Juniper Secure Analytics

(1)

Log Sources Users Guide

Release

2014.6

(2)

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at

(3)

About the Documentation . . . vii

Documentation and Release Notes . . . vii

Documentation Conventions . . . vii

Documentation Feedback . . . ix

Requesting Technical Support . . . x

Self-Help Online Tools and Resources . . . x

Opening a Case with JTAC . . . x

Part 1 Juniper Secure Analytics Log Sources

Chapter 1 Installing Protocols . . . 3

Installing Protocols . . . 3

Chapter 2 Managing Log Sources . . . 5

Log Sources Management . . . 6

Adding a Log Source . . . 6

Blue Coat Web Security Service REST API protocol configuration options . . . 8

Configuring the Cisco NSEL Protocol . . . 8

Configuring the EMC VMware Protocol . . . 9

Configuring the IBM Tivoli Endpoint Manager SOAP Protocol . . . 10

Configuring the JDBC Protocol . . . 10

Configuring the JDBC - SiteProtector Protocol . . . 12

Configuring the Juniper Networks NSM Protocol . . . 13

Configuring the Juniper Security Binary Log Collector Protocol . . . 14

Configuring the Log File Protocol . . . 14

Configuring the Microsoft DHCP Protocol . . . 16

Configuring the Microsoft Exchange Protocol . . . 16

Configuring the Microsoft IIS protocol . . . 17

Configuring the Microsoft Security Event Log Protocol . . . 18

MQ protocol configuration options . . . 19

Okta REST API protocol configuration options . . . 20

Configuring the OPSEC/LEA Protocol . . . 21

Configuring the Oracle Database Listener Protocol . . . 22

Configuring the PCAP Syslog Combination Protocol . . . 22

Configuring the SDEE Protocol . . . 23

Configuring the SMB Tail Protocol . . . 23

Configuring the SNMPv2 Protocol . . . 24

Configuring the SNMPv3 Protocol . . . 25

Seculert Protection REST API protocol configuration options . . . 25

Configuring the Sophos Enterprise Console JDBC Protocol . . . 26

(4)

Syslog Redirect protocol overview . . . 29

Configuring the TCP Multiline Syslog Protocol . . . 29

Configuring the TLS Syslog Protocol . . . 30

Configuring the UDP Multiline Syslog Protocol . . . 31

Configuring the VMware vCloud Director Protocol . . . 32

Adding Bulk Log Sources . . . 32

Log Source Parsing Order Overview . . . 33

Adding a Log Source Parsing Order . . . 33

Chapter 3 Log Source Extensions . . . 35

Log Source Extensions Overview . . . 35

Patterns in log source extension documents . . . 36

Match Groups . . . 37

Matcher (matcher) . . . 37

Multi-event modifier (event-match-multiple) . . . 40

Single-event modifier (event-match-single) . . . 41

Extension document template . . . 42

Extension document example for parsing one event type . . . 42

Parsing basics . . . 44

Event name and device event category . . . 44

IP address and port patterns . . . 45

Creating a log source extensions document . . . 45

Building a Universal DSM . . . 46

Exporting the logs . . . 47

Common regular expressions . . . 49

Building regular expression patterns . . . 50

Uploading extension documents to JSA . . . 52

Mapping unknown events . . . 53

Parsing issues and examples . . . 55

Converting a protocol . . . 55

Making a single substitution . . . 55

Generating a colon-separated MAC address . . . 56

Combining IP address and port . . . 56

Modifying an Event Category . . . 56

Suppressing identity change events . . . 56

Encoding logs . . . 57

Formatting event dates and time stamps . . . 57

Multiple Log Formats in a Single Log Source . . . 57

Parsing a CSV log format . . . 58

Log Source Type IDs . . . 59

Chapter 4 Managing Log Source Extensions . . . 73

Log Source Extensions Overview . . . 73

Adding a Log Source Extension . . . 74

(5)

About the Documentation . . . vii

Table 1: Notice Icons . . . viii

Table 2: Text and Syntax Conventions . . . viii

Part 1 Juniper Secure Analytics Log Sources

Chapter 2 Managing Log Sources . . . 5

Table 3: Log Source parameters . . . 7

Table 4: Blue Coat Web Security Service REST API protocol parameters . . . 8

Table 5: Cisco NSEL Protocol Parameters . . . 9

Table 6: EMC VMware Protocol Parameters . . . 9

Table 7: IBM Tivoli Endpoint Manager SOAP Protocol Parameters . . . 10

Table 8: JDBC Protocol Parameters . . . 10

Table 9: JDBC - SiteProtector Protocol Parameters . . . 12

Table 10: Juniper Networks NSM Protocol Parameters . . . 13

Table 11: Juniper Security Binary Log Collector Protocol Parameters . . . 14

Table 12: Log File Protocol Parameters . . . 15

Table 13: Microsoft DHCP Protocol Parameters . . . 16

Table 14: Microsoft Exchange Protocol Parameters . . . 17

Table 15: Microsoft IIS Protocol Parameters . . . 18

Table 16: Microsoft Security Event Log Protocol Parameters . . . 19

Table 17: MQ protocol parameters . . . 20

Table 18: Okta REST API protocol parameters . . . 21

Table 19: OPSEC/LEA Protocol Parameters . . . 21

Table 20: Oracle Database Listener Protocol Parameters . . . 22

Table 21: PCAP Syslog Combination Protocol Parameters . . . 23

Table 22: SDEE Protocol Parameters . . . 23

Table 23: SMB Tail Protocol Parameters . . . 24

Table 24: SNMPv2 Protocol Parameters . . . 24

Table 25: SNMPv3 Protocol Parameters . . . 25

Table 26: Seculert Protection REST API protocol parameters . . . 25

Table 27: Sophos Enterprise Console JDBC Protocol Parameters . . . 26

Table 28: Sourcefire Defense Center Estreamer Protocol Parameters . . . 28

Table 29: Syslog Redirect protocol parameters . . . 29

Table 30: TCP Multiline Syslog Protocol Parameters . . . 30

Table 31: TLS Syslog Protocol Parameters . . . 30

Table 32: UDP Multiline Syslog Protocol Parameters . . . 31

Table 33: VMware vCloud Director Protocol Parameters . . . 32

Chapter 3 Log Source Extensions . . . 35

(6)

Table 35: Description of match group parameters . . . 37

Table 36: Description of matcher parameters . . . 38

Table 37: List of valid matcher field names . . . 39

Table 38: Description of single-event parameters . . . 41

Table 39: Common regex expressions . . . 49

Table 40: Translating pseudo-code to regular expressions . . . 51

Table 41: Mapping regular expressions to capture groups for event fields . . . 52

Table 42: Log Source Type ID . . . 59

Chapter 4 Managing Log Source Extensions . . . 73

(7)

• Documentation and Release Notes on page vii

• Documentation Conventions on page vii

• Documentation Feedback on page ix

• Requesting Technical Support on page x

Documentation and Release Notes

To obtain the most current version of all Juniper Networks®technical documentation, see the product documentation page on the Juniper Networks website at

http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed athttp://www.juniper.net/books.

