Juniper Secure Analytics DSM Configuration Guide Netsight Jsa Configuring

User Manual: Netsight

Open the PDF directly: View PDF PDF.
Page Count: 808 [warning: Documents this large are best viewed by clicking the View PDF Link!]

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Published: 2014-11-27
Juniper Secure Analytics
Configuring DSMs
Release 2014.1
2
Copyright Notice
Copyright © 2014 Juniper Networks, Inc. All rights reserved.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and
other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks,
registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or
otherwise revise this publication without notice.
The following terms are trademarks or registered trademarks of other companies:
JavaTM and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A
digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the
equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and
used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential
area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. The following
information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it
is not installed in accordance with Juniper Networks’ installation instructions, it may cause interference with radio and television reception. This
equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC
rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no
guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception,
which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following
measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Consult the dealer or an
experienced radio/TV technician for help. Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT, SUBJECT TO THE MODIFICTAIONS SET FORTH
BELOW ON THIS PAGE, ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED
HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR
JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.
Juniper Secure Analytics Configuring DSMs
Release 2014.1
Copyright © 2014, Juniper Networks, Inc.
All rights reserved. Printed in USA.
Revision History
November 2014—Juniper Secure Analytics Configuring DSMs
The information in this document is current as of the date listed in the revision history.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use
of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html,
as modified by the following text, which shall be treated under the EULA as an Entitlement Document taking precedence over any conflicting provisions
of such EULA as regards such software:
As regards software accompanying the STRM products (the “Program”), such software contains software licensed by Q1Labs and is further
accompanied by third-party software that is described in the applicable documentation or materials provided by Juniper Networks.
CONTENTS
ABOUT THIS GUIDE
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Technical Documentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
1OVERVIEW
2INSTALLING DSMS
Scheduling Automatic Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Viewing Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Manually Installing a DSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
33COM 8800 SERIES SWITCH
4AMBIRON TRUSTWAVE IPANGEL
5APACHE HTTP SERVER
Configuring Apache HTTP Server with Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Configuring Apache HTTP Server with Syslog-ng . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
6APC UPS
7AMAZON AWS CLOUDTRAIL
AWS CloudTrail DSM Integration Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Enabling Communication between JSA and AWS CloudTrail . . . . . . . . . . . . . . . . . . 40
Configuring an Amazon AWS CloudTrail Log Source in JSA . . . . . . . . . . . . . . . . . . 40
7APPLE MAC OS X
8APPLICATION SECURITY DBPROTECT
9ARBOR NETWORKS PEAKFLOW
10 ARBOR NETWORKS PRAVAIL
Arbor Networks Pravail DSM Integration Process . . . . . . . . . . . . . . . . . . . . . . . . . . .54
Configuring your Arbor Networks Pravail system for Communication with JSA. . . . .54
Configuring an Arbor Networks Pravail Log Source in Configuring DSMs. . . . . . . . .55
10 ARPEGGIO SIFT-IT
11 ARRAY NETWORKS SSL VPN
12 ARUBA MOBILITY CONTROLLERS
13 AVAYA VPN GATEWAY
Avaya VPN Gateway DSM Integration Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66
Configuring your Avaya VPN Gateway System for Communication with JSA . . . . . .66
Configuring an Avaya VPN Gateway Log Source in JSA. . . . . . . . . . . . . . . . . . . . . .67
13 BALABIT IT SECURITY
Configuring BalaBIt IT Security for Microsoft Windows Events . . . . . . . . . . . . . . . . .69
Configuring BalaBit IT Security for Microsoft ISA or TMG Events . . . . . . . . . . . . . . .73
14 BARRACUDA
Barracuda Spam & Virus Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Barracuda Web Application Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Barracuda Web Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
15 BIT9 PARITY
16 BLUECAT NETWORKS ADONIS
17 BLUE COAT SG
Creating a Custom Event Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92
Retrieving Blue Coat Events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
Creating Additional Custom Format Key-Value Pairs. . . . . . . . . . . . . . . . . . . . . . . . .99
18 BRIDGEWATER
19 BROCADE FABRIC OS
20 CA TECHNOLOGIES
CA ACF2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
CA SiteMinder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
CA Top Secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
21 CHECK POINT
Check Point FireWall-1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Check Point Provider-1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
22 CILASOFT QJRN/400
23 CISCO
Cisco ACE Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Cisco Aironet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Cisco ACS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Cisco ASA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Cisco CallManager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Cisco CatOS for Catalyst Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Cisco CSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Cisco FWSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Cisco IDS/IPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Cisco IronPort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Cisco NAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Cisco Nexus. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Cisco IOS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Cisco Pix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Cisco VPN 3000 Concentrator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Cisco Wireless Services Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Cisco Wireless LAN Controllers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Cisco Identity Services Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
24 CITRIX
Citrix NetScaler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Citrix Access Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
25 CRYPTOCARD CRYPTO-SHIELD
26 CYBER-ARK VAULT
27 CYBERGUARD FIREWALL/VPN APPLIANCE
28 DAMBALLA FAILSAFE
29 DIGITAL CHINA NETWORKS (DCN)
30 ENTERASYS
Enterasys Dragon. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211
Enterasys HiGuard Wireless IPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .218
Enterasys HiPath Wireless Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .220
Enterasys Stackable and Standalone Switches . . . . . . . . . . . . . . . . . . . . . . . . . . . .221
Enterasys XSR Security Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .222
Enterasys Matrix Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .223
Enterasys NetSight Automatic Security Manager. . . . . . . . . . . . . . . . . . . . . . . . . . .224
Enterasys Matrix K/N/S Series Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225
Enterasys NAC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .226
Enterasys 800-Series Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .227
31 EXTREME NETWORKS EXTREMEWARE
32 F5 NETWORKS
F5 Networks BIG-IP AFM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231
F5 Networks BIG-IP APM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236
F5 Networks BIG-IP ASM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .237
F5 Networks BIG-IP LTM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .239
F5 Networks FirePass . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .241
33 FAIR WARNING
34 FIDELIS XPS
35 FIREEYE
36 FORESCOUT COUNTERACT
37 FORTINET FORTIGATE
Fortinet FortiGate DSM Integration Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .257
Configuring a Fortinet FortiGate Log Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
38 FOUNDRY FASTIRON
39 GENERIC FIREWALL
40 GENERIC AUTHORIZATION SERVER
41 GREAT BAY BEACON
42 HBGARY ACTIVE DEFENSE
43 HONEYCOMB LEXICON FILE INTEGRITY MONITOR (FIM)
44 HP
HP ProCurve . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
HP Tandem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Hewlett Packard UNIX (HP-UX). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
45 HUAWEI
Huawei AR Series Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Huawei S Series Switch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
46 IBM
IBM AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
IBM AS/400 iSeries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
IBM CICS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
IBM Lotus Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
IBM Proventia Management SiteProtector. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
IBM ISS Proventia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
IBM RACF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
IBM DB2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
IBM WebSphere Application Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
IBM Informix Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
IBM IMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
IBM Guardium . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
IBM Security Directory Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
IBM Tivoli Access Manager for E-business . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
IBM z/Secure Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
IBM Tivoli Endpoint Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
IBM zSecure Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
IBM Security Network Protection (XGS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
IBM Security Network IPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
47 ISC BIND
48 IMPERVA SECURESPHERE
49 INFOBLOX NIOS
50 IT-CUBE AGILESI
51 ITRON SMART METER
52 JUNIPER NETWORKS
Juniper Networks AVT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .389
Juniper DDoS Secure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391
Juniper DX Application Acceleration Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391
Juniper EX Series Ethernet Switch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .392
Juniper IDP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .394
Juniper Networks Secure Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .395
Juniper Infranet Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .398
Juniper Networks Firewall and VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .399
Juniper Networks Network and Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . .399
Juniper Junos OS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .401
Juniper Steel-Belted Radius . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .404
Juniper Networks vGW Virtual Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406
Juniper Security Binary Log Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .408
Juniper Junos WebApp Secure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .411
Juniper Networks WLC Series Wireless LAN Controller . . . . . . . . . . . . . . . . . . . . .414
53 KASPERSKY SECURITY CENTER
54 LIEBERMAN RANDOM PASSWORD MANAGER
55 LINUX
Linux DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .427
Linux IPtables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .428
Linux OS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .430
56 MCAFEE
McAfee Intrushield . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435
McAfee ePolicy Orchestrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .440
McAfee Application / Change Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .449
McAfee Web Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .452
McAfee Web Gateway DSM Integration Process. . . . . . . . . . . . . . . . . . . . . . . . . . .455
57 METAINFO METAIP
58 MICROSOFT
Microsoft Exchange Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Microsoft IAS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Microsoft DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Microsoft IIS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Microsoft ISA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Microsoft Hyper-V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Microsoft SQL Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Microsoft SharePoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Microsoft Windows Security Event Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Microsoft Operations Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Microsoft System Center Operations Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Microsoft Endpoint Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
59 MOTOROLA SYMBOL AP
60 NETAPP DATA ONTAP
61 NAME VALUE PAIR
NVP Log Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
62 NIKSUN
63 NOKIA FIREWALL
Integrating with a Nokia Firewall Using Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Integrating With a Nokia Firewall Using OPSEC . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
64 NOMINUM VANTIO
65 NORTEL NETWORKS
Nortel Multiprotocol Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Nortel Application Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Nortel Contivity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Nortel Ethernet Routing Switch 2500/4500/5500. . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Nortel Ethernet Routing Switch 8300/8600 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Nortel Secure Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Nortel Secure Network Access Switch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Nortel Switched Firewall 5100 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Nortel Switched Firewall 6000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
Nortel Threat Protection System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
Nortel VPN Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .531
66 NOVELL EDIRECTORY
67 OBSERVEIT
68 OPENBSD
69 OPEN LDAP
70 OPEN SOURCE SNORT
71 ORACLE
Oracle Audit Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .555
Oracle DB Listener . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .559
Oracle Audit Vault. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .563
Oracle OS Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .564
Oracle BEA WebLogic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .566
Oracle Acme Packet Session Border Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . .571
Oracle Fine Grained Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .574
72 OSSEC
73 PALO ALTO NETWORKS
74 PIREAN ACCESS: ONE
75 POSTFIX MAIL TRANSFER AGENT
76 PROFTPD
77 PROOFPOINT ENTERPRISE PROTECTION AND ENTERPRISE PRIVACY
78 RADWARE DEFENSEPRO
79 RAZ-LEE ISECURITY
80 REDBACK ASE
81 RSA AUTHENTICATION MANAGER
Configuring Syslog for RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
Configuring the Log File Protocol for RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
82 SAFENET DATASECURE
83 SAMHAIN LABS
Configuring Syslog to Collect Samhain Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
Configuring JDBC to Collect Samhain Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
84 SENTRIGO HEDGEHOG
85 SECURE COMPUTING SIDEWINDER
86 SOLARWINDS ORION
87 SONICWALL
88 SOPHOS
Sophos Enterprise Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
Sophos PureMessage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
Sophos Astaro Security Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .641
Sophos Web Security Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .642
89 SOURCEFIRE
Sourcefire Defense Center (DC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .643
Sourcefire Intrusion Sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .649
90 SPLUNK
Collect Windows Events Forwarded from Splunk Appliances . . . . . . . . . . . . . . . . .651
91 SQUID WEB PROXY
92 STARENT NETWORKS
93 STEALTHBITS STEALTHINTERCEPT
STEALTHbits StealthINTERCEPT DSM Integration Process. . . . . . . . . . . . . . . . . .663
Configuring your STEALTHbits StealthINTERCEPT System for Communication with
JSA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .664
Configuring a STEALTHbits StealthINTERCEPT Log Source in JSA . . . . . . . . . . .665
94 STONESOFT MANAGEMENT CENTER
95 SUN SOLARIS
Sun Solaris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .671
Sun Solaris DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .672
Sun Solaris Sendmail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .674
Sun Solaris Basic Security Mode (BSM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .675
Sun ONE LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .680
96 SYBASE ASE
97 SYMANTEC
Symantec Endpoint Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .687
Symantec SGS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .688
Symantec System Center. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .688
Symantec Data Loss Prevention (DLP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .692
Symantec PGP Universal Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .696
98 SYMARK
99 THREATGRID MALWARE THREAT INTELLIGENCE PLATFORM
100 TIPPING POINT
Tipping Point Intrusion Prevention System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709
Tipping Point X505/X506 Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 712
101 TOP LAYER IPS
102 TREND MICRO
Trend Micro InterScan VirusWall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
Trend Micro Control Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 716
Trend Micro Office Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717
Trend Micro Deep Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721
103 TRIPWIRE
104 TROPOS CONTROL
105 TRUSTEER APEX LOCAL EVENT AGGREGATOR
106 UNIVERSAL DSM
107 UNIVERSAL LEEF
Configuring a Universal LEEF Log Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 733
Forwarding Events to JSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 737
Creating a Universal LEEF Event Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 737
108 VENUSTECH VENUSENSE
109 VERDASYS DIGITAL GUARDIAN
110 VERICEPT CONTENT 360 DSM
111 VMWARE
VMware ESX and ESXi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 751
VMware vCenter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 756
VMware vCloud Director . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 757
VMware vShield . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 760
112 VORMETRIC DATA SECURITY
Vormetric Data Security DSM Integration Process. . . . . . . . . . . . . . . . . . . . . . . . . .763
Configuring your Vormetric Data Security Systems for Communication with JSA . .764
Configuring a Vormetric Data Security Log Source in JSA. . . . . . . . . . . . . . . . . . . .766
113 WEBSENSE V-SERIES
Websense TRITON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .767
Websense V-Series Data Security Suite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .769
Websense V-Series Content Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .771
114 ZSCALER NANOLOG STREAMING SERVICE
115 SUPPORTED DSMS
INDEX
Configuring DSMs
ABOUT THIS GUIDE
The Juniper Secure Analytics Configuring DSMs guide provides you with
information for configuring Device Support Modules (DSMs).
DSMs allow Juniper Secure Analytics (JSA) to integrate events from security
appliances, software, and devices in your network that forward events to JSA or
Log Analytics. All references to JSA or JSA is intended to refer both the JSA and
Log Analytics product.
Audience This guide is intended for the system administrator responsible for setting up event
collection for JSA in your network.
