Juniper Secure Analytics


Log Sources Users Guide

Release 2014.1


Copyright © 2015, Juniper Networks, Inc. All rights reserved.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.


The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at


About the Documentation . . . vii

Documentation and Release Notes . . . vii

Documentation Conventions . . . vii

Documentation Feedback . . . ix

Requesting Technical Support . . . x

Self-Help Online Tools and Resources . . . x

Opening a Case with JTAC . . . x

Part 1

Juniper Secure Analytics Log Sources

Chapter 1

Installing Protocols . . . 3

Installing Protocols . . . 3

Chapter 2

Managing Log Sources . . . 5

Log Sources Overview . . . 6

Viewing the Status of a Log Source . . . 6

Adding a Log Source . . . 7

Editing Log Source . . . 9

Enabling or Disabling a Log Source . . . 11

Adding Bulk Log Sources . . . 12

Editing Bulk Log Sources . . . 15

Deleting a Log Source . . . 17

Chapter 3

Managing Protocol Configuration . . . 19

Protocol Configuration Overview . . . 20

Configuring the Syslog Protocol . . . 20

Configuring the JDBC Protocol . . . 23

Configuring the JDBC SiteProtector Protocol . . . 27

Configuring the Sophos Enterprise Console JDBC Protocol . . . 31

Configuring the Juniper Networks NSM Protocol . . . 36

Configuring the OPSEC/LEA Protocol . . . 38

Configuring the SDEE Protocol . . . 41

Configuring the SNMPv1 Protocol . . . 44

Configuring the SNMPv2 Protocol . . . 46

Configuring the SNMPv3 Protocol . . . 49

Configuring the Sourcefire Defense Center Estreamer Protocol . . . 51

Configuring the Log File Protocol . . . 54

Configuring the Microsoft Security Event Log Protocol . . . 59

Configuring the Microsoft Security Event Log Custom Protocol . . . 62

Configuring the Microsoft DHCP Protocol . . . 65

Configuring the Microsoft Exchange Protocol . . . 68


Configuring the SMB Tail Protocol . . . 74

Configuring the EMC VMware Protocol . . . 77

Configuring the Oracle Database Listener Protocol . . . 79

Configuring the Cisco NSEL Protocol . . . 82

Configuring the PCAP Syslog Combination Protocol . . . 84

Configuring the Forwarded Protocol . . . 86

Configuring the TLS Syslog Protocol . . . 89

Configuring the Juniper Security Binary Log Collector Protocol . . . 92

Configuring the UDP Multiline Syslog Protocol . . . 94

Configuring the TCP Multiline Syslog Protocol . . . 97

Configuring the VMware vCloud Director Protocol . . . 100

Configuring the IBM® Tivoli® Endpoint Manager SOAP Protocol . . . 102

Chapter 4

Grouping Log Sources . . . 107

Grouping Log Source Overview . . . 107

Viewing Log Source Groups . . . 108

Assigning a Log Source to a Group . . . 108

Creating a Log Source Group . . . 109

Editing a Log Source Group . . . 109

Copying a Log Source to Another Group . . . 110

Removing a Log Source From a Group . . . 110

Chapter 5

Adding Log Source Parsing Order . . . 113

Log Source Parsing Order Overview . . . 113

Adding a Log Source Parsing Order . . . 113

Chapter 6

Managing Log Source Extensions . . . 115

Log Source Extensions Overview . . . 115

Viewing the Status of a Log Source Extension . . . 116

Adding a Log Source Extension . . . 117

Editing a Log Source Extension . . . 118

Copying a Log Source Extension . . . 119

Enabling or Disabling a Log Source Extension . . . 121

Deleting a Log Source Extension . . . 121


About the Documentation . . . vii

Table 1: Notice Icons . . . viii

Table 2: Text and Syntax Conventions . . . viii

Part 1

Juniper Secure Analytics Log Sources

Chapter 2

Managing Log Sources . . . 5

Table 3: Console Settings . . . 7

Table 4: Log Source Parameters . . . 9

Table 5: Bulk Log Source Parameters . . . 12

Table 6: Bulk Edit Log Source Parameters . . . 15

Chapter 3

Managing Protocol Configuration . . . 19

Table 7: Syslog Protocol Parameters . . . 20

Table 8: JDBC Protocol Parameters . . . 23

Table 9: JDBC - SiteProtector Protocol Parameters . . . 27

Table 10: Sophos Enterprise Console JDBC Protocol Parameters . . . 32

Table 11: Juniper Networks NSM Protocol Parameters . . . 36

Table 12: OPSEC/LEA Protocol Parameters . . . 38

Table 13: SDEE Protocol Parameters . . . 42

Table 14: SNMPv1 Protocol Parameters . . . 44

Table 15: SNMPv2 Protocol Parameters . . . 47

Table 16: SNMPv3 Protocol Parameters . . . 49

Table 17: Sourcefire Defense Center Estreamer Protocol Parameters . . . 52

Table 18: Log File Protocol Parameters . . . 54

Table 19: Microsoft Security Event Log Protocol Parameters . . . 60

Table 20: Microsoft Security Event Log Protocol Parameters . . . 63

Table 21: Microsoft DHCP Protocol Parameters . . . 65

Table 22: Microsoft Exchange Protocol Parameters . . . 68

Table 23: Microsoft IIS Protocol Parameters . . . 72

Table 24: SMB Tail Protocol Parameters . . . 74

Table 25: EMC VMware Protocol Parameters . . . 77

Table 26: Oracle Database Listener Protocol Parameters . . . 79

Table 27: Cisco NSEL Protocol Parameters . . . 82

Table 28: PCAP Syslog Combination Protocol Parameters . . . 84

Table 29: Forwarded Protocol Parameters . . . 87

Table 30: TLS Syslog Protocol Parameters . . . 89

Table 31: Juniper Security Binary Log Collector Protocol Parameters . . . 92

Table 32: UDP Multiline Syslog Protocol Parameters . . . 94

Table 33: TCP Multiline Syslog Protocol Parameters . . . 97


Table 35: IBM Tivoli Endpoint Manager SOAP Protocol Parameters . . . 102

Chapter 6

Managing Log Source Extensions . . . 115

About the Documentation

• Documentation and Release Notes on page vii

• Documentation Conventions on page vii

• Documentation Feedback on page ix

• Requesting Technical Support on page x

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.

Documentation Conventions

Table 1: Notice Icons

Informational note
  Indicates important features or instructions.

Caution
  Indicates a situation that might result in loss of data or hardware damage.

Warning
  Alerts you to the risk of personal injury or death.

Laser warning
  Alerts you to the risk of personal injury from a laser.

Tip
  Indicates helpful information.

Best practice
  Alerts you to a recommended use or implementation.

Table 2 on page viii defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Bold text like this
  Description: Represents text that you type.
  Example: To enter configuration mode, type the configure command:
    user@host> configure

Fixed-width text like this
  Description: Represents output that appears on the terminal screen.
  Example:
    user@host> show chassis alarms
    No alarms currently active

Italic text like this
  Description:
  • Introduces or emphasizes important new terms.
  • Identifies guide names.
  • Identifies RFC and Internet draft titles.
  Examples:
    A policy term is a named structure that defines match conditions and actions.
    Junos OS CLI User Guide
    RFC 1997, BGP Communities Attribute

Italic text like this
  Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
  Example: Configure the machine's domain name:
    [edit]
    root@# set system domain-name domain-name

Text like this
  Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
  Examples:
  • To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
  • The console port is labeled CONSOLE.

< > (angle brackets)
  Description: Encloses optional keywords or variables.
  Example: stub <default-metric metric>;

| (pipe symbol)
  Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
  Example: broadcast | multicast
    (string1 | string2 | string3)

# (pound sign)
  Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
  Example: rsvp { # Required for dynamic MPLS only

[ ] (square brackets)
  Description: Encloses a variable for which you can substitute one or more values.
  Example: community name members [ community-ids ]

Indention and braces ( { } )
  Description: Identifies a level in the configuration hierarchy.
  Example:
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

; (semicolon)
  Description: Identifies a leaf statement at a configuration hierarchy level.
  Example: as above (nexthop address; and retain;).

GUI Conventions

Bold text like this
  Description: Represents graphical user interface (GUI) items you click or select.
  Examples:
  • In the Logical Interfaces box, select All Interfaces.
  • To cancel the configuration, click Cancel.

> (bold right angle bracket)
  Description: Separates levels in a hierarchy of menu selections.
  Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:

• Online feedback rating system—On any page at the Juniper Networks Technical Documentation site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at

• E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or Partner Support Service support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Search for known bugs: http://www2.juniper.net/kb/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: http://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

For international or direct-dial options in countries without toll-free numbers, see

Part 1

Juniper Secure Analytics Log Sources

• Installing Protocols on page 3

• Managing Log Sources on page 5

• Managing Protocol Configuration on page 19

• Grouping Log Sources on page 107

• Adding Log Source Parsing Order on page 113

Chapter 1

Installing Protocols

This chapter describes the following sections:

• Installing Protocols on page 3

Installing Protocols

You can download and install a Juniper Secure Analytics (JSA) protocol. To install JSA protocols:

1. Download the protocol file from Juniper Customer Support: http://www.juniper.net/support/downloads

2. Copy the protocol file to your JSA console.

3. Using SSH, log in to the JSA host as the root user.

4. Navigate to the directory that includes the downloaded file.

5. Extract the contents of the file if they are compressed.

6. Type the following command: rpm -Uvh <filename>

Where <filename> is the name of the downloaded file. For example: PROTOCOL-WinCollectMicrosoftIAS-7.2-605867.noarch.rpm.

7. Log in to JSA at https://<IP Address>

Where <IP Address> is the IP address of the JSA console or Event Collector.

8. On the Admin tab, click Deploy Changes. The installation is complete.
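The following Python script is an added example, not part of the Juniper guide: it wraps steps 5 and 6 above (unpacking a compressed download and running rpm -Uvh) and adds the checks an administrator would want before installing a package as root on the console: the file name must follow the PROTOCOL-<name>-<version>-<build>.noarch.rpm form of the example above, archive members must not escape the working directory, and rpm -K must verify the package before rpm -Uvh runs. The sample archive it builds is a constructed placeholder rather than a real package, and dry_run only reports the commands it would run.

```python
import re
import subprocess
import tarfile
import tempfile
from pathlib import Path

# Name pattern derived from the guide's example file,
# PROTOCOL-WinCollectMicrosoftIAS-7.2-605867.noarch.rpm (an assumption for other packages).
PROTOCOL_RPM = re.compile(r"^PROTOCOL-[A-Za-z0-9_]+-[0-9][0-9.]*-[0-9]+\.noarch\.rpm$")
SAMPLE_NAME = "PROTOCOL-WinCollectMicrosoftIAS-7.2-605867.noarch.rpm"  # constructed sample


def is_protocol_rpm_name(name: str) -> bool:
    """True if the file name has the PROTOCOL-<name>-<version>-<build>.noarch.rpm form."""
    return PROTOCOL_RPM.match(Path(name).name) is not None


def unpack_protocol_file(path: Path, workdir: Path) -> Path:
    """Step 5: if the download is a tar archive, extract the single .rpm it holds
    into workdir; a bare .rpm is returned unchanged. Members that would land
    outside workdir (absolute paths, '..') are refused rather than extracted."""
    if path.suffix == ".rpm":
        return path
    if not tarfile.is_tarfile(path):
        raise ValueError(f"unsupported file type: {path.name}")
    root = workdir.resolve()
    with tarfile.open(path) as tar:
        members = tar.getmembers()
        for member in members:
            target = (root / member.name).resolve()
            if root not in target.parents:
                raise ValueError(f"archive member escapes workdir: {member.name}")
        rpms = [m for m in members if m.isfile() and m.name.endswith(".rpm")]
        if len(rpms) != 1:
            raise ValueError(f"expected one .rpm inside {path.name}, found {len(rpms)}")
        tar.extract(rpms[0], root)
    return root / rpms[0].name


def install_protocol(path: Path, workdir: Path, dry_run: bool = False) -> list[str]:
    """Steps 5 and 6: unpack, check the name, verify the package signature and
    digests with rpm -K, then run rpm -Uvh. Returns the commands as strings;
    with dry_run=True the commands are built but not executed."""
    rpm = unpack_protocol_file(path, workdir)
    if not is_protocol_rpm_name(rpm.name):
        raise ValueError(f"not a JSA protocol package: {rpm.name}")
    commands = [["rpm", "-K", str(rpm)], ["rpm", "-Uvh", str(rpm)]]
    if not dry_run:
        for cmd in commands:
            subprocess.run(cmd, check=True)  # a failing rpm -K aborts before rpm -Uvh
    return [" ".join(cmd) for cmd in commands]


def build_sample_download() -> tuple[Path, Path]:
    """Construct a placeholder .tgz (not a real package) for offline testing.
    Returns (archive path, empty work directory)."""
    src = Path(tempfile.mkdtemp())
    (src / SAMPLE_NAME).write_bytes(b"constructed placeholder, not a real RPM")
    archive = src / "protocol-download.tgz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src / SAMPLE_NAME, arcname=SAMPLE_NAME)
    return archive, Path(tempfile.mkdtemp())


if __name__ == "__main__":
    archive, work = build_sample_download()
    for line in install_protocol(archive, work, dry_run=True):
        print(line)
```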

Related Documentation

• Log Sources Overview on page 6

• Adding a Log Source on page 7

Chapter 2

Managing Log Sources

This chapter describes the following sections:

• Log Sources Overview on page 6

• Viewing the Status of a Log Source on page 6

• Adding a Log Source on page 7

• Editing Log Source on page 9

• Enabling or Disabling a Log Source on page 11

• Adding Bulk Log Sources on page 12

• Editing Bulk Log Sources on page 15


Log Sources Overview

Administrators can manage log sources from the Admin tab. Log sources are the external appliances that provide events to Juniper Secure Analytics (JSA).

References to JSA apply to all products capable of collecting log source information. Products that support log sources include Log Analytics.

Log sources give JSA the ability to collect, understand, and properly categorize events from external sources. A log source is a generic term for any external source that provides event information to JSA. A log source can be any type of network appliance, operating system, database, or security product that generates events for JSA. For example, a firewall or intrusion detection system might provide security-based events, whereas switches or routers might provide network-based events. JSA can read and interpret events from more than 300 log sources. Each log source in JSA contains a device support module (DSM). The DSM software contains the event patterns that are required to identify and parse events for a log source. Updated event patterns that parse new events and update your system are provided through weekly auto updates.

Log sources can be created manually by an administrator or automatically discovered by JSA. Auto discovery means that JSA can detect and create a log source from events without manual configuration. Many log sources can be automatically discovered by JSA. Before you configure a log source, you must review and understand how the device, appliance, or software sends events to JSA. To review step-by-step configuration instructions for devices and the associated log source, see the Juniper Secure Analytics Administration Guide.

To manage log sources in JSA, perform the following tasks:

• “Viewing the Status of a Log Source” on page 6.

• “Adding a Log Source” on page 7.

• “Editing Log Source” on page 9.

• “Adding Bulk Log Sources” on page 12.

• “Editing Bulk Log Sources” on page 15.

• “Enabling or Disabling a Log Source” on page 11.

• “Deleting a Log Source” on page 17.

Viewing the Status of a Log Source

You can view the status of a log source to determine if your device is sending events to Juniper Secure Analytics.

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Review the Status column to determine the status of your log sources.

For example, log sources that do not send an event within 720 minutes display an error in the Status column. Log sources that display N/A are log sources that were bulk added.

Related Documentation

• Log Sources Overview on page 6.

• Adding a Log Source on page 7.

• Editing Log Source on page 9.

• Adding Bulk Log Sources on page 12.

• Editing Bulk Log Sources on page 15.

• Enabling or Disabling a Log Source on page 11.

• Deleting a Log Source on page 17.

Adding a Log Source

Administrators can add a log source to receive events from your network devices or appliances. Before a log source is manually added, the administrator can determine if the device supports automatic discovery.

Table 3 describes the parameters of the log source fields.

Table 3: Console Settings

Log Source Name
  Type a unique name for the log source.

Log Source Description
  Optional. Type a description for the log source.

Log Source Type
  From the list, select the type of log source to add.

Protocol Configuration
  From the list, select the protocol configuration for the log source.
  The protocol defines how Juniper Secure Analytics attempts to communicate with the log source. Protocols can either listen for events or initiate communication to a log source to collect events. The protocol options that are available for each log source are determined by the Log Source Type.
  Juniper Secure Analytics provides step-by-step instructions to configure each log source.

Log Source Identifier
  Type an IPv4 address or hostname to identify the log source that created the events.
  If your network contains multiple devices that are attached to a management console, specify the IP address of the individual device that created the event. A unique identifier for each device, such as an IP address, prevents event searches from identifying the management console as the source of all of the events.

Enabled
  Select this check box to enable the log source.
  When this check box is clear, the log source does not collect events and is not counted in the license limit.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.
  Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
  The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events.
  Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events give administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
  When this check box is clear, events are viewed individually and are not bundled.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events that are generated by the log source.
  The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source.
  This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:
  • Parsing enhancement—Select this option when most fields parse correctly for the log source.
  • Parsing override—Select this option when the log source is unable to correctly parse events.

Groups
  Select one or more groups for the log source.

To add a log source:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for your log source. Juniper Secure Analytics provides step-by-step instructions to configure each log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Log Sources Overview on page 6.

• Viewing the Status of a Log Source on page 6.

• Editing Log Source on page 9.

• Adding Bulk Log Sources on page 12.

• Editing Bulk Log Sources on page 15.

• Enabling or Disabling a Log Source on page 11.

• Deleting a Log Source on page 17.

Editing Log Source

You can edit a log source to update the configuration parameters for a network device, appliance, or software. The Log Source Type and Protocol Configuration parameters cannot be edited.

Table 4 on page 9 describes the editable parameters of the log source fields:

Table 4: Log Source Parameters

Log Source Name
  Type a unique name for the log source.

Log Source Identifier
  Type an IPv4 address or hostname to identify the log source that created the events.
  If your network contains multiple devices that are attached to a management console, specify the IP address of the individual device that created the event. A unique identifier for each device, such as an IP address, prevents event searches from identifying the management console as the source of all of the events.

Enabled
  Select this check box to enable the log source.
  When this check box is clear, the log source does not collect events and is not counted in the license limit.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.
  Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
  The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events.
  Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events give administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
  When this check box is clear, events are viewed individually and are not bundled.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events that are generated by the log source.
  The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source.
  This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:
  • Parsing enhancement—Select this option when most fields parse correctly for the log source.
  • Parsing override—Select this option when the log source is unable to correctly parse events.

Groups
  Select one or more groups for the log source.

To edit a log source:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Select a log source.

4. Click Edit.

5. Configure the parameters for your log source. JSA provides step-by-step instructions to configure each log source.

6. Click Save to update your log source configuration.

The log source is updated. Deploying changes is not required to edit a log source.

Related Documentation

• Log Sources Overview on page 6.

• Viewing the Status of a Log Source on page 6.

• Adding a Log Source on page 7.

• Adding Bulk Log Sources on page 12.

• Editing Bulk Log Sources on page 15.

• Enabling or Disabling a Log Source on page 11.

• Deleting a Log Source on page 17.

Enabling or Disabling a Log Source

Administrators can enable or disable a log source to start or stop event collection. Bulk log sources cannot be enabled or disabled.

To enable or disable a log source:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Select the log source to enable or disable.

4. Click Enable/Disable.

When a log source is enabled, the Enabled column indicates true; when it is disabled, the column indicates false. Disabled log sources do not count against the log source limit assigned to the license. If an administrator cannot enable a log source, the system might have exceeded the log source license limit. Administrators can review the system notifications to determine whether the number of log sources exceeds the license limit. When this occurs, administrators can disable low-priority log sources. If extra log source capacity is required, contact your sales representative.

Related Documentation

• Log Sources Overview on page 6.

• Viewing the Status of a Log Source on page 6.

• Adding a Log Source on page 7.

• Editing Log Source on page 9.

• Adding Bulk Log Sources on page 12.

• Editing Bulk Log Sources on page 15.

• Deleting a Log Source on page 17.

Adding Bulk Log Sources

Juniper Secure Analytics supports the ability to add up to 500 Windows-based or Universal DSM log sources in bulk. Bulk log sources share a common configuration and only differ by the IP address.

Table 5 describes the default parameters of the log source configuration. These parameters might differ based on the Log Source Type selected:

Table 5: Bulk Log Source Parameters

Bulk Log Source Name
  Type a unique name for the log source.
  When you add a bulk log source, a log source group is created with the name you input into this field.

Protocol Configuration
  From the list, select the protocol configuration for the log source.
  The protocol defines how the system attempts to communicate with the log source. Protocols can either listen for events or initiate communication to a log source to collect events. The protocol options that are available for each log source are determined by the Log Source Type.
  Juniper Secure Analytics provides step-by-step instructions to configure each log source.

Enabled
  Select this check box to enable the log source.
  When this check box is clear, the log source does not collect events and is not counted in the license limit.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.
  Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
  The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events.
  Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events give administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
  When this check box is clear, events are viewed individually and are not bundled.
  New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events that are generated by the log source.
  The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source.
  This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:
  • Parsing enhancement—Select this option when most fields parse correctly for the log source.
  • Parsing override—Select this option when the log source is unable to correctly parse events.

File Upload
  Select this option to specify the location of a text file that contains a list of IP addresses or host names to bulk add.
  The text file must contain one IP address or host name per line. Extra characters after an IP address, or host names longer than 255 characters, can result in a value being bypassed from the text file. The file upload lists a summary of all IP addresses or host names that were added as the bulk log source.

Domain Query
  Select this option to search a domain for hosts to add as bulk log sources. To search a domain, you must add the domain, username, and password before polling the domain for hosts to add. Click Query Domain to search for IP addresses or host names to add to the list.
  • Domain Controller—Type the IP address of the domain controller.
  • Full Domain Name—Type a valid domain name for your network.

Manual
  Select this option to manually add individual IP addresses or host names to the host list. Click Add Host to add an IP address or host name to the list.

Clear any values from the Add check box to exclude host names or IP addresses from the list of bulk log sources.

Add
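As an added example that is not part of the Juniper guide, the following Python validator applies the File Upload rules above to a constructed host list: one entry per line, entries longer than 255 characters or with extra characters after the value are bypassed, and the result is the kind of added/bypassed summary the upload reports. It assumes IPv4 addresses and RFC 1123 host name syntax, neither of which the table specifies.

```python
import ipaddress
import re

# The File Upload description gives the 255 character limit; the host name
# syntax below (RFC 1123 labels) and the IPv4-only check are assumptions.
MAX_ENTRY_LENGTH = 255
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_entry(entry):
    """Return 'ip' for an IPv4 address, 'hostname' for a valid host name, else None."""
    if not entry or len(entry) > MAX_ENTRY_LENGTH:
        return None
    try:
        ipaddress.IPv4Address(entry)
        return "ip"
    except ValueError:
        pass
    labels = entry.rstrip(".").split(".")
    if all(_LABEL.match(label) for label in labels):
        return "hostname"
    return None


def validate_host_list(text):
    """Split a bulk-add text file into the entries that would be added and those bypassed.

    Returns (accepted, bypassed). accepted holds (line_no, value, kind) tuples;
    bypassed holds (line_no, raw_line, reason) tuples for lines the upload skips.
    """
    accepted, bypassed = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines carry no value
        if len(line) > MAX_ENTRY_LENGTH:
            bypassed.append((line_no, raw, "longer than 255 characters"))
        elif any(ch.isspace() for ch in line):
            # "10.0.0.6 # comment" style lines: extra characters after the value
            bypassed.append((line_no, raw, "extra characters after the value"))
        else:
            kind = classify_entry(line)
            if kind is None:
                bypassed.append((line_no, raw, "not an IPv4 address or host name"))
            else:
                accepted.append((line_no, line, kind))
    return accepted, bypassed


def summarize(accepted, bypassed):
    """Counts in the style of the summary the file upload reports."""
    return {
        "added": len(accepted),
        "ip_addresses": sum(1 for _, _, kind in accepted if kind == "ip"),
        "host_names": sum(1 for _, _, kind in accepted if kind == "hostname"),
        "bypassed": len(bypassed),
    }


# Constructed sample file: line 3 has trailing text, line 5 is too long,
# line 6 contains spaces and line 7 has characters not allowed in a host name.
SAMPLE_HOST_LIST = "\n".join([
    "10.0.0.5",
    "dc01.example.com",
    "10.0.0.6 # trailing comment",
    "",
    "a" * 256 + ".example.com",
    "not a host",
    "bad_host!",
])

if __name__ == "__main__":
    ok, skipped = validate_host_list(SAMPLE_HOST_LIST)
    print(summarize(ok, skipped))
    for line_no, raw, reason in skipped:
        print("line %d bypassed: %s (%s)" % (line_no, reason, raw[:40]))
```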

To add a bulk log source:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. From the Actions list, select Bulk Add.

4. Configure the parameters for the log source. Juniper Secure Analytics provides step-by-step instructions to configure each log source.

5. Click Save.

6. Click Continue to add the log sources.

7. On the Admin tab, click Deploy Changes.

The log sources are bulk added and a group is created for your bulk log sources.

Related Documentation

• Log Sources Overview on page 6.

• Adding a Log Source on page 7.

• Editing Log Source on page 9.

• Enabling or Disabling a Log Source on page 11.

• Editing Bulk Log Sources on page 15.

• Deleting a Log Source on page 17.

Editing Bulk Log Sources

Administrators can edit a log source in bulk to update the configuration parameters for Windows-based log sources or Universal DSM log sources that were bulk added. The Log Source Type and Protocol Configuration parameters cannot be edited in bulk.

Table 6 on page 15 describes the default parameters of the log source configuration. These parameters might differ based on the Log Source Type selected:

Table 6: Bulk Edit Log Source Parameters

Bulk Log Source Name
Type a unique name of the log source.
When you add a bulk log source, a log source group is created with the name you input into this field.

Enabled
Select this check box to enable the log source.
When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
From the list box, select the use condition for the log source extension. The options include:
• Parsing enhancement—Select this option when most fields parse correctly for the log source.
• Parsing override—Select this option when the log source is unable to correctly parse events.

File Upload
Select this option to specify the location of a text file that contains a list of IP addresses or host names to bulk add.
The text file must contain one IP address or host name per line. Extra characters after an IP address, or host names longer than 255 characters, can result in a value being bypassed from the text file. The file upload lists a summary of all IP addresses or host names that were added as the bulk log source.

Domain Query
Select this option to search a domain for hosts to add as bulk log sources. To search a domain, you must add the domain, username, and password before polling the domain for hosts to add. Click Query Domain to search for IP addresses or host names to add to the list.
• Domain Controller—Type the IP address of the domain controller.
• Full Domain Name—Type a valid domain name for your network.

Manual
Select this option to manually add an individual IP address or host name to the host list. Click Add Host to add an IP address or host name to the list.

To edit a bulk log source:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Select a log source.

4. From the Actions list, select Bulk Edit.

5. Configure the parameters for the log source. JSA provides step-by-step instructions to configure each log source.

6. Click Save to update your log source configuration.

7. Click Continue to add the log sources.

8. Optional. On the Admin tab, click Deploy Changes if you added a new IP address or host name to your bulk log source.

The bulk log source is updated.

Related Documentation

• Log Sources Overview on page 6.

• Viewing the Status of a Log Source on page 6.

• Adding a Log Source on page 7.

• Editing Log Source on page 9.

• Enabling or Disabling a Log Source on page 11.

• Adding Bulk Log Sources on page 12.

• Deleting a Log Source on page 17.

Deleting a Log Source

Administrators can delete a log source. Bulk log sources cannot be enabled or disabled. Administrators can delete unwanted log sources to stop event collection for an external device.

To delete a log source:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Select the log source to delete.

4. Click Delete.

The log source is deleted.


source instead of deleting the log source from your system. This enables you to continue to search for events by log source or log source group.

Related Documentation

• Log Sources Overview on page 6.

• Viewing the Status of a Log Source on page 6.

• Adding a Log Source on page 7.

• Editing Log Source on page 9.

• Enabling or Disabling a Log Source on page 11.

• Adding Bulk Log Sources on page 12.

This chapter describes the following sections:

• Protocol Configuration Overview on page 20

• Configuring the Syslog Protocol on page 20

• Configuring the JDBC Protocol on page 23

• Configuring the JDBC SiteProtector Protocol on page 27

• Configuring the Sophos Enterprise Console JDBC Protocol on page 31

• Configuring the Juniper Networks NSM Protocol on page 36

• Configuring the OPSEC/LEA Protocol on page 38

• Configuring the SDEE Protocol on page 41

• Configuring the SNMPv1 Protocol on page 44

• Configuring the SNMPv2 Protocol on page 46

• Configuring the SNMPv3 Protocol on page 49

• Configuring the Sourcefire Defense Center Estreamer Protocol on page 51

• Configuring the Log File Protocol on page 54

• Configuring the Microsoft Security Event Log Protocol on page 59

• Configuring the Microsoft Security Event Log Custom Protocol on page 62

• Configuring the Microsoft DHCP Protocol on page 65

• Configuring the Microsoft Exchange Protocol on page 68

• Configuring the Microsoft IIS protocol on page 71

• Configuring the SMB Tail Protocol on page 74

• Configuring the EMC VMware Protocol on page 77

• Configuring the Oracle Database Listener Protocol on page 79

• Configuring the Cisco NSEL Protocol on page 82

• Configuring the PCAP Syslog Combination Protocol on page 84

• Configuring the Forwarded Protocol on page 86

• Configuring the TLS Syslog Protocol on page 89

• Configuring the Juniper Security Binary Log Collector Protocol on page 92


• Configuring the TCP Multiline Syslog Protocol on page 97

• Configuring the VMware vCloud Director Protocol on page 100

• Configuring the IBM® Tivoli® Endpoint Manager SOAP Protocol on page 102

Protocol Configuration Overview

Log source protocols provide Juniper Secure Analytics (JSA) the ability to receive or actively collect log source events from external sources. Passive protocols listen for events on specific ports; active protocols use APIs or other communication methods to reach out to external systems and poll for events.

Before you configure a log source, you must review and understand how the device, appliance, or software sends events to JSA. For detailed protocol information and step-by-step configuration instructions for many devices, see the Juniper Secure Analytics Administration Guide.

To review protocol configuration parameters for your log source, select the protocol for the device:

Related Documentation

• Configuring the Syslog Protocol on page 20.

• Configuring the JDBC Protocol on page 23.

• Configuring the JDBC - SiteProtector Protocol on page 27.

• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.

• Configuring the Juniper Networks NSM Protocol on page 36.

• Configuring the OPSEC/LEA Protocol on page 38.

Configuring the Syslog Protocol

The Syslog protocol is the most common form of event collection. Juniper Secure Analytics (JSA) can passively listen for Syslog events on TCP or UDP port 514.

Table 7 on page 20 describes the parameters of the Syslog protocol.

Table 7: Syslog Protocol Parameters

Log Source Name
Type a unique name of the log source.

Log Source Description
Optional. Type a description for the log source.

Protocol Configuration
From the list, select Syslog.
The protocol defines how JSA attempts to communicate with the log source. Protocols can either listen for events or initiate communication to a log source to collect events. The protocol options that are available for each log source are determined by the Log Source Type.
JSA provides step-by-step instructions to configure each log source.

Log Source Identifier
Type an IPv4 address or host name to identify the log source that created the events.
If the network contains multiple devices that are attached to a management console, administrators can specify the IP address of the individual device that created the event. A unique identifier for each, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.

Enabled
Select this check box to enable the log source.
When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
From the list box, select the use condition for the log source extension. The options include:
• Parsing enhancement—Select this option when most fields parse correctly for the log source.
• Parsing override—Select this option when the log source is unable to correctly parse events.

Groups
Select one or more groups for the log source.

To configure the syslog protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for your log source. JSA provides step-by-step instructions to configure each log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the JDBC Protocol on page 23.

• Configuring the JDBC - SiteProtector Protocol on page 27.

• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.

• Configuring the Juniper Networks NSM Protocol on page 36.

• Configuring the OPSEC/LEA Protocol on page 38.

• Configuring the SDEE Protocol on page 41.

• Configuring the SNMPv1 Protocol on page 44.

Configuring the JDBC Protocol

Log sources configured with the Java Database Connectivity (JDBC) protocol can remotely poll databases for events.

The JDBC protocol enables Juniper Secure Analytics (JSA) to collect information from tables or views that contain event data from several database types.

Table 8 on page 23 describes the parameters of the JDBC protocol.

Table 8: JDBC Protocol Parameters

Log Source Name
Type a unique name of the log source.

Log Source Description
Optional. Type a description for the log source.

Log Source Type
From the list, select the type of log source to add.

Protocol Configuration
From the list, select JDBC.

Log Source Identifier
Type the log source identifier in one of the following formats:
• database@hostname
• table name|database@hostname
The database name must match the value of the Database Name parameter. The database name is a required parameter.
The hostname is the hostname or IP address for the device that hosts the database. The hostname must match the parameter in the IP or Hostname field. The hostname is a required parameter.
Optional. The table name is the name of the table or view on the database that contains the event records. If you define the name of a table or view, you must include a pipe ( | ) character as a separator. The name of the view or table must match the Table Name field.

Database Type
From the list box, select the type of database that contains the events.

Database Name
Type the name of the database to which the protocol can connect. The database name must match the database name specified in the Log Source Identifier field.

Port
Type the port number used by the database server. The default displayed depends on the selected Database Type. The valid range is 0 to 65536. The defaults include:
• MSDE–1433
• Postgres–5432
• MySQL–3306
• Sybase–1521
• Oracle–1521
• Informix–9088
The JDBC port must match the listen port configured on the remote database. The database must permit incoming TCP connections.
If a Database Instance is used with the MSDE database type, administrators must leave the Port parameter blank in the log source configuration.

Username
Type the database username. The username can be up to 255 alphanumeric characters in length and can include underscore (_) characters.
To track database access for audit purposes, administrators can create a specific user on the database for JSA.

Password
Type the database password. The password can be up to 255 characters in length.

Confirm Password
Confirm the password to access the database.

Authentication Domain
Type a domain for the database.
A domain must be configured for MSDE databases that are within a Windows domain. If your network does not use a domain, leave this field blank.

Database Instance
Type the database instance, if required. MSDE databases can include multiple SQL server instances on one server.
When a non-standard port is used for the database or administrators have blocked access to port 1434 for SQL database resolution, the Database Instance parameter must be blank in the log source configuration.

Predefined Query
Optional. Select a predefined database query for the log source. If a predefined query is not available for the log source type, administrators can select none.

Table Name
Type the name of the table or view that includes the event records.
The table name can include the following special characters: dollar sign ( $ ), number sign ( # ), underscore ( _ ), en dash ( - ), and period ( . ).

Select List
Type the list of fields to include when the table is polled for events. Administrators can use a comma-separated list or type * to select all fields from the table or view.

Compare Field
Type a numeric value or timestamp field from the table or view that can identify new events added between queries to the table.
This field enables the protocol to identify events that were previously polled by the protocol to ensure that duplicate events are not created.

Use Prepared Statements
Select this check box to use prepared statements.
Prepared statements enable the JDBC protocol source to set up the SQL statement, and then execute the SQL statement numerous times with different parameters. For security and performance reasons, most JDBC protocol configurations can use prepared statements.
Clear this check box to use an alternative method of querying that does not use precompiled statements.

Start Date and Time
Optional. Configure a start date and time for when the protocol can start to poll the database. If a start time is not defined, the protocol attempts to poll for events after the log source configuration is saved and deployed.

Polling Interval
Type the polling interval, which is the amount of time between queries to the database. The default polling interval is 10 seconds.
Administrators can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values without an H or M designator poll in seconds.

EPS Throttle
Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The default value is 20000 EPS.

Use Named Pipe Communication
If MSDE is configured as the database type, administrators can select this check box to use an alternative method to a TCP/IP port connection.
Named pipe connections for MSDE databases require the username and password fields to use a Windows authentication username and password and not the database username and password. The log source configuration must use the default named pipe on the MSDE database.

Database Cluster Name
If the Use Named Pipe Communication check box is selected, the Database Cluster Name parameter is displayed. If you use your SQL server in a cluster environment, define the cluster name to ensure that named pipe communications function properly.

Use NTLMv2
Select the Use NTLMv2 check box to force MSDE connections to use the NTLMv2 protocol when communicating with SQL servers that require NTLMv2 authentication. The default value of the check box is selected.
The Use NTLMv2 check box does not interrupt communications for MSDE connections that do not require NTLMv2 authentication.

Use SSL
Select this check box to enable SSL encryption for the JDBC protocol.

Enabled
Select this check box to enable the log source.
When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
From the list box, select the use condition for the log source extension. The options include:
• Parsing enhancement—Select this option when most fields parse correctly for the log source.
• Parsing override—Select this option when the log source is unable to correctly parse events.

To configure the JDBC protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for the log source. JSA provides step-by-step instructions to configure each log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.
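As an added example that is not code from the guide or from JSA, this Python script checks a JDBC Log Source Identifier against the Database Name, IP or Hostname and Table Name fields, parses the Polling Interval formats described in Table 8, and shows how a Compare Field used with a prepared statement keeps a poll from re-collecting rows that were already retrieved. It uses an in-memory SQLite table with constructed rows in place of the remote database; the 1 week ceiling and the identifier characters come from the table above, the minimum interval of 1 second is an assumption.

```python
import re
import sqlite3

MAX_POLL_SECONDS = 7 * 24 * 60 * 60  # the guide caps the polling interval at 1 week
# Characters the guide permits in a table name ($ # _ - .) plus letters and digits.
_NAME = re.compile(r"^[A-Za-z0-9_$#.\-]+$")


def parse_log_source_identifier(identifier):
    """Split 'database@hostname' or 'table name|database@hostname' into its parts."""
    table, rest = None, identifier
    if "|" in identifier:
        table, rest = identifier.split("|", 1)
        if not table.strip():
            raise ValueError("pipe separator present but no table name before it")
    if rest.count("@") != 1:
        raise ValueError("identifier must contain exactly one '@'")
    database, hostname = rest.split("@")
    if not database or not hostname:
        raise ValueError("database name and hostname are both required")
    return {"table": table.strip() if table else None,
            "database": database, "hostname": hostname}


def check_identifier_matches(identifier, database_name, ip_or_hostname, table_name=None):
    """Return the mismatches between the identifier and the other fields (empty if consistent)."""
    parts = parse_log_source_identifier(identifier)
    problems = []
    if parts["database"] != database_name:
        problems.append("database does not match the Database Name field")
    if parts["hostname"] != ip_or_hostname:
        problems.append("hostname does not match the IP or Hostname field")
    if parts["table"] is not None and parts["table"] != table_name:
        problems.append("table does not match the Table Name field")
    return problems


def parse_polling_interval(value):
    """Convert '10', '5M' or '2H' into seconds; plain numbers poll in seconds."""
    text = value.strip().upper()
    unit = 1
    if text.endswith("H"):
        unit, text = 3600, text[:-1]
    elif text.endswith("M"):
        unit, text = 60, text[:-1]
    if not text.isdigit():
        raise ValueError("interval must be a number, optionally followed by H or M")
    seconds = int(text) * unit
    # The 1 week ceiling is from the guide; requiring at least 1 second is an assumption.
    if seconds < 1 or seconds > MAX_POLL_SECONDS:
        raise ValueError("interval must be between 1 second and 1 week")
    return seconds


class ComparePoller:
    """Poll a table with a prepared statement, returning only rows past the last compare value."""

    def __init__(self, conn, table, select_list, compare_field, start_value=None):
        fields = [f.strip() for f in select_list.split(",")]
        for name in [table, compare_field] + [f for f in fields if f != "*"]:
            if not _NAME.match(name):
                raise ValueError("unsafe identifier: %r" % name)
        if "*" not in fields and compare_field not in fields:
            fields.append(compare_field)  # the cursor value must come back with each row
        # Identifiers cannot be bound as parameters, so they are validated above and
        # interpolated once; the compare value itself is always bound through '?'.
        self.sql = ("SELECT %s FROM %s WHERE %s > ? ORDER BY %s ASC"
                    % (", ".join(fields), table, compare_field, compare_field))
        self.conn, self.compare_field = conn, compare_field
        # Start Date and Time when configured; otherwise 0, which SQLite sorts before
        # any integer id or text timestamp, so the first poll returns every row.
        self.last_seen = 0 if start_value is None else start_value

    def poll(self):
        """Execute the prepared statement once and move the cursor past the rows returned."""
        cur = self.conn.execute(self.sql, (self.last_seen,))
        columns = [d[0] for d in cur.description]
        rows = [dict(zip(columns, r)) for r in cur.fetchall()]
        if rows:
            self.last_seen = rows[-1][self.compare_field]
        return rows


def build_sample_db():
    """Constructed in-memory table standing in for the remote event table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (event_id INTEGER PRIMARY KEY, logged_at TEXT, msg TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)", [
        (1, "2015-03-01 10:00:00", "login ok"),
        (2, "2015-03-01 10:00:05", "login failed"),
        (3, "2015-03-01 10:00:09", "config changed"),
    ])
    return conn


def demo():
    """Three polls: initial load, one new row, then nothing new (no duplicates)."""
    conn = build_sample_db()
    poller = ComparePoller(conn, "events", "event_id, msg", "event_id")
    first = poller.poll()
    conn.execute("INSERT INTO events VALUES (4, '2015-03-01 10:00:20', 'logout')")
    second = poller.poll()
    third = poller.poll()
    return [len(first), len(second), len(third)], second[0]["msg"]
```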

Related Documentation

• Protocol Configuration Overview on page 20.

• Configuring the Syslog Protocol on page 20.

• Configuring the JDBC - SiteProtector Protocol on page 27.

• Configuring the Sophos Enterprise Console JDBC Protocol on page 31.

• Configuring the Juniper Networks NSM Protocol on page 36.

• Configuring the OPSEC/LEA Protocol on page 38.

Configuring the JDBC SiteProtector Protocol

Log sources configured with the Java Database Connectivity (JDBC) SiteProtector protocol can remotely poll IBM Proventia Management SiteProtector databases for events. The JDBC - SiteProtector protocol combines information from the SensorData1 and SensorDataAVP1 tables in the creation of the log source payload. The SensorData1 and SensorDataAVP1 tables are located in the IBM Proventia Management SiteProtector database. The maximum number of rows that the JDBC - SiteProtector protocol can poll in a single query is 30,000 rows.

Table 9 on page 27describes the parameters of the JDBC protocol.

Table 9: JDBC - SiteProtector Protocol Parameters

Description Parameter

Type a unique name of the log source. Log Source Name

Optional. Type a description for the log source. Log Source Description

From the list, select the type of log source to add. Log Source Type

(40)

Table 9: JDBC - SiteProtector Protocol Parameters (continued)

Description Parameter

Type the log source identifer in one of the following formats:

• database@hostname

• table name|database@hostname

Thedatabasename must match the value of the Database Name parameter. The database name is a required parameter.

Thehostnameis the hostname or IP address for the device that hosts the database. The

hostnamemust match the parameter in theIP or Hostnamefield. The hostname is a required parameter.

Optional. Thetable nameis the name of the table or view on the database that contains the event records. If you define the name of a table or view, you must include a pipe (|) character as a separator. The name of the view or table must match the Table Name field.

Log Source Identifier

From the list box, selectMSDEas the type of database to use for the event source. Database Type

Type RealSecureDB the name of the database to which the protocol can connect. Database Name

Type the IP address or hostname of the database server. IP or Hostname

Type the port number used by the database server. The default displayed depends on the selected Database Type. The valid range is 0 to 65536. The defaults include:

• MSDE–1433 • Postgres–5432 • MySQL–3306 • Sybase–1521 • Oracle–1521 • Informix–9088

The JDBC SiteProtector configuration port must match the listener port of the database. The database must have incoming TCP connections enabled.

If you define a Database Instance when with MSDE as the database type, you must leave the Port parameter blank in your log source configuration.

Port

Type the database username. The username can be up to 255 alphanumeric characters in length and can include underscores (_).

If you want to track access to a database by the JDBC protocol, you can create a specific use for your JSA system.

Username

Type the database password. The password can be up to 255 characters in length. Password

Confirm the password to access the database. Confirm Password

If you select MSDE and the database is configured for Windows, you must define a Windows domain.

(41)

Table 9: JDBC - SiteProtector Protocol Parameters (continued)

Description Parameter

Database Instance
    If you select MSDE and you have multiple SQL Server instances on one server, define the instance to which you want to connect.

    If you use a non-standard port in your database configuration, or have blocked access to port 1434 for SQL database resolution, you must leave the Database Instance parameter blank in your configuration.

Predefined Query
    From the list, select a predefined database query for your log source. Predefined database queries are only available for special log source connections.

Table Name
    Type SensorData1.

AVP View Name
    Type SensorDataAVP.

Response View Name
    Type SensorDataResponse.

Select List
    Type * to include all fields from the table or view.

Compare Field
    Type SensorDataRowID to identify new events added to the table between queries.

Use Prepared Statements
    Select this check box to use prepared statements.

    Prepared statements allow the JDBC protocol source to set up the SQL statement once and then execute it numerous times with different parameters. Because the parameter values are sent separately from the statement text, they cannot alter the structure of the query. For security and performance reasons, we recommend that you use prepared statements.

    Clear this check box to use an alternative method of querying that does not use pre-compiled statements.

Include Audit Events
    Select this check box to collect audit events from IBM SiteProtector. By default, this check box is clear.

Start Date and Time
    Optional. Configure a start date and time for when the protocol can start to poll the database.

Polling Interval
    Type the polling interval, which is the amount of time between queries to the event table. The default polling interval is 10 seconds.

    Administrators can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values without an H or M designator poll in seconds.

EPS Throttle
    Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The default value is 20000 EPS.
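The following Python model is added here as an illustration and is not part of JSA or of this guide. It shows how the Compare Field, Use Prepared Statements, Polling Interval and EPS Throttle parameters fit together in an incremental poller. SQLite stands in for the MSDE/SQL Server instance; the names SensorData1 and SensorDataRowID come from the table above, while the query text, the way the throttle is modelled (eps_throttle * interval rows per poll), and the sample column AlertName are assumptions of this example rather than the protocol's actual internals.

```python
import re
import sqlite3

# Table: "The maximum polling interval is 1 week in any time format."
MAX_POLL_SECONDS = 7 * 24 * 3600
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_polling_interval(value):
    """Convert a Polling Interval value to seconds.

    Digits alone are seconds; a trailing M means minutes and H means hours,
    as described for the Polling Interval parameter. Anything else, a zero
    interval, or more than one week is rejected.
    """
    m = re.fullmatch(r"\s*(\d+)\s*([HhMm]?)\s*", value)
    if not m:
        raise ValueError("invalid polling interval: %r" % value)
    seconds = int(m.group(1)) * {"": 1, "M": 60, "H": 3600}[m.group(2).upper()]
    if not 0 < seconds <= MAX_POLL_SECONDS:
        raise ValueError("polling interval out of range: %r" % value)
    return seconds


def quote_ident(name):
    """Whitelist and quote a table or column name.

    Identifiers cannot be bound as statement parameters, so the Table Name,
    Select List and Compare Field values are checked against a strict
    pattern before they are placed in the SQL text.
    """
    if not IDENT.match(name):
        raise ValueError("refusing unsafe identifier: %r" % name)
    return '"%s"' % name


class SiteProtectorPoller:
    """Incremental poller that tracks the last SensorDataRowID it has seen."""

    def __init__(self, conn, table="SensorData1", compare_field="SensorDataRowID",
                 select_list="*", eps_throttle=20000):
        self.conn = conn
        self.eps_throttle = eps_throttle
        self.last_seen = 0          # highest Compare Field value returned so far
        cols = "*" if select_list.strip() == "*" else ", ".join(
            quote_ident(c.strip()) for c in select_list.split(","))
        cf = quote_ident(compare_field)
        # Prepared form: the statement text is fixed when the log source is
        # configured; only the two values are bound on each poll.
        self.sql = ("SELECT %s AS cmp, %s FROM %s WHERE %s > ? ORDER BY %s LIMIT ?"
                    % (cf, cols, quote_ident(table), cf, cf))

    def poll(self, interval_seconds):
        """Return the rows added since the previous poll, capped by the throttle.

        Assumption of this example: the EPS Throttle is applied as
        eps_throttle * interval_seconds rows per poll. Rows above the cap are
        not lost; last_seen only advances to the last row returned, so they
        are picked up on the next poll.
        """
        limit = self.eps_throttle * interval_seconds
        rows = self.conn.execute(self.sql, (self.last_seen, limit)).fetchall()
        if rows:
            self.last_seen = rows[-1][0]
        return [row[1:] for row in rows]


def demo():
    """Constructed data: 25 rows in SensorData1, polled at 10 s with EPS Throttle 1."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SensorData1 (SensorDataRowID INTEGER PRIMARY KEY, "
                 "AlertName TEXT)")
    conn.executemany("INSERT INTO SensorData1 VALUES (?, ?)",
                     [(i, "alert-%d" % i) for i in range(1, 26)])
    poller = SiteProtectorPoller(conn, select_list="SensorDataRowID, AlertName",
                                 eps_throttle=1)
    interval = parse_polling_interval("10")   # the documented default
    batches = [len(poller.poll(interval)) for _ in range(3)]
    return batches, poller.last_seen          # ([10, 10, 5], 25)


if __name__ == "__main__":
    print(demo())
```

Two points worth noticing when you run it: a backlog larger than the throttle allows is drained over several polls rather than dropped, because the Compare Field bookmark only moves as far as the rows actually returned; and the identifiers are the one place a prepared statement cannot protect you, which is why the example refuses any Table Name, Select List or Compare Field value that is not a plain identifier.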

Use Named Pipe Communication
    If you select MSDE as the database type, select this check box to use an alternative method to a TCP/IP port connection.

    When administrators use a Named Pipe connection, the username and password must be the appropriate Windows authentication username and password and not the database username and password. The log source configuration must use the default named pipe.

Database Cluster Name
    If the Use Named Pipe Communication check box is selected, the Database Cluster Name parameter is displayed.

    Type the cluster name to ensure that named pipe communications function properly.

Use NTLMv2
    Select the Use NTLMv2 check box to force MSDE connections to use the NTLMv2 protocol when communicating with SQL servers that require NTLMv2 authentication. This check box is selected by default.

    The Use NTLMv2 check box does not interrupt communications for MSDE connections that do not require NTLMv2 authentication. Leave it selected unless a server genuinely cannot negotiate NTLMv2; the older NTLM challenge-response is weak.

Use SSL
    Select this check box to enable SSL encryption for the JDBC protocol. Without it, the polled event data crosses the network unencrypted.

Enabled
    Select this check box to enable the log source.

    When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
    Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.

    Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or can be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
    Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The appliance that you select here is the one that must be able to reach the database listener port.

    The target event collector enables administrators to poll and process events on that event collector instead of on the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
    Select this check box to enable the log source to coalesce (bundle) events.

    Coalescing increases the event count when the same event occurs multiple times within a short time interval. Coalesced events give administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.

    When this check box is clear, events are viewed individually and are not bundled.

    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
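A small Python model of event coalescing, added here as an illustration rather than taken from JSA. The page describes bundling repeats of the same event seen within a short interval, but not which fields make two events "the same" or how long the interval is, so the key (event name, source address, destination address), the 10-second window and the sample events below are assumptions of this example.

```python
def coalesce_events(events, window_seconds=10, key_fields=("name", "src", "dst")):
    """Bundle repeats of the same event that arrive within window_seconds.

    Events are grouped by key_fields (an assumption of this example; the page
    does not define the coalescing key). A bundle accepts repeats until
    window_seconds after its first event, then a new bundle is opened, so
    event_count tells you how often the event fired in each interval.
    """
    bundles = []
    open_bundle = {}      # key -> index of the bundle still accepting repeats
    for ev in sorted(events, key=lambda e: e["time"]):
        key = tuple(ev[f] for f in key_fields)
        idx = open_bundle.get(key)
        if idx is not None and ev["time"] - bundles[idx]["first_time"] <= window_seconds:
            bundles[idx]["event_count"] += 1
            bundles[idx]["last_time"] = ev["time"]
        else:
            bundles.append({**{f: ev[f] for f in key_fields},
                            "first_time": ev["time"], "last_time": ev["time"],
                            "event_count": 1})
            open_bundle[key] = len(bundles) - 1
    return bundles


# Constructed sample: times are seconds from an arbitrary start.
SAMPLE_EVENTS = [
    {"time": 0,  "name": "SSH_Brute_Force",    "src": "10.0.0.5", "dst": "10.0.0.20"},
    {"time": 2,  "name": "SSH_Brute_Force",    "src": "10.0.0.5", "dst": "10.0.0.20"},
    {"time": 4,  "name": "HTTP_Dir_Traversal", "src": "10.0.0.7", "dst": "10.0.0.30"},
    {"time": 9,  "name": "SSH_Brute_Force",    "src": "10.0.0.5", "dst": "10.0.0.20"},
    {"time": 30, "name": "SSH_Brute_Force",    "src": "10.0.0.5", "dst": "10.0.0.20"},
    {"time": 31, "name": "SSH_Brute_Force",    "src": "10.0.0.5", "dst": "10.0.0.20"},
]


def event_counts(events=SAMPLE_EVENTS, window_seconds=10):
    """Per-bundle event counts, in first-seen order."""
    return [b["event_count"] for b in coalesce_events(events, window_seconds)]


if __name__ == "__main__":
    for b in coalesce_events(SAMPLE_EVENTS):
        print(b)
```

With coalescing on, the six sample events become three bundles (the brute-force event three times in the first window, the traversal once, the brute-force twice in a later window); with the check box clear, the same six rows appear individually on the Log Activity tab. The counts always add up to the raw event total, which is a useful sanity check when comparing a coalesced log source against its source system.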

Store Event Payload
    Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