Documentation Conventions

(8)

Table 1: Notice Icons

Description Meaning

Icon

Indicates important features or instructions. Informational note

Indicates a situation that might result in loss of data or hardware damage. Caution

Alerts you to the risk of personal injury or death. Warning

Alerts you to the risk of personal injury from a laser. Laser warning

Indicates helpful information. Tip

Alerts you to a recommended use or implementation. Best practice

Table 2 on page viiidefines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Examples Description

Convention

To enter configuration mode, type the configure command:

user@host> configure Represents text that you type.

Bold text like this

user@host> show chassis alarms No alarms currently active Represents output that appears on the

terminal screen. Fixed-width text like this

• A policy term is a named structure that defines match conditions and actions.

• Junos OS CLI User Guide

• RFC 1997, BGP Communities Attribute • Introduces or emphasizes important

new terms.

• Identifies guide names.

• Identifies RFC and Internet draft titles.

Italic text like this

Configure the machine’s domain name: [edit]

root@# set system domain-name

domain-name

Represents variables (options for which you substitute a value) in commands or configuration statements.

(9)

Table 2: Text and Syntax Conventions (continued)

Examples Description

Convention

• To configure a stub area, include the stubstatement at the[edit protocols ospf area area-id]hierarchy level. • The console port is labeledCONSOLE. Represents names of configuration

statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform

components. Text like this

stub <default-metric metric>; Encloses optional keywords or variables.

< > (angle brackets)

broadcast | multicast

(string1 | string2 | string3) Indicates a choice between the mutually

exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity. | (pipe symbol)

rsvp { # Required for dynamic MPLS only Indicates a comment specified on the

same line as the configuration statement to which it applies.

# (pound sign)

community name members [ community-ids ]

Encloses a variable for which you can substitute one or more values. [ ] (square brackets) [edit] routing-options { static { route default { nexthop address; retain; } } } Identifies a level in the configuration

hierarchy. Indention and braces ( { } )

Identifies a leaf statement at a configuration hierarchy level. ; (semicolon)

GUI Conventions

• In the Logical Interfaces box, select All Interfaces.

• To cancel the configuration, click Cancel.

Represents graphical user interface (GUI) items you click or select.

Bold text like this

In the configuration editor hierarchy, select Protocols>Ospf.

Separates levels in a hierarchy of menu selections.

> (bold right angle bracket)

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:

• Online feedback rating system—On any page of the Juniper Networks TechLibrary site athttp://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at

(10)

• E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or Partner Support Service support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at

http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit

http://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings:http://www.juniper.net/customers/support/

• Find product documentation:http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base:http://kb.juniper.net/

• Download the latest versions of software and review release notes:

http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications:

http://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum:

http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool:http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool:https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC athttp://www.juniper.net/cm/.

(11)

For international or direct-dial options in countries without toll-free numbers, see

(12)

(13)

• Installing Protocols on page 3

• Managing Log Sources on page 5

• Log Source Extensions on page 35

(14)

(15)

This chapter describes about the following sections:

• Installing Protocols on page 3

Installing Protocols

You can download and install a Juniper Secure Analytics (JSA) protocol. To install JSA protocols:

1. Download the protocol file from Juniper Customer Support:

http://www.juniper.net/support/downloads

2. Copy the protocol file to your JSA console.

3. Using SSH, log in to the JSA host as the root user.

4. Navigate to the directory that includes the downloaded file.

5. Extract the contents of the file if they are compressed.

6. Type the following command: rpm -Uvh <filename>

Where <filename> is the name of the downloaded file. For example: PROTOCOL-WinCollectMicrosoftIAS-7.2-605867.noarch.rpm.

7. Log in to JSA. https://<IP Address>

Where <IP Address> is the IP address of the JSA console or Event Collector.

8. On the Admin tab, click Deploy Changes. The installation is complete.

Log Sources Management

You can configure Juniper Secure Analytics (JSA) to accept event logs from log sources that are on your network. A log source is a data source that creates an event log. For example, a firewall or Intrusion Protection System (IPS) logs security-based events, and switches or routers logs network-based events.

To receive raw events from log sources, JSA supports many protocols. Passive protocols listen for events on specific ports. Active protocols use Application Program Interfaces (APIs) or other communication methods to connect to external systems that poll and retrieve events.

Depending on your license limits, JSA can read and interpret events from more than 300 log sources.

To configure a log source for JSA, you must do the following tasks:

1. Download and install a Device Support Module (DSM) that supports the log source. A DSM is software application that contains the event patterns that are required to identify and parse events from the original format of the event log to the format that JSA can use. For more information about DSMs and the supported log sources, see the Juniper Secure Analytics Configuring DSMs guide.

2. If automatic discovery is supported for the DSM , wait for JSA to automatically add the log source to your list of configured log sources.

3. If automatic discover is not supported for the DSM, manually create the log source configuration. See:

• “Adding a Log Source” on page 6.

• “Adding Bulk Log Sources” on page 32.

Adding a Log Source

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

(19)

Table 3: Log Source parameters

Description Parameter

The IPv4 address or host name that identifies the log source.

If your network contains multiple devices that are attached to a single management console, specify the IP address of the individual device that created the event. A unique identifier for each, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.

Log Source Identifier

When this option is not enabled, the log source does not collect events and the log source is not counted in the license limit.

Enabled

Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Credibility

Specifies the JSA Event Collector that polls the remote log source.