This guide assumes that you have administrative access and a knowledge of your
corporate network and networking technologies.
Documentation
Conventions
Table 2-1 lists conventions that are used throughout this guide.
Technical
Documentation
You can access technical documentation, technical notes, and release notes
directly from the Juniper Customer Support website at
https://www.juniper.net/support/. Once you access the Juniper Customer Support
Table 2-1 Icons
Icon Type Description
Information note Information that describes important features or
instructions.
Caution Information that alerts you to potential loss of
data or potential damage to an application,
system, device, or network.
Warning Information that alerts you to potential personal
injury.
Configuring DSMs
16 ABOUT THIS GUIDE
website, locate the product and software release for which you require
documentation.
Your comments are important to us. Please send your e-mail comments about this
guide or any of the Juniper Networks documentation to:
techpubs-comments@juniper.net.
Include the following information with your comments:
Document title
Page number
Requesting
Technical Support
Technical product support is available through the Juniper Networks Technical
Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC
support contract, or are covered under warranty, and need post-sales technical
support, you can access our tools and resources online or open a case with JTAC.
JTAC policies—For a complete understanding of our JTAC procedures and
policies, review the JTAC User Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf .
Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/.
JTAC Hours of Operation —The JTAC centers have resources available 24
hours a day, 7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you
with the following features:
Find CSC offerings: http://www.juniper.net/customers/support/
Find product documentation: http://www.juniper.net/techpubs/
Find solutions and answer questions using our Knowledge Base:
http://kb.juniper.net/
Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
Search technical bulletins for relevant hardware and software notifications:
https://www.juniper.net/alerts/
Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
Open a case online in the CSC Case Management tool:
http://www.juniper.net/cm/
Configuring DSMs
Requesting Technical Support 17
To verify service entitlement by product serial number, use our Serial Number
Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and
Mexico).
For international or direct-dial options in countries without toll-free numbers, visit
us at http://www.juniper.net/support/requesting-support.html.
Configuring DSMs
18 ABOUT THIS GUIDE
Configuring DSMs
1OVERVIEW
The DSM Configuration guide is intended to assist with device configurations for
systems, software, or appliances that provide events to Juniper Secure Analytics
(JSA).
Device Support Modules (DSMs) parse event information for JSA products to log
and correlate events received from external sources such as security equipment
(for example, firewalls), and network equipment (for example, switches and
routers).
Events forwarded from your log sources are displayed in the Log Activity tab. All
events are correlated and security and policy offenses are created based on
correlation rules. These offenses are displayed on the Offenses tab. For more
information, see the Juniper Secure Analytics Users Guide.
NOTE
Note: Information found in this documentation about configuring Device Support
Modules (DSMs) is based on the latest RPM files located on the Juniper Customer
Support website at http://www.juniper.net/customer/support/.
To configure JSA to receive events from devices, you must:
1 Configure the device to send events to JSA.
2 Configure log sources for JSA to receive events from specific devices. For more
information, see the Log Sources Users Guide.
Configuring DSMs
2INSTALLING DSMS
You can download and install weekly automatic software updates for DSMs,
protocols, and scanner modules.
After Device Support Modules (DSMs) are installed the Juniper Secure Analytics
(JSA) console provides any rpm file updates to managed hosts after the
configuration changes are deployed. If you are using high availability (HA), DSMs,
protocols, and scanners are installed during replication between the primary and
secondary host. During this installation process, the secondary displays the status
Upgrading. For more information, see Managing High Availability in the Juniper
Secure Analytics Administration Guide.
CAUTION
CAUTION: Uninstalling a Device Support Module (DSM) is not supported in JSA. If
you need technical assistance, contact Juniper Customer Support. For more
information, see Requesting Technical Support.
Scheduling
Automatic Updates
You can schedule when automatic updates are downloaded and installed on your
JSA console.
JSA performs automatic updates on a recurring schedule according to the settings
on the Update Configuration page; however, if you want to schedule an update or a
set of updates to run at a specific time, you can schedule an update using the
Schedule the Updates window. Scheduling your own automatic updates is useful
when you want to schedule a large update to run during off-peak hours, thus
reducing any performance impacts on your system.
If no updates are displayed in the Updates window, either your system has not
been in operation long enough to retrieve the weekly updates or no updates have
been issued. If this occurs, you can manually check for new updates
Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration.
Configuring DSMs
22 INSTALLING DSMS
Step 3 Click the Auto Update icon.
Step 4 Optional. If you want to schedule specific updates, select the updates you want to
schedule.
Step 5 From the Schedule list box, select the type of update you want to schedule.
Options include:
All Updates
Selected Updates
DSM, Scanner, Protocol Updates
Minor Updates
NOTE
Note: Protocol updates installed automatically require you to restart Tomcat. For
more information on manually restarting Tomcat, see the Log Sources Users
Guide.
Step 6 Using the calendar, select the start date and time of when you want to start your
scheduled updates.
Step 7 Click OK.
The selected updates are now scheduled.
Viewing Updates You can view or install any pending software updates for JSA through the Admin
tab.
Procedure
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration.
Step 3 Click the Auto Update icon.
The Updates window is displayed. The window automatically displays the Check
for Updates page, providing the following information:
Table 2-1 Check for Updates Window Parameters
Parameter Description
Updates were
installed
Specifies the date and time the last update was installed.
Next Update install
is scheduled
Specifies the date and time the next update is scheduled to be
installed. If there is no date and time indicated, the update is not
scheduled to run.
Name Specifies the name of the update.
Type Specifies the type of update. Types include:
DSM, Scanner, Protocol Updates
Minor Updates
Configuring DSMs
Viewing Updates 23
The Check for Updates page toolbar provides the following functions:
Step 4 To view details on an update, select the update.
The description and any error messages are displayed in the right pane of the
window.
Status Specifies the status of the update. Status types include:
New - The update is not yet scheduled to be installed.
Scheduled - The update is scheduled to be installed.
Installing - The update is currently installing.
Failed - The updated failed to install.
Date to Install Specifies the date on which this update is scheduled to be
installed.
Table 2-2 Auto Updates Toolbar
Function Description
Hide Select one or more updates, and then click Hide to remove the
selected updates from the Check for Updates page. You can
view and restore the hidden updates on the Restore Hidden
Updates page. For more information, see the Juniper Secure
Analytics Administrator Guide.
Install From this list box, you can manually install updates. When you
manually install updates, the installation process starts within a
minute.
Schedule From this list box, you can configure a specific date and time to
manually install selected updates on your console. This is useful
when you want to schedule the update installation during
off-peak hours.
Unschedule From this list box, you can remove preconfigured schedules for
manually installing updates on your console.
Search By Name In this text box, you can type a keyword and then press Enter to
locate a specific update by name.
Next Refresh This counter displays the amount of time until the next automatic
refresh. The list of updates on the Check for Updates page
automatically refreshes every 60 seconds. The timer is
automatically paused when you select one or more updates.
Pause Click this icon to pause the automatic refresh process. To
resume automatic refresh, click the Play icon.
Refresh Click this icon to manually refresh the list of updates.
Table 2-1 Check for Updates Window Parameters (continued)
Parameter Description
Configuring DSMs
24 INSTALLING DSMS
Manually Installing
a DSM
You can use the Juniper Customer Support website to download and manually
install the latest RPM files for JSA.
http://www.juniper.net/customer/support/
Most users do not need to download updated DSMs as auto updates installs the
latest rpm files on a weekly basis. If your system is restricted from the Internet, you
might need to install rpm updates manually. The DSMs provided on the Juniper
Customer Support website, or through auto updates contain improved event
parsing for network security products and enhancements for event categorization
in the JSA Identifier Map (QID map).
CAUTION
CAUTION: Uninstalling a Device Support Module (DSM) is not supported in JSA. If
you need technical assistance, contact Juniper Customer Support. For more
information, see Requesting Technical Support.
Installing a Single
DSM
The Juniper Customer Support website contain individual DSMs that you can
download and install using the command-line.
Procedure
Step 1 Download the DSM file to your system hosting JSA.
Step 2 Using SSH, log in to JSA as the root user.
Username: root
Password: <password>
Step 3 Navigate to the directory that includes the downloaded file.
Step 4 Type the following command:
rpm -Uvh <filename>
Where <filename> is the name of the downloaded file. For example:
rpm -Uvh DSM-CheckPointFirewall-7.0-209433.noarch.rpm
Step 5 Log in to JSA.
https://<IP Address>
Where <IP Address> is the IP address of the JSA console or Event Collector.
Step 6 On the Admin tab, click Deploy Changes.
The installation is complete.
Configuring DSMs
Manually Installing a DSM 25
Installing a DSM
Bundle
The Juniper Customer Support website contains a DSM bundle which is updated
daily with the latest DSM versions that you can install.
Procedure
Step 1 Download the DSM bundle to your system hosting JSA.
Step 2 Using SSH, log in to JSA as the root user.
Username: root
Password: <password>
Step 3 Navigate to the directory that includes the downloaded file.
Step 4 Type the following command to extract the DSM bundle:
tar -zxvf JSA_bundled-DSM-<version>.tar.gz
Where <version> is your release of JSA.
Step 5 Type the following command:
for FILE in *Common*.rpm DSM-*.rpm; do rpm -Uvh "$FILE"; done
The installation of the DSM bundle can take several minutes to complete.
Step 6 Log in to JSA.
https://<IP Address>
Where <IP Address> is the IP address of JSA.
Step 7 On the Admin tab, click Deploy Changes.
The installation is complete.
Configuring DSMs
33COM 8800 SERIES SWITCH
The 3COM 8800 Series Switch DSM for Juniper Secure Analytics (JSA) accepts
events using syslog.
Supported Event
Types
JSA records all relevant status and network condition events forwarded from your
3Com 8800 Series Switch using syslog.
Configure Your
3COM 8800 Series
Switch
You can configure your 3COM 8800 Series Switch to forward syslog events to
JSA.
Procedure
Step 1 Log in to the 3Com 8800 Series Switch user interface.
Step 2 Enable the information center.
info-center enable
Step 3 Configure the host with the IP address of your JSA system as the loghost, the
severity level threshold value as informational, and the output language to English.
info-center loghost <ip_address> facility <severity> language
english
Where:
<ip_address> is the IP address of your JSA.
<severity> is the facility severity.
Step 4 Configure the ARP and IP information modules to log.
info-center source arp channel loghost log level informational
info-center source ip channel loghost log level informational
The configuration is complete. The log source is added to JSA as 3COM 8800
Series Switch events are automatically discovered. Events forwarded to JSA by
3COM 880 Series Switches are displayed on the Log Activity tab.
Configuring DSMs
28 3COM 8800 SERIES SWITCH
Configure a Log
Source
JSA automatically discovers and creates a log source for syslog events from
3COM 8800 Series Switches. These configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select 3Com 8800 Series Switch.
Step 9 Using the Protocol Configuration list box, select Syslog.
The syslog protocol configuration is displayed.
Step 10 Configure the following values:
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.
Table 3-1 Syslog Parameters
Parameter Description
Log Source Identifier Type the IP address or host name for the log source as an
identifier for events from your 3COM 8800 Series Switch.
Configuring DSMs
4AMBIRON TRUSTWAVE ipANGEL
The Ambiron TrustWave ipAngel DSM for Juniper Secure Analytics (JSA) accepts
events using syslog.
Supported Event
Types
JSA records all Snort-based events from the ipAngel console.
Before You Begin Before you configure JSA to integrate with ipAngel, you must forward your cache
and access logs to your JSA. The events in your cache and access logs that are
forwarded from Ambiron TrustWave ipAngel are not automatically discovered. For
information on forwarding device logs to JSA, see your vendor documentation.
Configure a Log
Source
To integrate Ambiron TrustWave ipAngel events with JSA, you must manually
configure a log source.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Ambiron TrustWave ipAngel
Intrusion Prevention System (IPS).
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 4-1 Syslog Parameters
Parameter Description
Log Source Identifier Type the IP address or host name for the log source as an
identifier for events from your Ambiron TrustWave ipAngel
appliance.
Configuring DSMs
30 AMBIRON TRUSTWAVE IPANGEL
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to JSA. Events forwarded to JSA by Ambiron TrustWave
ipAngel are displayed on the Log Activity tab.
Configuring DSMs
5APACHE HTTP SERVER
The Apache HTTP Server DSM for Juniper Secure Analytics (JSA) accepts
Apache events using syslog or syslog-ng.
JSA records all relevant HTTP status events. The procedure in this section applies
to Apache DSMs operating on UNIX/Linux platforms only.
CAUTION
CAUTION: Do not run both syslog and syslog-ng at the same time.
Select one of the following configuration methods:
Configuring Apache HTTP Server with Syslog
Configuring Apache HTTP Server with Syslog-ng
Configuring
Apache HTTP
Server with Syslog
You can configure your Apache HTTP Server to forward events with the syslog
protocol.
Procedure
Step 1 Log in to the server hosting Apache, as the root user.
Step 2 Edit the Apache configuration file httpd.conf.
Step 3 Add the following information in the Apache configuration file to specify the custom
log format:
LogFormat "%h %A %l %u %t \"%r\" %>s %p %b" <log format name>
Where <log format name> is a variable name you provide to define the log
format.
Step 4 Add the following information in the Apache configuration file to specify a custom
path for the syslog events:
CustomLog “|/usr/bin/logger -t httpd -p
<facility>.<priority>” <log format name>
Where:
<facility> is a syslog facility, for example, local0.
Configuring DSMs
32 APACHE HTTP SERVER
<priority> is a syslog priority, for example, info or notice.
<log format name> is a variable name you provide to define the custom log
format. The log format name must match the log format defined in Step 4.
For example,
CustomLog “|/usr/bin/logger -t httpd -p local1.info”
MyApacheLogs
Step 5 Type the following command to disabled hostname lookup:
HostnameLookups off
Step 6 Save the Apache configuration file.
Step 7 Edit the syslog configuration file.
/etc/syslog.conf
Step 8 Add the following information to your syslog configuration file:
<facility>.<priority> <TAB><TAB>@<host>
Where:
<facility> is the syslog facility, for example, local0. This value must match the
value you typed in Step 4.
