  Sophos Web Security Appliance 642
89 SOURCEFIRE
  Sourcefire Defense Center (DC) 643
  Sourcefire Intrusion Sensor 649
90 SPLUNK
  Collect Windows Events Forwarded from Splunk Appliances 651
91 SQUID WEB PROXY
92 STARENT NETWORKS
93 STEALTHBITS STEALTHINTERCEPT
  STEALTHbits StealthINTERCEPT DSM Integration Process 663
  Configuring your STEALTHbits StealthINTERCEPT System for Communication with JSA 664
  Configuring a STEALTHbits StealthINTERCEPT Log Source in JSA 665
94 STONESOFT MANAGEMENT CENTER
95 SUN SOLARIS
  Sun Solaris 671
  Sun Solaris DHCP 672
  Sun Solaris Sendmail 674
  Sun Solaris Basic Security Mode (BSM) 675
  Sun ONE LDAP 680
96 SYBASE ASE
97 SYMANTEC
  Symantec Endpoint Protection 687
  Symantec SGS 688
  Symantec System Center 688
  Symantec Data Loss Prevention (DLP) 692
  Symantec PGP Universal Server 696
98 SYMARK
99 THREATGRID MALWARE THREAT INTELLIGENCE PLATFORM
100 TIPPING POINT
  Tipping Point Intrusion Prevention System 709
  Tipping Point X505/X506 Device 712
101 TOP LAYER IPS
102 TREND MICRO
  Trend Micro InterScan VirusWall 715
  Trend Micro Control Manager 716
  Trend Micro Office Scan 717
  Trend Micro Deep Discovery 721
103 TRIPWIRE
104 TROPOS CONTROL
105 TRUSTEER APEX LOCAL EVENT AGGREGATOR
106 UNIVERSAL DSM
107 UNIVERSAL LEEF
  Configuring a Universal LEEF Log Source 733
  Forwarding Events to JSA 737
  Creating a Universal LEEF Event Map 737
108 VENUSTECH VENUSENSE
109 VERDASYS DIGITAL GUARDIAN
110 VERICEPT CONTENT 360 DSM
111 VMWARE
  VMware ESX and ESXi 751
  VMware vCenter 756
  VMware vCloud Director 757
  VMware vShield 760
112 VORMETRIC DATA SECURITY
  Vormetric Data Security DSM Integration Process 763
  Configuring your Vormetric Data Security Systems for Communication with JSA 764
  Configuring a Vormetric Data Security Log Source in JSA 766
113 WEBSENSE V-SERIES
  Websense TRITON 767
  Websense V-Series Data Security Suite 769
  Websense V-Series Content Gateway 771
114 ZSCALER NANOLOG STREAMING SERVICE
115 SUPPORTED DSMS
INDEX

ABOUT THIS GUIDE
The Juniper Secure Analytics Configuring DSMs guide provides you with information for configuring Device Support Modules (DSMs). DSMs allow Juniper Secure Analytics (JSA) to integrate events from security appliances, software, and devices in your network that forward events to JSA or Log Analytics. All references to JSA in this guide are intended to refer to both the JSA and Log Analytics products.

Audience
This guide is intended for the system administrator responsible for setting up event collection for JSA in your network.
This guide assumes that you have administrative access and a knowledge of your corporate network and networking technologies.

Documentation Conventions
Table 2-1 lists the conventions that are used throughout this guide.

Table 2-1 Icons
Icon type          Description
Information note   Information that describes important features or instructions.
Caution            Information that alerts you to potential loss of data or potential damage to an application, system, device, or network.
Warning            Information that alerts you to potential personal injury.

Technical Documentation
You can access technical documentation, technical notes, and release notes directly from the Juniper Customer Support website at https://www.juniper.net/support/. Once you access the Juniper Customer Support website, locate the product and software release for which you require documentation.

Your comments are important to us. Please send your e-mail comments about this guide or any of the Juniper Networks documentation to: techpubs-comments@juniper.net. Include the following information with your comments:
• Document title
• Page number

Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.
• JTAC Hours of Operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/
• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
• To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/support/requesting-support.html.

1 OVERVIEW
The DSM Configuration guide is intended to assist with device configurations for systems, software, or appliances that provide events to Juniper Secure Analytics (JSA). Device Support Modules (DSMs) parse event information for JSA products to log and correlate events received from external sources such as security equipment (for example, firewalls) and network equipment (for example, switches and routers).
Events forwarded from your log sources are displayed in the Log Activity tab. All events are correlated, and security and policy offenses are created based on correlation rules. These offenses are displayed on the Offenses tab. For more information, see the Juniper Secure Analytics Users Guide.

Note: Information found in this documentation about configuring Device Support Modules (DSMs) is based on the latest RPM files located on the Juniper Customer Support website at http://www.juniper.net/customer/support/.

To configure JSA to receive events from devices, you must:
1 Configure the device to send events to JSA.
2 Configure log sources for JSA to receive events from specific devices. For more information, see the Log Sources Users Guide.

2 INSTALLING DSMS
You can download and install weekly automatic software updates for DSMs, protocols, and scanner modules. After Device Support Modules (DSMs) are installed, the Juniper Secure Analytics (JSA) console provides any RPM file updates to managed hosts after the configuration changes are deployed.

If you are using high availability (HA), DSMs, protocols, and scanners are installed during replication between the primary and secondary host. During this installation process, the secondary displays the status Upgrading. For more information, see Managing High Availability in the Juniper Secure Analytics Administration Guide.

CAUTION: Uninstalling a Device Support Module (DSM) is not supported in JSA. If you need technical assistance, contact Juniper Customer Support. For more information, see Requesting Technical Support.

Scheduling Automatic Updates
You can schedule when automatic updates are downloaded and installed on your JSA console.
JSA performs automatic updates on a recurring schedule according to the settings on the Update Configuration page; however, if you want to schedule an update or a set of updates to run at a specific time, you can schedule an update using the Schedule the Updates window. Scheduling your own automatic updates is useful when you want to schedule a large update to run during off-peak hours, thus reducing any performance impact on your system.

If no updates are displayed in the Updates window, either your system has not been in operation long enough to retrieve the weekly updates or no updates have been issued. If this occurs, you can manually check for new updates.

Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration.
Step 3 Click the Auto Update icon.
Step 4 Optional. If you want to schedule specific updates, select the updates you want to schedule.
Step 5 From the Schedule list box, select the type of update you want to schedule. Options include:
• All Updates
• Selected Updates
• DSM, Scanner, Protocol Updates
• Minor Updates
Note: Protocol updates installed automatically require you to restart Tomcat. For more information on manually restarting Tomcat, see the Log Sources Users Guide.
Step 6 Using the calendar, select the start date and time of when you want to start your scheduled updates.
Step 7 Click OK.
The selected updates are now scheduled.

Viewing Updates
You can view or install any pending software updates for JSA through the Admin tab.

Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration.
Step 3 Click the Auto Update icon.
The Updates window is displayed. The window automatically displays the Check for Updates page, providing the following information:

Table 2-1 Check for Updates Window Parameters
Updates were installed: Specifies the date and time the last update was installed.
Next Update install is scheduled: Specifies the date and time the next update is scheduled to be installed. If there is no date and time indicated, the update is not scheduled to run.
Name: Specifies the name of the update.
Type: Specifies the type of update. Types include:
• DSM, Scanner, Protocol Updates
• Minor Updates
Status: Specifies the status of the update. Status types include:
• New - The update is not yet scheduled to be installed.
• Scheduled - The update is scheduled to be installed.
• Installing - The update is currently installing.
• Failed - The update failed to install.
Date to Install: Specifies the date on which this update is scheduled to be installed.

The Check for Updates page toolbar provides the following functions:

Table 2-2 Auto Updates Toolbar
Hide: Select one or more updates, and then click Hide to remove the selected updates from the Check for Updates page. You can view and restore the hidden updates on the Restore Hidden Updates page. For more information, see the Juniper Secure Analytics Administrator Guide.
Install: From this list box, you can manually install updates. When you manually install updates, the installation process starts within a minute.
Schedule: From this list box, you can configure a specific date and time to manually install selected updates on your console. This is useful when you want to schedule the update installation during off-peak hours.
Unschedule: From this list box, you can remove preconfigured schedules for manually installing updates on your console.
Search By Name: In this text box, you can type a keyword and then press Enter to locate a specific update by name.
Next Refresh: This counter displays the amount of time until the next automatic refresh. The list of updates on the Check for Updates page automatically refreshes every 60 seconds.
The timer is automatically paused when you select one or more updates.
Pause: Click this icon to pause the automatic refresh process. To resume automatic refresh, click the Play icon.
Refresh: Click this icon to manually refresh the list of updates.

Step 4 To view details on an update, select the update.
The description and any error messages are displayed in the right pane of the window.

Manually Installing a DSM
You can use the Juniper Customer Support website to download and manually install the latest RPM files for JSA: http://www.juniper.net/customer/support/

Most users do not need to download updated DSMs, as auto updates install the latest RPM files on a weekly basis. If your system is restricted from the Internet, you might need to install RPM updates manually. The DSMs provided on the Juniper Customer Support website, or through auto updates, contain improved event parsing for network security products and enhancements for event categorization in the JSA Identifier Map (QID map).

CAUTION: Uninstalling a Device Support Module (DSM) is not supported in JSA. If you need technical assistance, contact Juniper Customer Support. For more information, see Requesting Technical Support.

Installing a Single DSM
The Juniper Customer Support website contains individual DSMs that you can download and install using the command line.

Procedure
Step 1 Download the DSM file to your system hosting JSA.
Step 2 Using SSH, log in to JSA as the root user.
    Username: root
    Password: <password>
Step 3 Navigate to the directory that includes the downloaded file.
Step 4 Type the following command:
    rpm -Uvh <filename>
Where <filename> is the name of the downloaded file. For example:
    rpm -Uvh DSM-CheckPointFirewall-7.0-209433.noarch.rpm
Step 5 Log in to JSA.
    https://<IP address>
Where <IP address> is the IP address of the JSA console or Event Collector.
Step 6 On the Admin tab, click Deploy Changes.
The installation is complete.
Installing a DSM Bundle
The Juniper Customer Support website contains a DSM bundle, updated daily with the latest DSM versions, that you can install.

Procedure
Step 1 Download the DSM bundle to your system hosting JSA.
Step 2 Using SSH, log in to JSA as the root user.
    Username: root
    Password: <password>
Step 3 Navigate to the directory that includes the downloaded file.
Step 4 Type the following command to extract the DSM bundle:
    tar -zxvf JSA_bundled-DSM-<version>.tar.gz
Where <version> is your release of JSA.
Step 5 Type the following command:
    for FILE in *Common*.rpm DSM-*.rpm; do rpm -Uvh "$FILE"; done
The installation of the DSM bundle can take several minutes to complete.
Step 6 Log in to JSA.
    https://<IP address>
Where <IP address> is the IP address of JSA.
Step 7 On the Admin tab, click Deploy Changes.
The installation is complete.

3 3COM 8800 SERIES SWITCH
The 3COM 8800 Series Switch DSM for Juniper Secure Analytics (JSA) accepts events using syslog.

Supported Event Types
JSA records all relevant status and network condition events forwarded from your 3Com 8800 Series Switch using syslog.

Configure Your 3COM 8800 Series Switch
You can configure your 3COM 8800 Series Switch to forward syslog events to JSA.

Procedure
Step 1 Log in to the 3Com 8800 Series Switch user interface.
Step 2 Enable the information center:
    info-center enable
Step 3 Configure the host with the IP address of your JSA system as the loghost, the severity level threshold value as informational, and the output language as English:
    info-center loghost <IP address> facility <facility> language english
Where:
<IP address> is the IP address of your JSA.
<facility> is the facility severity.
Step 4 Configure the ARP and IP information modules to log:
    info-center source arp channel loghost log level informational
    info-center source ip channel loghost log level informational
The configuration is complete. The log source is added to JSA as 3COM 8800 Series Switch events are automatically discovered.
Events forwarded to JSA by 3COM 8800 Series Switches are displayed on the Log Activity tab.

Configure a Log Source
JSA automatically discovers and creates a log source for syslog events from 3COM 8800 Series Switches. These configuration steps are optional.

Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select 3Com 8800 Series Switch.
Step 9 Using the Protocol Configuration list box, select Syslog.
The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 3-1 Syslog Parameters
Log Source Identifier: Type the IP address or host name for the log source as an identifier for events from your 3COM 8800 Series Switch.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.

4 AMBIRON TRUSTWAVE ipANGEL
The Ambiron TrustWave ipAngel DSM for Juniper Secure Analytics (JSA) accepts events using syslog.

Supported Event Types
JSA records all Snort-based events from the ipAngel console.

Before You Begin
Before you configure JSA to integrate with ipAngel, you must forward your cache and access logs to your JSA. The events in your cache and access logs that are forwarded from Ambiron TrustWave ipAngel are not automatically discovered. For information on forwarding device logs to JSA, see your vendor documentation.

Configure a Log Source
To integrate Ambiron TrustWave ipAngel events with JSA, you must manually configure a log source.

Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Ambiron TrustWave ipAngel Intrusion Prevention System (IPS).
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 4-1 Syslog Parameters
Log Source Identifier: Type the IP address or host name for the log source as an identifier for events from your Ambiron TrustWave ipAngel appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to JSA. Events forwarded to JSA by Ambiron TrustWave ipAngel are displayed on the Log Activity tab.

5 APACHE HTTP SERVER
The Apache HTTP Server DSM for Juniper Secure Analytics (JSA) accepts Apache events using syslog or syslog-ng. JSA records all relevant HTTP status events. The procedure in this section applies to Apache DSMs operating on UNIX/Linux platforms only.

CAUTION: Do not run both syslog and syslog-ng at the same time.

Select one of the following configuration methods:
• Configuring Apache HTTP Server with Syslog
• Configuring Apache HTTP Server with Syslog-ng

Configuring Apache HTTP Server with Syslog
You can configure your Apache HTTP Server to forward events with the syslog protocol.

Procedure
Step 1 Log in to the server hosting Apache as the root user.
Step 2 Edit the Apache configuration file httpd.conf.
Step 3 Add the following information in the Apache configuration file to specify the custom log format:
    LogFormat "%h %A %l %u %t \"%r\" %>s %p %b" <log_format>
Where <log_format> is a variable name you provide to define the log format.
Step 4 Add the following information in the Apache configuration file to specify a custom path for the syslog events:
    CustomLog "|/usr/bin/logger -t httpd -p <facility>.<priority>" <log_format>
Where:
<facility> is a syslog facility, for example, local0.
<priority> is a syslog priority, for example, info or notice.
<log_format> is a variable name you provide to define the custom log format. The log format name must match the log format defined in Step 3.
For example:
    CustomLog "|/usr/bin/logger -t httpd -p local1.info" MyApacheLogs
Step 5 Type the following command to disable hostname lookup:
    HostnameLookups off
Step 6 Save the Apache configuration file.
Step 7 Edit the syslog configuration file:
    /etc/syslog.conf
Step 8 Add the following information to your syslog configuration file:
    <facility>.<priority><TAB>@<IP address>
Where:
<facility> is the syslog facility, for example, local0. This value must match the value you typed in Step 4.
<priority> is the syslog priority, for example, info or notice. This value must match the value you typed in Step 4.
<TAB> indicates you must press the Tab key.
<IP address> is the IP address of the JSA console or Event Collector.
Step 9 Save the syslog configuration file.
Step 10 Type the following command to restart the syslog service:
    /etc/init.d/syslog restart
Step 11 Restart Apache to complete the syslog configuration.
The configuration is complete. The log source is added to JSA as syslog events from Apache HTTP Servers are automatically discovered. Events forwarded to JSA by Apache HTTP Servers are displayed on the Log Activity tab of JSA.

Configuring a Log Source in JSA
You can configure a log source manually for Apache HTTP Server events in JSA. JSA automatically discovers and creates a log source for syslog events from Apache HTTP Server. However, you can manually create a log source for JSA to receive syslog events. These configuration steps are optional.

Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Apache HTTP Server.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 5-1 Syslog Parameters
Log Source Identifier: Type the IP address or host name for the log source as an identifier for events from your Apache installations.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete. For more information on Apache, see http://www.apache.org/.

Configuring Apache HTTP Server with Syslog-ng
You can configure your Apache HTTP Server to forward events with the syslog-ng protocol.

Procedure
Step 1 Log in to the server hosting Apache as the root user.
Step 2 Edit the Apache configuration file:
    /etc/httpd/conf/httpd.conf
Step 3 Add the following information to the Apache configuration file to specify the LogLevel:
    LogLevel info
The LogLevel might already be configured to the info level, depending on your Apache installation.
Step 4 Add the following to the Apache configuration file to specify the custom log format:
    LogFormat "%h %A %l %u %t \"%r\" %>s %p %b" <log_format>
Where <log_format> is a variable name you provide to define the custom log format.
Step 5 Add the following information to the Apache configuration file to specify a custom path for the syslog events:
    CustomLog "|/usr/bin/logger -t 'httpd' -u /var/log/httpd/apache_log.socket" <log_format>
The log format name must match the log format defined in Step 4.
Step 6 Save the Apache configuration file.
Step 7 Edit the syslog-ng configuration file:
    /etc/syslog-ng/syslog-ng.conf
Step 8 Add the following information to specify the destination in the syslog-ng configuration file:
    source s_apache {
        unix-stream("/var/log/httpd/apache_log.socket" max-connections(512) keep-alive(yes));
    };
    destination auth_destination {
        <protocol>("<IP address>" port(514));
    };
    log {
        source(s_apache);
        destination(auth_destination);
    };
Where:
<IP address> is the IP address of the JSA console or Event Collector.
<protocol> is the protocol you select to forward the syslog event.
Step 9 Save the syslog-ng configuration file.
Step 10 Type the following command to restart syslog-ng:
    service syslog-ng restart
Step 11 You are now ready to configure the log source in JSA.
The configuration is complete. The log source is added to JSA as syslog events from Apache HTTP Servers are automatically discovered. Events forwarded to JSA by Apache HTTP Servers are displayed on the Log Activity tab of JSA.

Configuring a Log Source
You can configure a log source manually for Apache HTTP Server events in JSA. JSA automatically discovers and creates a log source for syslog-ng events from Apache HTTP Server. However, you can manually create a log source for JSA to receive syslog events. These configuration steps are optional.

Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Apache HTTP Server.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 5-2 Syslog Parameters
Log Source Identifier: Type the IP address or host name for the log source as an identifier for events from your Apache installations.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete. For more information on Apache, see http://www.apache.org/.

6 APC UPS
The APC UPS DSM for Juniper Secure Analytics (JSA) accepts syslog events from the APC Smart-UPS family of products.
Note: Events from the RC-Series Smart-UPS are not supported.

Supported Event Types
JSA supports the following APC Smart-UPS syslog events:
• UPS events
• Battery events
• Bypass events
• Communication events
• Input power events
• Low battery condition events
• SmartBoost events
• SmartTrim events

Before You Begin
To integrate Smart-UPS events with JSA, you must manually create a log source to receive syslog events. Before you can receive events in JSA, you must configure a log source, then configure your APC UPS to forward syslog events. Syslog events forwarded from APC Smart-UPS series devices are not automatically discovered. JSA can receive syslog events on port 514 for both TCP and UDP.

Configuring a Log Source in JSA
JSA does not automatically discover or create log sources for syslog events from APC Smart-UPS series appliances.

Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select APC UPS.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 6-1 Syslog Parameters
Log Source Identifier: Type the IP address or host name for the log source as an identifier for events from your APC Smart-UPS series appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to JSA.
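Looking back at the two Apache HTTP Server procedures above: events only reach JSA when the CustomLog directive names the right LogFormat and when the facility.priority given to logger agrees with the selector in /etc/syslog.conf. The following Python is an added example, not code from the guide or from Juniper; it parses constructed syslog lines carrying the guide's LogFormat and applies a syslog.conf-style selector, so either kind of mismatch shows up as a dropped event. Hosts, addresses and log lines are all made up.

```python
import re
from typing import Dict, List, Optional

# Syslog facility and severity codes, as named on the guide's
# "logger -p <facility>.<priority>" CustomLog line and in /etc/syslog.conf.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, "local0": 16, "local1": 17,
              "local2": 18, "local3": 19, "local4": 20, "local5": 21,
              "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

# Envelope added by logger: <PRI>, BSD timestamp, host, tag (from -t httpd), message.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[\d+\])?: "
    r"(?P<msg>.*)$")

# Message body written by the guide's LogFormat "%h %A %l %u %t \"%r\" %>s %p %b".
APACHE_RE = re.compile(
    r"^(?P<client>\S+) (?P<local_ip>\S+) (?P<logname>\S+) (?P<user>\S+) "
    r"\[(?P<time>[^\]]+)\] \"(?P<request>[^\"]*)\" "
    r"(?P<status>\d{3}) (?P<port>\d+) (?P<bytes>\d+|-)$")

# Constructed sample lines (not real traffic). The first two are in the guide's
# format on local1.info; the third was logged to local0 instead; the last one
# uses a different LogFormat (no %A and no %p), as a wrong CustomLog name would.
SAMPLE_LINES = [
    '<142>Nov 27 10:15:32 web01 httpd: 203.0.113.7 10.0.0.5 - - '
    '[27/Nov/2014:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 80 1234',
    '<142>Nov 27 10:15:33 web01 httpd: 203.0.113.7 10.0.0.5 - alice '
    '[27/Nov/2014:10:15:33 +0000] "POST /login HTTP/1.1" 302 443 -',
    '<134>Nov 27 10:15:34 web01 httpd: 203.0.113.7 10.0.0.5 - - '
    '[27/Nov/2014:10:15:34 +0000] "GET /admin HTTP/1.1" 403 80 199',
    '<142>Nov 27 10:15:35 web01 httpd: 203.0.113.7 - - '
    '[27/Nov/2014:10:15:35 +0000] "GET / HTTP/1.1" 200 1234',
]


def parse_event(line: str) -> Optional[Dict[str, object]]:
    """Split one syslog line into its envelope and the Apache fields.

    Returns None when the body is not in the guide's LogFormat, which is what a
    CustomLog directive that names the wrong LogFormat looks like on the wire.
    """
    env = SYSLOG_RE.match(line)
    if env is None:
        return None
    body = APACHE_RE.match(env.group("msg"))
    if body is None:
        return None
    pri = int(env.group("pri"))
    event: Dict[str, object] = dict(body.groupdict())
    event["status"] = int(body.group("status"))
    event["port"] = int(body.group("port"))
    # %b writes "-" rather than 0 when no response body was sent.
    event["bytes"] = 0 if body.group("bytes") == "-" else int(body.group("bytes"))
    event["facility"] = pri // 8      # PRI = facility * 8 + severity
    event["severity"] = pri % 8
    event["host"] = env.group("host")
    event["tag"] = env.group("tag")
    return event


def selector_matches(event: Dict[str, object], selector: str) -> bool:
    """Emulate a syslog.conf selector such as "local1.info": same facility, and a
    severity at least as urgent as (numerically <=) the named priority."""
    fac_name, sev_name = selector.split(".", 1)
    return (event["facility"] == FACILITIES[fac_name]
            and event["severity"] <= SEVERITIES[sev_name])


def forwarded_events(lines: List[str], selector: str) -> List[Dict[str, object]]:
    """Events that a syslog.conf line "<selector><TAB>@<JSA>" would forward: parseable
    in the guide's format, tagged httpd, and matching the facility.priority selector."""
    out = []
    for line in lines:
        event = parse_event(line)
        if event is not None and event["tag"] == "httpd" and selector_matches(event, selector):
            out.append(event)
    return out


if __name__ == "__main__":
    for event in forwarded_events(SAMPLE_LINES, "local1.info"):
        print(event["client"], event["request"], event["status"], event["bytes"])
```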
You are now ready to configure your APC Smart-UPS to forward syslog events to JSA.

Configuring Your APC UPS to Forward Syslog Events
You can configure syslog event forwarding on your APC UPS.

Procedure
Step 1 Log in to the APC Smart-UPS web interface.
Step 2 In the navigation menu, select Network > Syslog.
Step 3 From the Syslog list box, select Enable.
Step 4 From the Facility list box, select a facility level for your syslog messages.
Step 5 In the Syslog Server field, type the IP address of your JSA console or Event Collector.
Step 6 From the Severity list box, select Informational.
Step 7 Click Apply.
The syslog configuration is complete. Events forwarded to JSA by your APC UPS are displayed on the Log Activity tab.

7 AMAZON AWS CLOUDTRAIL
The Juniper Secure Analytics (JSA) DSM for Amazon AWS CloudTrail can collect audit events from your Amazon AWS CloudTrail S3 bucket. Table 7-1 provides the specifications of the Amazon AWS CloudTrail DSM.

Table 7-1 Amazon AWS CloudTrail DSM Specifications
Manufacturer: Amazon
DSM: Amazon AWS CloudTrail
Supported versions: 1.0
Protocol: Log File
JSA recorded events: All relevant events
Automatically discovered: No
Includes identity: No
More information: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/whatisawscloudtrail.html

AWS CloudTrail DSM Integration Process
To integrate Amazon AWS CloudTrail with JSA, use the following procedure:
1 Obtain and install a certificate to enable communication between your Amazon AWS CloudTrail S3 bucket and JSA.
2 Install the most recent version of the Log File Protocol RPM on your JSA console. You can install a protocol by using the procedure to manually install a DSM.
3 Install the Amazon AWS CloudTrail DSM on your JSA console.
4 Configure the Amazon AWS CloudTrail log source in JSA.
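To make the Log File protocol part of this integration concrete, here is an added Python example (not part of the guide and not the JSA protocol implementation) that models one Recurrence of the log source: it lists a constructed in-memory bucket, keeps only keys under the Remote Directory whose name matches the FTP File Pattern .*?\.json\.gz, decompresses them (Processor GZIP) and splits the Records array into one event each (Event Generator Amazon AWS JSON), skipping files already retrieved on an earlier poll. The bucket contents, account number, principal and records are constructed samples.

```python
import gzip
import json
import re
from typing import Dict, Iterable, List, Set

# Log source parameters as listed in the guide's Table 7-2. The remote directory
# is the guide's own placeholder; everything below it is constructed sample data.
FILE_PATTERN = re.compile(r".*?\.json\.gz")
REMOTE_DIRECTORY = "\\user_account_name"


def build_sample_bucket() -> Dict[str, bytes]:
    """Constructed stand-in for the S3 bucket: object key -> gzipped CloudTrail file.

    Two made-up records: a successful console login and a DeleteTrail call that
    failed with AccessDenied, the kind of event an offense rule would key on.
    """
    records = {"Records": [
        {"eventVersion": "1.0", "eventTime": "2014-11-27T10:15:32Z",
         "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
         "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
         "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                          "arn": "arn:aws:iam::111122223333:user/alice",
                          "userName": "alice"},
         "responseElements": {"ConsoleLogin": "Success"}},
        {"eventVersion": "1.0", "eventTime": "2014-11-27T10:16:01Z",
         "eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
         "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
         "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                          "arn": "arn:aws:iam::111122223333:user/alice",
                          "userName": "alice"},
         "errorCode": "AccessDenied",
         "errorMessage": "User is not authorized to perform: cloudtrail:DeleteTrail"},
    ]}
    prefix = "user_account_name/AWSLogs/111122223333/CloudTrail/us-east-1/2014/11/27/"
    return {
        prefix + "111122223333_CloudTrail_us-east-1_20141127T1020Z_constructed.json.gz":
            gzip.compress(json.dumps(records).encode("utf-8")),
        # Not an event file: does not match the FTP File Pattern and must be skipped.
        "user_account_name/README.txt": b"not a log file",
        # Matches the pattern but sits outside the Remote Directory.
        "other_account/AWSLogs/999999999999/CloudTrail/us-east-1/2014/11/27/x.json.gz":
            gzip.compress(b'{"Records": []}'),
    }


def matching_keys(keys: Iterable[str], remote_directory: str) -> List[str]:
    """Object keys under the Remote Directory whose file name matches the FTP File Pattern."""
    prefix = remote_directory.strip("/\\") + "/"
    return sorted(k for k in keys
                  if k.startswith(prefix) and FILE_PATTERN.fullmatch(k.rsplit("/", 1)[-1]))


def records_from_gzip(blob: bytes) -> List[Dict]:
    """Processor GZIP followed by Event Generator 'Amazon AWS JSON': decompress the
    file and split its Records array so that each element becomes one JSA event."""
    document = json.loads(gzip.decompress(blob).decode("utf-8"))
    return document.get("Records", [])


def summarize(record: Dict) -> Dict[str, object]:
    """The fields a log source identifier or an offense rule would typically look at."""
    identity = record.get("userIdentity", {})
    return {
        "time": record.get("eventTime"),
        "event": record.get("eventName"),
        "source": record.get("eventSource"),
        "principal": identity.get("arn") or identity.get("type"),
        "src_ip": record.get("sourceIPAddress"),
        "error": record.get("errorCode"),
    }


def poll(bucket: Dict[str, bytes], remote_directory: str, seen: Set[str]) -> List[Dict[str, object]]:
    """One Recurrence of the Log File protocol: list the directory, skip files already
    retrieved, fetch and parse the rest. `seen` is the caller's state between polls."""
    events: List[Dict[str, object]] = []
    for key in matching_keys(bucket.keys(), remote_directory):
        if key in seen:
            continue  # fetched on an earlier recurrence; refetching only adds S3 request cost
        seen.add(key)
        events.extend(summarize(r) for r in records_from_gzip(bucket[key]))
    return events


if __name__ == "__main__":
    state: Set[str] = set()
    bucket = build_sample_bucket()
    for ev in poll(bucket, REMOTE_DIRECTORY, state):
        print(ev)
    print("second poll, new events:", len(poll(bucket, REMOTE_DIRECTORY, state)))
```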
Related tasks
• Manually Installing a DSM
• Enabling Communication between JSA and AWS CloudTrail
• Configuring an Amazon AWS CloudTrail Log Source in JSA

Enabling Communication between JSA and AWS CloudTrail
A certificate is required for the HTTP connection between JSA and Amazon AWS CloudTrail.

Procedure
To enable communication between JSA and AWS CloudTrail:
Step 1 Access your Amazon AWS CloudTrail S3 bucket.
Step 2 Export the certificate as a DER-encoded binary certificate to your desktop system. The file extension must be .DER.
Step 3 Copy the certificate to the /opt/qradar/conf/trusted_certificates directory on the JSA host on which you plan to configure the log source.

Configuring an Amazon AWS CloudTrail Log Source in JSA
To collect Amazon AWS CloudTrail events, you must configure a log source in JSA. When you configure the log source, use the location and keys that are required to access your Amazon AWS CloudTrail S3 bucket.

Before you begin
Ensure that the following components are installed and deployed on your JSA host:
• PROTOCOL-LogFileProtocol-build_number.noarch.rpm
• DSM-AmazonAWSCloudTrail-build_number.noarch.rpm
Also ensure that audit logging is enabled on your Amazon AWS CloudTrail S3 bucket. For more information, see your vendor documentation.

About this task
Table 7-2 provides more information about some of the extended parameters.

Table 7-2 Amazon AWS CloudTrail Log Source Parameters
Bucket Name: The name of the AWS CloudTrail S3 bucket where the log files are stored.
AWS Access Key: The public access key required to access the AWS CloudTrail S3 bucket.
AWS Secret Key: The private access key required to access the AWS CloudTrail S3 bucket.
Remote Directory: The root directory location on the AWS CloudTrail S3 bucket from which the files are retrieved, for example, \user_account_name
FTP File Pattern: .*?\.json\.gz
Processor: GZIP
Event Generator: Amazon AWS JSON. Applies additional processing to the retrieved event files.
Recurrence: Defines how often the Log File Protocol connects to the Amazon cloud API, checks for new files, and retrieves them if they exist. Every access to an AWS S3 bucket incurs a cost to the account that owns the bucket. Therefore, a smaller recurrence value increases the cost.

Procedure
To configure the Amazon AWS CloudTrail log source in JSA:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 In the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 From the Log Source Type list, select Amazon AWS CloudTrail.
Step 7 From the Protocol Configuration list, select Log File.
Step 8 From the Service Type field, select AWS.
Step 9 Configure the remaining parameters.
Step 10 Click Save.
Step 11 On the Admin tab, click Deploy Changes.

7 APPLE MAC OS X
The Apple Mac OS X DSM for Juniper Secure Analytics (JSA) accepts events using syslog.

Supported Event Types
JSA records all relevant firewall, web server access, web server error, privilege escalation, and informational events.

Before You Begin
To integrate Mac OS X events with JSA, you must manually create a log source to receive syslog events. To complete this integration, you must configure a log source, then configure your Mac OS X to forward syslog events. Syslog events forwarded from Mac OS X devices are not automatically discovered. It is recommended that you create a log source, then forward events to JSA. Syslog events from Mac OS X can be forwarded to JSA on TCP port 514 or UDP port 514.

Configuring a Log Source
JSA does not automatically discover or create log sources for syslog events from Apple Mac OS X.

Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Mac OS X.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 8-1 Mac OS X Syslog Parameters
Log Source Identifier: Type the IP address or host name for the log source as an identifier for events from your Apple Mac OS X device.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to JSA. You are now ready to configure your Apple Mac OS X device to forward syslog events to JSA.

Configuring Syslog on Your Apple Mac OS X
You can configure syslog on systems running Mac OS X operating systems.

Procedure
Step 1 Using SSH, log in to your Mac OS X device as a root user.
Step 2 Open the /etc/syslog.conf file.
Step 3 Add the following line to the top of the file. Make sure all other lines remain intact:
    *.* @<IP address>
Where <IP address> is the IP address of the JSA.
Step 4 Save and exit the file.
Step 5 Send a hang-up signal to the syslog daemon to make sure all changes are enforced:
    sudo killall -HUP syslogd
The syslog configuration is complete. Events forwarded to JSA by your Apple Mac OS X are displayed on the Log Activity tab. For more information on configuring Mac OS X, see your Mac OS X vendor documentation.

8 APPLICATION SECURITY DBPROTECT
You can integrate Application Security DbProtect with Juniper Secure Analytics (JSA).

Supported Event Types
The Application Security DbProtect DSM for JSA accepts syslog events from DbProtect devices installed with the Log Enhanced Event Format (LEEF) Service.

Before You Begin
Forwarding syslog events from Application Security DbProtect to JSA requires the LEEF Relay module. The LEEF Relay module for DbProtect translates the default event messages to Log Enhanced Event Format (LEEF) messages for JSA, enabling JSA to record all relevant DbProtect events. Before you can receive events in JSA, you must install and configure the LEEF Service for your DbProtect device to forward syslog events. The DbProtect LEEF Relay requires that you install the .NET 4.0 Framework, which is bundled with the LEEF Relay installation.

Installing the DbProtect LEEF Relay Module
The DbProtect LEEF Relay module for DbProtect must be installed on the same server as the DbProtect console. This allows the DbProtect LEEF Relay to work alongside an existing installation using the standard hardware and software prerequisites for a DbProtect console.
Note: Windows 2003 hosts require the Windows Imaging Components (wic_x86.exe). The Windows Imaging Components are located on the Windows Server Installation CD and must be installed before you continue. For more information, see your Windows 2003 Operating System documentation.

Procedure
Step 1 Download the DbProtect LEEF Relay module for DbProtect from the Application Security, Inc. customer portal: http://www.appsecinc.com
Step 2 Save the setup file to the same host as your DbProtect console.
Step 3 Double-click setup.exe to start the DbProtect LEEF Relay installation.
The Microsoft .NET Framework 4 Client Profile is displayed.
Step 4 Click Accept, if you agree with the Microsoft .NET Framework 4 End User License Agreement.
The Microsoft .NET Framework 4 is installed on your DbProtect console. After the installation is complete, the DbProtect LEEF Relay module installation wizard is displayed.
Step 5 Click Next.
The Installation Folder window is displayed.
Step 6 To select the default installation path, click Next. If you change the default installation directory, make note of the file location, as it is required later.
The Confirm Installation window is displayed.
Step 7 Click Next.
The DbProtect LEEF Relay module is installed.
Step 8 Click Close.
You are now ready to configure the DbProtect LEEF Relay module.

Configuring the DbProtect LEEF Relay
After the installation of the DbProtect LEEF Relay is complete, you can configure the service to forward events to JSA.
Note: The DbProtect LEEF Relay must be stopped before you edit any configuration values.

Procedure
Step 1 Navigate to the DbProtect LEEF Relay installation directory:
    C:\Program Files (x86)\AppSecInc\AppSecLEEFConverter
Step 2 Edit the DbProtect LEEF Relay configuration file:
    AppSecLEEFConverter.exe.config
Step 3 Configure the following values:

Table 9-1 DbProtect LEEF Relay Configuration Parameters
SyslogListenerPort: Optional. Type the listen port number the DbProtect LEEF Relay uses to listen for syslog messages from the DbProtect console. By default, the DbProtect LEEF Relay listens on port 514.
SyslogDestinationHost: Type the IP address of your JSA console or Event Collector.
SyslogDestinationPort: Type 514 as the destination port for LEEF-formatted syslog messages forwarded to JSA.
LogFileName: Optional. Type a file name for the DbProtect LEEF Relay to write debug and log messages. The LocalSystem user account that runs the DbProtect LEEF Relay service must have write privileges to the file path you specify.

Step 4 Save the configuration changes to the file.
Step 5 On the desktop of the DbProtect console, select Start > Run.
The Run window is displayed.
Step 6 Type the following:
    services.msc
Step 7 Click OK.
The Services window is displayed.
Step 8 In the details pane, verify that the DbProtect LEEF Relay is started and set to automatic startup.
Step 9 To change a service property, right-click the service name, and then click Properties.
Step 10 Using the Startup type list box, select Automatic.
Step 11 If the DbProtect LEEF Relay is not started, click Start. You are now ready to configure alerts for your DbProtect console.

Configure DbProtect Alerts

You can configure sensors on your DbProtect console to generate alerts.

Procedure
Step 1 Log in to your DbProtect console.
Step 2 Click the Activity Monitoring tab.
Step 3 Click the Sensors tab.
Step 4 Select a sensor and click Reconfigure. Any database instances that are configured for your database are displayed.
Step 5 Select any database instances and click Reconfigure.
Step 6 Click Next until the Sensor Manager Policy window is displayed.
Step 7 Select the Syslog check box and click Next.
Step 8 The Syslog Configuration window is displayed.
Step 9 In the Send Alerts to the following Syslog console field, type the IP address of your DbProtect console.
Step 10 In the Port field, type the port number you configured in the SyslogListenerPort field of the DbProtect LEEF Relay. By default, 514 is the Syslog listen port for the DbProtect LEEF Relay. For more information, see Configuring the DbProtect LEEF Relay, Step 3.
Step 11 Click Add.
Step 12 Click Next until you reach the Deploy to Sensor window.
Step 13 Click Deploy to Sensor.
The configuration is complete. Events forwarded to JSA by your DbProtect console are added as a log source and automatically displayed on the Log Activity tab.

Configuring a Log Source

JSA automatically discovers and creates a log source for syslog events from Application Security DbProtect. These configuration steps are optional.

Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Application Security DbProtect.
Step 9 Using the Protocol Configuration list box, select Syslog. The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 9-2 Syslog Parameters
Log Source Identifier: Type the IP address or host name for the log source as an identifier for events from your Application Security DbProtect device.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to JSA.

ARBOR NETWORKS PEAKFLOW

Juniper Secure Analytics (JSA) can collect and categorize syslog events from Arbor Networks Peakflow SP appliances that are in your network.

Configuration Overview

Arbor Networks Peakflow SP appliances store syslog events locally. To collect local syslog events, you must configure your Peakflow SP appliance to forward the syslog events to a remote host. JSA automatically discovers and creates log sources for syslog events that are forwarded from Arbor Networks Peakflow SP appliances. JSA supports syslog events that are forwarded from Peakflow V5.8.

To configure Arbor Networks Peakflow SP, complete the following tasks:
1 On your Peakflow SP appliance, create a notification group for JSA.
2 On your Peakflow SP appliance, configure the global notification settings.
3 On your Peakflow SP appliance, configure your alert notification rules.
4 On your JSA system, verify that the forwarded events are automatically discovered.

Supported Event Types for Arbor Networks Peakflow SP

The Arbor Networks Peakflow DSM for JSA collects events from several categories. Each event category contains low-level events that describe the action that is taken within the event category. For example, authentication events can have low-level categories of login successful or login failure.
The following list defines the event categories that are collected by JSA from Peakflow SP appliances:
• Denial of Service (DoS) events
• Authentication events
• Exploit events
• Suspicious activity events
• System events

Configuring Remote Syslog in Peakflow SP

To collect events, you must configure a new notification group or edit existing groups to add JSA as a remote syslog destination.

Procedure
To configure Remote Syslog in Peakflow SP:
Step 1 Log in to the configuration interface for your Peakflow SP appliance as an administrator.
Step 2 In the navigation menu, select Administration > Notification > Groups.
Step 3 Click Add Notification Group.
Step 4 In the Destinations field, type the IP address of your JSA system.
Step 5 In the Port field, type 514 as the port for your syslog destination.
Step 6 From the Facility list, select a syslog facility.
Step 7 From the Severity list, select info. The informational severity collects all event messages at the informational event level and higher severity.
Step 8 Click Save.
Step 9 Click Configuration Commit.

Configuring Global Notifications Settings for Alerts in Peakflow SP

Global notifications in Peakflow SP provide system notifications that are not associated with rules. This procedure defines how to add JSA as the default notification group and enable system notifications.

Procedure
Step 1 Log in to the configuration interface for your Peakflow SP appliance as an administrator.
Step 2 In the navigation menu, select Administration > Notification > Global Settings.
Step 3 In the Default Notification Group field, select the notification group that you created for JSA syslog events.
Step 4 Click Save.
Step 5 Click Configuration Commit to apply the configuration changes.
Step 6 Log in to the Peakflow SP command-line interface as an administrator.
Step 7 Type the following command to list the current alert configuration: services sp alerts system_errors show
Step 8 Optional.
Type the following command to list the field names that can be configured: services sp alerts system_errors ?
Step 9 Type the following command to enable a notification for a system alert: services sp alerts system_errors notifications enable
The argument that follows the command is the field name of the notification.
Step 10 Type the following command to commit the configuration changes: config write

Configuring Alert Notification Rules in Peakflow SP

To generate events, you must edit or add rules that use the notification group that has JSA as a remote syslog destination.

Procedure
Step 1 Log in to the configuration interface for your Peakflow SP appliance as an administrator.
Step 2 In the navigation menu, select Administration > Notification > Rules.
Step 3 Select one of the following options:
• Click a current rule to edit the rule.
• Click Add Rule to create a new notification rule.
Step 4 Configure the following values:

Table 10-3 Notification Rule Parameters
Name: Type the IP address or host name as an identifier for events from your Peakflow SP installation. The log source identifier must be a unique value.
Resource: Type a CIDR address or select a managed object from the list of Peakflow resources.
Importance: Select the importance of the rule.
Notification Group: Select the notification group that you assigned to forward syslog events to JSA.

Step 5 Repeat these steps to configure any other rules you want to forward to JSA.
Step 6 Click Save.
Step 7 Click Configuration Commit to apply the configuration changes.
JSA automatically discovers and creates a log source for Peakflow SP appliances. Events that are forwarded to JSA are displayed on the Log Activity tab.

Configuring a Peakflow SP Log Source

JSA automatically discovers and creates a log source for syslog events forwarded from Arbor Peakflow. These configuration steps are optional.

Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 In the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 Optional. In the Log Source Description field, type a description for your log source.
Step 8 From the Log Source Type list box, select Arbor Networks Peakflow.
Step 9 From the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 10-4 Syslog Protocol Parameters
Log Source Identifier: Type the IP address or host name as an identifier for events from your Peakflow SP installation. The log source identifier must be a unique value.
Enabled: Select this check box to enable the log source. By default, the check box is selected.
Credibility: Select the credibility of the log source. The range is 0 - 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.
Target Event Collector: Select the Event Collector to use as the target for the log source.
Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. By default, automatically discovered log sources inherit the value of the Coalescing Events list box from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.
Incoming Event Payload: From the list box, select the incoming payload encoder for parsing and storing the logs.
Store Event Payload: Select this check box to enable the log source to store event payload information. By default, automatically discovered log sources inherit the value of the Store Event Payload list box from the System Settings in JSA.
When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

ARBOR NETWORKS PRAVAIL

The Juniper Secure Analytics (JSA) DSM for Arbor Networks Pravail can collect event logs from your Arbor Networks Pravail servers. Table 11-1 provides the specifications of the Arbor Networks Pravail DSM.

Table 11-1 Arbor Networks Pravail DSM Specifications
Manufacturer: Arbor Networks
DSM: Arbor Networks Pravail
RPM file name: DSM-ArborNetworksPravail-build_number.noarch.rpm
Supported versions:
Protocol: Syslog
JSA recorded events: All relevant events
Automatically discovered: Yes
Includes identity: No
More information: http://www.stealthbits.com/resources

Arbor Networks Pravail DSM Integration Process

To integrate the Arbor Networks Pravail DSM with JSA, use the following procedure:
1 If automatic updates are not enabled, download and install the most recent Arbor Networks Pravail RPM on your JSA console.
2 For each instance of Arbor Networks Pravail, configure your Arbor Networks Pravail system to enable communication with JSA.
3 If JSA automatically discovers the DSM, for each Arbor Networks Pravail server you want to integrate, create a log source on the JSA console.

Related tasks
• Manually Installing a DSM
• Configuring your Arbor Networks Pravail System for Communication with JSA
• Configuring an Arbor Networks Pravail Log Source in JSA

Configuring your Arbor Networks Pravail System for Communication with JSA

To collect all audit logs and system events from Arbor Networks Pravail, you must add a destination that specifies JSA as the syslog server.

Procedure
To configure your Arbor Networks Pravail system for communication with JSA:
Step 1 Log in to your Arbor Networks Pravail server.
Step 2 Click Settings & Reports.
Step 3 Click Administration > Notifications.
Step 4 On the Configure Notifications page, click Add Destinations.
Step 5 Select Syslog.
Step 6 Configure the following parameters:

Table 11-2 Parameters to Configure the Arbor Networks Pravail System
Host: The IP address of the JSA Console
Port: 514
Severity: Info
Alert Types: The alert types that you want to send to the JSA Console

Step 7 Click Save.

Configuring an Arbor Networks Pravail Log Source in JSA

To collect Arbor Networks Pravail events, configure a log source in JSA.

Procedure
To configure an Arbor Networks Pravail log source in JSA:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 In the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 From the Log Source Type list, select Arbor Networks Pravail.
Step 7 From the Protocol Configuration list, select Syslog.
Step 8 Configure the remaining parameters.
Step 9 Click Save.
Step 10 On the Admin tab, click Deploy Changes.

ARPEGGIO SIFT-IT

The Juniper Secure Analytics (JSA) SIFT-IT DSM accepts syslog events from Arpeggio SIFT-IT running on IBM iSeries® that are formatted using the Log Enhanced Event Format (LEEF).

Supported Versions

JSA supports events from Arpeggio SIFT-IT 3.1 and above installed on IBM iSeries version 5 revision 3 (V5R3) and above.

Supported Events

Arpeggio SIFT-IT supports syslog events from the journal QAUDJRN in LEEF format. For example:

Jan 29 01:33:34 RUFUS LEEF:1.0|Arpeggio|SIFT-IT|3.1|PW_U|sev=3 usrName=ADMIN src=100.100.100.114 srcPort=543 jJobNam=QBASE jJobUsr=ADMIN jJobNum=1664 jrmtIP=100.100.100.114 jrmtPort=543 jSeqNo=4755 jPgm=QWTMCMNL jPgmLib=QSYS jMsgId=PWU0000 jType=U jUser=ROOT jDev=QPADEV000F jMsgTxt=Invalid user id ROOT. Device QPADEV000F.
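The example event above is easiest to reason about once it is split into its LEEF header fields (version, vendor, product, product version, event ID) and its key=value attributes. The following parser is an added example written for this guide, not code from Arpeggio or from JSA. It takes the sample line shown above, including its syslog timestamp and host prefix, and handles both the space-delimited attribute list that SIFT-IT emits and the tab-delimited form that the LEEF specification uses, keeping free-text values such as jMsgTxt intact. The second, tab-delimited sample is constructed for illustration, and the PW_U filter in failed_logins is an assumption drawn from the sample event, not a documented SIFT-IT category mapping.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Sample copied from the SIFT-IT event shown above: a BSD syslog prefix
# (timestamp and host) followed by the LEEF payload.
SIFTIT_SAMPLE = (
    "Jan 29 01:33:34 RUFUS LEEF:1.0|Arpeggio|SIFT-IT|3.1|PW_U|sev=3 usrName=ADMIN "
    "src=100.100.100.114 srcPort=543 jJobNam=QBASE jJobUsr=ADMIN jJobNum=1664 "
    "jrmtIP=100.100.100.114 jrmtPort=543 jSeqNo=4755 jPgm=QWTMCMNL jPgmLib=QSYS "
    "jMsgId=PWU0000 jType=U jUser=ROOT jDev=QPADEV000F "
    "jMsgTxt=Invalid user id ROOT. Device QPADEV000F."
)

# Constructed sample (not real log data) using LEEF's native tab delimiter,
# the layout a Windows agent template produces.
TAB_SAMPLE = (
    "<14>Nov 27 10:15:00 WIN-DC01 LEEF:1.0|Microsoft|Windows|2k8r2|4625|"
    "\tdevTime=2014-11-27T10:15:00GMT-05:00\tcat=Security\tsev=Audit Failure"
    "\tusrName=CORP\\jdoe\tmessage=An account failed to log on."
)


@dataclass
class LeefEvent:
    version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attributes: Dict[str, str] = field(default_factory=dict)


# Header: LEEF:<version>|<vendor>|<product>|<product version>|<event id>|<attributes>
_HEADER_RE = re.compile(
    r"LEEF:(?P<ver>[^|]+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<pver>[^|]*)\|(?P<eid>[^|]*)\|(?P<body>.*)$",
    re.DOTALL,
)

# Space-delimited attributes: a value runs until the next "<space>key=" or the
# end of the line, so free text such as jMsgTxt keeps its embedded spaces.
_SPACE_KV_RE = re.compile(r"(?P<key>\w+)=(?P<val>.*?)(?=\s+\w+=|\s*$)", re.DOTALL)


def parse_leef(line: str) -> LeefEvent:
    """Parse one syslog line carrying a LEEF 1.0 payload; raise ValueError if none."""
    m = _HEADER_RE.search(line)
    if m is None:
        raise ValueError("no LEEF header found in line")
    body = m.group("body")
    attrs: Dict[str, str] = {}
    if "\t" in body:
        # Native LEEF delimiter: one attribute per tab-separated field.
        for part in body.split("\t"):
            if "=" in part:
                key, val = part.split("=", 1)
                attrs[key] = val
    else:
        for kv in _SPACE_KV_RE.finditer(body):
            attrs[kv.group("key")] = kv.group("val")
    return LeefEvent(
        version=m.group("ver"),
        vendor=m.group("vendor"),
        product=m.group("product"),
        product_version=m.group("pver"),
        event_id=m.group("eid"),
        attributes=attrs,
    )


def failed_logins(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (user, source) pairs for SIFT-IT events with event ID PW_U.

    Assumption for illustration: PW_U is treated as the invalid-user-id event
    because that is what the sample above reports; lines without a LEEF
    payload are skipped rather than failing the whole batch.
    """
    hits = []
    for line in lines:
        try:
            ev = parse_leef(line)
        except ValueError:
            continue
        if ev.product == "SIFT-IT" and ev.event_id == "PW_U":
            hits.append((ev.attributes.get("jUser", ""), ev.attributes.get("src", "")))
    return hits


if __name__ == "__main__":
    for sample in (SIFTIT_SAMPLE, TAB_SAMPLE):
        ev = parse_leef(sample)
        print(ev.vendor, ev.product, ev.event_id, len(ev.attributes), "attributes")
    print(failed_logins([SIFTIT_SAMPLE, TAB_SAMPLE]))
```

The delimiter detection matters in practice: a tab-delimited payload split on spaces would break values such as the Windows message text into fragments, while a space-delimited payload split on tabs would come back as a single attribute.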
Events SIFT-IT forwards to JSA are determined by a configuration rule set file. SIFT-IT includes a default configuration rule set file that you can edit to meet your security or auditing requirements. For more information on configuring rule set files, see your SIFT-IT User Guide.

Configuring a SIFT-IT Agent

Arpeggio SIFT-IT is capable of forwarding syslog events in LEEF format with SIFT-IT agents. A SIFT-IT agent configuration defines the location of your JSA installation, the protocol and formatting of the event message, and the configuration rule set.

Procedure
Step 1 Log in to your IBM iSeries.
Step 2 Type the following command and press Enter to add SIFT-IT to your library list: ADDLIBLE SIFTITLIB0
Step 3 Type the following command and press Enter to access the SIFT-IT main menu: GO SIFTIT
Step 4 From the main menu, select 1. Work with SIFT-IT Agent Definitions.
Step 5 Type 1 to add an agent definition for JSA and press Enter.
Step 6 Configure the following agent parameters:
a In the SIFT-IT Agent Name field, type a name. For example, JSA.
b In the Description field, type a description for the agent. For example, Arpeggio agent for JSA.
c In the Server host name or IP address field, type the location of your JSA console or Event Collector.
d In the Connection type field, type either *TCP, *UDP, or *SECURE. The *SECURE option requires the TLS protocol. For more information, see the Log Sources Users Guide.
e In the Remote port number field, type 514. By default, JSA supports both TCP and UDP syslog messages on port 514.
f In the Message format options field, type *JSA.
g Optional. Configure any additional parameters for attributes that are not JSA specific. The additional operational parameters are described in the SIFT-IT User Guide.
h Press F3 to exit to the Work with SIFT-IT Agents Description menu.
Step 7 Type 9 and press Enter to load a configuration rule set for JSA.
Step 8 In the Configuration file field, type the path to your JSA configuration rule set file. For example, /sifitit/JSAconfig.txt
Step 9 Press F3 to exit to the Work with SIFT-IT Agents Description menu.
Step 10 Type 11 to start the JSA agent.
The configuration is complete.

Next steps
Syslog events forwarded by Arpeggio SIFT-IT in LEEF format are automatically discovered by JSA. In most cases, the log source is automatically created in JSA after a small number of events are detected. If the event rate is extremely low, you might be required to manually create a log source for Arpeggio SIFT-IT in JSA. Until the log source is automatically discovered and identified, the event type is displayed as Unknown on the Log Activity tab of JSA. Automatically discovered log sources can be viewed on the Admin tab of JSA by clicking the Log Sources icon.

Configuring a Log Source

JSA automatically discovers and creates a log source for system authentication events forwarded from Arpeggio SIFT-IT. This procedure is optional.

Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Arpeggio SIFT-IT.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 12-1 Syslog Parameters
Log Source Identifier: Type the IP address or host name for the log source as an identifier for events from your Arpeggio SIFT-IT installation.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.
Additional Information

After you create your JSA agent definition, you can use your Arpeggio SIFT-IT software and JSA integration to customize your security and auditing requirements. This can include:
• Creating custom configurations in Arpeggio SIFT-IT with granular filtering on event attributes. For example, filtering on job name, user, file or object name, system objects, or ports. All events forwarded from SIFT-IT and the contents of the event payload in JSA are easily searchable.
• Configuring rules in JSA to generate alerts or offenses for your security team to identify potential security threats, data loss, or breaches in real time.
• Configuring processes in Arpeggio SIFT-IT to trigger real-time remediation of issues on your IBM iSeries.
• Creating offenses for your security team from Arpeggio SIFT-IT events in JSA with the Offenses tab, or configuring email job logs in SIFT-IT for your IBM iSeries administrators.
• Creating multiple configuration rule sets for multiple agents that run simultaneously to handle specific security or audit events. For example, you can configure one JSA agent with a specific rule set for forwarding all IBM iSeries events, then develop multiple configuration rule sets for specific compliance purposes. This allows you to easily manage configuration rule sets for compliance regulations, such as FISMA, PCI, HIPAA, SOX, or ISO 27001. All of the events forwarded by SIFT-IT JSA agents are contained in a single log source and categorized to be easily searchable.

ARRAY NETWORKS SSL VPN

The Array Networks SSL VPN DSM for Juniper Secure Analytics (JSA) collects events from an ArrayVPN appliance using syslog.

Supported Event Types

JSA records all relevant SSL VPN events forwarded using syslog on TCP port 514 or UDP port 514.

Configuring a Log Source

To integrate Array Networks SSL VPN events with JSA, you must manually create a log source.
JSA does not automatically discover or create log sources for syslog events from Array Networks SSL VPN.

Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Array Networks SSL VPN Access Gateways.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 13-1 Syslog Parameters
Log Source Identifier: Type the IP address or host name for the log source as an identifier for events from your Array Networks SSL VPN appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to JSA. Events forwarded to JSA by Array Networks SSL VPN are displayed on the Log Activity tab.

Next Steps
You are now ready to configure your Array Networks SSL VPN appliance to forward remote syslog events to JSA. For more information on configuring Array Networks SSL VPN appliances for remote syslog, consult your Array Networks documentation.

ARUBA MOBILITY CONTROLLERS

The Aruba Mobility Controllers DSM for Juniper Secure Analytics (JSA) accepts events using syslog.

Supported Event Types

JSA records all relevant events forwarded using syslog on TCP port 514 or UDP port 514.

Configure Your Aruba Mobility Controller

You can configure the Aruba Wireless Networks (Mobility Controller) device to forward syslog events to JSA.

Procedure
Step 1 Log in to the Aruba Mobility Controller user interface.
Step 2 From the top menu, select Configuration.
Step 3 From the Switch menu, select Management.
Step 4 Click the Logging tab.
Step 5 From the Logging Servers menu, select Add.
Step 6 Type the IP address of the JSA server that you want to collect the logs.
Step 7 Click Add.
Step 8 Optional. Change the logging level for a module:
a Select the check box next to the name of the logging module.
b Choose the logging level you want to change from the list box that is displayed at the bottom of the window.
Step 9 Click Done.
Step 10 Click Apply.
The configuration is complete. The log source is added to JSA as Aruba Mobility Controller events are automatically discovered. Events forwarded to JSA by Aruba Mobility Controller are displayed on the Log Activity tab of JSA.

Configuring a Log Source

JSA automatically discovers and creates a log source for syslog events from Aruba Mobility Controllers. These configuration steps are optional.

Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Aruba Mobility Controller.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 14-1 Syslog Parameters
Log Source Identifier: Type the IP address or host name for the log source as an identifier for events from your Aruba Mobility Controller.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to JSA. Events forwarded to JSA by Aruba Mobility Controller appliances are displayed on the Log Activity tab.

AVAYA VPN GATEWAY

The Juniper Secure Analytics (JSA) DSM for Avaya VPN Gateway can collect event logs from your Avaya VPN Gateway servers. Table 15-1 identifies the specifications for the Avaya VPN Gateway DSM.
Table 15-1 Avaya VPN Gateway DSM Specifications
Manufacturer: Avaya Inc.
DSM: Avaya VPN Gateway
RPM file name: DSM-AvayaVPNGateway-7.1-799033.noarch.rpm, DSM-AvayaVPNGateway-7.2-799036.noarch.rpm
Supported versions: 9.0.7.2
Protocol: syslog
JSA recorded events: OS, System Control Process, Traffic Processing, Startup, Configuration Reload, AAA Subsystem, IPsec Subsystem
Automatically discovered: Yes
Includes identity: Yes
More information: http://www.avaya.com

Avaya VPN Gateway DSM Integration Process

To integrate the Avaya VPN Gateway DSM with JSA, use the following procedure:
1 If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA console:
• Syslog protocol RPM
• DSMCommon RPM
• Avaya VPN Gateway RPM
2 For each instance of Avaya VPN Gateway, configure your Avaya VPN Gateway system to enable communication with JSA.
3 If JSA automatically discovers the log source, for each Avaya VPN Gateway server you want to integrate, create a log source on the JSA console.

Related tasks
• Manually Installing a DSM
• Configuring your Avaya VPN Gateway System for Communication with JSA
• Configuring an Avaya VPN Gateway Log Source in JSA

Configuring your Avaya VPN Gateway System for Communication with JSA

To collect all audit logs and system events from Avaya VPN Gateway, you must specify JSA as the syslog server and configure the message format.

Procedure
To configure your Avaya VPN Gateway system for communication with JSA:
Step 1 Log in to your Avaya VPN Gateway command-line interface (CLI).
Step 2 Type the following command: /cfg/sys/syslog/add
Step 3 At the prompt, type the IP address of your JSA system.
Step 4 To apply the configuration, type the following command: apply
Step 5 To verify that the IP address of your JSA system is listed, type the following command: /cfg/sys/syslog/list

Configuring an Avaya VPN Gateway Log Source in JSA

To collect Avaya VPN Gateway events, configure a log source in JSA.

Procedure
To configure an Avaya VPN Gateway log source in JSA:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 In the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 From the Log Source Type list, select Avaya VPN Gateway.
Step 7 From the Protocol Configuration list, select Syslog.
Step 8 Configure the remaining parameters.
Step 9 Click Save.
Step 10 On the Admin tab, click Deploy Changes.

BALABIT IT SECURITY

The BalaBit Syslog-ng Agent application can collect and forward syslog events for the Microsoft Security Event Log DSM and the Microsoft ISA DSM in Juniper Secure Analytics (JSA). To configure a BalaBit IT Security agent, select a configuration:
• Configuring BalaBit IT Security for Microsoft Windows Events
• Configuring BalaBit IT Security for Microsoft ISA or TMG Events

Configuring BalaBit IT Security for Microsoft Windows Events

The Microsoft Windows Security Event Log DSM in JSA can accept Log Extended Event Format (LEEF) events from BalaBit's Syslog-ng Agent.

Supported Event Types

The BalaBit Syslog-ng Agent forwards the following Windows events to JSA using syslog:
• Windows security
• Application
• System
• DNS
• DHCP
• Custom container event logs

Before You Begin

Before you can receive events from BalaBit IT Security Syslog-ng Agents, you must install and configure the agent to forward events. Review the following configuration steps before you attempt to configure the BalaBit Syslog-ng Agent:
1 Install the BalaBit Syslog-ng Agent on your Windows host.
For more information, see your BalaBit Syslog-ng Agent documentation.
2 Configure Syslog-ng Agent events.
3 Configure JSA as a destination for the Syslog-ng Agent.
4 Restart the Syslog-ng Agent service.
5 Optional. Configure the log source in JSA.

Configuring the Syslog-ng Agent Event Source

Before you can forward events to JSA, you must specify which Windows-based events the Syslog-ng Agent collects.

Procedure
Step 1 From the Start menu, select All Programs > syslog-ng Agent for Windows > Configure syslog-ng Agent for Windows. The Syslog-ng Agent window is displayed.
Step 2 Expand the syslog-ng Agent Settings pane, and select Eventlog Sources.
Step 3 Double-click Event Containers. The Event Containers Properties window is displayed.
Step 4 From the Event Containers pane, select the Enable radio button.
Step 5 Select a check box for each event type you want to collect:
• Application - Select this check box if you want the device to monitor the Windows application event log.
• Security - Select this check box if you want the device to monitor the Windows security event log.
• System - Select this check box if you want the device to monitor the Windows system event log.
Note: BalaBit's Syslog-ng Agent supports additional event types, such as DNS or DHCP events, using custom containers. For more information, see your BalaBit Syslog-ng Agent documentation.
Step 6 Click Apply, and then click OK.
The event configuration for your BalaBit Syslog-ng Agent is complete. You are now ready to configure JSA as a destination for Syslog-ng Agent events.

Configuring a Syslog Destination

The Syslog-ng Agent allows you to configure multiple destinations for your Windows-based events. To configure JSA as a destination, you must specify the IP address for JSA, and then configure a message template for the LEEF format.
Procedure
Step 1 From the Start menu, select All Programs > syslog-ng Agent for Windows > Configure syslog-ng Agent for Windows. The Syslog-ng Agent window is displayed.
Step 2 Expand the syslog-ng Agent Settings pane, and click Destinations.
Step 3 Double-click Add new server. The Server Property window is displayed.
Step 4 On the Server tab, click Set Primary Server.
Step 5 Configure the following parameters:
a Server Name - Type the IP address of your JSA console or Event Collector.
b Server Port - Type 514 as the TCP port number for events forwarded to JSA.
Step 6 Click the Messages tab.
Step 7 From the Protocol list box, select Legacy BSD Syslog Protocol.
Step 8 In the Template field, define a custom template message for the protocol by typing:
<${PRI}>${BSDDATE} ${HOST} LEEF:${MSG}
The information typed in this field is space delimited.
Step 9 From the Event Message Format pane, in the Message Template field, type the following to define the format for the LEEF events:
1.0|Microsoft|Windows|2k8r2|${EVENT_ID}|devTime=${R_YEAR}-${R_MONTH}-${R_DAY}T${R_HOUR}:${R_MIN}:${R_SEC}GMT${TZOFFSET} devTimeFormat=yyyy-MM-dd'T'HH:mm:ssz cat=${EVENT_TYPE} sev=${EVENT_LEVEL} resource=${HOST} usrName=${EVENT_USERNAME} application=${EVENT_SOURCE} message=${EVENT_MSG}
Note: The LEEF format uses a tab as the delimiter that separates event attributes from each other. However, the delimiter does not start until after the last pipe character, following ${EVENT_ID}. The following fields must be preceded by a tab: devTime, devTimeFormat, cat, sev, resource, usrName, application, and message. You might need to use a text editor to copy and paste the LEEF message format into the Message Template field.
Step 10 Click OK.
The destination configuration is complete. You are now ready to restart the Syslog-ng Agent service.
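To see what Steps 8 and 9 produce on the wire, the following added example (written for this guide, not BalaBit's or JSA's code) assembles one line the way the two templates combine: the PRI and BSD date prefix from Step 8, then the LEEF header and tab-separated attributes from Step 9, with devTime rendered in the form that the devTimeFormat value declares. The check_template_line function flags the mistakes the note above warns about: a missing tab after the last pipe, a missing attribute, or a devTime that does not match devTimeFormat. The macro values (host WIN-DC01, event 4625, and so on) are constructed sample data, and devTime is built from a single datetime rather than from the separate ${R_YEAR} to ${R_SEC} macros.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List

# Attributes in the order the Step 9 template lists them; the note says each
# must be preceded by a tab.
TEMPLATE_ATTRIBUTES = ["devTime", "devTimeFormat", "cat", "sev", "resource",
                       "usrName", "application", "message"]
DEV_TIME_FORMAT = "yyyy-MM-dd'T'HH:mm:ssz"
# What a devTime value must look like for the declared format above:
# date, 'T', time, then "GMT" and a signed hh:mm offset (the template's TZOFFSET).
_DEVTIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}GMT[+-]\d{2}:\d{2}$")


def syslog_pri(facility: int, severity: int) -> int:
    """Syslog PRI as carried by the ${PRI} macro: facility * 8 + severity."""
    return facility * 8 + severity


def format_dev_time(ts: datetime) -> str:
    """Render devTime as the template does: yyyy-MM-ddTHH:mm:ss followed by GMT and the offset."""
    offset = ts.utcoffset() or timedelta(0)
    seconds = int(offset.total_seconds())
    sign = "+" if seconds >= 0 else "-"
    seconds = abs(seconds)
    tzoffset = f"{sign}{seconds // 3600:02d}:{(seconds % 3600) // 60:02d}"
    return ts.strftime("%Y-%m-%dT%H:%M:%S") + "GMT" + tzoffset


def sample_fields() -> Dict[str, Any]:
    """Constructed values for the syslog-ng macros the templates reference (not real log data)."""
    return {
        "BSDDATE": "Nov 27 10:15:00",
        "HOST": "WIN-DC01",
        "EVENT_ID": "4625",
        "R_TIME": datetime(2014, 11, 27, 10, 15, 0, tzinfo=timezone(timedelta(hours=-5))),
        "EVENT_TYPE": "Security",
        "EVENT_LEVEL": "Audit Failure",
        "EVENT_USERNAME": "CORP\\jdoe",
        "EVENT_SOURCE": "Microsoft-Windows-Security-Auditing",
        "EVENT_MSG": "An account failed to log on.",
    }


def build_leef_line(fields: Dict[str, Any], facility: int = 1, severity: int = 6) -> str:
    """Combine the Step 8 syslog template with the Step 9 LEEF message template."""
    values = [
        ("devTime", format_dev_time(fields["R_TIME"])),
        ("devTimeFormat", DEV_TIME_FORMAT),
        ("cat", fields["EVENT_TYPE"]),
        ("sev", fields["EVENT_LEVEL"]),
        ("resource", fields["HOST"]),
        ("usrName", fields["EVENT_USERNAME"]),
        ("application", fields["EVENT_SOURCE"]),
        ("message", fields["EVENT_MSG"]),
    ]
    header = f"LEEF:1.0|Microsoft|Windows|2k8r2|{fields['EVENT_ID']}|"
    # A tab before every attribute, including the first one after the last pipe.
    body = "".join(f"\t{key}={value}" for key, value in values)
    return f"<{syslog_pri(facility, severity)}>{fields['BSDDATE']} {fields['HOST']} {header}{body}"


def check_template_line(line: str) -> List[str]:
    """Return the template problems the note above warns about; an empty list means the line is well formed."""
    m = re.search(r"LEEF:1\.0\|Microsoft\|Windows\|2k8r2\|[^|]*\|(?P<body>.*)$", line, re.DOTALL)
    if m is None:
        return ["LEEF header missing or malformed"]
    body = m.group("body")
    problems: List[str] = []
    if not body.startswith("\t"):
        problems.append("no tab after the last pipe: first attribute runs into the header")
    attrs: Dict[str, str] = {}
    for part in body.split("\t"):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key] = value
    for key in TEMPLATE_ATTRIBUTES:
        if key not in attrs:
            problems.append(f"missing attribute {key}")
    if "devTime" in attrs and not _DEVTIME_RE.match(attrs["devTime"]):
        problems.append(f"devTime {attrs['devTime']!r} does not match {DEV_TIME_FORMAT}")
    return problems


def demo_line() -> str:
    """The line the constructed sample fields produce."""
    return build_leef_line(sample_fields())


if __name__ == "__main__":
    line = demo_line()
    print(line.replace("\t", "<TAB>"))
    print("problems:", check_template_line(line))
    # The same line with the tabs typed as spaces, the mistake the note warns about.
    print("problems:", check_template_line(line.replace("\t", " ")))
```

Running the block prints the assembled line with the tabs made visible, then shows that the space-delimited variant (what you get when the template is typed by hand instead of pasted) loses every attribute, which is why the note recommends preparing the template in a text editor.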
Restart the Syslog-ng Agent Service

Before the Syslog-ng Agent can forward LEEF formatted events, you must restart the Syslog-ng Agent service on the Windows host.

Procedure
Step 1 From the Start menu, select Start > Run. The Run window is displayed.
Step 2 Type the following: services.msc
Step 3 Click OK. The Services window is displayed.
Step 4 In the Name column, right-click Syslog-ng Agent for Windows, and select Restart.
After the Syslog-ng Agent for Windows service restarts, the configuration is complete. Syslog events from the BalaBit Syslog-ng Agent are automatically discovered by JSA. The Windows events that are automatically discovered are displayed as Microsoft Windows Security Event Logs on the Log Activity tab.

Configuring a Log Source

JSA automatically discovers and creates a log source for syslog events from LEEF formatted messages. These configuration steps are optional.

Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your BalaBit Syslog-ng Agent log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Microsoft Windows Security Event Log.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 16-1 Syslog Parameters
Log Source Identifier: Type the IP address or host name for the log source as an identifier for events from the BalaBit Syslog-ng Agent.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.

Configuring BalaBit IT Security for Microsoft ISA or TMG Events

You can integrate the BalaBit Syslog-ng Agent application to forward syslog events to JSA.
Supported Event Types
The BalaBit Syslog-ng Agent reads Microsoft ISA or Microsoft TMG event logs and forwards syslog events using the Log Event Extended Format (LEEF). The events forwarded by BalaBit IT Security are parsed and categorized by the Microsoft Internet Security and Acceleration (ISA) DSM for JSA. The DSM accepts both Microsoft ISA and Microsoft Threat Management Gateway (TMG) events.
Before You Begin
Before you can receive events from BalaBit IT Security Syslog-ng Agents, you must install and configure the agent to forward events.
Note: This integration uses BalaBit's Syslog-ng Agent for Windows and BalaBit's Syslog-ng PE to parse and forward events to JSA for the DSM to interpret.
Review the following configuration steps before you attempt to configure the BalaBit Syslog-ng Agent. To configure the BalaBit Syslog-ng Agent, you must:
1 Install the BalaBit Syslog-ng Agent on your Windows host. For more information, see your BalaBit Syslog-ng Agent vendor documentation.
2 Configure the BalaBit Syslog-ng Agent.
3 Install BalaBit Syslog-ng PE for Linux or Unix in relay mode to parse and forward events to JSA. For more information, see your BalaBit Syslog-ng PE vendor documentation.
4 Configure syslog for BalaBit Syslog-ng PE.
5 Optional. Configure the log source in JSA.
Configure the BalaBit Syslog-ng Agent
Before you can forward events to JSA, you must specify the file source for the Microsoft ISA or Microsoft TMG events that the Syslog-ng Agent collects. If your Microsoft ISA or Microsoft TMG appliance is generating event files for both the Web Proxy Server and the Firewall Service, both files can be added.
Configure the file source
File sources allow you to define the base log directory and files monitored by the Syslog-ng Agent.
Procedure
Step 1 From the Start menu, select All Programs > syslog-ng Agent for Windows > Configure syslog-ng Agent for Windows. The Syslog-ng Agent window is displayed.
Step 2 Expand the syslog-ng Agent Settings pane, and select File Sources.
Step 3 Select the Enable radio button.
Step 4 Click Add to add your Microsoft ISA and TMG event files.
Step 5 From the Base Directory field, click Browse and select the folder for your Microsoft ISA or Microsoft TMG log files.
Step 6 From the File Name Filter field, click Browse and select a log file containing your Microsoft ISA or Microsoft TMG events.
Note: The File Name Filter field supports the wildcard (*) and question mark (?) characters so that the agent can follow log files that are replaced after reaching a specific file size or date.
Step 7 In the Application Name field, type a name to identify the application.
Step 8 From the Log Facility list box, select Use Global Settings.
Step 9 Click OK.
Step 10 To add additional file sources, click Add and repeat this process from Step 4. Microsoft ISA and TMG store Web Proxy Service events and Firewall Service events in individual files.
Step 11 Click Apply, and then click OK. The event configuration is complete. You are now ready to configure a syslog destination and formatting for your Microsoft TMG and ISA events.
Configuring a syslog destination
The event logs captured by Microsoft ISA or TMG cannot be parsed by the BalaBit Syslog-ng Agent for Windows, so you must forward your logs to a BalaBit Syslog-ng Premium Edition (PE) for Linux or Unix. To forward your TMG and ISA event logs, you must specify the IP address of your PE relay and configure a message template for the LEEF format. The BalaBit Syslog-ng PE acts as an intermediate syslog server that parses the events and forwards the information to JSA.
Procedure
Step 1 From the Start menu, select All Programs > syslog-ng Agent for Windows > Configure syslog-ng Agent for Windows. The Syslog-ng Agent window is displayed.
Step 2 Expand the syslog-ng Agent Settings pane, and click Destinations.
Step 3 Double-click Add new server.
Step 4 On the Server tab, click Set Primary Server.
Step 5 Configure the following parameters:
a Server Name - Type the IP address of your BalaBit Syslog-ng PE relay.
b Server Port - Type 514 as the TCP port number for events forwarded to your BalaBit Syslog-ng PE relay.
Step 6 Click the Messages tab.
Step 7 From the Protocol list box, select Legacy BSD Syslog Protocol.
Step 8 From the File Message Format pane, in the Message Template field, type the following format command:
${FILE_MESSAGE}${TZOFFSET}
Step 9 Click Apply, and then click OK. The destination configuration is complete. You are now ready to filter comment lines from the event log.
Filtering the log file for comment lines
The event log file for Microsoft ISA or Microsoft TMG can contain comment markers; these comment lines must be filtered out of the event messages.
Procedure
Step 1 From the Start menu, select All Programs > syslog-ng Agent for Windows > Configure syslog-ng Agent for Windows. The Syslog-ng Agent window is displayed.
Step 2 Expand the syslog-ng Agent Settings pane, and select Destinations.
Step 3 Right-click your JSA syslog destination and select Event Filters > Properties. The Global event filters Properties window is displayed.
Step 4 Configure the following values:
• From the Global file filters pane, select Enable.
• From the Filter Type pane, select Black List Filtering.
Step 5 Click OK.
Step 6 From the filter list menu, double-click Message Contents. The Message Contents Properties window is displayed.
Step 7 From the Message Contents pane, select the Enable radio button.
Step 8 In the Regular Expression field, type the following regular expression:
^#
Step 9 Click Add.
Step 10 Click Apply, and then click OK. The event messages containing comments are no longer forwarded.
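As an added illustration, not code from the Juniper guide or from BalaBit, the following Python applies the same ^# black-list expression to a constructed excerpt of a Microsoft ISA/TMG log file and shows why the anchor matters: an unanchored # would also discard a data line that merely contains the character. The render_file_messages function then applies the ${FILE_MESSAGE}${TZOFFSET} template from Step 8 of the destination procedure to the surviving lines, with a constructed time zone offset standing in for the TZOFFSET macro.

```python
import re

# The expression the guide has you enter in the Message Contents filter. With Black List
# Filtering, anything it matches is dropped and everything else is forwarded.
COMMENT_LINE = re.compile(r"^#")

# An unanchored variant, kept here only to show what goes wrong without the '^'.
UNANCHORED_HASH = re.compile(r"#")

# Constructed excerpt of a Microsoft ISA/TMG log file in its W3C-style text layout:
# directive lines start with '#', data lines are tab-separated fields.
CONSTRUCTED_TMG_LOG = [
    "#Software: Microsoft(R) Forefront(TM) Threat Management Gateway",
    "#Version: 2.0",
    "#Date: 2014-11-27 10:00:00",
    "#Fields: client-ip destination-ip status-code rule",
    "10.1.2.3\t198.51.100.7\t200\tAllow web access",
    "10.1.2.4\t198.51.100.7\t403\tBlock #42 sites",  # '#' inside the line, not at its start
    "10.1.2.5\t198.51.100.9\t200\tAllow web access",
]


def apply_blacklist(lines, pattern=COMMENT_LINE):
    """Return the lines the agent would still forward after black-list filtering."""
    return [line for line in lines if not pattern.search(line)]


def dropped_by(lines, pattern):
    """Lines a candidate filter would suppress; useful for checking a filter before enabling it."""
    return [line for line in lines if pattern.search(line)]


def render_file_messages(lines, tz_offset="-05:00"):
    """Apply the guide's File Message Format template, ${FILE_MESSAGE}${TZOFFSET}, to the
    lines that survive filtering. tz_offset is a constructed stand-in for the TZOFFSET macro."""
    return [line + tz_offset for line in apply_blacklist(lines)]


if __name__ == "__main__":
    for line in render_file_messages(CONSTRUCTED_TMG_LOG):
        print(line)
    print("unanchored filter would also drop:",
          [l for l in dropped_by(CONSTRUCTED_TMG_LOG, UNANCHORED_HASH) if not l.startswith("#")])
```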
Note: You might be required to restart the Syslog-ng Agent for Windows service to begin syslog forwarding. For more information, see your BalaBit Syslog-ng Agent documentation.
Configuring a BalaBit Syslog-ng PE Relay
The BalaBit Syslog-ng Agent for Windows sends Microsoft TMG and ISA event logs to a BalaBit Syslog-ng PE installation, which is configured in relay mode. The relay mode installation is responsible for receiving the event log from the BalaBit Syslog-ng Agent for Windows, parsing the event logs into the LEEF format, and then forwarding the events to JSA using syslog.
To configure your BalaBit Syslog-ng PE Relay, you must:
1 Install BalaBit Syslog-ng PE for Linux or Unix in relay mode. For more information, see your BalaBit Syslog-ng PE vendor documentation.
2 Configure syslog on your Syslog-ng PE relay.
Note: For a sample syslog.conf file that you can use to configure Microsoft TMG and ISA logs on your BalaBit Syslog-ng PE relay, see http://www.juniper.net/customers/support/.
The BalaBit Syslog-ng PE formats the TMG and ISA events in the LEEF format based on the configuration of your syslog.conf file. The syslog.conf file is responsible for parsing the event logs and forwarding the events to JSA.
Procedure
Step 1 Using SSH, log in to your BalaBit Syslog-ng PE relay command-line interface (CLI).
Step 2 Edit the following file:
/etc/syslog-ng/etc/syslog.conf
Step 3 In the destinations section, add an IP address and port number for each relay destination. For example:
######
# destinations
destination d_messages { file("/var/log/messages"); };
destination d_remote_tmgfw { tcp("JSA_IP" port(JSA_PORT) log_disk_fifo_size(10000000) template(t_tmgfw)); };
destination d_remote_tmgweb { tcp("JSA_IP" port(JSA_PORT) log_disk_fifo_size(10000000) template(t_tmgweb)); };
Where:
JSA_IP is the IP address of your JSA console or Event Collector.
JSA_PORT is the port number required for JSA to receive syslog events. By default, JSA receives syslog events on port 514.
Step 4 Save the syslog configuration changes.
Step 5 Restart Syslog-ng PE to force the configuration file to be read. The BalaBit Syslog-ng PE configuration is complete.
Syslog events forwarded from the BalaBit Syslog-ng relay are automatically discovered by JSA as Microsoft Windows Security Event Log on the Log Activity tab. For more information, see the Juniper Secure Analytics Users Guide.
Note: When using multiple syslog destinations, messages are considered delivered after they have successfully arrived at the primary syslog destination.
Configuring a Log Source
JSA automatically discovers and creates a log source for syslog events from LEEF formatted messages provided by your BalaBit Syslog-ng relay. The following configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources. The Data Sources panel is displayed.
Step 4 Click the Log Sources icon. The Log Sources window is displayed.
Step 5 Click Add. The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for the log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Microsoft ISA.
Step 9 From the Protocol Configuration list box, select Syslog. The syslog protocol configuration is displayed.
Step 10 Configure the following values:
Table 16-2 Syslog Parameters
Parameter - Description
Log Source Identifier - Type the IP address or hostname for the log source as an identifier for Microsoft ISA or Microsoft Threat Management Gateway events from the BalaBit Syslog-ng Agent.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The BalaBit IT Security configuration for Microsoft ISA and Microsoft TMG events is complete.
14 BARRACUDA
This section includes information on configuring the following DSMs:
• Barracuda Spam & Virus Firewall
• Barracuda Web Application Firewall
• Barracuda Web Filter
Barracuda Spam & Virus Firewall
Supported Event Types
You can integrate Barracuda Spam & Virus Firewall with Juniper Secure Analytics (JSA). The Barracuda Spam & Virus Firewall DSM for JSA accepts both Mail syslog events and Web syslog events from Barracuda Spam & Virus Firewall appliances. Mail syslog events contain the event and action taken when the firewall processes email. Web syslog events record information on user activity and configuration changes on your Barracuda Spam & Virus Firewall appliance.
Before You Begin
Before you can receive events in JSA, you must configure your Barracuda Spam & Virus Firewall to forward syslog events. Syslog messages are sent to JSA from Barracuda Spam & Virus Firewall using UDP port 514. You must verify that any firewalls between JSA and your Barracuda Spam & Virus Firewall appliance allow UDP traffic on port 514.
Configuring Syslog Event Forwarding
You can configure syslog forwarding for Barracuda Spam & Virus Firewall.
Procedure
Step 1 Log in to the Barracuda Spam & Virus Firewall web interface.
Step 2 Click the Advanced tab.
Step 3 From the Advanced menu, select Advanced Networking.
Step 4 From the Mail Syslog field, type the IP address of your JSA console or Event Collector.
Step 5 Click Add.
Step 6 From the Web Interface Syslog field, type the IP address of your JSA console or Event Collector.
Step 7 Click Add. The syslog configuration is complete.
Configuring a Log Source
JSA automatically discovers and creates a log source for syslog events from Barracuda Spam & Virus Firewall appliances. The following configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Barracuda Spam & Virus Firewall.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 17-1 Syslog Parameters
Parameter - Description
Log Source Identifier - Type the IP address or host name for the log source as an identifier for events from your Barracuda Spam & Virus Firewall appliance.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes. The log source is added to JSA. Events forwarded to JSA by Barracuda Spam & Virus Firewall are displayed on the Log Activity tab.
Barracuda Web Application Firewall
Supported Event Types
You can integrate Barracuda Web Application Firewall with JSA. The Barracuda Web Application Firewall DSM for JSA accepts system, web firewall log, access log, and audit log events using syslog. You must configure Barracuda Web Application Firewall to forward syslog events to JSA in a custom name-value pair event format. Syslog events from Barracuda Web Application Firewall appliances are provided to JSA using UDP port 514.
Before You Begin
Before you begin, you must create a log source in JSA. JSA does not automatically discover events for Barracuda Web Application Firewall. After you configure this DSM, we recommend that you verify that any firewalls between the Barracuda Web Application Firewall appliance and JSA allow UDP traffic on port 514.
Configuring a Log Source
To integrate Barracuda Web Application Firewall with JSA, you must manually create a log source to receive Barracuda Web Application Firewall events.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Barracuda Web Application Firewall.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 17-2 Syslog Parameters
Parameter - Description
Log Source Identifier - Type the IP address or host name for the log source as an identifier for events from your Barracuda Web Application Firewall appliance.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes. The log source is added to JSA.
Configuring Syslog Event Forwarding
You configure syslog forwarding for Barracuda Web Application Firewall.
Procedure
Step 1 Log in to the Barracuda Web Application Firewall web interface.
Step 2 Click the Advanced tab.
Step 3 From the Advanced menu, select Export Logs.
Step 4 Click Syslog Settings.
Step 5 Configure a syslog facility value for the following options:
• Web Firewall Logs Facility - Select a syslog facility between Local0 and Local7.
• Access Logs Facility - Select a syslog facility between Local0 and Local7.
• Audit Logs Facility - Select a syslog facility between Local0 and Local7.
• System Logs Facility - Select a syslog facility between Local0 and Local7.
Setting a unique syslog facility for each log type allows the Barracuda Web Application Firewall to divide the logs into different files.
Step 6 Click Save Changes. The Export Log window is displayed.
Step 7 In the Name field, type the name of the syslog server.
Step 8 In the Syslog field, type the IP address of your JSA console or Event Collector.
Step 9 From the Log Time Stamp option, select Yes.
Step 10 From the Log Unit Name option, select Yes.
Step 11 Click Add.
Step 12 From the Web Firewall Logs Format list box, select Custom Format.
Step 13 In the Web Firewall Logs Format field, type the following custom event format:
t=%t|ad=%ad|ci=%ci|cp=%cp|au=%au
Step 14 From the Access Logs Format list box, select Custom Format.
Step 15 In the Access Logs Format field, type the following custom event format:
t=%t|p=%p|s=%s|id=%id|ai=%ai|ap=%ap|ci=%ci|cp=%cp|si=%si|sp=%sp|cu=%cu
Step 16 From the Audit Logs Format list box, select Custom Format.
Step 17 In the Audit Logs Format field, type the following custom event format:
t=%t|trt=%trt|an=%an|li=%li|lp=%lp
Step 18 Click Save Changes.
Step 19 From the navigation menu, select Basic > Administration.
Step 20 From the System/Reload/Shutdown pane, click Restart. The syslog configuration is complete after your Barracuda Web Application Firewall restarts. Events forwarded to JSA by Barracuda Web Application Firewall are displayed on the Log Activity tab.
Barracuda Web Filter
Supported Event Types
You can integrate Barracuda Web Filter appliance events with JSA. The Barracuda Web Filter DSM for JSA accepts web traffic and web interface events in syslog format forwarded by Barracuda Web Filter appliances. Web traffic events contain the event and action taken when the appliance processes web traffic. Web interface events contain user login activity and configuration changes to the Web Filter appliance.
Before You Begin
Before you can receive events in JSA, you must configure your Barracuda Web Filter to forward syslog events. Syslog messages are forwarded to JSA using UDP port 514. You must verify that any firewalls between JSA and your Barracuda Web Filter appliance allow UDP traffic on port 514.
Configuring Syslog Event Forwarding
You can configure syslog forwarding for Barracuda Web Filter.
Procedure
Step 1 Log in to the Barracuda Web Filter web interface.
Step 2 Click the Advanced tab.
Step 3 From the Advanced menu, select Syslog.
Step 4 From the Web Traffic Syslog field, type the IP address of your JSA console or Event Collector.
Step 5 Click Add.
Step 6 From the Web Interface Syslog field, type the IP address of your JSA console or Event Collector.
Step 7 Click Add. The syslog configuration is complete.
Configuring a Log Source
JSA automatically discovers and creates a log source for syslog events from Barracuda Web Filter appliances. The following configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Barracuda Web Filter.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 17-1 Syslog Parameters
Parameter - Description
Log Source Identifier - Type the IP address or host name for the log source as an identifier for events from your Barracuda Web Filter appliance.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes. The log source is added to JSA. Events forwarded by Barracuda Web Filter are displayed on the Log Activity tab of JSA.
15 BIT9 PARITY
You can integrate Bit9 Parity events with Juniper Secure Analytics (JSA).
Supported Event Types
The Bit9 Parity DSM for JSA accepts syslog events using the Log Event Extended Format (LEEF), enabling JSA to record all relevant appliance events.
Configuring Bit9 Parity
To collect events, you must configure your Bit9 Parity device to forward syslog events in the LEEF format.
Procedure
Step 1 Log in to the Bit9 Parity console with Administrator or PowerUser privileges.
Step 2 From the navigation menu on the left side of the console, select Administration > System Configuration.
The System Configuration window is displayed.
Step 3 Click Server Status. The Server Status window is displayed.
Step 4 Click Edit.
Step 5 In the Syslog address field, type the IP address of your JSA.
Step 6 From the Syslog format list box, select LEEF (Q1 Labs).
Step 7 Select the Syslog enabled check box.
Step 8 Click Update. The configuration is complete. The log source is added to JSA as Bit9 Parity events are automatically discovered. Events forwarded to JSA by Bit9 Parity are displayed on the Log Activity tab of JSA.
Configure a Log Source
JSA automatically discovers and creates a log source for syslog events from Bit9 Parity. These configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Bit9 Parity.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 18-1 Syslog Parameters
Parameter - Description
Log Source Identifier - Type the IP address or host name for the log source as an identifier for events from your Bit9 Parity device.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes. The configuration is complete.
16 BLUECAT NETWORKS ADONIS
The BlueCat Networks Adonis DSM for Juniper Secure Analytics (JSA) accepts events forwarded in Log Event Extended Format (LEEF) using syslog from BlueCat Adonis appliances managed with BlueCat Proteus.
Supported Versions
JSA supports BlueCat Networks Adonis appliances using version 6.7.1-P2 and above. You might be required to include a patch on your BlueCat Networks Adonis to integrate DNS and DHCP events with JSA.
For more information, see KB-4670 and your BlueCat Networks documentation.
Supported Event Types
JSA is capable of collecting all relevant events related to DNS and DHCP queries. This includes the following events:
• DNS IPv4 and IPv6 query events
• DNS name server query events
• DNS mail exchange query events
• DNS text record query events
• DNS record update events
• DHCP discover events
• DHCP request events
• DHCP release events
Event Type Format
The LEEF format consists of a pipe ( | ) delimited syslog header and a space delimited event payload. For example:
Aug 10 14:55:30 adonis671-184 LEEF:1.0|BCN|Adonis|6.7.1|DNS_Query|cat=A_record src=10.10.10.10 url=test.example.com
If the syslog events forwarded from your BlueCat Adonis appliance are not formatted similarly to the sample above, you must examine your device configuration. Properly formatted LEEF event messages are automatically discovered by the BlueCat Networks Adonis DSM and added as a log source to JSA.
Before You Begin
BlueCat Adonis must be configured to generate events in Log Event Extended Format (LEEF) and redirect the event output by way of syslog to JSA. BlueCat Networks provides a script on their appliance to assist you with configuring syslog. To complete the syslog redirection, you must have administrative or root access to the command-line interface of the BlueCat Adonis or your BlueCat Proteus appliance. If the syslog configuration script is not present on your appliance, you can contact your BlueCat Networks representative.
Configuring BlueCat Adonis
You can configure your BlueCat Adonis appliance to forward DNS and DHCP events to JSA.
Procedure
Step 1 Using SSH, log in to your BlueCat Adonis appliance command-line interface.
Step 2 Type the following command to start the syslog configuration script:
/usr/local/bluecat/qradar/setup-qradar.sh
Step 3 Type the IP address of your JSA console or Event Collector.
Step 4 Type yes or no to confirm the IP address. The configuration is complete when a success message is displayed. The log source is added to JSA as BlueCat Networks Adonis syslog events are automatically discovered. Events forwarded to JSA are displayed on the Log Activity tab. If the events are not automatically discovered, you can manually configure a log source.
Configuring a Log Source in JSA
JSA automatically discovers and creates a log source for syslog events from BlueCat Networks Adonis. However, you can manually create a log source for JSA to receive syslog events. The following configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select BlueCat Networks Adonis.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 19-2 Syslog Parameters
Parameter - Description
Log Source Identifier - Type the IP address or host name for the log source as an identifier for events from your BlueCat Networks Adonis appliance.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes. The configuration is complete.
17 BLUE COAT SG
The Blue Coat SG DSM for Juniper Secure Analytics (JSA) allows you to integrate events from a Blue Coat SG appliance with JSA. JSA records all relevant and available information from name-value events that are separated by pipe (|) characters. JSA can receive events from your Blue Coat SG appliance using syslog or can retrieve events from the Blue Coat SG appliance using the Log File protocol. The instructions provided describe how to configure Blue Coat SG using a custom name-value pair format.
However, JSA supports the following formats:
• Custom Format
• SQUID
• NCSA
• main
• IM
• Streaming
• smartreporter
• bcereportermain_v1
• bcreporterssl_v1
• p2p
• SSL
• bcreportercifs_v1
• CIFS
• MAPI
For more information about your Blue Coat SG Appliance, see your vendor documentation.
Creating a Custom Event Format
The Blue Coat SG DSM for JSA accepts custom formatted events from a Blue Coat SG appliance.
Procedure
Step 1 Using a web browser, log in to the Blue Coat Management console.
Step 2 Select Configuration > Access Logging > Formats.
Step 3 Select New.
Step 4 Type a format name for the custom format.
Step 5 Select Custom format string.
Step 6 Type the following custom format for JSA:
Bluecoat|src=$(c-ip)|srcport=$(c-port)|dst=$(cs-uri-address)|dstport=$(cs-uri-port)|username=$(cs-username)|devicetime=$(gmttime)|s-action=$(s-action)|sc-status=$(sc-status)|cs-method=$(cs-method)|time-taken=$(time-taken)|sc-bytes=$(sc-bytes)|cs-bytes=$(cs-bytes)|cs-uri-scheme=$(cs-uri-scheme)|cs-host=$(cs-host)|cs-uri-path=$(cs-uri-path)|cs-uri-query=$(cs-uri-query)|cs-uri-extension=$(cs-uri-extension)|cs-auth-group=$(cs-auth-group)|rs(Content-Type)=$(rs(Content-Type))|cs(User-Agent)=$(cs(User-Agent))|cs(Referer)=$(cs(Referer))|sc-filter-result=$(sc-filter-result)|filter-category=$(sc-filter-category)|cs-uri=$(cs-uri)
Step 7 Select Log Last Header from the list box.
Step 8 Click OK.
Step 9 Click Apply.
Note: The custom format for JSA supports additional key-value pairs using the Blue Coat ELFF format. For more information, see Creating Additional Custom Format Key-Value Pairs.
You are ready to enable access logging on your Blue Coat device.
Creating a Log Facility
To use the custom log format created for JSA, you must associate the custom log format for JSA with a facility.
Procedure
Step 1 Select Configuration > Access Logging > Logs.
Step 2 Click New.
Step 3 Configure the following parameters:
• Log Name - Type a name for the log facility.
• Log Format - Select the custom format you created in Creating a Custom Event Format, Step 4.
• Description - Type a description for the log facility.
Step 4 Click OK.
Step 5 Click Apply. You are ready to enable logging on the Blue Coat device. For more information, see Enabling Access Logging.
Enabling Access Logging
You must enable access logging on your Blue Coat SG device.
Procedure
Step 1 Select Configuration > Access Logging > General.
Step 2 Select the Enable Access Logging check box. If the Enable Access Logging check box is not selected, logging is disabled globally for all of the formats listed.
Step 3 Click Apply. You are ready to configure the Blue Coat upload client. For more information, see Retrieving Blue Coat Events.
Retrieving Blue Coat Events
Events from your Blue Coat SG appliance are forwarded using the Blue Coat upload client. JSA can receive forwarded events using FTP or syslog.
• If you are using FTP, see Log File Protocol Configuration.
• If you are using syslog, see Syslog Configuration.
Log File Protocol Configuration
To use FTP, you must configure the Blue Coat upload client.
Procedure
Step 1 Select Configuration > Access Logging > Logs > Upload Client.
Step 2 From the Log list box, select the log containing your custom format.
Step 3 From the Client type list box, select FTP Client.
Step 4 Select the text file option. If you select the gzip file option on your Blue Coat appliance, you must configure a Processor for your log source with the GZIP option.
Step 5 Click Settings.
Step 6 From the Settings For list box, select Primary FTP Server.
Step 7 Configure the following values:
a Host - Type the IP address of the FTP server receiving the Blue Coat events.
b Port - Type the FTP port number.
c Path - Type a directory path for the log files.
d Username - Type the username required to access the FTP server.
Step 8 Click OK.
Step 9 Select the Upload Schedule tab.
Step 10 From the Upload the access log option, select periodically.
Step 11 Configure the Wait time between connect attempts.
Step 12 Select whether you want to upload the log file to the FTP server daily or on an interval.
Step 13 Click Apply.
Configuring a Log Source in JSA
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 From the Log Source Type list box, select the Bluecoat SG Appliance option.
Step 8 From the Protocol Configuration list box, select the Log File option.
Step 9 Configure the following values:
Table 20-1 Blue Coat SG log file protocol parameters
Parameter - Description
Log Source Identifier - Type an IP address, host name, or name to identify the event source. IP addresses or host names are recommended as they allow JSA to identify a log file to a unique event source.
Service Type - From the list box, select the protocol you want to use when retrieving log files from a remote server. The default is SFTP.
• SFTP - SSH File Transfer Protocol
• FTP - File Transfer Protocol
• SCP - Secure Copy
Note: The underlying protocol used to retrieve log files for the SCP and SFTP service types requires that the server specified in the Remote IP or Hostname field has the SFTP subsystem enabled.
Remote IP or Hostname - Type the IP address or host name of the device storing your event log files.
Remote Port - Type the TCP port on the remote host that is running the selected Service Type. The valid range is 1 to 65535.
The options include:
• FTP - TCP Port 21
• SFTP - TCP Port 22
• SCP - TCP Port 22
Note: If the host for your event files is using a non-standard port number for FTP, SFTP, or SCP, you must adjust the port value accordingly.
Remote User - Type the user name necessary to log in to the host containing your event files. The username can be up to 255 characters in length.
Remote Password - Type the password necessary to log in to the host.
Confirm Password - Confirm the password necessary to log in to the host.
SSH Key File - If you select SCP or SFTP as the Service Type, this parameter allows you to define an SSH private key file. When you provide an SSH Key File, the Remote Password field is ignored.
Remote Directory - Type the directory location on the remote host from which the files are retrieved, relative to the user account you are using to log in.
Note: For FTP only. If your log files reside in the remote user's home directory, you can leave the remote directory blank. This is to support operating systems where the change working directory (CWD) command is restricted.
Recursive - Select this check box if you want the file pattern to search sub folders in the remote directory. By default, the check box is clear. The Recursive option is ignored if you configure SCP as the Service Type.
FTP File Pattern - If you select SFTP or FTP as the Service Type, this option allows you to configure the regular expression (regex) required to filter the list of files in the Remote Directory. All matching files are included in the processing. The FTP file pattern you specify must match the name you assigned to your event files. For example, to collect files ending with .log, type the following:
.*\.log
Use of this parameter requires knowledge of regular expressions (regex).
For more information, see the following website: http://download.oracle.com/javase/tutorial/essential/regex/

FTP Transfer Mode: This option only appears if you select FTP as the Service Type. The FTP Transfer Mode parameter allows you to define the file transfer mode when retrieving log files over FTP. From the list box, select the transfer mode you want to apply to this log source:
• Binary - Select Binary for log sources that require binary data files or compressed zip, gzip, tar, or tar+gzip archive files.
• ASCII - Select ASCII for log sources that require an ASCII FTP file transfer. You must select NONE for the Processor parameter and LINEBYLINE for the Event Generator parameter when using ASCII as the FTP Transfer Mode.

SCP Remote File: If you select SCP as the Service Type, you must type the file name of the remote file.

Start Time: Type the time of day you want the processing to begin. For example, type 00:00 to schedule the Log File protocol to collect event files at midnight. This parameter functions with the Recurrence value to establish when and how often the Remote Directory is scanned for files. Type the start time, based on a 24 hour clock, in the following format: HH:MM.

Recurrence: Type the frequency, beginning at the Start Time, that you want the remote directory to be scanned. Type this value in hours (H), minutes (M), or days (D). For example, type 2H if you want the remote directory to be scanned every 2 hours from the start time. The default is 1H.

Run On Save: Select this check box if you want the log file protocol to run immediately after you click Save. After the Run On Save completes, the log file protocol follows your configured start time and recurrence schedule. Selecting Run On Save clears the list of previously processed files for the Ignore Previously Processed File parameter.
EPS Throttle: Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The valid range is 100 to 5000.

Processor: If the files located on the remote host are stored in a zip, gzip, tar, or tar+gzip archive format, select the processor that allows the archives to be expanded and contents processed.

Ignore Previously Processed File(s): Select this check box to track and ignore files that have already been processed by the log file protocol. JSA examines the log files in the remote directory to determine if a file has been previously processed by the log file protocol. If a previously processed file is detected, the log file protocol does not download the file for processing. All files that have not been previously processed are downloaded. This option only applies to FTP and SFTP Service Types.

Change Local Directory?: Select this check box to define a local directory on your JSA system for storing downloaded files during processing. We recommend that you leave this check box clear. When this check box is selected, the Local Directory field is displayed, which allows you to configure the local directory to use for storing files.

Event Generator: From the Event Generator list box, select LineByLine. The Event Generator applies additional processing to the retrieved event files. Each line of the file is a single event. For example, if a file has 10 lines of text, 10 separate events are created.

Step 10 Click Save.
Step 11 On the Admin tab, click Deploy Changes.
The log file protocol configuration for Blue Coat SG is complete.

Syslog Configuration

To allow syslog event collection, you must configure your Blue Coat appliance to forward syslog events.
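Before the syslog procedure, the following added example models how the Log File protocol parameters of Table 20-1 (and the identical parameters in Tables 23-1 and 23-2 for CA ACF2) interact: FTP File Pattern, Recursive, Ignore Previously Processed File(s), Run On Save, the gzip Processor, the LineByLine Event Generator and the EPS Throttle range. It is illustrative Python written for this guide, not JSA code; the remote listing is a constructed dictionary standing in for an SFTP/FTP directory, and it assumes the file pattern is applied to the whole file name (as the .*\.log example implies) and that a blank line yields no event.

```python
"""Model of the JSA Log File protocol's file selection and LineByLine event
generation, written for this guide as an illustration (not JSA code)."""
import gzip
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed listing standing in for the Remote Directory on an SFTP/FTP host:
# path -> file contents. Names and contents are made up for this example.
REMOTE_FILES: Dict[str, bytes] = {
    "logs/proxy-20141120.log": b"event one\nevent two\n",
    "logs/proxy-20141121.log": b"event three\n\nevent four\n",
    "logs/archive/proxy-20141101.log": b"old event\n",
    "logs/notes.txt": b"not an event file\n",
    "logs/ACF2.20141121.gz": gzip.compress(b"acf2 event 1\nacf2 event 2\n"),
}


def line_by_line(text: str) -> List[str]:
    """LineByLine event generator: one event per line of the file.
    Assumption for this example: a completely blank line produces no event."""
    return [line for line in text.splitlines() if line.strip()]


def eps_batches(events: List[str], eps: int) -> List[List[str]]:
    """EPS Throttle: chunk events so that no more than `eps` are emitted per
    second. The valid range for the parameter is 100 to 5000."""
    if not 100 <= eps <= 5000:
        raise ValueError("EPS Throttle must be between 100 and 5000")
    return [events[i:i + eps] for i in range(0, len(events), eps)]


@dataclass
class LogFileSource:
    remote_directory: str          # Remote Directory parameter
    file_pattern: str              # FTP File Pattern (regex on the file name)
    recursive: bool = False        # Recursive check box
    ignore_processed: bool = True  # Ignore Previously Processed File(s)
    processor: str = "NONE"        # Processor: "NONE" or "gzip"
    processed: Set[str] = field(default_factory=set)

    def select_files(self, listing: Dict[str, bytes]) -> List[str]:
        """Return the remote paths one scan would download, in listing order."""
        pattern = re.compile(self.file_pattern)
        base = self.remote_directory.rstrip("/") + "/"
        chosen: List[str] = []
        for path in sorted(listing):
            if not path.startswith(base):
                continue
            relative = path[len(base):]
            # Files in sub folders are only considered when Recursive is set.
            if "/" in relative and not self.recursive:
                continue
            name = relative.rsplit("/", 1)[-1]
            # Assumption: the regex must match the whole file name.
            if pattern.fullmatch(name) is None:
                continue
            if self.ignore_processed and path in self.processed:
                continue
            chosen.append(path)
        return chosen

    def expand(self, data: bytes) -> bytes:
        """Processor step: expand gzip archives; NONE passes bytes through."""
        if self.processor.lower() == "gzip":
            return gzip.decompress(data)
        return data

    def poll(self, listing: Dict[str, bytes]) -> List[str]:
        """One scheduled scan of the Remote Directory: download matching files,
        expand them, split them into events and remember what was processed."""
        events: List[str] = []
        for path in self.select_files(listing):
            text = self.expand(listing[path]).decode("utf-8", errors="replace")
            events.extend(line_by_line(text))
            self.processed.add(path)
        return events

    def run_on_save(self, listing: Dict[str, bytes]) -> List[str]:
        """Run On Save: clear the previously processed list, then scan at once."""
        self.processed.clear()
        return self.poll(listing)


if __name__ == "__main__":
    source = LogFileSource("logs", r".*\.log")
    print(source.poll(REMOTE_FILES))  # four events from the two top-level .log files
    print(source.poll(REMOTE_FILES))  # []: both files are now on the processed list
```

The second poll returns nothing because both files are tracked as processed, which is exactly why the guide warns that Run On Save clears that list: ticking it re-ingests every matching file, so on a directory that keeps months of archives it can duplicate events.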
CAUTION: If your Blue Coat SG appliance is reporting events using syslog (rather than a file transfer protocol) and the destination syslog server becomes unavailable, it is possible that other syslog destinations can stop receiving data until all syslog destinations are again available. This creates the potential for some syslog data to not be sent at all. If you are sending to multiple syslog destinations, a disruption in availability in one syslog destination might interrupt the stream of events to other syslog destinations from your Blue Coat SG appliance.

Procedure
Step 1 Select Configuration > Access Logging > Logs > Upload Client.
Step 2 From the Log list box, select the log containing your custom format.
Step 3 From the Client type drop-down list box, select Custom Client.
Step 4 Click Settings.
Step 5 From the Settings For list box, select Primary Custom Server.
Step 6 Configure the following values:
a Host - Type the IP address for your JSA.
b Port - Type 514 as the syslog port for JSA.
Step 7 Click OK.
Step 8 Select the Upload Schedule tab.
Step 9 From the Upload the access log, select continuously.
Step 10 Click Apply.
You are now ready to configure a log source for Blue Coat SG events.

Configure a log source

To integrate Barracuda Web Application Firewall with JSA, you must manually create a log source to receive Blue Coat SG events.

Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Blue Coat SG Appliance.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 20-2 Syslog Protocol Parameters

Log Source Identifier: Type the IP address or host name for the log source as an identifier for events from your Blue Coat SG appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to JSA. Events forwarded to JSA by Blue Coat SG are displayed on the Log Activity tab.

Creating Additional Custom Format Key-Value Pairs

The custom format allows you to forward specific Blue Coat data or events to JSA using the Extended Log File Format (ELFF). The custom format is a series of pipe delimited fields starting with Bluecoat| and containing $(Blue Coat ELFF Parameter). Custom format fields for JSA must be separated by the pipe character. For example:

Bluecoat|src=$(c-ip)|srcport=$(c-port)|dst=$(cs-uri-address)|dstport=$(cs-uri-port)|username=$(cs-username)|devicetime=$(gmttime)|s-action=$(s-action)|sc-status=$(sc-status)|cs-method=$(cs-method)

Table 20-3 JSA Custom Format Examples (Blue Coat ELFF Parameter: JSA Custom Format Example)
sc-bytes: $(sc-bytes)
rs(Content-type): $(rs(Content-Type))

For more information on the available Blue Coat ELFF parameters, see your Blue Coat appliance documentation.

18 BRIDGEWATER

The Bridgewater Systems DSM for Juniper Secure Analytics (JSA) accepts events using syslog.

Supported Event Types
JSA records all relevant events forwarded from Bridgewater AAA Service Controller devices using syslog.

Configuring Syslog for Your Bridgewater Systems Device
You must configure your Bridgewater Systems appliance to send syslog events to JSA.

Procedure
Step 1 Log in to your Bridgewater Systems device command-line interface (CLI).
Step 2 To log operational messages to the RADIUS and Diameter servers, open the following file: /etc/syslog.conf
Step 3 To log all operational messages, uncomment the following line:
local1.info /WideSpan/logs/oplog
Step 4 To log error messages only, change the local1.info /WideSpan/logs/oplog line to the following:
local1.err /WideSpan/logs/oplog
Note: RADIUS and Diameter system messages are stored in the /var/adm/messages file.
Step 5 Add the following line:
local1.*@
Where is the IP address of your JSA console.
Step 6 The RADIUS and Diameter server system messages are stored in the /var/adm/messages file. Add the following line for the system messages:
.*@
Where:
is the facility used for logging to the /var/adm/messages file.
is the IP address of your JSA console.
Step 7 Save and exit the file.
Step 8 Send a hang-up signal to the syslog daemon to make sure all changes are enforced:
kill -HUP `cat /var/run/syslog.pid`
The configuration is complete. The log source is added to JSA as Bridgewater Systems appliance events are automatically discovered. Events forwarded to JSA by your Bridgewater Systems appliance are displayed on the Log Activity tab.

Configuring a Log Source

JSA automatically discovers and creates a log source for syslog events from a Bridgewater Systems appliance. The following configuration steps are optional.

Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Bridgewater Systems AAA Service Controller.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:

Table 21-1 Syslog Parameters

Log Source Identifier: Type the IP address or host name for the log source as an identifier for events from your Bridgewater Systems appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.

19 BROCADE FABRIC OS

Juniper Secure Analytics (JSA) can collect and categorize syslog system and audit events from Brocade switches and appliances that use Fabric OS V7.x. To collect syslog events, you must configure your switch to forward syslog events. Each switch or appliance must be configured to forward events. Events that you forward from Brocade switches are automatically discovered. A log source is configured for each switch or appliance that forwards events to JSA.
This DSM supports Brocade switches or appliances that run Fabric OS V7.x.

Configuring Syslog for Brocade Fabric OS Appliances

To collect events, you must configure syslog on your Brocade appliance to forward events to JSA.

Procedure
To configure syslog for Brocade Fabric OS appliances:
Step 1 Log in to your appliance as an admin user.
Step 2 To configure an address to forward syslog events, type the following command:
syslogdipadd
Where is the IP address of the JSA console, Event Processor, Event Collector, or all-in-one system.
Step 3 To verify the address, type the following command:
syslogdipshow
Result
As events are generated by the Brocade switch, they are forwarded to the syslog destination you specified. The log source is automatically discovered after enough events are forwarded by the Brocade appliance. It typically takes a minimum of 25 events to automatically discover a log source.
What to do next
Administrators can log in to the JSA console and verify that the log source is created on the console and that the Log Activity tab displays events from the Brocade appliance.
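Returning to the Blue Coat SG custom format described under Creating Additional Custom Format Key-Value Pairs above: the following added example (illustrative Python written for this guide, not Blue Coat or JSA code) extracts the ELFF parameter names a custom format references, including the nested form in Table 20-3, renders the pipe-delimited line the appliance would forward for one access-log record, and parses such a line back into key/value pairs with the Bluecoat| prefix check. The ELFF record values are constructed; the assumptions that an absent parameter is written as "-" and that a value containing the pipe delimiter cannot be represented (the format defines no escaping) are this example's, not the guide's.

```python
"""Blue Coat ELFF custom-format helpers written for this guide as an
illustration (not Blue Coat or JSA code)."""
import re
from typing import Dict, List

# The custom format from the Blue Coat SG chapter: pipe-delimited key=value
# fields, starting with Bluecoat| and referencing ELFF parameters as $(name).
CUSTOM_FORMAT = (
    "Bluecoat|src=$(c-ip)|srcport=$(c-port)|dst=$(cs-uri-address)"
    "|dstport=$(cs-uri-port)|username=$(cs-username)|devicetime=$(gmttime)"
    "|s-action=$(s-action)|sc-status=$(sc-status)|cs-method=$(cs-method)"
)

# Constructed ELFF record for one proxied request (values are made up).
SAMPLE_RECORD: Dict[str, str] = {
    "c-ip": "10.0.0.5",
    "c-port": "51234",
    "cs-uri-address": "93.184.216.34",
    "cs-uri-port": "443",
    "cs-username": "alice",
    "gmttime": "[27/Nov/2014:10:15:30 GMT]",
    "s-action": "TCP_DENIED",
    "sc-status": "403",
    "cs-method": "CONNECT",
    "rs(Content-Type)": "text/html",
}

# $(name), where name may carry one level of parentheses, e.g. rs(Content-Type).
_PARAM_RE = re.compile(r"\$\(([^()]*(?:\([^()]*\))?[^()]*)\)")
DELIMITER = "|"


def template_parameters(template: str) -> List[str]:
    """List the ELFF parameter names a custom format references, in order."""
    return _PARAM_RE.findall(template)


def render_custom_format(template: str, record: Dict[str, str]) -> str:
    """Produce the line the appliance would forward for one access-log record.
    Assumption: a parameter with no value is written as '-', as ELFF does for
    empty fields. The format has no escaping, so a value containing the pipe
    delimiter cannot be represented and is rejected."""
    def substitute(match):
        name = match.group(1)
        value = record.get(name, "-")
        if DELIMITER in value:
            raise ValueError(f"value for {name!r} contains the delimiter")
        return value
    return _PARAM_RE.sub(substitute, template)


def parse_bluecoat_event(line: str) -> Dict[str, str]:
    """Parse a forwarded custom-format line back into key/value pairs, checking
    the Bluecoat| prefix JSA expects and rejecting malformed fields."""
    fields = line.rstrip("\r\n").split(DELIMITER)
    if fields[0] != "Bluecoat":
        raise ValueError("line does not start with Bluecoat|")
    event: Dict[str, str] = {}
    for item in fields[1:]:
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed field {item!r}")
        event[key] = value
    return event


if __name__ == "__main__":
    forwarded = render_custom_format(CUSTOM_FORMAT, SAMPLE_RECORD)
    print(forwarded)
    print(parse_bluecoat_event(forwarded))
```

The delimiter check matters on the receiving side as well: a URL or user name that contains a pipe would shift every later field, so a parser that only splits on "|" should validate field count or key names before trusting the values.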
20 CA TECHNOLOGIES

This section provides information on the following DSMs:
• CA ACF2
• CA SiteMinder
• CA Top Secret

CA ACF2

Juniper Secure Analytics (JSA) includes two options for integrating CA Access Control Facility (ACF2) events:
• Integrate CA ACF2 with JSA Using IBM Security zSecure
• Integrate CA ACF2 with JSA Using Audit Scripts

Integrate CA ACF2 with JSA Using IBM Security zSecure

The CA ACF2 DSM allows you to integrate LEEF events from an ACF2 image on an IBM z/OS mainframe using IBM Security zSecure. Using a zSecure process, events from the System Management Facilities (SMF) are recorded to an event file in the Log Enhanced Event format (LEEF). JSA retrieves the LEEF event log files using the log file protocol and processes the events. You can schedule JSA to retrieve events on a polling interval, which allows JSA to retrieve the events on the schedule you have defined.

To integrate CA ACF2 events:
1 Confirm your installation meets any prerequisite installation requirements.
2 Configure your CA ACF2 z/OS image to write events in LEEF format. For more information, see the IBM Security zSecure Suite: CARLa-Driven Components Installation and Deployment Guide.
3 Create a log source in JSA for CA ACF2 to retrieve your LEEF formatted event logs.
4 Optional. Create a custom event property for CA ACF2 in JSA. For more information, see the Custom Event Properties for IBM z/OS technical note.

Before you begin

Before you can configure the data collection process, you must complete the basic zSecure installation process. The following installation prerequisites are required:
• You must ensure parmlib member IFAPRDxx is not disabled for IBM Security zSecure Audit on your z/OS image.
• The SCKRLOAD library must be APF-authorized.
• You must configure a process to periodically refresh your CKFREEZE and UNLOAD data sets.
• You must configure an SFTP, FTP, or SCP server on your z/OS image for JSA to download your LEEF event files.
• You must allow SFTP, FTP, or SCP traffic on firewalls located between JSA and your z/OS image.
After installing the software, you must also perform the post-installation activities to create and modify the configuration. For instructions on installing and configuring zSecure, see the IBM Security zSecure Suite: CARLa-Driven Components Installation and Deployment Guide.

Create a log source for ACF2 in JSA

You can use the Log File protocol to retrieve archived log files containing events from a remote host. Log files are transferred, one at a time, to JSA for processing. The log file protocol can manage plain text event logs, compressed files, or archives. Archives must contain plain-text files that can be processed one line at a time. Multi-line event logs are not supported by the log file protocol. IBM z/OS with zSecure writes log files to a specified directory as gzip archives. JSA extracts the archive and processes the events, which are written as one event per line in the file. To retrieve these events, you must create a log source using the Log File protocol. JSA requires credentials to log in to the system hosting your LEEF formatted event files and a polling interval.

To configure a log source in JSA for CA ACF2:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for the log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select CA ACF2.
Step 9 From the Protocol Configuration list box, select Log File.
Step 10 Configure the following values:

Table 23-1 CA ACF2 Log File Parameters

Log Source Identifier: Type an IP address, host name, or name to identify the event source. IP addresses or host names are recommended as they allow JSA to identify a log file to a unique event source. For example, if your network contains multiple devices, such as multiple z/OS images or a file repository containing all of your event logs, you should specify the IP address or host name of the device that uniquely identifies the log source. This allows events to be identified at the device level in your network, instead of identifying the event for the file repository.

Service Type: From the list box, select the protocol you want to use when retrieving log files from a remote server. The default is SFTP.
• SFTP - SSH File Transfer Protocol
• FTP - File Transfer Protocol
• SCP - Secure Copy
Note: The underlying protocol used to retrieve log files for the SCP and SFTP service type requires that the server specified in the Remote IP or Hostname field has the SFTP subsystem enabled.

Remote IP or Hostname: Type the IP address or host name of the device storing your event log files.

Remote Port: Type the TCP port on the remote host that is running the selected Service Type. The valid range is 1 to 65535. The options include:
• FTP - TCP Port 21
• SFTP - TCP Port 22
• SCP - TCP Port 22
Note: If the host for your event files is using a non-standard port number for FTP, SFTP, or SCP, you must adjust the port value accordingly.

Remote User: Type the user name necessary to log in to the host containing your event files. The username can be up to 255 characters in length.

Remote Password: Type the password necessary to log in to the host.

Confirm Password: Confirm the password necessary to log in to the host.

SSH Key File: If you select SCP or SFTP as the Service Type, this parameter allows you to define an SSH private key file.
When you provide an SSH Key File, the Remote Password field is ignored.

Remote Directory: Type the directory location on the remote host from which the files are retrieved, relative to the user account you are using to log in.
Note: For FTP only. If your log files reside in the remote user's home directory, you can leave the remote directory blank. This is to support operating systems where a change in the working directory (CWD) command is restricted.

Recursive: Select this check box if you want the file pattern to search sub folders in the remote directory. By default, the check box is clear. The Recursive option is ignored if you configure SCP as the Service Type.

FTP File Pattern: If you select SFTP or FTP as the Service Type, this option allows you to configure the regular expression (regex) required to filter the list of files specified in the Remote Directory. All matching files are included in the processing. IBM z/OS mainframe using IBM Security zSecure Audit writes event files using the pattern ACF2. .gz
The FTP file pattern you specify must match the name you assigned to your event files. For example, to collect files starting with ACF2 and ending with .gz, type the following: ACF2.*\.gz
Use of this parameter requires knowledge of regular expressions (regex). For more information, see the following website: http://download.oracle.com/javase/tutorial/essential/regex/

FTP Transfer Mode: This option only displays if you select FTP as the Service Type. From the list box, select Binary. The binary transfer mode is required for event files stored in a binary or compressed format, such as zip, gzip, tar, or tar+gzip archive files.

SCP Remote File: If you select SCP as the Service Type, you must type the file name of the remote file.

Start Time: Type the time of day you want the processing to begin.
For example, type 00:00 to schedule the Log File protocol to collect event files at midnight. This parameter functions with the Recurrence value to establish when and how often the Remote Directory is scanned for files. Type the start time, based on a 24 hour clock, in the following format: HH:MM.

Recurrence: Type the frequency, beginning at the Start Time, that you want the remote directory to be scanned. Type this value in hours (H), minutes (M), or days (D). For example, type 2H if you want the remote directory to be scanned every 2 hours from the start time. The default is 1H.

Run On Save: Select this check box if you want the log file protocol to run immediately after you click Save. After the Run On Save completes, the log file protocol follows your configured start time and recurrence schedule. Selecting Run On Save clears the list of previously processed files for the Ignore Previously Processed File parameter.

EPS Throttle: Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The valid range is 100 to 5000.

Processor: From the list box, select gzip. Processors allow event file archives to be expanded and contents processed for events. Files are only processed after they are downloaded to JSA. JSA can process files in zip, gzip, tar, or tar+gzip archive format.

Ignore Previously Processed File(s): Select this check box to track and ignore files that have already been processed by the log file protocol. JSA examines the log files in the remote directory to determine if a file has been previously processed by the log file protocol. If a previously processed file is detected, the log file protocol does not download the file for processing. All files that have not been previously processed are downloaded. This option only applies to FTP and SFTP Service Types.

Change Local Directory?:
Select this check box to define a local directory on your JSA for storing downloaded files during processing. We recommend that you leave this check box clear. When this check box is selected, the Local Directory field is displayed, which allows you to configure the local directory to use for storing files.

Event Generator: From the Event Generator list box, select LineByLine. The Event Generator applies additional processing to the retrieved event files. Each line of the file is a single event. For example, if a file has 10 lines of text, 10 separate events are created.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The CA ACF2 configuration is complete. If your configuration requires custom event properties, see the Custom Event Properties for IBM z/OS technical note.

Integrate CA ACF2 with JSA Using Audit Scripts

The CA Access Control Facility (ACF2) DSM allows you to use an IBM mainframe to collect events and audit transactions with the log file protocol.

Configuration overview

QexACF2.load.trs is a TERSED file containing a PDS loadlib with the QEXACF2 program. A tersed file is similar to a zip file and requires you to use the TRSMAIN program to uncompress the contents. The TRSMAIN program is available from www.juniper.net/customers/support/.

To upload a TRS file from a workstation, you must pre-allocate a file with the following DCB attributes: DSORG=PS, RECFM=FB, LRECL=1024, BLKSIZE=6144. The file transfer type must be BINARY APPEND. If the transfer type is TEXT or TEXT APPEND, then the file cannot properly uncompress. After you upload the file to the mainframe into the preallocated dataset, the tersed file can be UNPACKED using the TRSMAIN utility with the sample JCL also included in the tar package. A return code of 0008 from the TRSMAIN utility indicates the dataset is not recognized as a valid TERSED file.
This error might be the result of the file not being uploaded to a file with the correct DCB attributes, or of the transfer not being performed using the BINARY APPEND transfer mechanism. After you have successfully UNPACKED the loadlib file, you can run the QEXACF2 program with the sample JCL file. The sample JCL file is contained in the tar collection. To run the QEXACF2 program, you must modify the JCL to your local naming conventions and JOB card requirements. You might also need to use the STEPLIB DD if the program is not placed in a LINKLISTED library.

To integrate CA ACF2 events into JSA:
1 The IBM mainframe records all security events as Service Management Framework (SMF) records in a live repository.
2 The CA ACF2 data is extracted from the live repository using the SMF dump utility. The SMF file contains all of the events and fields from the previous day in raw SMF format.
3 The QexACF2.load.trs program pulls data from the SMF formatted file. The QexACF2.load.trs program only pulls the relevant events and fields for JSA and writes that information in a condensed format for compatibility. The information is saved in a location accessible by JSA.
4 JSA uses the log file protocol source to retrieve the output file information on a scheduled basis. JSA then imports and processes this file.

Configure CA ACF2 to integrate with JSA

JSA uses scripts to write audit events from CA ACF2 installations, which are retrieved by JSA using the Log File protocol.
Procedure
Step 1 From the Juniper Networks support website (http://www.juniper.net/customers/support/), download the following compressed file: qexacf2_bundled.tar.gz
Step 2 On a Linux-based operating system, extract the file:
tar -zxvf qexacf2_bundled.tar.gz
The following files are contained in the archive:
QexACF2.JCL.txt - Job Control Language file
QexACF2.load.trs - Compressed program library (requires IBM TRSMAIN)
trsmain sample JCL.txt - Job Control Language for TRSMAIN to decompress the .trs file
Step 3 Load the files onto the IBM mainframe using the following methods:
a Upload the sample QexACF2_trsmain_JCL.txt and QexACF2.JCL.txt files using the TEXT protocol.
b Upload the QexACF2.load.trs file using a BINARY mode transfer and append to a pre-allocated data set. The QexACF2.load.trs file is a tersed file containing the executable (the mainframe program QexACF2). When you upload the .trs file from a workstation, pre-allocate a file on the mainframe with the following DCB attributes: DSORG=PS, RECFM=FB, LRECL=1024, BLKSIZE=6144. The file transfer type must be binary mode and not text.
Note: QexACF2 is a small C mainframe program that reads the output of the TSSUTIL (EARLOUT data) line by line. QexACF2 adds a header to each record containing event information, for example, record descriptor, the date, and time. The program places each field into the output record, suppresses trailing blank characters, and delimits each field with the pipe character. This output file is formatted for JSA and the blank suppression reduces network traffic to JSA. This program does not consume CPU or I/O disk resources.
Step 4 Customize the trsmain sample_JCL.txt file according to your installation-specific parameters, for example, jobcard, data set naming conventions, output destinations, retention periods, and space requirements.
The trsmain sample_JCL.txt file uses the IBM utility TRSMAIN to extract the program stored in the QexACF2.load.trs file. An example of the QexACF2_trsmain_JCL.txt file includes:

//TRSMAIN JOB (yourvalidjobcard),Q1 labs,
// MSGCLASS=V
//DEL EXEC PGM=IEFBR14
//D1 DD DISP=(MOD,DELETE),DSN= .QEXACF2.LOAD.TRS,
// UNIT=SYSDA,
// SPACE=(CYL,(10,10))
//TRSMAIN EXEC PGM=TRSMAIN,PARM='UNPACK'
//SYSPRINT DD SYSOUT=*,DCB=(LRECL=133,BLKSIZE=12901,RECFM=FBA)
//INFILE DD DISP=SHR,DSN= .QEXACF2.LOAD.TRS
//OUTFILE DD DISP=(NEW,CATLG,DELETE),
// DSN= .LOAD,
// SPACE=(CYL,(10,10,5),RLSE),UNIT=SYSDA
//

The .trs input file is an IBM TERSE formatted library and is extracted by running the JCL, which calls TRSMAIN. This tersed file, when extracted, creates a PDS linklib with the QexACF2 program as a member.
Step 5 You can STEPLIB to this library or choose to move the program to one of the LINKLIBs that are in LINKLST. The program does not require authorization.
Step 6 After uploading, copy the program to an existing link listed library or add a STEPLIB DD statement with the correct dataset name of the library that will contain the program.
Step 7 The QexACF2_jcl.txt file is a text file containing a sample JCL. You must configure the job card to meet your configuration.
The QexACF2_jcl.txt sample file includes:

//QEXACF2 JOB (T,JXPO,JKSD0093),DEV,NOTIFY=Q1JACK,
// MSGCLASS=P,
// REGION=0M
//*
//*QEXACF2 JCL VERSION 1.0 OCTOBER, 2010
//*
//************************************************************
//* Change below dataset names to sites specific datasets names*
//************************************************************
//SET1 SET SMFIN='MVS1.SMF.RECORDS(0)',
// QEXOUT='Q1JACK.QEXACF2.OUTPUT',
// SMFOUT='Q1JACK.ACF2.DATA'
//************************************************************
//* Delete old datasets *
//************************************************************
//DEL EXEC PGM=IEFBR14
//DD1 DD DISP=(MOD,DELETE),DSN=&SMFOUT,
// UNIT=SYSDA,
// SPACE=(CYL,(10,10)),
// DCB=(RECFM=FB,LRECL=80)
//DD2 DD DISP=(MOD,DELETE),DSN=&QEXOUT,
// UNIT=SYSDA,
// SPACE=(CYL,(10,10)),
// DCB=(RECFM=FB,LRECL=80)
//*************************************************************
//* Allocate new dataset *
//*************************************************************
//ALLOC EXEC PGM=IEFBR14
//DD1 DD DISP=(NEW,CATLG),DSN=&QEXOUT,
// SPACE=(CYL,(100,100)),
// DCB=(RECFM=VB,LRECL=1028,BLKSIZE=6144)
//*************************************************************
//* Execute ACFRPTPP (Report Preprocessor GRO) to extract ACF2*
//* SMF records *
//*************************************************************
//PRESCAN EXEC PGM=ACFRPTPP
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//RECMAN1 DD DISP=SHR,DSN=&SMFIN
//SMFFLT DD DSN=&SMFOUT,SPACE=(CYL,(100,100)),DISP=(,CATLG),
// DCB=(RECFM=FB,LRECL=8192,BLKSIZE=40960),
// UNIT=SYSALLDA
//************************************************************
//* execute QEXACF2 *
//************************************************************
//EXTRACT EXEC PGM=QEXACF2,DYNAMNBR=10,
// TIME=1440
//STEPLIB DD DISP=SHR,DSN=Q1JACK.C.LOAD
//SYSTSIN DD DUMMY
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//CFG DD DUMMY
//ACFIN DD DISP=SHR,DSN=&SMFOUT
//ACFOUT DD DISP=SHR,DSN=&QEXOUT
//************************************************************
//FTP EXEC PGM=FTP,REGION=3800K
//INPUT DD *
PUT ' ' EARL_ /
QUIT
//OUTPUT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//*

Step 8 After the output file is created, you must choose one of the following options:
a Schedule a job to transfer the output file to an interim FTP server. Each time the job completes, the output file is forwarded to an interim FTP server. You must configure the following parameters in the sample JCL to successfully forward the output to an interim FTP server. For example:
//FTP EXEC PGM=FTP,REGION=3800K
//INPUT DD *
PUT ' ' EARL_ /
QUIT
//OUTPUT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
Where:
is the IP address or host name of the interim FTP server to receive the output file.
is the user name required to access the interim FTP server.
is the password required to access the interim FTP server.
is the destination of the mainframe or interim FTP server receiving the output. For example: PUT 'Q1JACK.QEXACF2.OUTPUT.C320' /192.168.1.101/ACF2/QEXACF2.OUTPUT.C320
is the name of the output file saved to the interim FTP server.
You are now ready to create a log source in JSA. For more information, see Create a log source.
b Schedule JSA to retrieve the output file from CA ACF2. If the zOS platform is configured to serve files through FTP, SFTP, or allow SCP, then no interim FTP server is required and JSA can pull the output file directly from the mainframe. The following text must be commented out using //* or deleted from the QexACF2_jcl.txt file:
//FTP EXEC PGM=FTP,REGION=3800K
//INPUT DD *
PUT ' ' EARL_ /
QUIT
//OUTPUT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
You are now ready to configure a log source in JSA.

Create a log source

A log file protocol source allows JSA to retrieve archived log files from a remote host. The CA ACF2 DSM supports the bulk loading of log files using the log file protocol source.
When configuring your CA ACF2 DSM to use the log file protocol, make sure the hostname or IP address configured in the CA ACF2 is the same as configured in the Remote Host parameter in the Log File protocol configuration.

To configure a log source in JSA for CA ACF2:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources. The Data Sources panel is displayed.
Step 4 Click the Log Sources icon. The Log Sources window is displayed.
Step 5 Click Add. The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for the log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select CA ACF2.
Step 9 From the Protocol Configuration list box, select Log File.
Step 10 Configure the following values:

Table 23-2 CA ACF2 Log File Parameters

Log Source Identifier: Type an IP address, host name, or name to identify the event source. IP addresses or host names are recommended as they allow JSA to identify a log file to a unique event source. For example, if your network contains multiple devices, such as multiple z/OS images or a file repository containing all of your event logs, you should specify the IP address or host name of the device that uniquely identifies the log source. This allows events to be identified at the device level in your network, instead of identifying the event for the file repository.

Service Type: From the list box, select the protocol you want to use when retrieving log files from a remote server. The default is SFTP.
• SFTP - SSH File Transfer Protocol
• FTP - File Transfer Protocol
• SCP - Secure Copy
Note: The underlying protocol used to retrieve log files for the SCP and SFTP service type requires that the server specified in the Remote IP or Hostname field has the SFTP subsystem enabled.
Remote IP or Hostname Type the IP address or host name of the device storing your event log files. Configuring DSMs 116 CA TECHNOLOGIES Table 23-2 CA ACF2 Log File Parameters (continued) Parameter Description Remote Port Type the TCP port on the remote host that is running the selected Service Type. The valid range is 1 to 65535. The options include: • FTP - TCP Port 21 • SFTP - TCP Port 22 • SCP - TCP Port 22 Note: If the host for your event files is using a non-standard port number for FTP, SFTP, or SCP, you must adjust the port value accordingly. Remote User Type the user name necessary to log in to the host containing your event files. The username can be up to 255 characters in length. Remote Password Type the password necessary to log in to the host. Confirm Password Confirm the password necessary to log in to the host. SSH Key File If you select SCP or SFTP as the Service Type, this parameter allows you to define an SSH private key file. When you provide an SSH Key File, the Remote Password field is ignored. Remote Directory Type the directory location on the remote host from which the files are retrieved, relative to the user account you are using to log in. Note: For FTP only. If your log files reside in the remote user’s home directory, you can leave the remote directory blank. This is to support operating systems where a change in the working directory (CWD) command is restricted. Recursive Select this check box if you want the file pattern to search sub folders in the remote directory. By default, the check box is clear. The Recursive option is ignored if you configure SCP as the Service Type. Configuring DSMs CA ACF2 117 Table 23-2 CA ACF2 Log File Parameters (continued) Parameter Description FTP File Pattern If you select SFTP or FTP as the Service Type, this option allows you to configure the regular expression (regex) required to filter the list of files specified in the Remote Directory. All matching files are included in the processing. 
IBM z/OS mainframe using IBM Security zSecure Audit writes event files using the pattern zOS. .gz The FTP file pattern you specify must match the name you assigned to your event files. For example, to collect files starting with zOS and ending with .gz, type the following: ACF2.*\.gz Use of this parameter requires knowledge of regular expressions (regex). For more information, see the following website: http://download.oracle.com/javase/tutorial/essential/regex/ FTP Transfer Mode This option only displays if you select FTP as the Service Type. From the list box, select Binary. The binary transfer mode is required for event files stored in a binary or compressed format, such as zip, gzip, tar, or tar+gzip archive files. SCP Remote File If you select SCP as the Service Type you must type the file name of the remote file. Start Time Type the time of day you want the processing to begin. For example, type 00:00 to schedule the Log File protocol to collect event files at midnight. This parameter functions with the Recurrence value to establish when and how often the Remote Directory is scanned for files. Type the start time, based on a 24 hour clock, in the following format: HH:MM. Recurrence Type the frequency, beginning at the Start Time, that you want the remote directory to be scanned. Type this value in hours (H), minutes (M), or days (D). For example, type 2H if you want the remote directory to be scanned every 2 hours from the start time. The default is 1H. Run On Save Select this check box if you want the log file protocol to run immediately after you click Save. After the Run On Save completes, the log file protocol follows your configured start time and recurrence schedule. Selecting Run On Save clears the list of previously processed files for the Ignore Previously Processed File parameter. EPS Throttle Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The valid range is 100 to 5000. 
Configuring DSMs 118 CA TECHNOLOGIES Table 23-2 CA ACF2 Log File Parameters (continued) Parameter Description Processor From the list box, select gzip. Processors allow event file archives to be expanded and contents processed for events. Files are only processed after they are downloaded to JSA. JSA can process files in zip, gzip, tar, or tar+gzip archive format. Ignore Previously Processed File(s) Select this check box to track and ignore files that have already been processed by the log file protocol. JSA examines the log files in the remote directory to determine if a file has been previously processed by the log file protocol. If a previously processed file is detected, the log file protocol does not download the file for processing. All files that have not been previously processed are downloaded. This option only applies to FTP and SFTP Service Types. Change Local Directory? Select this check box to define a local directory on your JSA for storing downloaded files during processing. We recommend that you leave this check box clear. When this check box is selected, the Local Directory field is displayed, which allows you to configure the local directory to use for storing files. Event Generator From the Event Generator list box, select LineByLine. The Event Generator applies additional processing to the retrieved event files. Each line of the file is a single event. For example, if a file has 10 lines of text, 10 separate events are created. Step 11 Click Save. Step 12 On the Admin tab, click Deploy Changes. The CA ACF2 configuration is complete. If your configuration requires custom event properties, see the Custom Event Properties for IBM z/OS technical note. CA SiteMinder The CA SiteMinder DSM collects and categorizes authorization events from CA SiteMinder appliances using syslog-ng. Supported Event Types The CA SiteMinder DSM accepts access and authorization events logged in smaccess.log and forwards the events to JSA using syslog-ng. 
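The FTP File Pattern, Recursive, Ignore Previously Processed File(s), Run On Save, Start Time and Recurrence parameters in the table above interact in ways that are easy to get wrong when a file is still being written or an older archive sits in a sub folder. The following Python model is an added example, not Juniper's code and not the JSA Log File protocol implementation. The directory listing is constructed, and the model assumes two things that should be checked against the protocol's real behaviour: that the pattern must match the whole file name (Java matches() semantics, shown against a partial-match alternative), and that previously processed files are tracked by path.

```python
import re
from datetime import datetime, timedelta

# Constructed sample listing of a remote directory (paths relative to Remote Directory).
SAMPLE_LISTING = [
    "ACF2.20141125.gz",
    "ACF2.20141126.gz",
    "ACF2.20141126.gz.tmp",      # still being written; must not be picked up
    "zOS.20141126.gz",
    "archive/ACF2.20141001.gz",  # only visible when Recursive is selected
    "README.txt",
]


class LogFileProtocolState:
    """Tracks files already handled, as the Ignore Previously Processed File(s) option does."""

    def __init__(self):
        self.processed = set()

    def run_on_save(self):
        """Run On Save clears the list of previously processed files."""
        self.processed.clear()


def select_files(listing, ftp_file_pattern, recursive=False,
                 ignore_processed=True, state=None, whole_name=True):
    """Return the files one scan of the Remote Directory would download, in listing order.

    whole_name=True applies the regex to the entire file name (assumption: Java matches()).
    whole_name=False shows what a find()-style partial match would pick up instead.
    """
    pattern = re.compile(ftp_file_pattern)
    chosen = []
    for path in listing:
        directory, _, name = path.rpartition("/")
        if directory and not recursive:
            continue  # sub folders are only searched when Recursive is selected
        matched = pattern.fullmatch(name) if whole_name else pattern.search(name)
        if not matched:
            continue
        if ignore_processed and state is not None and path in state.processed:
            continue  # previously processed: not downloaded again
        chosen.append(path)
    if ignore_processed and state is not None:
        state.processed.update(chosen)
    return chosen


def parse_recurrence(value):
    """Parse the Recurrence field: a count followed by H (hours), M (minutes) or D (days)."""
    m = re.fullmatch(r"(\d+)([HMD])", value.strip().upper())
    if not m:
        raise ValueError(f"Recurrence must look like 2H, 30M or 1D, got {value!r}")
    count, unit = int(m.group(1)), m.group(2)
    return timedelta(**{{"H": "hours", "M": "minutes", "D": "days"}[unit]: count})


def poll_times(start_time, recurrence, day, count):
    """First `count` scans on `day` (YYYY-MM-DD), beginning at Start Time (HH:MM, 24 hour
    clock) and repeating every Recurrence."""
    first = datetime.strptime(f"{day} {start_time}", "%Y-%m-%d %H:%M")
    step = parse_recurrence(recurrence)
    return [first + i * step for i in range(count)]


if __name__ == "__main__":
    state = LogFileProtocolState()
    print(select_files(SAMPLE_LISTING, r"ACF2.*\.gz", state=state))   # two ACF2 files
    print(select_files(SAMPLE_LISTING, r"ACF2.*\.gz", state=state))   # [] on the next scan
    state.run_on_save()
    print(select_files(SAMPLE_LISTING, r"ACF2.*\.gz", recursive=True, state=state))
    print(select_files(SAMPLE_LISTING, r"ACF2.*\.gz", whole_name=False))  # picks up the .tmp
    print([t.strftime("%H:%M") for t in poll_times("00:00", "2H", "2014-11-27", 3)])
```

The `whole_name=False` call is the cautionary case: a pattern that is not anchored to the end of the name would also download a half-written `.gz.tmp` file, which then fails in the gzip Processor. Anchoring the pattern with `\.gz` at the end, as the table's example does, avoids that under either matching mode only when the whole name is matched, so it is worth verifying the mode once against the real remote directory.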
Configure a Log Source

CA SiteMinder with JSA does not automatically discover authorization events forwarded using syslog-ng from CA SiteMinder appliances. To manually create a CA SiteMinder log source:

Step 1 Click the Admin tab.
Step 2 On the navigation menu, click Data Sources. The Data Sources panel is displayed.
Step 3 Click the Log Sources icon. The Log Sources window is displayed.
Step 4 In the Log Source Name field, type a name for your CA SiteMinder log source.
Step 5 In the Log Source Description field, type a description for the log source.
Step 6 From the Log Source Type list box, select CA SiteMinder.
Step 7 From the Protocol Configuration list box, select Syslog. The syslog protocol parameters are displayed.
Note: The Log File protocol is displayed in the Protocol Configuration list box; however, polling for log files is not a recommended configuration method.
Step 8 Configure the following values:

Table 23-3 Adding a Syslog Log Source

Log Source Identifier: Type the IP address or hostname for your CA SiteMinder appliance.

Enabled: Select this check box to enable the log source. By default, this check box is selected.

Credibility: From the list box, select the credibility of the log source. The range is 0 to 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source device. Credibility increases if multiple sources report the same event. The default is 5.

Target Event Collector: From the list box, select the Event Collector to use as the target for the log source.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Automatically discovered log sources use the default value configured in the Coalescing Events list box in the System Settings window, which is accessible on the Admin tab. However, when you create a new log source or update the configuration for an automatically discovered log source, you can override the default value by configuring this check box for each log source. For more information on Settings, see the Juniper Secure Analytics Administration Guide.

Store Event Payload: Select this check box to enable or disable JSA from storing the event payload. Automatically discovered log sources use the default value from the Store Event Payload list box in the System Settings window, which is accessible on the Admin tab. However, when you create a new log source or update the configuration for an automatically discovered log source, you can override the default value by configuring this check box for each log source. For more information on Settings, see the Juniper Secure Analytics Administration Guide.

Step 9 Click Save. The Admin tab toolbar detects log source changes and displays a message to indicate when you need to deploy a change.
Step 10 On the Admin tab, click Deploy Changes.

You are now ready to configure syslog-ng on your CA SiteMinder appliance to forward events to JSA.

Configure Syslog-ng for CA SiteMinder

You must configure your CA SiteMinder appliance to forward syslog-ng events to your JSA console or Event Collector. JSA can collect syslog-ng events from TCP or UDP syslog sources on port 514.

To configure syslog-ng for CA SiteMinder:

Step 1 Using SSH, log in to your CA SiteMinder appliance as a root user.
Step 2 Edit the syslog-ng configuration file:
/etc/syslog-ng.conf

Step 3 Add the following information to specify the access log as the event file for syslog-ng:

source s_siteminder_access {
    file("/opt/apps/siteminder/sm66/siteminder/log/smaccess.log");
};

Step 4 Add the following information to specify the destination and message template:

destination d_remote_q1_siteminder {
    udp(" " port(514) template ("$PROGRAM $MSG\n"));
};

Where is the IP address of the JSA console or Event Collector.

Step 5 Add the following log entry information:

log {
    source(s_siteminder_access);
    destination(d_remote_q1_siteminder);
};

Step 6 Save the syslog-ng.conf file.
Step 7 Type the following command to restart syslog-ng:

service syslog-ng restart

After the syslog-ng service restarts, the CA SiteMinder configuration is complete. Events forwarded to JSA by CA SiteMinder are displayed on the Log Activity tab.

CA Top Secret

JSA includes two options for integrating CA Top Secret events:
• Integrate CA Top Secret with JSA using IBM Security zSecure
• Integrate CA Top Secret with JSA Using Audit Scripts

Integrate CA Top Secret with JSA using IBM Security zSecure

The CA Top Secret DSM allows you to integrate LEEF events from a Top Secret image on an IBM z/OS mainframe using IBM Security zSecure. Using a zSecure process, events from the System Management Facilities (SMF) are recorded to an event file in the Log Enhanced Event format (LEEF). JSA retrieves the LEEF event log files using the log file protocol and processes the events. You can schedule JSA to retrieve events on a polling interval, which allows JSA to retrieve the events on the schedule you have defined.

To integrate CA Top Secret events:

1 Confirm your installation meets any prerequisite installation requirements.
2 Configure your CA Top Secret z/OS image to write events in LEEF format. For more information, see the IBM Security zSecure Suite: CARLa-Driven Components Installation and Deployment Guide.
3 Create a log source in JSA for CA Top Secret to retrieve your LEEF formatted event logs.
4 Optional. Create a custom event property for CA Top Secret in JSA. For more information, see the Custom Event Properties for IBM z/OS technical note.

Before you begin

Before you can configure the data collection process, you must complete the basic zSecure installation process. The following prerequisites are required:
• You must ensure parmlib member IFAPRDxx is not disabled for IBM Security zSecure Audit on your z/OS image.
• The SCKRLOAD library must be APF-authorized.
• You must configure a process to periodically refresh your CKFREEZE and UNLOAD data sets.
• You must configure an SFTP, FTP, or SCP server on your z/OS image for JSA to download your LEEF event files.
• You must allow SFTP, FTP, or SCP traffic on firewalls located between JSA and your z/OS image.

After installing the software, you must also perform the post-installation activities to create and modify the configuration. For instructions on installing and configuring zSecure, see the IBM Security zSecure Suite: CARLa-Driven Components Installation and Deployment Guide.

Create a log source

The Log File protocol allows JSA to retrieve archived log files from a remote host. Log files are transferred, one at a time, to JSA for processing. The log file protocol can manage plain text event logs, compressed files, or archives. Archives must contain plain-text files that can be processed one line at a time. Multi-line event logs are not supported by the log file protocol. IBM z/OS with zSecure writes log files to a specified directory as gzip archives. JSA extracts the archive and processes the events, which are written as one event per line in the file. To retrieve these events, you must create a log source using the Log File protocol. JSA requires credentials to log in to the system hosting your LEEF formatted event files and a polling interval.
To configure a log source in JSA for CA Top Secret:

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources. The Data Sources panel is displayed.
Step 4 Click the Log Sources icon. The Log Sources window is displayed.
Step 5 Click Add. The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for the log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select CA Top Secret.
Step 9 From the Protocol Configuration list box, select Log File.
Step 10 Configure the following values:

Table 23-4 CA Top Secret Log File Parameters

Log Source Identifier: Type an IP address, host name, or name to identify the event source. IP addresses or host names are recommended as they allow JSA to identify a log file to a unique event source. For example, if your network contains multiple devices, such as multiple z/OS images or a file repository containing all of your event logs, you should specify the IP address or host name of the device that uniquely identifies the log source. This allows events to be identified at the device level in your network, instead of identifying the event for the file repository.

Service Type: From the list box, select the protocol you want to use when retrieving log files from a remote server. The default is SFTP.
• SFTP - SSH File Transfer Protocol
• FTP - File Transfer Protocol
• SCP - Secure Copy
Note: The underlying protocol used to retrieve log files for the SCP and SFTP service type requires that the server specified in the Remote IP or Hostname field has the SFTP subsystem enabled.

Remote IP or Hostname: Type the IP address or host name of the device storing your event log files.

Remote Port: Type the TCP port on the remote host that is running the selected Service Type. The valid range is 1 to 65535. The options include:
• FTP - TCP Port 21
• SFTP - TCP Port 22
• SCP - TCP Port 22
Note: If the host for your event files is using a non-standard port number for FTP, SFTP, or SCP, you must adjust the port value accordingly.

Remote User: Type the user name necessary to log in to the host containing your event files. The username can be up to 255 characters in length.

Remote Password: Type the password necessary to log in to the host.

Confirm Password: Confirm the password necessary to log in to the host.

SSH Key File: If you select SCP or SFTP as the Service Type, this parameter allows you to define an SSH private key file. When you provide an SSH Key File, the Remote Password field is ignored.

Remote Directory: Type the directory location on the remote host from which the files are retrieved, relative to the user account you are using to log in.
Note: For FTP only. If your log files reside in the remote user's home directory, you can leave the remote directory blank. This is to support operating systems where a change in the working directory (CWD) command is restricted.

Recursive: Select this check box if you want the file pattern to search sub folders in the remote directory. By default, the check box is clear. The Recursive option is ignored if you configure SCP as the Service Type.

FTP File Pattern: If you select SFTP or FTP as the Service Type, this option allows you to configure the regular expression (regex) required to filter the list of files specified in the Remote Directory. All matching files are included in the processing. An IBM z/OS mainframe using IBM Security zSecure Audit writes event files using the pattern TSS. .gz The FTP file pattern you specify must match the name you assigned to your event files. For example, to collect files starting with TSS and ending with .gz, type the following: TSS.*\.gz
Use of this parameter requires knowledge of regular expressions (regex). For more information, see the following website: http://download.oracle.com/javase/tutorial/essential/regex/

FTP Transfer Mode: This option only displays if you select FTP as the Service Type. From the list box, select Binary. The binary transfer mode is required for event files stored in a binary or compressed format, such as zip, gzip, tar, or tar+gzip archive files.

SCP Remote File: If you select SCP as the Service Type, you must type the file name of the remote file.

Start Time: Type the time of day you want the processing to begin. For example, type 00:00 to schedule the Log File protocol to collect event files at midnight. This parameter functions with the Recurrence value to establish when and how often the Remote Directory is scanned for files. Type the start time, based on a 24 hour clock, in the following format: HH:MM.

Recurrence: Type the frequency, beginning at the Start Time, that you want the remote directory to be scanned. Type this value in hours (H), minutes (M), or days (D). For example, type 2H if you want the remote directory to be scanned every 2 hours from the start time. The default is 1H.

Run On Save: Select this check box if you want the log file protocol to run immediately after you click Save. After the Run On Save completes, the log file protocol follows your configured start time and recurrence schedule. Selecting Run On Save clears the list of previously processed files for the Ignore Previously Processed File parameter.

EPS Throttle: Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The valid range is 100 to 5000.

Processor: From the list box, select gzip. Processors allow event file archives to be expanded and contents processed for events. Files are only processed after they are downloaded to JSA. JSA can process files in zip, gzip, tar, or tar+gzip archive format.

Ignore Previously Processed File(s): Select this check box to track and ignore files that have already been processed by the log file protocol. JSA examines the log files in the remote directory to determine if a file has been previously processed by the log file protocol. If a previously processed file is detected, the log file protocol does not download the file for processing. All files that have not been previously processed are downloaded. This option only applies to FTP and SFTP Service Types.

Change Local Directory?: Select this check box to define a local directory on your JSA for storing downloaded files during processing. We recommend that you leave this check box clear. When this check box is selected, the Local Directory field is displayed, which allows you to configure the local directory to use for storing files.

Event Generator: From the Event Generator list box, select LineByLine. The Event Generator applies additional processing to the retrieved event files. Each line of the file is a single event. For example, if a file has 10 lines of text, 10 separate events are created.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The CA Top Secret configuration is complete. If your configuration requires custom event properties, see the Custom Event Properties for IBM z/OS technical note.

Integrate CA Top Secret with JSA Using Audit Scripts

The CA Top Secret DSM allows you to integrate with an IBM zOS mainframe to collect events and audit transactions. JSA records all relevant and available information from the event.

To integrate CA Top Secret events into JSA:

1 The IBM mainframe records all security events as Service Management Framework (SMF) records in a live repository.
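The Processor (gzip) and Event Generator (LineByLine) settings in the zSecure table above, together with the earlier statement that multi-line event logs are not supported, describe a fixed pipeline: expand the archive, then treat every line as one event. The Python below is an added example, not Juniper's or IBM's code, that models that pipeline on a constructed gzip event file and parses the LEEF 1.0 header and tab-separated attributes of each line. The vendor, product, event IDs and attribute names in the sample are illustrative, not zSecure's actual field set.

```python
import gzip
import io

# Constructed sample event file: LEEF 1.0 records, one event per line. The vendor,
# product, event IDs and attribute names are illustrative, not zSecure's real field set.
SAMPLE_LINES = [
    "LEEF:1.0|CA|Top Secret|15.0|LOGON|devTime=Nov 27 2014 08:00:01\tusrName=JSMITH"
    "\tsrc=10.0.0.5\tresult=SUCCESS",
    "LEEF:1.0|CA|Top Secret|15.0|ACCESS|devTime=Nov 27 2014 08:00:07\tusrName=JSMITH"
    "\tresource=PAYROLL.MASTER\tresult=DENIED",
    "",
    "continuation text that spilled onto its own line",
]


def build_gzip_archive(lines):
    """Pack the lines into an in-memory .gz file, as the z/OS side writes event files."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        gz.write(("\n".join(lines) + "\n").encode("utf-8"))
    return buf.getvalue()


def gzip_processor(blob):
    """Processor = gzip: expand the downloaded archive to plain text."""
    return gzip.decompress(blob).decode("utf-8")


def line_by_line(text):
    """Event Generator = LineByLine: every non-blank line becomes exactly one event."""
    return [line for line in text.splitlines() if line.strip()]


def parse_leef(line):
    """Parse a LEEF 1.0 record: LEEF:1.0|Vendor|Product|Version|EventID|key=value<TAB>...
    Returns None when the line is not LEEF."""
    if not line.startswith("LEEF:"):
        return None
    parts = line.split("|", 5)
    if len(parts) < 5:
        return None
    event = {
        "leef_version": parts[0][len("LEEF:"):],
        "vendor": parts[1],
        "product": parts[2],
        "product_version": parts[3],
        "event_id": parts[4],
        "attributes": {},
    }
    if len(parts) == 6:
        for pair in parts[5].split("\t"):
            if pair:
                key, _, value = pair.partition("=")
                event["attributes"][key] = value
    return event


def process_event_file(blob):
    """Full chain for one downloaded file: gzip -> LineByLine -> LEEF parse.
    A line that is not LEEF still becomes its own event, kept as raw payload; this is
    why multi-line events are unsupported: their continuation lines turn into junk events."""
    events = []
    for line in line_by_line(gzip_processor(blob)):
        parsed = parse_leef(line)
        events.append(parsed if parsed is not None else {"raw": line})
    return events


if __name__ == "__main__":
    for ev in process_event_file(build_gzip_archive(SAMPLE_LINES)):
        print(ev)
```

The last sample line shows what a wrapped record looks like after LineByLine: it arrives as a separate event with no LEEF header, so when such events appear in JSA the fix is on the producing side (one record per line), not in the log source parameters.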
2 At midnight, the CA Top Secret data is extracted from the live repository using the SMF dump utility. The SMF file contains all of the events and fields from the previous day in raw SMF format.
3 The qextopsloadlib program pulls data from the SMF formatted file. The qextopsloadlib program only pulls the relevant events and fields for JSA and writes that information in a condensed format for compatibility. The information is saved in a location accessible by JSA.
4 JSA uses the log file protocol source to retrieve the output file information on a scheduled basis. JSA then imports and processes this file.

Configure CA Top Secret to integrate with JSA

To integrate CA Top Secret with JSA:

Step 1 From the Juniper Networks support website (http://www.juniper.net/customers/support/), download the following compressed file:

qextops_bundled.tar.gz

Step 2 On a Linux-based operating system, extract the file:

tar -zxvf qextops_bundled.tar.gz

The following files are contained in the archive:

qextops_jcl.txt
qextopsloadlib.trs
qextops_trsmain_JCL.txt

Step 3 Load the files onto the IBM mainframe using any terminal emulator file transfer method.
a Upload the sample qextops_trsmain_JCL.txt and qextops_jcl.txt files using the TEXT protocol.
b Upload the qextopsloadlib.trs file using a BINARY mode transfer. The qextopsloadlib.trs file is a tersed file containing the executable (the mainframe program qextops). When you upload the .trs file from a workstation, pre-allocate a file on the mainframe with the following DCB attributes: DSORG=PS, RECFM=FB, LRECL=1024, BLKSIZE=6144. The file transfer type must be binary mode and not text.

Note: Qextops is a small C mainframe program that reads the output of the TSSUTIL (EARLOUT data) line by line. Qextops adds a header to each record containing event information, for example, record descriptor, the date, and time. The program places each field into the output record, suppresses trailing blank characters, and delimits each field with the pipe character. This output file is formatted for JSA and the blank suppression reduces network traffic to JSA. This program does not consume CPU or I/O disk resources.

Step 4 Customize the qextops_trsmain_JCL.txt file according to your installation-specific requirements. The qextops_trsmain_JCL.txt file uses the IBM utility TRSMAIN to extract the program stored in the qextopsloadlib.trs file. An example of the qextops_trsmain_JCL.txt file includes:

//TRSMAIN JOB (yourvalidjobcard),Q1 labs,
// MSGCLASS=V
//DEL EXEC PGM=IEFBR14
//D1 DD DISP=(MOD,DELETE),DSN= .QEXTOPS.TRS
// UNIT=SYSDA,
// SPACE=(CYL,(10,10))
//TRSMAIN EXEC PGM=TRSMAIN,PARM='UNPACK'
//SYSPRINT DD SYSOUT=*,DCB=(LRECL=133,BLKSIZE=12901,RECFM=FBA)
//INFILE DD DISP=SHR,DSN= .QEXTOPS.TRS
//OUTFILE DD DISP=(NEW,CATLG,DELETE),
// DSN= .LOAD,
// SPACE=(CYL,(10,10,5),RLSE),UNIT=SYSDA
//

You must update the file with your installation specific information for parameters, for example, jobcard, data set naming conventions, output destinations, retention periods, and space requirements. The .trs input file is an IBM TERSE formatted library and is extracted by running the JCL, which calls the TRSMAIN. This tersed file, when extracted, creates a PDS linklib with the qextops program as a member.

Step 5 You can STEPLIB to this library or choose to move the program to one of the LINKLIBs that are in the LINKLST. The program does not require authorization.
Step 6 After uploading, copy the program to an existing link listed library or add a STEPLIB DD statement with the correct dataset name of the library that will contain the program.
Step 7 The qextops_jcl.txt file is a text file containing a sample JCL. You must configure the job card to meet your configuration.
The qextops_jcl.txt sample file includes:

//QEXTOPS JOB (T,JXPO,JKSD0093),DEV,NOTIFY=Q1JACK,
// MSGCLASS=P,
// REGION=0M
//*
//*QEXTOPS JCL version 1.0 September, 2010
//*
//*************************************************************
//* Change below dataset names to sites specific datasets names*
//************************************************************
//SET1 SET TSSOUT='Q1JACK.EARLOUT.ALL',
// EARLOUT='Q1JACK.QEXTOPS.PROGRAM.OUTPUT'
//************************************************************
//* Delete old datasets *
//************************************************************
//DEL EXEC PGM=IEFBR14
//DD1 DD DISP=(MOD,DELETE),DSN=&TSSOUT,
// UNIT=SYSDA,
// SPACE=(CYL,(10,10)),
// DCB=(RECFM=FB,LRECL=80)
//DD2 DD DISP=(MOD,DELETE),DSN=&EARLOUT,
// UNIT=SYSDA,
// SPACE=(CYL,(10,10)),
// DCB=(RECFM=FB,LRECL=80)
//************************************************************
//* Allocate new dataset *
//************************************************************
//ALLOC EXEC PGM=IEFBR14
//DD1 DD DISP=(NEW,CATLG),DSN=&EARLOUT,
// SPACE=(CYL,(100,100)),
// DCB=(RECFM=VB,LRECL=1028,BLKSIZE=6144)
//************************************************************
//* Execute Top Secret TSSUTIL utility to extract smf records*
//************************************************************
//REPORT EXEC PGM=TSSUTIL
//SMFIN DD DISP=SHR,DSN=&SMFIN1
//SMFIN1 DD DISP=SHR,DSN=&SMFIN2
//UTILOUT DD DSN=&UTILOUT,
// DISP=(,CATLG),UNIT=SYSDA,SPACE=(CYL,(50,10),RLSE),
// DCB=(RECFM=FB,LRECL=133,BLKSIZE=0)
//EARLOUT DD DSN=&TSSOUT,
// DISP=(NEW,CATLG),UNIT=SYSDA,
// SPACE=(CYL,(200,100),RLSE),
// DCB=(RECFM=VB,LRECL=456,BLKSIZE=27816)
//UTILIN DD *
NOLEGEND
REPORT EVENT(ALL) END
/*
//************************************************************
//EXTRACT EXEC PGM=QEXTOPS,DYNAMNBR=10,
// TIME=1440
//STEPLIB DD DISP=SHR,DSN=Q1JACK.C.LOAD
//SYSTSIN DD DUMMY
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//CFG DD DUMMY
//EARLIN DD DISP=SHR,DSN=&TSSOUT
//EARLOUT DD DISP=SHR,DSN=&EARLOUT
//************************************************************
//FTP EXEC PGM=FTP,REGION=3800K
//INPUT DD *
PUT ' ' EARL_ /
QUIT
//OUTPUT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*

Step 8 After the output file is created, you must choose one of the following options:

a Schedule a job to transfer the output file to an interim FTP server. Each time the job completes, the output file is forwarded to an interim FTP server. You must configure the following parameters in the sample JCL to successfully forward the output to an interim FTP server. For example:

//FTP EXEC PGM=FTP,REGION=3800K
//INPUT DD *
PUT ' ' EARL_ /
QUIT
//OUTPUT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*

Where:
• is the IP address or host name of the interim FTP server to receive the output file.
• is the user name required to access the interim FTP server.
• is the password required to access the interim FTP server.
• is the destination of the mainframe or interim FTP server receiving the output. For example: PUT 'Q1JACK.QEXTOPS.OUTPUT.C320' /192.168.1.101/CA/QEXTOPS.OUTPUT.C320
• is the name of the output file saved to the interim FTP server.

You are now ready to configure the Log File protocol. See Create a log source.

b Schedule JSA to retrieve the output file from CA Top Secret. If the zOS platform is configured to serve files through FTP, SFTP, or allow SCP, then no interim FTP server is required and JSA can pull the output file directly from the mainframe. The following text must be commented out using //* or deleted from the qextops_jcl.txt file:

//FTP EXEC PGM=FTP,REGION=3800K
//INPUT DD *
PUT ' ' EARL_ /
QUIT
//OUTPUT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*

You are now ready to configure the Log File protocol. See Create a log source.

Create a log source

A log file protocol source allows JSA to retrieve archived log files from a remote host.
The CA Top Secret DSM supports the bulk loading of log files using the log file protocol source. When configuring your CA Top Secret DSM to use the log file protocol, make sure the hostname or IP address configured in CA Top Secret is the same as the one configured in the Remote Host parameter of the Log File Protocol configuration.

To configure a log source in JSA for CA Top Secret:

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources. The Data Sources panel is displayed.
Step 4 Click the Log Sources icon. The Log Sources window is displayed.
Step 5 Click Add. The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for the log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select CA Top Secret.
Step 9 From the Protocol Configuration list box, select Log File.

Configuring DSMs CA Top Secret 131

Step 10 Configure the following values:

Table 23-5 CA Top Secret Log File Parameters

Log Source Identifier - Type an IP address, host name, or name to identify the event source. IP addresses or host names are recommended because they allow JSA to associate a log file with a unique event source. For example, if your network contains multiple devices, such as multiple z/OS images or a file repository containing all of your event logs, specify the IP address or host name of the device that uniquely identifies the log source. This allows events to be identified at the device level in your network, instead of being attributed to the file repository.

Service Type - From the list box, select the protocol you want to use when retrieving log files from a remote server. The default is SFTP.
• SFTP - SSH File Transfer Protocol
• FTP - File Transfer Protocol
• SCP - Secure Copy
Note: The underlying protocol used to retrieve log files for the SCP and SFTP service types requires that the server specified in the Remote IP or Hostname field has the SFTP subsystem enabled.

Remote IP or Hostname - Type the IP address or host name of the device storing your event log files.

Remote Port - Type the TCP port on the remote host that is running the selected Service Type. The valid range is 1 to 65535. The options include:
• FTP - TCP Port 21
• SFTP - TCP Port 22
• SCP - TCP Port 22
Note: If the host for your event files uses a non-standard port number for FTP, SFTP, or SCP, you must adjust the port value accordingly.

Remote User - Type the user name necessary to log in to the host containing your event files. The username can be up to 255 characters in length.

Remote Password - Type the password necessary to log in to the host.

Confirm Password - Confirm the password necessary to log in to the host.

SSH Key File - If you select SCP or SFTP as the Service Type, this parameter allows you to define an SSH private key file. When you provide an SSH Key File, the Remote Password field is ignored.

Remote Directory - Type the directory location on the remote host from which the files are retrieved, relative to the user account you are using to log in.
Note: For FTP only. If your log files reside in the remote user's home directory, you can leave the remote directory blank. This supports operating systems where the change working directory (CWD) command is restricted.

Recursive - Select this check box if you want the file pattern to search sub folders in the remote directory. By default, the check box is clear. The Recursive option is ignored if you configure SCP as the Service Type.

FTP File Pattern - If you select SFTP or FTP as the Service Type, this option allows you to configure the regular expression (regex) required to filter the list of files in the Remote Directory. All matching files are included in the processing. The FTP file pattern you specify must match the name you assigned to your event files. Use of this parameter requires knowledge of regular expressions (regex). For more information, see the following website: http://download.oracle.com/javase/tutorial/essential/regex/

FTP Transfer Mode - This option is only displayed if you select FTP as the Service Type. From the list box, select Binary. The binary transfer mode is required for event files stored in a binary or compressed format, such as zip, gzip, tar, or tar+gzip archive files.

SCP Remote File - If you select SCP as the Service Type, you must type the file name of the remote file.

Start Time - Type the time of day you want the processing to begin. For example, type 00:00 to schedule the Log File protocol to collect event files at midnight. This parameter works together with the Recurrence value to establish when and how often the Remote Directory is scanned for files. Type the start time, based on a 24 hour clock, in the following format: HH:MM.

Recurrence - Type the frequency, beginning at the Start Time, at which you want the remote directory to be scanned. Type this value in hours (H), minutes (M), or days (D). For example, type 2H if you want the remote directory to be scanned every 2 hours from the start time. The default is 1H.

Run On Save - Select this check box if you want the log file protocol to run immediately after you click Save. After the Run On Save completes, the log file protocol follows your configured start time and recurrence schedule. Selecting Run On Save clears the list of previously processed files for the Ignore Previously Processed File parameter.

EPS Throttle - Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The valid range is 100 to 5000.

Processor - From the list box, select gzip. Processors allow event file archives to be expanded and their contents processed for events. Files are only processed after they are downloaded to JSA. JSA can process files in zip, gzip, tar, or tar+gzip archive format.

Ignore Previously Processed File(s) - Select this check box to track and ignore files that have already been processed by the log file protocol. JSA examines the log files in the remote directory to determine whether a file has been previously processed by the log file protocol. If a previously processed file is detected, the log file protocol does not download the file for processing. All files that have not been previously processed are downloaded. This option only applies to the FTP and SFTP Service Types.

Change Local Directory? - Select this check box to define a local directory on your JSA for storing downloaded files during processing. We recommend that you leave this check box clear. When this check box is selected, the Local Directory field is displayed, which allows you to configure the local directory to use for storing files.

Event Generator - From the Event Generator list box, select LineByLine. The Event Generator applies additional processing to the retrieved event files. Each line of the file is a single event. For example, if a file has 10 lines of text, 10 separate events are created.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The CA Top Secret configuration is complete. If your configuration requires custom event properties, see the Custom Event Properties for IBM z/OS technical note.
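The following added example (not code from the Juniper guide) models the Log File protocol settings described in Table 23-5 (Start Time, Recurrence, FTP File Pattern, Recursive, Ignore Previously Processed File(s), EPS Throttle) against a constructed directory listing, so the effect of each setting can be checked before a pull. The directory listing and file names are constructed, and the assumption that the FTP File Pattern must match the whole file name (Java String.matches semantics) is not stated on the page; confirm it against your JSA release.

```python
"""Added example, not from the Juniper guide: models the CA Top Secret Log File
protocol settings above against a constructed directory listing.
Assumption not stated on the page: the FTP File Pattern is matched against the
whole file name (Java String.matches semantics); confirm against your JSA release.
"""
import re
from datetime import datetime, timedelta

# Constructed listing of the Remote Directory on the file repository, with
# paths relative to that directory; not real CA Top Secret output.
SAMPLE_LISTING = [
    "tss_audit_20141120.log.gz",
    "tss_audit_20141121.log.gz",
    "tss_audit_20141121.log.gz.tmp",        # still being written
    "archive/tss_audit_20141001.log.gz",    # in a sub folder
    "readme.txt",
]
EPS_MIN, EPS_MAX = 100, 5000


def parse_recurrence(value):
    """Recurrence is a number followed by H (hours), M (minutes) or D (days), e.g. 2H."""
    m = re.fullmatch(r"(\d+)([HMD])", value.strip().upper())
    if not m or int(m.group(1)) == 0:
        raise ValueError(f"bad Recurrence {value!r}; expected e.g. 2H, 30M or 1D")
    n, unit = int(m.group(1)), m.group(2)
    return {"H": timedelta(hours=n), "M": timedelta(minutes=n), "D": timedelta(days=n)}[unit]


def parse_start_time(value):
    """Start Time is HH:MM on a 24 hour clock."""
    m = re.fullmatch(r"([01]\d|2[0-3]):([0-5]\d)", value.strip())
    if not m:
        raise ValueError(f"bad Start Time {value!r}; expected HH:MM")
    return int(m.group(1)), int(m.group(2))


def scan_times(start_time, recurrence, day, count):
    """First `count` times (as 'YYYY-MM-DD HH:MM') the Remote Directory is scanned,
    beginning at Start Time on `day` (YYYY-MM-DD) and repeating every Recurrence."""
    hh, mm = parse_start_time(start_time)
    step = parse_recurrence(recurrence)
    first = datetime.strptime(day, "%Y-%m-%d").replace(hour=hh, minute=mm)
    return [(first + i * step).strftime("%Y-%m-%d %H:%M") for i in range(count)]


def select_files(listing, file_pattern, service_type="SFTP", recursive=False,
                 ignore_processed=True, processed=()):
    """Files the protocol would download from `listing` for the given settings."""
    if service_type == "SCP":
        raise ValueError("SCP fetches the single SCP Remote File; FTP File Pattern does not apply")
    regex = re.compile(file_pattern)
    chosen = []
    for path in listing:
        if "/" in path and not recursive:
            continue                         # sub folders are only searched when Recursive is set
        name = path.rsplit("/", 1)[-1]
        if regex.fullmatch(name) is None:
            continue                         # the pattern must match the event file name
        if ignore_processed and path in processed:
            continue                         # Ignore Previously Processed File(s)
        chosen.append(path)
    return chosen


def check_eps_throttle(eps):
    """EPS Throttle must lie in the valid range 100 to 5000."""
    if not EPS_MIN <= eps <= EPS_MAX:
        raise ValueError(f"EPS Throttle {eps} outside {EPS_MIN}-{EPS_MAX}")
    return eps


if __name__ == "__main__":
    print(scan_times("00:00", "2H", "2014-11-27", 3))
    print(select_files(SAMPLE_LISTING, r"tss_audit_\d{8}\.log\.gz", recursive=True))
```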
21 CHECK POINT

This section provides information on the following DSMs for JSA:
• Check Point FireWall-1
• Check Point Provider-1

Check Point FireWall-1

You can configure Juniper Secure Analytics (JSA) to integrate with a Check Point FireWall-1 device using one of the following methods:
• Integrating Check Point FireWall-1 Using Syslog
• Integrating Check Point FireWall-1 Using OPSEC

Note: Depending on your operating system, the procedures for the Check Point FireWall-1 device might vary. The following procedures are based on the Check Point SecurePlatform operating system.

Integrating Check Point FireWall-1 Using Syslog

This section describes how to ensure that the JSA Check Point FireWall-1 DSM accepts FireWall-1 events using syslog.

Configuring Syslog for Check Point FireWall-1

Before you configure JSA to integrate with a Check Point FireWall-1 device:

Note: If Check Point SmartCenter is installed on Microsoft Windows, you must integrate Check Point with JSA using OPSEC. For more information, see Integrating Check Point FireWall-1 Using OPSEC.

Step 1 Type the following command to access the Check Point console as an expert user:
expert
A password prompt is displayed.
Step 2 Type your expert console password. Press the Enter key.
Step 3 Open the following file:
/etc/rc.d/rc3.d/S99local
Step 4 Add the following line:
$FWDIR/bin/fw log -ftn | /usr/bin/logger -p <facility>.<priority> > /dev/null 2>&1 &
Where:
<facility> is a syslog facility, for example, local3.
<priority> is a syslog priority, for example, info.
For example:
$FWDIR/bin/fw log -ftn | /usr/bin/logger -p local3.info > /dev/null 2>&1 &
Step 5 Save and close the file.
Step 6 Open the syslog.conf file.
Step 7 Add the following line:
<facility>.<priority><TAB>@<IP address>
Where:
<facility> is the syslog facility, for example, local3. This value must match the value you typed in Step 4.
<priority> is the syslog priority, for example, info or notice. This value must match the value you typed in Step 4.
<TAB> indicates you must press the Tab key.
<IP address> indicates the JSA console or managed host.
Step 8 Save and close the file.
Step 9 Depending on your operating system, type the following command to restart syslog:
In Linux: service syslog restart
In Solaris: /etc/init.d/syslog start
Step 10 Type the following command:
nohup $FWDIR/bin/fw log -ftn | /usr/bin/logger -p <facility>.<priority> > /dev/null 2>&1 &
Where:
<facility> is a syslog facility, for example, local3. This value must match the value you typed in Step 4.
<priority> is a syslog priority, for example, info. This value must match the value you typed in Step 4.

The configuration is complete. The log source is added to JSA as Check Point FireWall-1 syslog events are automatically discovered. Events forwarded to JSA are displayed on the Log Activity tab.

Configuring a log source

JSA automatically discovers and creates a log source for syslog events from Check Point FireWall-1. The following configuration steps are optional.

To manually configure a log source:

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources. The Data Sources panel is displayed.
Step 4 Click the Log Sources icon. The Log Sources window is displayed.
Step 5 Click Add. The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Check Point FireWall-1.
Step 9 Using the Protocol Configuration list box, select Syslog. The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 24-1 Syslog Parameters

Log Source Identifier - Type the IP address or host name for the log source as an identifier for events from your Check Point FireWall-1 appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.
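The following added example (not code from the Juniper guide) renders the two lines the syslog procedure above adds, the fw log | logger forwarder for S99local and the syslog.conf rule, and cross-checks an existing S99local and syslog.conf: the facility.priority passed to logger must have a matching forwarding rule, and that rule must separate selector and action with a real Tab, which is why the procedure says to press the Tab key. The sample files and the JSA address 10.0.0.50 are constructed.

```python
"""Added example, not from the Juniper guide: build and verify the Check Point
syslog forwarding lines from the procedure above.
Assumptions: standard syslog facility and priority names; the sample S99local
and syslog.conf contents and the JSA address 10.0.0.50 are constructed.
"""
import re

FACILITIES = {"auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail",
              "news", "syslog", "user", "uucp"} | {f"local{i}" for i in range(8)}
PRIORITIES = {"debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"}


def selector(facility, priority):
    """Return 'facility.priority' after checking both are valid syslog names."""
    if facility not in FACILITIES:
        raise ValueError(f"unknown syslog facility {facility!r}")
    if priority not in PRIORITIES:
        raise ValueError(f"unknown syslog priority {priority!r}")
    return f"{facility}.{priority}"


def forwarder_line(facility, priority):
    """The line added to /etc/rc.d/rc3.d/S99local (Step 4) and run with nohup (Step 10)."""
    return (f"$FWDIR/bin/fw log -ftn | /usr/bin/logger -p "
            f"{selector(facility, priority)} > /dev/null 2>&1 &")


def syslog_conf_line(facility, priority, jsa_host):
    """The syslog.conf rule (Step 7): selector, a literal Tab, then @<JSA host>."""
    return f"{selector(facility, priority)}\t@{jsa_host}"


def logger_selector(s99local_text):
    """Facility.priority passed to logger -p in an S99local script, or None."""
    m = re.search(r"fw log -ftn \| /usr/bin/logger -p (\S+)", s99local_text)
    return m.group(1) if m else None


def find_rule(syslog_conf_text, sel, jsa_host):
    """Locate the rule forwarding `sel` to @jsa_host in syslog.conf text.
    Returns 'ok', 'no-tab' (selector and action separated only by spaces, which
    classic syslogd does not accept) or 'missing'."""
    for raw in syslog_conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)(\s+)(\S+)$", line)
        if not m:
            continue
        sel_list, sep, action = m.groups()
        if action != f"@{jsa_host}":
            continue
        if sel in sel_list.split(";"):       # several selectors may be joined with ';'
            return "ok" if "\t" in sep else "no-tab"
    return "missing"


def verify_forwarding(s99local_text, syslog_conf_text, jsa_host):
    """Cross-check Steps 4 and 7: the logger selector needs a matching syslog.conf rule."""
    sel = logger_selector(s99local_text)
    if sel is None:
        return "no-forwarder"
    facility, _, priority = sel.partition(".")
    selector(facility, priority)             # raises on an invalid facility or priority
    return find_rule(syslog_conf_text, sel, jsa_host)


# Constructed sample files for a stand-alone run.
S99LOCAL = "#!/bin/sh\n" + forwarder_line("local3", "info") + "\n"
SYSLOG_CONF_OK = ("*.info;mail.none\t/var/log/messages\n"
                  + syslog_conf_line("local3", "info", "10.0.0.50") + "\n")
SYSLOG_CONF_SPACES = "local3.info    @10.0.0.50\n"   # spaces instead of a Tab

if __name__ == "__main__":
    print(verify_forwarding(S99LOCAL, SYSLOG_CONF_OK, "10.0.0.50"))      # ok
    print(verify_forwarding(S99LOCAL, SYSLOG_CONF_SPACES, "10.0.0.50"))  # no-tab
```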
Integrating Check Point FireWall-1 Using OPSEC

This section describes how to ensure that JSA accepts Check Point FireWall-1 events using Open Platform for Security (OPSEC/LEA). To integrate Check Point OPSEC/LEA with JSA, you must create two Secure Internal Communication (SIC) files and enter the information into JSA as a Check Point FireWall-1 log source.

To integrate Check Point FireWall-1 with JSA, you must complete the following procedures in sequence:
1 Add JSA as a host for Check Point FireWall-1.
2 Add an OPSEC application to Check Point FireWall-1.
3 Locate the Log Source Secure Internal Communications DN.
4 In JSA, configure the OPSEC LEA protocol.
5 Verify the OPSEC/LEA communications configuration.

Adding a Check Point FireWall-1 Host

To add JSA as a host in Check Point FireWall-1 SmartCenter:

Step 1 Log in to the Check Point SmartDashboard user interface.
Step 2 Select Manage > Network Objects > New > Node > Host.
Step 3 Type parameters for your Check Point FireWall-1 host:
Name: JSA
IP Address: <IP address of JSA>
Comment: <optional comment>
Step 4 Click OK.
Step 5 Select Close.

You are now ready to create an OPSEC Application Object for Check Point FireWall-1.

Creating an OPSEC Application Object

To create the OPSEC Application Object:

Step 1 Open the Check Point SmartDashboard user interface.
Step 2 Select Manage > Servers and OPSEC applications > New > OPSEC Application Properties.
Step 3 Assign a name to the OPSEC Application Object. For example: JSA-OPSEC
The OPSEC Application Object name must be different from the host name you typed when creating the node in Step 3.
a From the Host list box, select JSA.
b From the Vendor list box, select User Defined.
c In Client Entities, select the LEA check box.
d To generate a Secure Internal Communication (SIC) DN, click Communication.
e Enter an activation key.
Note: The activation key is a password used to generate the SIC DN. When you configure your Check Point log source in JSA, the activation key is typed into the Pull Certificate Password parameter.
f Click Initialize. The window updates the Trust state from Uninitialized to Initialized but trust not established.
g Click Close. The OPSEC Application Properties window is displayed.
h Write down or copy the displayed SIC DN to a text file.
Note: The displayed SIC value is required for the OPSEC Application Object SIC Attribute parameter when you configure the Check Point log source in JSA. The OPSEC Application Object SIC resembles the following example: CN=JSA-OPSEC,O=cpmodule..tdfaaz.

You are now ready to locate the log source SIC for Check Point FireWall-1.

Locating the log source SIC

To locate the Log Source SIC from the Check Point SmartDashboard:

Step 1 Select Manage > Network Objects.
Step 2 Select your Check Point Log Host object.
Note: You must know whether the Check Point Log Host is a separate object in your configuration from the Check Point Management Server. In most cases, the Check Point Log Host is the same object as the Check Point Management Server.
Step 3 Click Edit. The Check Point Host General Properties window is displayed.
Step 4 Copy the Secure Internal Communication (SIC).
Note: Depending on your Check Point version, the Communication button might not be available to display the SIC attribute. You can locate the SIC attribute from the Check Point Management Server command-line interface. You must use the cpca_client lscert command from the command-line interface of the Management Server to display all certificates. The Log Source SIC Attribute resembles the following example: cn=cp_mgmt,o=cpmodule…tdfaaz. For more information, see your Check Point Command Line Interface Guide.
You must now install the Security Policy from the Check Point SmartDashboard user interface.
Step 5 Select Policy > Install > OK.

You are now ready to configure the OPSEC LEA protocol.

Configuring an OPSEC/LEA log source in JSA

To configure the log source in JSA:

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 From the Log Source Type list box, select Check Point FireWall-1.
Step 7 Using the Protocol Configuration list box, select OPSEC/LEA. The OPSEC/LEA protocol parameters appear.
Step 8 Configure the following values:
a Log Source Name - Type a name for the log source.
b Log Source Identifier - Type the IP address for the log source. This value must match the value you typed in the Server IP parameter.
c Server IP - Type the IP address of the Check Point host or Check Point Management Server.
d Server Port - Type the port used for OPSEC/LEA. The default is 18184. You must ensure the existing firewall policy permits the LEA/OPSEC connection from your JSA.
e OPSEC Application Object SIC Attribute - Type the SIC DN of the OPSEC Application Object displayed in Creating an OPSEC Application Object - Step h.
f Log Source SIC Attribute - Type the SIC name for the server generating log sources from Locating the log source SIC - Step 4. SIC attribute names can be up to 255 characters in length and are case sensitive.
g Specify Certificate - Ensure the Specify Certificate check box is clear.
h Pull Certificate Password - Type the activation key password from Creating an OPSEC Application Object - Step e.
i Certificate Authority IP - Type the Check Point Management Server IP address.
j OPSEC Application - Type the name of the application requesting a certificate. For example: If the value is CN=JSA-OPSEC,O=cpmodule...tdfaaz, the OPSEC Application value is JSA-OPSEC.
For more information on the OPSEC/LEA parameters, see the Log Sources Users Guide.
Step 9 Click Save.
Step 10 On the Admin tab, click Deploy Changes.

You are now ready to verify your OPSEC/LEA communications for Check Point FireWall-1.
Verifying or Editing Your OPSEC Communications Configuration

This section describes how to modify your Check Point FireWall-1 configuration to allow OPSEC communications on non-standard ports, configure communications as a clear text, un-authenticated stream, and verify the configuration in JSA.

Changing your Check Point Custom Log Manager (CLM) IP address

If your Check Point configuration includes a Check Point Custom Log Manager (CLM), you might eventually need to change the IP address for the CLM, which impacts any of the automatically discovered Check Point log sources from that CLM in JSA. This is because when you manually add the log source for the CLM using the OPSEC/LEA protocol, all Check Point firewalls that forward logs to the CLM are automatically discovered by JSA. These automatically discovered log sources cannot be edited. If the CLM IP address changes, you must edit the original Check Point CLM log source that contains the OPSEC/LEA protocol configuration and update the server IP address and log source identifier. After you update the log source for the new Check Point CLM IP address, any new events reported from the automatically discovered Check Point log sources are updated.

Note: Do not delete and recreate your Check Point CLM or automatically discovered log sources in JSA. Deleting a log source does not delete event data, but can make previously recorded events more difficult to find.

To update your Check Point OPSEC log source:

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Select the original Check Point CLM log source containing the OPSEC/LEA protocol configuration and click Edit.
Step 6 In the Log Source Identifier field, type a new identifying name for your Check Point CLM.
Step 7 In the Server IP field, type the new IP address of your Check Point CLM.
Step 8 Click Save.

The IP address update for your Check Point CLM in JSA is complete.

Changing the default port for OPSEC LEA communication

To change the default port on which OPSEC LEA communicates (that is, port 18184):

Step 1 At the command-line prompt of your Check Point SmartCenter Server, type the following command to stop the firewall services:
cpstop
Step 2 Depending on your Check Point SmartCenter Server operating system, open the following file:
• Linux - $FWDIR/conf/fwopsec.conf
• Windows - %FWDIR%\conf\fwopsec.conf
The default contents of this file are as follows:
# The VPN-1/FireWall-1 default settings are:
#
# sam_server auth_port 0
# sam_server port 18183
#
# lea_server auth_port 18184
# lea_server port 0
#
# ela_server auth_port 18187
# ela_server port 0
#
# cpmi_server auth_port 18190
#
# uaa_server auth_port 19191
# uaa_server port 0
#
Step 3 Change the default lea_server auth_port from 18184 to another port number.
Step 4 Remove the hash (#) mark from that line. For example:
lea_server auth_port 18888
# lea_server port 0
Step 5 Save and close the file.
Step 6 Type the following command to start the firewall services:
cpstart

Configuring OPSEC LEA for un-encrypted communications

To configure the OPSEC LEA protocol for un-encrypted communications:

Step 1 At the command-line prompt of your Check Point SmartCenter Server, stop the firewall services by typing the following command:
cpstop
Step 2 Depending on your Check Point SmartCenter Server operating system, open the following file:
• Linux - $FWDIR/conf/fwopsec.conf
• Windows - %FWDIR%\conf\fwopsec.conf
Step 3 Change the default lea_server auth_port from 18184 to 0.
Step 4 Change the default lea_server port from 0 to 18184.
Step 5 Remove the hash (#) marks from both lines. For example:
lea_server auth_port 0
lea_server port 18184
Step 6 Save and close the file.
Step 7 Type the following command to start the firewall services:
cpstart
Step 8 You are now ready to configure the log source in JSA.

To configure JSA to receive events from a Check Point FireWall-1 device:

Step 1 From the Log Source Type list box, select Check Point FireWall-1.
Step 2 From the Protocol Configuration list box, select OPSEC/LEA.

For more information on configuring log sources, see the Log Sources Users Guide. For more information on configuring your Check Point FireWall-1, see your vendor documentation.

Check Point Provider-1

You can configure JSA to integrate with a Check Point Provider-1 device. All events from Check Point Provider-1 are parsed using the Check Point FireWall-1 DSM. You can integrate Check Point Provider-1 using one of the following methods:
• Integrating Syslog for Check Point Provider-1
• Configuring OPSEC for Check Point Provider-1

Note: Depending on your operating system, the procedures for the Check Point Provider-1 device can vary. The following procedures are based on the Check Point SecurePlatform operating system.

Integrating Syslog for Check Point Provider-1

This method ensures that the Check Point FireWall-1 DSM for JSA accepts Check Point Provider-1 events using syslog. JSA records all relevant Check Point Provider-1 events.

Configure syslog on Check Point Provider-1

To configure syslog on your Check Point Provider-1 device:

Step 1 Type the following command to access the console as an expert user:
expert
A password prompt is displayed.
Step 2 Type your expert console password. Press Enter.
Step 3 Type the following command:
csh
Step 4 Select the desired customer logs:
mdsenv
Step 5 Type the following command:
# nohup $FWDIR/bin/fw log -ftn | /usr/bin/logger -p <facility>.<priority> 2>&1 &
Where:
<facility> is a syslog facility, for example, local3.
<priority> is a syslog priority, for example, info.

You are now ready to configure the log source in JSA. The configuration is complete.
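The following added example (not code from the Juniper guide) parses the fwopsec.conf file shown in the two procedures above and reports how the LEA server is reachable, so an operator can confirm the Server Port to enter in JSA and detect when LEA has been switched from the SIC-authenticated auth_port to the clear-text, un-authenticated port. It also derives the OPSEC Application value from an OPSEC Application Object SIC DN, as described in the OPSEC/LEA log source procedure. The file format assumptions (one "server setting value" per line, "#" comments, 0 meaning disabled) follow the listing on the page; the edited file contents are constructed.

```python
"""Added example, not from the Juniper guide: read $FWDIR/conf/fwopsec.conf and
report the effective LEA listener, and derive the OPSEC Application name.
Assumptions: the '<server> <auth_port|port> <number>' line format shown above,
'#' starting a comment, and 0 meaning the listener is disabled.
"""
import re

# Default file contents as listed on the page; every setting is commented out.
DEFAULT_FWOPSEC = """\
# The VPN-1/FireWall-1 default settings are:
#
# sam_server auth_port 0
# sam_server port 18183
#
# lea_server auth_port 18184
# lea_server port 0
#
# ela_server auth_port 18187
# ela_server port 0
#
# cpmi_server auth_port 18190
#
# uaa_server auth_port 19191
# uaa_server port 0
#
"""
LEA_DEFAULTS = {"auth_port": 18184, "port": 0}      # from the listing above
SETTING_RE = re.compile(r"^\s*(\w+_server)\s+(auth_port|port)\s+(\d+)\s*$")


def parse_fwopsec(text):
    """Active (uncommented) settings as {server: {setting: value}}."""
    active = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]           # commented defaults are not active
        m = SETTING_RE.match(line)
        if m:
            active.setdefault(m.group(1), {})[m.group(2)] = int(m.group(3))
    return active


def lea_status(text):
    """Effective LEA listener state after applying the documented defaults."""
    cfg = {**LEA_DEFAULTS, **parse_fwopsec(text).get("lea_server", {})}
    auth, clear = cfg["auth_port"], cfg["port"]
    if auth and clear:
        mode = "both"
    elif auth:
        mode = "authenticated"        # SIC-authenticated, encrypted (the default)
    elif clear:
        mode = "cleartext"            # un-encrypted, un-authenticated stream
    else:
        mode = "disabled"
    return {
        "mode": mode,
        "auth_port": auth,
        "port": clear,
        # value to enter as Server Port in the JSA OPSEC/LEA log source
        "jsa_server_port": auth or clear or None,
        "nonstandard_auth_port": auth not in (0, 18184),
    }


def opsec_application_name(sic_dn):
    """'CN=JSA-OPSEC,O=cpmodule...tdfaaz' -> 'JSA-OPSEC'.
    Case is preserved because SIC attribute names are case sensitive."""
    for part in sic_dn.split(","):
        key, sep, val = part.strip().partition("=")
        if sep and key.upper() == "CN":
            return val
    raise ValueError(f"no CN in SIC DN {sic_dn!r}")


# Constructed file contents matching the two procedures above.
PORT_CHANGED = DEFAULT_FWOPSEC.replace("# lea_server auth_port 18184",
                                       "lea_server auth_port 18888")
CLEARTEXT = DEFAULT_FWOPSEC.replace("# lea_server auth_port 18184\n# lea_server port 0",
                                    "lea_server auth_port 0\nlea_server port 18184")

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_FWOPSEC), ("port changed", PORT_CHANGED),
                       ("cleartext", CLEARTEXT)):
        print(name, lea_status(text))
    print(opsec_application_name("CN=JSA-OPSEC,O=cpmodule...tdfaaz"))
```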
The log source is added to JSA as Check Point FireWall-1 syslog events are automatically discovered. Events forwarded to JSA are displayed on the Log Activity tab.

Configure a log source

JSA automatically discovers and creates a log source for syslog events from Check Point Provider-1 as Check Point FireWall-1 events. The following configuration steps are optional.

To manually configure a log source for Check Point Provider-1 syslog events:

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources. The Data Sources panel is displayed.
Step 4 Click the Log Sources icon. The Log Sources window is displayed.
Step 5 Click Add. The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Check Point FireWall-1.
Step 9 Using the Protocol Configuration list box, select Syslog. The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 24-2 Syslog Parameters

Log Source Identifier - Type the IP address or host name for the log source as an identifier for events from your Check Point Provider-1 appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

Configuring OPSEC for Check Point Provider-1

This method ensures that the JSA Check Point FireWall-1 DSM accepts Check Point Provider-1 events using OPSEC.

Reconfigure Check Point Provider-1 SmartCenter

This section describes how to reconfigure the Check Point Provider-1 SmartCenter. In the Check Point Provider-1 Management Domain GUI (MDG), create a host object representing JSA. The leapipe is the connection between Check Point Provider-1 and JSA.

To reconfigure the Check Point Provider-1 SmartCenter (MDG):

Step 1 To create a host object, open the Check Point SmartDashboard user interface and select Manage > Network Objects > New > Node > Host.
Step 2 Type the Name, IP Address, and optional Comment for your host.
Step 3 Click OK.
Step 4 Select Close.
Step 5 To create the OPSEC connection, select Manage > Servers and OPSEC Applications > New > OPSEC Application Properties.
Step 6 Type a name and optional comment. The name you type must be different from the name used in Step 2.
Step 7 From the Host drop-down menu, select the JSA host object that you just created.
Step 8 From Application Properties, select User Defined as the Vendor type.
Step 9 From Client Entries, select LEA.
Step 10 To configure the Secure Internal Communication (SIC) certificate, click Communication and enter an activation key.
Step 11 Select OK and then Close.
Step 12 To install the Policy on your firewall, select Policy > Install > OK.

Configure an OPSEC log source

To configure the log source in JSA:

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources. The Data Sources panel is displayed.
Step 4 Click the Log Sources icon. The Log Sources window is displayed.
Step 5 Click Add. The Add a log source window is displayed.
Step 6 From the Log Source Type list box, select Check Point FireWall-1.
Step 7 Using the Protocol Configuration list box, select OPSEC/LEA. The OPSEC/LEA protocol parameters appear.
Step 8 Configure the following values:
a Log Source Name - Type a name for the log source.
b Log Source Identifier - Type the IP address for the log source. This value must match the value you typed in the Server IP parameter.
c Server IP - Type the IP address of the Check Point Provider-1.
d Server Port - Type the port used for OPSEC/LEA. The default is 18184. You must ensure the existing firewall policy permits the LEA/OPSEC connection from your JSA.
e OPSEC Application Object SIC Attribute - Type the SIC DN of the OPSEC Application Object.
f Log Source SIC Attribute - Type the SIC name for the server generating the log source. SIC attribute names can be up to 255 characters in length and are case sensitive.
g Specify Certificate - Ensure the Specify Certificate check box is clear.
h Pull Certificate Password - Type the activation key password.
i Certificate Authority IP - Type the Check Point Management Server IP address.
j OPSEC Application - Type the name of the application requesting a certificate. For example: If the value is CN=JSA-OPSEC,O=cpmodule...tdfaaz, the OPSEC Application value is JSA-OPSEC.
Step 9 Click Save.
Step 10 On the Admin tab, click Deploy Changes.

The configuration is complete. For detailed information on the OPSEC/LEA protocol, see the Log Sources Users Guide.

22 CILASOFT QJRN/400

Juniper Secure Analytics (JSA) collects detailed audit events from Cilasoft QJRN/400 software for IBM i (AS/400, iSeries, System i).

Configuration Overview

To collect syslog events, you must configure your Cilasoft QJRN/400 to forward syslog events to JSA. JSA automatically discovers and creates log sources for syslog events that are forwarded from Cilasoft QJRN/400. JSA supports syslog events from Cilasoft QJRN/400 V5.14.K and above.

To configure Cilasoft QJRN/400, complete the following tasks:
1 On your Cilasoft QJRN/400 installation, configure the Cilasoft Security Suite to forward syslog events to JSA.
2 On your JSA system, verify that the forwarded events are automatically discovered.

Configuring a Syslog in Cilasoft QJRN/400

To collect events, you must configure queries on your Cilasoft QJRN/400 to forward syslog events to JSA.
Procedure

Step 1 To start the Cilasoft Security Suite, type the following command:
IJRN/QJRN
The account that is used to make configuration changes must have ADM privileges, or USR privileges with access to specific queries through an Extended Access parameter.
Step 2 To configure the output type, select one of the following options:
a To edit several selected queries, type 2EV to access the Execution Environment, change the Output Type field, and type SEM.
b To edit large numbers of queries, type the command CHGQJQRYA, change the Output Type field, and type SEM.
Step 3 On the Additional Parameters screen, configure the following parameters:

Table 25-1 Cilasoft QJRN/400 Output Parameters

Format - Type *LEEF to configure the syslog output to write events in Log Extended Event Format (LEEF). LEEF is a special event format that is designed for JSA.

Output Type - Type *SYSLOG to forward events with the syslog protocol.

IP Address - Type the IP address of your JSA system. If an IP address for JSA is defined as a special value in the WRKQJVAL command, you can type *CFG. Events can be forwarded to the console, an Event Collector, an Event Processor, or your JSA all-in-one appliance.

Port - Type 514 or *CFG as the port for syslog events. By default, *CFG automatically selects port 514.

Tag - This field is not used by JSA.

Facility - This field is not used by JSA.

Severity - Select a value for the event severity. For more information on the severity that is assigned to *QRY destinations, see the command WRKQJFVAL in your Cilasoft documentation.

For more information on Cilasoft configuration parameters, see the Cilasoft QJRN/400 User's Guide. Syslog events that are forwarded to JSA are viewable on the Log Activity tab.

Configuring a Cilasoft QJRN/400 Log Source

JSA automatically discovers and creates a log source for syslog events that are forwarded from Cilasoft QJRN/400. These configuration steps are optional.

Procedure

Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 Click the Log Sources icon.
Step 4 Click Add.
Step 5 In the Log Source Name field, type a name for your log source.
Step 6 From the Log Source Type list box, select Cilasoft QJRN/400.
Step 7 From the Protocol Configuration list box, select Syslog.
Step 8 Configure the following values:

Table 25-2 Syslog protocol parameters

Log Source Identifier - Type the IP address as an identifier for events from your Cilasoft QJRN/400 installation. The log source identifier must be a unique value.

Enabled - Select this check box to enable the log source. By default, the check box is selected.

Credibility - Select the credibility of the log source. The range is 0 - 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.

Target Event Collector - Select the Event Collector to use as the target for the log source.

Coalescing Events - Select this check box to enable the log source to coalesce (bundle) events. By default, automatically discovered log sources inherit the value of the Coalescing Events list box from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Incoming Event Payload - From the list box, select the incoming payload encoder for parsing and storing the logs.

Store Event Payload - Select this check box to enable the log source to store event payload information. By default, automatically discovered log sources inherit the value of the Store Event Payload list box from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Step 9 Click Save.
Step 10 On the Admin tab, click Deploy Changes. Configuring DSMs 23 CISCO This section provides information on the following DSMs: Cisco ACE Firewall • Cisco ACE Firewall • Cisco Aironet • Cisco ACS • Cisco ASA • Cisco CallManager • Cisco CatOS for Catalyst Switches • Cisco CSA • Cisco FWSM • Cisco IDS/IPS • Cisco IronPort • Cisco NAC • Cisco Nexus • Cisco IOS • Cisco Pix • Cisco VPN 3000 Concentrator • Cisco Wireless Services Module • Cisco Wireless LAN Controllers • Cisco Identity Services Engine You can integrate a Cisco ACE firewall with JSA. Juniper Secure Analytics (JSA) can accept events forwarded from Cisco ACE Firewalls using syslog. JSA records all relevant events. Before you configure JSA to integrate with an ACE firewall, you must configure your Cisco ACE Firewall to forward all device logs to JSA. Configuring DSMs 154 CISCO Configure Cisco ACE Firewall To forward Cisco ACE device logs to JSA: Step 1 Log in to your Cisco ACE device. Step 2 From the shell interface, select Main Menu > Advanced Options > Syslog Configuration. Step 3 The Syslog Configuration menu varies depending on whether there are any syslog destination hosts configured yet. If no syslog destinations have been added, create one by selecting the Add First Server option. Click OK. Step 4 Type the hostname or IP address of the destination host and port in the First Syslog Server field. Click OK. The system restarts with new settings. When finished, the Syslog server window displays the host you have configured. Step 5 Click OK. The Syslog Configuration menu is displayed. Notice that options for editing the server configuration, removing the server, or adding a second server are now available. Step 6 If you want to add another server, click Add Second Server. At any time, click the View Syslog options to view existing server configurations. Step 7 To return to the Advanced Menu, click Return. The configuration is complete. 
The log source is added to JSA as Cisco ACE Firewall events are automatically discovered. Events forwarded to JSA by Cisco ACE Firewall appliances are displayed on the Log Activity tab of JSA.

Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from Cisco ACE Firewalls. However, you can manually create a log source for JSA to receive syslog events. The following configuration steps are optional. To manually configure a log source for Cisco ACE Firewall:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources. The Data Sources panel is displayed.
Step 4 Click the Log Sources icon. The Log Sources window is displayed.
Step 5 Click Add. The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco ACE Firewall.
Step 9 Using the Protocol Configuration list box, select Syslog. The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 26-1 Syslog Parameters
Parameter: Log Source Identifier
Description: Type the IP address or host name for the log source as an identifier for events from your Cisco ACE Firewalls.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes. The configuration is complete.

Cisco Aironet

You can integrate Cisco Aironet devices with JSA. A Cisco Aironet DSM accepts Cisco Emblem Format events using syslog. Before you configure JSA to integrate with a Cisco Aironet device, you must configure your Cisco Aironet appliance to forward syslog events.

Configure Cisco Aironet

To configure Cisco Aironet to forward events:
Step 1 Establish a connection to the Cisco Aironet device using one of the following methods:
• Telnet to the wireless access point
• Access the console
Step 2 Type the following command to access privileged EXEC mode:
enable
Step 3 Type the following command to access global configuration mode:
config terminal
Step 4 Type the following command to enable message logging:
logging on
Step 5 Configure the syslog facility. The default is local7.
logging facility
Step 6 Type the following command to log messages to your JSA:
logging
Step 7 Enable timestamps on log messages:
service timestamps log datetime
Step 8 Return to privileged EXEC mode:
end
Step 9 View your entries:
show running-config
Step 10 Save your entries in the configuration file:
copy running-config startup-config
The configuration is complete. The log source is added to JSA as Cisco Aironet events are automatically discovered. Events forwarded to JSA by Cisco Aironet appliances are displayed on the Log Activity tab of JSA.

Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from Cisco Aironet. The following configuration steps are optional. To manually configure a log source for Cisco Aironet:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources. The Data Sources panel is displayed.
Step 4 Click the Log Sources icon. The Log Sources window is displayed.
Step 5 Click Add. The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco Aironet.
Step 9 Using the Protocol Configuration list box, select Syslog. The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 26-2 Syslog Parameters
Parameter: Log Source Identifier
Description: Type the IP address or host name for the log source as an identifier for events from your Cisco Aironet appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes. The configuration is complete.

Cisco ACS

The Cisco ACS DSM for JSA accepts ACS events using syslog. JSA records all relevant and available information from the event. You can integrate Cisco ACS with JSA using one of the following methods:
• Configure your Cisco ACS device to send syslog directly to JSA for Cisco ACS v5.x. See Configure Syslog for Cisco ACS v5.x.
• Configure your Cisco ACS device to send syslog directly to JSA for Cisco ACS v4.x. See Configure Syslog for Cisco ACS v4.x.
• Use a server running the JSA Adaptive Log Exporter (Cisco ACS software version 3.x or later). See Configure Cisco ACS for the Adaptive Log Exporter.
Note: JSA only supports Cisco ACS versions prior to v3.x using a Universal DSM.

Configure Syslog for Cisco ACS v5.x

To configure syslog forwarding from a Cisco ACS appliance with software version 5.x, you must:

Create a Remote Log Target

To create a remote log target for your Cisco ACS appliance:
Step 1 Log in to your Cisco ACS appliance.
Step 2 On the navigation menu, click System Administration > Configuration > Log Configuration > Remote Log Targets. The Remote Log Targets page is displayed.
Step 3 Click Create.
Step 4 Configure the following parameters:

Table 26-1 Remote Target Parameters
Parameter: Name
Description: Type a name for the remote syslog target.
Parameter: Description
Description: Type a description for the remote syslog target.
Parameter: Type
Description: Select Syslog.
Parameter: IP Address
Description: Type the IP address of JSA or your Event Collector.

Step 5 Click Submit. You are now ready to configure global policies for event logging on your Cisco ACS appliance.

Configure global logging categories

To configure Cisco ACS to forward Failed Attempts log events to JSA:
Step 1 On the navigation menu, click System Administration > Configuration > Log Configuration > Global. The Logging Categories window is displayed.
Step 2 Select the Failed Attempts logging category and click Edit.
Step 3 Click Remote Syslog Target.
Step 4 From the Available targets window, use the arrow key to move the syslog target for JSA to the Selected targets window.
Step 5 Click Submit. You are now ready to configure the log source in JSA.

Configure a log source

JSA automatically discovers and creates a log source for syslog events from Cisco ACS v5.x. However, you can manually create a log source for JSA to receive Cisco ACS events. To manually configure a log source for Cisco ACS:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources. The Data Sources panel is displayed.
Step 4 Click the Log Sources icon. The Log Sources window is displayed.
Step 5 Click Add. The Add a log source window is displayed.
Step 6 From the Log Source Type list box, select Cisco ACS.
Step 7 Using the Protocol Configuration list box, select Syslog. The syslog protocol configuration is displayed.
Step 8 Configure the following values:

Table 26-2 Syslog Parameters
Parameter: Log Source Identifier
Description: Type the IP address or hostname for the log source as an identifier for Cisco ACS events.

Step 9 Click Save.
Step 10 On the Admin tab, click Deploy Changes. The configuration is complete.

Configure Syslog for Cisco ACS v4.x

To configure syslog forwarding from a Cisco ACS appliance with software version 4.x, you must:

Configure syslog forwarding for Cisco ACS v4.x

To configure an ACS device to forward syslog events to JSA:
Step 1 Log in to your Cisco ACS device.
Step 2 On the navigation menu, click System Configuration. The System Configuration page opens.
Step 3 Click Logging. The logging configuration is displayed.
Step 4 In the Syslog column for Failed Attempts, click Configure. The Enable Logging window is displayed.
Step 5 Select the Log to Syslog Failed Attempts report check box.
Step 6 Add the following Logged Attributes:
• Message-Type
• User-Name
• Nas-IP-Address
• Authen-Failure-Code
• Caller-ID
• NAS-Port
• Author-Data
• Group-Name
• Filter Information
• Logged Remotely
Step 7 Configure the following syslog parameters:
• IP - Type the IP address of JSA.
• Port - Type the syslog port number of JSA. The default is port 514.
• Max message length (Bytes) - Type 1024 as the maximum syslog message length.
Note: Cisco ACS provides syslog report information for a maximum of two syslog servers.
Step 8 Click Submit. You are now ready to configure the log source in JSA.

Configure a log source for Cisco ACS v4.x

JSA automatically discovers and creates a log source for syslog events from Cisco ACS v4.x. The following configuration steps are optional. To manually create a log source for Cisco ACS v4.x:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources. The Data Sources panel is displayed.
Step 4 Click the Log Sources icon. The Log Sources window is displayed.
Step 5 Click Add. The Add a log source window is displayed.
Step 6 From the Log Source Type list box, select Cisco ACS.
Step 7 Using the Protocol Configuration list box, select Syslog. The syslog protocol configuration is displayed.
Step 8 Configure the following values:

Table 26-3 Syslog Parameters
Parameter: Log Source Identifier
Description: Type the IP address or hostname for the log source as an identifier for Cisco ACS events.

Step 9 Click Save.
Step 10 On the Admin tab, click Deploy Changes. The configuration is complete.
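The syslog settings that the Cisco procedures in this chapter ask for (the local7 default facility on Aironet, the trap level on ASA, the severity and facility on CatOS, the 0-7 level on Nexus, and the port 514 and 1024-byte message limit entered on ACS v4.x) all come down to the PRI value at the front of each syslog message: PRI = facility * 8 + severity, with a lower severity number meaning a more severe message, so a device trap level of warnings (4) forwards severities 0 through 4. The following script, an added example that is not part of the Juniper guide or of any Cisco or JSA code, decodes PRI into facility and severity and shows which messages a device configured with a given trap level would forward and why the rest would be dropped; the function names and the sample messages are constructed for the example.

```python
"""Decode syslog PRI values and mimic the trap-level filter on a Cisco device.

Added example, not from the Juniper guide or from Juniper/Cisco code. It
uses the PRI encoding from RFC 3164 (PRI = facility * 8 + severity), the
Cisco keyword names for the eight severities, and the 1024-byte maximum
message length the guide has you enter on ACS v4.x. The function names
and the sample messages are constructed for this example.
"""
import re
from dataclasses import dataclass

# Facility codes 16..23 are local0..local7; Cisco devices default to local7.
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
                  5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
                  10: "authpriv", 11: "ftp"}
FACILITY_NAMES.update({16 + i: f"local{i}" for i in range(8)})

# Cisco severity keywords; a lower number is more severe.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational",
                  7: "debugging"}

MAX_MESSAGE_BYTES = 1024  # the value the guide has you enter on ACS v4.x
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass(frozen=True)
class SyslogEvent:
    facility: int
    severity: int
    body: str

    @property
    def facility_name(self) -> str:
        return FACILITY_NAMES.get(self.facility, f"facility{self.facility}")

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def decode_pri(pri: int) -> tuple:
    """Split a PRI value into (facility, severity); valid PRIs are 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_syslog(line: str) -> SyslogEvent:
    """Parse the '<PRI>' header of one syslog line; raise if it is missing."""
    match = PRI_RE.match(line)
    if match is None:
        raise ValueError("missing <PRI> header")
    facility, severity = decode_pri(int(match.group(1)))
    return SyslogEvent(facility, severity, match.group(2))


def passes_trap_level(event: SyslogEvent, trap_level: int) -> bool:
    """'logging trap warning' (4) forwards severities 0..4, i.e. numerically <= 4."""
    return event.severity <= trap_level


def oversized(line: str, limit: int = MAX_MESSAGE_BYTES) -> bool:
    """True when the encoded line exceeds the receiver's maximum message length."""
    return len(line.encode("utf-8")) > limit


def select_for_forwarding(lines, trap_level: int):
    """Return (forwarded events, dropped (line, reason) pairs) for a trap level."""
    forwarded, dropped = [], []
    for line in lines:
        try:
            event = parse_syslog(line)
        except ValueError as exc:
            dropped.append((line, str(exc)))
            continue
        if oversized(line):
            dropped.append((line, f"longer than {MAX_MESSAGE_BYTES} bytes"))
            continue
        if not passes_trap_level(event, trap_level):
            dropped.append((line, f"{event.severity_name} is above trap level {trap_level}"))
            continue
        forwarded.append(event)
    return forwarded, dropped


# Constructed sample messages (not captured from a real device).
SAMPLE_LINES = [
    "<190>Nov 27 2014 10:15:02 ap01: constructed informational message",  # local7, 6
    "<188>Nov 27 2014 10:15:03 ap01: constructed warning message",        # local7, 4
    "<185>Nov 27 2014 10:15:04 ap01: constructed alert message",          # local7, 1
    "<34>Nov 27 2014 10:15:05 host1: constructed auth critical message",  # auth, 2
    "line without a PRI header",
    "<190>" + "X" * (MAX_MESSAGE_BYTES + 1),
]

if __name__ == "__main__":
    kept, lost = select_for_forwarding(SAMPLE_LINES, trap_level=4)
    for event in kept:
        print(f"forward {event.facility_name}.{event.severity_name}: {event.body[:40]}")
    for line, reason in lost:
        print(f"drop ({reason}): {line[:40]}")
```

With the trap level set to warnings (4), the script forwards the warning, alert and critical samples and drops the informational one, the line with no PRI header, and the line that exceeds the 1024-byte limit. The same decoding is useful in reverse: if a Cisco device's events arrive in JSA but the expected facility or severity is missing, checking the PRI on a captured line shows whether the device or the receiver is filtering them.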
Configure Cisco ACS for the Adaptive Log Exporter

If you are using an older version of Cisco ACS, such as v3.x, you can log events from your Cisco ACS appliance to a comma-separated file. The Cisco ACS device plug-in for the Adaptive Log Exporter can read and forward events from your comma-separated file to JSA.

Configure Cisco ACS to log events

Your Cisco ACS appliance must be configured to write comma-separated event files to integrate with the Adaptive Log Exporter. To configure Cisco ACS:
Step 1 Log in to your Cisco ACS appliance.
Step 2 On the navigation menu, click System Configuration. The System Configuration page opens.
Step 3 Click Logging. The logging configuration is displayed.
Step 4 In the CSV column for Failed Attempts, click Configure. The Enable Logging window is displayed.
Step 5 Select the Log to CSV Failed Attempts report check box.
Step 6 Add the following Logged Attributes:
• Message-Type
• User-Name
• Nas-IP-Address
• Authen-Failure-Code
• Caller-ID
• NAS-Port
• Author-Data
• Group-Name
• Filter Information
• Logged Remotely
Step 7 Configure a time frame for Cisco ACS to generate a new comma-separated value (CSV) file.
Step 8 Click Submit. You are now ready to configure the Adaptive Log Exporter. For more information on installing and using the Adaptive Log Exporter, see the Adaptive Log Exporter Users Guide.

Cisco ASA

You can integrate a Cisco Adaptive Security Appliance (ASA) with JSA. A Cisco ASA DSM accepts events using syslog or NetFlow using NetFlow Security Event Logging (NSEL). JSA records all relevant events. Before you configure JSA, you must configure your Cisco ASA device to forward syslog or NetFlow NSEL events. Choose one of the following options:
• Forward events to JSA using syslog. See Integrate Cisco ASA Using Syslog.
• Forward events to JSA using NetFlow NSEL. See Integrate Cisco ASA for NetFlow Using NSEL.

Integrate Cisco ASA Using Syslog

This section includes the following topics:
• Configure syslog forwarding
• Configure a log source

Configure syslog forwarding

This section describes how to configure Cisco ASA to forward syslog events.
Step 1 Log in to the Cisco ASA device.
Step 2 Type the following command to access privileged EXEC mode:
enable
Step 3 Type the following command to access global configuration mode:
conf t
Step 4 Enable logging:
logging enable
Step 5 Configure the logging details:
logging console warning
logging trap warning
logging asdm warning
Step 6 Type the following command to configure logging to JSA:
logging host
Where:
is the name of the Cisco Adaptive Security Appliance interface.
is the IP address of JSA.
Note: Using the command show interfaces displays all available interfaces for your Cisco device.
Step 7 Disable the output object name option:
no names
You must disable the output object name option to ensure that the logs use IP addresses and not object names.
Step 8 Exit the configuration:
exit
Step 9 Save the changes:
write mem
The configuration is complete. The log source is added to JSA as Cisco ASA syslog events are automatically discovered. Events forwarded to JSA by Cisco ASA are displayed on the Log Activity tab of JSA.

Configure a log source

JSA automatically discovers and creates a log source for syslog events from Cisco ASA. The following configuration steps are optional. To manually configure a log source for Cisco ASA syslog events:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources. The Data Sources panel is displayed.
Step 4 Click the Log Sources icon. The Log Sources window is displayed.
Step 5 Click Add. The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco Adaptive Security Appliance (ASA).
Step 9 Using the Protocol Configuration list box, select Syslog. The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 26-4 Syslog Parameters
Parameter: Log Source Identifier
Description: Type the IP address or host name for the log source as an identifier for events from your Cisco ASA devices.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes. The configuration is complete.

Integrate Cisco ASA for NetFlow Using NSEL

This section includes the following topics:
• Configure NetFlow Using NSEL
• Configure a log source

Configure NetFlow Using NSEL

To configure Cisco ASA to forward NetFlow events using NSEL:
Step 1 Log in to the Cisco ASA device command-line interface (CLI).
Step 2 Type the following command to access privileged EXEC mode:
enable
Step 3 Type the following command to access global configuration mode:
conf t
Step 4 Disable the output object name option:
no names
Step 5 Type the following command to enable NetFlow export:
flow-export destination
Where:
is the name of the Cisco Adaptive Security Appliance interface for the NetFlow collector.
is the IP address or host name of the Cisco ASA device with the NetFlow collector application.
is the UDP port number to which NetFlow packets are sent.
Note: JSA typically uses port 2055 for NetFlow event data on Flow Processors. You must configure a different UDP port on your Cisco Adaptive Security Appliance for NetFlow using NSEL.
Step 6 Type the following command to configure the NSEL class-map:
class-map flow_export_class
Step 7 Choose one of the following traffic options:
a. To configure a NetFlow access list to match specific traffic, type the command:
match access-list flow_export_acl
b. To configure NetFlow to match any traffic, type the command:
match any
Note: The Access Control List (ACL) must exist on the Cisco ASA device before you define the traffic match option in Step 7.
Step 8 Type the following command to configure the NSEL policy-map:
policy-map flow_export_policy
Step 9 Type the following command to define a class for the flow-export action:
class flow_export_class
Step 10 Type the following command to configure the flow-export action:
flow-export event-type all destination
Where is the IP address of JSA.
Note: If you are using a Cisco ASA version before v8.3, you can skip Step 10 because the device defaults to the flow-export destination. For more information, see your Cisco ASA documentation.
Step 11 Type the following command to add the service policy globally:
service-policy flow_export_policy global
Step 12 Exit the configuration:
exit
Step 13 Save the changes:
write mem
You must verify that your collector applications use the Event Time field to correlate events.

Configure a log source

To integrate Cisco ASA using NetFlow with JSA, you must manually create a log source to receive NetFlow events. JSA does not automatically discover or create log sources for events from Cisco ASA using NetFlow and NSEL.
Note: Your system must be running the latest version of the NSEL protocol to integrate with a Cisco ASA device using NetFlow NSEL. The NSEL protocol is available on Juniper Customer Support, http://www.juniper.net/customers/support/, or through auto updates in JSA.
To configure a log source:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources. The Data Sources panel is displayed.
Step 4 Click the Log Sources icon. The Log Sources window is displayed.
Step 5 Click Add. The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco Adaptive Security Appliance (ASA).
Step 9 Using the Protocol Configuration list box, select Cisco NSEL. The Cisco NSEL protocol configuration is displayed.
Step 10 Configure the following values:

Table 26-5 Cisco NSEL Parameters
Parameter: Log Source Identifier
Description: Type the IP address or hostname for the log source.
Parameter: Collector Port
Description: Type the UDP port number used by Cisco ASA to forward NSEL events. The valid range of the Collector Port parameter is 1-65535. Note: JSA typically uses port 2055 for NetFlow event data on Flow Processors. You must define a different UDP port on your Cisco Adaptive Security Appliance for NetFlow using NSEL.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes. The log source is added to JSA. Events forwarded to JSA by Cisco ASA are displayed on the Log Activity tab. For more information on configuring NetFlow with your Cisco ASA device, see your vendor documentation.

Cisco CallManager

The Cisco CallManager DSM for JSA collects application events forwarded from Cisco CallManager devices using syslog. Before receiving events in JSA, you must configure your Cisco CallManager device to forward events. After you forward syslog events from Cisco CallManager, JSA automatically detects and adds Cisco CallManager as a log source.

Configure Syslog Forwarding

To configure syslog on your Cisco CallManager:
Step 1 Log in to your Cisco CallManager interface.
Step 2 Select System > Enterprise Parameters. The Enterprise Parameters Configuration is displayed.
Step 3 In the Remote Syslog Server Name field, type the IP address of the JSA console.
Step 4 From the Syslog Severity For Remote Syslog messages list box, select Informational. The Informational severity collects all events at the informational level and above.
Step 5 Click Save.
Step 6 Click Apply Config. The syslog configuration is complete. You are now ready to configure a syslog log source for Cisco CallManager.

Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from Cisco CallManager devices. The following configuration steps are optional. To manually configure a syslog log source for Cisco CallManager:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources. The Data Sources panel is displayed.
Step 4 Click the Log Sources icon. The Log Sources window is displayed.
Step 5 Click Add. The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco Call Manager.
Step 9 Using the Protocol Configuration list box, select Syslog. The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 26-6 Syslog Parameters
Parameter: Log Source Identifier
Description: Type the IP address or host name for the log source as an identifier for events from your Cisco CallManager.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes. The configuration is complete.

Cisco CatOS for Catalyst Switches

The Cisco CatOS for Catalyst Switches DSM for JSA accepts events using syslog. JSA records all relevant device events. Before configuring a Cisco CatOS device in JSA, you must configure your device to forward syslog events.

Configure Syslog

To configure your Cisco CatOS device to forward syslog events:
Step 1 Log in to your Cisco CatOS user interface.
Step 2 Type the following command to access privileged EXEC mode:
enable
Step 3 Configure the system to timestamp messages:
set logging timestamp enable
Step 4 Type the IP address of JSA:
set logging server
Step 5 Limit the messages that are logged by selecting a severity level:
set logging server severity
Step 6 Configure the facility level to use in the message. The default is local7.
set logging server facility
Step 7 Enable the switch to send syslog messages to JSA:
set logging server enable
You are now ready to configure the log source in JSA.

Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from Cisco CatOS appliances. The following configuration steps are optional. To manually configure a syslog log source for Cisco CatOS:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources. The Data Sources panel is displayed.
Step 4 Click the Log Sources icon. The Log Sources window is displayed.
Step 5 Click Add. The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco CatOS for Catalyst Switches.
Step 9 Using the Protocol Configuration list box, select Syslog. The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 26-7 Syslog Parameters
Parameter: Log Source Identifier
Description: Type the IP address or host name for the log source as an identifier for events from your Cisco CatOS for Catalyst Switch appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes. The configuration is complete.

Cisco CSA

You can integrate a Cisco Security Agent (CSA) server with JSA.

Supported Event Types

The Cisco CSA DSM accepts events using syslog, SNMPv1, and SNMPv2. JSA records all configured Cisco CSA alerts.

Configure Syslog for Cisco CSA

To configure your Cisco CSA server to forward events:
Step 1 Open the Cisco CSA user interface.
Step 2 Select Events > Alerts.
Step 3 Click New. The Configuration View window is displayed.
Step 4 Type values for the following parameters:
a. Name - Type a name to assign to your configuration.
b. Description - Type a description for the configuration. This parameter is optional.
Step 5 From the Send Alerts list box, select the event set for which alerts are generated.
Step 6 Select the SNMP check box.
Step 7 Type a Community name. The Community name entered in the CSA user interface must match the Community field configured on JSA. This option is only available using the SNMPv2 protocol.
Step 8 In the Manager IP address parameter, type the IP address of JSA.
Step 9 Click Save. You are now ready to configure the log source in JSA.

Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from Cisco CSA appliances. The following configuration steps are optional. To manually configure a syslog log source for Cisco CSA:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources. The Data Sources panel is displayed.
Step 4 Click the Log Sources icon. The Log Sources window is displayed.
Step 5 Click Add. The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco CSA.
Step 9 Using the Protocol Configuration list box, select Syslog. The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 26-8 Syslog Parameters
Parameter: Log Source Identifier
Description: Type the IP address or host name for the log source as an identifier for events from your Cisco CSA appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes. The configuration is complete.

Cisco FWSM

You can integrate Cisco Firewall Service Module (FWSM) with JSA.

Supported Event Types

The Cisco FWSM DSM for JSA accepts FWSM events using syslog. JSA records all relevant Cisco FWSM events.

Configure Cisco FWSM to Forward Syslog Events

To integrate Cisco FWSM with JSA, you must configure your Cisco FWSM appliances to forward syslog events to JSA. To configure Cisco FWSM:
Step 1 Using a console connection, telnet, or SSH, log in to the Cisco FWSM.
Step 2 Enable logging:
logging on
Step 3 Change the logging level:
logging trap level (1-7)
By default, the logging level is set to 3 (error).
Step 4 Designate JSA as a host to receive the messages:
logging host [interface] ip_address [tcp[/port] | udp[/port]] [format emblem]
For example:
logging host dmz1 192.168.1.5
Where 192.168.1.5 is the IP address of your JSA system. You are now ready to configure the log source in JSA.

Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from Cisco FWSM appliances. The following configuration steps are optional. To manually configure a syslog log source for Cisco FWSM:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources. The Data Sources panel is displayed.
Step 4 Click the Log Sources icon. The Log Sources window is displayed.
Step 5 Click Add. The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco Firewall Services Module (FWSM).
Step 9 Using the Protocol Configuration list box, select Syslog. The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 26-9 Syslog Parameters
Parameter: Log Source Identifier
Description: Type the IP address or host name for the log source as an identifier for events from your Cisco FWSM appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes. The configuration is complete.

Cisco IDS/IPS

The Cisco IDS/IPS DSM for JSA polls Cisco IDS/IPS for events using the Security Device Event Exchange (SDEE) protocol. The SDEE specification defines the message format and the protocol used to communicate the events generated by your Cisco IDS/IPS security device. JSA supports SDEE connections by polling the IDS/IPS device directly, not the management software that controls the device.
Note: You must have security access or web authentication on the device before connecting to JSA.
After you configure your Cisco IDS/IPS device, you must configure the SDEE protocol in JSA. When configuring the SDEE protocol, you must define the URL required to access the device. For example, https://www.mysdeeserver.com/cgi-bin/sdee-server. You must use an http or https URL, which is specific to your Cisco IDS version:
• If you are using RDEP (for Cisco IDS v4.0), the URL should end with /cgi-bin/event-server. For example: https://www.my-rdep-server.com/cgi-bin/event-server
• If you are using SDEE/CIDEE (for Cisco IDS v5.x and above), the URL should end with /cgi-bin/sdee-server. For example: https://www.my-sdee-server/cgi-bin/sdee-server
JSA does not automatically discover or create log sources for events from Cisco IDS/IPS devices. To integrate Cisco IDS/IPS device events with JSA, you must manually create a log source for each Cisco IDS/IPS in your network. To configure a Cisco IDS/IPS log source using SDEE polling:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources. The Data Sources panel is displayed.
Step 4 Click the Log Sources icon. The Log Sources window is displayed.
Step 5 Click Add. The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco Intrusion Prevention System (IPS).
Step 9 Using the Protocol Configuration list box, select SDEE. The SDEE protocol configuration is displayed.
Step 10 Configure the following values:

Table 26-10 SDEE Parameters
Parameter: Log Source Identifier
Description: Type an IP address, hostname, or name to identify the SDEE event source. IP addresses or hostnames are recommended because they allow JSA to tie a log file to a unique event source. The log source identifier must be unique for the log source type.
Parameter: URL
Description: Type the URL required to access the log source, for example, https://www.mysdeeserver.com/cgi-bin/sdee-server. You must use an http or https URL. The options include:
• If you are using SDEE/CIDEE (for Cisco IDS v5.x and above), the URL should end with /cgi-bin/sdee-server. For example, https://www.my-sdee-server/cgi-bin/sdee-server
• If you are using RDEP (for Cisco IDS v4.0), the URL should end with /cgi-bin/event-server. For example, https://www.my-rdep-server.com/cgi-bin/event-server
Parameter: Username
Description: Type the username. This username must match the username used to access the SDEE URL. The username can be up to 255 characters in length.
Parameter: Password
Description: Type the user password. This password must match the password used to access the SDEE URL. The password can be up to 255 characters in length.
Parameter: Events / Query
Description: Type the maximum number of events to retrieve per query. The valid range is 0 to 501 and the default is 100.
Parameter: Force Subscription
Description: Select this check box if you want to force a new SDEE subscription. By default, the check box is selected. The check box forces the server to drop the least active connection and accept a new SDEE subscription connection for this log source. Clearing the check box continues with any existing SDEE subscription.
Parameter: Severity Filter Low
Description: Select this check box if you want to configure the severity level as low. Log sources that support SDEE return only the events that match this severity level. By default, the check box is selected.
Parameter: Severity Filter Medium
Description: Select this check box if you want to configure the severity level as medium. Log sources that support SDEE return only the events that match this severity level. By default, the check box is selected.
Parameter: Severity Filter High
Description: Select this check box if you want to configure the severity level as high. Log sources that support SDEE return only the events that match this severity level. By default, the check box is selected.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes. The log source is added to JSA. Events polled from your Cisco IDS/IPS appliances are displayed on the Log Activity tab of JSA.

Cisco IronPort

The Cisco IronPort DSM for JSA provides event information for email spam, web content filtering, and corporate email policy enforcement. Before you configure JSA to integrate with your Cisco IronPort device, you must select the log type to configure:
• To configure IronPort mail logs, see IronPort Mail Log Configuration.
• To configure IronPort content filtering logs, see IronPort Web Content Filter.

IronPort Mail Log Configuration

The JSA Cisco IronPort DSM accepts events using syslog. To configure your IronPort device to send syslog events to JSA:
Step 1 Log in to your Cisco IronPort user interface.
Step 2 Select System Administration > Log Subscriptions.
Step 3 Click Add Log Subscription.
Step 4 Configure the following values:
• Log Type - Define a log subscription for both IronPort Text Mail Logs and System Logs.
• Log Name - Type a log name.
• File Name - Use the default configuration value.
• Maximum File Size - Use the default configuration value.
• Log Level - Select Information (Default).
• Retrieval Method - Select Syslog Push.
• Hostname - Type the IP address or server name of your JSA system.
• Protocol - Select UDP.
• Facility - Use the default configuration value. This value depends on the configured Log Type.
Step 5 Save the subscription. You are now ready to configure the log source in JSA.

Configure a log source

To integrate Cisco IronPort with JSA, you must manually create a log source to receive Cisco IronPort events. JSA does not automatically discover or create log sources for syslog events from Cisco IronPort appliances. To create a log source for Cisco IronPort events:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources. The Data Sources panel is displayed.
Step 4 Click the Log Sources icon. The Log Sources window is displayed.
Step 5 Click Add. The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco IronPort.
Step 9 Using the Protocol Configuration list box, select Syslog. The syslog protocol configuration is displayed.
Step 10 Configure the following values:

Table 26-11 Syslog Parameters
Parameter: Log Source Identifier
Description: Type the IP address or host name for the log source as an identifier for events from your Cisco IronPort appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes. The log source is added to JSA. Events forwarded to JSA by Cisco IronPort are displayed on the Log Activity tab.
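The SDEE log source definition for Cisco IDS/IPS (Table 26-10 above) is the one log source in this chapter with several hard constraints that JSA cannot check for you against the sensor: the URL must be http or https and must end in /cgi-bin/sdee-server for SDEE/CIDEE or /cgi-bin/event-server for RDEP, the username and password are limited to 255 characters, Events / Query must lie in 0 to 501, and at least one of the three severity check boxes has to be selected for anything to be returned. The following script, an added example that is not part of the Juniper guide or of JSA, applies those constraints to a log source definition held as a dictionary so that a definition can be checked before it is deployed; the function names, the dictionary keys and the sample definitions are my own, and the plain-http finding is a practitioner's caveat rather than a rule from the guide.

```python
"""Check a Cisco IDS/IPS SDEE log source definition against the rules in Table 26-10.

Added example, not from the Juniper guide or from JSA itself. The rules it
encodes come from the guide: the URL must be http or https and end in
/cgi-bin/sdee-server (SDEE/CIDEE, IDS v5.x and above) or
/cgi-bin/event-server (RDEP, IDS v4.0); username and password are at most
255 characters; Events / Query is 0..501. The function names, the dictionary
keys and the sample definitions are assumptions made for this example.
"""
from urllib.parse import urlparse

SDEE_SUFFIX = "/cgi-bin/sdee-server"
RDEP_SUFFIX = "/cgi-bin/event-server"
MAX_CREDENTIAL_LEN = 255
EVENTS_PER_QUERY_RANGE = (0, 501)
SEVERITY_FLAGS = ("severity_low", "severity_medium", "severity_high")


def classify_sdee_url(url: str) -> str:
    """Return 'sdee' or 'rdep' for a usable polling URL; raise ValueError otherwise."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme must be http or https, got {parts.scheme!r}")
    if not parts.netloc:
        raise ValueError("URL has no host")
    path = parts.path.rstrip("/")
    if path.endswith(SDEE_SUFFIX):
        return "sdee"
    if path.endswith(RDEP_SUFFIX):
        return "rdep"
    raise ValueError(f"path must end with {SDEE_SUFFIX} or {RDEP_SUFFIX}")


def validate_sdee_log_source(cfg: dict) -> list:
    """Return a list of findings; an empty list means the definition is acceptable."""
    findings = []
    if not cfg.get("log_source_identifier"):
        findings.append("log_source_identifier: required; use the sensor IP or hostname")
    url = cfg.get("url", "")
    try:
        classify_sdee_url(url)
    except ValueError as exc:
        findings.append(f"url: {exc}")
    else:
        # Not a rule from the guide: plain http carries the poll credentials and
        # the event data unencrypted across the network.
        if urlparse(url).scheme == "http":
            findings.append("url: plain http sends the SDEE credentials and events unencrypted; prefer https")
    for field in ("username", "password"):
        if len(cfg.get(field, "")) > MAX_CREDENTIAL_LEN:
            findings.append(f"{field}: longer than {MAX_CREDENTIAL_LEN} characters")
    low, high = EVENTS_PER_QUERY_RANGE
    events = cfg.get("events_per_query", 100)  # 100 is the guide's default
    if not isinstance(events, int) or not low <= events <= high:
        findings.append(f"events_per_query: must be an integer in {low}..{high}")
    if not any(cfg.get(flag, True) for flag in SEVERITY_FLAGS):
        findings.append("severity filter: none of low/medium/high is selected")
    return findings


# Constructed sample definitions; the hostnames are the placeholders used in the guide
# and 192.0.2.10 is an RFC 5737 documentation address.
GOOD_CONFIG = {
    "log_source_identifier": "192.0.2.10",
    "url": "https://www.my-sdee-server/cgi-bin/sdee-server",
    "username": "sdee-reader",
    "password": "example-only",
    "events_per_query": 100,
    "severity_low": True, "severity_medium": True, "severity_high": True,
}
BAD_CONFIG = {
    "log_source_identifier": "",
    "url": "ftp://www.my-sdee-server/sdee",
    "username": "u" * 300,
    "password": "p",
    "events_per_query": 600,
    "severity_low": False, "severity_medium": False, "severity_high": False,
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, validate_sdee_log_source(cfg) or ["ok"])
```

Run as a script, the good definition produces no findings and the bad one produces five (missing identifier, wrong URL scheme, over-long username, Events / Query out of range, no severity selected). Classifying the URL by its suffix also tells you which Cisco IDS generation the sensor is expected to be, which is worth comparing against the version you actually run before the first poll.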
IronPort Web Content Filter

The Cisco IronPort DSM for JSA retrieves web content filtering events in W3C format from a remote source using the log file protocol. Your system must be running the latest version of the log file protocol to integrate with a Cisco IronPort device. To configure your Cisco IronPort device to push web content filter events, you must configure a log subscription for the web content filter using the W3C format. For more information on configuring a log subscription, see your Cisco IronPort documentation.
You are now ready to configure the log source and protocol in JSA.
Step 1 From the Log Source Type drop-down list box, select Cisco IronPort.
Step 2 From the Protocol Configuration list box, select the Log File protocol option.
Step 3 Select W3C as the Event Generator used to process the web content filter log files.
Step 4 The FTP File Pattern parameter must use a regular expression that matches the log files generated by the web content filter logs.
For more information on configuring the Log File protocol, see the Juniper Secure Analytics Log Sources User Guide.

Cisco NAC

The Cisco NAC DSM for JSA accepts events using syslog.

Supported Event Types

JSA records all relevant audit, error, and failure events as well as quarantine and infected system events.

Configuring Cisco NAC to Forward Events

Before configuring a Cisco NAC device in JSA, you must configure your device to forward syslog events. To configure the device to forward syslog events:
Procedure
Step 1 Log in to the Cisco NAC user interface.
Step 2 In the Monitoring section, select Event Logs.
Step 3 Click the Syslog Settings tab.
Step 4 In the Syslog Server Address field, type the IP address of your JSA.
Step 5 In the Syslog Server Port field, type the syslog port. The default is 514.
Step 6 In the System Health Log Interval field, type the frequency, in minutes, for system statistic log events.
Step 7 Click Update.
You are now ready to configure the log source in JSA.

Configuring a Log Source

To integrate Cisco NAC events with JSA, you must manually create a log source to receive Cisco NAC events. JSA does not automatically discover or create log sources for syslog events from Cisco NAC appliances.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco NAC Appliance.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 26-12 Syslog Protocol Parameters
Log Source Identifier - Type the IP address or host name for the log source as an identifier for events from your Cisco NAC appliance.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to JSA. Events forwarded to JSA by Cisco NAC are displayed on the Log Activity tab.

Cisco Nexus

The Cisco Nexus DSM for JSA supports alerts from Cisco NX-OS devices. The events are forwarded from Cisco Nexus to JSA using syslog. Before you can integrate events with JSA, you must configure your Cisco Nexus device to forward syslog events.

Configure Cisco Nexus to Forward Events

To configure syslog on your Cisco Nexus server:
Step 1 Type the following command to switch to configuration mode:
config t
Step 2 Type the following command:
logging server <IP address> <severity>
Where:
<IP address> is the IP address of your JSA console.
<severity> is the severity level of the event messages, which ranges from 0 to 7.
For example, logging server 100.100.10.1 6 forwards information level (6) syslog messages to 100.100.10.1.
Step 3 Type the following to configure the interface for sending syslog events:
logging source-interface loopback
Step 4 Type the following command to save your current configuration as the startup configuration:
copy running-config startup-config
The configuration is complete. The log source is added to JSA as Cisco Nexus events are automatically discovered. Events forwarded to JSA by Cisco Nexus are displayed on the Log Activity tab of JSA.

Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from Cisco Nexus. The following configuration steps are optional. To manually configure a log source for Cisco Nexus:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources. The Data Sources panel is displayed.
Step 4 Click the Log Sources icon. The Log Sources window is displayed.
Step 5 Click Add. The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco Nexus.
Step 9 Using the Protocol Configuration list box, select Syslog. The syslog protocol configuration is displayed.
Step 10 Configure the following values:
Table 26-13 Syslog Parameters
Log Source Identifier - Type the IP address or host name for the log source as an identifier for events from your Cisco Nexus appliances.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete. For more information on configuring a Virtual Device Context (VDC) on your Cisco Nexus device, see your vendor documentation.

Cisco IOS

You can integrate Cisco IOS series devices with JSA. The Cisco IOS DSM for JSA accepts Cisco IOS events using syslog.

Supported Event Types

JSA records all relevant events. The following Cisco switches and routers are automatically discovered as Cisco IOS and have their events parsed by the Cisco IOS DSM:
• Cisco 12000 Series Routers
• Cisco 6500 Series Switches
• Cisco 7600 Series Routers
• Cisco Carrier Routing System
• Cisco Integrated Services Router
NOTE: Make sure all Access Control Lists (ACLs) are set to LOG.

Configure Cisco IOS to Forward Events

To configure a Cisco IOS-based device to forward events:
Step 1 Log in to your Cisco IOS server, switch, or router.
Step 2 Type the following command to log in to the router in privileged EXEC mode:
enable
Step 3 Type the following command to switch to configuration mode:
conf t
Step 4 Type the following commands:
logging <IP address>
logging source-interface <interface>
Where:
<IP address> is the IP address hosting JSA and the SIM components.
<interface> is the name of the interface, for example, dmz, lan, ethernet0, or ethernet1.
Step 5 Type the following to configure the priority level:
logging trap warning
logging console warning
Where warning is the priority setting for the logs.
Step 6 Configure the syslog facility:
logging facility syslog
Step 7 Save and exit the file.
Step 8 Copy running-config to startup-config:
copy running-config startup-config
You are now ready to configure the log source in JSA. The configuration is complete. The log source is added to JSA as Cisco IOS events are automatically discovered. Events forwarded to JSA by Cisco IOS-based devices are displayed on the Log Activity tab of JSA.

Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from Cisco IOS. The following configuration steps are optional. To manually configure a log source for Cisco IOS-based devices:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources. The Data Sources panel is displayed.
Step 4 Click the Log Sources icon. The Log Sources window is displayed.
Step 5 Click Add. The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select one of the following:
• Cisco IOS
• Cisco 12000 Series Routers
• Cisco 6500 Series Switches
• Cisco 7600 Series Routers
• Cisco Carrier Routing System
• Cisco Integrated Services Router
Step 9 Using the Protocol Configuration list box, select Syslog. The syslog protocol configuration is displayed.
Step 10 Configure the following values:
Table 26-14 Syslog Parameters
Log Source Identifier - Type the IP address or host name for the log source as an identifier for events from your Cisco IOS-based device.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.

Cisco Pix

You can integrate Cisco Pix security appliances with JSA. The Cisco Pix DSM for JSA accepts Cisco Pix events using syslog. JSA records all relevant Cisco Pix events.

Configure Cisco Pix to Forward Events

To configure Cisco Pix:
Step 1 Log in to your Cisco PIX appliance using a console connection, telnet, or SSH.
Step 2 Type the following command to access Privileged mode:
enable
Step 3 Type the following command to access Configuration mode:
conf t
Step 4 Enable logging and timestamp the logs:
logging on
logging timestamp
Step 5 Set the log level:
logging trap warning
Step 6 Configure logging to JSA:
logging host <interface> <IP address>
Where:
<interface> is the name of the interface, for example, dmz, lan, ethernet0, or ethernet1.
<IP address> is the IP address hosting JSA.
The configuration is complete. The log source is added to JSA as Cisco Pix Firewall events are automatically discovered. Events forwarded to JSA by Cisco Pix Firewalls are displayed on the Log Activity tab of JSA.

Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from Cisco Pix Firewalls. The following configuration steps are optional.
To manually configure a log source for Cisco Pix:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources. The Data Sources panel is displayed.
Step 4 Click the Log Sources icon. The Log Sources window is displayed.
Step 5 Click Add. The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco PIX Firewall.
Step 9 Using the Protocol Configuration list box, select Syslog. The syslog protocol configuration is displayed.
Step 10 Configure the following values:
Table 26-15 Syslog Parameters
Log Source Identifier - Type the IP address or host name for the log source as an identifier for events from your Cisco Pix Firewall.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.

Cisco VPN 3000 Concentrator

The Cisco VPN 3000 Concentrator DSM for JSA accepts Cisco VPN Concentrator events using syslog. JSA records all relevant events. Before you can integrate with a Cisco VPN concentrator, you must configure your device to forward syslog events to JSA.

Configure a Cisco VPN 3000 Concentrator

To configure your Cisco VPN 3000 Concentrator:
Step 1 Log in to the Cisco VPN 3000 Concentrator command-line interface (CLI).
Step 2 Type the following command to add a syslog server to your configuration:
set logging server <IP address>
Where <IP address> is the IP address of JSA or your Event Collector.
Step 3 Type the following command to enable system message logging to the configured syslog servers:
set logging server enable
Step 4 Set the facility and severity level for syslog server messages:
set logging server facility server_facility_parameter
set logging server severity server_severity_level
The configuration is complete.
The log source is added to JSA as Cisco VPN Concentrator events are automatically discovered. Events forwarded to JSA are displayed on the Log Activity tab of JSA.

Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from Cisco VPN 3000 Series Concentrators. These configuration steps are optional. To manually configure a log source:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources. The Data Sources panel is displayed.
Step 4 Click the Log Sources icon. The Log Sources window is displayed.
Step 5 Click Add. The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco VPN 3000 Series Concentrator.
Step 9 Using the Protocol Configuration list box, select Syslog. The syslog protocol configuration is displayed.
Step 10 Configure the following values:
Table 26-16 Syslog Parameters
Log Source Identifier - Type the IP address or host name for the log source as an identifier for events from your Cisco VPN 3000 Series Concentrators.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.

Cisco Wireless Services Module

You can integrate a Cisco Wireless Services Module (WiSM) device with JSA. The Cisco WiSM DSM for JSA accepts events using syslog. Before you can integrate JSA with a Cisco WiSM device, you must configure Cisco WiSM to forward syslog events.

Configure Cisco WiSM to Forward Events

To configure Cisco WiSM to forward syslog events to JSA:
Step 1 Log in to the Cisco Wireless LAN Controller user interface.
Step 2 Click Management > Logs > Config. The Syslog Configuration window is displayed.
Step 3 In the Syslog Server IP Address field, type the IP address of the JSA host to which you want to send the syslog messages. Click Add.
Step 4 Using the Syslog Level list box, set the severity level for filtering syslog messages to the syslog servers using one of the following options:
• Emergencies - Severity level 0
• Alerts - Severity level 1 (Default)
• Critical - Severity level 2
• Errors - Severity level 3
• Warnings - Severity level 4
• Notifications - Severity level 5
• Informational - Severity level 6
• Debugging - Severity level 7
If you set a syslog level, only those messages whose severity level is equal to or less than that level are sent to the syslog servers. For example, if you set the syslog level to Warnings (severity level 4), only those messages whose severity is between 0 and 4 are sent to the syslog servers.
Step 5 From the Syslog Facility list box, set the facility for outgoing syslog messages to the syslog server using one of the following options:
• Kernel - Facility level 0
• User Process - Facility level 1
• Mail - Facility level 2
• System Daemons - Facility level 3
• Authorization - Facility level 4
• Syslog - Facility level 5 (default value)
• Line Printer - Facility level 6
• USENET - Facility level 7
• Unix-to-Unix Copy - Facility level 8
• Cron - Facility level 9
• FTP Daemon - Facility level 11
• System Use 1 - Facility level 12
• System Use 2 - Facility level 13
• System Use 3 - Facility level 14
• System Use 4 - Facility level 15
• Local Use 0 - Facility level 16
• Local Use 1 - Facility level 17
• Local Use 2 - Facility level 18
• Local Use 3 - Facility level 19
• Local Use 4 - Facility level 20
• Local Use 5 - Facility level 21
• Local Use 6 - Facility level 22
• Local Use 7 - Facility level 23
Step 6 Click Apply.
Step 7 From the Buffered Log Level and the Console Log Level list boxes, select the severity level for log messages to the controller buffer and console using one of the following options:
• Emergencies - Severity level 0
• Alerts - Severity level 1
• Critical - Severity level 2
• Errors - Severity level 3 (default value)
• Warnings - Severity level 4
• Notifications - Severity level 5
• Informational - Severity level 6
• Debugging - Severity level 7
If you set a logging level, only those messages whose severity is equal to or less than that level are logged by the controller. For example, if you set the logging level to Warnings (severity level 4), only those messages whose severity is between 0 and 4 are logged.
Step 8 Select the File Info check box if you want the message logs to include information about the source file. The default value is enabled.
Step 9 Select the Proc Info check box if you want the message logs to include process information. The default value is disabled.
Step 10 Select the Trace Info check box if you want the message logs to include traceback information. The default value is disabled.
Step 11 Click Apply to commit your changes.
Step 12 Click Save Configuration to save your changes.
The configuration is complete. The log source is added to JSA as Cisco WiSM events are automatically discovered. Events forwarded by Cisco WiSM are displayed on the Log Activity tab of JSA.

Configure a Log Source

JSA automatically discovers and creates a log source for syslog events from Cisco WiSM. The following configuration steps are optional. To manually configure a log source for Cisco WiSM:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources. The Data Sources panel is displayed.
Step 4 Click the Log Sources icon. The Log Sources window is displayed.
Step 5 Click Add. The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco Wireless Services Module (WiSM).
Step 9 Using the Protocol Configuration list box, select Syslog. The syslog protocol configuration is displayed.
Step 10 Configure the following values:
Table 26-17 Syslog Protocol Parameters
Log Source Identifier - Type the IP address or host name for the log source as an identifier for events from your Cisco WiSM appliance.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.

Cisco Wireless LAN Controllers

The Cisco Wireless LAN Controllers DSM for JSA collects events forwarded from Cisco Wireless LAN Controller devices using syslog or SNMPv2. This section includes the following topics:
• Configuring Syslog for Cisco Wireless LAN Controller
• Configuring SNMPv2 for Cisco Wireless LAN Controller

Before You Begin

If you collect events from Cisco Wireless LAN Controllers, you should select the best collection method for your configuration. The Cisco Wireless LAN Controller DSM for JSA supports both syslog and SNMPv2 events. However, syslog provides all available Cisco Wireless LAN Controller events, whereas SNMPv2 only sends a limited set of security events to JSA.

Configuring Syslog for Cisco Wireless LAN Controller

You can configure Cisco Wireless LAN Controller to forward syslog events to JSA.
Procedure
Step 1 Log in to your Cisco Wireless LAN Controller interface.
Step 2 Click the Management tab.
Step 3 From the menu, select Logs > Config.
Step 4 In the Syslog Server IP Address field, type the IP address of your JSA console.
Step 5 Click Add.
Step 6 From the Syslog Level list box, select a logging level. The Information level allows you to collect all Cisco Wireless LAN Controller events above the debug level.
Step 7 From the Syslog Facility list box, select a facility level.
Step 8 Click Apply.
Step 9 Click Save Configuration.
What to do next
You are now ready to configure a syslog log source for Cisco Wireless LAN Controller.

Configuring a syslog log source in JSA

JSA does not automatically discover incoming syslog events from Cisco Wireless LAN Controllers. You must create a log source for each Cisco Wireless LAN Controller providing syslog events to JSA.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco Wireless LAN Controllers.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 26-18 Syslog Protocol Parameters
Log Source Identifier - Type the IP address or host name for the log source as an identifier for events from your Cisco Wireless LAN Controller.
Enabled - Select this check box to enable the log source. By default, the check box is selected.
Credibility - From the list box, select the credibility of the log source. The range is 0 to 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.
Target Event Collector - From the list box, select the Event Collector to use as the target for the log source.
Coalescing Events - Select this check box to enable the log source to coalesce (bundle) events. Automatically discovered log sources use the default value configured in the Coalescing Events drop-down in the JSA Settings window on the Admin tab.
However, when you create a new log source or update the configuration for an automatically discovered log source, you can override the default value by configuring this check box for each log source. For more information on settings, see the Juniper Secure Analytics Administration Guide.
Incoming Event Payload - From the list box, select the incoming payload encoder for parsing and storing the logs.
Store Event Payload - Select this check box to enable or disable JSA from storing the event payload. Automatically discovered log sources use the default value from the Store Event Payload drop-down in the JSA Settings window on the Admin tab. However, when you create a new log source or update the configuration for an automatically discovered log source, you can override the default value by configuring this check box for each log source.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.

Configuring SNMPv2 for Cisco Wireless LAN Controller

SNMP event collection for Cisco Wireless LAN Controllers allows you to capture the following events for JSA:
• SNMP Config Event
• bsn Authentication Errors
• LWAPP Key Decryption Errors
Procedure
Step 1 Log in to your Cisco Wireless LAN Controller interface.
Step 2 Click the Management tab.
Step 3 From the menu, select SNMP > Communities. You can use one of the default communities created or create a new community.
Step 4 Click New.
Step 5 In the Community Name field, type the name of the community for your device.
Step 6 In the IP Address field, type the IP address of JSA. The IP address and IP mask you specify are the address from which your Cisco Wireless LAN Controller accepts SNMP requests. You can treat these values as an access list for SNMP requests.
Step 7 In the IP Mask field, type a subnet mask.
Step 8 From the Access Mode list box, select Read Only or Read/Write.
Step 9 From the Status list box, select Enable.
Step 10 Click Save Configuration to save your changes.
What to do next
You are now ready to create an SNMPv2 trap receiver.

Configure a trap receiver for Cisco Wireless LAN Controller

Trap receivers configured for Cisco Wireless LAN Controllers define where the device can send SNMP trap messages.
Procedure
Step 1 Click the Management tab.
Step 2 From the menu, select SNMP > Trap Receivers.
Step 3 In the Trap Receiver Name field, type a name for your trap receiver.
Step 4 In the IP Address field, type the IP address of JSA. The IP address you specify is the address to which your Cisco Wireless LAN Controller sends SNMP messages. If you plan to configure this log source on an Event Collector, specify the Event Collector appliance IP address.
Step 5 From the Status list box, select Enable.
Step 6 Click Apply to commit your changes.
Step 7 Click Save Configuration to save your settings.
What to do next
You are now ready to create an SNMPv2 log source in JSA.

Configure a log source for SNMPv2 for Cisco Wireless LAN Controller

JSA does not automatically discover and create log sources for SNMP event data from Cisco Wireless LAN Controllers. You must create a log source for each Cisco Wireless LAN Controller providing SNMPv2 events.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cisco Wireless LAN Controllers.
Step 9 Using the Protocol Configuration list box, select SNMPv2.
Step 10 Configure the following values:
Table 26-19 SNMPv2 protocol parameters
Log Source Identifier - Type the IP address or host name for the log source as an identifier for events from your Cisco Wireless LAN Controller.
Community - Type the SNMP community name required to access the system containing SNMP events. The default is Public.
Include OIDs in Event Payload - Select the Include OIDs in Event Payload check box. This option allows the SNMP event payload to be constructed using name-value pairs instead of the standard event payload format. Including OIDs in the event payload is required for processing SNMPv2 or SNMPv3 events from certain DSMs.
Enabled - Select this check box to enable the log source. By default, the check box is selected.
Credibility - From the list box, select the credibility of the log source. The range is 0 to 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.
Target Event Collector - From the list box, select the Event Collector to use as the target for the log source.
Coalescing Events - Select this check box to enable the log source to coalesce (bundle) events. Automatically discovered log sources use the default value configured in the Coalescing Events drop-down in the JSA Settings window on the Admin tab. However, when you create a new log source or update the configuration for an automatically discovered log source, you can override the default value by configuring this check box for each log source. For more information on settings, see the Juniper Secure Analytics Administration Guide.
Store Event Payload - Select this check box to enable or disable JSA from storing the event payload. Automatically discovered log sources use the default value from the Store Event Payload drop-down in the JSA Settings window on the Admin tab.
However, when you create a new log source or update the configuration for an automatically discovered log source, you can override the default value by configuring this check box for each log source.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete. Events forwarded by Cisco Wireless LAN Controller are displayed on the Log Activity tab of JSA.

Cisco Identity Services Engine

Configuration Overview

The Cisco Identity Services Engine (ISE) DSM for JSA accepts syslog events from Cisco ISE appliances with log sources configured to use the UDP Multiline protocol. JSA supports syslog events forwarded by Cisco ISE version 1.1. Before you configure your Cisco ISE appliance, you should consider which logging categories you want to configure on your Cisco ISE to forward to JSA. Each logging category must be configured with a syslog severity and included as a remote target to allow Cisco ISE to forward the event to JSA. The log source you configure in JSA receives the event forwarded from Cisco ISE and uses a regular expression to assemble the multiline syslog event into an event readable by JSA.
To integrate Cisco ISE events with JSA, you must perform the following tasks:
1 Configure a log source in JSA for your Cisco ISE appliance forwarding events to JSA.
2 Create a remote logging target for JSA on your Cisco ISE appliance.
3 Configure the logging categories on your Cisco ISE appliance.

Supported Event Logging Categories

The Cisco ISE DSM for JSA is capable of receiving syslog events from the following event logging categories.
Table 26-1 Supported Cisco ISE Event Logging Categories
• AAA audit
• Failed attempts
• Passed authentication
• AAA diagnostics
• Administrator authentication and authorization
• Authentication flow diagnostics
• Identity store diagnostics
• Policy diagnostics
• Radius diagnostics
• Guest
• Accounting
• Radius accounting
• Administrative and operational audit
• Posture and client provisioning audit
• Posture and client provisioning diagnostics
• Profiler
• System diagnostics
• Distributed management
• Internal operations diagnostics
• System statistics

Configuring a Cisco ISE Log Source in JSA

To collect syslog events, you must configure a log source for Cisco ISE in JSA to use the UDP Multiline Syslog protocol. You must configure a log source for each individual Cisco ISE appliance that forwards events to JSA. However, all Cisco ISE appliances can forward their events to the same listen port on JSA that you configure.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 In the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for your log source.
Step 8 From the Log Source Type list box, select Cisco Identity Services Engine.
Step 9 From the Protocol Configuration list box, select UDP Multiline Syslog.
Step 10 Configure the following values:
Table 26-2 Cisco ISE Log Source Parameters
Log Source Identifier - Type the IP address, host name, or name to identify the log source or appliance providing UDP Multiline Syslog events to JSA.
Listen Port - Type 517 as the port number used by JSA to accept incoming UDP Multiline Syslog events. The valid port range is 1 to 65535. To edit a saved configuration to use a new port number:
1 In the Listen Port field, type the new port number for receiving UDP Multiline Syslog events.
2 Click Save.
3 On the Admin tab, select Advanced > Deploy Full Configuration. After the full deploy completes, JSA is capable of receiving events on the updated listen port.
Note: When you click Deploy Full Configuration, JSA restarts all services, resulting in a gap in data collection for events and flows until the deployment completes.
Message ID Pattern - Type the following regular expression (regex) required to filter the event payload messages:
CISE_\S+ (\d{10})
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
What to do next
You are now ready to configure your Cisco ISE appliance with a remote logging target.

Creating a Remote Logging Target in Cisco ISE

To forward syslog events to JSA, you must configure your Cisco ISE appliance with a remote logging target.
Procedure
Step 1 Log in to your Cisco ISE Administration Interface.
Step 2 From the navigation menu, select Administration > System > Logging > Remote Logging Targets.
Step 3 Click Add.
Step 4 In the Name field, type a name for the remote target system.
Step 5 In the Description field, type a description.
Step 6 In the IP Address field, type the IP address of the JSA console or Event Collector.
Step 7 In the Port field, type 517 or use the port value you specified in your Cisco ISE log source for JSA.
Step 8 From the Facility Code list box, select the syslog facility to use for logging events.
Step 9 In the Maximum Length field, type 1024 as the maximum packet length allowed for the UDP syslog message.
Step 10 Click Submit.
The remote logging target is created for JSA.
What to do next
You are now ready to configure the logging categories forwarded by Cisco ISE to JSA.

Configuring Cisco ISE Logging Categories

To define which events are forwarded by your Cisco ISE appliance, you must configure each logging category with a syslog severity and the remote logging target you configured for JSA.
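The Message ID Pattern in Table 26-2, CISE_\S+ (\d{10}), is what lets the UDP Multiline Syslog log source reassemble an event that Cisco ISE has split across several datagrams no longer than the Maximum Length set on the remote logging target. As an added Python example that is not part of this guide or of JSA, the following groups constructed sample datagrams by the ID the pattern captures and flags anything the pattern cannot correlate; the syslog headers, the text after the ID and the segment interleaving are assumptions, only the CISE_<category> <ID> shape comes from the regex.

```python
import re
from collections import OrderedDict

# Message ID Pattern from Table 26-2. The capture group (\d{10}) is the value the
# log source keys on: every UDP segment of one Cisco ISE event carries the same
# 10-digit ID after the CISE_<category> token.
MESSAGE_ID_PATTERN = re.compile(r"CISE_\S+ (\d{10})")

# Maximum Length configured on the ISE remote logging target (Step 9).
MAX_UDP_PAYLOAD = 1024

# Constructed sample datagrams, not captured from a real appliance. The syslog
# header and the text after the ID are illustrative; only the
# "CISE_<category> <10-digit ID>" shape matters to the pattern. Segments of two
# events arrive interleaved, as they can on a busy collector.
SAMPLE_DATAGRAMS = [
    "<181>Jun 10 12:00:01 ise01 CISE_Passed_Authentications 0000000101 segment one of event A",
    "<181>Jun 10 12:00:01 ise01 CISE_Failed_Attempts 0000000102 segment one of event B",
    "<181>Jun 10 12:00:01 ise01 CISE_Passed_Authentications 0000000101 segment two of event A",
    "<181>Jun 10 12:00:02 ise01 CISE_Failed_Attempts 0000000102 segment two of event B",
    "<181>Jun 10 12:00:02 ise01 CISE_Failed_Attempts 0000000102 segment three of event B",
    "<181>Jun 10 12:00:02 ise01 unrelated syslog line with no message id",
]


def message_id(datagram):
    """Return the 10-digit ID captured by the Message ID Pattern, or None."""
    match = MESSAGE_ID_PATTERN.search(datagram)
    return match.group(1) if match else None


def assemble_events(datagrams):
    """Stitch UDP Multiline Syslog segments back into whole events.

    Segments are grouped by the captured message ID in order of first arrival,
    mirroring what the Message ID Pattern does for the JSA log source. Returns
    (events, unmatched): events maps ID -> {"category", "segments", "payload"};
    unmatched lists datagrams the pattern did not match, which the log source
    cannot correlate and which are therefore worth a look when events are missing.
    """
    events = OrderedDict()
    unmatched = []
    for datagram in datagrams:
        match = MESSAGE_ID_PATTERN.search(datagram)
        if match is None:
            unmatched.append(datagram)
            continue
        mid = match.group(1)
        # group(0) is "CISE_<category> <ID>"; its first token is the category.
        category = match.group(0).split()[0]
        event = events.setdefault(mid, {"category": category, "segments": []})
        event["segments"].append(datagram[match.end():].strip())
    for event in events.values():
        event["payload"] = " ".join(event["segments"])
    return events, unmatched


def oversized_datagrams(datagrams, limit=MAX_UDP_PAYLOAD):
    """Datagrams longer than the Maximum Length set on the remote logging target.

    ISE splits an event into segments no longer than that limit, so anything
    larger arriving at the collector points at a mismatch between the two sides.
    """
    return [d for d in datagrams if len(d.encode("utf-8")) > limit]


if __name__ == "__main__":
    events, unmatched = assemble_events(SAMPLE_DATAGRAMS)
    for mid, event in events.items():
        print(mid, event["category"], len(event["segments"]), "segments:", event["payload"])
    print("unmatched:", len(unmatched), "oversized:", len(oversized_datagrams(SAMPLE_DATAGRAMS)))
```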
For a list of pre-defined event logging categories for Cisco ISE, see Supported Event Logging Categories.
Procedure
Step 1 From the navigation menu, select Administration > System > Logging > Logging Categories.
Step 2 Select a logging category, and click Edit.
Step 3 From the Log Severity list box, select a severity for the logging category.
Step 4 In the Target field, add your remote logging target for JSA to the Select box.
Step 5 Click Save.
Step 6 Repeat this process for each logging category you want to forward to JSA.
The configuration is complete. Events forwarded by Cisco ISE are displayed on the Log Activity tab in JSA.

24 CITRIX
This section provides information on the following DSMs:
• Citrix NetScaler
• Citrix Access Gateway

Citrix NetScaler
The Citrix NetScaler DSM for Juniper Secure Analytics (JSA) accepts all relevant audit log events using syslog.
Configuring Syslog on Citrix NetScaler
To integrate Citrix NetScaler events with JSA, you must configure Citrix NetScaler to forward syslog events.
Procedure
Step 1 Using SSH, log in to your Citrix NetScaler device as a root user.
Step 2 Type the following command to add a remote syslog server:
add audit syslogAction <action name> <IP address> -serverPort 514 -logLevel Info -dateFormat DDMMYYYY
Where:
<action name> is a descriptive name for the syslog server action.
<IP address> is the IP address or hostname of your JSA console.
For example:
add audit syslogAction action-JSA 10.10.10.10 -serverPort 514 -logLevel Info -dateFormat DDMMYYYY
Step 3 Type the following command to add an audit policy:
add audit syslogPolicy <policy name> <rule> <action name>
Where:
<policy name> is a descriptive name for the syslog policy.
<rule> is the rule or expression the policy uses. The only supported value is ns_true.
<action name> is a descriptive name for the syslog server action.
For example:
add audit syslogPolicy policy-JSA ns_true action-JSA
Step 4 Type the following command to bind the policy globally:
bind system global <policy name> -priority <priority>
Where:
<policy name> is a descriptive name for the syslog policy.
<priority> is a numeric value used to rank message priority for multiple policies that are communicating using syslog.
For example:
bind system global policy-JSA -priority 30
When multiple policies have a numeric priority assigned, the lower priority value is evaluated before the higher value.
Step 5 Type the following command to save the Citrix NetScaler configuration:
save config
Step 6 Type the following command to verify that the policy is saved in your configuration:
sh system global
Note: For information on configuring syslog using the Citrix NetScaler user interface, see http://support.citrix.com/article/CTX121728 or your vendor documentation.
The configuration is complete. The log source is added to JSA as Citrix NetScaler events are automatically discovered. Events forwarded by Citrix NetScaler are displayed on the Log Activity tab of JSA.
Configuring a Citrix NetScaler Log Source
JSA automatically discovers and creates a log source for syslog events from Citrix NetScaler. This procedure is optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Citrix NetScaler.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 27-1 Syslog protocol parameters
Log Source Identifier - Type the IP address or host name for the log source as an identifier for events from your Citrix NetScaler devices.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.
Citrix Access Gateway
The Citrix Access Gateway DSM accepts access, audit, and diagnostic events forwarded from your Citrix Access Gateway appliance using syslog.
Configuring Syslog for Citrix Access Gateway
This procedure outlines the steps required to configure syslog on your Citrix Access Gateway to forward events to the JSA console or an Event Collector.
Procedure
Step 1 Log in to your Citrix Access Gateway web interface.
Step 2 Click the Access Gateway Cluster tab.
Step 3 Select Logging/Settings.
Step 4 In the Server field, type the IP address of your JSA console or Event Collector.
Step 5 From the Facility list box, select a syslog facility level.
Step 6 In the Broadcast interval (mins) field, type 0 to continuously forward syslog events to JSA.
Step 7 Click Submit to save your changes.
The configuration is complete. The log source is added to JSA as Citrix Access Gateway events are automatically discovered. Events forwarded to JSA by Citrix Access Gateway are displayed on the Log Activity tab in JSA.
Configuring a Citrix Access Gateway Log Source
JSA automatically discovers and creates a log source for syslog events from Citrix Access Gateway appliances. This procedure is optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Citrix Access Gateway.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 27-2 Syslog protocol parameters
Log Source Identifier - Type the IP address or host name for the log source as an identifier for events from your Citrix Access Gateway appliance.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.

25 CRYPTOCARD CRYPTO-SHIELD
The CRYPTOCard CRYPTO-Shield DSM for Juniper Secure Analytics (JSA) accepts events using syslog.
Before You Begin
To integrate CRYPTOCard CRYPTO-Shield events with JSA, you must manually create a log source to receive syslog events. Before you can receive events in JSA, you must configure a log source, then configure your CRYPTOCard CRYPTO-Shield to forward syslog events. Syslog events forwarded from CRYPTOCard CRYPTO-Shield devices are not automatically discovered. JSA can receive syslog events on port 514 for both TCP and UDP.
Configuring a Log Source
JSA does not automatically discover or create log sources for syslog events from CRYPTOCard CRYPTO-Shield devices.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select CRYPTOCard CRYPTOShield.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 28-1 Syslog Parameters
Log Source Identifier - Type the IP address or host name for the log source as an identifier for events from your CRYPTOCard CRYPTO-Shield device.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to JSA.
Configure Syslog for CRYPTOCard CRYPTO-Shield
To configure your CRYPTOCard CRYPTO-Shield device to forward syslog events:
Step 1 Log in to your CRYPTOCard CRYPTO-Shield device.
Step 2 Configure the following System Configuration parameters:
Note: You must have CRYPTOCard Operator access with the assigned default Super-Operator system role to access the System Configuration parameters.
• log4j.appender.<type> - Directs the logs to a syslog host, where <type> is the type of log appender, which determines where you want to send logs for storage. The options are: ACC, DBG, or LOG. For this parameter, type the following: org.apache.log4j.net.SyslogAppender
• log4j.appender.<type>.SyslogHost - Type the IP address or hostname of the syslog server, where:
- <type> is the type of log appender, which determines where you want to send logs for storage. The options are: ACC, DBG, or LOG.
- The value is the IP address of the JSA host to which you want to send logs. This parameter can only be specified when the log4j.appender.<type> parameter is configured.
The configuration is complete. Events forwarded to JSA by CRYPTOCard CRYPTO-Shield are displayed on the Log Activity tab.

26 CYBER-ARK VAULT
The Cyber-Ark Vault DSM for Juniper Secure Analytics (JSA) accepts events using syslog formatted for Log Enhanced Event Format (LEEF).
Supported Event Types
JSA records both user activities and safe activities from the Cyber-Ark Vault in the audit log events. Cyber-Ark Vault integrates with JSA to forward audit logs using syslog to create a complete audit picture of privileged account activities.
Event Type Format
Cyber-Ark Vault must be configured to generate events in Log Enhanced Event Protocol (LEEF) and forward these events using syslog. The LEEF format consists of a pipe ( | ) delimited syslog header and tab separated fields in the event payload. If the syslog events forwarded from your Cyber-Ark Vault are not formatted as described above, you must examine your device configuration or software version to ensure your appliance supports LEEF.
Properly formatted LEEF event messages are automatically discovered and added as a log source to JSA.
Configure Syslog for Cyber-Ark Vault
To configure Cyber-Ark Vault to forward syslog events to JSA:
Procedure
Step 1 Log in to your Cyber-Ark device.
Step 2 Edit the DBParm.ini file.
Step 3 Configure the following parameters:
• SyslogServerIP - Type the IP address of JSA.
• SyslogServerPort - Type the UDP port used to connect to JSA. The default value is 514.
• SyslogMessageCodeFilter - Configure which message codes are sent from the Cyber-Ark Vault to JSA. You can define specific message numbers or a range of numbers. By default, all message codes are sent for user activities and safe activities. For example, to define message codes 1, 2, 3, 30 and 5-10, you must type: 1,2,3,5-10,30.
• SyslogTranslatorFile - Type the file path to the LEEF.xsl translator file. The translator file is used to parse Cyber-Ark audit record data into the syslog protocol.
Step 4 Copy LEEF.xsl to the location specified by the SyslogTranslatorFile parameter in the DBParm.ini file.
The configuration is complete. The log source is added to JSA as Cyber-Ark Vault events are automatically discovered. Events forwarded by Cyber-Ark Vault are displayed on the Log Activity tab of JSA.
Configuring a Log Source
JSA automatically discovers and creates a log source for syslog events from Cyber-Ark Vault. The following configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Cyber-Ark Vault.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 29-1 Syslog Parameters
Log Source Identifier - Type the IP address or host name for the log source as an identifier for events from your Cyber-Ark Vault appliance.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.

27 CYBERGUARD FIREWALL/VPN APPLIANCE
The CyberGuard Firewall VPN Appliance DSM for Juniper Secure Analytics (JSA) accepts CyberGuard events using syslog.
Supported Event Types
JSA records all relevant CyberGuard events for CyberGuard KS series appliances forwarded using syslog.
Configure Syslog Events
To configure a CyberGuard device to forward syslog events:
Procedure
Step 1 Log in to the CyberGuard user interface.
Step 2 Select the Advanced page.
Step 3 Under System Log, select Enable Remote Logging.
Step 4 Type the IP address of JSA.
Step 5 Click Apply.
The configuration is complete. The log source is added to JSA as CyberGuard events are automatically discovered. Events forwarded by CyberGuard appliances are displayed on the Log Activity tab of JSA.
Configure a Log Source
JSA automatically discovers and creates a log source for syslog events from CyberGuard appliances. The following configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select CyberGuard TSP Firewall/VPN.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 30-1 Syslog parameters
Log Source Identifier - Type the IP address or host name for the log source as an identifier for events from your CyberGuard appliance.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.

28 DAMBALLA FAILSAFE
The Failsafe DSM for Juniper Secure Analytics (JSA) accepts syslog events using the Log Enhanced Event Protocol (LEEF), enabling JSA to record all relevant Damballa Failsafe events.
Event Type Format
Damballa Failsafe must be configured to generate events in Log Enhanced Event Protocol (LEEF) and forward these events using syslog. The LEEF format consists of a pipe ( | ) delimited syslog header and tab separated fields in the event payload. If the syslog events forwarded from your Damballa Failsafe are not formatted as described above, you must examine your device configuration or software version to ensure your appliance supports LEEF. Properly formatted LEEF event messages are automatically discovered and added as a log source to JSA.
Configuring Syslog for Damballa Failsafe
To collect events, you must configure your Damballa Failsafe device to forward syslog events to JSA.
Procedure
Step 1 Log in to your Damballa Failsafe Management console.
Step 2 From the navigation menu, select Setup > Integration Settings.
Step 3 Click the Q1 QRadar tab.
Step 4 Select Enable Publishing to Q1 QRadar.
Step 5 Configure the following options:
a Q1 Hostname - Type the IP address or Fully Qualified Name (FQN) of your JSA console.
b Destination Port - Type 514. By default, JSA uses port 514 as the port for receiving syslog events.
c Source Port - Optional. Type the source port your Damballa Failsafe device uses for sending syslog events.
Step 6 Click Save.
The configuration is complete. The log source is added to JSA as Damballa Failsafe events are automatically discovered.
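The Event Type Format paragraphs for both Cyber-Ark Vault (above) and Damballa Failsafe describe the same layout: a pipe-delimited LEEF header followed by tab-separated key=value attributes, and they ask you to check the appliance when events do not look like that. The Python below is an added example, not code from the Juniper guide or from either vendor, that performs that check on constructed sample lines and reports which senders are malformed. The sample events, the host names vault01 and failsafe01, and the heuristic that a value containing a further " key=" pair signals a space where a tab should be are the example's own.

```python
import re

LEEF_HEADER_FIELDS = ("version", "vendor", "product", "product_version", "event_id")

# Heuristic (this example's own): a value that itself contains " key=" usually means the
# sender joined attributes with spaces instead of tabs.
SUSPECT_MISSING_TAB = re.compile(r"\s\w+=")

# Constructed sample events (not real Cyber-Ark or Damballa output).
SAMPLE_LEEF_EVENTS = [
    "<13>Nov 27 09:12:44 vault01 LEEF:1.0|Cyber-Ark|Vault|7.2|7|"
    "act=Logon\tusr=alice\tsrc=10.0.0.5\tsev=2\tmsg=User logged on",
    "<13>Nov 27 09:13:10 failsafe01 LEEF:1.0|Damballa|Failsafe|5.0|100|"
    "src=10.0.1.20\tdst=198.51.100.7\tcat=Command and Control\tsev=8",
    # malformed: attributes separated by a space instead of a tab
    "<13>Nov 27 09:14:00 vault01 LEEF:1.0|Cyber-Ark|Vault|7.2|7|act=Logon usr=bob",
    # malformed: no LEEF header at all, so auto-discovery would never match it
    "<13>Nov 27 09:14:30 vault01 CyberArk Vault: user bob logged on",
]


class LeefFormatError(ValueError):
    """Raised when a line does not follow the LEEF layout described in the text."""


def parse_leef(line):
    """Split one syslog line into its syslog prefix, LEEF header and attribute map."""
    start = line.find("LEEF:")
    if start < 0:
        raise LeefFormatError("no LEEF header in payload")
    # Five pipe-delimited header fields, then the tab-separated attributes (LEEF 1.0
    # layout; the optional delimiter field of LEEF 2.0 is not handled here).
    parts = line[start + len("LEEF:"):].split("|", 5)
    if len(parts) != 6:
        raise LeefFormatError("header needs five pipe-delimited fields before the attributes")
    header = dict(zip(LEEF_HEADER_FIELDS, parts[:5]))
    attributes = {}
    for field in parts[5].split("\t"):
        if not field:
            continue
        key, sep, value = field.partition("=")
        if not sep or not key:
            raise LeefFormatError("attribute %r is not key=value" % field)
        if SUSPECT_MISSING_TAB.search(value):
            raise LeefFormatError("attribute %r looks like several pairs; tab delimiter missing?" % field)
        attributes[key] = value
    return {"syslog_prefix": line[:start].rstrip(), "header": header, "attributes": attributes}


def parse_leef_batch(lines):
    """Return (parsed events, [(index, reason), ...]) so malformed senders can be reported."""
    parsed, rejected = [], []
    for i, line in enumerate(lines):
        try:
            parsed.append(parse_leef(line))
        except LeefFormatError as exc:
            rejected.append((i, str(exc)))
    return parsed, rejected


if __name__ == "__main__":
    good, bad = parse_leef_batch(SAMPLE_LEEF_EVENTS)
    for event in good:
        print(event["header"]["vendor"], event["header"]["event_id"], event["attributes"])
    for index, reason in bad:
        print("line %d rejected: %s" % (index, reason))
```

Running this against a packet capture of what the appliance actually sends is a quick way to decide whether the appliance or its translator file needs attention before touching the JSA side.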
Events forwarded by Damballa Failsafe are displayed on the Log Activity tab of JSA.
Configuring a Log Source
JSA automatically discovers and creates a log source for syslog events from Damballa Failsafe devices. The following configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Damballa Failsafe.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 31-1 Syslog Parameters
Log Source Identifier - Type the IP address or host name for the log source as an identifier for events from your Damballa Failsafe devices.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.

29 DIGITAL CHINA NETWORKS (DCN)
The Digital China Networks (DCN) DCS/DCRS Series DSM for Juniper Secure Analytics (JSA) can accept events from Digital China Networks (DCN) switches using syslog.
Supported Event Types
JSA records all relevant IPv4 events forwarded from DCN switches. To integrate your device with JSA, you must configure a log source, then configure your DCS or DCRS switch to forward syslog events.
Supported Appliances
The DSM supports the following DCN DCS/DCRS Series switches:
• DCS - 3650
• DCS - 3950
• DCS - 4500
• DCRS - 5750
• DCRS - 5960
• DCRS - 5980
• DCRS - 7500
• DCRS - 9800
Configuring a Log Source
JSA does not automatically discover incoming syslog events from DCN DCS/DCRS Series switches.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select DCN DCS/DCRS Series.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following value:
Table 32-1 Syslog Parameters
Log Source Identifier - Type the IP address, hostname, or name for the log source as an identifier for your DCN DCS/DCRS Series switch. Each log source you create for your DCN DCS/DCRS Series switch should include a unique identifier, such as an IP address or hostname.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to JSA. You are now ready to configure your Digital China Networks DCS or DCRS Series switch to forward events to JSA.
Configure a DCN DCS/DCRS Series Switch
To collect events, you must configure your DCN DCS/DCRS Series switch to forward syslog events to JSA.
Procedure
Step 1 Log in to your DCN DCS/DCRS Series switch command-line interface (CLI).
Step 2 Type the following command to access the administrative mode:
enable
Step 3 Type the following command to access the global configuration mode:
config
The command-line interface displays the configuration mode prompt:
Switch(Config)#
Step 4 Type the following command to configure a log host for your switch:
logging <IP address> facility <facility> severity <severity>
Where:
<IP address> is the IP address of the JSA console.
<facility> is the syslog facility, for example, local0.
<severity> is the severity of the syslog events, for example, informational. If you specify a value of informational, you forward all information level events and above, such as notifications, warnings, errors, critical, alerts, and emergencies.
For example:
logging 10.10.10.1 facility local0 severity informational
Step 5 Type the following command to save your configuration changes:
write
The configuration is complete.
You can verify events forwarded to JSA by viewing events in the Log Activity tab.

30 ENTERASYS
This section provides information on the following DSMs:
• Enterasys Dragon
• Enterasys HiGuard Wireless IPS
• Enterasys HiPath Wireless Controller
• Enterasys Stackable and Standalone Switches
• Enterasys XSR Security Router
• Enterasys Matrix Router
• Enterasys NetSight Automatic Security Manager
• Enterasys Matrix K/N/S Series Switch
• Enterasys NAC
• Enterasys 800-Series Switch

Enterasys Dragon
The Enterasys Dragon DSM for Juniper Secure Analytics (JSA) accepts Enterasys events using either syslog or SNMPv3 to record all relevant Enterasys Dragon events.
To configure your JSA Enterasys Dragon DSM, you must:
1 Choose one of the following:
a Create an Alarm Tool policy using an SNMPv3 notification rule. See Create an Alarm Tool Policy for SNMPv3.
b Create an Alarm Tool policy using a Syslog notification rule. See Create a Policy for Syslog.
2 Configure the log source within JSA. See Configure a Log Source.
3 Configure Dragon Enterprise Management Server (EMS) to forward syslog messages. See Configure the EMS to Forward Syslog Messages.
Create an Alarm Tool Policy for SNMPv3
This procedure describes how to configure an Alarm Tool policy using an SNMPv3 notification rule. Use SNMPv3 notification rules if you need to transfer PDATA binary data elements.
To configure Enterasys Dragon with an Alarm Tool policy using an SNMPv3 notification rule:
Step 1 Log in to the Enterasys Dragon EMS.
Step 2 Click the Alarm Tool icon.
Step 3 Configure the Alarm Tool Policy:
a In the Alarm Tool Policy View > Custom Policies menu tree, right-click and select Add Alarm Tool Policy. The Add Alarm Tool Policy window is displayed.
b In the Add Alarm Tool Policy field, type a policy name. For example: JSA
c Click OK.
d In the menu tree, select the policy name you entered in Step 3b.
Step 4 To configure the event group:
a Click the Events Group tab.
b Click New. The Event Group Editor is displayed.
c Select the event group or individual events to monitor.
d Click Add. A prompt is displayed.
e Click Yes.
f In the right column of the Event Group Editor, type Dragon-Events.
g Click OK.
Step 5 Configure the SNMPv3 notification rules:
a Click the Notification Rules tab.
b Click New.
c In the name field, type JSA-Rule.
d Click OK.
e In the Notification Rules panel, select JSA-Rule.
f Click the SNMP V3 tab.
g Click New.
h Update SNMP V3 values, as required:
- Server IP Address - Type the JSA IP address. Note: Do not change the OID.
- Inform - Select the Inform check box.
- Security Name - Type the SNMPv3 username.
- Auth Password - Type the appropriate password.
- Priv Password - Type the appropriate password.
- Message - Type the following on one line:
Dragon Event: %DATE%,,%TIME%,,%NAME%,,%SENSOR%,,%PROTO%,,%SIP%,,%DIP%,,%SPORT%,,%DPORT%,,%DIR%,,%DATA%,,<<<%PDATA%>>>
Note: Verify that the security passwords and protocols match the data configured in the SNMP configuration.
i Click OK.
Step 6 Verify that the notification events are logged as separate events:
a Click the Global Options tab.
b Click the Main tab.
c Make sure that Concatenate Events is not selected.
Step 7 Configure the SNMP options:
a Click the Global Options tab.
b Click the SNMP tab.
c Type the IP address of the EMS server sending SNMP traps.
Step 8 Configure the alarm information:
a Click the Alarms tab.
b Click New.
c Type values for the following parameters:
- Name - Type JSA-Alarm.
- Type - Select Real Time.
- Event Group - Select Dragon-Events.
- Notification Rule - Select the JSA-Rule check box.
d Click OK.
e Click Commit.
Step 9 Navigate to the Enterprise View.
Step 10 Right-click on the Alarm Tool and select Associate Alarm Tool Policy.
Step 11 Select the JSA policy. Click OK.
Step 12 From the Enterprise menu, right-click and select Deploy.
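The Message template in Step 5h separates fields with a double comma and wraps the PDATA element in <<< and >>> markers, which is what lets a receiver tell the fixed fields apart from captured packet bytes. The Python below is an added example, not Enterasys or Juniper code, showing how a receiver would take that template apart; the notifications, the sensor name and the signature names are constructed, and extracting PDATA before splitting on ",," (because raw packet data can itself contain ",,") is the example's own design choice.

```python
import re

# Field order of the Message template in Step 5h, minus PDATA, which is handled separately.
DRAGON_FIELDS = ("date", "time", "name", "sensor", "proto", "sip", "dip",
                 "sport", "dport", "dir", "data")
PREFIX = "Dragon Event: "
PDATA_BLOCK = re.compile(r"<<<(.*)>>>\s*$", re.S)

# Constructed notifications (not real Dragon output); sensor and signature names are made up.
SAMPLE_NOTIFICATIONS = [
    "Dragon Event: 2014-11-27,,10:42:01,,WEB:SUSPICIOUS-URI,,sensor-dmz,,tcp,,198.51.100.23,,"
    "10.0.0.8,,51234,,80,,>,,GET /cgi-bin/test,,"
    "<<<GET /cgi-bin/test HTTP/1.1\r\nHost: www,,example\r\n\x00\x01>>>",
    "Dragon Event: 2014-11-27,,10:43:15,,SCAN:PORT-SWEEP,,sensor-dmz,,tcp,,203.0.113.9,,"
    "10.0.0.0,,0,,0,,>,,sweep detected,,<<<>>>",
    # truncated notification: no PDATA block and too few fields
    "Dragon Event: 2014-11-27,,10:44:00,,SCAN:PORT-SWEEP,,sensor-dmz",
]


def parse_dragon_event(message):
    """Return a dict of the template's fields; raise ValueError when the layout is off."""
    if not message.startswith(PREFIX):
        raise ValueError("not a Dragon Event notification")
    body = message[len(PREFIX):]
    # Take PDATA first: it is raw packet data and may itself contain ',,'.
    m = PDATA_BLOCK.search(body)
    if m is None:
        raise ValueError("missing <<<PDATA>>> block")
    pdata = m.group(1)
    fields = body[:m.start()].split(",,")
    if fields and fields[-1] == "":
        fields.pop()  # the ',,' that precedes '<<<' leaves an empty trailing field
    if len(fields) != len(DRAGON_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(DRAGON_FIELDS), len(fields)))
    event = dict(zip(DRAGON_FIELDS, fields))
    event["pdata"] = pdata
    return event


def parse_dragon_batch(messages):
    """Return (events, indexes of messages that could not be parsed)."""
    events, rejected = [], []
    for i, message in enumerate(messages):
        try:
            events.append(parse_dragon_event(message))
        except ValueError:
            rejected.append(i)
    return events, rejected


if __name__ == "__main__":
    events, rejected = parse_dragon_batch(SAMPLE_NOTIFICATIONS)
    for event in events:
        print(event["name"], event["sip"], "->", event["dip"], "pdata bytes:", len(event["pdata"]))
    print("rejected:", rejected)
```

The first sample carries non-printable bytes inside PDATA; that is the reason the guide steers PDATA to the SNMPv3 rule rather than the syslog rule, where such bytes would be mangled.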
You are now ready to configure the log source SNMP protocol in JSA.
Create a Policy for Syslog
This procedure describes how to configure an Alarm Tool policy using a syslog notification rule in the Log Event Extended Format (LEEF) message format. LEEF is the preferred message format for sending notifications to Dragon Network Defense when the notification rate is very high or when IPv6 addresses are displayed. If you prefer not to use syslog notifications in LEEF format, refer to your Enterasys Dragon documentation for more information.
Note: Use SNMPv3 notification rules if you need to transfer PDATA, which is a binary data element. Do not use a syslog notification rule.
To configure Enterasys Dragon with an Alarm Tool policy using a syslog notification rule:
Step 1 Log in to the Enterasys Dragon EMS.
Step 2 Click the Alarm Tool icon.
Step 3 Configure the Alarm Tool Policy:
a In the Alarm Tool Policy View > Custom Policies menu tree, right-click and select Add Alarm Tool Policy. The Add Alarm Tool Policy window is displayed.
b In the Add Alarm Tool Policy field, type a policy name. For example: JSA
c Click OK.
d In the menu tree, select JSA.
Step 4 To configure the event group:
a Click the Events Group tab.
b Click New. The Event Group Editor is displayed.
c Select the event group or individual events to monitor.
d Click Add. A prompt is displayed.
e Click Yes.
f In the right column of the Event Group Editor, type Dragon-Events.
g Click OK.
Step 5 Configure the Syslog notification rule:
a Click the Notification Rules tab.
b Click New.
c In the name field, type JSA-RuleSys.
d Click OK.
e In the Notification Rules panel, select the newly created JSA-RuleSys item.
f Click the Syslog tab.
g Click New. The Syslog Editor is displayed.
h Update the following values:
- Facility - Using the Facility list box, select a facility.
- Level - Using the Level list box, select notice.
- Message - Using the Type list box, select LEEF.
LEEF:Version=1.0|Vendor|Product|ProductVersion|eventID|devTime|proto|src|sensor|dst|srcPort|dstPort|direction|eventData|
Note: The LEEF message format delineates between fields using a pipe delimiter between each keyword.
i Click OK.
Step 6 Verify that the notification events are logged as separate events:
a Click the Global Options tab.
b Click the Main tab.
c Make sure that Concatenate Events is not selected.
Step 7 Configure the alarm information:
a Click the Alarms tab.
b Click New.
c Type values for the parameters:
- Name - Type JSA-Alarm.
- Type - Select Real Time.
- Event Group - Select Dragon-Events.
- Notification Rule - Select the JSA-RuleSys check box.
d Click OK.
e Click Commit.
Step 8 Navigate to the Enterprise View.
Step 9 Right-click on the Alarm Tool and select Associate Alarm Tool Policy.
Step 10 Select the newly created JSA policy. Click OK.
Step 11 In the Enterprise menu, right-click the policy and select Deploy.
You are now ready to configure a syslog log source in JSA.
Configure a Log Source
You are now ready to configure the log source in JSA:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Enterasys Dragon Network IPS.
Step 9 From the Protocol Configuration list box, select either the SNMPv3 or Syslog option. For more information on configuring a specific protocol, see the Log Sources Users Guide. For more information about your Enterasys Dragon device, see your Enterasys Dragon documentation.
Configure the EMS to Forward Syslog Messages
Note: Using the event mapping tool in the Log Activity tab, you can map a normalized or raw event to a high-level and low-level category (or QID).
However, you cannot map combination Dragon messages using the event mapping tool. For more information, see the Juniper Secure Analytics Users Guide.
Starting with Dragon Enterprise Management Server (EMS) v7.4.0 appliances, you must use syslog-ng for forwarding events to a Security and Information Manager such as JSA. Syslogd has been replaced by syslog-ng in Dragon EMS v7.4.0 and above.
To configure EMS to forward syslog messages, you must choose one of the following:
• If you are using syslog-ng and Enterasys Dragon EMS v7.4.0 and above, see Configuring syslog-ng Using Enterasys Dragon EMS v7.4.0 and above.
• If you are using syslogd and Enterasys Dragon EMS v7.4.0 and below, see Configuring syslogd Using Enterasys Dragon EMS v7.4.0 and below.
Configuring syslog-ng Using Enterasys Dragon EMS v7.4.0 and above
This section describes the steps to configure syslog-ng in non-encrypted mode and syslogd to forward syslog messages to JSA. If you are using encrypted syslog-ng, refer to your Enterasys documentation.
CAUTION: Do not run both syslog-ng and syslogd at the same time.
To configure syslog-ng in non-encrypted mode:
Step 1 On your EMS system, open the following file:
/opt/syslog-ng/etc/syslog-ng.conf
Step 2 Configure a Facility filter for the Syslog notification rule. For example, if you selected facility local1:
filter filt_facility_local1 { facility(local1); };
Step 3 Configure a Level filter for the Syslog notification rule. For example, if you selected level notice:
filter filt_level_notice { level(notice); };
Step 4 Configure a destination statement for JSA. For example, if the IP address of JSA is 10.10.1.1 and you want to use syslog port 514, type:
destination siem { tcp("10.10.1.1" port(514)); };
Step 5 Add a log statement for the notification rule:
log { source(s_local); filter(filt_facility_local1); filter(filt_level_notice); destination(siem); };
Step 6 Save the file and restart syslog-ng.
cd /etc/rc.d
./rc.syslog-ng stop
./rc.syslog-ng start
Step 7 The Enterasys Dragon EMS configuration is complete.
Configuring syslogd Using Enterasys Dragon EMS v7.4.0 and below
If your Dragon Enterprise Management Server (EMS) is using a version earlier than v7.4.0 on the appliance, you must use syslogd for forwarding events to a Security and Information Manager such as JSA.
To configure syslogd, you must:
Step 1 On the Dragon EMS system, open the following file:
/etc/syslog.conf
Step 2 Add a line to forward the facility and level you configured in the syslog notification rule to JSA. For example, to define the local1 facility and notice level:
local1.notice @<IP address>
Where:
<IP address> is the IP address of the JSA system.
Step 3 Save the file and restart syslogd.
cd /etc/rc.d
./rc.syslog stop
./rc.syslog start
The Enterasys Dragon EMS configuration is complete.

Enterasys HiGuard Wireless IPS
The Enterasys HiGuard Wireless IPS DSM for JSA records all relevant events using syslog. Before configuring the Enterasys HiGuard Wireless IPS device in JSA, you must configure your device to forward syslog events.
Configure Enterasys HiGuard
To configure the device to forward syslog events:
Step 1 Log in to the HiGuard Wireless IPS user interface.
Step 2 In the left navigation pane, click Syslog, which allows the management server to send events to designated syslog receivers. The Syslog Configuration panel is displayed.
Step 3 In the System Integration Status section, enable syslog integration. This allows the management server to send messages to the configured syslog servers. By default, the management server enables syslog. The Current Status field displays the status of the syslog server. The options are: Running or Stopped. An error status is displayed if one of the following occurs:
• One of the configured and enabled syslog servers includes a hostname that cannot be resolved.
• The management server is stopped.
• An internal error has occurred.
If this occurs, please contact Enterasys Technical Support.
Step 4 From Manage Syslog Servers, click Add. The Syslog Configuration window is displayed.
Step 5 Type values for the following parameters:
• Syslog Server (IP Address/Hostname) - Type the IP address or hostname of the syslog server to which events should be sent. Note: Configured syslog servers use the DNS names and DNS suffixes configured in the Server Initialization and Setup Wizard on the HWMH Config Shell.
• Port Number - Type the port number of the syslog server to which HWMH sends events. The default is 514.
• Message Format - Select Plain Text as the format for sending events.
• Enabled? - Select if the events are to be sent to this syslog server.
Step 6 Save your configuration.
The configuration is complete. The log source is added to JSA as HiGuard events are automatically discovered. Events forwarded to JSA by Enterasys HiGuard are displayed on the Log Activity tab of JSA.
Configure a Log Source
JSA automatically discovers and creates a log source for syslog events from Enterasys HiGuard. The following configuration steps are optional. To manually configure a log source for Enterasys HiGuard:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Enterasys HiGuard.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 33-1 Syslog Parameters
Log Source Identifier - Type the IP address or host name for the log source as an identifier for events from your Enterasys HiGuard.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.

Enterasys HiPath Wireless Controller
The Enterasys HiPath Wireless Controller DSM for JSA records all relevant events using syslog.

Supported Event Types
JSA supports the following Enterasys HiPath Wireless Controller events:
• Wireless access point events
• Application log events
• Service log events
• Audit log events

Configure Your HiPath Wireless Controller
To integrate your Enterasys HiPath Wireless Controller events with JSA, you must configure your device to forward syslog events.
To forward syslog events to JSA:
Step 1 Log in to the HiPath Wireless Assistant.
Step 2 Click Wireless Controller Configuration. The HiPath Wireless Controller Configuration window is displayed.
Step 3 From the menu, click System Maintenance.
Step 4 From the Syslog section, select the Syslog Server IP check box and type the IP address of the device receiving the syslog messages.
Step 5 Using the Wireless Controller Log Level list box, select Information.
Step 6 Using the Wireless AP Log Level list box, select Major.
Step 7 Using the Application Logs list box, select local.0.
Step 8 Using the Service Logs list box, select local.3.
Step 9 Using the Audit Logs list box, select local.6.
Step 10 Click Apply.
You are now ready to configure the log source in JSA.

Configure a Log Source
JSA automatically discovers and creates a log source for syslog events from Enterasys HiPath. The following configuration steps are optional.
To manually configure a log source for Enterasys HiPath:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Enterasys HiPath.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 33-1 Syslog Parameters
  Parameter              Description
  Log Source Identifier  Type the IP address or host name for the log source as an identifier for events from your Enterasys HiPath.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete. For more information about your Enterasys HiPath Wireless Controller device, see your vendor documentation.

Enterasys Stackable and Standalone Switches
The Enterasys Stackable and Standalone Switches DSM for JSA accepts events using syslog. JSA records all relevant events.
Before configuring an Enterasys Stackable and Standalone Switches device in JSA, you must configure your device to forward syslog events.
To configure the device to forward syslog events to JSA:
Step 1 Log in to the Enterasys Stackable and Standalone Switch device.
Step 2 Type the following command:
  set logging server [ip-addr ] [facility ] [severity ] [descr ] [port ] [state ]
Where:
• is the server table index number (1 to 8) for this server.
• is the IP address of the server to which you wish to send syslog messages. This is an optional field. If you do not define an IP address, an entry in the Syslog server table is created with the specified index number and a message is displayed indicating that no IP address has been assigned.
• is a syslog facility. Valid values are local0 to local7. This is an optional field. If not specified, the default value configured with the set logging default command is applied.
• is the server severity level at which the server logs messages. The valid range is 1 to 8. If not specified, the default value configured with the set logging default command is applied. This is an optional field.
  Valid values include:
  - 1: Emergencies (system is unusable)
  - 2: Alerts (immediate action required)
  - 3: Critical conditions
  - 4: Error conditions
  - 5: Warning conditions
  - 6: Notifications (significant conditions)
  - 7: Informational messages
  - 8: Debugging messages
• is a description of the facility/server. This is an optional field.
• is the default UDP port that the client uses to send messages to the server. If not specified, the default value configured with the set logging default command is applied. This is an optional field.
• enables or disables this facility/server configuration. This is an optional field. If state is not specified, the server is neither enabled nor disabled.
Step 3 You are now ready to configure the log source in JSA.
To configure JSA to receive events from an Enterasys Stackable and Standalone Switch device: From the Log Source Type list box, select one of the following options: Enterasys Stackable and Standalone Switches, Enterasys A-Series, Enterasys B2-Series, Enterasys B3-Series, Enterasys C2-Series, Enterasys C3-Series, Enterasys D-Series, Enterasys G-Series, or Enterasys I-Series.
For more information on configuring log sources, see the Log Sources Users Guide. For more information about your Enterasys Stackable and Standalone Switches, see your vendor documentation.

Enterasys XSR Security Router
The Enterasys XSR Security Router DSM for JSA accepts events using syslog. JSA records all relevant events.
Before configuring an Enterasys XSR Security Router in JSA, you must configure your device to forward syslog events.
To configure the device to send syslog events to JSA:
Step 1 Using Telnet or SSH, log in to the XSR Security Router command-line interface.
Step 2 Type the following commands to access config mode:
  enable
  config
Step 3 Type the following command:
  logging low
Where is the IP address of your JSA.
Step 4 Exit from config mode.
Step 5 Save the configuration:
  exit
  copy running-config startup-config
Step 6 You are now ready to configure the log sources in JSA.
To configure JSA to receive events from an Enterasys XSR Security Router: From the Log Source Type list box, select Enterasys XSR Security Routers.
For more information on configuring log sources, see the Log Sources Users Guide. For more information about your Enterasys XSR Security Router, see your vendor documentation.

Enterasys Matrix Router
The Enterasys Matrix Router DSM for JSA accepts Enterasys Matrix events using SNMPv1, SNMPv2, SNMPv3, and syslog. You can integrate Enterasys Matrix Router version 3.5 with JSA. JSA records all SNMP events and syslog login, logout, and login failed events.
Before you configure JSA to integrate with Enterasys Matrix, you must:
Step 1 Log in to the switch/router as a privileged user.
Step 2 Type the following command:
  set logging server description facility ip_addr port severity
Where:
• is the server number 1 to 8.
• is a description of the server.
• is a syslog facility, for example, local0.
• is the IP address of the server to which you wish to send syslog messages.
• is the default UDP port that the client uses to send messages to the server. Use port 514 unless otherwise stated.
• is the server severity level 1 to 9, where 1 indicates an emergency and 8 is debug level.
For example:
  set logging server 5 description ourlogserver facility local0 ip_addr 1.2.3.4 port 514 severity 8
Step 3 You are now ready to configure the log source in JSA.
To configure JSA to receive events from an Enterasys Matrix device: From the Log Source Type list box, select Enterasys Matrix E1 Switch.
For more information on configuring log sources, see the Log Sources Users Guide.

Enterasys NetSight Automatic Security Manager
The Enterasys NetSight Automatic Security Manager DSM for JSA accepts events using syslog. JSA records all relevant events.
Before configuring an Enterasys NetSight Automatic Security Manager device in JSA, you must configure your device to forward syslog events.
To configure the device to send syslog events to JSA:
Step 1 Log in to the Automatic Security Manager user interface.
Step 2 Click the Automated Security Manager icon to access the Automated Security Manager Configuration window.
Note: You can also access the Automated Security Manager Configuration window from the Tool menu.
Step 3 From the left navigation menu, select Rule Definitions.
Step 4 Choose one of the following options:
  a If a rule is currently configured, highlight the rule. Click Edit.
  b To create a new rule, click Create.
Step 5 Select the Notifications check box.
Step 6 Click Edit. The Edit Notifications window is displayed.
Step 7 Click Create. The Create Notification window is displayed.
Step 8 Using the Type list box, select Syslog.
Step 9 In the Syslog Server IP/Name field, type the IP address of the device that will receive syslog traffic.
Step 10 Click Apply.
Step 11 Click Close.
Step 12 In the Notification list box, select the notification configured above.
Step 13 Click OK.
Step 14 You are now ready to configure the log source in JSA.
To configure JSA to receive events from an Enterasys NetSight Automatic Security Manager device: From the Log Source Type list box, select Enterasys NetsightASM.
For more information on configuring log sources, see the Log Sources Users Guide. For more information about your Enterasys NetSight Automatic Security Manager device, see your vendor documentation.

Enterasys Matrix K/N/S Series Switch
The Enterasys Matrix Series DSM for JSA accepts events using syslog. JSA records all relevant Matrix K-Series, N-Series, or S-Series standalone device events.
Before you configure JSA to integrate with a Matrix K-Series, N-Series, or S-Series, you must:
Step 1 Log in to your Enterasys Matrix device command-line interface (CLI).
Step 2 Type the following commands:
  set logging server 1 ip-addr state enable
  set logging application RtrAcl level 8
  set logging application CLI level 8
  set logging application SNMP level 8
  set logging application Webview level 8
  set logging application System level 8
  set logging application RtrFe level 8
  set logging application Trace level 8
  set logging application RtrLSNat level 8
  set logging application FlowLimt level 8
  set logging application UPN level 8
  set logging application AAA level 8
  set logging application Router level 8
  set logging application AddrNtfy level 8
  set logging application OSPF level 8
  set logging application VRRP level 8
  set logging application RtrArpProc level 8
  set logging application LACP level 8
  set logging application RtrNat level 8
  set logging application RtrTwcb level 8
  set logging application HostDoS level 8
  set policy syslog extended-format enable
For more information on configuring the Matrix Series routers or switches, consult your vendor documentation.
Step 3 You are now ready to configure the log sources in JSA.
To configure JSA to receive events from an Enterasys Matrix Series device: From the Log Source Type list box, select Enterasys Matrix K/N/S Series Switch.
For information on configuring log sources, see the Log Sources Users Guide.

Enterasys NAC
The Enterasys NAC DSM for JSA accepts events using syslog. JSA records all relevant events.
For details on configuring your Enterasys NAC appliances for syslog, consult your vendor documentation. After the Enterasys NAC appliance is forwarding syslog events to JSA, the configuration is complete. The log source is added to JSA as Enterasys NAC events are automatically discovered. Events forwarded by Enterasys NAC appliances are displayed on the Log Activity tab of JSA.
Configure a log source
JSA automatically discovers and creates a log source for syslog events from Enterasys NAC. The following configuration steps are optional.
To manually configure a log source for Enterasys NAC:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Enterasys NAC.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 33-2 Syslog Parameters
  Parameter              Description
  Log Source Identifier  Type the IP address or host name for the log source as an identifier for events from your Enterasys NAC appliances.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.

Enterasys 800-Series Switch
The Enterasys 800-Series Switch DSM for JSA accepts events using syslog. JSA records all relevant audit, authentication, system, and switch events.
Before configuring your Enterasys 800-Series Switch in JSA, you must configure your switch to forward syslog events.

Configure your Enterasys 800-Series Switch
To configure the device to forward syslog events:
Step 1 Log in to your Enterasys 800-Series Switch command-line interface. You must be a system administrator or operator-level user to complete these configuration steps.
Step 2 Type the following command to enable syslog:
  enable syslog
Step 3 Type the following command to create a syslog address for forwarding events to JSA:
  create syslog host 1 severity informational facility local7 udp_port 514 state enable
Where is the IP address of your JSA console or Event Collector.
Step 4 Optional. Type the following command to forward syslog events using an IP interface address:
  create syslog source_ipif
Where:
• is the name of your IP interface.
• is the IP address of your JSA console or Event Collector.
The configuration is complete. The log source is added to JSA as Enterasys 800-Series Switch events are automatically discovered. Events forwarded to JSA by Enterasys 800-Series Switches are displayed on the Log Activity tab of JSA.

Configure a log source
JSA automatically discovers and creates a log source for syslog events from Enterasys 800-Series Switches. The following configuration steps are optional.
To manually configure a log source:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Enterasys 800-Series Switch.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 33-1 Syslog Parameters
  Parameter              Description
  Log Source Identifier  Type the IP address or host name for the log source as an identifier for events from your Enterasys 800-Series Switch.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.

31 EXTREME NETWORKS EXTREMEWARE
The Extreme Networks ExtremeWare DSM for Juniper Secure Analytics (JSA) records all relevant events from Extreme Networks ExtremeWare and Extremeware XOS devices using syslog.
To integrate JSA with an ExtremeWare device, you must configure a log source in JSA, then configure your Extreme Networks ExtremeWare and Extremeware XOS devices to forward syslog events. JSA does not automatically discover or create log sources for syslog events from ExtremeWare appliances.
Configuring a Log Source
To integrate with JSA, you must manually create a log source to receive the incoming ExtremeWare events forwarded to JSA.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Extreme Networks ExtremeWare Operating System (OS).
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 34-1 Syslog Parameters
  Parameter              Description
  Log Source Identifier  Type the IP address or host name for the log source as an identifier for events from your ExtremeWare appliance.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to JSA. Events forwarded to JSA by Extreme Networks ExtremeWare appliances are displayed on the Log Activity tab.
For information on configuring syslog forwarding for your Extremeware appliances, see your vendor documentation.

32 F5 NETWORKS
This section provides information on the following DSMs:
• F5 Networks BIG-IP AFM
• F5 Networks BIG-IP APM
• F5 Networks BIG-IP ASM
• F5 Networks BIG-IP LTM
• F5 Networks FirePass

F5 Networks BIG-IP AFM
The F5 Networks BIG-IP Advanced Firewall Manager (AFM) DSM for Juniper Secure Analytics (JSA) accepts syslog events forwarded from F5 Networks BIG-IP AFM systems in name-value pair format.

Supported Event Types
JSA is capable of collecting the following events from F5 BIG-IP appliances with Advanced Firewall Managers:
• Network events
• Network Denial of Service (DoS) events
• Protocol security events
• DNS events
• DNS Denial of Service (DoS) events

Before You Begin
Before you can configure the Advanced Firewall Manager, you must verify that your BIG-IP appliance is licensed and provisioned to include Advanced Firewall Manager.
Procedure
Step 1 Log in to your BIG-IP appliance Management Interface.
Step 2 From the navigation menu, select System > License.
Step 3 In the License Status column, verify that the Advanced Firewall Manager is licensed and enabled.
Step 4 To enable the Advanced Firewall Manager, select System > Resource Provisioning.
Step 5 From the Provisioning column, select the check box and select Nominal from the list box.
Step 6 Click Submit to save your changes.

Configure a Logging Pool
A logging pool allows you to define a pool of servers that receive syslog events. The pool contains the IP address, port, and a node name that you provide.
Procedure
Step 1 From the navigation menu, select Local Traffic > Pools.
Step 2 Click Create.
Step 3 In the Name field, type a name for the logging pool. For example, Logging_Pool.
Step 4 From the Health Monitor field, in the Available list, select TCP and click <<. This moves the TCP option from the Available list to the Selected list.
Step 5 In the Resource pane, from the Node Name list box, select Logging_Node or the name you defined in Step 3.
Step 6 In the Address field, type the IP address for the JSA console or Event Collector.
Step 7 In the Service Port field, type 514.
Step 8 Click Add.
Step 9 Click Finish.

Creating a High-Speed Log Destination
The process to configure logging for BIG-IP AFM requires that you create a high-speed logging destination.
Procedure
Step 1 From the navigation menu, select System > Logs > Configuration > Log Destinations.
Step 2 Click Create.
Step 3 In the Name field, type a name for the destination. For example, Logging_HSL_dest.
Step 4 In the Description field, type a description.
Step 5 From the Type list box, select Remote High-Speed Log.
Step 6 From the Pool Name list box, select a logging pool from the list of remote log servers. For example, Logging_Pool.
Step 7 From the Protocol list box, select TCP.
Step 8 Click Finish.

Creating a Formatted Log Destination
The formatted log destination allows you to specify any special formatting required on the events forwarded to the high-speed logging destination.
Procedure
Step 1 From the navigation menu, select System > Logs > Configuration > Log Destinations.
Step 2 Click Create.
Step 3 In the Name field, type a name for the logging format destination. For example, Logging_Format_dest.
Step 4 In the Description field, type a description.
Step 5 From the Type list box, select Remote Syslog.
Step 6 From the Syslog Format list box, select Syslog.
Step 7 From the High-Speed Log Destination list box, select your high-speed logging destination. For example, Logging_HSL_dest.
Step 8 Click Finished.

Creating a Log Publisher
Creating a publisher allows the BIG-IP appliance to publish the formatted log message to the local syslog database.
Procedure
Step 1 From the navigation menu, select System > Logs > Configuration > Log Publishers.
Step 2 Click Create.
Step 3 In the Name field, type a name for the publisher. For example, Logging_Pub.
Step 4 In the Description field, type a description.
Step 5 From the Destinations field, in the Available list, select the log destination name you created in Step 3 and click << to add items to the Selected list. This moves your logging format destination from the Available list to the Selected list. To include local logging in your publisher configuration, you can add local-db and local-syslog to the Selected list.
Creating a Logging Profile
Logging profiles allow you to configure the types of events that your Advanced Firewall Manager produces and associate your events with the logging destination.
Procedure
Step 1 From the navigation menu, select Security > Event Logs > Logging Profile.
Step 2 Click Create.
Step 3 In the Name field, type a name for the log profile. For example, Logging_Profile.
Step 4 In the Network Firewall field, select the Enabled check box.
Step 5 From the Publisher list box, select the log publisher you configured. For example, Logging_Pub.
Step 6 In the Log Rule Matches field, select the Accept, Drop, and Reject check boxes.
Step 7 In the Log IP Errors field, select the Enabled check box.
Step 8 In the Log TCP Errors field, select the Enabled check box.
Step 9 In the Log TCP Events field, select the Enabled check box.
Step 10 In the Storage Format field, from the list box, select Field-List.
Step 11 In the Delimiter field, type , (comma) as the delimiter for events.
Step 12 In the Storage Format field, select all of the options in the Available Items list and click <<. This moves all the Field-List options from the Available list to the Selected list.
Step 13 In the IP Intelligence pane, from the Publisher list box, select the log publisher you configured. For example, Logging_Pub.
Step 14 Click Finished.

Associate the Profile to a Virtual Server
The log profile you created must be associated with a virtual server in the Security Policy tab. This allows the virtual server to process your network firewall events, along with local traffic.
Procedure
Step 1 From the navigation menu, select Local Traffic > Virtual Servers.
Step 2 Click the name of a virtual server to modify.
Step 3 From the Security tab, select Policies.
Step 4 From the Log Profile list box, select Enabled.
Step 5 From the Profile field, in the Available list, select Logging_Profile or the name you specified in Step 3 and click <<. This moves the Logging_Profile option from the Available list to the Selected list.
Step 6 Click Update to save your changes.
The configuration is complete. The log source is added to JSA as F5 Networks BIG-IP AFM syslog events are automatically discovered. Events forwarded to JSA by F5 Networks BIG-IP AFM are displayed on the Log Activity tab of JSA.

Configuring a Log Source
JSA automatically discovers and creates a log source for syslog events from F5 Networks BIG-IP AFM. However, you can manually create a log source for JSA to receive syslog events. The following configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select F5 Networks BIG-IP AFM.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 35-2 Syslog Protocol Parameters
  Parameter              Description
  Log Source Identifier  Type the IP address or host name for the log source as an identifier for events from your F5 BIG-IP AFM appliance.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.

F5 Networks BIG-IP APM
The F5 Networks BIG-IP Access Policy Manager (APM) DSM for JSA collects access and authentication security events from a BIG-IP APM device using syslog.
Configure Remote Syslog
To configure your BIG-IP LTM device to forward syslog events to a remote syslog source, choose your BIG-IP APM software version:
• Configure Remote Syslog for F5 BIG-IP APM 11.x
• Configure Remote Syslog for F5 BIG-IP APM 10.x

Configure Remote Syslog for F5 BIG-IP APM 11.x
To configure syslog for F5 BIG-IP APM 11.x:
Step 1 Log in to the command-line of your F5 BIG-IP device.
Step 2 Type the following command to add a single remote syslog server:
  tmsh syslog remote server { {host }}
Where:
• is the name of the F5 BIG-IP APM syslog source.
• is the IP address of the JSA console.
For example,
  bigpipe syslog remote server {BIGIP_APM {host 10.100.100.101}}
Step 3 Type the following to save the configuration changes:
  tmsh save sys config partitions all
The configuration is complete. The log source is added to JSA as F5 Networks BIG-IP APM events are automatically discovered. Events forwarded to JSA by F5 Networks BIG-IP APM are displayed on the Log Activity tab in JSA.

Configure Remote Syslog for F5 BIG-IP APM 10.x
To configure syslog for F5 BIG-IP APM 10.x:
Step 1 Log in to the command-line of your F5 BIG-IP device.
Step 2 Type the following command to add a single remote syslog server:
  bigpipe syslog remote server { {host }}
Where:
• is the name of the F5 BIG-IP APM syslog source.
• is the IP address of the JSA console.
For example,
  bigpipe syslog remote server {BIGIP_APM {host 10.100.100.101}}
Step 3 Type the following to save the configuration changes:
  bigpipe save
The configuration is complete. The log source is added to JSA as F5 Networks BIG-IP APM events are automatically discovered. Events forwarded to JSA by F5 Networks BIG-IP APM are displayed on the Log Activity tab.

Configuring a Log Source
JSA automatically discovers and creates a log source for syslog events from F5 Networks BIG-IP APM appliances. These configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select F5 Networks BIG-IP APM.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 35-1 Syslog Protocol Parameters
  Parameter              Description
  Log Source Identifier  Type the IP address or host name for the log source as an identifier for events from your F5 Networks BIG-IP APM appliance.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.

F5 Networks BIG-IP ASM
The F5 Networks BIG-IP Application Security Manager (ASM) DSM for JSA collects web application security events from BIG-IP ASM appliances using syslog.

Configure F5 Networks BIG-IP ASM
To forward syslog events from an F5 Networks BIG-IP ASM appliance to JSA, you must configure a logging profile. A logging profile allows you to configure remote storage for syslog events, which can be forwarded directly to JSA.
Procedure
Step 1 Log in to the F5 Networks BIG-IP ASM appliance user interface.
Step 2 On the navigation pane, select Application Security > Options.
Step 3 Click Logging Profiles.
Step 4 Click Create.
Step 5 From the Configuration list box, select Advanced.
Step 6 Configure the following parameters:
  a Type a Profile Name. For example, type JSA. Optional. Type a Profile Description.
  b Note: If you do not want data logged locally as well as remotely, you must clear the Local Storage check box.
  c Select the Remote Storage check box.
  d From the Type list box, select Reporting Server.
  e From the Protocol list box, select TCP.
  f Configure the Server Addresses fields:
    - IP address - Type the IP address of the JSA console.
    - Port - Type a port value of 514.
  g Select the Guarantee Logging check box.
    Note: Enabling the Guarantee Logging option ensures that system log requests continue for the web application when the logging utility is competing for system resources. Enabling the Guarantee Logging option can slow access to the associated web application.
  h Select the Report Detected Anomalies check box to allow the system to log details.
  i Click Create.
The display refreshes with the new logging profile. The log source is added to JSA as F5 Networks BIG-IP ASM events are automatically discovered. Events forwarded by F5 Networks BIG-IP ASM are displayed on the Log Activity tab of JSA.

Configuring a Log Source
JSA automatically discovers and creates a log source for syslog events from F5 Networks BIG-IP ASM appliances. These configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select F5 Networks BIG-IP ASM.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 35-2 Syslog Protocol Parameters
  Parameter              Description
  Log Source Identifier  Type the IP address or host name for the log source as an identifier for events from your F5 Networks BIG-IP ASM appliance.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.

F5 Networks BIG-IP LTM
The F5 Networks BIG-IP Local Traffic Manager (LTM) DSM for JSA collects network security events from a BIG-IP device using syslog.
Before receiving events in JSA, you must configure a log source for JSA, then configure your BIG-IP LTM device to forward syslog events.
We recommend that you create your log source before forwarding events, because JSA does not automatically discover or create log sources for syslog events from F5 BIG-IP LTM appliances.

Configuring a Log Source
To integrate F5 BIG-IP LTM with JSA, you must manually create a log source to receive syslog events.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select F5 Networks BIG-IP LTM.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 35-3 Syslog Protocol Parameters
  Parameter              Description
  Log Source Identifier  Type the IP address or host name for the log source as an identifier for events from your BIG-IP LTM appliance.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
You are now ready to configure your BIG-IP LTM appliance to forward syslog events to JSA.

Configuring Syslog Forwarding in BIG-IP LTM
To configure your BIG-IP LTM device to forward syslog events, select your BIG-IP LTM software version:
• Configuring Remote Syslog for F5 BIG-IP LTM 11.x
• Configuring Remote Syslog for F5 BIG-IP LTM 10.x
• Configuring Remote Syslog for F5 BIG-IP LTM 9.4.2 to 9.4.8

Configuring Remote Syslog for F5 BIG-IP LTM 11.x
To configure syslog for F5 BIG-IP LTM 11.x:
Step 1 Log in to the command-line of your F5 BIG-IP device.
Step 2 Type the following command to add a single remote syslog server:
  tmsh syslog remote server { {host }}
Where:
• is a name you assign to identify the syslog source, for example, BIGIPsyslog or JSA.
• is the IP address of JSA.
For example:
tmsh syslog remote server {BIGIPsyslog {host 10.100.100.100}}
Step 3 Save the configuration changes:
tmsh save sys config partitions all
The configuration is complete. Events forwarded from your F5 Networks BIG-IP LTM appliance are displayed on the Log Activity tab in JSA.

Configuring Remote Syslog for F5 BIG-IP LTM 10.x
To configure syslog for F5 BIG-IP LTM 10.x:
Step 1 Log in to the command line of your F5 BIG-IP device.
Step 2 Type the following command to add a single remote syslog server:
bigpipe syslog remote server {<Name> {host <IP address>}}
Where:
<Name> is the name of the F5 BIG-IP LTM syslog source.
<IP address> is the IP address of JSA.
For example:
bigpipe syslog remote server {BIGIPsyslog {host 10.100.100.100}}
Step 3 Save the configuration changes:
bigpipe save
Note: F5 Networks modified the syslog output format in BIG-IP v10.x to include local/ before the hostname in the syslog header. The syslog header format containing local/ is not supported in JSA, but a workaround is available to correct the syslog header. For more information, see http://www.juniper.net/customers/support/.
The configuration is complete. Events forwarded from your F5 Networks BIG-IP LTM appliance are displayed on the Log Activity tab in JSA.

Configuring Remote Syslog for F5 BIG-IP LTM 9.4.2 to 9.4.8
To configure syslog for F5 BIG-IP LTM 9.4.2 to 9.4.8:
Step 1 Log in to the command line of your F5 BIG-IP device.
Step 2 Type the following command to add a single remote syslog server:
bigpipe syslog remote server <IP address>
Where <IP address> is the IP address of JSA.
For example:
bigpipe syslog remote server 10.100.100.100
Step 3 Type the following to save the configuration changes:
bigpipe save
The configuration is complete. Events forwarded from your F5 Networks BIG-IP LTM appliance are displayed on the Log Activity tab in JSA.

F5 Networks FirePass
The F5 Networks FirePass DSM for JSA collects system events from an F5 FirePass SSL VPN device using syslog.
By default, remote logging is disabled and must be enabled on the F5 Networks FirePass device. Before receiving events in JSA, you must configure your F5 Networks FirePass device to forward system events to JSA as a remote syslog server.

Configuring Syslog Forwarding for F5 FirePass
To forward syslog events from an F5 Networks BIG-IP FirePass SSL VPN appliance to JSA, you must enable and configure a remote log server. The remote log server can forward events directly to your JSA console or to any Event Collectors in your deployment.
Procedure
Step 1 Log in to the F5 Networks FirePass Admin console.
Step 2 On the navigation pane, select Device Management > Maintenance > Logs.
Step 3 From the System Logs menu, select the Enable Remote Log Server check box.
Step 4 From the System Logs menu, clear the Enable Extended System Logs check box.
Step 5 In the Remote host parameter, type the IP address or hostname of your JSA.
Step 6 From the Log Level list box, select Information.
The Log Level parameter monitors application-level system messages.
Step 7 From the Kernel Log Level list box, select Information.
The Kernel Log Level parameter monitors Linux kernel system messages.
Step 8 Click Apply System Log Changes.
The changes are applied and the configuration is complete.
The log source is added to JSA as F5 Networks FirePass events are automatically discovered. Events forwarded to JSA by F5 Networks BIG-IP ASM are displayed on the Log Activity tab in JSA.

Configuring a Log Source
JSA automatically discovers and creates a log source for syslog events from F5 Networks FirePass appliances. These configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select F5 Networks FirePass.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 35-4 Syslog Protocol Parameters
Parameter | Description
Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your F5 Networks FirePass appliance.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.

33 FAIR WARNING
The Fair Warning DSM for Juniper Secure Analytics (JSA) retrieves event files from a remote source using the log file protocol. JSA records event categories from the Fair Warning log files about user activity related to patient privacy and security threats to medical records.
Before you can retrieve log files from Fair Warning, you must verify that your device is configured to generate an event log. Instructions for generating the event log can be found in your Fair Warning documentation. When configuring the log file protocol, make sure the hostname or IP address configured in the Fair Warning system is the same as that configured in the Remote Host parameter of the Log File Protocol configuration.

Configuring a Log Source
You can configure JSA to download an event log from a Fair Warning device.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Fair Warning.
Step 9 Select the Log File option from the Protocol Configuration list box.
Step 10 In the FTP File Pattern field, type a regular expression that matches the log files generated by the Fair Warning system.
Step 11 In the Remote Directory field, type the path to the directory containing logs from your Fair Warning device.
Step 12 From the Event Generator list box, select Fair Warning.
Step 13 Click Save.
Step 14 On the Admin tab, click Deploy Changes.
The configuration is complete. For more information on the full parameters for the Log File protocol, see the Log Sources Users Guide. For more information on configuring Fair Warning, consult your vendor documentation.

34 FIDELIS XPS
The Fidelis XPS DSM for Juniper Secure Analytics (JSA) accepts events forwarded in Log Enhanced Event Protocol (LEEF) from Fidelis XPS appliances using syslog.
Supported Event Types
JSA is capable of collecting all relevant alerts triggered by policy and rule violations configured on your Fidelis XPS appliance.
Event Type Format
Fidelis XPS must be configured to generate events in Log Enhanced Event Protocol (LEEF) and forward these events using syslog. The LEEF format consists of a pipe ( | ) delimited syslog header and tab-separated fields in the event payload. If the syslog events forwarded from your Fidelis XPS are not formatted as described above, you must examine your device configuration or software version to ensure that your appliance supports LEEF. Properly formatted LEEF event messages are automatically discovered and added as a log source to JSA.
Configuring Fidelis XPS
You can configure syslog forwarding of alerts from your Fidelis XPS appliance.
Procedure
Step 1 Log in to CommandPost to manage your Fidelis XPS appliance.
Step 2 From the navigation menu, select System > Export.
A list of available exports is displayed. If this is the first time you have used the export function, the list is empty.
Step 3 Select one of the following options:
• Click New to create a new export for your Fidelis XPS appliance.
• Click Edit next to an export name to edit an existing export on your Fidelis XPS appliance.
The Export Editor is displayed.
Step 4 From the Export Method list box, select Syslog LEEF.
Step 5 In the Destination field, type the IP address or host name for JSA.
For example, 10.10.10.100:::514
This field does not support non-ASCII characters.
Step 6 From Export Alerts, select one of the following options:
• All alerts - Select this option to export all alerts to JSA. This option is resource intensive and it can take time to export all alerts.
• Alerts by Criteria - Select this option to export specific alerts to JSA. This option displays a new field that allows you to define your alert criteria.
Step 7 From Export Malware Events, select None.
Step 8 From Export Frequency, select Every Alert / Malware.
Step 9 In the Save As field, type a name for your export.
Step 10 Click Save.
Step 11 Optional. To verify that events are forwarded to JSA, you can click Run Now.
Run Now is intended as a test tool to verify that alerts selected by criteria are exported from your Fidelis appliance. This option is not available if you selected to export all events in Step 6.
The configuration is complete. The log source is added to JSA as Fidelis XPS syslog events are automatically discovered. Events forwarded to JSA by Fidelis XPS are displayed on the Log Activity tab of JSA.

Configuring a Log Source
JSA automatically discovers and creates a log source for syslog events from Fidelis XPS. However, you can manually create a log source for JSA to receive syslog events. The following configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Fidelis XPS.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 37-5 Syslog Parameters
Parameter | Description
Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your Fidelis XPS appliance.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.

35 FIREEYE
The FireEye DSM for Juniper Secure Analytics (JSA) accepts rsyslog events in Log Event Extended Format (LEEF).
Supported Event Types
This DSM applies to FireEye MPS, eMPS and MA appliances. JSA records all relevant notification alerts sent by FireEye appliances.
Configuring a Log Source
To integrate FireEye events with JSA, you must manually create a log source, because JSA does not automatically discover or create log sources for syslog events from FireEye appliances.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select FireEye.
Step 9 Using the Protocol Configuration list box, select Syslog.
The syslog protocol configuration is displayed.
Step 10 Configure the following values:
Table 38-1 Syslog protocol parameters
Parameter | Description
Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your FireEye appliance.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to JSA.

Configuring FireEye to Forward Syslog Events
You are now ready to configure your FireEye appliance to forward syslog events.
Procedure
Step 1 Log in to the FireEye appliance using the CLI.
Step 2 Type the following commands to enter configuration mode:
enable
configure terminal
Step 3 Enable rsyslog notifications:
fenotify rsyslog enable
Step 4 Add JSA as an rsyslog notification consumer:
fenotify rsyslog trap-sink JSA
Step 5 Type the IP address for the JSA system receiving rsyslog trap-sink notifications:
fenotify rsyslog trap-sink JSA address <IP address>
Where <IP address> is the IP address of the JSA system.
Step 6 Type the following command to define the rsyslog event format:
fenotify rsyslog trap-sink JSA prefer message format leef
Step 7 Save the configuration changes to the FireEye appliance:
write memory
The configuration is complete. Events forwarded by FireEye are displayed on the Log Activity tab.

36 FORESCOUT COUNTERACT
The ForeScout CounterACT DSM for Juniper Secure Analytics (JSA) accepts Log Extended Event Format (LEEF) events from CounterACT using syslog.
Supported Event Types
JSA records the following ForeScout CounterACT events:
• Denial of Service (DoS)
• Authentication
• Exploit
• Suspicious
• System
Configuring a Log Source
To integrate ForeScout CounterACT with JSA, you must manually create a log source to receive policy-based syslog events. JSA does not automatically discover or create log sources for syslog events from ForeScout CounterACT appliances.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select ForeScout CounterACT.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 39-1 Syslog protocol parameters
Parameter | Description
Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your ForeScout CounterACT appliance.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to JSA.

Configure ForeScout CounterACT
Before configuring JSA, you must install a plug-in for your ForeScout CounterACT appliance and configure ForeScout CounterACT to forward syslog events to JSA.
Configure the ForeScout CounterACT Plug-in
To integrate JSA with ForeScout CounterACT, you must download, install and configure a plug-in for CounterACT. The plug-in extends ForeScout CounterACT and provides the framework for forwarding LEEF events to JSA.
Procedure
Step 1 From the ForeScout website, download the plug-in for ForeScout CounterACT.
Step 2 Log in to your ForeScout CounterACT appliance.
Step 3 From the CounterACT console toolbar, select Options > Plugins > Install and select the location of the plug-in file.
The plug-in is installed and displayed in the Plugins pane.
Step 4 From the Plugins pane, select the JSA plug-in and click Configure.
The Add JSA wizard is displayed.
Step 5 In the Server Address field, type the IP address of JSA.
Step 6 From the Port list box, select 514.
Step 7 Click Next.
Step 8 From the Assigned CounterACT devices pane, choose one of the following options:
• Default Server - Select this option to make all devices on this ForeScout CounterACT forward events to JSA.
• Assign CounterACT devices - Select this option to assign which individual devices running on ForeScout CounterACT forward events to JSA. The Assign CounterACT devices option is only available if you have one or more ForeScout CounterACT servers.
Step 9 Click Finish.
The plug-in configuration is complete.
You are now ready to define the events forwarded to JSA by ForeScout CounterACT policies.

Configuring ForeScout CounterACT Policies
ForeScout CounterACT policies test conditions to trigger management and remediation actions on the appliance. The plug-in provides an additional action for policies to forward the event to JSA using syslog. To forward events to JSA, you must define a CounterACT policy that includes the JSA update action. The policy condition must be met at least once to initiate an event to JSA. You must configure each policy to send updates to JSA for the events you want to record.
Procedure
Step 1 Select a policy for ForeScout CounterACT.
Step 2 From the Actions tree, select Audit > Send Updates to JSA Server.
Step 3 From the Contents tab, configure the following values:
a Select the Send host property results check box.
b Choose one of the following types of events to forward for the policy:
- Send All - Select this option to include all properties discovered for the policy to JSA.
- Send Specific - Select this option to select and send only specific properties for the policy to JSA.
c Select the Send policy status check box.
Step 4 From the Trigger tab, select the interval ForeScout CounterACT uses for forwarding the event to JSA:
• Send when the action starts - Select this check box to send a single event to JSA when the conditions of your policy are met.
• Send when information is updated - Select this check box to send a report when there is a change in the host properties specified in the Contents tab.
• Send periodically every - Select this check box to send a recurring event to JSA on an interval if the policy conditions are met.
Step 5 Click OK to save the policy changes.
Step 6 Repeat this process to configure any additional policies with an action to send updates to JSA, if required.
The configuration is complete. Events forwarded by ForeScout CounterACT are displayed on the Log Activity tab of JSA.
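The LEEF layout described for Fidelis XPS (a pipe-delimited header, tab-separated payload fields), which the FireEye and ForeScout CounterACT DSMs above also rely on, as an added Python example that is not part of the guide or of any of those vendors' tooling: it splits the header from the payload, handles the LEEF 2.0 variant where the header names its own delimiter, and separates well-formed events from lines that are not LEEF, which is the check the guide tells you to make when events do not arrive as expected. The sample lines, vendor and product names are constructed.

```python
"""Parse LEEF-over-syslog lines: a pipe-delimited LEEF header followed by an
attribute payload that is tab separated (LEEF 1.0) or uses a header-named
delimiter (LEEF 2.0)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Optional syslog prefix ahead of the LEEF header: <PRI>, timestamp, host.
_SYSLOG_PREFIX = re.compile(
    r"^(?:<\d{1,3}>)?"
    r"(?:[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} )?"
    r"(?:(?P<host>[^\s|]+) )?LEEF:"
)
_HEX_DELIM = re.compile(r"^(?:0?x)([0-9a-fA-F]{1,4})$")


@dataclass
class LeefEvent:
    leef_version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attributes: Dict[str, str] = field(default_factory=dict)
    syslog_host: Optional[str] = None


def _payload_delimiter(leef_version: str, spec: str) -> str:
    """LEEF 1.0 is always tab separated; LEEF 2.0 names its delimiter in the
    header, either literally ("^") or as a hex code ("x09" or "0x09")."""
    if leef_version != "2.0" or spec == "":
        return "\t"
    m = _HEX_DELIM.match(spec)
    return chr(int(m.group(1), 16)) if m else spec


def parse_leef(line: str) -> LeefEvent:
    """Parse one syslog line carrying a LEEF event; raise ValueError otherwise."""
    text = line.rstrip("\r\n")
    m = _SYSLOG_PREFIX.match(text)
    if not m:
        raise ValueError("no LEEF header found: %r" % text[:60])
    body = text[m.end():]
    # Header fields: Version|Vendor|Product|ProductVersion|EventID|
    parts = body.split("|", 5)
    if len(parts) < 6:
        raise ValueError("incomplete LEEF header: %r" % body[:60])
    version, vendor, product, pver, event_id, rest = parts
    delim_spec = ""
    if version == "2.0":
        # LEEF 2.0 adds a sixth header field naming the payload delimiter.
        delim_spec, _, rest = rest.partition("|")
    attributes: Dict[str, str] = {}
    for fld in rest.split(_payload_delimiter(version, delim_spec)):
        key, sep, value = fld.partition("=")  # values may themselves contain "="
        if sep:
            attributes[key.strip()] = value
    return LeefEvent(version, vendor, product, pver, event_id, attributes,
                     syslog_host=m.group("host"))


def parse_feed(lines: List[str]) -> Tuple[List[LeefEvent], List[str]]:
    """Split a feed into parsed LEEF events and rejected non-LEEF lines; a
    non-empty reject list means the sender's export format needs checking."""
    events, rejected = [], []
    for ln in lines:
        try:
            events.append(parse_leef(ln))
        except ValueError:
            rejected.append(ln)
    return events, rejected


# Constructed sample lines: vendor, product and host names are placeholders,
# not real Fidelis XPS, FireEye or ForeScout CounterACT output.
SAMPLE_LEEF10 = (
    "<13>Nov 27 10:15:42 sensor-01 "
    "LEEF:1.0|ExampleVendor|ExampleSensor|1.0|PolicyAlert|"
    "src=10.1.2.3\tdst=192.0.2.10\tsrcPort=51523\tdstPort=443\t"
    "proto=tcp\tsev=7\tmsg=rule hit: action=block"
)
SAMPLE_LEEF20 = (
    "<13>Nov 27 10:15:43 sensor-02 "
    "LEEF:2.0|ExampleVendor|ExampleNAC|8.1|HostUpdate|x5e|"
    "src=10.1.2.4^policy=Compliance^status=fail"
)
SAMPLE_NOT_LEEF = "<13>Nov 27 10:15:44 sensor-03 plain text alert without a LEEF header"
```

Running parse_feed over the three samples yields two parsed events and one rejected line; the rejected line is the case in which the guide says to examine the appliance's export configuration or software version.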
37 FORTINET FORTIGATE
The Fortinet FortiGate DSM for Juniper Secure Analytics (JSA) records all relevant FortiGate IPS/Firewall events using syslog. Table 40-1 identifies the specifications for the Fortinet FortiGate DSM.
Table 40-1 Fortinet FortiGate DSM Specifications
Specification | Value
Manufacturer | Fortinet
DSM | Fortinet FortiGate
RPM file name | DSM-FortinetFortiGate-7.x-xxxxxx.noarch.rpm
Supported version | FortiOS v2.5 and later
Protocol | Syslog
JSA recorded events | All relevant events
Auto discovered | Yes
Includes identity | Yes
For more information | http://www.fortinet.com

Fortinet FortiGate DSM Integration Process
To integrate the Fortinet FortiGate DSM with JSA, use the following procedures:
1 Download and install the most recent Fortinet FortiGate RPM on your JSA console. If automatic updates are enabled, this procedure is not required. RPMs need to be installed only once.
2 Optional. Install the Syslog Redirect protocol RPM to collect events through FortiAnalyzer. When you use the Syslog Redirect protocol, JSA can identify the specific FortiGate firewall that sent the event. You can use the procedure for manually installing a DSM to install a protocol.
3 Configure your Fortinet FortiGate system to enable communication with JSA. This procedure must be performed for each instance of Fortinet FortiGate. For more information on configuring a Fortinet FortiGate device, see your vendor documentation.
4 For each Fortinet FortiGate server you want to integrate, create a log source on the JSA console. If JSA automatically discovers the DSM, this step is not required.
Related tasks
• Manually Installing a DSM
• Configuring a Fortinet FortiGate Log Source

Configuring a Fortinet FortiGate Log Source
JSA automatically discovers and creates a log source for syslog events from Fortinet FortiGate. The following configuration steps are optional.
Procedure
To configure a Fortinet FortiGate log source:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list, select Fortinet FortiGate Security Gateway.
Step 9 Using the Protocol Configuration list, select one of the following options:
• Select Syslog.
• To configure JSA to receive FortiAnalyzer events, select Syslog Redirect.
Step 10 Configure the following values:
Table 40-1 Syslog Parameters
Parameter | Description
Log Source Identifier RegEx | devname=([\w-]+)
Listen Port | 517
Protocol | UDP
Step 11 Configure the remaining parameters.
Step 12 Click Save.
On the Admin tab, click Deploy Changes.

38 FOUNDRY FASTIRON
You can integrate a Foundry FastIron device with Juniper Secure Analytics (JSA) to collect all relevant events using syslog.
Configure Syslog for Foundry FastIron
To integrate JSA with a Foundry FastIron RX device, you must configure the appliance to forward syslog events.
Procedure
Step 1 Log in to the Foundry FastIron device command-line interface (CLI).
Step 2 Type the following command to enable logging:
logging on
Local syslog is now enabled with the following defaults:
• Messages of all syslog levels (Emergencies - Debugging) are logged.
• Up to 50 messages are retained in the local syslog buffer.
• No syslog server is specified.
Step 3 Type the following command to define an IP address for the syslog server:
logging host <IP address>
Where <IP address> is the IP address of your JSA.
You are now ready to configure the log source in JSA.
Configuring a Log Source
JSA automatically discovers and creates a log source for syslog events from Foundry FastIron. The following configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Foundry FastIron.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 41-1 Syslog protocol parameters
Parameter | Description
Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your Foundry FastIron appliance.
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.

39 GENERIC FIREWALL
The generic firewall server DSM for Juniper Secure Analytics (JSA) accepts events using syslog. JSA records all relevant events.
Configuring Event Properties
To configure JSA to interpret the incoming generic firewall events:
Step 1 Forward all firewall logs to your JSA. For information on forwarding firewall logs from your generic firewall to JSA, see your firewall vendor documentation.
Step 2 Open the following file:
/opt/qradar/conf/genericFirewall.conf
Make sure you copy this file to the systems hosting the Event Collector and the JSA console.
Step 3 Restart the Tomcat server:
service tomcat restart
A message is displayed indicating that the Tomcat server has restarted.
Step 4 Enable or disable regular expressions in your patterns by setting the regex_enabled property accordingly. By default, regular expressions are disabled. For example:
regex_enabled=false
When you set the regex_enabled property to false, the system generates regular expressions based on the tags you entered while attempting to retrieve the corresponding data values from the logs. When you set the regex_enabled property to true, you can define custom regex to control patterns.
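As an added Python illustration that is not code from the guide or from JSA, the following applies accept_pattern and deny_pattern values from a constructed genericFirewall.conf fragment to the log lines the guide uses as its examples, in both regex_enabled modes, and flags the regex constructs (\d, {n,m}) that the guide asks you to rewrite for custom patterns. The conf keys are the guide's; how JSA builds its generated expressions is not published there, so treating a literal tag as an escaped, case-insensitive search is an assumption.

```python
"""Apply genericFirewall.conf-style accept/deny patterns to firewall log lines
in both modes described above: regex_enabled=false (the pattern is a literal
tag) and regex_enabled=true (a custom regex whose first captured group is
returned)."""
import re
from typing import Dict, Optional

# Constructs the guide says to rewrite in custom patterns: predefined classes
# such as \d or \w, and numeric quantifiers such as {3} or {1,3}.
_DISALLOWED = re.compile(r"\\[dDwWsS]|\{\d+(?:,\d*)?\}")


def load_conf(text: str) -> Dict[str, str]:
    """Read key=value lines; blank lines and '#' comment lines are ignored."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def check_pattern_style(pattern: str) -> Optional[str]:
    """Return the first construct the guide asks you to rewrite, or None."""
    m = _DISALLOWED.search(pattern)
    return m.group(0) if m else None


def apply_pattern(pattern: str, line: str, regex_enabled: bool) -> Optional[str]:
    """Literal mode (assumed behaviour): escape the tag and search for it
    case-insensitively, returning the matched text. Regex mode: apply the
    pattern as written and return its first captured group, or the whole
    match if the pattern has no group."""
    if not regex_enabled:
        m = re.search(re.escape(pattern), line, re.IGNORECASE)
        return m.group(0) if m else None
    m = re.search(pattern, line)
    if not m:
        return None
    return m.group(1) if m.groups() else m.group(0)


def classify(conf: Dict[str, str], line: str) -> Optional[str]:
    """Return 'accept', 'deny' or None for one log line."""
    regex_enabled = conf.get("regex_enabled", "false").lower() == "true"
    for verdict, key in (("accept", "accept_pattern"), ("deny", "deny_pattern")):
        pattern = conf.get(key)
        if pattern and apply_pattern(pattern, line, regex_enabled) is not None:
            return verdict
    return None


# Constructed conf fragment in the guide's key=value form, literal mode.
CONF_LITERAL = """
regex_enabled=false
accept_pattern=Packet accepted
deny_pattern=Packet denied
"""
# The same decisions as custom regex, in the restricted style the guide
# requires: [0-9] rather than \d, + rather than a numeric quantifier.
CONF_REGEX = r"""
regex_enabled=true
accept_pattern=(Packet accepted)\. Source IP: [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
deny_pattern=(Packet denied)\. Source IP: [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
"""
# Log lines in the layout the guide uses for its examples, plus one that
# matches neither pattern.
LOG_LINES = [
    "Aug. 5, 2005 08:30:00 Packet accepted. Source IP: 192.168.1.1 Source Port: 80 "
    "Destination IP: 192.168.1.2 Destination Port: 80 Protocol: tcp",
    "Aug. 5, 2005 08:30:00 Packet denied. Source IP: 192.168.1.1 Source Port: 21 "
    "Destination IP: 192.168.1.2 Destination Port: 21 Protocol: tcp",
    "Aug. 5, 2005 08:30:01 Interface eth0 link up",
]

if __name__ == "__main__":
    for conf_text in (CONF_LITERAL, CONF_REGEX):
        conf = load_conf(conf_text)
        print([classify(conf, ln) for ln in LOG_LINES])
```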
These regex patterns are applied directly to the logs and the first captured group is returned. When defining custom regex patterns, you must adhere to the regex rules defined by the Java programming language. For more information, see the following website: http://download.oracle.com/javase/tutorial/essential/regex/
To integrate a generic firewall with JSA, make sure you specify the classes directly instead of using the predefined classes. For example, the digit class (/\d/) becomes /[0-9]/. Also, instead of using numeric qualifiers, rewrite the expression to use the primitive qualifiers (/?/, /*/ and /+/).
Step 5 Review the file to determine a pattern for accepted packets.
For example, if your device generates the following log messages for accepted packets:
Aug. 5, 2005 08:30:00 Packet accepted. Source IP: 192.168.1.1 Source Port: 80 Destination IP: 192.168.1.2 Destination Port: 80 Protocol: tcp
The pattern for accepted packets is Packet accepted.
Step 6 Add the following to the file:
accept_pattern=<pattern>
Where <pattern> is the pattern determined in Step 5. For example:
accept_pattern=Packet accepted
Patterns are case insensitive.
Step 7 Review the file to determine a pattern for denied packets.
For example, if your device generates the following log messages for denied packets:
Aug. 5, 2005 08:30:00 Packet denied. Source IP: 192.168.1.1 Source Port: 21 Destination IP: 192.168.1.2 Destination Port: 21 Protocol: tcp
The pattern for denied packets is Packet denied.
Step 8 Add the following to the file:
deny_pattern=<pattern>
Where