Use this parameter in a distributed deployment to improve JSA console system performance by moving the polling task to an Event Collector.

Target Event Collector

Increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.

When this check box is clear, events are viewed individually and events are not bundled.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. You can use this check box to override the default behavior of the system settings for an individual log source.

Coalescing Events

To add a log source:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the common parameters for your log source.

5. Configure the protocol-specific parameters for your log source.

6. Click Save.

7. On the Admin tab, click Deploy Changes.

Log Sources Management on page 6

•

(20)

Blue Coat Web Security Service REST API protocol configuration options

To receive events from Blue Coat Web Security Service, configure a log source to use the Blue Coat Web Security Service REST API protocol.

The Blue Coat Web Security Service REST API protocol queries the Blue Coat Web Security Service Sync API and retrieves recently hardened log data from the cloud. The following table describes the protocol-specific parameters for the Blue Coat Web Security Service REST API protocol:

Table 4 on page 8describes the Blue Coat Web Security Service REST API protocol parameters.

Table 4: Blue Coat Web Security Service REST API protocol parameters

Description

Parameter

The API user name that is used for authenticating with the Blue Coat Web Security Service. The API user name is configured through the Blue Coat Threat Pulse Portal.

API Username

The password that is used for authenticating with the Blue Coat Web Security Service. Password

Confirmation of the Password field. Confirm Password

When you configure a proxy, all traffic for the log source travels through the proxy for JSA to access the Blue Coat Web Security Service.

Configure the Proxy IP or Hostname, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, you can leave the Proxy Username and Proxy Password fields blank.

Use Proxy

If you select Yes from the list, JSA downloads the certificate and begins trusting the target server.

Automatically Acquire Server Certificate(s)

You can specify when the log collects data. The format is M/H/D for Months/Hours/Days. The default is 5 M.

Recurrence

The upper limit for the maximum number of events per second (EPS). The default is 5000. EPS Throttle

•

Configuring the Cisco NSEL Protocol

To monitor NetFlow packet flows from a Cisco Adaptive Security Appliance (ASA), configure the Cisco Network Security Event Logging (NSEL) protocol source.

(21)

syslog events from Cisco ASA using NetFlow and NSEL. For more information, see the

Juniper Secure Analytics Configuring DSMs.

Table 5 on page 9describes the protocol-specific parameters for the Cisco NSEL protocol.

Table 5: Cisco NSEL Protocol Parameters

Cisco NSEL Protocol Configuration

If the network contains devices that are attached to a management console, administrators can specify the IP address of the individual device that created the event. A unique identifier for each, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.

Log Source Identifier

The UDP port number that Cisco ASA uses to forward NSEL events. JSA uses port 2055 for flow data on JSA Flow Processors. You must assign a different UDP port on the Cisco Adaptive Security Appliance for NetFlow.

Collector Port

Configuring the TCP Multiline Syslog Protocol on page 29.

•

• Configuring the VMware vCloud Director Protocol on page 32.

Configuring the EMC VMware Protocol

To receive event data from the VMWare web service for virtual environments, configure a log source to use the EMC VMWare protocol.

Table 6 on page 9describes the protocol-specific parameters for the EMC VMware protocol.

Table 6: EMC VMware Protocol Parameters

EMC VMware Protocol Configuration

The value for this parameter must match theVMware IPparameter. Log Source Identifier

The IP address of the VMWare ESXi server, for example, 1.1.1.1. The VMware protocol appends the IP address of your VMware ESXi server with HTTPS before the protocol requests event data.

VMware IP

Configuring the JDBC Protocol on page 10.

•

(22)

Configuring the IBM Tivoli Endpoint Manager SOAP Protocol

To receive Log Extended Event Format (LEEF) formatted events from IBM Tivoli Endpoint Manager appliances, configure a log source that uses the IBM Tivoli Endpoint Manager SOAP protocol.

This protocol requires IBM Tivoli Endpoint Manager versions V8.2.x or later and the Web Reports application for Tivoli Endpoint Manager.

The Tivoli Endpoint Manager SOAP protocol retrieves events in 30-second intervals over HTTP or HTTPS. As events are retrieved, the IBM Tivoli Endpoint Manager DSM parses and categorizes the events.

Table 7 on page 10describes the protocol-specific parameters for the IBM Tivoli Endpoint Manager SOAP protocol.

Table 7: IBM Tivoli Endpoint Manager SOAP Protocol Parameters

Description

Parameter

IBM Tivoli Endpoint Manager SOAP Protocol Configuration

If a certificate is required to connect with HTTPS, administrators must copy any certificates that are required to the following directory:/opt/JSA/conf/ trusted_certificates. Certificates with the following file extensions:.crt,.cert, or.derare supported. Use HTTPS

By default, port 80 is the port number for communicating with IBM Tivoli Endpoint Manager. Most configurations use port 443 for HTTPS communications.

SOAP Port

Configuring the TLS Syslog Protocol on page 30.

•

• Configuring the Juniper Security Binary Log Collector Protocol on page 14.

Configuring the JDBC Protocol

Juniper Secure Analytics (JSA) uses the Java Database Connectivity (JDBC) protocol to collect information from tables or views that contain event data from several database types.

Table 8 on page 10describes the protocol-specific parameters for the JDBC protocol.

Table 8: JDBC Protocol Parameters

From the list box, select the type of database that contains the events. Database Type

The database name must match the database name that is specified in theLog Source Identifier field.

(23)

Table 8: JDBC Protocol Parameters (continued)

Description

Parameter

The JDBC port must match the listen port that is configured on the remote database. The database must permit incoming TCP connections. If aDatabase Instanceis used with the MSDE database type, administrators must leave thePortparameter blank in the log source

configuration. Port

A user account for JSA in the database. Username

A domain must be configured for MSDE databases that are within a Windows domain. If your network does not use a domain, leave this field blank.

Authentication Domain

The database instance, if required. MSDE databases can include multiple SQL server instances on one server.

When a non-standard port is used for the database or access is blocked to port 1434 for SQL database resolution, theDatabase Instanceparameter must be blank in the log source configuration.

Database Instance

Optional. Predefined Query

The name of the table or view that includes the event records. The table name can include the following special characters: dollar sign ($), number sign (#), underscore (_), en dash (-), and period (.).