<priority> is the syslog priority, for example, info or notice. This value must
match the value you typed in Step 4.
<TAB> indicates you must press the Tab key.
<host> is the IP address of the JSA console or Event Collector.
Step 9 Save the syslog configuration file.
Step 10 Type the following command to restart the syslog service:
/etc/init.d/syslog restart
Step 11 Restart Apache to complete the syslog configuration.
The configuration is complete. The log source is added to JSA as syslog events
from Apache HTTP Servers are automatically discovered. Events forwarded to
JSA by Apache HTTP Servers are displayed on the Log Activity tab of JSA.
Configuring a Log
Source in JSA
You can configure a log source manually for Apache HTTP Server events in JSA.
JSA automatically discovers and creates a log source for syslog events from
Apache HTTP Server. However, you can manually create a log source for JSA to
receive syslog events. These configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Configuring DSMs
Configuring Apache HTTP Server with Syslog-ng 33
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Apache HTTP Server.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete. For more information on Apache, see
http://www.apache.org/.
Configuring
Apache HTTP
Server with
Syslog-ng
You can configure your Apache HTTP Server to forward events with the syslog-ng
protocol.
Procedure
Step 1 Log in to the server hosting Apache, as the root user.
Step 2 Edit the Apache configuration file.
/etc/httpd/conf/httpd.conf
Step 3 Add the following information to the Apache configuration file to specify the
LogLevel:
LogLevel info
The LogLevel might already be configured to the info level depending on your
Apache installation.
Step 4 Add the following to the Apache configuration file to specify the custom log format:
LogFormat "%h %A %l %u %t \"%r\" %>s %p %b" <log format name>
Where <log format name> is a variable name you provide to define the custom
log format.
Step 5 Add the following information to the Apache configuration file to specify a custom
path for the syslog events:
CustomLog "|/usr/bin/logger -t 'httpd' -u
/var/log/httpd/apache_log.socket" <log format name>
The log format name must match the log format defined in Step 4.
Table 5-1 Syslog Parameters
Parameter Description
Log Source Identifier Type the IP address or host name for the log source as an
identifier for events from your Apache installations.
Configuring DSMs
34 APACHE HTTP SERVER
Step 6 Save the Apache configuration file.
Step 7 Edit the syslog-ng configuration file.
/etc/syslog-ng/syslog-ng.conf
Step 8 Add the following information to specify the destination in the syslog-ng
configuration file:
source s_apache {
unix-stream("/var/log/httpd/apache_log.socket"
max-connections(512)
keep-alive(yes));
};
destination auth_destination { <udp|tcp>("<IP address>"
port(514)); };
log{
source(s_apache);
destination(auth_destination);
};
Where:
<IP address> is the IP address of the JSA console or Event Collector.
<udp|tcp> is the protocol you select to forward the syslog event.
Step 9 Save the syslog-ng configuration file.
Step 10 Type the following command to restart syslog-ng:
service syslog-ng restart
Step 11 You are now ready to configure the log source in JSA.
The configuration is complete. The log source is added to JSA as syslog events
from Apache HTTP Servers are automatically discovered. Events forwarded to
JSA by Apache HTTP Servers are displayed on the Log Activity tab of JSA.
Configuring a Log
Source
You can configure a log source manually for Apache HTTP Server events in JSA.
JSA automatically discovers and creates a log source for syslog-ng events from
Apache HTTP Server. However, you can manually create a log source for JSA to
receive syslog events. These configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Configuring DSMs
Configuring Apache HTTP Server with Syslog-ng 35
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Apache HTTP Server.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete. For more information on Apache, see
http://www.apache.org/.
Table 5-2 Syslog Parameters
Parameter Description
Log Source Identifier Type the IP address or host name for the log source as an
identifier for events from your Apache installations.
Configuring DSMs
6APC UPS
The APC UPS DSM for Juniper Secure Analytics (JSA) accepts syslog events
from the APC Smart-UPS family of products.
NOTE
Note: Events from the RC-Series Smart-UPS are not supported.
Supported Event
Types
JSA supports the following APC Smart-UPS syslog events:
UPS events
Battery events
Bypass events
Communication events
Input power events
Low battery condition events
SmartBoost events
SmartTrim events
Before You Begin To integrate Smart-UPS events with JSA, you must manually create a log source
to receive syslog events.
Before you can receive events in JSA, you must configure a log source, then
configure your APC UPS to forward syslog events. Syslog events forwarded from
APC Smart-UPS series devices are not automatically discovered. JSA can receive
syslog events on port 514 for both TCP and UDP.
Configuring a Log
Source in JSA
JSA does not automatically discover or create log sources for syslog events from
APC Smart-UPS series appliances.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Configuring DSMs
38 APC UPS
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select APC UPS.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to JSA. You are now ready to configure your APC
Smart-UPS to forward syslog events to JSA.
Configuring Your
APC UPD to Forward
Syslog Events
You can configure syslog event forwarding on your APC UPS.
Procedure
Step 1 Log in to the APC Smart-UPS web interface.
Step 2 In the navigation menu, select Network > Syslog.
Step 3 From the Syslog list box, select Enable.
Step 4 From the Facility list box, select a facility level for your syslog messages.
Step 5 In the Syslog Server field, type the IP address of your JSA console or Event
Collector.
Step 6 From the Severity list box, select Informational.
Step 7 Click Apply.
The syslog configuration is complete. Events forwarded to JSA by your APC UPS
are displayed on the Log Activity tab.
Table 6-1 Syslog Parameters
Parameter Description
Log Source Identifier Type the IP address or host name for the log source as an
identifier for events from your APC Smart-UPS series
appliance.
Configuring DSMs
7AMAZON AWS CLOUDTRAIL
The Juniper Secure Analytics (JSA) DSM for Amazon AWS CloudTrail can collect
audit events from your Amazon AWS CloudTrail S3 bucket.
Table 7-1 provides the specifications of the Amazon AWS CloudTrail DSM.
Table 7-1 Amazon AWS CloudTrail DSM Specifications
Specification Value
Manufacturer Amazon
DSM Amazon AWS CloudTrail
Supported
versions
1.0
Protocol Log File
JSA recorded
events
All relevant events
Automatically
discovered
No
Includes identity No
More information http://docs.aws.amazon.com/awscloudtrail/latest/use
rguide/whatisawscloudtrail.html
Configuring DSMs
40 AMAZON AWS CLOUDTRAIL
AWS CloudTrail
DSM Integration
Process
To integrate Amazon AWS CloudTrail with JSA, use the following procedure:
1 Obtain and install a certificate to enable communication between your Amazon
AWS CloudTrail S3 bucket and JSA.
2 Install the most recent version of the Log File Protocol RPM on your JSA consolev.
You can install a protocol by using the procedure to manually install a DSM.
3 Install the Amazon AWS CloudTrail DSM on your JSA console.
4 Configure the Amazon AWS CloudTrail log source in JSA.
Related tasks
Manually Installing a DSM
Enabling Communication between JSA and AWS CloudTrail
Configuring an Amazon AWS CloudTrail Log Source in JSA
Enabling
Communication
between JSA and
AWS CloudTrail
A certificate is required for the HTTP connection between JSA and Amazon AWS
CloudTrail.
Procedure
To enable communication between JSA and AWS CloudTrail:
Step 1 Access your Amazon AWS CloudTrail S3 bucket.
Step 2 Export the certificate as a DER-encoded binary certificate to your desktop system.
The file extension must be .DER.
Step 3 Copy the certificate to the /opt/qradar/conf/trusted_certificates
directory on the JSA host on which you plan to configure the log source.
Configuring an
Amazon AWS
CloudTrail Log
Source in JSA
To collect Amazon AWS CloudTrail events, you must configure a log source in
JSA. When you configure the log source, use the location and keys that are
required to access your Amazon AWS CloudTrail S3 bucket.
Before you begin
Ensure that the following components are installed and deployed on your JSA
host:
PROTOCOL-LogFileProtocol-build_number.noarch.rpm
DSM-AmazonAWSCloudTrail-build_number.noarch.rpm
Also ensure that audit logging is enabled on your Amazon AWS CloudTrail S3
bucket. For more information, see your vendor documentation.
Configuring DSMs
Configuring an Amazon AWS CloudTrail Log Source in JSA 41
About this task
Table 7-2 provides more information about some of the extended parameters.
Procedure
To configure Amazon AWS CloudTrail log source in JSA:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 In the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 From the Log Source Type list, select Amazon AWS CloudTrail.
Step 7 From the Protocol Configuration list, select Log File.
Step 8 From the Service Type field, select AWS.
Step 9 Configure the remaining parameters.
Step 10 Click Save.
Step 11 On the Admin tab, click Deploy Changes.
Table 7-2 Amazon AWS CloudTrail Log source Parameters
Parameter Description
Bucket Name The name of the AWS CloudTrail S3 bucket where
the log files are stored.
AWS Access Key The public access key required to access the AWS
CloudTrail S3 bucket.
AWS Secret Key The private access key required to access the AWS
CloudTrail S3 bucket.
Remote Directory The root directory location on the AWS CloudTrail S3
bucket from which the files are retrieved, for
example, \user_account_name
FTP File Pattern .*?\.json\.gz
Processor GZIP
Event Generator Amazon AWS JSON
Applies additional processing to the retrieved event
files.
Recurrence Defines how often the Log File Protocol connects to
the Amazon cloud API, checks for new files, and
retrieves them if they exist. Every access to an AWS
S3 bucket incurs a cost to the account that owns the
bucket. Therefore, a smaller recurrence value
increases the cost.
Configuring DSMs
7APPLE MAC OS X
The Apple Mac OS X DSM for Juniper Secure Analytics (JSA) accepts events
using syslog.
Supported Event
Types
JSA records all relevant firewall, web server access, web server error, privilege
escalation, and informational events.
Before You Begin To integrate Mac OS X events with JSA, you must manually create a log source to
receive syslog events.
To complete this integration, you must configure a log source, then configure your
Mac OS X to forward syslog events. Syslog events forwarded from Mac OS X
devices are not automatically discovered. It is recommended that you create a log
source, then forward events to JSA. Syslog events from Mac OS X can be
forwarded to JSA on TCP port 514 or UDP port 514.
Configuring a Log
Source
JSA does not automatically discover or create log sources for syslog events from
Apple Mac OS X.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Mac OS X.
Step 9 Using the Protocol Configuration list box, select Syslog.
Configuring DSMs
44 APPLE MAC OS X
Step 10 Configure the following values:
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to JSA. You are now ready to configure your Apple Mac
OS X device to forward syslog events to JSA.
Configuring Syslog
on Your Apple Mac
OS X
You can configure syslog on systems running Mac OS X operating systems.
Procedure
Step 1 Using SSH, log in to your Mac OS X device as a root user.
Step 2 Open the /etc/syslog.conf file.
Step 3 Add the following line to the top of the file. Make sure all other lines remain intact:
*.* @<IP address>
Where <IP address> is the IP address of the JSA.
Step 4 Save and exit the file.
Step 5 Send a hang-up signal to the syslog daemon to make sure all changes are
enforced:
sudo killall - HUP syslogd
The syslog configuration is complete. Events forwarded to JSA by your Apple Mac
OS X are displayed on the Log Activity tab. For more information on configuring
Mac OS X, see your Mac OS X vendor documentation.
Table 8-1 Mac OS X Syslog Parameters
Parameter Description
Log Source Identifier Type the IP address or host name for the log source as an
identifier for events from your Apple Mac OS X device.
Configuring DSMs
8APPLICATION SECURITY
DBPROTECT
You can integrate Application Security DbProtect with Juniper Secure Analytics
(JSA).
Supported Event
Types
The Application Security DbProtect DSM for JSA accepts syslog events from
DbProtect devices installed with the Log Enhanced Event Format (LEEF) Service.
Before You Begin To forward syslog events from Application Security DbProtect to JSA requires the
LEEF Relay module.
The LEEF Relay module for DbProtect translates the default events messages to
Log Enhanced Event Format (LEEF) messages for JSA, enabling JSA to record all
relevant DbProtect events. Before you can receive events in JSA, you must install
and configure the LEEF Service for your DbProtect device to forward syslog
events. The DbProtect LEEF Relay requires that you install the .NET 4.0
Framework, which is bundled with the LEEF Relay installation.
Installing the
DbProtect LEEF
Relay Module
The DbProtect LEEF Relay module for DbProtect must be installed on the same
server as the DbProtect console. This allows the DbProtect LEEF Relay to work
alongside an existing installation using the standard hardware and software
prerequisites for a DbProtect console.
NOTE
Note: Windows 2003 hosts require the Windows Imaging Components
(wic_x86.exe). The Windows Imaging Components are located on the Windows
Server Installation CD and must be installed before you continue. For more
information, see your Windows 2003 Operating System documentation.
Procedure
Step 1 Download the DbProtect LEEF Relay module for DbProtect from the Application
Security, Inc. customer portal.
http://www.appsecinc.com
Step 2 Save the setup file to the same host as your DbProtect console.
Step 3 Double click setup.exe to start the DbProtect LEEF Relay installation.
The Microsoft .NET Framework 4 Client Profile is displayed.
Configuring DSMs
46 APPLICATION SECURITY DBPROTECT
Step 4 Click Accept, if you agree with the Microsoft .NET Framework 4 End User License
Agreement.
The Microsoft .NET Framework 4 is installed on your DbProtect console. After the
installation is complete, the DbProtect LEEF Relay module installation Wizard is
displayed.
Step 5 Click Next.
The Installation Folder window is displayed.
Step 6 To select the default installation path, click Next.
If you change the default installation directory, make note of the file location as it is
required later. The Confirm Installation window is displayed.
Step 7 Click Next.
The DbProtect LEEF Relay module is installed.
Step 8 Click Close.
You are now ready to configure the DbProtect LEEF Relay module.
Configuring the
DbProtect LEEF
Relay
After the installation of the DbProtect LEEF Relay is complete, you can configure
the service to forward events to JSA.
NOTE
Note: The DbProtect LEEF Relay must be stopped before you edit any
configuration values.