Table Name

The list of fields to include when the table is polled for events. You can use a comma-separated list or type * to select all fields from the table or view. If a comma-separated list is defined, the list must contain the field that is defined in theCompare Field.

Select List

A numeric value or time stamp field from the table or view that identifies new events that are added to the table between queries. Enables the protocol to identify events that were previously polled by the protocol to ensure that duplicate events are not created.

Compare Field

Prepared statements enable the JDBC protocol source to set up the SQL statement, and then run the SQL statement numerous times with different parameters. For security and performance reasons, most JDBC protocol configurations can use prepared statements.

Use Prepared Statements

If a start time is not defined, the protocol attempts to poll for events after the log source configuration is saved and deployed.

Start Date and Time

The default polling interval is 10 seconds. Polling Interval

The upper limit for the permitted number of Events Per Second (EPS). EPS Throttle

Named pipe connections for MSDE databases require that the user name and password field use a Windows authentication user name and password instead of the database user name and password. The log source configuration must use the default named pipe on the MSDE database.

Use Named Pipe Communication

TheUse NTLMv2check box does not interrupt communications for MSDE connections that do not require NTLMv2 authentication.

(24)

Configuring the Sophos Enterprise Console JDBC Protocol on page 26.

•

• Configuring the Juniper Networks NSM Protocol on page 13.

• Configuring the OPSEC/LEA Protocol on page 21.

Configuring the JDBC - SiteProtector Protocol

To receive events from remote JSA Proventia Management SiteProtector databases, configure a log source to use the Java Database Connectivity (JDBC) - SiteProtector protocol.

The JDBC - SiteProtector protocol combines information from the SensorData1 and SensorDataAVP1 tables in the creation of the log source payload. The SensorData1 and SensorDataAVP1 tables are in the JSA Proventia Management SiteProtector database. The maximum number of rows that the JDBC - SiteProtector protocol can poll in a single query is 30,000 rows.

Table 9 on page 12describes the protocolspecific parameters for the JDBC -SiteProtector protocol.

Table 9: JDBC - SiteProtector Protocol Parameters

Description Parameter JDBC - SiteProtector Protocol Configuration MSDE Database Type

Type RealSecureDB the name of the database to which the protocol can connect. Database Name

The JDBC - SiteProtector configuration port must match the listener port of the database. The database must have incoming TCP connections enabled. If you define aDatabase Instancewhen with MSDE as the database type, you must leave thePortparameter blank. Port

If you select MSDE and the database is configured for Windows, you must define a Windows domain.

If your network does not use a domain, leave this field blank. Authentication Domain

If you select MSDE and you have multiple SQL server instances on one server, define the instance to which you want to connect.

If you use a non-standard port in your database configuration, or have blocked access to port 1434 for SQL database resolution, you must leave theDatabase Instanceparameter blank in your configuration

Database Instance

SensorData1 Table Name

SensorDataAVP AVP View Name

(25)

Table 9: JDBC - SiteProtector Protocol Parameters (continued)

Description

Parameter

Type * to include all fields from the table or view. Select List

SensorDataRowID Compare Field

Prepared statements allow the JDBC protocol source to set up the SQL statement, and then execute the SQL statement numerous times with different parameters. For security and performance reasons, use prepared statements. You can clear this check box to use an alternative method of querying that does not use pre-compiled statements.

The number of Events Per Second (EPS) that you do not want this protocol to exceed. EPS Throttle

If you select MSDE as the database type, select the check box to use an alternative method to a TCP/IP port connection. When you use a Named Pipe connection, the user name and password must be the appropriate Windows authentication username and password and not the database user name and password. The log source configuration must use the default named pipe.

Use Named Pipe Communication

The cluster name to ensure that named pipe communications function properly. Database Cluster Name

Forces MSDE connections to use the NTLMv2 protocol with SQL servers that require NTLMv2 authentication. TheUse NTLMv2check box does not interrupt communications for MSDE connections that do not require NTLMv2 authentication.

Use NTLMv2

•

• Configuring the OPSEC/LEA Protocol on page 21.

Configuring the Juniper Networks NSM Protocol

To receive Juniper Networks Network and Security Manager (NSM) and Juniper Networks Secure Service Gateway (SSG) logs events, configure a log source to use the Juniper Networks NSM protocol.

Table 10 on page 13describes the protocol-specific parameters for the Juniper Networks Network and Security Manager protocol.

Table 10: Juniper Networks NSM Protocol Parameters

Juniper NSM Log Source Type

Juniper NSM Protocol Configuration

•

(26)

Configuring the Juniper Security Binary Log Collector Protocol

You can configure a log source to use the Security Binary Log Collector protocol. With this protocol, Juniper appliances can send audit, system, firewall, and intrusion prevention system (IPS) events in binary format to JSA.

The binary log format from Juniper SRX or J Series appliances are streamed by using the UDP protocol. You must specify a unique port for streaming binary formatted events. The standard syslog port 514 cannot be used for binary formatted events. The default port that is assigned to receive streaming binary events from Juniper appliances is port 40798.

Table 11 on page 14describes the protocol-specific parameters for the Juniper Security Binary Log Collector protocol.

Table 11: Juniper Security Binary Log Collector Protocol Parameters

Description

Parameter

Security Binary Log Collector Protocol Configuration

The path to the XML file used to decode the binary stream from your Juniper SRX or Juniper J Series appliance. By default, the device support module (DSM) includes an XML file for decoding the binary stream.

The XML file is in the following directory: /opt/JSA/conf/ security_log.xml. XML Template File Location

Configuring the VMware vCloud Director Protocol on page 32.

•

• Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 10.

Configuring the Log File Protocol

To receive events from remote hosts, configure a log source to use the log file protocol. The log file protocol is intended for systems that write daily event logs. It is not appropriate to use the log file protocol for devices that append information to their event files. Log files are retrieved one at a time. The log file protocol can manage plain text, compressed files, or file archives. Archives must contain plain-text files that can be processed one line at a time. When the log file protocol downloads an event file, the information that is received in the file updates the Log Activity tab. If more information is written to the file after the download is complete, the appended information is not processed.

(27)

Table 12: Log File Protocol Parameters

Log File Protocol Configuration

If the remote host uses a non-standard port number, you must adjust the port value to retrieve events.

Remote Port

The path to the SSH key, if the system is configured to use key authentication. When an SSH key file is used, the Remote Password field is ignored.

SSH Key File

For FTP, if the log files are in the remote user’s home directory, you can leave the remote directory blank. A blank remote directory field supports systems where a change in the working directory (CWD) command is restricted.

Remote Directory

This option is ignored for SCP file transfers. Recursive

The regular expression (regex) required to identify the files to download from the remote host. FTP File Pattern

For ASCII transfers over FTP, you must select NONE in theProcessorfield and LINEBYLINE in theEvent Generatorfield.

FTP Transfer Mode

The time interval to determine how frequently the remote directory is scanned for new event log files. The time interval can include values in hours (H), minutes (M), or days (D). For example, a recurrence of 2H scans the remote directory every 2 hours.

Recurrence

Starts the log file import immediately after you save the log source configuration. When selected, this check box clears the list of previously downloaded and processed files. After the first file import, the log file protocol follows the start time and recurrence schedule that is defined by the administrator.

Run On Save

The number of Events Per Second (EPS) that the protocol cannot exceed. EPS Throttle

Changes the local directory on theTarget Event Collectorto store event logs before they are processed.

Change Local Directory?

The local directory on theTarget Event Collector. The directory must exist before the log file protocol attempts to retrieve events.

Local Directory

The character encoding that is used by the events in your log file. File Encoding

The character that is used to separate folders for your operating system. Most configurations can use the default value in Folder Separator field. This field is intended for operating systems that use a different character to define separate folders. For example, periods that separate folders on mainframe systems.

Folder Separator

•

(28)

Configuring the Microsoft DHCP Protocol

To receive events from Microsoft DHCP servers, configure a log source to use the Microsoft DHCP protocol.

To read the log files, folder paths that contain an administrative share (C$), require NetBIOS privileges on the administrative share (C$). Local or domain administrators have sufficient privileges to access log files on administrative shares.

Fields for the Microsoft DHCP protocol that support file paths allow administrators to define a drive letter with the path information. For example, the field can contain the c$/LogFiles/directory for an administrative share, or the LogFiles/directory for a public share folder path, but cannot contain the c:\LogFiles directory.

NOTE: The Microsoft authentication protocol NTLMv2 is not supported by the Microsoft DHCP protocol.

Table 13 on page 16describes the protocol-specific parameters for the Microsoft DHCP protocol.

Table 13: Microsoft DHCP Protocol Parameters

Description Parameter Microsoft DHCP Protocol Configuration Optional. Domain

The directory path to the DHCP log files. Folder Path

The regular expression (regex)that identifies event logs. The log files must contain a three-character abbreviation for a day of the week. Use one of the following file patterns: • IPv4 file pattern - DhcpSrvLog-(?:Sun|Mon|Tue|Wed|Thu| Fri| Sat)\.log.

• IPv6 file pattern - DhcpV6SrvLog-(?:Sun|Mon|Tue|Wed|Thu| Fri|Sat) \.log. • Mixed IPv4 and IPv6 file pattern - Dhcp.*SrvLog-(?:Sun|Mon| Tue|Wed|Thu|Fri|Sat)

\.log. File Pattern

•

• Configuring the JDBC - SiteProtector Protocol on page 12.

Configuring the Microsoft Exchange Protocol

(29)

Fields for the Microsoft Exchange protocol that support file paths allow administrators to define a drive letter with the path information. For example, the field can contain the c$/LogFiles/ directoryfor an administrative share, or the LogFiles/directory for a public share folder path, but cannot contain the c:\LogFiles directory.

NOTE: The Microsoft Exchange protocol does not support Microsoft Exchange 2003 or Microsoft authentication protocol NTLMv2 Session.

Table 14 on page 17describes the protocol-specific parameters for the Microsoft Exchange protocol.

Table 14: Microsoft Exchange Protocol Parameters

Description Parameter Microsoft Exchange Protocol Configuration Optional. Domain

When the folder path is clear, SMTP event collection is disabled. SMTP Log Folder Path

When the folder path is clear, OWA event collection is disabled. OWA Log Folder Path

Message tracking is available on Microsoft Exchange 2007 or 2010 servers assigned the Hub Transport, Mailbox, or Edge Transport server role.

MSGTRK Log Folder Path

The regular expression (regex) that identifies the event logs. The default is *\.(?:log|LOG).

File Pattern

If the check box is cleared, the log file is read only when Juniper Secure Analytics (JSA) detects a change in the modified time or file size.

Force File Read

The maximum number of events the Exchange protocol can forward per second. Throttle Events/Second

•

Configuring the Microsoft IIS protocol

(30)

Fields for the Microsoft IIS protocol that support file paths allow administrators to define a drive letter with the path information. For example, the field can contain the c$/LogFiles/ directory for an administrative share, or the LogFiles/directory for a public share folder path, but cannot contain the c:\LogFiles directory.

NOTE: The Microsoft authentication protocol NTLMv2 is not supported by the Microsoft IIS protocol.

Table 15 on page 18describes the protocol-specific parameters for the Microsoft IIS protocol.

Table 15: Microsoft IIS Protocol Parameters

Microsoft IIS Protocol Configuration

The regular expression (regex) that identifies the event logs. File Pattern

The maximum number of events the IIS protocol can forward per second. Throttle Events/Second

•

Configuring the Microsoft Security Event Log Protocol

You can configure a log source to use the Microsoft Security Event Log protocol. You can use Microsoft Windows Management Instrumentation (WMI) to collect customized event logs or agentless Windows Event Logs.

The WMI API requires that firewall configurations accept incoming external

communications on port 135 and on any dynamic ports that are required for DCOM. The following list describes the log source limitations that you use the Microsoft Security Event Log Protocol:

• Systems that exceed 50 events per second (eps) might exceed the capabilities of this protocol. Use WinCollect for systems that exceed 50 eps.

• A Juniper Secure Analytics (JSA) all-in-one installation can support up to 250 log sources with the Microsoft Security Event Log protocol.