Procedure
Step 1 Navigate to the DbProtect LEEF Relay installation directory.
C:\Program Files (x86)\AppSecInc\AppSecLEEFConverter
Step 2 Edit the DbProtect LEEF Relay configuration file:
AppSecLEEFConverter.exe.config
Step 3 Configure the following values:
Table 9-1 DbProtect LEEF Relay Configuration Parameters
Parameter Description
SyslogListenerPort Optional. Type the listen port number the DbProtect LEEF
Relay uses to listen for syslog messages from the
DbProtect console. By default, the DbProtect LEEF Relay
listens on port 514.
SyslogDestinationHost Type the IP address of your JSA console or Event
Collector.
SyslogDestinationPort Type 514 as the destination port for LEEF formatted syslog
messages forwarded to JSA.
Configuring DSMs
47
Step 4 Save the configuration changes to the file.
Step 5 On your desktop of the DbProtect console, select Start > Run.
The Run window is displayed.
Step 6 Type the following:
services.msc
Step 7 Click OK.
The Services window is displayed.
Step 8 In the details pane, verify the DbProtect LEEF Relay is started and set to automatic
startup.
Step 9 To change a service property, right-click on the service name, and then click
Properties.
Step 10 Using the Startup type list box, select Automatic.
Step 11 If the DbProtect LEEF Relay is not started, click Start.
You are now ready to configure alerts for your DbProtect console.
Configure DbProtect
alerts
You can configure sensors on your DbProtect console to generate alerts.
Procedure
Step 1 Log in to your DbProtect console.
Step 2 Click the Activity Monitoring tab.
Step 3 Click the Sensors tab.
Step 4 Select a sensor and click Reconfigure.
Any database instances that are configured for your database are displayed.
Step 5 Select any database instances and click Reconfigure.
Step 6 Click Next until the Sensor Manager Policy window is displayed.
Step 7 Select the Syslog check box and click Next.
Step 8 The Syslog Configuration window is displayed.
Step 9 In the Send Alerts to the following Syslog console field, type the IP address of
your DbProtect console.
Step 10 In the Port field, type the port number you configured in the SyslogListenerPort
field of the DbProtect LEEF Relay.
LogFileName Optional. Type a file name for the DbProtect LEEF Relay to
write debug and log messages. The LocalSystem user
account that runs the DbProtect LEEF Relay service must
have write privileges to the file path you specify.
Table 9-1 DbProtect LEEF Relay Configuration Parameters (continued)
Parameter Description
Configuring DSMs
48 APPLICATION SECURITY DBPROTECT
By default, 514 is the default Syslog listen port for the DbProtect LEEF Relay. For
more information, see Configuring the DbProtect LEEF Relay, Step 3.
Step 11 Click Add.
Step 12 Click Next until you reach the Deploy to Sensor window.
Step 13 Click Deploy to Sensor.
The configuration is complete. Events forwarded to JSA by your DbProtect console
are added as a log source and automatically displayed on the Log Activity tab.
Configuring a Log
Source
JSA automatically discovers and creates a log source for syslog events from
Application Security DbProtect. These configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Application Security DbProtect.
Step 9 Using the Protocol Configuration list box, select Syslog.
The syslog protocol configuration is displayed.
Step 10 Configure the following values:
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to JSA.
Table 9-2 Syslog Parameters
Parameter Description
Log Source Identifier Type the IP address or host name for the log source as an
identifier for events from your Application Security DbProtect
device.
Configuring DSMs
9ARBOR NETWORKS PEAKFLOW
Juniper Secure Analytics (JSA) can collect and categorize syslog events from
Arbor Networks Peakflow SP appliances that are in your network.
Configuration
Overview
Arbor Networks Peakflow SP appliances store the syslog events locally.
To collect local syslog events, you must configure your Peakflow SP appliance to
forward the syslog events to a remote host. JSA automatically discovers and
creates log sources for syslog events that are forwarded from Arbor Networks
Peakflow SP appliances. JSA supports syslog events that are forwarded from
Peakflow V5.8.
To configure Arbor Networks Peakflow SP, complete the following tasks:
1 On your Peakflow SP appliance, create a notification group for JSA.
2 On your Peakflow SP appliance, configure the global notification settings.
3 On your Peakflow SP appliance, configure your alert notification rules.
4 On your JSA system, verify that the forwarded events are automatically
discovered.
Supported Event
Types for Arbor
Networks Peakflow
SP
The Arbor Networks Peakflow DSM for JSA collects events from several
categories.
Each event category contains low-level events that describe the action that is
taken within the event category. For example, authentication events can have
low-level categories of login successful or login failure.
The following list defines the event categories that are collected by JSA from
Peakflow SP appliances:
Denial of Service (DoS) events
Authentication events
Exploit events
Suspicious activity events
System events
Configuring DSMs
50 ARBOR NETWORKS PEAKFLOW
Configuring Remote
Syslog in Peakflow
SP
To collect events, you must configure a new notification group or edit existing
groups to add JSA as a remote syslog destination.
Procedure
To configure Remote Syslog in Peakflow SP:
Step 1 Log in to the configuration interface for your Peakflow SP appliance as an
administrator.
Step 2 In the navigation menu, select Administration > Notification > Groups.
Step 3 Click Add Notification Group.
Step 4 In the Destinations field, type the IP address of your JSA system.
Step 5 In the Port field, type 514 as the port for your syslog destination.
Step 6 From the Facility list, select a syslog facility.
Step 7 From the Severity list, select info.
The informational severity collects all event messages at the informational event
level and higher severity.
Step 8 Click Save.
Step 9 Click Configuration Commit.
Configuring Global
Notifications Settings
for Alerts in Peakflow
SP
Global notifications in Peakflow SP provide system notifications that are not
associated with rules. This procedure defines how to add JSA as the default
notification group and enable system notifications.
Procedure
Step 1 Log in to the configuration interface for your Peakflow SP appliance as an
administrator.
Step 2 In the navigation menu, select Administration > Notification > Global Settings.
Step 3 In the Default Notification Group field, select the notification group that you
created for JSA syslog events.
Step 4 Click Save.
Step 5 Click Configuration Commit to apply the configuration changes.
Step 6 Log in to the Peakflow SP command-line interface as an administrator.
Step 7 Type the following command to list the current alert configuration:
services sp alerts system_errors show
Step 8 Optional. Type the following command to list the fields names that can be
configured:
services sp alerts system_errors ?
Step 9 Type the following command to enable a notification for a system alert:
services sp alerts system_errors <name> notifications enable
Where <name> is the field name of the notification.
Configuring DSMs
51
Step 10 Type the following command to commit the configuration changes:
config write
Configuring Alert
Notification Rules in
Peakflow SP
To generate events, you must edit or add rules to use the notification group that
JSA as a remote syslog destination.
Procedure
Step 1 Log in to the configuration interface for your Peakflow SP appliance as an
administrator.
Step 2 In the navigation menu, select Administration > Notification > Rules.
Step 3 Select one of the following options:
Click a current rule to edit the rule.
Click Add Rule to create a new notification rule.
Step 4 Configure the following values:
Step 5 Repeat these steps to configure any other rules you want to forward to JSA.
Step 6 Click Save.
Step 7 Click Configuration Commit to apply the configuration changes.
JSA automatically discovers and creates a log source for Peakflow SP appliances.
Events that are forwarded to JSA are displayed on the Log Activity tab.
Configuring a
Peakflow SP Log
Source
JSA automatically discovers and creates a log source for syslog events forwarded
from Arbor Peakflow. These configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 In the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Table 10-3 Notification Rule Parameters
Parameter Description
Name Type the IP address or host name as an identifier for events
from your Peakflow SP installation.
The log source identifier must be unique value.
Resource Type a CIDR address or select a managed object from the
list of Peakflow resources.
Importance Select the importance of the rule.
Notification Group Select the notification group that you assigned to forward
syslog events to JSA.
Configuring DSMs
52 ARBOR NETWORKS PEAKFLOW
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 Optional. In the Log Source Description field, type a description for your log
source.
Step 8 From the Log Source Type list box, select Arbor Networks Peakflow.
Step 9 From the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
Table 10-4 Syslog Protocol Parameters
Parameter Description
Log Source Identifier Type the IP address or host name as an identifier for events
from your Peakflow SP installation.
The log source identifier must be unique value.
Enabled Select this check box to enable the log source. By default,
the check box is selected.
Credibility Select the credibility of the log source. The range is 0 - 10.
The credibility indicates the integrity of an event or offense
as determined by the credibility rating from the source
devices. Credibility increases if multiple sources report the
same event. The default is 5.
Target Event Collector Select the Event Collector to use as the target for the log
source.
Coalescing Events Select this check box to enable the log source to coalesce
(bundle) events.
By default, automatically discovered log sources inherit the
value of the Coalescing Events list box from the System
Settings in JSA. When you create a log source or edit an
existing configuration, you can override the default value by
configuring this option for each log source.
Incoming Event
Payload
From the list box, select the incoming payload encoder for
parsing and storing the logs.
Store Event Payload Select this check box to enable the log source to store event
payload information.
By default, automatically discovered log sources inherit the
value of the Store Event Payload list box from the System
Settings in JSA. When you create a log source or edit an
existing configuration, you can override the default value by
configuring this option for each log source.
Configuring DSMs
10 ARBOR NETWORKS PRAVAIL
The Juniper Secure Analytics (JSA) DSM for Arbor Networks Pravail can collect
event logs from your Arbor Networks Pravail servers.
Table 11-1 provides the specifications of the Arbor Networks Pravail DSM.
Table 11-1 Arbor Networks Pravail DSM Specifications
Specification Value
Manufacturer Arbor Networks
DSM Arbor Networks Pravail
RPM file name DSM-ArborNetworksPravail-build_number.noarch.rpm
Supported
versions
Protocol Syslog
Configuring
DSMs recorded
events
All relevant events
Automatically
discovered
Yes
Includes identity No
More information http://www.stealthbits.com/resources
Configuring DSMs
54 ARBOR NETWORKS PRAVAIL
Arbor Networks
Pravail DSM
Integration Process
To integrate Arbor Networks Pravail DSM with JSA, use the following procedure:
1 If automatic updates are not enabled, download and install the most recent Arbor
Networks Pravail RPM on your JSA console.
2 For each instance of Arbor Networks Pravail, configure your Arbor Networks
Pravail system to enable communication with JSA.
3 If Configuring DSMs automatically discovers the DSM, for each Arbor Networks
Pravail server you want to integrate, create a log source on the JSA console.
Related tasks
Manually Installing a DSM
Configuring your Arbor Networks Pravail system for Communication with
JSA
Configuring an Arbor Networks Pravail Log Source in Configuring DSMs
Configuring your
Arbor Networks
Pravail system for
Communication
with JSA
To collect all audit logs and system events from Arbor Networks Pravail, you must
add a destination that specifies JSA as the syslog server.
Procedure
To configure Arbor Networks Prevail System for communication with JSA:
Step 1 Log in to your Arbor Networks Pravail server.
Step 2 Click Settings & Reports.
Step 3 Click Administration > Notifications.
Step 4 On the Configure Notifications page, click Add Destinations.
Step 5 Select Syslog.
Step 6 Configure the following parameters:
Table 11-2 Parameters to Configure Arbor Networks Pravail System
Step 7 Click Save.
Parameter Description
Host The IP address for the
Configuring DSMs Console
Port 514
Severity Info
Alert Types The alert types that you want to
send to the Configuring DSMs
Console
Configuring DSMs
Configuring an Arbor Networks Pravail Log Source in Configuring DSMs 55
Configuring an
Arbor Networks
Pravail Log Source
in Configuring
DSMs
To collect Arbor Networks Pravail events, configure a log source in JSA.
Procedure
To configure an Arbor Networks Pravail log source in configuring DSMs:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 In the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 From the Log Source Type list, select Arbor Networks Pravail.
Step 7 From the Protocol Configuration list, select Syslog.
Step 8 Configure the remaining parameters.
Step 9 Click Save.
Step 10 On the Admin tab, click Deploy Changes.
Configuring DSMs
10 ARPEGGIO SIFT-IT
The Juniper Secure Analytics (JSA) SIFT-IT DSM accepts syslog events from
Arpeggio SIFT-IT running on IBM iSeries® that are formatted using the Log
Enhanced Event Protocol (LEEF).
Supported Versions JSA supports events from Arpeggio SIFT-IT 3.1 and above installed on IBM iSeries
version 5 revision 3 (V5R3) and above.
Supported Events Arpeggio SIFT-IT supports syslog events from the journal QAUDJRN in LEEF
format.
For example,
Jan 29 01:33:34 RUFUS LEEF:1.0|Arpeggio|SIFT-IT|3.1|PW_U|sev=3
usrName=ADMIN src=100.100.100.114 srcPort=543 jJobNam=QBASE
jJobUsr=ADMIN jJobNum=1664 jrmtIP=100.100.100.114 jrmtPort=543
jSeqNo=4755 jPgm=QWTMCMNL jPgmLib=QSYS jMsgId=PWU0000 jType=U
jUser=ROOT jDev=QPADEV000F jMsgTxt=Invalid user id ROOT. Device
QPADEV000F.
Events SIFT-IT forwards to JSA are determined with a configuration rule set file.
SIFT-IT includes a default configuration rule set file that you can edit to meet your
security or auditing requirements. For more information on configuring rule set
files, see your SIFT-IT User Guide.
Configuring a SIFT-IT
Agent
Arpeggio SIFT-IT is capable of forwarding syslog events in LEEF format with
SIFT-IT agents.
A SIFT-IT agent configuration defines the location of your JSA installation, the
protocol and formatting of the event message, and the configuration rule set.
Procedure
Step 1 Log in to your IBM iSeries.
Step 2 Type the following command and press Enter to add SIFT-IT to your library list:
ADDLIBLE SIFTITLIB0
Step 3 Type the following command and press Enter to access the SIFT-IT main menu:
GO SIFTIT
Configuring DSMs
58 ARPEGGIO SIFT-IT
Step 4 From the main menu, select 1. Work with SIFT-IT Agent Definitions.