(31)

The Microsoft Security Event Log protocol is not suggested for remote servers that are accessed over network links. For example, systems with high round-trip delay times, such as satellite or slow WAN networks. Round-trip delay can be confirmed by examining request and response time between a server ping. Network delays that are created by slow connections decrease the EPS throughput available to those remote servers. In addition, event collection from busy servers or Domain Controllers rely on low round-trip delay times to keep up with incoming events. If it is not possible to decrease your network round-trip delay time, administrators can use WinCollect to process Windows events. The Microsoft Security Event Log supports the following software versions with the Microsoft Windows Management Instrumentation (WMI) API:

• Microsoft Windows 2000

• Microsoft Windows Server 2003

• Microsoft Windows Server 2008

• Microsoft Windows Server 2008R3

• Microsoft Windows XP

• Microsoft Windows Vista

• Microsoft Windows 7

Table 16 on page 19describes the protocol-specific parameters for the Microsoft Security Event Log protocol.

Table 16: Microsoft Security Event Log Protocol Parameters

Windows Security Event Log Protocol Configuration

•

MQ protocol configuration options

To receive messages from a message queue (MQ) service, configure a log source to use the MQ protocol. The protocol name appears in JSA as MQ JMS.

JSA MQ is supported.

The MQ protocol can monitor multiple message queues, up to a maximum of 50 per log source.

(32)

Table 17: MQ protocol parameters

MQ JMS Protocol Name

The IP address or host name of the primary queue manager. IP or Hostname

The default port that is used for communicating with the primary queue manager is 1414.

Port

The IP address or host name of the standby queue manager. Standby IP or Hostname

The port that is used to communicate with the standby queue manager. Standby Port

The name of the queue manager. Queue Manager

The channel through which the queue manager sends messages. The default channel is SYSTEM.DEF.SVRCONN.

Channel

The queue or list of queues to monitor. A list of queues is specified with a comma-separated list.

Queue

The user name that is used for authenticating with the MQ service. Username

Optional: The password that is used to authenticate with the MQ service. Password

The upper limit for the maximum number of events per second (EPS). EPS Throttle

The character encoding that is used by incoming messages. Incoming Message Encoding

•

Okta REST API protocol configuration options

To receive events from Okta Identity Management, configure a log source to use the Okta REST API protocol.

The Okta REST API protocol queries the Okta Events and Users API endpoints to retrieve information about actions that are completed by users in an organization.

The MQ protocol can monitor multiple message queues, up to a maximum of 50 per log source.

(33)

Table 18: Okta REST API protocol parameters

Description

Parameter

oktaprise.okta.com IP or Hostname

A single authentication token that is generated by the Okta console and must be used for all API transactions.

Authentication Token

When a proxy is configured, all traffic for the log source travels through the proxy for JSA to access Okta Identity Management.

Use Proxy

If you select Yes from the list, JSA downloads the certificate and begins trusting the target server.

You can specify when the log source collects data. The format is M/H/D for Months/Hours/Days. The default is 1 M.

Recurrence

The maximum limit for the number of events per second. EPS Throttle

•

Configuring the OPSEC/LEA Protocol

To receive events on port 18484, configure a log source to use the OPSEC/LEA protocol is a protocol.

Table 19 on page 21describes the protocol-specific parameters for the OPSEC/LEA protocol.

Table 19: OPSEC/LEA Protocol Parameters

OPSEC/LEA Protocol Configuration

You must verify that JSA can communicate on port 18184 by using the OPSEC/LEA protocol.

Server Port

The interval, in seconds, during which the number of syslog events are recorded in the JSA.log file.

Statistics Report Interval

The Secure Internal Communications (SIC) name is the distinguished name (DN) of the application, for example:

(34)

Table 19: OPSEC/LEA Protocol Parameters (continued)

The SIC name of the server, for example:

cn=cp_mgmt,o=fwconsole..7psasx. Log Source SIC Attribute (Entity SIC Name)

The name of the application that makes the certificate request.

OPSEC Application

•

Configuring the Oracle Database Listener Protocol

To remotely collect log files that are generated from an Oracle database server, configure a log source to use the Oracle Database Listener protocol source.

Before you configure the Oracle Database Listener protocol to monitor log files for processing, you must obtain the directory path to the Oracle database log files.

Table 20 on page 22describes the protocol-specific parameters for the Oracle Database Listener protocol.

Table 20: Oracle Database Listener Protocol Parameters

Description

Parameter

Oracle Database Listener Protocol Configuration

•

Configuring the PCAP Syslog Combination Protocol

To collect events from Juniper Networks SRX Series appliances that forward packet capture (PCAP) data, configure a log source to use the PCAP Syslog Combination protocol .

Before you configure a log source that uses the PCAP Syslog Combination protocol, determine the outgoing PCAP port that is configured on the Juniper Networks SRX appliance. PCAP data cannot be forwarded to port 514.

(35)

Table 21: PCAP Syslog Combination Protocol Parameters

Description

Parameter

PCAP Syslog Combination Protocol Configuration

If the outgoing PCAP port is edited on the Juniper Networks SRX Series appliance, you must edit the log source to update the incoming PCAP Port. After you edit theIncoming PCAP Portfield, you must deploy your changes.

Incoming PCAP Port

•

Configuring the SDEE Protocol

You can configure a log source to use the Security Device Event Exchange (SDEE) protocol. Juniper Secure Analytics (JSA) uses the protocol to collect events from appliances that use SDEE servers.

Table 22 on page 23describes the protocol-specific parameters for the SDEE protocol.

Table 22: SDEE Protocol Parameters

The HTTP or HTTPS URL that is required to access the log source, for example,

https://www.mysdeeserver.com/cgi-bin/sdee-server.

For SDEE/CIDEE (Cisco IDS v5.x and later), the URL must end with/cgi-bin/sdee-server. Administrators with RDEP (Cisco IDS v4.x), the URL must end with/cgi-bin/event-server. URL

When the check box is selected, the protocol forces the server to drop the least active connection and accept a new SDEE subscription connection for the log source.

Force Subscription

When a collection request is made and no new events are available, the protocol enables an event block. The block prevents another event request from being made to a remote device that did not have any new events. This timeout is intended to conserve system resources.

Maximum Wait To Block For Events

•

Configuring the SMB Tail Protocol

You can configure a log source to use the SMB Tail protocol. Use this protocol to watch events on a remote Samba share and receive events from the Samba share when new lines are added to the event log.

(36)

Table 23: SMB Tail Protocol Parameters

SMB Tail Protocol Configuration

The directory path to access the log files. For example, administrators can use the c$/LogFiles/ directory for an administrative share, or the LogFiles/ directory for a public share folder path. However, the c:/LogFiles directory is not a supported log folder path.

If a log folder path contains an administrative share (C$), users with NetBIOS access on the administrative share (C$) have the privileges that are required to read the log files.

Local system or domain administrator privileges are also sufficient to access a log files that are on an administrative share.

Log Folder Path

If the check box is cleared, the log file is read only when JSA detects a change in the modified time or file size.

Force File Read

The maximum number of events the SMB Tail protocol forwards per second. Throttle Events/Second

•

Configuring the SNMPv2 Protocol

You can configure a log source to use the SNMPv2 protocol to receive SNMPv2 events.

Table 24 on page 24describes the protocol-specific parameters for the SNMPv2 protocol.

Table 24: SNMPv2 Protocol Parameters

SNMPv2 Protocol Configuration

The SNMP community name that is required to access the system that contains SNMP events.

Community

Specifies that the SNMP event payload is constructed by using name-value pairs instead of the event payload format.

When you select specific log sources from theLog Source Typeslist, OIDs in the event payload are required for processing SNMPv2 or SNMPv3 events.

Include OIDs in Event Payload

•

(37)

Configuring the SNMPv3 Protocol

You can configure a log source to use the SNMPv3 protocol to receive SNMPv3 events.

Table 25 on page 25describes the protocol-specific parameters for the SNMPv3 protocol.

Table 25: SNMPv3 Protocol Parameters

SNMPv3 Protocol Configuration

The algorithms used to authenticate SNMP traps. Authentication Protocol

Specifies that the SNMP event payload is constructed by using name-value pairs instead of the standard event payload format. When you select specific log sources from theLog Source Typeslist, OIDs in the event payload are required for processing SNMPv2 or SNMPv3 events.

Include OIDs in Event Payload

•

Seculert Protection REST API protocol configuration options

To receive events from Seculert, configure a log source to use the Seculert Protection REST API protocol.

Seculert Protection provides alerts on confirmed incidents of malware that are actively communicating or exfiltrating information.

Before you can configure a log source for Seculert, you must obtain your API key from the Seculert web portal.

1. Log in to the Seculert web portal.

2. On the dashboard, click the API tab.

3. Copy the value for Your API Key.

Table 26 on page 25describes the protocol-specific parameters for the Seculert Protection REST API protocol:

Table 26: Seculert Protection REST API protocol parameters

Description

Parameter

The API key that is used for authenticating with the Seculert Protection REST API. The API key value is obtained from the Seculert web portal.

(38)

Table 26: Seculert Protection REST API protocol parameters (continued)

Description

Parameter

When you configure a proxy, all traffic for the log source travels through the proxy for JSA to access the Seculert Protection REST API.

Use Proxy

If you select Yes form the list, JSA downloads the certificate and begins trusting the target server.

Specify when the log collects data. The format is M/H/D for Months/Hours/Days. The default is 1 M.

Recurrence

The upper limit for the maximum number of events per second (eps) for events that are received from the API.

EPS Throttle

•

Configuring the Sophos Enterprise Console JDBC Protocol

To receive events from Sophos Enterprise Consoles, configure a log source to use the Sophos Enterprise Console Java Database Connectivity (JDBC) protocol.

The Sophos Enterprise Console JDBC protocol combines payload information from application control logs, device control logs, data control logs, tamper protection logs, and firewall logs in the vEventsCommonData table. If the Sophos Enterprise Console does not have the Sophos Reporting Interface, you can use the standard JDBC protocol to collect antivirus events.

Table 27 on page 26describes the parameters of the Sophos Enterprise console JDBC protocol.

Table 27: Sophos Enterprise Console JDBC Protocol Parameters

Description

Parameter

Sophos Enterprise console JDBC Protocol Configuration

MSDE Database Type

The database name must match the database name that is specified in theLog Source Identifier field.

(39)

Table 27: Sophos Enterprise Console JDBC Protocol Parameters (continued)

Description

Parameter

The default port for MSDE in Sophos Enterprise Console is 1168. The JDBC configuration port must match the listener port of the Sophos database to communicate with JSA. The Sophos database must have incoming TCP connections enabled.

If aDatabase Instanceis used with the MSDE database type, administrators must leave thePort parameter blank in the log source configuration.

Port

If your network does not use a domain, leave this field blank. Authentication Domain

The database instance, if required. MSDE databases can include multiple SQL server instances on one server.

When a non-standard port is used for the database or administrators block access to port 1434 for SQL database resolution, theDatabase Instanceparameter must be blank.

Database Instance

vEventsCommonData

The table name can include the following special characters: dollar sign ( $ ), number sign ( # ), underscore ( _ ), en dash ( - ), and period( . ).

Table Name

* Select List

InsertedAt Compare Field

Prepared statements enable the protocol source to set up the SQL statement, and then run the SQL statement numerous times with different parameters. For security and performance reasons, most configurations can use prepared statements. Clear this check box to use an alternative method of querying that do not use pre-compiled statements.

Optional. A start date and time for when the protocol can start to poll the database. If a start time is not defined, the protocol attempts to poll for events after the log source configuration is saved and deployed.

Start Date and Time

The polling interval, which is the amount of time between queries to the database.

You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values without an H or M designator poll in seconds.

Polling Interval

The number of Events Per Second (EPS) that you do not want this protocol to exceed. EPS Throttle

If MSDE is configured as the database type, administrators can select this check box to use an alternative method to a TCP/IP port connection.

Named pipe connections for MSDE databases require the user name and password field to use a Windows authentication username and password and not the database user name and password. The log source configuration must use the default named pipe on the MSDE database. Use Named Pipe

Communication

If you use your SQL server in a cluster environment, define the cluster name to ensure that named pipe communications function properly.

(40)

Table 27: Sophos Enterprise Console JDBC Protocol Parameters (continued)

Description

Parameter

Forces MSDE connections to use the NTLMv2 protocol with SQL servers that require NTLMv2 authentication. The default value of the check box is selected.

TheUse NTLMv2check box does not interrupt communications for MSDE connections that do not require NTLMv2 authentication.