Step 5 Type 1 to add an agent definition for JSA and press Enter.
Step 6 Configure the following agent parameters:
a In the SIFT-IT Agent Name field, type a name.
For example, JSA.
b In the Description field, type a description for the agent.
For example, Arpeggio agent for JSA.
c In the Server host name or IP address field, type the location of your JSA
console or Event Collector.
d In the Connection type field, type either *TCP, *UDP, or *SECURE.
The *SECURE option requires the TLS protocol. For more information, see the
Log Sources Users Guide.
e In the Remote port number field, type 514.
By default, JSA supports both TCP and UDP syslog messages on port 514.
f In the Message format options field, type *JSA.
g Optional. Configure any additional parameters for attributes that are not JSA
specific.
The additional operational parameters are described in the SIFT-IT User Guide.
h Press F3 to exit to the Work with SIFT-IT Agents Description menu.
Step 7 Type 9 and press Enter to load a configuration rule set for JSA.
Step 8 In the Configuration file field, type the path to your JSA configuration rule set file.
For example,
/sifitit/JSAconfig.txt
Step 9 Press F3 to exit to the Work with SIFT-IT Agents Description menu.
Step 10 Type 11 to start the JSA agent.
The configuration is complete.
Next steps
Syslog events forwarded by Arpeggio SIFT-IT in LEEF format are automatically
discovered by JSA. In most cases, the log source is automatically created in JSA
after a small number of events are detected. If the event rate is extremely low, then
you might be required to manually create a log source for Arpeggio SIFT-IT in JSA.
Until the log source is automatically discovered and identified, the event type
displays as Unknown on the Log Activity tab of JSA. Automatically discovered log
sources can be viewed on the Admin tab of JSA by clicking the Log Sources icon.
Configuring DSMs
59
Configuring a Log
Source
JSA automatically discovers and creates a log source for system authentication
events forwarded from Arpeggio SIFT-IT. This procedure is optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Arpeggio SIFT-IT.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.
Additional
Information
After you create your JSA agent definition, you can use your Arpeggio SIFT-IT
software and JSA integration to customize your security and auditing
requirements.
This can include:
Creating custom configurations in Apreggio SIFT-IT with granular filtering on
event attributes.
For example, filtering on job name, user, file or object name, system objects, or
ports. All events forwarded from SIFT-IT and the contents of the event payload
in JSA are easily searchable.
Configuring rules in JSA to generate alerts or offenses for your security team to
identify potential security threats, data loss, or breaches in real-time.
Configuring processes in Apreggio SIFT-IT to trigger real-time remediation of
issues on your IBM iSeries.
Creating offenses for your security team from Arpeggio SIFT-IT events in JSA
with the Offenses tab or configuring email job logs in SIFT-IT for your IBM
iSeries administrators.
Table 12-1 Syslog Parameters
Parameter Description
Log Source Identifier Type the IP address or host name for the log source as an
identifier for events from your Arpeggio SIFT-IT installation.
Configuring DSMs
60 ARPEGGIO SIFT-IT
Creating multiple configuration rule sets for multiple agents that run
simultaneously to handle specific security or audit events.
For example, you can configure one JSA agent with a specific rule sets for
forwarding all IBM iSeries events, then develop multiple configuration rule sets
for specific compliance purposes. This allows you to easily manage
configuration rule sets for compliance regulations, such as FISMA, PCI. HIPPA,
SOX, or ISO 27001. All of the events forwarded by SIFT-IT JSA agents is
contained in a single log source and categorized to be easily searchable.
Configuring DSMs
11 ARRAY NETWORKS SSL VPN
The Array Networks SSL VPN DSM for Juniper Secure Analytics (JSA) collects
events from an ArrayVPN appliance using syslog.
Supported Event
Types
JSA records all relevant SSL VPN events forwarded using syslog on TCP port 514
or UDP port 514.
Configuring a Log
Source
To integrate Array Networks SSL VPN events with JSA, you must manually create
a log source.
JSA does not automatically discover or create log sources for syslog events from
Array Networks SSL VPN.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Array Networks SSL VPN Access
Gateways.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Step 11 Click Save.
Table 13-1 Syslog Parameters
Parameter Description
Log Source Identifier Type the IP address or host name for the log source as an
identifier for events from your Array Networks SSL VPN
appliance.
Configuring DSMs
62 ARRAY NETWORKS SSL VPN
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to JSA. Events forwarded to JSA by Array Networks SSL
VPN are displayed on the Log Activity tab.
Next Steps
You are now ready to configure your Array Networks SSL VPN appliance to
forward remote syslog events to JSA. For more information on configuring Array
Networks SSL VPN appliances for remote syslog, please consult your Array
Networks documentation.
Configuring DSMs
12 ARUBA MOBILITY CONTROLLERS
The Aruba Mobility Controllers DSM for Juniper Secure Analytics (JSA) accepts
events using syslog.
Supported Event
Types
JSA records all relevant events forwarded using syslog on TCP port 514 or UDP
port 514.
Configure Your
Aruba Mobility
Controller
You can configure the Aruba Wireless Networks (Mobility Controller) device to
forward syslog events to JSA.
Procedure
Step 1 Log in to the Aruba Mobility Controller user interface.
Step 2 From the top menu, select Configuration.
Step 3 From the Switch menu, select Management.
Step 4 Click the Logging tab.
Step 5 From the Logging Servers menu, select Add.
Step 6 Type the IP address of the JSA server that you want to collect logs.
Step 7 Click Add.
Step 8 Optional. Change the logging level for a module:
a Select the check box next to the name of the logging module.
b Choose the logging level you want to change from the list box that is displayed
at the bottom of the window.
Step 9 Click Done.
Step 10 Click Apply.
The configuration is complete. The log source is added to JSA as Aruba Mobility
Controller events are automatically discovered. Events forwarded to JSA by Aruba
Mobility Controller are displayed on the Log Activity tab of JSA.
Configuring DSMs
64 ARUBA MOBILITY CONTROLLERS
Configuring a Log
Source
JSA automatically discovers and creates a log source for syslog events from Aruba
Mobility Controllers. These configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Aruba Mobility Controller .
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to JSA. Events forwarded to JSA by Aruba Mobility
Controller appliances are displayed on the Log Activity tab.
Table 14-1 Syslog Parameters
Parameter Description
Log Source Identifier Type the IP address or host name for the log source as an
identifier for events from your Aruba Mobility Controller.
Configuring DSMs
13 AVAYA VPN GATEWAY
The Juniper Secure Analytics (JSA) DSM for Avaya VPN Gateway can collect
event logs from your Avaya VPN Gateway servers.
Table 15-1 identifies the specifications for the Avaya VPN Gateway DSM.
Table 15-1 Avaya VPN Gateway DSM Specifications
Specification Value
Manufacturer Avaya Inc.
DSM Avaya VPN Gateway
RPM file name DSM-AvayaVPNGateway-7.1-799033.noarch.rpm
DSM-AvayaVPNGateway-7.2-799036.noarch.rpm
Supported
versions
9.0.7.2
Protocol syslog
JSA recorded
events
OS, System Control Process, Traffic Processing, Startup,
Configuration Reload, AAA Subsystem, IPsec Subsystem
Automatically
discovered
Yes
Includes identity Yes
More information http://www.avaya.com
Configuring DSMs
66 AVAYA VPN GATEWAY
Avaya VPN
Gateway DSM
Integration Process
To integrate Avaya VPN Gateway DSM with JSA, use the following procedure:
1 If automatic updates are not enabled, download and install the most recent version
of the following RPMs on your JSA console:
Syslog protocol RPM
DSMCommon RPM
Avaya VPN Gateway RPM
2 For each instance of Avaya VPN Gateway, configure your Avaya VPN Gateway
system to enable communication with JSA.
3 If JSA automatically discovers the log source, for each Avaya VPN Gateway server
you want to integrate, create a log source on the JSA console.
Related tasks
Manually Installing a DSM
Configuring your Avaya VPN Gateway System for Communication with JSA
Configuring an Avaya VPN Gateway Log Source in JSA
Configuring your
Avaya VPN
Gateway System
for Communication
with JSA
To collect all audit logs and system events from Avaya VPN Gateway, you must
specify JSA as the syslog server and configure the message format.
Procedure
To configure your Avaya VPN Gateway system for communication with JSA:
Step 1 Log in to your Avaya VPN Gateway command-line interface (CLI).
Step 2 Type the following command:
/cfg/sys/syslog/add
Step 3 At the prompt, type the IP address of your JSA system.
Step 4 To apply the configuration, type the following command:
apply
Step 5 To verify that the IP address of your JSA system is listed, type the following
command:
/cfg/sys/syslog/list
Configuring DSMs
Configuring an Avaya VPN Gateway Log Source in JSA 67
Configuring an
Avaya VPN
Gateway Log
Source in JSA
To collect Avaya VPN Gateway events, configure a log source in JSA.
Procedure
To configure an Avaya VPN Gateway log source in JSA:
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 In the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 From the Log Source Type list, select Avaya VPN Gateway.
Step 7 From the Protocol Configuration list, select Syslog.
Step 8 Configure the remaining parameters.
Step 9 Click Save.
Step 10 On the Admin tab, click Deploy Changes.
Configuring DSMs
13 BALABIT IT SECURITY
The BalaBit Syslog-ng Agent application can collect and forward syslog events for
the Microsoft Security Event Log DSM and the Microsoft ISA DSM in Juniper
Secure Analytics (JSA).
To configure a BalaBIt IT Security agent, select a configuration:
Configuring BalaBIt IT Security for Microsoft Windows Events
Configuring BalaBit IT Security for Microsoft ISA or TMG Events
Configuring BalaBIt
IT Security for
Microsoft Windows
Events
The Microsoft Windows Security Event Log DSM in JSA can accept Log Extended
Event Format (LEEF) events from BalaBit’s Syslog-ng Agent.
Supported Event
Types
The BalaBit Syslog-ng Agent forwards Windows events to JSA using syslog.
Windows security
Application
System
DNS
DHCP
Custom container event logs
Configuring DSMs
70 BALABIT IT SECURITY
Before You Begin Before you can receive events from BalaBit IT Security Syslog-ng Agents, you
must install and configure the agent to forward events.
Review the following configuration steps before you attempt to configure the
BalaBit Syslog-ng Agent:
1 Install the BalaBit Syslog-ng Agent in your Windows host. For more information,
see your BalaBit Syslog-ng Agent documentation.
2 Configure Syslog-ng Agent Events.
3 Configure JSA as a destination for the Syslog-ng Agent.
4 Restart the Syslog-ng Agent service.
5 Optional. Configure the log source in JSA.
Configuring the
Syslog-ng Agent
Event Source
Before you can forward events to JSA, you must specify what Windows-based
events the Syslog-ng Agent collects.
Procedure
Step 1 From the Start menu, select All Programs > syslog-ng Agent for Windows >
Configure syslog-ng Agent for Windows.
The Syslog-ng Agent window is displayed.
Step 2 Expand the syslog-ng Agent Settings pane, and select Eventlog Sources.
Step 3 Double-click on Event Containers.
The Event Containers Properties window is displayed.
Step 4 From the Event Containers pane, select the Enable radio button.
Step 5 Select a check box for each event type you want to collect:
Application - Select this check box if you want the device to monitor the
Windows application event log.
Security - Select this check box if you want the device to monitor the Windows
security event log.
System - Select this check box if you want the device to monitor the Windows
system event log.
NOTE
Note: BalaBit’s Syslog-ng Agent supports additional event types, such as DNS or
DHCP events using custom containers. For more information, see your BalaBit
Syslog-ng Agent documentation.
Step 6 Click Apply, and then click OK.
The event configuration for your BalaBit Syslog-ng Agent is complete. You are now
ready to configure JSA as a destination for Syslog-ng Agent events.
Configuring DSMs
Configuring BalaBIt IT Security for Microsoft Windows Events 71
Configuring a Syslog
Destination
The Syslog-ng Agent allows you to configure multiple destinations for your
Windows-based events.
To configure JSA as a destination, you must specify the IP address for JSA, and
then configure a message template for the LEEF format.
Procedure
Step 1 From the Start menu, select All Programs > syslog-ng Agent for Windows >
Configure syslog-ng Agent for Windows.
The Syslog-ng Agent window is displayed.
Step 2 Expand the syslog-ng Agent Settings pane, and click Destinations.
Step 3 Double-click on Add new sever.
The Server Property window is displayed.
Step 4 On the Server tab, click Set Primary Server.
Step 5 Configure the following parameters:
a Server Name - Type the IP address of your JSA console or Event Collector.
b Server Port - Type 514 as the TCP port number for events forwarded to JSA.
Step 6 Click the Messages tab.
Step 7 From the Protocol list box, select Legacy BSD Syslog Protocol.
Step 8 In the Template field, define a custom template message for the protocol by
typing:
<${PRI}>${BSDDATE} ${HOST} LEEF:${MSG}
The information typed in this field is space delimited.
Step 9 From the Event Message Format pane, in the Message Template field, type the
following to define the format for the LEEF events:
1.0|Microsoft|Windows|2k8r2|${EVENT_ID}|devTime=${R_YEAR}-${R_M
ONTH}-${R_DAY}T
${R_HOUR}:${R_MIN}:${R_SEC}GMT${TZOFFSET}
devTimeFormat=yyyy-MM-dd'T'HH:mm:ssz cat=${EVENT_TYPE}
sev=${EVENT_LEVEL} resource=${HOST} usrName=${EVENT_USERNAME}
application=${EVENT_SOURCE} message=${EVENT_MSG}
NOTE
Note: The LEEF format uses tab as a delimiter to separate event attributes from
each other. However, the delimiter does not start until after the last pipe character
for {Event_ID}. The following fields must include a tab before the event name:
devTime, devTimeFormat, cat, sev, resource, usrName, application, and message.
You might need to use a text editor to copy and paste the LEEF message format
into the Message Template field.
Configuring DSMs
72 BALABIT IT SECURITY
Step 10 Click OK.
The destination configuration is complete. You are now ready to restart the
Syslog-ng Agent service.