Use NTLMv2

•

Configuring the Sourcefire Defense Center Estreamer Protocol

To receive events from a Sourcefire Defense Center Estreamer (Event Streamer) service, configure a log source to use the Sourcefire Defense Center Estreamer protocol. Event files are streamed to JSA to be processed after the Sourcefire Defense Center DSM is configured.

Table 28 on page 28describes the protocol-specific parameters for the Sourcefire Defense Center Estreamer protocol.

Table 28: Sourcefire Defense Center Estreamer Protocol Parameters

Description

Parameter

Sourcefire Defense Center Estreamer. Protocol Configuration

The default port that JSA uses for Sourcefire Defense Center Estreamer is 8302. Server Port

The directory path and file name for the key store private key and associated certificate. By default, the import script creates the key store file in the following directory:

/opt/JSA/conf/estreamer.keystore. Key store Filename

The truststore file contains the certificates that are trusted by the client. By default, the import script creates the truststore file in the following directory:

/opt/JSA/conf/estreamer.truststore. Truststore Filename

Select this option to request extra data from Sourcefire Defense Center Estreamer, for example, extra data includes the original IP address of an event.

Request Extra Data

Select this option to use an alternative method for retrieving events from an eStreamer source.

Extended Requests are supported on Sourcefire DefenseCenter Estreamer version 5.0 or later.

Use Extended Requests

•

(41)

Syslog Redirect protocol overview

The Syslog Redirect protocol is used as an alternative to the Syslog protocol. Use this protocol when you want to JSA identify the specific device name that sent the events. JSA can passively listen for Syslog events on UDP port 517.

Table 29 on page 29describes the protocol-specific parameters for the Syslog Redirect protocol:

Table 29: Syslog Redirect protocol parameters

Syslog Redirect Protocol Configuration

devname=([\w-]+) Log Source Identifier RegEx

517 Listen Port UDP Protocol Related Documentation

•

Configuring the TCP Multiline Syslog Protocol

You can configure a log source that uses the TCP multiline syslog protocol. To create a single-line event, this protocol uses regular expressions to identify the start and end pattern of multiline events.

The following example is a multiline event:

06/13/2012 08:15:15 PM Log Name=Security

Source Name=Microsoft Windows security auditing. Event Code=5156

Event Type=0

TaskCategory=Filtering Platform Connection Keywords=Audit Success

Message=The Windows Filtering Platform permitted a connection. Process ID: 4

Application Name: System Direction: Inbound Source Address: 1.1.1.1 Source Port: 80

(42)

Table 30 on page 30describes the protocol-specific parameters for the TCP multiline syslog protocol.

Table 30: TCP Multiline Syslog Protocol Parameters

Description

Parameter

TCP Multiline Syslog Protocol Configuration

The default listen port is 12468. Listen Port

Use the Windows Multiline option for multiline events that are formatted specifically for Windows. Event Formatter

The regular expression (regex) that is required to identify the start of a TCP multiline event payload. Syslog headers typically begin with a date or time stamp. The protocol can create a single-line event that is based on solely an event start pattern, such as a time stamp. When only a start pattern is available, the protocol captures all the information between each start value to create a valid event.

Event Start Pattern

The regular expression (regex) that is required to identify the last field of a TCP multiline event payload. If the syslog event ends with the same value, you can use a regular expression to determine the end of an event. The protocol can capture events that are based on solely on an event end pattern. When only an end pattern is available, the protocol captures all the information between end start value to create a valid event.

Event End Pattern

Configuring the TLS Syslog Protocol on page 30.

•

• Configuring the Juniper Security Binary Log Collector Protocol on page 14.

Configuring the TLS Syslog Protocol

To receive encrypted syslog events from up to 50 network devices that support TLS Syslog event forwarding, configure a log source to use the TLS Syslog protocol. The log source creates a listen port for incoming TLS Syslog events and generates a certificate file for the network devices. Up to 50 network appliances can forward events to the listen port that is created for the log source. If you require more than 50 network appliances, create additional listen ports.

Table 31 on page 30describes the protocol-specific parameters for the TLS Syslog Combination protocol.

Table 31: TLS Syslog Protocol Parameters

TLS Syslog Protocol Configuration

The default TLS listen port is 6514. TLS Listen Port

(43)

Table 31: TLS Syslog Protocol Parameters (continued)

Description

Parameter

The absolute path to the client-certificate on disk. The certificate must be stored on the Console or Event Collector for this log source.

Client Certificate Path

The type of certificate to use for authentication. If you select the Provide Certificate option, you must configure the file paths for the server certificate and the private key. Certificate Type

The absolute path to the server certificate. Provided Server Certificate Path

The absolute path to the private key.

NOTE: The corresponding private key must be a DER-encoded PKCS8 key. The configuration fails with any other key format.

Provided Private Key Path

After the log source is saved, a syslog-tls certificate is created for log source device. The certificate must be copied to any device on your network that is capable of forwarding encrypted syslog. Additional network devices with a syslogtls certificate file and the TLS listen port number can be automatically discovered as a TLS syslog log source in JSA. Related

Documentation

Configuring the VMware vCloud Director Protocol on page 32.

•

• Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 10.

Configuring the UDP Multiline Syslog Protocol

To create a single-line syslog event from a multiline event, configure a log source to use the UDP multiline protocol . The UDP multiline syslog protocol uses a regular expression to identify and reassemble the multiline syslog messages into single event payload. The original event must contain a value that repeats that a regular expression can use identify and reassemble the multiline event. For example, this event contains a repeated value:

15:08:56 1.1.1.1 slapd[517]: conn=2467222 op=2 SEARCH RESULT tag=101 15:08:56 1.1.1.1 slapd[517]: conn=2467222 op=2 SRCH base="dc=iso-n,dc=com" 15:08:56 1.1.1.1 slapd[517]: conn=2467222 op=2 SRCH attr=gidNumber

15:08:56 1.1.1.1 slapd[517]: conn=2467222 op=1 SRCH base="dc=iso-n,dc=com”

Table 32 on page 31describes the protocol-specific parameters for the UDP multiline syslog protocol.

Table 32: UDP Multiline Syslog Protocol Parameters

Description

Parameter

UDP Multiline Syslog Protocol Configuration

The regular expression (regex) required to filter the event payload messages. The UDP multiline event messages must contain a common identifying value that repeats on each line of the event message.