Restart the Syslog-ng
Agent Service
Before the Syslog-ng Agent can forward LEEF formatted events, you must restart
the Syslog-ng Agent service on the Windows host.
Procedure
Step 1 From the Start menu, select Start > Run.
The Run window is displayed.
Step 2 Type the following:
services.msc
Step 3 Click OK.
The Services window is displayed.
Step 4 In the Name column, right-click on Syslog-ng Agent for Windows, and select
Restart.
After the Syslog-ng Agent for Windows service restarts, the configuration is
complete. Syslog events from the BalaBit Syslog-ng Agent are automatically
discovered by JSA. The Windows events that are automatically discovered are
displayed as Microsoft Windows Security Event Logs on the Log Activity tab.
Configuring a Log
Source
JSA automatically discovers and creates a log source for syslog events from LEEF
formatted messages. These configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your BalaBit Syslog-ng Agent log
source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Microsoft Windows Security Event
Log.
Step 9 Using the Protocol Configuration list box, select Syslog.
Configuring DSMs
Configuring BalaBit IT Security for Microsoft ISA or TMG Events 73
Step 10 Configure the following values:
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.
Configuring BalaBit
IT Security for
Microsoft ISA or
TMG Events
You can integrate the BalaBit Syslog-ng Agent application to forward syslog events
to JSA.
Supported Event
Types
The BalaBit Syslog-ng Agent reads Microsoft ISA or Microsoft TMG event logs and
forwards syslog events using the Log Extended Event Format (LEEF).
The events forwarded by BalaBit IT Security are parsed and categorized by the
Microsoft Internet and Acceleration (ISA) DSM for JSA. The DSM accepts both
Microsoft ISA and Microsoft Threat Management Gateway (TMG) events.
Before You Begin Before you can receive events from BalaBit IT Security Syslog-ng Agents, you
must install and configure the agent to forward events.
NOTE
Note: This integration uses BalaBit’s Syslog-ng Agent for Windows and BalaBit’s
Syslog-ng PE to parse and forward events to JSA for the DSM to interpret.
Review the following configuration steps before you attempt to configure the
BalaBit Syslog-ng Agent:
Table 16-1 Syslog Parameters
Parameter Description
Log Source Identifier Type the IP address or hostname for the log source as an
identifier for events from the BalaBit Syslog-ng Agent.
Configuring DSMs
74 BALABIT IT SECURITY
To configure the BalaBit Syslog-ng Agent, you must:
1 Install the BalaBit Syslog-ng Agent in your Windows host. For more information,
see your BalaBit Syslog-ng Agent vendor documentation.
2 Configure the BalaBit Syslog-ng Agent.
3 Install a BalaBit Syslog-ng PE for Linux or Unix in relay mode to parse and forward
events to JSA. For more information, see your BalaBit Syslog-ng PE vendor
documentation.
4 Configure syslog for BalaBit Syslog-ng PE.
5 Optional. Configure the log source in JSA.
Configure the BalaBit
Syslog-ng Agent
Before you can forward events to JSA, you must specify the file source for
Microsoft ISA or Microsoft TMG events in the Syslog-ng Agent collects.
If your Microsoft ISA or Microsoft TMG appliance is generating event files for the
Web Proxy Server and the Firewall Service, both files can be added.
Configure the file source
File sources allow you to define the base log directory and files monitored by the
Syslog-ng Agent.
Procedure
Step 1 From the Start menu, select All Programs > syslog-ng Agent for Windows >
Configure syslog-ng Agent for Windows.
The Syslog-ng Agent window is displayed.
Step 2 Expand the syslog-ng Agent Settings pane, and select File Sources.
Step 3 Select the Enable radio button.
Step 4 Click Add to add your Microsoft ISA and TMG event files.
Step 5 From the Base Directory field, click Browse and select the folder for your
Microsoft ISA or Microsoft TMG log files.
Step 6 From the File Name Filter field, click Browse and select a log file containing your
Microsoft ISA or Microsoft TMG events.
NOTE
Note: The File Name Filter field supports the wildcard (*) and question mark (?)
characters to follow log files that are replaced after reaching a specific file size or
date.
Step 7 In the Application Name field, type a name to identify the application.
Step 8 From the Log Facility list box, select Use Global Settings.
Step 9 Click OK.
Step 10 To add additional file sources, click Add and repeat this process from Step 4.
Microsoft ISA and TMG store Web Proxy Service events and Firewall Service
events in individual files.
Configuring DSMs
Configuring BalaBit IT Security for Microsoft ISA or TMG Events 75
Step 11 Click Apply, and then click OK.
The event configuration is complete. You are now ready to configure a syslog
destinations and formatting for your Microsoft TMG and ISA events.
Configuring a syslog destination
The event logs captured by Microsoft ISA or TMG cannot be parsed by the BalaBit
Syslog-ng Agent for Windows, so you must forward your logs to a BalaBit
Syslog-ng Premium Edition (PE) for Linux or Unix.
To forward your TMG and ISA event logs, you must specify the IP address for your
PE relay and configure a message template for the LEEF format. The BalaBit
Syslog-ng PE acts as an intermediate syslog server to parse the events and
forward the information to JSA.
Procedure
Step 1 From the Start menu, select All Programs > syslog-ng Agent for Windows >
Configure syslog-ng Agent for Windows.
The Syslog-ng Agent window is displayed.
Step 2 Expand the syslog-ng Agent Settings pane, and click Destinations.
Step 3 Double-click on Add new sever.
Step 4 On the Server tab, click Set Primary Server.
Step 5 Configure the following parameters:
a Server Name - Type the IP address of your BalaBit Syslog-ng PE relay.
b Server Port - Type 514 as the TCP port number for events forwarded to your
BalaBit Syslog-ng PE relay.
Step 6 Click the Messages tab.
Step 7 From the Protocol list box, select Legacy BSD Syslog Protocol.
Step 8 From the File Message Format pane, in the Message Template field, type the
following format command:
${FILE_MESSAGE}${TZOFFSET}
Step 9 Click Apply, and then click OK.
The destination configuration is complete. You are now ready to filter comment
lines from the event log.
Filtering the log file for comment lines
The event log file for Microsoft ISA or Microsoft TMG can contain comment
markers, these comments must be filtered from the event message.
Procedure
Step 1 From the Start menu, select All Programs > syslog-ng Agent for Windows >
Configure syslog-ng Agent for Windows.
The Syslog-ng Agent window is displayed.
Configuring DSMs
76 BALABIT IT SECURITY
Step 2 Expand the syslog-ng Agent Settings pane, and select Destinations.
Step 3 Right-click on your JSA syslog destination and select Event Filters > Properties.
The Global event filters Properties window is displayed.
Step 4 Configure the following values:
From the Global file filters pane, select Enable.
From the Filter Type pane, select Black List Filtering.
Step 5 Click OK.
Step 6 From the filter list menu, double-click Message Contents.
The Message Contents Properties window is displayed.
Step 7 From the Message Contents pane, select the Enable radio button.
Step 8 In the Regular Expression field, type the following regular expression:
^#
Step 9 Click Add.
Step 10 Click Apply, and then click OK.
The event messages containing comments are no longer forwarded.
NOTE
Note: You might be required to restart Syslog-ng Agent for Windows service to
begin syslog forwarding. For more information, see your BalaBit Syslog-ng Agent
documentation.
Configuring a BalaBit
Syslog-ng PE Relay
The BalaBit Syslog-ng Agent for Windows sends Microsoft TMG and ISA event
logs to a Balabit Syslog-ng PE installation, which is configured in relay mode.
The relay mode installation is responsible for receiving the event log from the
BalaBit Syslog-ng Agent for Windows, parsing the event logs in to the LEEF
format, then forwarding the events to JSA using syslog.
To configure your BalaBit Syslog-ng PE Relay, you must:
1 Install BalaBit Syslog-ng PE for Linux or Unix in relay mode. For more information,
see your BalaBit Syslog-ne PE vendor documentation.
2 Configure syslog on your Syslog-ng PE relay.
NOTE
Note: For a sample syslog.conf file you can use to configure Microsoft TMG and
ISA logs using your BalaBit Syslog-ng PE relay, see
http://www.juniper.net/customers/support/.
The BalaBit Syslog-ng PE formats the TMG and ISA events in the LEEF format
based on the configuration of your syslog.conf file. The syslog.conf file is
responsible for parsing the event logs and forwarding the events to JSA.
Configuring DSMs
Configuring BalaBit IT Security for Microsoft ISA or TMG Events 77
Procedure
Step 1 Using SSH, log in to your BalaBit Syslog-ng PE relay command-line interface
(CLI).
Step 2 Edit the following file:
/etc/syslog-ng/etc/syslog.conf
Step 3 From the destinations section, add an IP address and port number for each relay
destination.
For example,
######
# destinations
destination d_messages { file("/var/log/messages"); };
destination d_remote_tmgfw { tcp("JSA_IP" port(JSA_PORT)
log_disk_fifo_size(10000000) template(t_tmgfw)); };
destination d_remote_tmgweb { tcp("JSA_IP" port(JSA_PORT)
log_disk_fifo_size(10000000) template(t_tmgweb)); };
Where:
JSA_IP is the IP address of your JSA console or Event Collector.
JSA_PORT is the port number required for JSA to receive syslog events. By default,
JSA receives syslog events on port 514.
Step 4 Save the syslog configuration changes.
Step 5 Restart Syslog-ng PE to force the configuration file to be read.
The BalaBit Syslog-ng PE configuration is complete. Syslog events forwarded from
the BalaBit Syslog-ng relay are automatically discovered by JSA as Microsoft
Windows Security Event Log on the Log Activity tab. For more information, see
the Juniper Secure Analytics Users Guide.
NOTE
Note: When using multiple syslog destinations, messages are considered
delivered after they successfully arrived at the primary syslog destination.
Configuring a Log
Source
JSA automatically discovers and creates a log source for syslog events from LEEF
formatted messages provided by your BalaBit Syslog-ng relay. The following
configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
The Data Sources panel is displayed.
Step 4 Click the Log Sources icon.
The Log Sources window is displayed.
Configuring DSMs
Configuring BalaBit IT Security for Microsoft ISA or TMG Events 78
Step 5 Click Add.
The Add a log source window is displayed.
Step 6 In the Log Source Name field, type a name for the log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Microsoft ISA.
Step 9 From the Protocol Configuration list box, select Syslog.
The syslog protocol configuration is displayed.
Step 10 Configure the following values:
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The BalaBit IT Security configuration for Microsoft ISA and Microsoft TMG events
is complete.
Table 16-2 Syslog Parameters
Parameter Description
Log Source Identifier Type the IP address or hostname for the log source as an
identifier for Microsoft ISA or Microsoft Threat Management
Gateway events from the BalaBit Syslog-ng Agent.
Configuring DSMs
14 BARRACUDA
This section includes information on configuring the following DSMs:
Barracuda Spam & Virus Firewall
Barracuda Web Application Firewall
Barracuda Web Filter
Barracuda Spam &
Virus Firewall
You can integrate Barracuda Spam & Virus Firewall with Juniper Secure Analytics
(JSA).
Supported Event
Types
The Barracuda Spam & Virus Firewall DSM for JSA accepts both Mail syslog
events and Web syslog events from Barracuda Spam & Virus Firewall appliances.
Mail syslog events contain the event and action taken when the firewall processes
email. Web syslog events record information on user activity and configuration
changes on your Barracuda Spam & Virus Firewall appliance.
Before You Begin Before you can receive events in JSA, you must configure your Barracuda Spam &
Virus Firewall to forward syslog events. Syslog messages are sent to JSA from
Barracuda Spam & Virus Firewall using UDP port 514. You must verify any
firewalls between JSA and your Barracuda Spam & Virus Firewall appliance allow
UDP traffic on port 514.
Configuring Syslog
Event Forwarding
You can configure syslog forwarding for Barracuda Spam & Virus Firewall.
Procedure
Step 1 Log in to the Barracuda Spam & Virus Firewall web interface.
Step 2 Click the Advanced tab.
Step 3 From the Advanced menu, select Advanced Networking.
Step 4 From the Mail Syslog field, type IP address of your JSA console or Event
Collector.
Step 5 Click Add.JSA
Step 6 From the Web Interface Syslog field, type IP address of your JSA console or
Event Collector.
Configuring DSMs
80 BARRACUDA
Step 7 Click Add.
The syslog configuration is complete.
Configuring a Log
Source
JSA automatically discovers and creates a log source for syslog events from
Barracuda Spam & Virus Firewall appliances. The following configuration steps are
optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Barracuda Spam & Virus Firewall.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to JSA. Events forwarded to JSA by Barracuda Spam &
Virus Firewall are displayed on the Log Activity tab.
Barracuda Web
Application
Firewall
You can integrate Barracuda Web Application Firewall with JSA.
Supported Event
Types
The Barracuda Web Application Firewall DSM for JSA accepts system, web
firewall log, access log, and audit log events using syslog.
Barracuda Web Application Firewall to forward syslog events to JSA in a custom
name-value pair event format. Syslog events from Barracuda Web Application
Firewall appliances are provided to JSA using UDP port 514.
Table 17-1 Syslog Parameters
Parameter Description
Log Source Identifier Type the IP address or host name for the log source as an
identifier for events from your Barracuda Spam & Virus
Firewall appliance.
Configuring DSMs
Barracuda Web Application Firewall 81
Before You Begin Before you begin you must create a log source for JSA. JSA does not
automatically discover events for Barracuda Web Application Firewall. After you
configure this DSM, we recommend you verify any firewalls between Barracuda
Web Application Firewall appliance and JSA allow UDP traffic on port 514.
Configuring a Log
Source
To integrate Barracuda Web Application Firewall with JSA, you must manually
create a log source to receive Barracuda Web Application Firewall events.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Barracuda Web Application Firewall.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to JSA.
Configuring Syslog
Event Forwarding
You configure syslog forwarding for Barracuda Web Application Firewall.
Procedure
Step 1 Log in to the Barracuda Web Application Firewall web interface.
Step 2 Click the Advanced tab.
Step 3 From the Advanced menu, select Export Logs.
Step 4 Click Syslog Settings.
Step 5 Configure a syslog facility value for the following options:
Web Firewall Logs Facility - Select a syslog facility between Local0 and
Local7.
Table 17-2 Syslog Parameters
Parameter Description
Log Source Identifier Type the IP address or host name for the log source as an
identifier for events from your Barracuda Web Application
Firewall appliance.
Configuring DSMs
82 BARRACUDA
Access Logs Facility - Select a syslog facility between Local0 and Local7.
Audit Logs Facility - Select a syslog facility between Local0 and Local7.
System Logs Facility - Select a syslog facility between Local0 and Local7.
Setting a syslog unique facility for each log type allows the Barracuda Web
Application Firewall to divide the logs in to different files.
Step 6 Click Save Changes.
The Export Log window is displayed.
Step 7 In the Name field, type name of the syslog server.
Step 8 In the Syslog field, type IP address of your JSA console or Event Collector.
Step 9 From the Log Time Stamp option, select Yes.
Step 10 From the Log Unit Name option, select Yes.
Step 11 Click Add.
Step 12 From the Web Firewall Logs Format list box, select Custom Format.
Step 13 In the Web Firewall Logs Format field, type the following custom event format:
t=%t|ad=%ad|ci=%ci|cp=%cp|au=%au
Step 14 From the Access Logs Format list box, select Custom Format.
Step 15 In the Access Logs Format field, type the following custom event format:
t=%t|p=%p|s=%s|id=%id|ai=%ai|ap=%ap|ci=%ci|cp=%cp|si=%si|sp=%sp
|cu=%cu
Step 16 From the Access Logs Format list box, select Custom Format.
Step 17 In the Access Logs Format field, type the following custom event format:
t=%t|trt=%trt|an=%an|li=%li|lp=%lp
Step 18 Click Save Changes.
Step 19 From the navigation menu, select Basic > Administration.
Step 20 From the System/Reload/Shutdown pane, click Restart.
The syslog configuration is complete after your Barracuda Web Application
Firewall restarts. Events forwarded to JSA by Barracuda Web Application Firewall
are displayed on the Log Activity tab.
Barracuda Web
Filter
You can integrate Barracuda Web Filter appliance events with JSA.
Supported Event
Types
The Barracuda Web Filter DSM for JSA accepts web traffic and web interface
events in syslog format forwarded by Barracuda Web Filter appliances.
Web traffic events contain the event and action taken when the appliance
processes web traffic. Web interface events contain user login activity and
configuration changes to the Web Filter appliance.
Configuring DSMs
Barracuda Web Filter 83
Before You Begin Before you can receive events in JSA, you must configure your Barracuda Web
Filter to forward syslog events.
Syslog messages are forward to JSA using UDP port 514. You must verify any
firewalls between JSA and your Barracuda Web Filter appliance allow UDP traffic
on port 514.
Configuring Syslog
Event Forwarding
You can configure syslog forwarding for Barracuda Web Filter.
Procedure
Step 1 Log in to the Barracuda Web Filter web interface.
Step 2 Click the Advanced tab.
Step 3 From the Advanced menu, select Syslog.
Step 4 From the Web Traffic Syslog field, type IP address of your JSA console or Event
Collector.
Step 5 Click Add.
Step 6 From the Web Interface Syslog field, type IP address of your JSA console or
Event Collector.
Step 7 Click Add.
The syslog configuration is complete.
Configuring a Log
Source
JSA automatically discovers and creates a log source for syslog events from
Barracuda Web Filter appliances. The following configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Barracuda Web Filter.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Table 17-1 Syslog Parameters
Parameter Description
Log Source Identifier Type the IP address or host name for the log source as an
identifier for events from your Barracuda Web Filter
appliance.
Configuring DSMs
84 BARRACUDA
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to JSA. Events forwarded by Barracuda Web Filter are
displayed on the Log Activity tab of JSA.
Configuring DSMs
15 BIT9 PARITY
You can integrate Bit9 Parity events with Juniper Secure Analytics (JSA).
Supported Event
Types
The Bit9 Parity DSM for JSA accepts syslog events using the Log Enhanced Event
Format (LEEF), enabling JSA to record all relevant appliance events.
Configuring Bit9
Parity
To collect events, you must configure your Bit9 Parity device to forward syslog
events in the LEEF format.
Procedure
Step 1 Log in to the Bit9 Parity console with Administrator or PowerUser privileges.
Step 2 From the navigation menu on the left side of the console, select Administration >
System Configuration.
The System Configuration window is displayed.
Step 3 Click Server Status.
The Server Status window is displayed.
Step 4 Click Edit.
Step 5 In the Syslog address field, type the IP address of your JSA.
Step 6 From the Syslog format list box, select LEEF (Q1 Labs).
Step 7 Select the Syslog enabled check box.
Step 8 Click Update.
The configuration is complete. The log source is added to JSA as Bit9 Parity
events are automatically discovered. Events forwarded to JSA by Bit9 Parity are
displayed on the Log Activity tab of JSA.
Configure a Log
Source
JSA automatically discovers and creates a log source for syslog events from Bit9
Parity. These configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Configuring DSMs
86 BIT9 PARITY
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Bit9 Parity.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.
Table 18-1 Syslog Parameters
Parameter Description
Log Source Identifier Type the IP address or host name for the log source as an
identifier for events from your Bit9 Parity device.
Configuring DSMs
16 BLUECAT NETWORKS ADONIS
The BlueCat Networks Adonis DSM for Juniper Secure Analytics (JSA) accepts
events forwarded in Log Enhanced Event Protocol (LEEF) using syslog from
BlueCat Adonis appliances managed with BlueCat Proteus.
Supported Versions JSA supports BlueCat Networks Adonis appliances using version 6.7.1-P2 and
above.
You might be required to include a patch on your BlueCat Networks Adonis to
integrate DNS and DHCP events with JSA. For more information, see KB-4670
and your BlueCat Networks documentation.
Supported Event
Types
JSA is capable of collecting all relevant events related to DNS and DHCP queries.
This includes the following events:
DNS IPv4 and IPv6 query events
DNS name server query events
DNS mail exchange query events
DNS text record query events
DNS record update events
DHCP discover events
DHCP request events
DHCP release events
Event Type Format The LEEF format consists of a pipe ( | ) delimited syslog header and a space
delimited event payload.
For example,
Aug 10 14:55:30 adonis671-184
LEEF:1.0|BCN|Adonis|6.7.1|DNS_Query|cat=A_record
src=10.10.10.10 url=test.example.com
If the syslog events forwarded from your BlueCat Adonis appliance are not
formatted similarly to the sample above, you must examine your device
configuration. Properly formatted LEEF event messages are automatically
Configuring DSMs
88 BLUECAT NETWORKS ADONIS
discovered by the BlueCat Networks Adonis DSM and added as a log source to
JSA.
Before You Begin BlueCat Adonis must be configured to generate events in Log Enhanced Event
Protocol (LEEF) and redirect the event output by way of syslog to JSA.
BlueCat Networks provides a script on their appliance to assist you with
configuring syslog. To complete the syslog redirection, you must have
administrative or root access to the command-line interface of the BlueCat Adonis
or your BlueCat Proteus appliance. If the syslog configuration script is not present
on your appliance, you can contact your BlueCat Networks representative.
Configuring BlueCat
Adonis
You can configure your BlueCat Adonis appliance to forward DNS and DHCP
events to JSA.
Procedure
Step 1 Using SSH, log in to your BlueCat Adonis appliance command-line interface.
Step 2 Type the following command to start the syslog configuration script:
/usr/local/bluecat/qradar/setup-qradar.sh
Step 3 Type the IP address of your JSA console or Event Collector.
Step 4 Type yes or no to confirm the IP address.
The configuration is complete when a success message is displayed.
The log source is added to JSA as BlueCat Networks Adonis syslog events are
automatically discovered. Events forwarded to JSA are displayed on the Log
Activity tab. If the events are not automatically discovered, you can manually
configure a log source.
Configuring a Log
Source in JSA
JSA automatically discovers and creates a log source for syslog events from
BlueCat Networks Adonis. However, you can manually create a log source for JSA
to receive syslog events. The following configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select BlueCat Networks Adonis.
Step 9 Using the Protocol Configuration list box, select Syslog.
Configuring DSMs
89
Step 10 Configure the following values:
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.
Table 19-2 Syslog Parameters
Parameter Description
Log Source Identifier Type the IP address or host name for the log source as an
identifier for events from your BlueCat Networks Adonis
appliance.
Configuring DSMs
17 BLUE COAT SG
The Blue Coat SG DSM for Juniper Secure Analytics (JSA) allows you to integrate
events from a Blue Coat SG appliance with JSA.
JSA records all relevant and available information from name-value events that are
separated by pipe (|) characters.
JSA can receive events from your Blue Coat SG appliance using syslog or can
retrieve events from the Blue Coat SG appliance using the Log File protocol. The
instructions provided describe how to configure Blue Coat SG using a custom
name-value pair format. However, JSA supports the following formats:
Custom Format
SQUID
NCSA
main
IM
Streaming
smartreporter
bcereportermain_v1
bcreporterssl_v1
p2p
SSL
bcreportercifs_v1
CIFS
MAPI
For more information about your Blue Coat SG Appliance, see your vendor
documentation.
Configuring DSMs
92 BLUE COAT SG
Creating a Custom
Event Format
The Blue Coat SG DSM for JSA accepts custom formatted events from a Blue
Coat SG appliance.
Procedure
Step 1 Using a web browser, log in to the Blue Coat Management console.
Step 2 Select Configuration > Access Logging > Formats.
Step 3 Select New.
Step 4 Type a format name for the custom format.
Step 5 Select Custom format string.
Step 6 Type the following custom format for JSA:
Bluecoat|src=$(c-ip)|srcport=$(c-port)|dst=$(cs-uri-address)|ds
tport=$(cs-uri-port)|username=$(cs-username)|devicetime=$(gmtti
me)|s-action=$(s-action)|sc-status=$(sc-status)|cs-method=$(cs-
method)|time-taken=$(time-taken)|sc-bytes=$(sc-bytes)|cs-bytes=
$(cs-bytes)|cs-uri-scheme=$(cs-uri-scheme)|cs-host=$(cs-host)|c
s-uri-path=$(cs-uri-path)|cs-uri-query=$(cs-uri-query)|cs-uri-e
xtension=$(cs-uri-extension)|cs-auth-group=$(cs-auth-group)|rs(
Content-Type)=$(rs(Content-Type))|cs(User-Agent)=$(cs(User-Agen
t))|cs(Referer)=$(cs(Referer))|sc-filter-result=$(sc-filter-res
ult)|filter-category=$(sc-filter-category)|cs-uri=$(cs-uri)
Step 7 Select Log Last Header from the list box.
Step 8 Click OK.
Step 9 Click Apply.
NOTE
Note: The custom format for JSA supports additional key-value pairs using the
Blue Coat ELFF format. For more information, see Creating Additional Custom
Format Key-Value Pairs.
You are ready to enable access logging on your Blue Coat device.
Creating a Log
Facility
To use the custom log format created for JSA, you must associate the custom log
format for JSA to a facility.
Procedure
Step 1 Select Configuration > Access Logging > Logs.
Step 2 Click New.
Step 3 Configure the following parameters:
Log Name - Type a name for the log facility.
Log Format - Select the custom format you created in Creating a Custom
Event Format,Step 4.
Description - Type a description for the log facility.
Configuring DSMs
Retrieving Blue Coat Events 93
Step 4 Click OK.
Step 5 Click Apply.
You are ready to enable logging on the Blue Coat device. For more information,
see Enabling Access Logging.
Enabling Access
Logging
You must enable access logging on your Blue Coat SG device.
Procedure
Step 1 Select Configuration > Access Logging > General.
Step 2 Select the Enable Access Logging check box.
If the Enable Access Logging check box is not selected, logging is disabled
globally for all of the formats listed.
Step 3 Click Apply.
You are ready to configure the Blue Coat upload client. For more information, see
Retrieving Blue Coat Events.
Retrieving Blue
Coat Events
Events from your Blue Coat SG appliance are forwarded using the Blue Coat
upload client.
JSA can receive forwarded events using FTP or syslog.
If you are using FTP, see Log File Protocol Configuration.
If you are using syslog, see Syslog Configuration.
Log File Protocol
Configuration
To use FTP, you must configure the Blue Coat upload client.
Procedure
Step 1 Select Configuration > Access Logging > Logs > Upload Client.
Step 2 From the Log list box, select the log containing your custom format.
Step 3 From the Client type list box, select FTP Client.
Step 4 Select the text file option.
If you select the gzip file option on your Blue Coat appliance, you must configure a
Processor for your log source with the GZIP option.
Step 5 Click Settings.
Step 6 From the Settings For list box, select Primary FTP Server.
Step 7 Configure the following values:
a Host - Type the IP address of the FTP server receiving the Blue Coat events.
b Port - Type the FTP port number.
c Path - Type a directory path for the log files.
d Username - Type the username required to access the FTP server.
Configuring DSMs
94 BLUE COAT SG
Step 8 Click OK.
Step 9 Select the Upload Schedule tab.
Step 10 From the Upload the access log option, select periodically.
Step 11 Configure the Wait time between connect attempts.
Step 12 Select if you want to upload the log file to the FTP daily or on an interval.
Step 13 Click Apply.
Configuring a Log Source in JSA
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 From the Log Source Type list box, select the Bluecoat SG Appliance option.
Step 8 From the Protocol Configuration list box, select the Log File option.
Step 9 Configure the following values:
Table 20-1 Blue Coat SG log file protocol parameters
Parameter Description
Log Source Identifier Type an IP address, host name, or name to identify the event
source. IP addresses or host names are recommended as
they allow JSA to identify a log file to a unique event source.
Service Type From the list box, select the protocol you want to use when
retrieving log files from a remote server. The default is SFTP.
SFTP - SSH File Transfer Protocol
FTP - File Transfer Protocol
SCP - Secure Copy
Note: The underlying protocol used to retrieve log files for the
SCP and SFTP service type requires that the server specified
in the Remote IP or Hostname field has the SFTP subsystem
enabled.
Remote IP or
Hostname
Type the IP address or host name of the device storing your
event log files.
Configuring DSMs
Retrieving Blue Coat Events 95
Remote Port Type the TCP port on the remote host that is running the
selected Service Type. The valid range is 1 to 65535.
The options include:
FTP - TCP Port 21
SFTP - TCP Port 22
SCP - TCP Port 22
Note: If the host for your event files is using a non-standard
port number for FTP, SFTP, or SCP, you must adjust the port
value accordingly.
Remote User Type the user name necessary to log in to the host containing
your event files.
The username can be up to 255 characters in length.
Remote Password Type the password necessary to log in to the host.
Confirm Password Confirm the password necessary to log in to the host.
SSH Key File If you select SCP or SFTP as the Service Type, this
parameter allows you to define an SSH private key file. When
you provide an SSH Key File, the Remote Password field is
ignored.
Remote Directory Type the directory location on the remote host from which the
files are retrieved, relative to the user account you are using
to log in.
Note: For FTP only. If your log files reside in the remote user’s
home directory, you can leave the remote directory blank. This
is to support operating systems where a change in the
working directory (CWD) command is restricted.
Recursive Select this check box if you want the file pattern to search sub
folders in the remote directory. By default, the check box is
clear.
The Recursive option is ignored if you configure SCP as the
Service Type.
FTP File Pattern If you select SFTP or FTP as the Service Type, this option
allows you to configure the regular expression (regex)
required to filter the list of files specified in the Remote
Directory. All matching files are included in the processing.
The FTP file pattern you specify must match the name you
assigned to your event files. For example, to collect files
ending with .log, type the following:
.*\.log
Use of this parameter requires knowledge of regular
expressions (regex). For more information, see the following
website:
http://download.oracle.com/javase/tutorial/essential/regex/
Table 20-1 Blue Coat SG log file protocol parameters (continued)
Parameter Description
Configuring DSMs
96 BLUE COAT SG
FTP Transfer Mode This option only appears if you select FTP as the Service
Type. The FTP Transfer Mode parameter allows you to define
the file transfer mode when retrieving log files over FTP.
From the list box, select the transfer mode you want to apply
to this log source:
Binary - Select Binary for log sources that require binary
data files or compressed zip, gzip, tar, or tar+gzip archive
files.
ASCII - Select ASCII for log sources that require an ASCII
FTP file transfer.
You must select NONE for the Processor parameter and
LINEBYLINE the Event Generator parameter when using
ASCII as the FTP Transfer Mode.
SCP Remote File If you select SCP as the Service Type you must type the file
name of the remote file.
Start Time Type the time of day you want the processing to begin. For
example, type 00:00 to schedule the Log File protocol to
collect event files at midnight.
This parameter functions with the Recurrence value to
establish when and how often the Remote Directory is
scanned for files. Type the start time, based on a 24 hour
clock, in the following format: HH:MM.
Recurrence Type the frequency, beginning at the Start Time, that you
want the remote directory to be scanned. Type this value in
hours (H), minutes (M), or days (D).
For example, type 2H if you want the remote directory to be
scanned every 2 hours from the start time. The default is 1H.
Run On Save Select this check box if you want the log file protocol to run
immediately after you click Save.
After the Run On Save completes, the log file protocol follows
your configured start time and recurrence schedule.
Selecting Run On Save clears the list of previously processed
files for the Ignore Previously Processed File parameter.
EPS Throttle Type the number of Events Per Second (EPS) that you do not
want this protocol to exceed. The valid range is 100 to 5000.
Processor If the files located on the remote host are stored in a zip, gzip,
tar, or tar+gzip archive format, select the processor that
allows the archives to be expanded and contents processed.
Table 20-1 Blue Coat SG log file protocol parameters (continued)
Parameter Description
Configuring DSMs
Retrieving Blue Coat Events 97
Step 10 Click Save.
Step 11 On the Admin tab, click Deploy Changes.
The log file protocol configuration for Blue Coat SG is complete.
Syslog Configuration To allow syslog event collection, you must configure your Blue Coat appliance to
forward syslog events.
CAUTION
CAUTION: If your Blue Coat SG appliance is reporting events using syslog (rather
than a file transfer protocol) and the destination syslog server becomes
unavailable, it is possible that other syslog destinations can stop receiving data
until all syslog destinations are again available. This creates the potential for some
syslog data to not be sent at all. If you are sending to multiple syslog destinations,
a disruption in availability in one syslog destination might interrupt the stream of
events to other syslog destinations from your Blue Coat SG appliance.
Procedure
Step 1 Select Configuration > Access Logging > Logs > Upload Client.
Step 2 From the Log list box, select the log containing your custom format.
Step 3 From the Client type drop-down list bow, select Custom Client.
Step 4 Click Settings.
Ignore Previously
Processed File(s)
Select this check box to track and ignore files that have
already been processed by the log file protocol.
JSA examines the log files in the remote directory to
determine if a file has been previously processed by the log
file protocol. If a previously processed file is detected, the log
file protocol does not download the file for processing. All files
that have not been previously processed are downloaded.
This option only applies to FTP and SFTP Service Types.
Change Local
Directory?
Select this check box to define a local directory on your JSA
system for storing downloaded files during processing.
We recommend that you leave this check box clear. When
this check box is selected, the Local Directory field is
displayed, which allows you to configure the local directory to
use for storing files.
Event Generator From the Event Generator list box, select LineByLine.
The Event Generator applies additional processing to the
retrieved event files. Each line of the file is a single event. For
example, if a file has 10 lines of text, 10 separate events are
created.
Table 20-1 Blue Coat SG log file protocol parameters (continued)
Parameter Description
Configuring DSMs
98 BLUE COAT SG
Step 5 From the Settings For list box, select Primary Custom Server.
Step 6 Configure the following values:
a Host - Type the IP address for your JSA.
b Port - Type 514 as the syslog port for JSA.
Step 7 Click OK.
Step 8 Select the Upload Schedule tab.
Step 9 From the Upload the access log, select continuously.
Step 10 Click Apply.
You are now ready to configure a log source for Blue Coat SG events.
Configure a log source
To integrate Barracuda Web Application Firewall with JSA, you must manually
create a log source to receive Blue Coat SG events.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Blue Coat SG Appliance.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to JSA. Events forwarded to JSA by Blue Coat SG are
displayed on the Log Activity tab.
Table 20-2 Syslog Protocol Parameters
Parameter Description
Log Source Identifier Type the IP address or host name for the log source as an
identifier for events from your Blue Coat SG appliance.
Configuring DSMs
Creating Additional Custom Format Key-Value Pairs 99
Creating Additional
Custom Format
Key-Value Pairs
The custom format allows you to forward specific Blue Coat data or events to JSA
using the Extended Log File Format (ELFF).
The custom format is a series of pipe delimited fields starting with Bluecoat| and
containing $(Blue Coat ELFF Parameter). Custom format fields for JSA must
be separated by the pipe character.
For example:
Bluecoat|src=$(c-ip)|srcport=$(c-port)|dst=$(cs-uri-address)|ds
tport=$(cs-uri-port)|username=$(cs-username)|devicetime=$(gmtti
me)|s-action=$(s-action)|sc-status=$(sc-status)|cs-method=$(cs-
method)
For more information on the available Blue Coat ELFF parameters, see your Blue
Coat appliance documentation.
Table 20-3 JSA Custom Format Examples
Blue Coat ELFF Parameter JSA Custom Format Example
sc-bytes $(sc-bytes)
rs(Content-type) $(rs(Content-Type))
Configuring DSMs
18 BRIDGEWATER
The Bridgewater Systems DSM for Juniper Secure Analytics (JSA) accepts events
using syslog.
Supported Event
Types
JSA records all relevant events forwarded from Bridgewater AAA Service
Controller devices using syslog.
Configuring Syslog
for Your Bridgewater
Systems Device
You must configure your Bridgewater Systems appliance to send syslog events to
JSA.
Procedure
Step 1 Log in to your Bridgewater Systems device command-line interface (CLI).
Step 2 To log operational messages to the RADIUS and Diameter servers, open the
following file:
/etc/syslog.conf
Step 3 To log all operational messages, uncomment the following line:
local1.info /WideSpan/logs/oplog
Step 4 To log error messages only, change the local1.info /WideSpan/logs/oplog
line to the following:
local1.err /WideSpan/logs/oplog
NOTE
Note: RADIUS and Diameter system messages are stored in the
/var/adm/messages file.
Step 5 Add the following line:
local1.*@<IP address>
Where <IP address> is the IP address your JSA console.
Step 6 The RADIUS and Diameter server system messages are stored in the
/var/adm/messages file. Add the following line for the system messages:
<facility>.*@<IP address>
Where:
<facility> is the facility used for logging to the /var/adm/messages file.
Configuring DSMs
102 BRIDGEWATER
<IP address> is the IP address of your JSA console.
Step 7 Save and exit the file.
Step 8 Send a hang-up signal to the syslog daemon to make sure all changes are
enforced:
kill -HUP `cat /var/run/syslog.pid`
The configuration is complete. The log source is added to JSA as Bridgewater
Systems appliance events are automatically discovered. Events forwarded to JSA
by your Bridgewater Systems appliance are displayed on the Log Activity tab.
Configuring a Log
Source
JSA automatically discovers and creates a log source for syslog events from a
Bridgewater Systems appliance. The following configuration steps are optional.
Procedure
Step 1 Log in to JSA.
Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.
Step 4 Click the Log Sources icon.
Step 5 Click Add.
Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select Bridgewater Systems AAA Service
Controller.
Step 9 Using the Protocol Configuration list box, select Syslog.
Step 10 Configure the following values:
Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The configuration is complete.
Table 21-1 Syslog Parameters
Parameter Description
Log Source Identifier Type the IP address or host name for the log source as an
identifier for events from your Bridgewater Systems
appliance.
Configuring DSMs
19 BROCADE FABRIC OS
Juniper Secure Analytics (JSA) can collect and categorize syslog system and audit
events from Brocade switches and appliances that use Fabric OS V7.x.
To collect syslog events, you must configure your switch to forward syslog events.
Each switch or appliance must be configured to forward events.
Events that you forward from Brocade switches are automatically discovered. A
log source is configured for each switch or appliance that forwards events to JSA.
Brocade switches or appliance that run Fabric OS V7.x.
Configuring Syslog
for Brocade Fabric
OS Appliances
To collect events, you must configure syslog on your Brocade appliance to forward
events to JSA.
Procedure
To configure syslog for Brocade Fabric OS appliances:
Step 1 Log in to your appliance as an admin user.
Step 2 To configure an address to forward syslog events, type the following command:
syslogdipadd <IP address>
Where <IP address> is the IP address of the JSA console, Event Processor,
Event Collector, or all-in-one system.
Step 3 To verify the address, type the following command:
syslogdipshow
Result
As events are generated by the Brocade switch, they are forwarded to the syslog
destination you specified. The log source is automatically discovered after enough
events are forwarded by the Brocade appliance. It typically takes a minimum of 25
events to automatically discover a log source.
What to do next
Administrators can log in to the JSA console and verify that the log source is
created on the console and that the Log Activity tab displays events from the
Brocade appliance.
Configuring DSMs
20 CA TECHNOLOGIES
This section provides information on the following DSMs:
CA ACF2
CA SiteMinder
CA Top Secret
CA ACF2 Juniper Secure Analytics (JSA) includes two options for integrating CA Access
Control Facility (ACF2) events:
Integrate CA ACF2 with JSA Using IBM Security zSecure
Integrate CA ACF2 with JSA Using Audit Scripts
Integrate CA ACF2
with JSA Using IBM
Security zSecure
The CA ACF2 DSM allows you to integrate LEEF events from an ACF2 image on
an IBM z/OS mainframe using IBM Security zSecure.
Using a zSecure process, events from the System Management Facilities (SMF)
are recorded to an event file in the Log Enhanced Event format (LEEF). JSA
retrieves the LEEF event log files using the log file protocol and processes the
events. You can schedule JSA to retrieve events on a polling interval, which allows
JSA to retrieve the events on the schedule you have defined.
To integrate CA ACF2 events:
1 Confirm your installation meets any prerequisite installation requirements.
2 Configure your CA ACF2 z/OS image to write events in LEEF format. For more
information, see the IBM Security zSecure Suite: CARLa-Driven Components
Installation and Deployment Guide.
3 Create a log source in JSA for CA ACF2 to retrieve your LEEF formatted event
logs.
4 Optional. Create a custom event property for CA ACF2 in JSA. For more
information, see the Custom Event Properties for IBM z/OS technical note.
Before You begin
Before you can configure the data collection process, you must complete the basic
zSecure installation process.
Configuring DSMs
106 CA TECHNOLOGIES
The following installation prerequisites are required:
You must ensure parmlib member IFAPRDxx is not disabled for IBM Security
zSecure Audit on your z/OS image.
The SCKRLOAD library must be APF-authorized.
You must configure a process to periodically refresh your CKFREEZE and
UNLOAD data sets.
You must configure an SFTP, FTP, or SCP server on your z/OS image for JSA
to download your LEEF event files.
You must allow SFTP, FTP, or SCP traffic on firewalls located between JSA and
your z/OS image.
After installing the software, you must also perform the post-installation activities to
create and modify the configuration. For instructions on installing and configuring
zSecure, see the IBM Security zSecure Suite: CARLa-Driven Components
Installation and Deployment Guide.
Create a log source for ACF2 in JSA
You can use the Log File protocol to retrieve archived log files containing events
from a remote host.
Log files are transferred, one at a time, to JSA for processing. The log file protocol
can manage plain text event logs, compressed files, or archives. Archives must
contain plain-text files that can be processed one line at a time. Multi-line event
logs are not supported by the log file protocol. IBM z/OS with zSecure writes log
files to a specified directory as gzip archives. JSA extracts the archive and
processes the events, which are written as one event per line in the file.
To retrieve these events, you must create a log source using the Log File protocol.
JSA requires credentials to log in to the system hosting your LEEF formatted event
files and a polling interval.
To configure a log source in JSA for CA ACF2:
Step