Juniper Secure Analytics


Juniper Secure Analytics Log Sources Users Guide

Release Modified:

Juniper Networks, Inc Innovation Way Sunnyvale, California USA. All rights reserved.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Juniper Secure Analytics Log Sources Users Guide. All rights reserved. The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year However, the NTP application is known to have some difficulty in the year

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (EULA) posted at By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

Table of Contents

About the Documentation vii
    Documentation and Release Notes vii
    Documentation Conventions vii
    Documentation Feedback ix
    Requesting Technical Support x
        Self-Help Online Tools and Resources x
        Opening a Case with JTAC x

Part 1: Juniper Secure Analytics Log Sources

Chapter 1: Installing Protocols
    Installing Protocols

Chapter 2: Managing Log Sources
    Log Sources Overview
    Viewing the Status of a Log Source
    Adding a Log Source
    Editing Log Source
    Enabling or Disabling a Log Source
    Adding Bulk Log Sources
    Editing Bulk Log Sources
    Deleting a Log Source

Chapter 3: Managing Protocol Configuration
    Protocol Configuration Overview
    Configuring the Syslog Protocol
    Configuring the JDBC Protocol
    Configuring the JDBC SiteProtector Protocol
    Configuring the Sophos Enterprise Console JDBC Protocol
    Configuring the Juniper Networks NSM Protocol
    Configuring the OPSEC/LEA Protocol
    Configuring the SDEE Protocol
    Configuring the SNMPv1 Protocol
    Configuring the SNMPv2 Protocol
    Configuring the SNMPv3 Protocol
    Configuring the Sourcefire Defense Center Estreamer Protocol
    Configuring the Log File Protocol
    Configuring the Microsoft Security Event Log Protocol
    Configuring the Microsoft Security Event Log Custom Protocol
    Configuring the Microsoft DHCP Protocol
    Configuring the Microsoft Exchange Protocol
    Configuring the Microsoft IIS protocol
    Configuring the SMB Tail Protocol
    Configuring the EMC VMware Protocol
    Configuring the Oracle Database Listener Protocol
    Configuring the Cisco NSEL Protocol
    Configuring the PCAP Syslog Combination Protocol
    Configuring the Forwarded Protocol
    Configuring the TLS Syslog Protocol
    Configuring the Juniper Security Binary Log Collector Protocol
    Configuring the UDP Multiline Syslog Protocol
    Configuring the TCP Multiline Syslog Protocol
    Configuring the VMware vcloud Director Protocol
    Configuring the IBM Tivoli Endpoint Manager SOAP Protocol

Chapter 4: Grouping Log Sources
    Grouping Log Source Overview
    Viewing Log Source Groups
    Assigning a Log Source to a Group
    Creating a Log Source Group
    Editing a Log Source Group
    Copying a Log Source to Another Group
    Removing a Log Source From a Group

Chapter 5: Adding Log Source Parsing Order
    Log Source Parsing Order Overview
    Adding a Log Source Parsing Order

Chapter 6: Managing Log Source Extensions
    Log Source Extensions Overview
    Viewing the Status of a Log Source Extension
    Adding a Log Source Extension
    Editing a Log Source Extension
    Copying a Log Source Extension
    Enabling or Disabling a Log Source Extension
    Deleting a Log Source Extension

Part 2: Index
    Index

List of Tables

About the Documentation
    Table 1: Notice Icons viii
    Table 2: Text and Syntax Conventions viii

Part 1: Juniper Secure Analytics Log Sources

Chapter 2: Managing Log Sources
    Table 3: Console Settings
    Table 4: Log Source Parameters
    Table 5: Bulk Log Source Parameters
    Table 6: Bulk Edit Log Source Parameters

Chapter 3: Managing Protocol Configuration
    Table 7: Syslog Protocol Parameters
    Table 8: JDBC Protocol Parameters
    Table 9: JDBC - SiteProtector Protocol Parameters
    Table 10: Sophos Enterprise Console JDBC Protocol Parameters
    Table 11: Juniper Networks NSM Protocol Parameters
    Table 12: OPSEC/LEA Protocol Parameters
    Table 13: SDEE Protocol Parameters
    Table 14: SNMPv1 Protocol Parameters
    Table 15: SNMPv2 Protocol Parameters
    Table 16: SNMPv3 Protocol Parameters
    Table 17: Sourcefire Defense Center Estreamer Protocol Parameters
    Table 18: Log File Protocol Parameters
    Table 19: Microsoft Security Event Log Protocol Parameters
    Table 20: Microsoft Security Event Log Protocol Parameters
    Table 21: Microsoft DHCP Protocol Parameters
    Table 22: Microsoft Exchange Protocol Parameters
    Table 23: Microsoft IIS Protocol Parameters
    Table 24: SMB Tail Protocol Parameters
    Table 25: EMC VMware Protocol Parameters
    Table 26: Oracle Database Listener Protocol Parameters
    Table 27: Cisco NSEL Protocol Parameters
    Table 28: PCAP Syslog Combination Protocol Parameters
    Table 29: Forwarded Protocol Parameters
    Table 30: TLS Syslog Protocol Parameters
    Table 31: Juniper Security Binary Log Collector Protocol Parameters
    Table 32: UDP Multiline Syslog Protocol Parameters
    Table 33: TCP Multiline Syslog Protocol Parameters
    Table 34: VMware vcloud Director Protocol Parameters
    Table 35: IBM Tivoli Endpoint Manager SOAP Protocol Parameters

Chapter 6: Managing Log Source Extensions
    Table 36: Log Source Extension Parameters

About the Documentation

Documentation and Release Notes on page vii
Documentation Conventions on page vii
Documentation Feedback on page ix
Requesting Technical Support on page x

Documentation and Release Notes

To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at

If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at

Documentation Conventions

Table 1 on page viii defines notice icons used in this guide.

Table 1: Notice Icons

Icon                 Meaning
Informational note   Indicates important features or instructions.
Caution              Indicates a situation that might result in loss of data or hardware damage.
Warning              Alerts you to the risk of personal injury or death.
Laser warning        Alerts you to the risk of personal injury from a laser.
Tip                  Indicates helpful information.
Best practice        Alerts you to a recommended use or implementation.

Table 2 on page viii defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Bold text like this
    Represents text that you type.
    Example: To enter configuration mode, type the configure command:
        user@host> configure

Fixed-width text like this
    Represents output that appears on the terminal screen.
    Example:
        user@host> show chassis alarms
        No alarms currently active

Italic text like this
    Introduces or emphasizes important new terms. Identifies guide names. Identifies RFC and Internet draft titles.
    Examples: A policy term is a named structure that defines match conditions and actions. Junos OS CLI User Guide. RFC 1997, BGP Communities Attribute.

Italic text like this
    Represents variables (options for which you substitute a value) in commands or configuration statements.
    Example: Configure the machine's domain name:
        [edit]
        root@# set system domain-name domain-name

Table 2: Text and Syntax Conventions (continued)

Text like this
    Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
    Examples: To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level. The console port is labeled CONSOLE.

< > (angle brackets)
    Encloses optional keywords or variables.
    Example: stub <default-metric metric>;

| (pipe symbol)
    Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
    Example: broadcast | multicast (string1 | string2 | string3)

# (pound sign)
    Indicates a comment specified on the same line as the configuration statement to which it applies.
    Example: rsvp { # Required for dynamic MPLS only

[ ] (square brackets)
    Encloses a variable for which you can substitute one or more values.
    Example: community name members [ community-ids ]

Indention and braces ( { } )
    Identifies a level in the configuration hierarchy.

; (semicolon)
    Identifies a leaf statement at a configuration hierarchy level.
    Example:
        [edit]
        routing-options {
            static {
                route default {
                    nexthop address;
                    retain;
                }
            }
        }

GUI Conventions

Bold text like this
    Represents graphical user interface (GUI) items you click or select.
    Examples: In the Logical Interfaces box, select All Interfaces. To cancel the configuration, click Cancel.

> (bold right angle bracket)
    Separates levels in a hierarchy of menu selections.
    Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods:

Online feedback rating system: On any page at the Juniper Networks Technical Documentation site at simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience.

Alternately, you can use the online feedback form at

Send your comments to Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or Partner Support Service support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

JTAC policies: For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at
Product warranties: For product warranty information, visit
JTAC hours of operation: The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

Find CSC offerings:
Search for known bugs:
Find product documentation:
Find solutions and answer questions using our Knowledge Base:
Download the latest versions of software and review release notes:
Search technical bulletins for relevant hardware and software notifications:
Join and participate in the Juniper Networks Community Forum:
Open a case online in the CSC Case Management tool:

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool:

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

Use the Case Management tool in the CSC at
Call JTAC ( toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see


PART 1
Juniper Secure Analytics Log Sources

Installing Protocols on page 3
Managing Log Sources on page 5
Managing Protocol Configuration on page 19
Grouping Log Sources on page 107
Adding Log Source Parsing Order on page 113
Managing Log Source Extensions on page 115


CHAPTER 1
Installing Protocols

This chapter describes the following section:

Installing Protocols on page 3

Installing Protocols

You can download and install a Juniper Secure Analytics (JSA) protocol.

To install JSA protocols:

1. Download the protocol file from Juniper Customer Support:
2. Copy the protocol file to your JSA console.
3. Using SSH, log in to the JSA host as the root user.
4. Navigate to the directory that includes the downloaded file.
5. Extract the contents of the file if they are compressed.
6. Type the following command:

   rpm -Uvh <filename>

   Where <filename> is the name of the downloaded file. For example: PROTOCOL-WinCollectMicrosoftIAS noarch.rpm.
7. Log in to JSA at <IP Address>, where <IP Address> is the IP address of the JSA console or Event Collector.
8. On the Admin tab, click Deploy Changes.

The installation is complete.

Related Documentation
    Log Sources Overview on page 6
    Adding a Log Source on page 7
    Protocol Configuration Overview on page 20


CHAPTER 2
Managing Log Sources

This chapter describes the following sections:

Log Sources Overview on page 6
Viewing the Status of a Log Source on page 6
Adding a Log Source on page 7
Editing Log Source on page 9
Enabling or Disabling a Log Source on page 11
Adding Bulk Log Sources on page 12
Editing Bulk Log Sources on page 15
Deleting a Log Source on page 17

Log Sources Overview

Administrators can manage log sources from the Admin tab. Log sources are a list of external appliances that provide events to Juniper Secure Analytics (JSA). References to JSA apply to all products capable of collecting log source information. Products that support log sources include Log Analytics.

Log sources provide JSA the ability to collect, understand, and properly categorize events from external sources. A log source is a generic term for any external source that provides event information to JSA. A log source can be any type of network appliance, operating system, database, or security product that generates events for JSA. For example, a firewall or intrusion detection system might provide security-based events, whereas switches or routers might provide network-based events. JSA can read and interpret events from more than 300 log sources.

Each log source in JSA contains a device support module (DSM). The DSM software contains the event patterns that are required to identify and parse events for a log source. Updated event patterns to parse new events and update your system are provided through weekly auto updates.

Log sources can be created manually by an administrator or automatically discovered by JSA. Auto discovery means that JSA can detect and create a log source from events without manual configuration. Many log sources can be automatically discovered by JSA.

Before you configure a log source, you must review and understand how the device, appliance, or software sends events to JSA. To review step-by-step configuration instructions for devices and the associated log source, see the Juniper Secure Analytics Administration Guide.

To manage log sources in JSA, perform the following tasks:

Viewing the Status of a Log Source on page 6
Adding a Log Source on page 7
Editing Log Source on page 9
Adding Bulk Log Sources on page 12
Editing Bulk Log Sources on page 15
Enabling or Disabling a Log Source on page 11
Deleting a Log Source on page 17

Viewing the Status of a Log Source

You can view the status of a log source to determine if your device is sending events to Juniper Secure Analytics.

To view the status of a log source:

1. Click the Admin tab.

2. Click the Log Sources icon.
3. Review the Status column to determine the status of your log sources.

For example, log sources that do not send an event within 720 minutes display an error in the Status column. Log sources that display N/A are log sources that have been bulk added.

Related Documentation
    Log Sources Overview on page 6
    Adding a Log Source on page 7
    Editing Log Source on page 9
    Adding Bulk Log Sources on page 12
    Editing Bulk Log Sources on page 15
    Enabling or Disabling a Log Source on page 11
    Deleting a Log Source on page 17

Adding a Log Source

Administrators can add a log source to receive events from your network devices or appliances. Before a log source is manually added, the administrator can determine if the device supports automatic discovery.

Table 3 describes the parameters of the log source fields.

Table 3: Console Settings

Log Source Name
    Type a unique name for the log source.

Log Source Description
    Optional. Type a description for the log source.

Log Source Type
    From the list, select the type of log source to add.

Protocol Configuration
    From the list, select the protocol configuration for the log source. The protocol defines how Juniper Secure Analytics attempts to communicate with the log source. Protocols can either listen for events or initiate communication to a log source to collect events. The protocol options that are available for each log source are determined by the Log Source Type. Juniper Secure Analytics provides step-by-step instructions to configure each log source.

Log Source Identifier
    Type an IPv4 address or hostname to identify the log source that created the events. If your network contains multiple devices that are attached to a management console, specify the IP address of the individual device that created the event. A unique identifier for each device, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.

Table 3: Console Settings (continued)

Enabled
    Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
    Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
    Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
    Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, events are viewed individually and events are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
    Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
    Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
    Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
    From the list box, select the use condition for the log source extension. The options include:
    Parsing enhancement: Select this option when most fields parse correctly for the log source.
    Parsing override: Select this option when the log source is unable to correctly parse events.

Table 3: Console Settings (continued)

Groups
    Select one or more groups for the log source.

To add a log source:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source. Juniper Secure Analytics provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation
    Log Sources Overview on page 6
    Viewing the Status of a Log Source on page 6
    Editing Log Source on page 9
    Adding Bulk Log Sources on page 12
    Editing Bulk Log Sources on page 15
    Enabling or Disabling a Log Source on page 11
    Deleting a Log Source on page 17

Editing Log Source

You can edit a log source to update the configuration parameters for a network device, appliance, or software. The Log Source Type and Protocol Configuration parameters cannot be edited.

Table 4 on page 9 describes the editable parameters of the log source fields:

Table 4: Log Source Parameters

Log Source Name
    Type a unique name for the log source.

Log Source Description
    Optional. Type a description for the log source.

Table 4: Log Source Parameters (continued)

Log Source Identifier
    Type an IPv4 address or hostname to identify the log source that created the events. If your network contains multiple devices that are attached to a management console, specify the IP address of the individual device that created the event. A unique identifier for each device, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.

Enabled
    Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
    Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
    Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
    Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, events are viewed individually and events are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
    Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
    Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Table 4: Log Source Parameters (continued)

Log Source Extension
    Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
    From the list box, select the use condition for the log source extension. The options include:
    Parsing enhancement: Select this option when most fields parse correctly for the log source.
    Parsing override: Select this option when the log source is unable to correctly parse events.

Groups
    Select one or more groups for the log source.

To edit a log source:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Select a log source.
4. Click Edit.
5. Configure the parameters for your log source. JSA provides step-by-step instructions to configure each log source.
6. Click Save to update your log source configuration.

The log source is updated. Deploy Changes is not required to edit a log source.

Related Documentation
    Log Sources Overview on page 6
    Viewing the Status of a Log Source on page 6
    Adding a Log Source on page 7
    Adding Bulk Log Sources on page 12
    Editing Bulk Log Sources on page 15
    Enabling or Disabling a Log Source on page 11
    Deleting a Log Source on page 17

Enabling or Disabling a Log Source

Administrators can enable or disable a log source to start or stop event collection. Bulk log sources cannot be enabled or disabled.

To enable or disable a log source:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Select the log source to enable or disable.
4. Click Enable/Disable.

When a log source is enabled, the Enabled column indicates true; when it is disabled, the column indicates false. Disabled log sources do not count against the log source limit assigned to the license.

If an administrator cannot enable a log source, the system might have exceeded the log source license limit. Administrators can review the system notifications to determine if the number of log sources exceeds the license limit. When this occurs, administrators can disable low priority log sources. If extra log source capacity is required, contact your sales representative.

Related Documentation
    Log Sources Overview on page 6
    Viewing the Status of a Log Source on page 6
    Adding a Log Source on page 7
    Editing Log Source on page 9
    Adding Bulk Log Sources on page 12
    Editing Bulk Log Sources on page 15
    Deleting a Log Source on page 17

Adding Bulk Log Sources

Juniper Secure Analytics supports the ability to add up to 500 Windows-based or Universal DSM log sources in bulk. Bulk log sources share a common configuration and only differ by the IP address.

Table 5 describes the default parameters of the log source configuration. These parameters might differ based on the Log Source Type selected:

Table 5: Bulk Log Source Parameters

Bulk Log Source Name
    Type a unique name for the log source. When you add a bulk log source, a log source group is created with the name you input into this field.

Log Source Type
    From the list, select a log source type for your Windows-based log source or Universal DSM log source.

Table 5: Bulk Log Source Parameters (continued)

Protocol Configuration
    From the list, select the protocol configuration for the log source. The protocol defines how the system attempts to communicate with the log source. Protocols can either listen for events or initiate communication to a log source to collect events. The protocol options that are available for each log source are determined by the Log Source Type. Juniper Secure Analytics provides step-by-step instructions to configure each log source.

Enabled
    Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
    Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
    Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
    Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, events are viewed individually and events are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
    Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
    Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
    Parsing enhancement: Select this option when most fields parse correctly for the log source.
    Parsing override: Select this option when the log source is unable to correctly parse events.

File Upload: Select this option to specify the location of a text file that contains a list of IP addresses or host names to bulk add. The text file must contain one IP address or host name per line. Extra characters after an IP address, or host names longer than 255 characters, can result in a value being bypassed from the text file. The file upload lists a summary of all IP addresses or host names that were added as the bulk log source.

Domain Query: Select this option to search a domain for hosts to add as bulk log sources. To search a domain, you must add the domain, username, and password before polling the domain for hosts to add. Click Query Domain to search for IP addresses or host names to add to the list.

Domain Controller: Type the IP address of the domain controller.

Full Domain Name: Type a valid domain name for your network.

Manual: Select this option to manually add individual IP addresses or host names to the host list. Click Add Host to add an IP address or host name to the list.

Add: Clear any values from the Add check box to exclude host names or IP addresses from the list of bulk log sources.

To add a bulk log source:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. From the Actions list, select Bulk Add.
4. Configure the parameters for the log source. Juniper Secure Analytics provides step-by-step instructions to configure each log source.
5. Click Save.
6. Click Continue to add the log sources.
7. On the Admin tab, click Deploy Changes.
The log sources are bulk added and a group is created for your bulk log sources.

Related Documentation
Log Sources Overview on page 6
Viewing the Status of a Log Source on page 6

Adding a Log Source on page 7
Editing Log Source on page 9
Enabling or Disabling a Log Source on page 11
Editing Bulk Log Sources on page 15
Deleting a Log Source on page 17

Editing Bulk Log Sources

Administrators can edit log sources in bulk to update the configuration parameters for Windows-based log sources or Universal DSM log sources that were bulk added. The Log Source Type and Protocol Configuration parameters cannot be edited in bulk.

Table 6 on page 15 describes the default parameters of the log source configuration. These parameters might differ based on the Log Source Type selected.

Table 6: Bulk Edit Log Source Parameters

Bulk Log Source Name: Type a unique name for the log source. When you add a bulk log source, a log source group is created with the name you enter in this field.

Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, events are viewed individually and events are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language: Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
    Parsing enhancement: Select this option when most fields parse correctly for the log source.
    Parsing override: Select this option when the log source is unable to correctly parse events.

File Upload: Select this option to specify the location of a text file that contains a list of IP addresses or host names to bulk add. The text file must contain one IP address or host name per line. Extra characters after an IP address, or host names longer than 255 characters, can result in a value being bypassed from the text file. The file upload lists a summary of all IP addresses or host names that were added as the bulk log source.

Domain Query: Select this option to search a domain for hosts to add as bulk log sources. To search a domain, you must add the domain, username, and password before polling the domain for hosts to add. Click Query Domain to search for IP addresses or host names to add to the list.

Domain Controller: Type the IP address of the domain controller.

Full Domain Name: Type a valid domain name for your network.

Manual: Select this option to manually add individual IP addresses or host names to the host list. Click Add Host to add an IP address or host name to the list.

Add: Clear any values from the Add check box to exclude host names or IP addresses from the list of bulk log sources.
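The File Upload rules above (one IP address or host name per line; an entry is bypassed when extra characters follow an IP address or a host name exceeds 255 characters) can be checked before the file is uploaded. The validator below is an added example, not code from the JSA guide; the host-name label syntax it applies is an assumption, and the sample file is constructed.

```python
"""Validator for a bulk log source host-list file, written as an added example
(not code from the JSA guide). It applies the File Upload rules from Table 6:
one IP address or host name per line, and an entry is bypassed when extra
characters follow an IP address or a host name is longer than 255 characters.
The host-name label syntax used here is an assumption."""
import ipaddress
import re
from typing import List, Tuple

MAX_HOSTNAME_LEN = 255  # limit stated in the guide

# Assumed host-name rule: dot-separated labels of letters, digits and hyphens,
# 1-63 characters each, with no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_ip_address(value: str) -> bool:
    """True for a valid IPv4 or IPv6 address and nothing else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_host_name(value: str) -> bool:
    """True when every label of a dotted host name matches the assumed rule."""
    if not value or len(value) > MAX_HOSTNAME_LEN:
        return False
    return all(_LABEL_RE.match(label) for label in value.rstrip(".").split("."))


def parse_bulk_host_file(text: str) -> Tuple[List[str], List[Tuple[int, str, str]]]:
    """Return (accepted hosts, bypassed entries).

    Each bypassed entry is (line number, raw line, reason), which is the
    summary an administrator wants to see before clicking Save."""
    accepted: List[str] = []
    bypassed: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # a blank line carries no host
        tokens = line.split()
        if len(tokens) > 1:
            # Extra characters after the value: the whole entry is bypassed
            kind = "IP address" if is_ip_address(tokens[0]) else "host name"
            bypassed.append((lineno, raw, f"extra characters after {kind}"))
        elif is_ip_address(line):
            accepted.append(line)
        elif len(line) > MAX_HOSTNAME_LEN:
            bypassed.append((lineno, raw, "host name longer than 255 characters"))
        elif is_host_name(line):
            accepted.append(line)
        else:
            bypassed.append((lineno, raw, "not an IP address or host name"))
    return accepted, bypassed


# Constructed sample file; the addresses and names are documentation values, not real hosts.
SAMPLE_FILE = (
    "192.0.2.10\n"
    "fw-edge01.example.test\n"
    "192.0.2.11 dc-core\n"             # trailing text after the address
    "2001:db8::25\n"
    + "a" * 256 + ".example.test\n"    # host name longer than 255 characters
    + "bad_host!\n"                    # underscore and '!' are not label characters
)

if __name__ == "__main__":
    ok, skipped = parse_bulk_host_file(SAMPLE_FILE)
    print("accepted:", ok)
    for lineno, raw, reason in skipped:
        print(f"bypassed line {lineno}: {reason}")
```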

To edit a bulk log source:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Select a log source.
4. From the Actions list, select Bulk Edit.
5. Configure the parameters for the log source. JSA provides step-by-step instructions to configure each log source.
6. Click Save to update your log source configuration.
7. Click Continue to add the log sources.
8. Optional. On the Admin tab, click Deploy Changes if you added a new IP address or host name to your bulk log source.
The bulk log source is updated.

Related Documentation
Log Sources Overview on page 6
Viewing the Status of a Log Source on page 6
Adding a Log Source on page 7
Editing Log Source on page 9
Enabling or Disabling a Log Source on page 11
Adding Bulk Log Sources on page 12
Deleting a Log Source on page 17

Deleting a Log Source

Administrators can delete a log source. Bulk log sources cannot be enabled or disabled. Administrators can delete unwanted log sources to stop event collection for an external device.

To delete a log source:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Select the log source to enable or disable.
4. Click Delete.
The log source is enabled or disabled.

The event data for log sources is still available on your system. However, the data can be more difficult to locate when you attempt to search, because the indexes for the log source are deleted. If you want to retain the log source index reference, you can disable a log source instead of deleting the log source from your system. This enables you to continue to search for events by log source or log source group.

Related Documentation
Log Sources Overview on page 6
Viewing the Status of a Log Source on page 6
Adding a Log Source on page 7
Editing Log Source on page 9
Enabling or Disabling a Log Source on page 11
Adding Bulk Log Sources on page 12
Editing Bulk Log Sources on page

CHAPTER 3 Managing Protocol Configuration

This chapter describes the following sections:
Protocol Configuration Overview on page 20
Configuring the Syslog Protocol on page 20
Configuring the JDBC Protocol on page 23
Configuring the JDBC SiteProtector Protocol on page 27
Configuring the Sophos Enterprise Console JDBC Protocol on page 31
Configuring the Juniper Networks NSM Protocol on page 36
Configuring the OPSEC/LEA Protocol on page 38
Configuring the SDEE Protocol on page 41
Configuring the SNMPv1 Protocol on page 44
Configuring the SNMPv2 Protocol on page 46
Configuring the SNMPv3 Protocol on page 49
Configuring the Sourcefire Defense Center Estreamer Protocol on page 51
Configuring the Log File Protocol on page 54
Configuring the Microsoft Security Event Log Protocol on page 59
Configuring the Microsoft Security Event Log Custom Protocol on page 62
Configuring the Microsoft DHCP Protocol on page 65
Configuring the Microsoft Exchange Protocol on page 68
Configuring the Microsoft IIS protocol on page 71
Configuring the SMB Tail Protocol on page 74
Configuring the EMC VMware Protocol on page 77
Configuring the Oracle Database Listener Protocol on page 79
Configuring the Cisco NSEL Protocol on page 82
Configuring the PCAP Syslog Combination Protocol on page 84
Configuring the Forwarded Protocol on page 86
Configuring the TLS Syslog Protocol on page 89
Configuring the Juniper Security Binary Log Collector Protocol on page 92
Configuring the UDP Multiline Syslog Protocol on page 94

Configuring the TCP Multiline Syslog Protocol on page 97
Configuring the VMware vCloud Director Protocol on page 100
Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 102

Protocol Configuration Overview

Log source protocols provide Juniper Secure Analytics (JSA) the ability to receive or actively collect log source events from external sources. Passive protocols listen for events on specific ports, and active protocols use APIs or other communication methods to reach out to external systems to poll and retrieve events.

Before you configure a log source, you must review and understand how the device, appliance, or software sends events to JSA. For detailed protocol information and step-by-step configuration instructions for many devices, see the Juniper Secure Analytics Administration Guide.

To review the protocol configuration parameters for your log source, select the protocol for the device:

Related Documentation
Configuring the Syslog Protocol on page 20
Configuring the JDBC Protocol on page 23
Configuring the JDBC - SiteProtector Protocol on page 27
Configuring the Sophos Enterprise Console JDBC Protocol on page 31
Configuring the Juniper Networks NSM Protocol on page 36
Configuring the OPSEC/LEA Protocol on page 38

Configuring the Syslog Protocol

The Syslog protocol is the most common form of event collection. Juniper Secure Analytics (JSA) can passively listen for Syslog events on TCP or UDP port 514.

Table 7 on page 20 describes the parameters of the Syslog protocol.

Table 7: Syslog Protocol Parameters

Log Source Name: Type a unique name for the log source.

Log Source Description: Optional. Type a description for the log source.

Log Source Type: From the list, select the type of log source to add.

Protocol Configuration: From the list, select Syslog. The protocol defines how JSA attempts to communicate with the log source. Protocols can either listen for events or initiate communication to a log source to collect events. The protocol options that are available for each log source are determined by the Log Source Type. JSA provides step-by-step instructions to configure each log source.

Log Source Identifier: Type an IPv4 address or host name to identify the log source that created the events. If the network contains multiple devices that are attached to a management console, administrators can specify the IP address of the individual device that created the event. A unique identifier for each device, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.

Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, events are viewed individually and events are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language: Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
    Parsing enhancement: Select this option when most fields parse correctly for the log source.
    Parsing override: Select this option when the log source is unable to correctly parse events.

Groups: Select one or more groups for the log source.

To configure the Syslog protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source. JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation
Protocol Configuration Overview on page 20
Configuring the JDBC Protocol on page 23
Configuring the JDBC - SiteProtector Protocol on page 27
Configuring the Sophos Enterprise Console JDBC Protocol on page 31
Configuring the Juniper Networks NSM Protocol on page 36
Configuring the OPSEC/LEA Protocol on page 38
Configuring the SDEE Protocol on page 41
Configuring the SNMPv1 Protocol on page 44
Configuring the SNMPv2 Protocol on page

Configuring the JDBC Protocol

Log sources configured with the Java Database Connectivity (JDBC) protocol can remotely poll databases for events. The JDBC protocol enables Juniper Secure Analytics (JSA) to collect information from tables or views that contain event data from several database types.

Table 8 on page 23 describes the parameters of the JDBC protocol.

Table 8: JDBC Protocol Parameters

Log Source Name: Type a unique name for the log source.

Log Source Description: Optional. Type a description for the log source.

Log Source Type: From the list, select the type of log source to add.

Protocol Configuration: From the list, select JDBC.

Log Source Identifier: Type the log source identifier in one of the following formats:
    database@hostname|table name
    database@hostname
The database name must match the value of the Database Name parameter. The database name is a required parameter. The hostname is the hostname or IP address for the device that hosts the database. The hostname must match the value in the IP or Hostname field. The hostname is a required parameter. Optional. The table name is the name of the table or view on the database that contains the event records. If you define the name of a table or view, you must include a pipe (|) character as a separator. The name of the view or table must match the Table Name field.

Database Type: From the list box, select the type of database that contains the events.

Database Name: Type the name of the database to which the protocol can connect. The database name must match the database name specified in the Log Source Identifier field.

IP or Hostname: Type the IP address or hostname of the database server.

Port: Type the port number used by the database server. The default displayed depends on the selected Database Type. The valid range is 0 to
The defaults include:
    MSDE: 1433
    Postgres: 5432
    MySQL: 3306
    Sybase: 1521
    Oracle: 1521
    Informix: 9088
The JDBC port must match the listen port configured on the remote database. The database must permit incoming TCP connections. If a Database Instance is used with the MSDE database type, administrators must leave the Port parameter blank in the log source configuration.

Username: Type the database username. The username can be up to 255 alphanumeric characters in length and can include underscore (_) characters. To track database access for audit purposes, administrators can create a specific user on the database for JSA.

Password: Type the database password. The password can be up to 255 characters in length.

Confirm Password: Confirm the password to access the database.

Authentication Domain: Type a domain for the database. A domain must be configured for MSDE databases that are within a Windows domain. If your network does not use a domain, leave this field blank.

Database Instance: Type the database instance, if required. MSDE databases can include multiple SQL server instances on one server. When a non-standard port is used for the database, or administrators have blocked access to port 1434 for SQL database resolution, the Database Instance parameter must be blank in the log source configuration.

Predefined Query: Optional. Select a predefined database query for the log source. If a predefined query is not available for the log source type, administrators can select none.

Table Name: Type the name of the table or view that includes the event records. The table name can include the following special characters: dollar sign ($), number sign (#), underscore (_), en dash (-), and period (.).

Select List: Type the list of fields to include when the table is polled for events. Administrators can use a comma-separated list or type * to select all fields from the table or view. If a comma-separated list is defined, the list must contain the field defined in the Compare Field.

Compare Field: Type a numeric value or timestamp field from the table or view that can identify new events added between queries to the table. This field enables the protocol to identify events that were previously polled by the protocol, to ensure that duplicate events are not created.

Use Prepared Statements: Select this check box to use prepared statements. Prepared statements enable the JDBC protocol source to set up the SQL statement, and then execute the SQL statement numerous times with different parameters. For security and performance reasons, most JDBC protocol configurations can use prepared statements. Clear this check box to use an alternative method of querying that does not use precompiled statements.

Start Date and Time: Optional. Configure a start date and time for when the protocol can start to poll the database. If a start time is not defined, the protocol attempts to poll for events after the log source configuration is saved and deployed.

Polling Interval: Type the polling interval, which is the amount of time between queries to the database. The default polling interval is 10 seconds. Administrators can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values without an H or M designator poll in seconds.

EPS Throttle: Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The default value is EPS.

Use Named Pipe Communication: If MSDE is configured as the database type, administrators can select this check box to use an alternative method to a TCP/IP port connection. Named pipe connections for MSDE databases require the username and password fields to use a Windows authentication username and password, and not the database username and password. The log source configuration must use the default named pipe on the MSDE database.

Database Cluster Name: If the Use Named Pipe Communication check box is selected, the Database Cluster Name parameter is displayed. If you use your SQL server in a cluster environment, define the cluster name to ensure that named pipe communications function properly.

Use NTLMv2: Select the Use NTLMv2 check box to force MSDE connections to use the NTLMv2 protocol when communicating with SQL servers that require NTLMv2 authentication. The default value of the check box is selected. The Use NTLMv2 check box does not interrupt communications for MSDE connections that do not require NTLMv2 authentication.

Use SSL: Select this check box to enable SSL encryption for the JDBC protocol.

Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, events are viewed individually and events are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language: Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
    Parsing enhancement: Select this option when most fields parse correctly for the log source.
    Parsing override: Select this option when the log source is unable to correctly parse events.

Groups: Select one or more groups for the log source.
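The Log Source Identifier format, the Select List and Compare Field rules, the prepared-statement re-execution and the Polling Interval syntax of Table 8 are easier to see in code. The poller below is an added example, not code from the JSA guide or its JDBC protocol; SQLite stands in for the remote database, the per-poll row cap is an assumption (not the guide's EPS Throttle), and the table, columns and rows are constructed.

```python
"""Added example, not code from the JSA guide or its JDBC protocol: a small
poller showing the mechanics Table 8 describes. It parses the Log Source
Identifier (database@hostname or database@hostname|table) and the Polling
Interval syntax, checks that the Select List contains the Compare Field, and
re-executes one prepared statement with the last Compare Field value so rows
are never collected twice. SQLite stands in for the remote database; the
table, column names and rows are constructed."""
import re
import sqlite3
from typing import Any, Dict, List, Optional, Tuple

MAX_POLL_SECONDS = 7 * 24 * 3600   # the guide caps the polling interval at 1 week
# Characters the guide allows in a table name: letters, digits, $, #, _, - and .
_IDENT_RE = re.compile(r"^[A-Za-z0-9_$#.-]+$")


def parse_log_source_identifier(identifier: str) -> Tuple[str, str, Optional[str]]:
    """Split 'database@hostname' or 'database@hostname|table' into its parts."""
    db_host, _, table = identifier.partition("|")
    database, sep, hostname = db_host.partition("@")
    if not sep or not database or not hostname:
        raise ValueError("identifier must be database@hostname or database@hostname|table")
    return database, hostname, (table or None)


def parse_polling_interval(value: str) -> int:
    """Plain numbers poll in seconds; a trailing M or H means minutes or hours."""
    match = re.fullmatch(r"(\d+)([HhMm]?)", value.strip())
    if not match:
        raise ValueError(f"bad polling interval: {value!r}")
    seconds = int(match.group(1)) * {"": 1, "m": 60, "h": 3600}[match.group(2).lower()]
    if seconds > MAX_POLL_SECONDS:
        raise ValueError("polling interval exceeds 1 week")
    return seconds


class CompareFieldPoller:
    """Keeps the highest Compare Field value seen so each poll returns only
    rows added since the previous one (the duplicate guard the guide describes).
    The per-poll row cap is an assumption, not the guide's EPS Throttle."""

    def __init__(self, conn: sqlite3.Connection, table: str, select_list: str,
                 compare_field: str, start_after: Any = None, max_rows: int = 1000):
        cols = select_list.strip()
        fields = [f.strip() for f in cols.split(",")]
        if cols != "*" and compare_field not in fields:
            raise ValueError("Select List must contain the Compare Field")
        # Identifiers cannot be bound as parameters, so they are validated here
        # and quoted; only the Compare Field value travels as a bound parameter.
        for name in [table, compare_field] + ([] if cols == "*" else fields):
            if not _IDENT_RE.match(name):
                raise ValueError(f"unsafe identifier: {name!r}")
        base = f'SELECT {cols} FROM "{table}"'
        self.sql_first = f'{base} ORDER BY "{compare_field}" LIMIT ?'
        self.sql_next = f'{base} WHERE "{compare_field}" > ? ORDER BY "{compare_field}" LIMIT ?'
        self.conn = conn
        self.compare_field = compare_field
        self.high_water = start_after   # plays the role of Start Date and Time when set
        self.max_rows = max_rows

    def poll(self) -> List[Dict[str, Any]]:
        """Run the prepared statement once and advance the high-water mark."""
        if self.high_water is None:
            cur = self.conn.execute(self.sql_first, (self.max_rows,))
        else:
            cur = self.conn.execute(self.sql_next, (self.high_water, self.max_rows))
        rows = [dict(r) for r in cur.fetchall()]
        if rows:
            self.high_water = rows[-1][self.compare_field]
        return rows


def demo_run() -> List[int]:
    """Constructed walk-through; returns how many new rows each poll produced."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE event_log (event_id INTEGER PRIMARY KEY, src TEXT, msg TEXT)")
    conn.executemany("INSERT INTO event_log (src, msg) VALUES (?, ?)",
                     [("198.51.100.7", "login ok"), ("198.51.100.7", "login failed"),
                      ("198.51.100.9", "policy changed")])
    poller = CompareFieldPoller(conn, "event_log", "event_id, src, msg", "event_id")
    counts = [len(poller.poll())]                 # first poll: all three rows
    conn.executemany("INSERT INTO event_log (src, msg) VALUES (?, ?)",
                     [("198.51.100.9", "user added"), ("198.51.100.7", "logout")])
    counts.append(len(poller.poll()))             # only the two new rows
    counts.append(len(poller.poll()))             # nothing new: no duplicates
    late = CompareFieldPoller(conn, "event_log", "*", "event_id", start_after=4)
    counts.append(len(late.poll()))               # start value skips rows 1-4
    return counts


if __name__ == "__main__":
    print(parse_log_source_identifier("RealSecureDB@db01.example.test|SensorData1"))
    print(parse_polling_interval("5M"), "seconds between polls")
    print(demo_run())
```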

To configure the JDBC protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source. JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation
Protocol Configuration Overview on page 20
Configuring the Syslog Protocol on page 20
Configuring the JDBC - SiteProtector Protocol on page 27
Configuring the Sophos Enterprise Console JDBC Protocol on page 31
Configuring the Juniper Networks NSM Protocol on page 36
Configuring the OPSEC/LEA Protocol on page 38

Configuring the JDBC SiteProtector Protocol

Log sources configured with the Java Database Connectivity (JDBC) SiteProtector protocol can remotely poll IBM Proventia Management SiteProtector databases for events. The JDBC - SiteProtector protocol combines information from the SensorData1 and SensorDataAVP1 tables in the creation of the log source payload. The SensorData1 and SensorDataAVP1 tables are located in the IBM Proventia Management SiteProtector database. The maximum number of rows that the JDBC - SiteProtector protocol can poll in a single query is 30,000 rows.

Table 9 on page 27 describes the parameters of the JDBC - SiteProtector protocol.

Table 9: JDBC - SiteProtector Protocol Parameters

Log Source Name: Type a unique name for the log source.

Log Source Description: Optional. Type a description for the log source.

Log Source Type: From the list, select the type of log source to add.

Protocol Configuration: From the list, select JDBC - SiteProtector.

Log Source Identifier: Type the log source identifier in one of the following formats:
    database@hostname|table name
    database@hostname
The database name must match the value of the Database Name parameter. The database name is a required parameter. The hostname is the hostname or IP address for the device that hosts the database. The hostname must match the value in the IP or Hostname field. The hostname is a required parameter. Optional. The table name is the name of the table or view on the database that contains the event records. If you define the name of a table or view, you must include a pipe (|) character as a separator. The name of the view or table must match the Table Name field.

Database Type: From the list box, select MSDE as the type of database to use for the event source.

Database Name: Type RealSecureDB as the name of the database to which the protocol can connect.

IP or Hostname: Type the IP address or hostname of the database server.

Port: Type the port number used by the database server. The default displayed depends on the selected Database Type. The valid range is 0 to
The defaults include:
    MSDE: 1433
    Postgres: 5432
    MySQL: 3306
    Sybase: 1521
    Oracle: 1521
    Informix: 9088
The JDBC SiteProtector configuration port must match the listener port of the database. The database must have incoming TCP connections enabled. If you define a Database Instance with MSDE as the database type, you must leave the Port parameter blank in your log source configuration.

Username: Type the database username. The username can be up to 255 alphanumeric characters in length and can include underscores (_). If you want to track access to a database by the JDBC protocol, you can create a specific user for your JSA system.

Password: Type the database password. The password can be up to 255 characters in length.

Confirm Password: Confirm the password to access the database.

Authentication Domain: If you select MSDE and the database is configured for Windows, you must define a Windows domain. If your network does not use a domain, leave this field blank.

Database Instance: If you select MSDE and you have multiple SQL server instances on one server, define the instance to which you want to connect. If you use a non-standard port in your database configuration, or have blocked access to port 1434 for SQL database resolution, you must leave the Database Instance parameter blank in your configuration.

Predefined Query: From the list, select a predefined database query for your log source. Predefined database queries are only available for special log source connections.

Table Name: Type SensorData1.

AVP View Name: Type SensorDataAVP.

Response View Name: Type SensorDataResponse.

Select List: Type * to include all fields from the table or view.

Compare Field: Type SensorDataRowID to identify new events added between queries to the table.

Use Prepared Statements: Select this check box to use prepared statements. Prepared statements allow the JDBC protocol source to set up the SQL statement, and then execute the SQL statement numerous times with different parameters. For security and performance reasons, we recommend that you use prepared statements. Clear this check box to use an alternative method of querying that does not use pre-compiled statements.

Include Audit Events: Select this check box to collect audit events from IBM SiteProtector. By default, this check box is clear.

Start Date and Time: Optional. Configure a start date and time for when the protocol can start to poll the database.

Polling Interval: Type the polling interval, which is the amount of time between queries to the event table. The default polling interval is 10 seconds. Administrators can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values without an H or M designator poll in seconds.

EPS Throttle: Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The default value is EPS.

Use Named Pipe Communication: If you select MSDE as the database type, select the check box to use an alternative method to a TCP/IP port connection. When administrators use a Named Pipe connection, the username and password must be the appropriate Windows authentication username and password, and not the database username and password. The log source configuration must use the default named pipe.

42 Juniper Secure Analytics Log Sources Users Guide Table 9: JDBC - SiteProtector Protocol s (continued) Database Cluster Name If the Use Named Pipe Communication check box is selected, the Database Cluster Name parameter is displayed. Type the cluster name to ensure that named pipe communications function properly. Use NTLMv2 Select the Use NTLMv2 check box to force MSDE connections to use the NTLMv2 protocol when communicating with SQL servers that require NTLMv2 authentication. The default value of the check box is selected. The Use NTLMv2 check box does not interrupt communications for MSDE connections that do not require NTLMv2 authentication. Use SSL Select this check box to enable SSL encryption for the JDBC protocol. Enabled Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit. Credibility Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or adjusted as a response to user created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense. Target Event Collector Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. Distributing event across target event collectors can improve performance in distributed deployments. Coalescing Events Select this check box to enable the log source to coalesce (bundle) events. 
    Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, events are viewed individually and are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
    Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Chapter 3: Managing Protocol Configuration

Log Source Language
    Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
    Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
    From the list box, select the use condition for the log source extension. The options include:
        Parsing enhancement: Select this option when most fields parse correctly for the log source.
        Parsing override: Select this option when the log source is unable to correctly parse events.

Groups
    Select one or more groups for the log source.

To configure the JDBC - SiteProtector protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source. JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation
Protocol Configuration Overview on page 20
Configuring the Syslog Protocol on page 20
Configuring the JDBC Protocol on page 23
Configuring the Sophos Enterprise Console JDBC Protocol on page 31
Configuring the Juniper Networks NSM Protocol on page 36
Configuring the OPSEC/LEA Protocol on page 38
Configuring the SDEE Protocol on page 41

Configuring the Sophos Enterprise Console JDBC Protocol

The Sophos Enterprise Console JDBC protocol can poll Sophos Enterprise Consoles for events. The Sophos Enterprise Console JDBC protocol combines payload information from application control logs, device control logs, data control logs, tamper protection logs,

and firewall logs in the vEventsCommonData table to provide events to Juniper Secure Analytics (JSA). If the Sophos Enterprise Console does not have the Sophos Reporting Interface, administrators can use the standard JDBC protocol to collect antivirus events. Detailed configuration steps for Sophos Enterprise Consoles are provided in JSA. Table 10 on page 32 describes the parameters of the Sophos Enterprise Console JDBC protocol.

Table 10: Sophos Enterprise Console JDBC Protocol Parameters

Log Source Name
    Type a unique name for the log source.

Log Source Description
    Optional. Type a description for the log source.

Log Source Type
    From the list, select the type of log source to add.

Protocol Configuration
    From the list, select Sophos Enterprise console JDBC.

Log Source Identifier
    Type the log source identifier in one of the following formats:
        database@hostname
        table name|database@hostname
    The database name must match the value of the Database Name parameter. The database name is a required parameter. The hostname is the host name or IP address of the device that hosts the database. The hostname must match the value of the IP or Hostname parameter. The host name is a required parameter. Optional. The table name is the name of the table or view on the database that contains the event records. If you define the name of a table or view, you must include a pipe (|) character as a separator. The name of the view or table must match the Table Name field.

Database Type
    From the list box, select MSDE.

Database Name
    Type the name of the Sophos database. The database name must match the database name that is specified in the Log Source Identifier field.

IP or Hostname
    Type the IP address or host name of the database server.

Port
    Type the port number that is used by the database server. The default port for MSDE in Sophos Enterprise Console is
    The JDBC configuration port must match the listener port of the Sophos database.
    The Sophos database must have incoming TCP connections enabled to communicate with JSA. If a Database Instance is used with the MSDE database type, administrators must leave the Port parameter blank in the log source configuration.

Username
    Type the database user name. The user name can be up to 255 alphanumeric characters in length and can include underscore (_) characters.

Password
    Type the database password that is required to access the database.

Confirm Password
    Confirm the password to access the database.

Authentication Domain
    Type a domain for the database. A domain must be configured for MSDE databases that are within a Windows domain. If your network does not use a domain, leave this field blank.

Database Instance
    Type the database instance, if required. MSDE databases can include multiple SQL server instances on one server. When a non-standard port is used for the database, or administrators block access to port 1434 for SQL database resolution, the Database Instance parameter must be blank.

Table Name
    Type veventscommondata as the name of the table or view that includes the event records. The table name can include the following special characters: dollar sign ($), number sign (#), underscore (_), en dash (-), and period (.).

Select List
    Type * for all fields from the table or view.

Compare Field
    Type InsertedAt to identify new events added between queries to the database table.

Use Prepared Statements
    Select this check box to use prepared statements. Prepared statements enable the protocol source to set up the SQL statement once, and then execute the SQL statement numerous times with different parameters. For security and performance reasons, most configurations can use prepared statements. Clear this check box to use an alternative method of querying that does not use precompiled statements.

Start Date and Time
    Optional. Configure a start date and time for when the protocol can start to poll the database. If a start time is not defined, the protocol attempts to poll for events after the log source configuration is saved and deployed.

Polling Interval
    Type the polling interval, which is the amount of time between queries to the database. The default polling interval is 10 seconds.
    Administrators can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values without an H or M designator poll in seconds.

EPS Throttle
    Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The default value is EPS.

Use Named Pipe Communication
    If MSDE is configured as the database type, administrators can select this check box to use an alternative method to a TCP/IP port connection. Named pipe connections for MSDE databases require the username and password fields to use a Windows authentication username and password, not the database username and password. The log source configuration must use the default named pipe on the MSDE database.

Database Cluster Name
    If the Use Named Pipe Communication check box is selected, the Database Cluster Name parameter is displayed. If you use your SQL server in a cluster environment, define the cluster name to ensure that named pipe communications function properly.

Use NTLMv2
    Select the Use NTLMv2 check box to force MSDE connections to use the NTLMv2 protocol when communicating with SQL servers that require NTLMv2 authentication. The check box is selected by default. The Use NTLMv2 check box does not interrupt communications for MSDE connections that do not require NTLMv2 authentication.

Use SSL
    Select this check box to enable SSL encryption for the protocol.

Enabled
    Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
    Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Target Event Collector
    Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
    Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, events are viewed individually and are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
    Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
    Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
    Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
    From the list box, select the use condition for the log source extension. The options include:
        Parsing enhancement: Select this option when most fields parse correctly for the log source.
        Parsing override: Select this option when the log source is unable to correctly parse events.

Groups
    Select one or more groups for the log source.

To configure the Sophos Enterprise Console JDBC protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source. JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6.
On the Admin tab, click Deploy Changes.

Related Documentation
Protocol Configuration Overview on page 20
Configuring the Syslog Protocol on page 20
Configuring the JDBC Protocol on page 23
Configuring the JDBC - SiteProtector Protocol on page 27
Configuring the Juniper Networks NSM Protocol on page 36

Configuring the OPSEC/LEA Protocol on page 38
Configuring the SDEE Protocol on page 41

Configuring the Juniper Networks NSM Protocol

The Juniper Networks Network and Security Manager Protocol (NSM protocol) can poll Sophos Enterprise consoles for events. The Juniper Networks Network and Security Manager protocol can accept Juniper Networks NSM and Juniper Networks Secure Service Gateway (SSG) logs. Detailed configuration steps are provided in Juniper Secure Analytics (JSA).

Table 11: Juniper Networks NSM Protocol Parameters

Log Source Name
    Type a unique name for the log source.

Log Source Description
    Optional. Type a description for the log source.

Log Source Type
    From the list, select Juniper Networks Network and Security Manager.

Protocol Configuration
    From the list, select Juniper NSM.

Log Source Identifier
    Type an IP address, host name, or unique name to identify the log source.

IP
    Type the IP address or host name of the Juniper Networks NSM server.

Inbound Port
    Type the inbound port to which the Juniper Networks NSM sends events. The valid range is 0 to
    The default is 514.

Redirect Listen Port
    Type the port to which traffic is forwarded. The default is 516.

Use NSM Address for Log Source
    Select this check box to use the Juniper NSM management server IP address instead of the log source IP address. By default, the check box is selected.

Enabled
    Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
    Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules.
    The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
    Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
    Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, events are viewed individually and are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
    Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
    Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
    Optional. Select the name of the extension to apply to the log source.
    This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
    From the list box, select the use condition for the log source extension. The options include:
        Parsing enhancement: Select this option when most fields parse correctly for the log source.
        Parsing override: Select this option when the log source is unable to correctly parse events.

Groups
    Select one or more groups for the log source.

To configure the Juniper Networks NSM protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source. JSA provides step-by-step instructions to configure each log source.

5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation
Protocol Configuration Overview on page 20
Configuring the Syslog Protocol on page 20
Configuring the JDBC Protocol on page 23
Configuring the JDBC - SiteProtector Protocol on page 27
Configuring the Sophos Enterprise Console JDBC Protocol on page 31
Configuring the OPSEC/LEA Protocol on page 38
Configuring the SDEE Protocol on page 41

Configuring the OPSEC/LEA Protocol

The OPSEC/LEA protocol is a protocol that continuously polls for event data on
Detailed configuration steps for each log source type are provided in Juniper Secure Analytics (JSA).

Table 12: OPSEC/LEA Protocol Parameters

Log Source Name
    Type a unique name for the log source.

Log Source Description
    Optional. Type a description for the log source.

Log Source Type
    From the list, select a log source type.

Protocol Configuration
    From the list, select OPSEC/LEA.

Log Source Identifier
    Type an IP address, host name, or unique name to identify the log source.

Server IP
    Type the IP address or host name of the Juniper Networks NSM server.

Server Port
    Type the port used for OPSEC/LEA communication. The valid range is 0 to
    Administrators must verify that JSA can communicate on port
    to communicate with the OPSEC/LEA protocol.

Use Server IP for Log Source
    Select this check box if you want to use the LEA server's IP address instead of the managed device's IP address for a log source. By default, the check box is selected.

Statistics Report Interval
    Type the interval, in seconds, during which the number of syslog events is recorded in the qradar.log file. The valid range is 4 to 2,147,483,648.

Authentication Type
    From the list box, select the authentication type you want to use for this LEA configuration. The type selected must match the authentication method used by the server. The options include sslca, sslca_clear, or clear.

OPSEC Application Object SIC Attribute (SIC Name)
    Type the Secure Internal Communications (SIC) name of the OPSEC Application Object. The SIC name is the distinguished name (DN) of the application, for example: CN=LEA, o=fwconsole..7psasx. The name can be up to 255 characters in length and is case sensitive.

Log Source SIC Attribute (Entity SIC Name)
    Type the SIC name of the server, for example: cn=cp_mgmt,o=fwconsole..7psasx. The name can be up to 255 characters in length and is case sensitive.

Specify Certificate
    Select this check box to define a certificate for this LEA configuration. JSA attempts to retrieve the certificate with these parameters when the certificate is required.

Certificate Filename
    Type the directory path of the certificate you want to use for this configuration. This option only appears if Specify Certificate is selected.

Certificate Authority IP
    Type the IP address of the server that contains the certificate.

Pull Certificate Password
    Type the password to use to request the certificate.

OPSEC Application
    Type the name of the application that makes the certificate request.

Enabled
    Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source does not count against the log source limit in the license.

Credibility
    Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events created by a log source. The credibility value assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
    Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
    Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, events are viewed individually and are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
    Select this check box to enable the log source to store the payload information from an event.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
    Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
    Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
    From the list box, select the use condition for the log source extension. The options include:
        Parsing enhancement: Select this option when most fields parse correctly for the log source.
        Parsing override: Select this option when the log source is unable to correctly parse events.

Groups
    Select one or more groups for the log source.

To configure the OPSEC/LEA protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source. JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation
Protocol Configuration Overview on page 20
Configuring the Syslog Protocol on page 20
Configuring the JDBC Protocol on page 23
Configuring the JDBC - SiteProtector Protocol on page 27
Configuring the Sophos Enterprise Console JDBC Protocol on page 31
Configuring the Juniper Networks NSM Protocol on page 36
Configuring the SDEE Protocol on page 41

Configuring the SDEE Protocol

The Security Device Event Exchange (SDEE) protocol enables Juniper Secure Analytics (JSA) to use subscriptions to collect events from appliances that use SDEE servers. Detailed configuration steps for each log source type are provided in JSA.
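The subscription model described above, as an added illustration that is not part of this guide or of JSA itself: a small Python model of a collector whose settings mirror the SDEE parameters this section goes on to describe (Events / Query, Force Subscription, Severity Filter, Event Filter, Event Collection Interval, Connection Retry On Failure, Maximum Wait To Block For Events) together with the URL suffix rule for SDEE/CIDEE versus RDEP. FakeSdeeServer, SdeeCollector and every event record are constructed for the example; the fake server does not speak the real SDEE wire format, and the wait times returned are the configured intervals, not measured delays.

```python
"""Model of an SDEE subscription collector (constructed example, not JSA code).

Collector fields mirror the SDEE protocol parameters: Events / Query, Force
Subscription, Severity Filter, Event Filter, Event Collection Interval,
Connection Retry On Failure and Maximum Wait To Block For Events.
FakeSdeeServer is an in-memory stand-in for a sensor; it does not implement the
SDEE wire format, and all event records are constructed sample data.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import List, Tuple

SEVERITIES = ("informational", "low", "medium", "high")   # Severity Filter values
EVENT_TYPES = ("alerts", "status", "errors")              # Event Filter values
MAX_EVENTS_PER_QUERY = 501                                # top of the Events / Query range


def validate_sdee_url(url: str, flavour: str) -> bool:
    """URL rule from the SDEE parameters: SDEE/CIDEE (Cisco IDS v5.x and above)
    URLs end with /cgi-bin/sdee-server, RDEP (Cisco IDS v4.x) URLs end with
    /cgi-bin/event-server, and only HTTP or HTTPS URLs are accepted."""
    if not url.startswith(("http://", "https://")):
        return False
    suffix = {"sdee": "/cgi-bin/sdee-server", "rdep": "/cgi-bin/event-server"}
    return url.endswith(suffix[flavour])


@dataclass
class Event:
    severity: str   # one of SEVERITIES
    kind: str       # one of EVENT_TYPES
    payload: str    # constructed sample text


class FakeSdeeServer:
    """Constructed stand-in for a sensor with a bounded number of subscription
    slots and a queue of events that have not yet been handed to a subscriber."""

    def __init__(self, events: List[Event], max_subscriptions: int = 1):
        self.queue = deque(events)
        self.max_subscriptions = max_subscriptions
        self.subscriptions: List[str] = []   # least active connection first
        self.fail_next = False               # set True to simulate a transport error

    def subscribe(self, client: str, force: bool) -> bool:
        if client in self.subscriptions:
            return True
        if len(self.subscriptions) >= self.max_subscriptions:
            if not force:
                return False                 # all slots taken and not forcing
            self.subscriptions.pop(0)        # Force Subscription: drop least active
        self.subscriptions.append(client)
        return True

    def fetch(self, client: str, limit: int) -> List[Event]:
        if self.fail_next:
            self.fail_next = False
            raise ConnectionError("sensor unreachable")
        if client not in self.subscriptions:
            raise PermissionError("no active subscription")
        return [self.queue.popleft() for _ in range(min(limit, len(self.queue)))]


@dataclass
class SdeeCollector:
    name: str
    events_per_query: int = 100              # Events / Query default
    force_subscription: bool = False         # Force Subscription check box
    severity_filter: Tuple[str, ...] = SEVERITIES
    event_filter: Tuple[str, ...] = EVENT_TYPES
    collection_interval: int = 5             # Event Collection Interval, seconds
    retry_on_failure: int = 30               # Connection Retry On Failure, seconds
    max_wait_to_block: int = 60              # Maximum Wait To Block For Events, seconds
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 0 <= self.events_per_query <= MAX_EVENTS_PER_QUERY:
            raise ValueError("Events / Query must be between 0 and 501")

    def poll_once(self, server: FakeSdeeServer) -> Tuple[List[Event], int]:
        """One collection request: returns the events that pass both filters and
        the number of seconds to wait before the next request."""
        if not server.subscribe(self.name, self.force_subscription):
            self.log.append("subscription refused")
            return [], self.retry_on_failure
        try:
            batch = server.fetch(self.name, self.events_per_query)
        except ConnectionError as exc:
            self.log.append(f"fetch failed: {exc}")
            return [], self.retry_on_failure
        if not batch:
            # No new events: block instead of re-polling a sensor that has nothing.
            return [], self.max_wait_to_block
        accepted = [e for e in batch
                    if e.severity in self.severity_filter and e.kind in self.event_filter]
        return accepted, self.collection_interval


def demo() -> List[Tuple[int, int]]:
    """Three polls against constructed sample events, with Events / Query set to 2
    and filters for medium/high alerts and errors; returns (accepted, wait) per poll."""
    server = FakeSdeeServer([Event("high", "alerts", "sample alert"),
                             Event("low", "status", "sample heartbeat"),
                             Event("medium", "errors", "sample error")])
    collector = SdeeCollector("jsa-ec1", events_per_query=2,
                              severity_filter=("medium", "high"),
                              event_filter=("alerts", "errors"))
    return [(len(ev), wait) for ev, wait in (collector.poll_once(server) for _ in range(3))]
```

Running demo() gives two productive polls followed by a block: the first request returns two events of which one passes the filters, the second returns the remaining event, and the third finds nothing and waits for the Maximum Wait To Block For Events interval. A refused or failed connection instead waits for the Connection Retry On Failure interval, which is the behaviour the two timing parameters in the table that follows control.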

Table 13: SDEE Protocol Parameters

Log Source Name
    Type a unique name for the log source.

Log Source Description
    Optional. Type a description for the log source.

Log Source Type
    From the list, select a log source type.

Protocol Configuration
    From the list, select SDEE.

Log Source Identifier
    Type an IP address, host name, or name to identify the SDEE event source. IP addresses or host names are suggested because they identify a unique value for the event source.

URL
    Type the HTTP or HTTPS URL required to access the log source. For example,
    The options include:
        For administrators with SDEE/CIDEE (Cisco IDS v5.x and above), the URL must end with /cgi-bin/sdee-server.
        For administrators with RDEP (Cisco IDS v4.x), the URL must end with /cgi-bin/event-server.

Username
    Type the username required to access the URL.

Password
    Type the password required to access the URL.

Events / Query
    Type the maximum number of events to retrieve per query. The valid range is 0 to 501 and the default is 100.

Force Subscription
    Select this check box to force a new SDEE subscription. When the check box is selected, the protocol forces the server to drop the least active connection and accept a new SDEE subscription connection for the log source. Clearing the check box continues with any existing SDEE subscription.

Severity Filter
    Select a check box for each severity level the log source can subscribe to and collect with the log source:
        Informational
        Low
        Medium
        High

Event Filter
    Select a check box for each severity level the log source can subscribe to and collect with the log source:
        Alerts
        Status
        Errors

Event Collection Interval
    Type the time interval that defines how frequently the subscription collects events. The time interval is defined in seconds.

Connection Retry On Failure
    Type a time interval that defines how long the subscription must wait before another subscription is attempted. The wait time interval is defined in seconds.

Maximum Wait To Block For Events
    Type the interval that defines the length of the event block. When a collection request is made and no new events are available, the protocol enables an event block. The block prevents another event request from being made to a remote device that did not have any new events. This timeout is intended to conserve system resources. The time interval is defined in seconds.

Enabled
    Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source does not count against the log source limit in the license.

Credibility
    Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events created by a log source. The credibility value assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
    Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance.
    Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
    Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, events are viewed individually and are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
    Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
    Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
    Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
    From the list box, select the use condition for the log source extension. The options include:
        Parsing enhancement: Select this option when most fields parse correctly for the log source.
        Parsing override: Select this option when the log source is unable to correctly parse events.

Groups
    Select one or more groups for the log source.

To configure the SDEE protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source. JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation
Protocol Configuration Overview on page 20
Configuring the Syslog Protocol on page 20
Configuring the JDBC Protocol on page 23
Configuring the JDBC - SiteProtector Protocol on page 27
Configuring the Sophos Enterprise Console JDBC Protocol on page 31
Configuring the Juniper Networks NSM Protocol on page 36
Configuring the OPSEC/LEA Protocol on page 38
Configuring the SNMPv1 Protocol on page 44

Configuring the SNMPv1 Protocol

The SNMPv1 protocol provides log sources the ability to receive SNMPv1 events. Table 14 on page 44 describes the parameters of the SNMPv1 protocol.

Table 14: SNMPv1 Protocol Parameters

Log Source Name
    Type a unique name for the log source.

57 Chapter 3: Managing Protocol Configuration

Table 14: SNMPv1 Protocol Parameters (continued)

Log Source Description: Optional. Type a description for the log source.
Log Source Type: From the list, select the type of log source to add.
Protocol Configuration: From the list, select SNMPv1.
Log Source Identifier: Type an IPv4 address or host name to identify the log source that created the events. If the network contains devices that are attached to a management console, administrators can specify the IP address of the individual device that created the event. A unique identifier for each device, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.
Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.
Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.
Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events give administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, events are viewed individually and are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Table 14: SNMPv1 Protocol Parameters (continued)

Log Source Language: Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.
Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).
Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
  Parsing enhancement: Select this option when most fields parse correctly for the log source.
  Parsing override: Select this option when the log source is unable to correctly parse events.
Groups: Select one or more groups for the log source.

To configure the SNMPv1 protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source. The Juniper Secure Analytics Configuring DSMs Guide provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation
Protocol Configuration Overview on page 20.
Configuring the Syslog Protocol on page 20.
Configuring the JDBC Protocol on page 23.
Configuring the JDBC - SiteProtector Protocol on page 27.
Configuring the Sophos Enterprise Console JDBC Protocol on page 31.
Configuring the Juniper Networks NSM Protocol on page 36.
Configuring the OPSEC/LEA Protocol on page 38.

Configuring the SNMPv2 Protocol

The SNMPv2 protocol provides log sources the ability to receive SNMPv2 events. Table 15 on page 47 describes the parameters of the SNMPv2 protocol.

Table 15: SNMPv2 Protocol Parameters

Log Source Name: Type a unique name for the log source.
Log Source Description: Optional. Type a description for the log source.
Log Source Type: From the list, select the type of log source to add.
Protocol Configuration: From the list, select SNMPv2.
Log Source Identifier: Type an IPv4 address or host name to identify the log source that created the events. If the network contains devices that are attached to a management console, administrators can specify the IP address of the individual device that created the event. A unique identifier for each device, such as an IP address, prevents searches from identifying the management console as the source for all of the events.
Community: Type the SNMP community name that is required to access the system that contains the SNMP events. The default is Public.
Include OIDs in Event Payload: This option allows the SNMP event payload to be constructed using name-value pairs instead of the standard event payload format. Including OIDs in the event payload is required for processing SNMPv2 or SNMPv3 events when you select specific log sources from the Log Source Types list. For more information, see the Juniper Secure Analytics Configuring DSMs Guide.
Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.
Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Table 15: SNMPv2 Protocol Parameters (continued)

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events give administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, events are viewed individually and are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Log Source Language: Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.
Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).
Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
  Parsing enhancement: Select this option when most fields parse correctly for the log source.
  Parsing override: Select this option when the log source is unable to correctly parse events.
Groups: Select one or more groups for the log source.

To configure the SNMPv2 protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source. The Juniper Secure Analytics Configuring DSMs Guide provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
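The Coalescing Events parameter that appears in each protocol table above is easier to reason about with a concrete model. The following Python is an added example, not JSA code: it bundles identical events that arrive within a window and raises a count on the bundle, and it shows the same input with coalescing disabled. The ten-second window and the set of fields that make two events "the same" (log source, event name, source, destination, user) are assumptions; the page only states that repeats within a short interval are bundled and that the event count increases.

```python
"""Coalescing Events modelled in Python (added example, not JSA code).

Assumptions: a 10 second bundling window, and events are "the same" when
log source, event name, source IP, destination IP and user all match.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    log_source: str
    event_name: str
    src_ip: str
    dst_ip: str
    user: str
    count: int = 1


def coalesce_key(e: Event):
    """Fields that decide whether two events belong in one bundle (assumed)."""
    return (e.log_source, e.event_name, e.src_ip, e.dst_ip, e.user)


def coalesce(events, window=timedelta(seconds=10), enabled=True):
    """Return the rows the Log Activity tab would show.

    Enabled: an event that repeats an open bundle's key within `window` of that
    bundle's first event increments the bundle count instead of adding a row.
    Disabled: every event is its own row with count 1.
    """
    ordered = sorted(events, key=lambda e: e.ts)
    if not enabled:
        return [replace(e, count=1) for e in ordered]
    rows = []
    open_bundle = {}  # coalesce_key -> index into rows
    for e in ordered:
        key = coalesce_key(e)
        idx = open_bundle.get(key)
        if idx is not None and e.ts - rows[idx].ts <= window:
            rows[idx].count += 1
        else:
            rows.append(replace(e, count=1))  # copy: caller's objects stay untouched
            open_bundle[key] = len(rows) - 1
    return rows


def summary(rows):
    """(user, count) per row, the view an analyst gets when searching by user."""
    return [(r.user, r.count) for r in rows]


# Constructed sample: a burst of failed logins for alice, one unrelated failure
# for bob inside the burst, and a late alice failure outside the window.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE = [
    Event(T0 + timedelta(seconds=s), "fw-edge-1", "Login Failed", "203.0.113.5", "10.0.0.1", "alice")
    for s in (0, 1, 2, 3)
] + [
    Event(T0 + timedelta(seconds=2), "fw-edge-1", "Login Failed", "203.0.113.9", "10.0.0.1", "bob"),
    Event(T0 + timedelta(seconds=30), "fw-edge-1", "Login Failed", "203.0.113.5", "10.0.0.1", "alice"),
]

if __name__ == "__main__":
    print("coalesced: ", summary(coalesce(SAMPLE)))
    print("individual:", summary(coalesce(SAMPLE, enabled=False)))
```

The count on a coalesced row is what makes a burst (four failures in three seconds) visible at a glance, while the late repeat stays a separate row because it falls outside the window. Note that coalescing keeps the count, not each repeat's payload, which is why Store Event Payload is a separate decision for a log source.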

Related Documentation
Protocol Configuration Overview on page 20.
Configuring the Syslog Protocol on page 20.
Configuring the JDBC Protocol on page 23.
Configuring the JDBC - SiteProtector Protocol on page 27.
Configuring the Sophos Enterprise Console JDBC Protocol on page 31.
Configuring the Juniper Networks NSM Protocol on page 36.
Configuring the OPSEC/LEA Protocol on page 38.

Configuring the SNMPv3 Protocol

The SNMPv3 protocol provides log sources the ability to receive SNMPv3 events. Table 16 on page 49 describes the parameters of the SNMPv3 protocol.

Table 16: SNMPv3 Protocol Parameters

Log Source Name: Type a unique name for the log source.
Log Source Description: Optional. Type a description for the log source.
Log Source Type: From the list, select the type of log source to add.
Protocol Configuration: From the list, select SNMPv3.
Log Source Identifier: Type an IPv4 address or host name to identify the log source that created the events. If the network contains devices that are attached to a management console, administrators can specify the IP address of the individual device that created the event. A unique identifier for each device, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.
Authentication Protocol: From the list, select the algorithm you want to use to authenticate SNMP traps. The options include MD5 and SHA.
Authentication Password: Type the password you want to use to authenticate SNMP. The password can be up to 64 characters in length. NOTE: Your authentication password must include a minimum of 8 characters.
Decryption Protocol: From the list box, select the protocol you want to use to decrypt SNMP traps. The default is AES256.
Decryption Password: Type the password used to decrypt SNMP traps. The password can be up to 64 characters in length.

Table 16: SNMPv3 Protocol Parameters (continued)

User: Type the user access for this protocol. The default is AdminUser. The user name can be up to 255 characters in length.
Include OIDs in Event Payload: This option allows the SNMP event payload to be constructed using name-value pairs instead of the standard event payload format. Including OIDs in the event payload is required for processing SNMPv2 or SNMPv3 events when you select specific log sources from the Log Source Types list. For more information, see the Juniper Secure Analytics Configuring DSMs Guide.
Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.
Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.
Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events give administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, events are viewed individually and are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Log Source Language: Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Table 16: SNMPv3 Protocol Parameters (continued)

Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).
Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
  Parsing enhancement: Select this option when most fields parse correctly for the log source.
  Parsing override: Select this option when the log source is unable to correctly parse events.
Groups: Select one or more groups for the log source.

To configure the SNMPv3 protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source. The Juniper Secure Analytics Configuring DSMs Guide provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation
Protocol Configuration Overview on page 20.
Configuring the Syslog Protocol on page 20.
Configuring the JDBC Protocol on page 23.
Configuring the JDBC - SiteProtector Protocol on page 27.
Configuring the Sophos Enterprise Console JDBC Protocol on page 31.
Configuring the Juniper Networks NSM Protocol on page 36.
Configuring the OPSEC/LEA Protocol on page 38.

Configuring the Sourcefire Defense Center Estreamer Protocol

The Sourcefire Defense Center Estreamer protocol enables Juniper Secure Analytics (JSA) to receive streaming event data from a Sourcefire Defense Center Estreamer (Event Streamer) service. Event files are streamed to JSA to be processed after the Sourcefire Defense Center DSM is configured. Detailed configuration steps for Sourcefire Defense Center are provided in the Juniper Secure Analytics Configuring DSMs Guide.
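The SNMPv3 Authentication Password and Decryption Password parameters in Table 16 above are not used as raw keys: the receiver derives a key from each password and then localizes it with the sending engine's ID, which is why a trap receiver needs the sender's engine ID as well as the passwords. The following Python is an added example, not JSA code, and goes slightly beyond the page by carrying out that derivation (RFC 3414 password-to-key and key localization) for the MD5 and SHA options the table lists. The eight-character minimum mirrors the note on the Authentication Password parameter; the AES256 key-extension step used by some agents is vendor specific and is not shown.

```python
"""SNMPv3 USM key derivation (added example, not JSA code).

password -> Ku (RFC 3414 A.2, hash of a 1 MiB stream of the repeated password)
Ku + snmpEngineID -> Kul (localized key for one engine).
For traps the sending agent is the authoritative engine, so a receiver localizes
the same password once per sender engine ID.
"""
import hashlib

HASHES = {"MD5": hashlib.md5, "SHA": hashlib.sha1}  # the two Authentication Protocol options
MIN_PASSWORD_LEN = 8       # minimum stated for the Authentication Password parameter
STREAM_LEN = 1_048_576     # RFC 3414 A.2 stream length


def password_ok(password: str) -> bool:
    return len(password) >= MIN_PASSWORD_LEN


def password_to_key(password: str, auth_proto: str) -> bytes:
    """Ku: the engine-independent key derived from the password."""
    if not password_ok(password):
        raise ValueError("SNMPv3 password must be at least 8 characters")
    pw = password.encode("utf-8")
    reps, rem = divmod(STREAM_LEN, len(pw))
    h = HASHES[auth_proto]()
    h.update(pw * reps + pw[:rem])  # password repeated cyclically to 1 MiB
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, auth_proto: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku).

    Binding the key to one engine means a key recovered from one device
    does not authenticate traffic for any other engine.
    """
    return HASHES[auth_proto](ku + engine_id + ku).digest()


def usm_keys(auth_proto: str, auth_password: str, priv_password: str, engine_id: bytes):
    """Return (authKey, privKey) for one sender engine.

    USM derives the privacy key with the authentication hash. AES256 is not in
    RFC 3826; agents that offer it extend the key with a vendor-specific step
    that is not modelled here.
    """
    auth_key = localize_key(password_to_key(auth_password, auth_proto), engine_id, auth_proto)
    priv_key = localize_key(password_to_key(priv_password, auth_proto), engine_id, auth_proto)
    return auth_key, priv_key


# RFC 3414 appendix A.3 test vector: password "maplesyrup", engine ID 00 00 ... 02.
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    for proto in ("MD5", "SHA"):
        a, p = usm_keys(proto, "maplesyrup", "maplesyrup", RFC3414_ENGINE_ID)
        print(proto, "authKey", a.hex(), "privKey", p.hex())
```

Two practical consequences follow from the derivation: the same password yields a different localized key for every sender engine, so a receiver that serves many devices must learn each engine ID (usually by discovery) before it can verify that device's traps; and because key strength comes entirely from the password, the 64-character limit is the useful bound, not the 8-character minimum.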

Table 17: Sourcefire Defense Center Estreamer Protocol Parameters

Log Source Name: Type a unique name for the log source.
Log Source Description: Optional. Type a description for the log source.
Log Source Type: From the list, select a log source type.
Protocol Configuration: From the list, select Sourcefire Defense Center Estreamer.
Log Source Identifier: Type an IP address, host name, or name to identify the Sourcefire Defense Center event source. IP addresses or host names are suggested because they identify a unique value for the event source.
Server Address: Type the IP address or host name of the Sourcefire Defense Center device.
Server Port: Type the port number that JSA uses to receive Sourcefire Defense Center Estreamer events. The default is
Keystore Filename: Type the directory path and file name for the keystore private key and associated certificate. By default, the import script creates the keystore file in the following directory: /opt/qradar/conf/estreamer.keystore.
Truststore Filename: Type the directory path and file name for the truststore files. The truststore file contains the certificates trusted by the client. By default, the import script creates the truststore file in the following directory: /opt/qradar/conf/estreamer.truststore.
Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.
Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Table 17: Sourcefire Defense Center Estreamer Protocol Parameters (continued)

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events give administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, events are viewed individually and are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Log Source Language: Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.
Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).
Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
  Parsing enhancement: Select this option when most fields parse correctly for the log source.
  Parsing override: Select this option when the log source is unable to correctly parse events.
Groups: Select one or more groups for the log source.

To configure the Sourcefire Defense Center Estreamer protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source. The Juniper Secure Analytics Configuring DSMs Guide provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation
Protocol Configuration Overview on page 20.
Configuring the Syslog Protocol on page 20.

Configuring the JDBC Protocol on page 23.
Configuring the JDBC - SiteProtector Protocol on page 27.
Configuring the Sophos Enterprise Console JDBC Protocol on page 31.
Configuring the Juniper Networks NSM Protocol on page 36.
Configuring the OPSEC/LEA Protocol on page 38.
Configuring the SDEE Protocol on page 41.

Configuring the Log File Protocol

The log file protocol retrieves event files that are stored on remote hosts so that events stored in remote locations can be processed. The log file protocol is intended for systems that write daily event logs. It is not appropriate to use the log file protocol for devices that append information to their event files.

Log files are retrieved one at a time to be processed. The log file protocol can manage plain-text files, compressed files, or file archives. Archives must contain plain-text files that can be processed one line at a time.

When the log file protocol downloads an event file, the information received in the file updates the Log Activity tab. If more information is written to the file after the download is complete, the appended information is not processed.

Table 18: Log File Protocol Parameters

Log Source Name: Type a unique name for the log source.
Log Source Description: Optional. Type a description for the log source.
Log Source Type: From the list, select the type of log source to add.
Protocol Configuration: From the list, select Log File.
Log Source Identifier: Type an IPv4 address or host name to identify the log source that created the events. If the remote source contains multiple devices, such as a file repository, administrators must specify the IP address of the device that created the event. Unique identifiers ensure that events are associated with the correct device in the network, instead of being attributed to the management console or file repository.

Table 18: Log File Protocol Parameters (continued)

Service Type: From the list box, select the protocol to use when retrieving log files from a remote server. The options include:
  SFTP: Secure file transfer protocol
  FTP: File transfer protocol
  SCP: Secure copy protocol
The default is SFTP. The server that is specified in the Remote IP or Hostname field must have the SFTP subsystem enabled to retrieve log files with SCP or SFTP.
Remote IP or Hostname: Type the IP address or host name of the device that contains the event log files.
Remote Port: Type the port that is used to communicate with the remote host. The valid range is
The options include:
  FTP: TCP port 21
  SFTP: TCP port 22
  SCP: TCP port 22
If the remote host uses a non-standard port number, administrators must adjust the port value to retrieve events.
Remote User: Type the user name necessary to log in to the host that contains the event files.
Remote Password: Type the password necessary to log in to the host.
Confirm Password: Confirm the password necessary to log in to the host.
SSH Key File: Type the path to the SSH key, if the system is configured to use key authentication. When an SSH key file is used, the Remote Password field is ignored.
Remote Directory: Type the directory location on the remote host from which the files are retrieved. The directory path is relative to the user account that is used to log in. NOTE: For FTP only. If the log files are in the remote user's home directory, you can leave the remote directory blank. A blank remote directory field supports systems where the change working directory (CWD) command is restricted.
Recursive: Select this check box to enable the file pattern to search sub folders. By default, the check box is clear. This option is ignored for SCP file transfers.
FTP File Pattern: Type the regular expression (regex) required to identify the files to download from the remote host. All files that match the regular expression are included in the download. This field applies to SFTP or FTP file transfers.
SCP Remote File: For SCP file transfers, type the name of the file on the remote host.

Table 18: Log File Protocol Parameters (continued)

FTP Transfer Mode: From the list box, select the transfer mode for the log source:
  Binary: Select this option for log sources that require binary data files or compressed archive files.
  ASCII: Select ASCII for log sources that require an ASCII FTP file transfer. Administrators must select NONE in the Processor field and LINEBYLINE in the Event Generator field for ASCII transfers over FTP.
Start Time: Type the time of day for the log source to start the file import. This parameter functions with the Recurrence value to establish when and how often the Remote Directory is scanned for files.
Recurrence: Type a time interval to determine how frequently the remote directory is scanned for new event log files. The minimum value is 15 minutes. The time interval can include values in hours (H), minutes (M), or days (D). For example, a recurrence of 2H scans the remote directory every 2 hours.
Run On Save: Select this check box to start the log file import immediately after the administrator saves the log source. After the first file import, the log file protocol follows the start time and recurrence schedule that is defined by the administrator. When selected, this check box clears the list of previously downloaded and processed files.
EPS Throttle: Type the number of Events Per Second (EPS) that the protocol cannot exceed. The valid range is
Processor: If the files on the remote host are stored in an archive format, select the processor that is required to uncompress the event log.
Ignore Previously Processed File(s): Select this check box to track files that were processed by the log source. This option prevents duplicate events from files that are processed a second time. This check box applies to FTP and SFTP file transfers.
Change Local Directory?: Select this check box to define the local directory on the Target Event Collector to store event logs before they are processed. Administrators can leave this check box clear for most configurations.
Local Directory: Type the local directory on the Target Event Collector. This option is used with the Change Local Directory field. The directory must exist before the log file protocol attempts to retrieve events.

Table 18: Log File Protocol Parameters (continued)

Event Generator: From the Event Generator list box, select one of the following options:
  LineByLine: Each line of the file is processed as a single event. For example, if a file has 10 lines of text, 10 separate events are created.
  HPTandem: The file is processed as an HPTandem NonStop binary audit log. Each record in the log file (whether primary or secondary) is converted into text and processed as a single event. HPTandem audit logs use the following file name pattern: [aa]\d{7}.
  WebSphere Application Server: Processes event logs for WebSphere Application Server. The remote directory must define the file path that is configured in the DSM.
  W3C: Processes log files from sources that use the W3C format. The header of the log file identifies the order and data that is contained in each line of the file.
  Fair Warning: Processes log files from Fair Warning devices that protect patient identity and medical information. The remote directory must define the file path to the event logs that are generated by the Fair Warning device.
  DPI Subscriber Data: The file is processed as a DPI statistic log produced by a Juniper Networks MX router. The header of the file identifies the order and data that is contained in each line of the file. Each line in the file after the header is formatted as a tab-delimited name=value pair event.
  SAP Audit Logs: Processes files for SAP Audit Logs to keep a record of security-related events in SAP systems. Each line of the file is formatted to be processed.
  Oracle BEA WebLogic: Processes files for Oracle BEA WebLogic application log files. Each line of the file is formatted to be processed.
  Juniper SBR: Processes event log files from Juniper Steel-Belted RADIUS. Each line of the file is formatted to be processed.
  ID-Linked Multiline: Processes multiline event logs that contain a common value at the start of each line in a multiline event message. This option uses regular expressions to identify and reassemble the multiline event into a single event payload.
File Encoding: From the list box, select the character encoding that is used by the events in your log file.
Folder Separator: Type the character that is used to separate folders for your operating system. The default value is /. Most configurations can use the default value in the Folder Separator field. This field is intended for operating systems that use a different character to define separate folders, for example, periods that separate folders on mainframe systems.
Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.
Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events created by a log source. The credibility value assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Table 18: Log File Protocol Parameters (continued)

Target Event Collector: Select the Event Collector to use as the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. This enables administrators to poll and process events on the target event collector instead of the console appliance, which can improve performance in distributed deployments. When an administrator verifies firewall ports between JSA and the remote database, the firewall must allow communication between the target event collector and the remote database.
Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events give administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, the events are displayed individually and the information is not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Log Source Language: Select the language of the events generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.
Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is only available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).
Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
  Parsing enhancement: Select this option when most fields parse correctly for the log source.
  Parsing override: Select this option when the log source is unable to correctly parse events.
Groups: Select one or more groups for the log source.

To configure the log file protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.

4. Configure the parameters for the log source. JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation
  Protocol Configuration Overview on page 20
  Configuring the Syslog Protocol on page 20
  Configuring the JDBC Protocol on page 23
  Configuring the JDBC - SiteProtector Protocol on page 27
  Configuring the Sophos Enterprise Console JDBC Protocol on page 31
  Configuring the Juniper Networks NSM Protocol on page 36
  Configuring the OPSEC/LEA Protocol on page 38

Configuring the Microsoft Security Event Log Protocol

The Microsoft Security Event Log protocol provides remote, agentless Windows event log collection by using the Microsoft Windows Management Instrumentation (WMI) API. The WMI API is a Microsoft technology that is used to communicate and exchange information between operating systems. This API requires that firewall configurations accept incoming external communications on port 135 and on any dynamic ports that are required for DCOM.

The following log source limitations apply when administrators deploy the Microsoft Security Event Log protocol in your environment:

  Systems that exceed 50 events per second (eps) can exceed the capabilities of this protocol. WinCollect can be used for systems that exceed 50 eps.
  A Juniper Secure Analytics (JSA) all-in-one installation can support up to 250 log sources with the Microsoft Security Event Log protocol.
  Dedicated Event Collectors can support up to 500 log sources with the Microsoft Security Event Log protocol.
  The Microsoft Security Event Log protocol is not recommended for remote servers that are accessed over network links with high round-trip delay times, such as satellite or slow WAN networks. Round-trip delay can be confirmed by examining the request and response time of a ping to the server. Network delays that are created by slow connections decrease the EPS throughput available to those remote servers. In addition, event collection from busy servers or Domain Controllers relies on low round-trip delay times to keep up with incoming events. If it is not possible to decrease your network round-trip delay time, administrators can use WinCollect to process Windows events.

The Microsoft Security Event Log protocol supports the following software versions with the Microsoft Windows Management Instrumentation (WMI) API:

  Microsoft Windows 2000
  Microsoft Windows Server 2003
  Microsoft Windows Server 2008 (all versions)
  Microsoft Windows XP
  Microsoft Windows Vista
  Microsoft Windows 7

Table 19: Microsoft Security Event Log Protocol Parameters

Log Source Name
  Type a unique name for the log source.

Log Source Description
  Optional. Type a description for the log source.

Log Source Type
  From the list, select a log source type.

Protocol Configuration
  From the list, select Windows Security Event Log.

Log Source Identifier
  Type the IP address or host name of the Windows host. The log source identifier must be unique for the log source type.

Domain
  Optional. Type the domain that is required for the server.

Username
  Type the user name that is required to access the Windows host.

Password
  Type the password that is required to access the Windows host.

Confirm Password
  Confirm the password that is required to access the server.

Standard Log Types
  Select a check box for each log type to monitor. At least one check box must be selected.
  Security
  System
  Application
  DNS Server
  File Replication Service
  Directory Service

Event Types
  Select a check box for each event type to monitor. At least one check box must be selected.
  Informational
  Warning
  Error
  Success Audit
  Failure Audit

Table 19: Microsoft Security Event Log Protocol Parameters (continued)

Enabled
  Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. This enables administrators to poll and process events on the target event collector instead of the console appliance, which can improve performance in distributed deployments.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, the events are displayed individually and the information is not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source. This parameter is only available after you upload a log source extension to JSA. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:
  Parsing enhancement: Select this option when most fields parse correctly for your log source.
  Parsing override: Select this option when the log source is unable to correctly parse events.

Table 19: Microsoft Security Event Log Protocol Parameters (continued)

Groups
  Select one or more groups for the log source.

To configure the Microsoft Security Event Log protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation
  Protocol Configuration Overview on page 20
  Configuring the Syslog Protocol on page 20
  Configuring the JDBC Protocol on page 23
  Configuring the JDBC - SiteProtector Protocol on page 27
  Configuring the Sophos Enterprise Console JDBC Protocol on page 31
  Configuring the Juniper Networks NSM Protocol on page 36
  Configuring the OPSEC/LEA Protocol on page 38

Configuring the Microsoft Security Event Log Custom Protocol

The Microsoft Security Event Log Custom protocol provides remote, agentless Windows event log collection for customized event logs by using the Microsoft Windows Management Instrumentation (WMI) API. The WMI API is a Microsoft technology that is used to communicate and exchange information between operating systems. This API requires that firewall configurations accept incoming external communications on port 135 and on any dynamic ports that are required for DCOM.

The following log source limitations apply when administrators deploy the Microsoft Security Event Log Custom protocol in your environment:

  Systems that exceed 50 events per second (eps) can exceed the capabilities of this protocol. WinCollect can be used for systems that exceed 50 eps.
  A Juniper Secure Analytics (JSA) all-in-one installation can support up to 250 log sources with the Microsoft Security Event Log Custom protocol.
  Dedicated Event Collectors can support up to 500 log sources with the Microsoft Security Event Log Custom protocol.
  The Microsoft Security Event Log protocol is not recommended for remote servers that are accessed over network links with high round-trip delay times, such as satellite or slow WAN networks. Round-trip delay can be confirmed by examining the request and response time of a ping to the server. Network delays that are created by slow connections decrease the EPS throughput available to those remote servers. In addition, event collection from busy servers or Domain Controllers relies on low round-trip delay times to keep up with incoming events. If it is not possible to decrease your network round-trip delay time, administrators can use WinCollect to process Windows events.

The Microsoft Security Event Log protocol supports the following software versions with the Microsoft Windows Management Instrumentation (WMI) API:

  Microsoft Windows 2000
  Microsoft Windows Server 2003
  Microsoft Windows Server 2008 (all versions)
  Microsoft Windows XP
  Microsoft Windows Vista
  Microsoft Windows 7

Table 20: Microsoft Security Event Log Protocol Parameters

Log Source Name
  Type a unique name for the log source.

Log Source Description
  Optional. Type a description for the log source.

Log Source Type
  From the list, select a log source type.

Protocol Configuration
  From the list, select Windows Security Event Log.

Log Source Identifier
  Type the IP address or host name of the Windows host. The log source identifier must be unique for the log source type.

Domain
  Optional. Type the domain that is required for the server.

Username
  Type the user name that is required to access the Windows host.

Password
  Type the password that is required to access the Windows host.

Confirm Password
  Confirm the password that is required to access the server.

Monitored Event Logs
  Type the name of the custom event log.

Table 20: Microsoft Security Event Log Protocol Parameters (continued)

Event Types
  Select a check box for each event type to monitor. At least one check box must be selected.
  Informational
  Warning
  Error
  Success Audit
  Failure Audit

Enabled
  Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. This option enables administrators to poll and process events on the target event collector instead of the console appliance, which can improve performance in distributed deployments.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source. This parameter is only available after you upload a log source extension to JSA. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:
  Parsing enhancement: Select this option when most fields parse correctly for your log source.
  Parsing override: Select this option when the log source is unable to correctly parse events.

Groups
  Select one or more groups for the log source.

To configure the Microsoft Security Event Log Custom protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation
  Protocol Configuration Overview on page 20
  Configuring the Syslog Protocol on page 20
  Configuring the JDBC Protocol on page 23
  Configuring the JDBC - SiteProtector Protocol on page 27
  Configuring the Sophos Enterprise Console JDBC Protocol on page 31
  Configuring the Juniper Networks NSM Protocol on page 36
  Configuring the OPSEC/LEA Protocol on page 38

Configuring the Microsoft DHCP Protocol

The Microsoft DHCP protocol supports a single connection to a Microsoft DHCP server to remotely collect events. The Microsoft authentication protocol NTLMv2 is not supported by the Microsoft DHCP protocol.

Folder paths that contain an administrative share (C$) require NetBIOS privileges on the administrative share (C$) to read the log files. Local or domain administrators have sufficient privileges to access log files on administrative shares.

Fields for the Microsoft DHCP protocol that support file paths allow administrators to define a drive letter with the path information. For example, the field can contain c$\logfiles\ for an administrative share, or LogFiles\ for a public share folder path, but not c:\logfiles.

Detailed configuration steps for Microsoft DHCP are provided in the Juniper Secure Analytics (JSA).

Table 21: Microsoft DHCP Protocol Parameters

Log Source Name
  Type a unique name for the log source.

Log Source Description
  Optional. Type a description for the log source.

Table 21: Microsoft DHCP Protocol Parameters (continued)

Log Source Type
  From the list, select a log source type.

Protocol Configuration
  From the list, select Microsoft DHCP.

Log Source Identifier
  Type an IP address, host name, or name to identify the Microsoft DHCP server. The log source identifier must be unique for the log source type.

Domain
  Optional. Type the domain that is required to access the Microsoft DHCP server.

Username
  Type the user name that is required to access the Microsoft DHCP server.

Password
  Type the password that is required to access the Microsoft DHCP server.

Confirm Password
  Confirm the password that is required to access the Microsoft DHCP server.

Folder Path
  Type the directory path to access the DHCP log files. The default is \WINDOWS\system32\dhcp\.

File Pattern
  Type the regular expression (regex) to identify and download the event logs. The log files must contain a three-character abbreviation for a day of the week. The available file patterns are:
  IPv4 file pattern: DhcpSrvLog-(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\.log
  IPv6 file pattern: DhcpV6SrvLog-(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\.log
  Mixed IPv4 and IPv6 file pattern: Dhcp.*SrvLog-(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\.log
  All files that match the file pattern are processed.

Recursive
  Select this check box if you want the file pattern to search subfolders. By default, the check box is selected.

Polling Interval (seconds)
  Type the polling interval, which is the number of seconds between queries to the log files to check for new data. The minimum polling interval is 10 seconds, with a maximum polling interval of 3,600 seconds.

Throttle Events/Second
  Type the maximum number of events the DHCP protocol can forward per second. The minimum value is 100 EPS and the maximum value is 20,000 EPS.

Enabled
  Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Table 21: Microsoft DHCP Protocol Parameters (continued)

Credibility
  Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. This option enables administrators to poll and process events on the target event collector instead of the console appliance, which can improve performance in distributed deployments.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, the events are displayed individually and the information is not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source. This parameter is only available after you upload a log source extension to JSA. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:
  Parsing enhancement: Select this option when most fields parse correctly for your log source.
  Parsing override: Select this option when the log source is unable to correctly parse events.

Groups
  Select one or more groups for the log source.
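The Coalescing Events and Store Event Payload parameters in the tables above are easiest to understand on a concrete event stream. The following Python is an added illustration and is not JSA code: it models coalescing as bundling events that share the same key (log source, event name, source address, destination address) and arrive within a fixed window, and shows how the displayed event count and the number of stored payloads change when each check box is toggled. The 10 second window, the key fields and the sample DHCP-style records are constructed for this illustration; the guide does not state JSA's own coalescing key or interval.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample stream: (timestamp in seconds, log source, event name, source IP,
# destination IP, payload). Made-up records for the illustration, not real DHCP output.
SAMPLE_EVENTS = [
    (100.0, "dhcp-srv01", "Assign", "10.0.0.5", "10.0.0.1", "constructed payload: lease granted to host-a"),
    (101.5, "dhcp-srv01", "Assign", "10.0.0.5", "10.0.0.1", "constructed payload: lease granted to host-b"),
    (103.0, "dhcp-srv01", "Assign", "10.0.0.5", "10.0.0.1", "constructed payload: lease granted to host-c"),
    (104.0, "dhcp-srv01", "Release", "10.0.0.5", "10.0.0.1", "constructed payload: lease released by host-a"),
    (115.0, "dhcp-srv01", "Assign", "10.0.0.5", "10.0.0.1", "constructed payload: lease granted to host-d"),
]

# Assumed window for the illustration; the guide gives no figure for JSA's own interval.
COALESCE_WINDOW_SECONDS = 10.0

EventKey = Tuple[str, str, str, str]  # (log source, event name, source IP, destination IP)


@dataclass
class CoalescedEvent:
    key: EventKey
    first_seen: float
    last_seen: float
    count: int = 1
    payloads: List[str] = field(default_factory=list)  # stays empty when Store Event Payload is off


def coalesce(events, store_payload: bool, window: float = COALESCE_WINDOW_SECONDS) -> List[CoalescedEvent]:
    """Bundle events that share a key and arrive within `window` seconds of the bundle's first event.

    A bundle that has aged out stays in the output and a fresh bundle is started for the key,
    so the sum of all bundle counts always equals the number of raw events.
    """
    open_bundles: Dict[EventKey, CoalescedEvent] = {}
    bundles: List[CoalescedEvent] = []
    for ts, source, name, src_ip, dst_ip, payload in sorted(events, key=lambda e: e[0]):
        key: EventKey = (source, name, src_ip, dst_ip)
        bundle = open_bundles.get(key)
        if bundle is not None and ts - bundle.first_seen <= window:
            bundle.count += 1
            bundle.last_seen = ts
            if store_payload:
                bundle.payloads.append(payload)
            continue
        bundle = CoalescedEvent(key, ts, ts, 1, [payload] if store_payload else [])
        open_bundles[key] = bundle
        bundles.append(bundle)
    return bundles


def log_activity_rows(events, coalescing: bool, store_payload: bool) -> List[Tuple[str, int, int]]:
    """Rows as a Log Activity style view would show them: (event name, event count, stored payloads)."""
    if not coalescing:
        ordered = sorted(events, key=lambda e: e[0])
        return [(e[2], 1, 1 if store_payload else 0) for e in ordered]
    return [(b.key[1], b.count, len(b.payloads)) for b in coalesce(events, store_payload)]


if __name__ == "__main__":
    for coalescing in (False, True):
        print(f"coalescing={coalescing}")
        for name, count, stored in log_activity_rows(SAMPLE_EVENTS, coalescing, store_payload=True):
            print(f"  {name:<8} count={count} stored_payloads={stored}")
```

With coalescing on, the three Assign events inside the first window become one row with a count of 3, the Release event stays on its own, and the Assign event at 115 seconds starts a new bundle because the first one has aged out; with coalescing off, the same five events appear as five rows. Clearing Store Event Payload leaves the counts unchanged but keeps no payload text, which is why both settings matter for later forensics.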

To configure the Microsoft DHCP protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation
  Protocol Configuration Overview on page 20
  Configuring the Syslog Protocol on page 20
  Configuring the JDBC Protocol on page 23
  Configuring the JDBC - SiteProtector Protocol on page 27
  Configuring the Sophos Enterprise Console JDBC Protocol on page 31
  Configuring the Juniper Networks NSM Protocol on page 36
  Configuring the OPSEC/LEA Protocol on page 38

Configuring the Microsoft Exchange Protocol

The Microsoft Windows Exchange protocol supports SMTP, OWA, and message tracking logs for Microsoft Exchange 2007 and 2010. The Microsoft Exchange protocol does not support Microsoft Exchange 2003 or the Microsoft authentication protocol NTLMv2 Session.

Folder paths that contain an administrative share (C$) require NetBIOS privileges on the administrative share (C$) to read the log files. Local or domain administrators have sufficient privileges to access log files on administrative shares.

Fields for the Microsoft Exchange protocol that support file paths allow administrators to define a drive letter with the path information. For example, the field can contain c$\logfiles\ for an administrative share, or LogFiles\ for a public share folder path, but not c:\logfiles.

Detailed configuration steps for Microsoft Exchange are provided in the Juniper Secure Analytics (JSA).

Table 22: Microsoft Exchange Protocol Parameters

Log Source Name
  Type a unique name for the log source.

Log Source Description
  Optional. Type a description for the log source.

Table 22: Microsoft Exchange Protocol Parameters (continued)

Log Source Type
  From the list, select a log source type.

Protocol Configuration
  From the list, select Microsoft Exchange.

Log Source Identifier
  Type an IP address, host name, or name to identify the Windows Exchange event source. The log source identifier must be unique for the log source type.

Domain
  Optional. Type the domain that is required to access the Microsoft Exchange server.

Username
  Type the user name that is required to access the Microsoft Exchange server.

Password
  Type the password that is required to access the Microsoft Exchange server.

Confirm Password
  Confirm the password that is required to access the Microsoft Exchange server.

SMTP Log Folder Path
  Type the directory path to access the SMTP log files. The default is Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\. When the folder path is clear, SMTP event collection is disabled.

OWA Log Folder Path
  Type the directory path to access the OWA log files. The default is Windows\system32\LogFiles\W3SVC1. When the folder path is clear, OWA event collection is disabled.

MSGTRK Log Folder Path
  Type the directory path to access the message tracking log files. The default is Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking\. Message tracking is available on Microsoft Exchange 2007 or 2010 servers that are assigned the Hub Transport, Mailbox, or Edge Transport server role.

File Pattern
  Type the regular expression (regex) to identify and download the event logs. The default is .*\.(?:log|LOG). All files that match the regex pattern are processed.

Force File Read
  Select this check box to force the protocol to read the log file. By default, the check box is selected. If the check box is clear, the log file is read only when JSA detects a change in the modified time or file size.

Recursive
  Select this check box if you want the file pattern to search subfolders. By default, the check box is selected.

Polling Interval (seconds)
  Type the polling interval, which is the number of seconds between queries to the log files to check for new data. The minimum polling interval is 10 seconds, with a maximum polling interval of 3,600 seconds.

Table 22: Microsoft Exchange Protocol Parameters (continued)

Throttle Events/Second
  Type the maximum number of events the Exchange protocol can forward per second. The minimum value is 100 EPS and the maximum value is 20,000 EPS.

Enabled
  Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
  Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. This enables administrators to poll and process events on the target event collector instead of the console appliance, which can improve performance in distributed deployments.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, the events are displayed individually and the information is not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source. This parameter is only available after you upload a log source extension to JSA. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).

Table 22: Microsoft Exchange Protocol Parameters (continued)

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:
  Parsing enhancement: Select this option when most fields parse correctly for your log source.
  Parsing override: Select this option when the log source is unable to correctly parse events.

Groups
  Select one or more groups for the log source.

To configure the Microsoft Windows Exchange protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation
  Protocol Configuration Overview on page 20
  Configuring the Syslog Protocol on page 20
  Configuring the JDBC Protocol on page 23
  Configuring the JDBC - SiteProtector Protocol on page 27
  Configuring the Sophos Enterprise Console JDBC Protocol on page 31
  Configuring the Juniper Networks NSM Protocol on page 36
  Configuring the OPSEC/LEA Protocol on page 38

Configuring the Microsoft IIS Protocol

The Microsoft IIS protocol supports a single point of collection for W3C format log files that are located on a Microsoft IIS web server. The Microsoft authentication protocol NTLMv2 is not supported by the Microsoft IIS protocol.

Folder paths that contain an administrative share (C$) require NetBIOS privileges on the administrative share (C$) to read the log files. Local or domain administrators have sufficient privileges to access log files on administrative shares.

Fields for the Microsoft IIS protocol that support file paths allow administrators to define a drive letter with the path information. For example, the field can contain c$\logfiles\ for an administrative share, or LogFiles\ for a public share folder path, but not c:\logfiles.
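The folder-path rule that the Microsoft DHCP, Microsoft Exchange and Microsoft IIS sections share, together with the numeric limits in their parameter tables, is easy to get wrong when many log sources are created at once. The following Python check is an added example, not part of JSA: it validates a parameter set against exactly the constraints this guide states (an administrative share such as c$\logfiles\ or a share-relative path such as LogFiles\ is accepted, a local drive letter such as c:\logfiles is not; polling interval 10 to 3,600 seconds; throttle 100 to 20,000 EPS; credibility 0 to 10) and warns when an administrative share is used, because that path needs an account with NetBIOS privileges on the share. The function names and the dictionary keys (folder_path, polling_interval, throttle_eps, credibility and the three Exchange path keys) belong to this example and are not JSA parameter names.

```python
import re
from typing import Dict, List, Tuple

# Constraints as stated in the Microsoft DHCP, Exchange and IIS protocol tables.
POLLING_INTERVAL_RANGE = (10, 3600)   # seconds
THROTTLE_EPS_RANGE = (100, 20000)     # events per second
CREDIBILITY_RANGE = (0, 10)

# Path shapes: an administrative share such as c$\logfiles\, or a local drive such as c:\logfiles.
ADMIN_SHARE_PATH = re.compile(r"^[A-Za-z]\$(\\.*)?$")
LOCAL_DRIVE_PATH = re.compile(r"^[A-Za-z]:")

# Dictionary keys used by this example (hypothetical; not JSA parameter names).
PATH_KEYS = ("folder_path", "smtp_log_folder_path", "owa_log_folder_path", "msgtrk_log_folder_path")


def classify_folder_path(path: str) -> str:
    """Return 'empty', 'admin-share', 'share-relative' or 'invalid' for a folder path field."""
    if path == "":
        return "empty"  # for the Exchange protocol, a clear path disables that log type
    if LOCAL_DRIVE_PATH.match(path):
        return "invalid"  # c:\... is a local drive letter, which the guide says is not accepted
    if ADMIN_SHARE_PATH.match(path):
        return "admin-share"
    return "share-relative"  # e.g. LogFiles\ or \WINDOWS\system32\dhcp\ under a public share


def validate_share_protocol_params(params: Dict[str, object]) -> Tuple[List[str], List[str]]:
    """Check a parameter set against the documented constraints.

    Returns (errors, warnings). Errors are values the guide says are not accepted or are out of
    range; warnings flag choices that work but need attention, such as administrative share
    paths, which require an account with NetBIOS privileges on that share.
    """
    errors: List[str] = []
    warnings: List[str] = []

    for key in PATH_KEYS:
        if key not in params:
            continue
        kind = classify_folder_path(str(params[key]))
        if kind == "invalid":
            errors.append(f"{key}: use an administrative share (c$\\...) or a share-relative path, not a drive letter")
        elif kind == "admin-share":
            warnings.append(f"{key}: administrative share path; the account needs NetBIOS privileges on the share")

    def check_range(key: str, lo: int, hi: int) -> None:
        if key not in params:
            return
        try:
            value = int(str(params[key]))
        except ValueError:
            errors.append(f"{key}: must be an integer")
            return
        if not lo <= value <= hi:
            errors.append(f"{key}: {value} is outside the allowed range {lo}-{hi}")

    check_range("polling_interval", *POLLING_INTERVAL_RANGE)
    check_range("throttle_eps", *THROTTLE_EPS_RANGE)
    check_range("credibility", *CREDIBILITY_RANGE)
    return errors, warnings


if __name__ == "__main__":
    # Constructed parameter set with two mistakes: a drive letter path and a polling interval below 10 seconds.
    sample = {"folder_path": "c:\\logfiles", "polling_interval": 5, "throttle_eps": 500, "credibility": 5}
    found_errors, found_warnings = validate_share_protocol_params(sample)
    for line in found_errors:
        print("error:", line)
    for line in found_warnings:
        print("warning:", line)
```

The administrative-share warning is deliberate: the guide notes that local or domain administrators have the privileges such a path needs, so a log source built on c$ implies a highly privileged credential stored in JSA, and a public share path with a read-only account is the less exposed choice where the logs allow it.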

Detailed configuration steps for Microsoft IIS are provided in the Juniper Secure Analytics (JSA).

Table 23: Microsoft IIS Protocol Parameters

Log Source Name
  Type a unique name for the log source.

Log Source Description
  Optional. Type a description for the log source.

Log Source Type
  From the list, select a log source type.

Protocol Configuration
  From the list, select Microsoft IIS.

Log Source Identifier
  Type an IP address, host name, or name to identify the Microsoft IIS server. The log source identifier must be unique for the log source type.

Domain
  Optional. Type the domain that is required to access the Microsoft IIS server.

Username
  Type the user name that is required to access the Microsoft IIS server.

Password
  Type the password that is required to access the Microsoft IIS server.

Confirm Password
  Confirm the password that is required to access the Microsoft IIS server.

Folder Path
  Type the directory path to access the IIS log files. The default is \WINDOWS\system32\LogFiles\W3SVC1\.

File Pattern
  Type the regular expression (regex) to identify and download the event logs. The default file pattern is (?:u_)?ex.*\.(?:log|LOG). All files that match the file pattern are processed.

Recursive
  Select this check box if you want the file pattern to search subfolders. By default, the check box is selected.

Polling Interval (seconds)
  Type the polling interval, which is the number of seconds between queries to the log files to check for new data. The minimum polling interval is 10 seconds, with a maximum polling interval of 3,600 seconds.

Throttle Events/Second
  Type the maximum number of events the IIS protocol can forward per second. The minimum value is 100 EPS and the maximum value is 20,000 EPS.

Enabled
  Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source does not count against the log source limit in the license.

Table 23: Microsoft IIS Protocol Parameters (continued)

Credibility
  Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events created by a log source. The credibility value assigned to a log source can increase or decrease based on incoming events or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
  Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on that collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Coalescing Events
  Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, events are viewed individually and are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
  Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
  Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
  Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
  From the list box, select the use condition for the log source extension. The options include:
  Parsing enhancement: Select this option when most fields parse correctly for the log source.
  Parsing override: Select this option when the log source is unable to correctly parse events.

Groups
  Select one or more groups for the log source.

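The file-collection fields in Table 23 (Folder Path, File Pattern, Recursive, Polling Interval, Throttle Events/Second) recur unchanged for the SMB Tail and Oracle Database Listener protocols later in this chapter, with SMB Tail adding Force File Read. The following Python script is an added editorial example, not JSA code or Juniper's implementation: it emulates how such a poller selects files with the default IIS pattern, parses the W3C "#Fields:" header so each request line becomes an event, returns only lines appended since the previous poll, honours the EPS budget for one polling cycle, and (the SMB Tail case with Force File Read clear) skips files whose size and modification time have not changed. The directory names, the log content, the FilePoller class and the offset and throttle model are all constructed assumptions; only the limits and the default pattern come from the table.

```python
"""Emulation of the file-based collection fields shared by the Microsoft IIS, SMB Tail
and Oracle Database Listener protocols. Editorial example, not JSA code; the offset
and throttle model is an assumption about how the product behaves."""
import os
import re
import tempfile

# Default IIS file pattern from Table 23 (the "|" between log and LOG is essential).
IIS_FILE_PATTERN = r"(?:u_)?ex.*\.(?:log|LOG)"

# Constructed sample data: W3C logs for two IIS sites plus a file the pattern must ignore.
SAMPLE_FILES = {
    "W3SVC1/u_ex240101.log": (
        "#Software: Microsoft Internet Information Services 8.5\n"
        "#Fields: date time c-ip cs-method cs-uri-stem sc-status\n"
        "2024-01-01 00:00:01 198.51.100.7 GET /login.aspx 200\n"
        "2024-01-01 00:00:02 198.51.100.7 POST /login.aspx 401\n"
    ),
    "W3SVC1/u_ex240102.LOG": (
        "#Fields: date time c-ip cs-method cs-uri-stem sc-status\n"
        "2024-01-02 00:00:01 203.0.113.9 GET /../../windows/win.ini 404\n"
    ),
    "W3SVC1/error.log": "not an IIS access log; must not match the file pattern\n",
    "W3SVC2/u_ex240101.log": (
        "#Fields: date time c-ip cs-method cs-uri-stem sc-status\n"
        "2024-01-01 00:00:05 192.0.2.4 GET /index.htm 200\n"
    ),
}


def build_sample_tree():
    """Write the constructed sample files under a fresh temporary folder; return its path."""
    root = tempfile.mkdtemp(prefix="LogFiles-")
    for rel, text in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8", newline="") as f:
            f.write(text)
    return root


def append_events(root, rel, count):
    """Append `count` synthetic W3C request lines to a sample file (constructed data)."""
    with open(os.path.join(root, rel), "a", encoding="utf-8", newline="") as f:
        for i in range(count):
            f.write(f"2024-01-03 00:00:{i % 60:02d} 192.0.2.10 GET /page{i}.htm 200\n")


class FilePoller:
    """One log source's file-polling state, with the limits that Table 23 gives."""

    def __init__(self, folder_path, file_pattern, recursive=True,
                 polling_interval=10, throttle_eps=100, force_file_read=True):
        if not 10 <= polling_interval <= 3600:
            raise ValueError("Polling Interval must be 10..3600 seconds")
        if not 100 <= throttle_eps <= 20000:
            raise ValueError("Throttle Events/Second must be 100..20,000 EPS")
        self.folder_path = folder_path
        self.regex = re.compile(file_pattern)  # assumption: matched against the file name only
        self.recursive = recursive
        self.budget = polling_interval * throttle_eps  # events one polling cycle may forward
        self.force_file_read = force_file_read
        self.offsets = {}      # path -> bytes already consumed
        self.signatures = {}   # path -> (mtime_ns, size) of a file that was fully consumed
        self.fields = {}       # path -> column names from the latest "#Fields:" header
        self.files_opened = 0  # lets a caller see whether unchanged files were re-read

    def matching_files(self):
        """Files whose name matches File Pattern; Recursive controls descent into subfolders."""
        for dirpath, dirnames, filenames in os.walk(self.folder_path):
            dirnames.sort()                      # deterministic order
            if not self.recursive:
                dirnames[:] = []                 # prune: do not descend
            for name in sorted(filenames):
                if self.regex.fullmatch(name):
                    yield os.path.join(dirpath, name)

    def poll(self):
        """One polling cycle: parse newly appended complete lines, at most `budget` events."""
        events = []
        for path in self.matching_files():
            st = os.stat(path)
            signature = (st.st_mtime_ns, st.st_size)
            if not self.force_file_read and self.signatures.get(path) == signature:
                continue                         # Force File Read clear: unchanged file is skipped
            offset = self.offsets.get(path, 0)
            if st.st_size < offset:
                offset = 0                       # file rotated or truncated: start over
            with open(path, "rb") as f:
                f.seek(offset)
                chunk = f.read()
            self.files_opened += 1
            exhausted = True
            for raw in chunk.split(b"\n")[:-1]:  # last piece is partial or empty: leave it
                if len(events) >= self.budget:
                    exhausted = False            # throttled: the rest waits for the next poll
                    break
                offset += len(raw) + 1
                line = raw.decode("utf-8", "replace").rstrip("\r")
                if line.startswith("#Fields:"):
                    self.fields[path] = line.split()[1:]
                elif line and not line.startswith("#") and path in self.fields:
                    event = dict(zip(self.fields[path], line.split()))
                    event["file"] = os.path.basename(path)
                    events.append(event)
            self.offsets[path] = offset
            if exhausted:                        # only a fully read file may be skipped later
                self.signatures[path] = signature
        return events
```

With the table's minimum values (10 seconds, 100 EPS) a single poll can forward at most 1,000 events, so a burst larger than that is spread over several polling intervals; the script keeps the unread bytes at their offset rather than dropping them, and deliberately does not record a "fully read" signature for a throttled file so that an SMB Tail source with Force File Read clear still returns to it on the next poll.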
To configure the Microsoft IIS protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation
Protocol Configuration Overview on page 20.
Configuring the Syslog Protocol on page 20.
Configuring the JDBC Protocol on page 23.
Configuring the JDBC - SiteProtector Protocol on page 27.
Configuring the Sophos Enterprise Console JDBC Protocol on page 31.
Configuring the Juniper Networks NSM Protocol on page 36.
Configuring the OPSEC/LEA Protocol on page 38.

Configuring the SMB Tail Protocol

The SMB Tail protocol enables administrators to remotely watch an event log file in a directory on a Samba (SMB) share, detect when new lines are appended to it, and retrieve those lines as events.

Table 24: SMB Tail Protocol Parameters

Log Source Name: Type a unique name for the log source.
Log Source Description: Optional. Type a description for the log source.
Log Source Type: From the list, select a log source type.
Protocol Configuration: From the list, select SMB Tail.
Log Source Identifier: Type an IP address, host name, or name that identifies the SMB Tail event source. IP addresses or host names are recommended because they identify a unique value for the event source.
Server Address: Type the IP address or host name of the Samba server.
Domain: Optional. Type the domain that is required for the SMB (Samba) server.
Username: Type the user name that is required to access the remote server.
Password: Type the password that is required to access the remote server.
Confirm Password: Confirm the password that is required to access the remote server.
Log Folder Path: Type the share and directory path to the log files. For example, administrators can use c$\logfiles\ on the administrative share or LogFiles\ on a public share. A local drive path such as c:\logfiles is not a supported log folder path. If the log folder path uses the administrative share (C$), users with NetBIOS access to C$ have the privileges required to read the log files; local system or domain administrator privileges are also sufficient to read log files that reside on an administrative share. When C$ is used, the credential that JSA stores for this log source must therefore be able to open the administrative share, which is typically an administrator account; a dedicated share that exposes only the log directory with read-only permissions keeps the polling account at the least privilege the collection needs.
File Pattern: Type the regular expression (regex) that identifies the event log files to download. All matching files are processed.
Force File Read: Select this check box to force the protocol to read the log file on every poll. By default, the check box is selected. If the check box is clear, the log file is read only when JSA detects a change in its modified time or file size.
Recursive: Select this check box if you want the file pattern search to include subfolders. By default, the check box is selected.
Polling Interval (seconds): Type the polling interval, which is the number of seconds between queries to the log files to check for new data. The minimum polling interval is 10 seconds and the maximum is 3,600 seconds.
Throttle Events/Second: Type the maximum number of events that the SMB Tail protocol forwards per second. The minimum value is 100 EPS and the maximum value is 20,000 EPS.
Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and is not counted against the license limit.
Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest); the default is 5. Credibility represents the integrity or validity of the events that a log source creates. The value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from a log source contributes to the calculation of offense magnitude and can increase or decrease the magnitude of an offense.

Table 24: SMB Tail Protocol Parameters (continued)

Target Event Collector: Select the Event Collector to use as the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. Administrators can poll and process events on the target event collector instead of the console appliance, which can improve performance in distributed deployments. When an administrator verifies firewall ports between JSA and the remote SMB server, the firewall must allow communication between the target event collector (not only the console) and that server.
Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing increases the event count when the same event occurs multiple times within a short time interval, which lets administrators see on the Log Activity tab how frequently a single event type occurs. When this check box is clear, events are displayed individually and are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab; administrators can use this check box to override that system setting for an individual log source.
Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab; administrators can use this check box to override that system setting for an individual log source.
Log Source Language: Select the language of the events that the log source generates. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.
Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is available only after you upload a log source extension to JSA. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns that a device support module (DSM) defines.
Extension Use Condition: From the list box, select the use condition for the log source extension. Select Parsing enhancement when most fields already parse correctly for your log source, or Parsing override when the log source is unable to parse events correctly.
Groups: Select one or more groups for the log source.

To configure the SMB Tail protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation
Protocol Configuration Overview on page 20.
Configuring the Syslog Protocol on page 20.
Configuring the JDBC Protocol on page 23.
Configuring the JDBC - SiteProtector Protocol on page 27.
Configuring the Sophos Enterprise Console JDBC Protocol on page 31.
Configuring the Juniper Networks NSM Protocol on page 36.
Configuring the OPSEC/LEA Protocol on page 38.

Configuring the EMC VMware Protocol

The EMC VMware protocol enables a log source to receive event data from the VMware web service for virtual environments. Table 25 on page 77 describes the parameters of the EMC VMware protocol.

Table 25: EMC VMware Protocol Parameters

Log Source Name: Type a unique name for the log source.
Log Source Description: Optional. Type a description for the log source.
Log Source Type: From the list, select the type of log source to add.
Protocol Configuration: From the list, select EMC VMware.
Log Source Identifier: Type the IP address or host name for the log source. The value of this parameter must match the VMware IP.
VMware IP: Type the IP address of the VMware ESXi server. The VMware protocol prefixes the IP address with HTTPS before it requests event data, so the ESXi web service must be reachable from the target event collector over HTTPS.
User Name: Type the user name that is required to access the VMware server. To keep the polling account at least privilege, create a user on the VMware server with read-only permission and use that account with the VMware protocol.
Password: Type the password that is required to remotely access the VMware server.

Table 25: EMC VMware Protocol Parameters (continued)

Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and does not count against the log source limit in the license.
Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest); the default is 5. Credibility represents the integrity or validity of the events that a log source creates. The value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from a log source contributes to the calculation of offense magnitude and can increase or decrease the magnitude of an offense.
Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. Administrators can poll and process events on the target event collector instead of the console appliance; distributing events across target event collectors can improve performance in distributed deployments.
Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing increases the event count when the same event occurs multiple times within a short time interval, which lets administrators see on the Log Activity tab how frequently a single event type occurs. When this check box is clear, events are displayed individually and are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab; administrators can use this check box to override that system setting for an individual log source.
Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab; administrators can use this check box to override that system setting for an individual log source.
Log Source Language: Select the language of the events that the log source generates. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.
Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is available only after you upload a log source extension to JSA. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns that a device support module (DSM) defines.
Extension Use Condition: From the list box, select the use condition for the log source extension. Select Parsing enhancement when most fields already parse correctly for your log source, or Parsing override when the log source is unable to parse events correctly.
Groups: Select one or more groups for the log source.

To configure the EMC VMware protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source. JSA provides step-by-step instructions for configuring each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation
Protocol Configuration Overview on page 20.
Configuring the Syslog Protocol on page 20.
Configuring the JDBC Protocol on page 23.
Configuring the JDBC - SiteProtector Protocol on page 27.
Configuring the Sophos Enterprise Console JDBC Protocol on page 31.
Configuring the Juniper Networks NSM Protocol on page 36.
Configuring the OPSEC/LEA Protocol on page 38.
Configuring the SDEE Protocol on page 41.

Configuring the Oracle Database Listener Protocol

The Oracle Database Listener protocol enables administrators to remotely collect the log files that an Oracle database server generates. Before you configure the Oracle Database Listener protocol to monitor log files, you must obtain the directory path to the Oracle database log files. Detailed configuration steps for Oracle are provided in the Juniper Secure Analytics (JSA).

Table 26: Oracle Database Listener Protocol Parameters

Log Source Name: Type a unique name for the log source.
Log Source Description: Optional. Type a description for the log source.
Log Source Type: From the list, select a log source type.
Protocol Configuration: From the list, select Oracle Database Listener.
Log Source Identifier: Type an IP address, host name, or name that identifies the Oracle database server. The log source identifier must be unique for the log source type.

Table 26: Oracle Database Listener Protocol Parameters (continued)

Domain: Optional. Type the domain that is required to access the Oracle database server.
Username: Type the user name that is required to access the Oracle database server.
Password: Type the password that is required to access the Oracle database server.
Confirm Password: Confirm the password that is required to access the Oracle database server.
Log Folder Path: Type the directory path to the Oracle database log files.
File Pattern: Type the regular expression (regex) that identifies the event log files to download. The default file pattern is listener\.log. All files that match the file pattern are processed.
Recursive: Select this check box if you want the file pattern search to include subfolders. By default, the check box is selected.
Polling Interval (seconds): Type the polling interval, which is the number of seconds between queries to the log files to check for new data. The minimum polling interval is 10 seconds and the maximum is 3,600 seconds.
Throttle Events/Second: Type the maximum number of events that the protocol forwards per second. The minimum value is 100 EPS and the maximum value is 20,000 EPS.
Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and is not counted against the license limit.
Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest); the default is 5. Credibility represents the integrity or validity of the events that a log source creates. The value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from a log source contributes to the calculation of offense magnitude and can increase or decrease the magnitude of an offense.
Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. Administrators can poll and process events on the target event collector instead of the console appliance, which can improve performance in distributed deployments.

Table 26: Oracle Database Listener Protocol Parameters (continued)

Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing increases the event count when the same event occurs multiple times within a short time interval, which lets administrators see on the Log Activity tab how frequently a single event type occurs. When this check box is clear, events are displayed individually and are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab; administrators can use this check box to override that system setting for an individual log source.
Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab; administrators can use this check box to override that system setting for an individual log source.
Log Source Language: Select the language of the events that the log source generates. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.
Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is available only after a log source extension is uploaded to JSA. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns that a device support module (DSM) defines.
Extension Use Condition: From the list box, select the use condition for the log source extension. Select Parsing enhancement when most fields already parse correctly for your log source, or Parsing override when the log source is unable to parse events correctly.
Groups: Select one or more groups for the log source.

To configure the Oracle Database Listener protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation
Protocol Configuration Overview on page 20.
Configuring the Syslog Protocol on page 20.
Configuring the JDBC Protocol on page 23.
Configuring the JDBC - SiteProtector Protocol on page 27.
Configuring the Sophos Enterprise Console JDBC Protocol on page 31.
Configuring the Juniper Networks NSM Protocol on page 36.
Configuring the OPSEC/LEA Protocol on page 38.

Configuring the Cisco NSEL Protocol

The Cisco Network Security Event Logging (NSEL) protocol enables Juniper Secure Analytics (JSA) to monitor NetFlow packet flows from a Cisco Adaptive Security Appliance (ASA). To integrate a Cisco ASA that uses NetFlow with JSA, you must manually create a log source to receive the NetFlow events: JSA does not automatically discover or create log sources for events that a Cisco ASA sends by using NetFlow and NSEL. For more information, see the JSA. Table 27 on page 82 describes the parameters of the Cisco NSEL protocol.

Table 27: Cisco NSEL Protocol Parameters

Log Source Name: Type a unique name for the log source.
Log Source Description: Optional. Type a description for the log source.
Log Source Type: From the list, select the type of log source to add.
Protocol Configuration: From the list, select Cisco NSEL.
Log Source Identifier: Type an IPv4 address or host name that identifies the log source that created the events. If the network contains devices that are attached to a management console, administrators can specify the IP address of the individual device that created the event. A unique identifier for each device, such as an IP address, prevents event searches from identifying the management console as the source of all the events.
Collector Port: Type the UDP port number that the Cisco ASA uses to forward NSEL events. JSA uses port 2055 for flow data on QFlow Collectors, so administrators must assign a different UDP port on the Cisco Adaptive Security Appliance for NetFlow with NSEL.
Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and is not counted against the license limit.

Table 27: Cisco NSEL Protocol Parameters (continued)

Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest); the default is 5. Credibility represents the integrity or validity of the events that a log source creates. The value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from a log source contributes to the calculation of offense magnitude and can increase or decrease the magnitude of an offense.
Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. Administrators can poll and process events on the target event collector instead of the console appliance; distributing events across target event collectors can improve performance in distributed deployments.
Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing increases the event count when the same event occurs multiple times within a short time interval, which lets administrators see on the Log Activity tab how frequently a single event type occurs. When this check box is clear, events are displayed individually and are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab; administrators can use this check box to override that system setting for an individual log source.
Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab; administrators can use this check box to override that system setting for an individual log source.
Log Source Language: Select the language of the events that the log source generates. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.
Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is available only after a log source extension is uploaded to JSA. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns that a device support module (DSM) defines.
Extension Use Condition: From the list box, select the use condition for the log source extension. Select Parsing enhancement when most fields already parse correctly for your log source, or Parsing override when the log source is unable to parse events correctly.
Groups: Select one or more groups for the log source.

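Two details of Table 27 cause most NSEL deployments to produce no events at first: the Collector Port must not collide with the QFlow port, and NSEL is carried in NetFlow v9, so a collector can decode data records only after it has received the matching template from the ASA. The following Python script is an added editorial example, not JSA or Cisco code: it validates the port and decodes two constructed datagrams, a template flowset and a data flowset, showing that data that arrives before its template is skipped rather than mis-parsed. The field-type numbers are the NetFlow v9 and Cisco NSEL assignments (4 protocol, 7 and 11 ports, 8 and 12 IPv4 addresses, 233 NF_F_FW_EVENT); the event-code names in FW_EVENT, the single source ID and the packet contents are assumptions, and a real ASA template carries many more fields.

```python
"""Decodes constructed Cisco ASA NSEL (NetFlow v9) datagrams and checks the
Collector Port against the QFlow port. Editorial example, not JSA code."""
import struct

QFLOW_PORT = 2055  # JSA uses 2055 for QFlow flow data; NSEL must use another UDP port

# NetFlow v9 / NSEL field types used here (an assumed subset of a real ASA template).
FIELD_NAMES = {4: "protocol", 7: "src_port", 8: "src_ip", 11: "dst_port", 12: "dst_ip",
               233: "fw_event"}
# NF_F_FW_EVENT values (assumption, following Cisco's NSEL documentation as recalled).
FW_EVENT = {0: "ignore", 1: "flow-created", 2: "flow-deleted", 3: "flow-denied",
            5: "flow-updated"}


def check_collector_port(port):
    """Validate the log source's Collector Port: a UDP port that is not QFlow's 2055."""
    if not 1 <= port <= 65535:
        raise ValueError("Collector Port must be a UDP port number")
    if port == QFLOW_PORT:
        raise ValueError("port 2055 is used by JSA QFlow Collectors; choose another port")
    return port


def _decode(ftype, raw):
    """Turn one field's raw bytes into a value: dotted IPv4, event name, or integer."""
    if ftype in (8, 12):
        return ".".join(str(b) for b in raw)
    value = int.from_bytes(raw, "big")
    return FW_EVENT.get(value, f"unknown({value})") if ftype == 233 else value


def parse_nsel_packet(data, templates=None):
    """Parse one NetFlow v9 datagram.

    Returns (templates, records, skipped): the templates known after this packet,
    keyed by (source_id, template_id); the decoded data records; and the number
    of data flowsets that were skipped because their template is not known yet.
    """
    templates = dict(templates or {})
    records, skipped = [], 0
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", data[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    off = 20
    while off + 4 <= len(data):
        set_id, length = struct.unpack("!HH", data[off:off + 4])
        if length < 4 or off + length > len(data):
            raise ValueError("malformed flowset length")
        body = data[off + 4:off + length]
        if set_id == 0:                                    # template flowset
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if pos + 4 * nfields > len(body):
                    raise ValueError("truncated template")
                spec = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                        for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = spec
        elif set_id >= 256:                                # data flowset
            spec = templates.get((source_id, set_id))
            if spec is None:
                skipped += 1                               # template not received yet
            else:
                rec_len = sum(flen for _, flen in spec)
                pos = 0
                while pos + rec_len <= len(body):          # trailing bytes < rec_len are padding
                    rec = {}
                    for ftype, flen in spec:
                        name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                        rec[name] = _decode(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        off += length
    return templates, records, skipped


def _ip(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_sample_datagrams():
    """Constructed exporter output: a template datagram and a data datagram (source ID 1)."""
    def header(count, seq):
        return struct.pack("!HHIIII", 9, count, 123456, 1704067200, seq, 1)
    spec = [(233, 1), (8, 4), (12, 4), (7, 2), (11, 2), (4, 1)]
    template = struct.pack("!HH", 256, len(spec)) + b"".join(struct.pack("!HH", t, l) for t, l in spec)
    template_set = struct.pack("!HH", 0, 4 + len(template)) + template
    denied = bytes([3]) + _ip("203.0.113.9") + _ip("192.0.2.10") + struct.pack("!HHB", 51515, 22, 6)
    created = bytes([1]) + _ip("198.51.100.7") + _ip("192.0.2.10") + struct.pack("!HHB", 40000, 443, 6)
    data_set = struct.pack("!HH", 256, 4 + len(denied) + len(created)) + denied + created
    return header(1, 1) + template_set, header(2, 2) + data_set
```

Templates are keyed by the exporter's source ID as well as the template ID, because two ASA contexts or two appliances behind one log source can legitimately reuse template ID 256 with different layouts; a collector that keys on template ID alone will decode one of them wrongly.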
To configure the Cisco NSEL protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source. JSA provides step-by-step instructions for configuring each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation
Protocol Configuration Overview on page 20.
Configuring the TCP Multiline Syslog Protocol on page 97.
Configuring the VMware vCloud Director Protocol on page 100.
Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 102.

Configuring the PCAP Syslog Combination Protocol

The PCAP Syslog Combination protocol enables events to be collected from Juniper Networks SRX Series appliances that forward packet capture (PCAP) data. Administrators must determine the outgoing PCAP port that is configured on the Juniper Networks SRX Series appliance before the log source can be configured. PCAP data cannot be forwarded to port 514. Detailed configuration steps are provided in the Juniper Secure Analytics (JSA).

Table 28: PCAP Syslog Combination Protocol Parameters

Log Source Name: Type a unique name for the log source.
Log Source Description: Optional. Type a description for the log source.
Log Source Type: From the list, select a log source type.
Protocol Configuration: From the list, select PCAP Syslog Combination.
Log Source Identifier: Type an IP address, host name, or name that identifies the Juniper Networks SRX Series appliance. The log source identifier must be unique for the log source type.

Table 28: PCAP Syslog Combination Protocol Parameters (continued)

Incoming PCAP Port: Type the port number on which JSA receives the PCAP data that the Juniper Networks SRX Series appliance forwards. The value must match the outgoing PCAP UDP port that is configured on the SRX Series appliance, and it cannot be 514. If the outgoing PCAP port is changed on the SRX Series appliance, the administrator must edit the log source. To edit the Incoming PCAP Port number: 1. Type the new port number for receiving PCAP data. 2. Click Save. 3. On the Admin tab, select Advanced > Deploy Full Configuration. Attention: When administrators click Deploy Full Configuration, the system restarts all services, which causes a gap in event and flow collection until the deployment completes.
Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and is not counted against the license limit.
Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest); the default is 5. Credibility represents the integrity or validity of the events that a log source creates. The value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from a log source contributes to the calculation of offense magnitude and can increase or decrease the magnitude of an offense.
Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. Administrators can poll and process events on the target event collector instead of the console appliance, which can improve performance in distributed deployments.
Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing increases the event count when the same event occurs multiple times within a short time interval, which lets administrators see on the Log Activity tab how frequently a single event type occurs. When this check box is clear, events are displayed individually and are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab; administrators can use this check box to override that system setting for an individual log source.
Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab; administrators can use this check box to override that system setting for an individual log source.

Table 28: PCAP Syslog Combination Protocol Parameters (continued)

Log Source Language: Select the language of the events that the log source generates. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.
Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is available only after a log source extension is uploaded to JSA. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns that a device support module (DSM) defines.
Extension Use Condition: From the list box, select the use condition for the log source extension. Select Parsing enhancement when most fields already parse correctly for your log source, or Parsing override when the log source is unable to parse events correctly.
Groups: Select one or more groups for the log source.

To configure the PCAP Syslog Combination protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation
Protocol Configuration Overview on page 20.
Configuring the Syslog Protocol on page 20.
Configuring the JDBC Protocol on page 23.
Configuring the JDBC - SiteProtector Protocol on page 27.
Configuring the TLS Syslog Protocol on page 89.
Configuring the Juniper Security Binary Log Collector Protocol on page 92.
Configuring the UDP Multiline Syslog Protocol on page 94.

Configuring the Forwarded Protocol

The Forwarded protocol enables administrators to receive events from another console in the deployment. It is typically used when administrators want to forward events from one Juniper Secure Analytics (JSA) console to another. In this scenario, console A is configured with an off-site target in the deployment editor that points to console B. Log sources that are automatically discovered are added to console B automatically. Any log source from console A that is not automatically discovered must be added to console B as a log source that uses the Forwarded protocol.

Table 29: Forwarded Protocol Parameters

Log Source Name: Type a unique name for the log source.
Log Source Description: Optional. Type a description for the log source.
Log Source Type: From the list, select a log source type.
Protocol Configuration: From the list, select Forwarded.
Log Source Identifier: Type the IP address or host name of the originating log source; for example, the IP address or host name of the log source in Network A. The log source identifier must be unique for the log source type.
Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and is not counted against the license limit.

100 Juniper Secure Analytics Log Sources Users Guide Table 29: Forwarded Protocol s (continued) Credibility Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or adjusted as a response to user created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense. Target Event Collector Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector, instead of the console appliance. This can improve performance in distributed deployments. Coalescing Events Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increase the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, the events are displayed individually and the information is not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source. Store Event Payload Select this check box to enable the log source to store the payload information from an event. 
New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source. Log Source Language Select the language of the events generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages. Log Source Extension Optional. Select the name of the extension to apply to the log source. This parameter is only available after you upload a log source extension to JSA. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM). Extension Use Condition From the list box, select the use condition for the log source extension. The options include: Parsing enhancement Select this option when most fields parse correctly for your log source. Parsing override Select this option when the log source is unable to correctly parse events. Groups Select one or more groups for the log source. 88

To configure the forwarded protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation
Protocol Configuration Overview on page 20.
Configuring the TLS Syslog Protocol on page 89.
Configuring the Juniper Security Binary Log Collector Protocol on page 92.
Configuring the UDP Multiline Syslog Protocol on page 94.
Configuring the TCP Multiline Syslog Protocol on page 97.
Configuring the VMware vcloud Director Protocol on page 100.
Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 102.

Configuring the TLS Syslog Protocol

The TLS Syslog protocol enables log sources to receive encrypted syslog events from up to 50 network devices that support TLS Syslog event forwarding. The log source creates a listen port for incoming TLS Syslog events and generates a certificate file for the network devices. Up to 50 network appliances can forward events to the port created for the log source.

Table 30: TLS Syslog Protocol Parameters

Log Source Name: Type a unique name for the log source.
Log Source Description: Optional. Type a description for the log source.
Log Source Type: From the list, select a log source type.
Protocol Configuration: From the list, select TLS Syslog.
Log Source Identifier: Type the IP address or host name of the network device forwarding encrypted syslog.
TLS Listen Port: Type the port number to accept incoming TLS Syslog events. The default TLS listen port is 6514. The port number that is specified as the listen port for TLS events can be used by up to 50 log sources. If multiple network devices are forwarding TLS syslog events, they can also use 6514 as their default TLS syslog port. To edit the port number, complete the following steps:
1. Type the new port number for the TLS syslog protocol.
2. Click Save.
3. On the Admin tab, select Advanced > Deploy Full Configuration.
Attention: When administrators click Deploy Full Configuration, the system restarts all services, resulting in a gap in data collection for events and flows until the deployment completes.
Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.
Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.
Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events give administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, the events are displayed individually and the information is not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Log Source Language: Select the language of the events generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.
Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).
Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
Parsing enhancement: Select this option when most fields parse correctly for your log source.
Parsing override: Select this option when the log source is unable to correctly parse events.
Groups: Select one or more groups for the log source.

To configure the TLS syslog protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

After the log source is saved, a syslog-tls certificate is created for the log source device. The certificate must be copied to any device on your network that is capable of forwarding encrypted syslog. Additional network devices that have the syslog-tls certificate file and the TLS listen port number can be automatically discovered as a TLS syslog log source in JSA.

Related Documentation
Protocol Configuration Overview on page 20.
Configuring the Juniper Security Binary Log Collector Protocol on page 92.
Configuring the UDP Multiline Syslog Protocol on page 94.
Configuring the TCP Multiline Syslog Protocol on page 97.
Configuring the VMware vcloud Director Protocol on page 100.
Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page

Configuring the Juniper Security Binary Log Collector Protocol

The Juniper Security Binary Log Collector protocol can accept audit, system, firewall, and intrusion prevention system (IPS) events in binary format. Administrators must configure their Juniper appliances to stream binary formatted events. The port number that Juniper uses to stream binary events is required before an administrator can configure the log source. The binary log format from Juniper SRX or J Series appliances is streamed with the UDP protocol. You must specify a unique port for streaming binary formatted events; the standard syslog port (514) cannot be used for binary formatted events. The default port that is assigned to receive streaming binary events from Juniper appliances is port

Table 31: Juniper Security Binary Log Collector Protocol Parameters

Log Source Name: Type a unique name for the log source.
Log Source Description: Optional. Type a description for the log source.
Log Source Type: From the list, select a log source type.
Protocol Configuration: From the list, select Security Binary Log Collector.
Log Source Identifier: Type an IP address or host name to identify the log source. The identifier address must be the Juniper SRX or J Series appliance that generates the binary event stream.
Binary Collector Port: Type the port number to accept incoming binary events. The default listen port is
To edit the port number, complete the following steps:
1. Type the new port number for the protocol.
2. Click Save.
3. On the Admin tab, select Advanced > Deploy Full Configuration.
Attention: When administrators click Deploy Full Configuration, the system restarts all services, resulting in a gap in data collection for events and flows until the deployment completes.
XML Template File Location: Type the path to the XML file used to decode the binary stream from your Juniper SRX or Juniper J-Series appliance. By default, the device support module (DSM) includes an XML file for decoding the binary stream. The XML file is in the following location: /opt/qradar/conf/security_log.xml.
Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.
Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.
Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events give administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, the events are displayed individually and the information is not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Log Source Language: Select the language of the events generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.
Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).
Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
Parsing enhancement: Select this option when most fields parse correctly for your log source.
Parsing override: Select this option when the log source is unable to correctly parse events.
Groups: Select one or more groups for the log source.

To configure the Juniper security binary log collector protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation
Protocol Configuration Overview on page 20.
Configuring the UDP Multiline Syslog Protocol on page 94.
Configuring the TCP Multiline Syslog Protocol on page 97.
Configuring the VMware vcloud Director Protocol on page 100.
Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 102.

Configuring the UDP Multiline Syslog Protocol

The UDP multiline syslog protocol uses a regular expression to identify and reassemble multiline syslog messages into a single event payload. The UDP multiline protocol enables administrators to add a log source that creates a single-line syslog event from a multiline event. The original event must contain a value that repeats on each line, which the regular expression uses to identify and reassemble the multiline event. The following example event contains a repeated value:

15:08: slapd[517]: conn= op=2 SEARCH RESULT tag=101
15:08: slapd[517]: conn= op=2 SRCH base="dc=iso-n,dc=com"
15:08: slapd[517]: conn= op=2 SRCH attr=gidnumber
15:08: slapd[517]: conn= op=1 SRCH base="dc=iso-n,dc=com

Table 32: UDP Multiline Syslog Protocol Parameters

Log Source Name: Type a unique name for the log source.
Log Source Description: Optional. Type a description for the log source.
Log Source Type: From the list, select a log source type.

Protocol Configuration: From the list, select UDP Multiline Syslog.
Log Source Identifier: Type the IP address or host name of the network device forwarding encrypted syslog.
Listen Port: Type the port number to accept incoming UDP multiline syslog events. The default listen port is 517. To edit the port number, complete the following steps:
1. Type the new port number for the protocol.
2. Click Save.
3. On the Admin tab, select Advanced > Deploy Full Configuration.
Attention: When administrators click Deploy Full Configuration, the system restarts all services, resulting in a gap in data collection for events and flows until the deployment completes.
Message ID Pattern: Type the regular expression (regex) required to filter the event payload messages. The UDP multiline event messages must contain a common identifying value that repeats on each line of the event message.
Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.
Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.
Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events give administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, the events are listed individually and the information is not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Log Source Language: Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.
Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns that are defined by a device support module (DSM).
Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
Parsing enhancement: Select this option when most fields parse correctly for your log source.
Parsing override: Select this option when the log source is unable to correctly parse events.
Groups: Select one or more groups for the log source.

To configure the UDP multiline syslog protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

After the log source is saved, a syslog-tls certificate is created for the log source device. The certificate must be copied to any device on your network that is configured to forward encrypted syslog. Additional network devices that have the syslog-tls certificate file and the TLS listen port number can be automatically discovered as a TLS syslog log source.
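Both multiline protocols reassemble events by regular expression: the UDP multiline protocol groups lines that share the value captured by the Message ID Pattern, and the TCP multiline protocol (described in the next section) delimits events by an Event Start Pattern and an Event End Pattern. The following Python script is an added example that implements both strategies; it is not JSA code. Its sample lines are constructed after the slapd and Windows events in this guide, and the conn= values, timestamps and addresses in them are assumed.

```python
"""Added example: regex-driven reassembly of multiline syslog events."""
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample modelled on the slapd lines in the guide; the conn=
# values and timestamps are assumed, not taken from the guide.
UDP_SAMPLE = [
    "15:08:40 slapd[517]: conn=1000 op=2 SEARCH RESULT tag=101",
    '15:08:40 slapd[517]: conn=1000 op=2 SRCH base="dc=iso-n,dc=com"',
    "15:08:40 slapd[517]: conn=1000 op=2 SRCH attr=gidnumber",
    '15:08:41 slapd[517]: conn=1001 op=1 SRCH base="dc=iso-n,dc=com"',
]
# Message ID Pattern: exactly one capture group holding the repeated value.
SLAPD_MESSAGE_ID = r"conn=(\d+)"

# Constructed sample modelled on the Windows Filtering Platform event in the
# guide; the date and the addresses are assumed.
TCP_SAMPLE = [
    "06/13/2012 08:15:15 PM Log Name=Security",
    "Source Name=Microsoft Windows security auditing.",
    "Event Code=5156",
    "Message=The Windows Filtering Platform permitted a connection.",
    "Source Address: 192.0.2.10",
    "Source Port: 80",
    "Destination Address: 192.0.2.20",
    "Destination Port:444",
    "06/13/2012 08:15:16 PM Log Name=Security",
    "Event Code=5156",
    "Destination Port:445",
]
# Event Start Pattern (the header begins with a timestamp) and Event End
# Pattern (the last field of this event type).
WINDOWS_START = r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M "
WINDOWS_END = r"^Destination Port:"


def reassemble_by_message_id(lines: Iterable[str], message_id_pattern: str,
                             max_lines: int = 50) -> List[str]:
    """UDP multiline approach: join lines that share the captured message ID.

    Lines without a match pass through as single-line events. max_lines caps
    an event so an ID that never stops repeating cannot buffer unboundedly;
    a real collector would also flush on a timeout.
    """
    regex = re.compile(message_id_pattern)
    if regex.groups != 1:
        raise ValueError("message ID pattern needs exactly one capture group")
    pending: Dict[str, List[str]] = {}   # dict keeps first-seen order
    events: List[str] = []
    for line in lines:
        match = regex.search(line)
        if match is None:
            events.append(line)
            continue
        msg_id = match.group(1)
        bucket = pending.setdefault(msg_id, [])
        bucket.append(line)
        if len(bucket) >= max_lines:
            events.append("\n".join(pending.pop(msg_id)))
    # Input is finite here, so flush whatever is still buffered.
    events.extend("\n".join(bucket) for bucket in pending.values())
    return events


def reassemble_by_start_end(lines: Iterable[str],
                            start_pattern: Optional[str] = None,
                            end_pattern: Optional[str] = None) -> List[str]:
    """TCP multiline approach: delimit events by a start and/or end regex.

    Start only: everything between two start matches is one event. End only:
    everything up to and including each end match is one event. Both: an
    event runs from a start match to the next end match; lines outside any
    event are dropped, and a new start closes an event whose end line was
    lost, so one missing end cannot swallow everything that follows.
    """
    if start_pattern is None and end_pattern is None:
        raise ValueError("a start pattern, an end pattern, or both is required")
    start_re = re.compile(start_pattern) if start_pattern else None
    end_re = re.compile(end_pattern) if end_pattern else None
    events: List[str] = []
    current: List[str] = []
    in_event = start_re is None          # end-only mode: always collecting
    for line in lines:
        if start_re is not None and start_re.search(line):
            if current:                  # previous event had no end line
                events.append("\n".join(current))
            current, in_event = [line], True
        elif in_event:
            current.append(line)
        else:
            continue                     # between events: nothing to collect
        if end_re is not None and end_re.search(line):
            events.append("\n".join(current))
            current, in_event = [], start_re is None
    if current:                          # trailing event with no end line
        events.append("\n".join(current))
    return events
```

Run with only a start pattern or only an end pattern to see the two degraded modes the TCP multiline parameters describe; the result for this sample is the same two events either way.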

Related Documentation
Protocol Configuration Overview on page 20.
Configuring the Juniper Security Binary Log Collector Protocol on page 92.
Configuring the TCP Multiline Syslog Protocol on page 97.
Configuring the VMware vcloud Director Protocol on page 100.
Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 102.

Configuring the TCP Multiline Syslog Protocol

The TCP multiline syslog protocol uses regular expressions to identify the start and end patterns of multiline events and create a single-line event. The TCP multiline protocol enables administrators to add a log source that creates a single-line syslog event from a multiline event. The following is an example multiline event:

06/13/ :15:15 PM Log Name=Security
Source Name=Microsoft Windows security auditing.
Event Code=5156
Event Type=0
Task Category=Filtering Platform Connection
Keywords=Audit Success
Message=The Windows Filtering Platform permitted a connection.
Process ID: 4
Application Name: System
Direction: Inbound
Source Address:
Source Port: 80
Destination Address:
Destination Port:444

Table 33: TCP Multiline Syslog Protocol Parameters

Log Source Name: Type a unique name for the log source.
Log Source Description: Optional. Type a description for the log source.
Log Source Type: From the list, select a log source type.
Protocol Configuration: From the list, select TCP Multiline Syslog.
Log Source Identifier: Type the IP address or host name of the network device forwarding encrypted syslog.
Listen Port: Type the port number to accept incoming TCP multiline syslog events. The default listen port is
To edit the port number, complete the following steps:
1. Type the new port number for the protocol.
2. Click Save.
3. On the Admin tab, select Advanced > Deploy Full Configuration.
Attention: When administrators click Deploy Full Configuration, the system restarts all services, resulting in a gap in data collection for events and flows until the deployment completes.
Event Formatter: From the list, select one of the following options:
No Formatting: Select this option when no extra formatting is required for the multiline events.
Windows Multiline: Select this option for multiline events that are formatted specifically for Windows.
Event Start Pattern: Type the regular expression (regex) required to identify the start of a TCP multiline event payload. Syslog headers typically begin with a date or time stamp. The protocol can create a single-line event based solely on an event start pattern, such as a time stamp. When a start pattern is all that is available, the protocol captures all the information between each start value to create a valid event.
Event End Pattern: Type the regular expression (regex) required to identify the last field of a TCP multiline event payload. If the syslog event always ends with the same value, administrators can use a regular expression to determine the end of an event. The protocol can capture events based solely on an event end pattern. When an end pattern is all that is available, the protocol captures all the information between each end value to create a valid event.
Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.
Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.
Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events give administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, the events are displayed individually and the information is not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Log Source Language: Select the language of the events generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.
Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns defined by a device support module (DSM).
Extension Use Condition: From the list box, select the use condition for the log source extension. The options include:
Parsing enhancement: Select this option when most fields parse correctly for your log source.
Parsing override: Select this option when the log source is unable to correctly parse events.
Groups: Select one or more groups for the log source.

To configure the TCP multiline syslog protocol:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.

5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation
Protocol Configuration Overview on page 20.
Configuring the TLS Syslog Protocol on page 89.
Configuring the Juniper Security Binary Log Collector Protocol on page 92.
Configuring the UDP Multiline Syslog Protocol on page 94.
Configuring the VMware vcloud Director Protocol on page 100.
Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 102.

Configuring the VMware vcloud Director Protocol

The VMware vcloud Director protocol gives log sources the ability to use the VMware API to collect events from VMware vcloud Director virtual environments. Table 34 on page 100 describes the parameters of the VMware vcloud Director protocol.

Table 34: VMware vcloud Director Protocol Parameters

Log Source Name: Type a unique name for the log source.
Log Source Description: Optional. Type a description for the log source.
Log Source Type: From the list, select the type of log source to add.
Protocol Configuration: From the list, select VMware vcloud Director.
Log Source Identifier: Type an IPv4 address or host name to identify the log source that created the events.
vcloud URL: Type the URL configured on the VMware vcloud appliance to access the REST API. The URL must match the address that is configured as the VCD public REST API base URL on the vcloud Server. For example,
User Name: Type the user name that is required to remotely access the vcloud Server. For example, console/user@organization. To configure a read-only account to use with the vcloud Director protocol, administrators can create a user in the organization with console Access Only permission.
Password: Confirm the password that is required to remotely access the vcloud Server.
Polling Interval: Type a polling interval, which is the amount of time between queries to the vcloud Server for new events. The default polling interval is 10 seconds.
Enabled: Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.
Credibility: Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Target Event Collector: Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector instead of the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.
Coalescing Events: Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events give administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, events are viewed individually and are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Store Event Payload: Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Log Source Language: Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.
Log Source Extension: Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Juniper Secure Analytics Log Sources Users Guide

Table 34: VMware vCloud Director Protocol Parameters (continued)

Extension Use Condition
    From the list box, select the use condition for the log source extension. The options include:
    Parsing enhancement: Select this option when most fields parse correctly for your log source.
    Parsing override: Select this option when the log source is unable to correctly parse events.

Groups
    Select one or more groups for the log source.

To configure the VMware vCloud Director protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source. JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation
    Protocol Configuration Overview on page 20
    Configuring the TLS Syslog Protocol on page 89
    Configuring the Juniper Security Binary Log Collector Protocol on page 92
    Configuring the UDP Multiline Syslog Protocol on page 94
    Configuring the TCP Multiline Syslog Protocol on page 97
    Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 102

Configuring the IBM Tivoli Endpoint Manager SOAP Protocol

The IBM Tivoli Endpoint Manager SOAP protocol retrieves Log Extended Event Format (LEEF) formatted events from IBM Tivoli Endpoint Manager appliances. This protocol requires IBM Tivoli Endpoint Manager version V8.2.x or later and the Web Reports application for Tivoli Endpoint Manager. The Tivoli Endpoint Manager SOAP protocol retrieves events at 30-second intervals over HTTP or HTTPS. As events are retrieved, the IBM Tivoli Endpoint Manager DSM parses and categorizes them.

Table 35: IBM Tivoli Endpoint Manager SOAP Protocol Parameters

Log Source Name
    Type a unique name for the log source.

Table 35: IBM Tivoli Endpoint Manager SOAP Protocol Parameters (continued)

Log Source Description
    Optional. Type a description for the log source.

Log Source Type
    From the list, select a log source type.

Protocol Configuration
    From the list, select IBM Tivoli Endpoint Manager SOAP.

Log Source Identifier
    Type the IP address or host name of the network device forwarding encrypted syslog.

Use HTTPS
    Select this check box to connect to your IBM Tivoli Endpoint Manager with HTTPS. If a certificate is required to connect with HTTPS, administrators must copy any certificates that are required to the following directory: /opt/qradar/conf/trusted_certificates. Certificates with the following file extensions are supported: .crt, .cert, or .der. Administrators must copy certificates to the trusted certificates directory before the log source is saved and deployed.

SOAP Port
    Type the port number used to connect to the IBM Tivoli Endpoint Manager using the SOAP API. By default, port 80 is the port number for communicating with IBM Tivoli Endpoint Manager. If administrators use HTTPS, the port field must be updated appropriately. Most configurations use port 443 for HTTPS communications.

Username
    Type the username required to access IBM Tivoli Endpoint Manager.

Password
    Type the password required to access IBM Tivoli Endpoint Manager.

Confirm Password
    Confirm the password to access IBM Tivoli Endpoint Manager.

Enabled
    Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility
    Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
    Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. The target event collector enables administrators to poll and process events on the target event collector instead of on the console appliance. Distributing events across target event collectors can improve performance in distributed deployments.

Table 35: IBM Tivoli Endpoint Manager SOAP Protocol Parameters (continued)

Coalescing Events
    Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, events are viewed individually and are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload
    Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Language
    Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Extension
    Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing of a device support module (DSM).

Extension Use Condition
    From the list box, select the use condition for the log source extension. The options include:
    Parsing enhancement: Select this option when most fields parse correctly for your log source.
    Parsing override: Select this option when the log source is unable to correctly parse events.

Groups
    Select one or more groups for the log source.

To configure the IBM Tivoli Endpoint Manager SOAP protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source. Administrators should copy certificates to the trusted certificates directory before the log source is saved and deployed.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
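The Use HTTPS parameter above requires any certificate needed for the connection to be placed in /opt/qradar/conf/trusted_certificates, with a .crt, .cert or .der extension, before the log source is saved and deployed. A deploy that fails because a file was mis-named or truncated is tedious to diagnose afterwards, so a pre-flight check of the files is worth running first. The script below is an added example, not part of the Juniper guide or the product: it checks the extension rule the guide states and, as an assumption of its own, a minimal encoding sanity test (a PEM certificate block, or DER whose outer SEQUENCE length matches the file size). The sample files are constructed and are not real certificates.

```python
"""Pre-flight check for certificate files bound for the JSA trusted
certificates directory (/opt/qradar/conf/trusted_certificates).

Added example, not from the Juniper guide or the product. The guide
requires a .crt, .cert or .der extension and that the files are in place
before the log source is saved and deployed. The DER framing check below
(outer SEQUENCE length equals file size) is an assumption about a minimal
sanity test, not a JSA rule; the sample files are constructed.
"""
import os
import re
import ssl
from typing import Dict, Optional, Tuple

TRUSTED_CERT_DIR = "/opt/qradar/conf/trusted_certificates"  # from the guide
SUPPORTED_EXTENSIONS = {".crt", ".cert", ".der"}            # from the guide

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)


def der_length(data: bytes) -> Optional[int]:
    """Total length of the DER SEQUENCE at the start of data, or None if there is none.

    Every X.509 certificate is a DER SEQUENCE (tag 0x30), so a file that does
    not start with one cannot be a DER certificate.
    """
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                     # short form: one length byte
        return 2 + first
    n = first & 0x7F                     # long form: n further length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify_certificate(filename: str, data: bytes) -> Tuple[str, str]:
    """Return ("ok", kind) or ("reject", reason) for one candidate file."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in SUPPORTED_EXTENSIONS:
        return "reject", f"extension {ext or '(none)'} is not .crt, .cert or .der"

    pem = PEM_BLOCK.search(data)
    if pem:
        try:
            # ssl.PEM_cert_to_DER_cert base64-decodes the body between the markers
            der = ssl.PEM_cert_to_DER_cert(pem.group(0).decode("ascii"))
        except (UnicodeDecodeError, ValueError) as exc:
            return "reject", f"PEM block is malformed: {exc}"
        if der_length(der) != len(der):
            return "reject", "PEM body does not decode to a single DER SEQUENCE"
        return "ok", "PEM certificate"

    total = der_length(data)
    if total is None:
        return "reject", "neither a PEM block nor a DER SEQUENCE"
    if total != len(data):
        return "reject", f"DER SEQUENCE length {total} does not match file size {len(data)}"
    return "ok", "DER certificate"


def check_files(files: Dict[str, bytes]) -> Dict[str, Tuple[str, str]]:
    """Classify a mapping of file name to file content."""
    return {name: classify_certificate(name, data) for name, data in files.items()}


# Constructed samples: a minimal DER SEQUENCE (not a real certificate) in
# several wrappers, to exercise each branch of the check.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"                 # SEQUENCE { INTEGER 1 }
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              b"MAMCAQE=\n"                           # base64 of SAMPLE_DER
              b"-----END CERTIFICATE-----\n")
CONSTRUCTED_FILES = {
    "tem-web-reports.crt": SAMPLE_PEM,                # PEM, supported extension
    "tem-web-reports.der": SAMPLE_DER,                # DER, supported extension
    "tem-web-reports.pem": SAMPLE_PEM,                # right content, wrong extension
    "truncated.der": SAMPLE_DER[:-1],                 # DER cut short in transfer
    "garbage.cert": b"-----BEGIN CERTIFICATE-----\n!!!!\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    for name, (verdict, detail) in check_files(CONSTRUCTED_FILES).items():
        print(f"{verdict:6} {name}: {detail}")
```

To run it against the real directory, read each file in TRUSTED_CERT_DIR into a dict of name to bytes and pass it to check_files; a "reject" verdict should be resolved before the log source is saved and deployed. The check does not verify the certificate chain or validity dates, only that the file is the kind of object the directory expects.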

Related Documentation
    Protocol Configuration Overview on page 20
    Configuring the TLS Syslog Protocol on page 89
    Configuring the Juniper Security Binary Log Collector Protocol on page 92
    Configuring the UDP Multiline Syslog Protocol on page 94
    Configuring the TCP Multiline Syslog Protocol on page 97
    Configuring the VMware vCloud Director Protocol on page


CHAPTER 4
Grouping Log Sources

Grouping Log Source Overview

This chapter describes the following sections:
    Grouping Log Source Overview on page 107
    Viewing Log Source Groups on page 108
    Assigning a Log Source to a Group on page 108
    Creating a Log Source Group on page 109
    Editing a Log Source Group on page 109
    Copying a Log Source to Another Group on page 110
    Removing a Log Source From a Group on page 110

Administrators can create log source groups to categorize their log sources by type, location, or functionality. Administrators can create and manage multiple levels of log source groups to help users efficiently search for events.

Log source groups are named associations of log sources that administrators can create to categorize log sources. Each group can contain a maximum of 1,000 log sources. Auto discovered log sources are assigned to a generic log source group. Log source groups for bulk log sources are automatically created when administrators add bulk log sources.

Related Documentation
    Viewing Log Source Groups on page 108
    Assigning a Log Source to a Group on page 108
    Creating a Log Source Group on page 109
    Editing a Log Source Group on page 109
    Copying a Log Source to Another Group on page 110
    Removing a Log Source From a Group on page 110

Viewing Log Source Groups

Administrators can sort the list of log sources to view the log sources that are assigned to a group.

To view the log source groups:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. From the Search For list, select the log source group.
4. Click Go.

The log source list refreshes to show the log sources associated with the group.

Related Documentation
    Grouping Log Source Overview on page 107
    Assigning a Log Source to a Group on page 108
    Creating a Log Source Group on page 109
    Editing a Log Source Group on page 109
    Copying a Log Source to Another Group on page 110
    Removing a Log Source From a Group on page 110

Assigning a Log Source to a Group

Administrators can use the assign feature to move one or more log sources from one group to another. The assign feature can also be used to quickly assign a log source to multiple groups. Auto discovered log sources often require a new log source assignment because all auto discovered log sources are categorized into a generic group.

To assign a log source to a group:

1. Click the Admin tab.
2. Click the Log Source icon.
3. Select one or more log sources to assign to a group.
4. Click Assign.
5. Select a group for the log source.
6. Click Assign Groups.

The log sources are reassigned to the group selected by the administrator.

Related Documentation
    Grouping Log Source Overview on page 107
    Viewing Log Source Groups on page 108
    Creating a Log Source Group on page 109

    Editing a Log Source Group on page 109
    Copying a Log Source to Another Group on page 110
    Removing a Log Source From a Group on page 110

Creating a Log Source Group

Administrators can create log source groups so that users can organize the list of log sources. A log source can belong to multiple groups at the same time, and administrators can create multiple levels of log source groups.

To create a log source group:

1. Click the Admin tab.
2. Click the Log Source Groups icon.
3. Click New Group.
4. Click Go.

The log source list refreshes with a list of log sources based on the group you selected.

Related Documentation
    Grouping Log Source Overview on page 107
    Viewing Log Source Groups on page 108
    Assigning a Log Source to a Group on page 108
    Editing a Log Source Group on page 109
    Copying a Log Source to Another Group on page 110
    Removing a Log Source From a Group on page 110

Editing a Log Source Group

Administrators can sort the list of log sources to view the log sources that are assigned to a group.

To edit a log source group:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. From the Search For list, select the log source group.
4. Click Go.

The log source list refreshes to show the log sources associated with the group.

Related Documentation
    Grouping Log Source Overview on page 107
    Viewing Log Source Groups on page 108

    Assigning a Log Source to a Group on page 108
    Creating a Log Source Group on page 109
    Copying a Log Source to Another Group on page 110
    Removing a Log Source From a Group on page 110

Copying a Log Source to Another Group

Administrators can copy log source groups to move log sources between groups.

To copy a log source to another group:

1. Click the Admin tab.
2. Click the Log Source Groups icon.
3. Select the name of a group to view a list of log sources.
4. Select the log source to copy to a new group.
5. Click Copy.
6. Select the new group for the log source. This selection can include multiple groups.
7. Click Assign Groups.

The log source is reassigned to the groups selected by the administrator.

Related Documentation
    Grouping Log Source Overview on page 107
    Viewing Log Source Groups on page 108
    Assigning a Log Source to a Group on page 108
    Creating a Log Source Group on page 109
    Editing a Log Source Group on page 109
    Removing a Log Source From a Group on page 110

Removing a Log Source From a Group

Administrators can remove log sources from groups when a group is no longer required.

To remove a log source from a group:

1. Click the Admin tab.
2. Click the Log Source Groups icon.
3. Select the name of a group to view a list of log sources.
4. Select the log source to remove from the group.

5. Click Remove.
6. Click OK.

The log source is removed from the group.

Related Documentation
    Grouping Log Source Overview on page 107
    Viewing Log Source Groups on page 108
    Assigning a Log Source to a Group on page 108
    Creating a Log Source Group on page 109
    Editing a Log Source Group on page 109
    Copying a Log Source to Another Group on page 110


CHAPTER 5
Adding Log Source Parsing Order

Log Source Parsing Order Overview

This chapter describes the following sections:
    Log Source Parsing Order Overview on page 113
    Adding a Log Source Parsing Order on page 113

Administrators can assign an order to prioritize the events parsed by the target event collector assigned to the log source. Administrators can order the importance of the log sources by defining the parsing order for log sources that share a common IP address or host name. Defining the parsing order for log sources ensures that certain log sources are parsed in a specific order, regardless of changes to the log source configuration.

The parsing order ensures that system performance is not affected by changes to the log source configuration, by preventing unnecessary parsing. The parsing order ensures that low-level event sources are not parsed for events ahead of more important log sources.

Related Documentation
    Adding a Log Source Parsing Order on page 113

Adding a Log Source Parsing Order

Administrators can assign an order to prioritize the events parsed by the target event collector assigned to the log source.

To add a log source parsing order:

1. Click the Admin tab.
2. Click the Log Source Parsing Ordering icon.
3. Select a log source based on the IP address or host name.
4. Optional. From the Selected Event Collector list, select the Event Collector to define the log source parsing order.
5. Optional. From the Log Source Host list, select a log source.

6. Prioritize the log source parsing order.
7. Click Save.

Related Documentation
    Log Source Parsing Order Overview on page 113
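The overview above makes two claims about parsing order: it stops lower-priority log sources from being consulted for events that a more important source handles, and it avoids unnecessary parsing work. The model below is an added example, not JSA code; the candidate log sources, the stub DSM recognizers and the sample syslog payloads are constructed for illustration. It dispatches the same three events from one shared host under two different orders and counts how many times each DSM had to inspect a payload, which shows why a catch-all log source type belongs at the bottom of the order rather than the top.

```python
"""Parsing order for log sources that share one IP address or host name.

Added example, not JSA code. The candidate log sources, the stub DSM
recognizers and the sample events are constructed for illustration. The
model: the event collector tries the log sources configured for a host in
their parsing order and stops at the first one whose DSM recognizes the
payload, so a lower priority source is never asked to parse an event that a
higher priority source handles.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed syslog payloads, all arriving from the same relay host, which
# forwards firewall, VPN and miscellaneous system messages.
EVENTS = [
    "<134>Mar 10 12:00:01 relay1 examplefw: action=deny src=10.0.0.5 dst=10.0.1.9",
    "<134>Mar 10 12:00:02 relay1 examplevpn: user=alice event=login result=ok",
    "<78>Mar 10 12:00:03 relay1 cron: job backup finished",
]

# Stub recognizers standing in for the DSMs of three log source types.
RECOGNIZERS: Dict[str, Callable[[str], bool]] = {
    "Example Firewall": lambda p: " examplefw: " in p,
    "Example VPN": lambda p: " examplevpn: " in p,
    "Generic Syslog": lambda p: True,   # catch-all: claims every payload
}


@dataclass
class LogSource:
    name: str
    recognizes: Callable[[str], bool]
    attempts: int = 0   # payloads this DSM was asked to inspect


def dispatch(ordered: List[LogSource], payload: str) -> Optional[str]:
    """Return the first log source, in parsing order, whose DSM recognizes the payload."""
    for source in ordered:
        source.attempts += 1
        if source.recognizes(payload):
            return source.name
    return None


def run_order(order: List[str], payloads: List[str]) -> Tuple[List[Optional[str]], Dict[str, int]]:
    """Dispatch every payload under the given parsing order.

    Returns the log source chosen for each payload and, per log source, how
    many payloads it had to inspect. Attempt counts show the wasted work a bad
    order causes; the assignments show which events a catch-all swallows.
    """
    sources = [LogSource(name, RECOGNIZERS[name]) for name in order]
    assigned = [dispatch(sources, p) for p in payloads]
    return assigned, {s.name: s.attempts for s in sources}


if __name__ == "__main__":
    for order in (["Example Firewall", "Example VPN", "Generic Syslog"],
                  ["Generic Syslog", "Example Firewall", "Example VPN"]):
        assigned, attempts = run_order(order, EVENTS)
        print(order, "->", assigned, attempts)
```

With the specific sources first, each event reaches the log source that understands it and the catch-all only sees the one event nobody else claims. With the catch-all first, every event is taken as generic syslog and the firewall and VPN DSMs are never consulted, which is the situation the parsing order exists to prevent.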

CHAPTER 6
Managing Log Source Extensions

Log Source Extensions Overview

This chapter describes the following sections:
    Log Source Extensions Overview on page 115
    Viewing the Status of a Log Source Extension on page 116
    Adding a Log Source Extension on page 117
    Editing a Log Source Extension on page 118
    Copying a Log Source Extension on page 119
    Enabling or Disabling a Log Source Extension on page 121
    Deleting a Log Source Extension on page 121

Log source extensions can be created by administrators to extend or modify the parsing routines of specific devices. A log source extension is an XML file that includes all of the regular expression patterns required to identify and categorize events from the event payload. Extension files can be used to parse all events when a device support module (DSM) does not exist, or when an administrator needs to correct a parsing issue for, or override the default parsing of, an event from a DSM. An extension can provide event support when a DSM does not exist to parse events for an appliance or security device in your network.

The Log Activity tab identifies log source events in three basic types:

1. Log sources that properly parse the event. Events that are properly parsed by the system are assigned to the proper log source type and categorized correctly. In this case, no intervention or extension is required.
2. Log sources that parse events, but include Unknown events. Unknown events are log source events where the log source type is identified, but the payload information cannot be understood by the DSM. The system is unable to determine an event identifier from the available information to properly categorize the event. In this case, the event can be mapped to a category from the Log Activity tab, or a log source extension can be written to repair the event parsing for unknown events.

3. Log sources that cannot identify the log source type and mark the event as a Stored event. Stored events require administrators to update their DSM files or write a log source extension to properly parse the event. After the event parses, the administrator can then map the events in the Log Activity tab.

Before a log source extension is added, the administrator must create the extension document. The extension document is an XML document that can be created with any common word processing or text editing application. Multiple extension documents can be created, uploaded, and associated with various log source types. The format of the extension document must conform to a standard XML schema document (XSD). To develop an extension document, knowledge of and experience with XML coding is required.

Related Documentation
    Viewing the Status of a Log Source Extension on page 116
    Adding a Log Source Extension on page 117
    Editing a Log Source Extension on page 118
    Copying a Log Source Extension on page 119
    Enabling or Disabling a Log Source Extension on page 121
    Deleting a Log Source Extension on page 121

Viewing the Status of a Log Source Extension

Administrators can view a list of log source extensions with the description, status, and log sources assigned to each extension. Table 36 describes the parameters in the user interface when an administrator views the status of a log source extension.

Table 36: Log Source Extension Parameters

Extension Name
    The name of the log source. Administrators can click the name of the extension to download the XML file for the log source extension.

Description
    The description for the log source extension. The description must not exceed 255 characters.

Enabled
    A value of True indicates that the extension is enabled and the parsing patterns are active for the log source. False indicates that the log source extension is currently disabled.

Defaults for Log Source Type
    The log source extension applies parsing from the extension XML file to all Log Source Types listed in this column. This includes auto discovered log sources that match the Log Source Type specified. A value of None indicates that the extension is uploaded, but not associated with a log source.

To view the status of a log source extension:

1. Click the Admin tab.
2. Click the Log Source Extensions icon.
3. Review the status of your log source extensions.

Related Documentation
    Log Source Extensions Overview on page 115
    Adding a Log Source Extension on page 117
    Editing a Log Source Extension on page 118
    Copying a Log Source Extension on page 119
    Enabling or Disabling a Log Source Extension on page 121
    Deleting a Log Source Extension on page 121

Adding a Log Source Extension

Administrators can enable or disable a log source extension. Enabled log source extensions are listed in the Status column as True. Disabled log source extensions are listed in the Status column as False. The options in the following steps describe the log source extension fields.

To add a log source extension:

1. Click the Admin tab.
2. Click the Log Source Extensions icon.
3. Click Add.
4. Type a name for the log source extension.
5. Optional. Type a description for the log source extension.
6. From the Use Condition list, select one of the following options:

    Parsing Enhancement
        Select this option when the device support module (DSM) correctly parses most fields for the log source. The incorrectly parsed field values are enhanced with the new XML values. This is the default setting.

    Parsing Override
        Select this option when the device support module (DSM) is unable to parse correctly. The log source extension completely overrides the failed parsing by the DSM and substitutes the parsing with the new XML values.

7. From the Log Source Types list, select one of the following options:

    Available
        Select this option when the device support module (DSM) correctly parses most fields for the log source. The incorrectly parsed field values are enhanced with the new XML values. This is the default setting.

    Set to default for
        Select log sources to add or remove from the extension parsing. Administrators can add or remove extensions from a log source. When a log source extension is Set to default for a log source, any new log sources of the same Log Source Type use the assigned log source extension. This includes auto discovered log sources.

8. Click Browse to locate your log source extension XML document.
9. Click Upload. The contents of the log source extension are displayed so that you can confirm the proper extension file is uploaded. The extension file is evaluated against the XSD for errors when the file is uploaded.
10. Click Save.

If the extension file does not contain any errors, the new log source extension is created and enabled. It is possible to upload a log source extension without applying the extension to a log source. Any change to the status of an extension is applied immediately, and managed hosts or consoles enforce the new event parsing parameters in the log source extension.

On the Log Activity tab, the parsing patterns for events should be verified to ensure that the parsing is applied correctly to your events. If the log source categorizes events as Stored, the parsing pattern in the log source extension requires adjustment. The administrator can review the extension file against log source events to locate any event parsing issues.

Related Documentation
    Log Source Extensions Overview on page 115
    Viewing the Status of a Log Source Extension on page 116
    Editing a Log Source Extension on page 118
    Copying a Log Source Extension on page 119
    Enabling or Disabling a Log Source Extension on page 121
    Deleting a Log Source Extension on page 121

Editing a Log Source Extension

Log source extension files must be edited in an external editor. Administrators can edit a log source extension to modify the name, or upload a new extension file to replace an existing log source extension.

To edit a log source extension:

1. Click the Admin tab.
2. Click the Log Source Extensions icon.
3. Click Edit.
4. Edit the name or any other configuration parameters.
5. Click Browse to locate your log source extension XML document.
6. Click Upload. The log source extension is uploaded and the contents are displayed. Administrators can review or replace the extension before they save the changes.
7. Click Save.

The new log source extension is created and enabled. It is possible to upload a log source extension without applying the extension to a log source. Any change to the status of an extension is applied immediately to the log source, and managed hosts or consoles enforce the new event parsing parameters in the log source extension.

On the Log Activity tab, the parsing patterns for events should be verified to ensure that the parsing is applied correctly to your events. If the log source categorizes events as Stored, the parsing pattern in the log source extension requires adjustment. The administrator can review the extension file against log source events to locate any event parsing issues.

Related Documentation
    Log Source Extensions Overview on page 115
    Viewing the Status of a Log Source Extension on page 116
    Adding a Log Source Extension on page 117
    Copying a Log Source Extension on page 119
    Enabling or Disabling a Log Source Extension on page 121
    Deleting a Log Source Extension on page 121

Copying a Log Source Extension

Administrators can copy a log source extension. Enabled log source extensions are listed in the Status column as True. Disabled log source extensions are listed in the Status column as False. The options in the following steps describe the log source extension fields.

To copy a log source extension:

1. Click the Admin tab.
2. Click the Log Source Extensions icon.
3. Select a log source extension.
4. Click Copy.

5. Type a name for the log source extension.
6. Optional. Type a description for the log source extension.
7. From the Use Condition list, select one of the following options:

    Parsing Enhancement
        Select this option when the device support module (DSM) correctly parses most fields for the log source. The incorrectly parsed field values are enhanced with the new XML values. This is the default setting.

    Parsing Override
        Select this option when the device support module (DSM) is unable to parse correctly. The log source extension completely overrides the failed parsing by the DSM and substitutes the parsing with the new XML values.

8. From the Log Source Types list, select one of the following options:

    Available
        Select this option when the device support module (DSM) correctly parses most fields for the log source. The incorrectly parsed field values are enhanced with the new XML values. This is the default setting.

    Set to default for
        Select log sources to add or remove from the extension parsing. Administrators can add or remove extensions from a log source. When a log source extension is Set to default for a log source, any new log sources of the same Log Source Type use the assigned log source extension. This includes auto discovered log sources.

9. Click Browse to locate your log source extension XML document.
10. Click Upload. The contents of the log source extension are displayed so that you can confirm the proper extension file is uploaded. The extension file is evaluated against the XSD for errors when the file is uploaded.
11. Click Save.

If the extension file does not contain any errors, the log source extension is copied to another log source and enabled. Any change to the status of an extension is applied immediately, and managed hosts or consoles enforce the new event parsing parameters in the log source extension.

On the Log Activity tab, the parsing patterns for events should be verified to ensure that the parsing is applied correctly to your events. If the log source categorizes events as Stored, the parsing pattern in the log source extension requires adjustment. The administrator can review the extension file against log source events to locate any event parsing issues.

Related Documentation
    Log Source Extensions Overview on page 115
    Viewing the Status of a Log Source Extension on page 116
    Adding a Log Source Extension on page 117
    Editing a Log Source Extension on page 118
    Enabling or Disabling a Log Source Extension on page 121
    Deleting a Log Source Extension on page 121

Enabling or Disabling a Log Source Extension

Administrators can enable or disable a log source extension. Enabled log source extensions are listed in the Status column as True. Disabled log source extensions are listed in the Status column as False.

To enable or disable a log source extension:

1. Click the Admin tab.
2. Click the Log Source Extensions icon.
3. From the list of log source extensions, select the log source extension that you want to delete.
4. Click Enable/Disable.

The Status column is updated with the current status of the log source extension. Any change to the status of an extension is applied immediately to the log source, and managed hosts or consoles enforce the new event parsing parameters in the log source extension.

Related Documentation
    Log Source Extensions Overview on page 115
    Viewing the Status of a Log Source Extension on page 116
    Adding a Log Source Extension on page 117
    Editing a Log Source Extension on page 118
    Copying a Log Source Extension on page 119
    Deleting a Log Source Extension on page 121

Deleting a Log Source Extension

Administrators can delete a log source extension to remove any event parsing enhancements or overrides for a log source. If an administrator deletes a log source extension, the parsing changes are applied immediately to the incoming events for the log source.

To delete a log source extension:

1. Click the Admin tab.
2. Click the Log Source Extensions icon.
3. From the list of log source extensions, select the log source extension that you want to delete.
4. Click Delete.
5. Click Yes to confirm the deletion of the extension.

New events are written to disk based on the default patterns of the device support module (DSM) or another extension that might be applied to the log source.

Related Documentation
    Log Source Extensions Overview on page 115
    Viewing the Status of a Log Source Extension on page 116
    Adding a Log Source Extension on page 117
    Editing a Log Source Extension on page 118
    Copying a Log Source Extension on page 119
    Enabling or Disabling a Log Source Extension on page 121
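The chapter overview distinguishes parsed, Unknown and Stored events, and the add and copy procedures distinguish the Parsing Enhancement and Parsing Override use conditions; both distinctions are easier to reason about with a concrete run. The model below is an added example serving both passages. It is not JSA code and it is not the extension XML schema: regular expressions stand in for the patterns an extension file carries, a stub DSM stands in for a device support module, and the event format, field names, patterns and sample payloads are all constructed. The model treats a field the DSM "parsed incorrectly" as one it left empty, which is the reading needed to make enhancement and override behave differently.

```python
"""A simplified model of how a log source extension changes event parsing.

Added example, not JSA code and not the extension XML schema. Regular
expressions stand in for the patterns an extension file carries; a stub
DSM stands in for a device support module. The event format, field names,
patterns and sample payloads are all constructed for the example.

Shown: the three outcomes named in the chapter overview (parsed, Unknown
when the log source type is known but the payload is not understood,
Stored when no log source type is identified) and the two Use Condition
settings (Parsing Enhancement fills only fields the DSM left empty,
Parsing Override rebuilds every field from the extension).
"""
import re
from typing import Dict, Optional

FieldMap = Dict[str, Optional[str]]

# Stub DSM for a constructed firewall: a fixed syslog header and two fields.
DSM_HEADER = re.compile(r"^<\d+>\w{3} +\d+ \d\d:\d\d:\d\d \S+ examplefw: ")
DSM_EVENT = re.compile(r"action=(?P<EventName>allow|deny) src=(?P<SourceIp>\S+)")

# Extension patterns (constructed): a newer firmware writes act= and srcip=,
# and the address pattern stops at the first non-address character.
EXTENSION_PATTERNS = {
    "EventName": re.compile(r"\bact(?:ion)?=(\w+)"),
    "SourceIp": re.compile(r"\bsrc(?:ip)?=([\d.]+)"),
}


def dsm_parse(payload: str) -> Optional[FieldMap]:
    """Parse with the stub DSM.

    Returns None when the header does not match (log source type not
    identified). Otherwise returns every field, with None for any field the
    DSM could not extract; those empty fields are what makes an event Unknown.
    """
    head = DSM_HEADER.match(payload)
    if not head:
        return None
    event = DSM_EVENT.search(payload, head.end())
    return {name: (event.group(name) if event else None) for name in ("EventName", "SourceIp")}


def apply_extension(payload: str, fields: FieldMap, use_condition: str) -> FieldMap:
    """Apply the extension patterns under the given Use Condition.

    "enhancement": only fields that are still None are filled from the extension.
    "override": every field is rebuilt from the extension, discarding the DSM value.
    """
    if use_condition not in ("enhancement", "override"):
        raise ValueError(f"unknown use condition: {use_condition}")
    result = dict(fields)
    for name, pattern in EXTENSION_PATTERNS.items():
        if use_condition == "override" or result.get(name) is None:
            match = pattern.search(payload)
            result[name] = match.group(1) if match else None
    return result


def classify(payload: str, use_condition: Optional[str] = None) -> Dict[str, object]:
    """Return {"status": "parsed" | "unknown" | "stored", "fields": {...}}.

    Without an extension, a payload the DSM does not identify is Stored. With
    an extension assigned, the patterns are still tried; if none of them match
    anything, the event is again Stored, which the chapter treats as the sign
    that the extension's patterns need adjustment.
    """
    fields = dsm_parse(payload)
    identified = fields is not None
    if fields is None:
        fields = {name: None for name in EXTENSION_PATTERNS}
    if use_condition is not None:
        fields = apply_extension(payload, fields, use_condition)

    values = list(fields.values())
    if all(v is None for v in values) and (not identified or use_condition is not None):
        status = "stored"
    elif all(v is not None for v in values):
        status = "parsed"
    else:
        status = "unknown"
    return {"status": status, "fields": fields}


# Constructed payloads, one per situation described in the chapter.
PARSES_CLEANLY = "<134>Mar 10 12:00:01 fw1 examplefw: action=deny src=10.0.0.5 dst=10.0.1.9"
NEW_FIRMWARE = "<134>Mar 10 12:00:02 fw1 examplefw: act=deny srcip=10.0.0.7 dst=10.0.1.9"
TRAILING_SEMICOLON = "<134>Mar 10 12:00:03 fw1 examplefw: action=allow src=10.0.0.8; user=alice"
UNIDENTIFIED = "<78>Mar 10 12:00:04 fw1 cron: job backup finished"

if __name__ == "__main__":
    for payload in (PARSES_CLEANLY, NEW_FIRMWARE, TRAILING_SEMICOLON, UNIDENTIFIED):
        for condition in (None, "enhancement", "override"):
            print(f"{condition or 'no extension':12} {classify(payload, condition)}")
```

The NEW_FIRMWARE payload is the Unknown case: the DSM recognizes the device but extracts nothing, and the extension under Parsing Enhancement repairs it. The TRAILING_SEMICOLON payload shows the limit of enhancement: the DSM did return a value for SourceIp, so enhancement leaves the wrong value in place and only Parsing Override replaces it. The UNIDENTIFIED payload stays Stored even with the extension applied, which is the condition the procedures tell you to look for on the Log Activity tab before adjusting the patterns.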

PART 2
Index

    Index on page 125


Index

Symbols
    #, comments in configuration statements ... ix
    ( ), in syntax descriptions ... ix
    < >, in syntax descriptions ... ix
    [ ], in configuration statements ... ix
    { }, in configuration statements ... ix
    | (pipe), in syntax descriptions ... ix

B
    braces, in configuration statements ... ix
    brackets
        angle, in syntax descriptions ... ix
        square, in configuration statements ... ix

C
    comments, in configuration statements ... ix
    conventions
        text and syntax ... viii
    curly braces, in configuration statements ... ix
    customer support ... x
        contacting JTAC ... x

D
    documentation
        comments on ... ix

F
    font conventions ... viii

M
    manuals
        comments on ... ix

P
    parentheses, in syntax descriptions ... ix

S
    support, technical
        See technical support
    syntax conventions ... viii

T
    technical support
        contacting JTAC ... x


More information

Junos OS for EX Series Ethernet Switches

Junos OS for EX Series Ethernet Switches Junos OS for EX Series Ethernet Switches Analyzers for EX9200 Switches Release 13.3 Published: 2014-08-07 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000

More information

Junos Space Security Director

Junos Space Security Director Junos Space Security Director Logging and Reporting Getting Started Guide Release 13.3 Published: 2014-04-29 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000

More information

Juniper Secure Analytics

Juniper Secure Analytics Juniper Secure Analytics Administration Guide Release 204.2 Modified: 206-0-28 Copyright 206, Juniper Networks, Inc. Juniper Networks, Inc. Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

More information

Firefly Host. Installation and Upgrade Guide for VMware. Release 6.0. Published: 2014-01-14. Copyright 2014, Juniper Networks, Inc.

Firefly Host. Installation and Upgrade Guide for VMware. Release 6.0. Published: 2014-01-14. Copyright 2014, Juniper Networks, Inc. Firefly Host Installation and Upgrade Guide for VMware Release 6.0 Published: 2014-01-14 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All

More information

Juniper Secure Analytics

Juniper Secure Analytics Juniper Secure Analytics Log Event Extended Format Release 2014.6 Modified: 2016-04-12 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All rights

More information

Junos Pulse. Windows In-Box Junos Pulse Client Solution. Release 5.0. Published: 2013-11-20. Copyright 2013, Juniper Networks, Inc.

Junos Pulse. Windows In-Box Junos Pulse Client Solution. Release 5.0. Published: 2013-11-20. Copyright 2013, Juniper Networks, Inc. Junos Pulse Windows In-Box Junos Pulse Client Solution Release 5.0 Published: 2013-11-20 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All

More information

Junos OS. System Log Messages. Release 15.1. Modified: 2015-05-19. Copyright 2015, Juniper Networks, Inc.

Junos OS. System Log Messages. Release 15.1. Modified: 2015-05-19. Copyright 2015, Juniper Networks, Inc. Junos OS System Log Messages Release 15.1 Modified: 2015-05-19 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net Juniper Networks, Junos, Steel-Belted

More information

Junos Space. Network Director Monitor Mode User Guide. Release 1.5. Published: 2013-10-15. Copyright 2013, Juniper Networks, Inc.

Junos Space. Network Director Monitor Mode User Guide. Release 1.5. Published: 2013-10-15. Copyright 2013, Juniper Networks, Inc. Junos Space Network Director Monitor Mode User Guide Release 1.5 Published: 2013-10-15 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All

More information

Junos Space. Junos Space Security Director Restful Web Services API Reference. Modified: 2016-06-10. Copyright 2016, Juniper Networks, Inc.

Junos Space. Junos Space Security Director Restful Web Services API Reference. Modified: 2016-06-10. Copyright 2016, Juniper Networks, Inc. Junos Space Junos Space Security Director Restful Web Services API Reference Modified: 2016-06-10 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

More information

NSM Plug-In Users Guide

NSM Plug-In Users Guide Juniper Secure Analytics Release 2014.1 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000 www.juniper.net Published: 2014-03-14 Copyright Notice Copyright 2014 Juniper

More information

SRC Virtualization. Modified: 2015-06-19. Copyright 2015, Juniper Networks, Inc.

SRC Virtualization. Modified: 2015-06-19. Copyright 2015, Juniper Networks, Inc. SRC Virtualization Modified: 2015-06-19 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All rights reserved. Juniper Networks, Junos, Steel-Belted

More information

WinCollect User Guide

WinCollect User Guide Juniper Secure Analytics Release 2014.1 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000 www.juniper.net Published: 2014-03-14 Copyright Notice Copyright 2014 Juniper

More information

Configuration and File Management Feature Guide for QFabric Systems

Configuration and File Management Feature Guide for QFabric Systems Configuration and File Management Feature Guide for QFabric Systems Release 14.1X53 Modified: 2015-08-20 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

More information

Junos Pulse Access Control Service

Junos Pulse Access Control Service Junos Pulse Access Control Service User Access Management Framework Feature Guide Release 5.0 Published: 2013-11-18 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000

More information

Junos Space. Network Director Monitor Mode User Guide. Release 1.6. Published: 2014-06-30. Copyright 2014, Juniper Networks, Inc.

Junos Space. Network Director Monitor Mode User Guide. Release 1.6. Published: 2014-06-30. Copyright 2014, Juniper Networks, Inc. Junos Space Network Director Monitor Mode User Guide Release 1.6 Published: 2014-06-30 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All

More information

Firefly Host. Getting Started Guide for VMware. Release 6.0. Published: 2014-06-23. Copyright 2014, Juniper Networks, Inc.

Firefly Host. Getting Started Guide for VMware. Release 6.0. Published: 2014-06-23. Copyright 2014, Juniper Networks, Inc. Firefly Host Getting Started Guide for VMware Release 6.0 Published: 2014-06-23 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All rights

More information

DDoS Secure. VMware Virtual Edition Installation Guide. Release 5.13.2-0. Published: 2013-11-25. Copyright 2013, Juniper Networks, Inc.

DDoS Secure. VMware Virtual Edition Installation Guide. Release 5.13.2-0. Published: 2013-11-25. Copyright 2013, Juniper Networks, Inc. DDoS Secure VMware Virtual Edition Installation Guide Release 5.13.2-0 Published: 2013-11-25 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

More information

Junos OS. Firewall Filters Feature Guide for Routing Devices. Release 13.2. Published: 2013-09-17. Copyright 2013, Juniper Networks, Inc.

Junos OS. Firewall Filters Feature Guide for Routing Devices. Release 13.2. Published: 2013-09-17. Copyright 2013, Juniper Networks, Inc. Junos OS Firewall Filters Feature Guide for Routing Devices Release 13.2 Published: 2013-09-17 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

More information

Junos OS for EX Series Ethernet Switches

Junos OS for EX Series Ethernet Switches Junos OS for EX Series Ethernet Switches Services Feature Guide for EX4600 Switches Release 14.1X53 Modified: 2015-08-26 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000

More information

Intrusion Detection and Prevention

Intrusion Detection and Prevention Intrusion Detection and Prevention Published: 2013-08-29 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net This product includes the Envoy SNMP

More information

Juniper Secure Analytics

Juniper Secure Analytics Juniper Secure Analytics Configuring Offboard Storage Guide Release 2014.3 Published: 2015-01-19 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

More information

Managing Vulnerability Assessment

Managing Vulnerability Assessment Security Threat Response Manager Release 2012.1 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000 www.juniper.net Published: 2013-03-12 Copyright Notice Copyright 2013

More information

Junos OS. Integrated User Firewall Feature Guide for Security Devices. Release 12.1X47-D10. Published: 2014-09-15

Junos OS. Integrated User Firewall Feature Guide for Security Devices. Release 12.1X47-D10. Published: 2014-09-15 Junos OS Integrated User Firewall Feature Guide for Security Devices Release 12.1X47-D10 Published: 2014-09-15 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000

More information

Juniper Secure Analytics

Juniper Secure Analytics Juniper Secure Analytics Installation Guide Release 2014.1 Published: 2014-11-26 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All rights

More information

Building and Managing a Branch Office Network Using Junos Space Network Director

Building and Managing a Branch Office Network Using Junos Space Network Director Building and Managing a Branch Office Network Using Junos Space Network Director Release 1.6 Published: 2015-01-18 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000

More information

Junos Space. Junos Space Network Management Platform Getting Started Guide. Release 14.1. Modified: 2015-07-27

Junos Space. Junos Space Network Management Platform Getting Started Guide. Release 14.1. Modified: 2015-07-27 Junos Space Junos Space Network Management Platform Getting Started Guide Release 14.1 Modified: 2015-07-27 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

More information

Firewall Filters Feature Guide for EX9200 Switches

Firewall Filters Feature Guide for EX9200 Switches Firewall Filters Feature Guide for EX9200 Switches Release 15.1 Modified: 2015-06-28 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net Juniper Networks,

More information

Spotlight Secure. Spotlight Secure Connector Getting Started Guide. Modified: 2015-06-04. Copyright 2015, Juniper Networks, Inc.

Spotlight Secure. Spotlight Secure Connector Getting Started Guide. Modified: 2015-06-04. Copyright 2015, Juniper Networks, Inc. Spotlight Secure Spotlight Secure Connector Getting Started Guide Modified: 2015-06-04 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All rights

More information

Junos Space. User Interface. Release 14.1. Published: 2014-08-19. Copyright 2014, Juniper Networks, Inc.

Junos Space. User Interface. Release 14.1. Published: 2014-08-19. Copyright 2014, Juniper Networks, Inc. Junos Space User Interface Release 14.1 Published: 2014-08-19 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All rights reserved. Juniper

More information

Junos OS. Installation and Upgrade Guide. Release 14.1. Modified: 2016-06-17. Copyright 2016, Juniper Networks, Inc.

Junos OS. Installation and Upgrade Guide. Release 14.1. Modified: 2016-06-17. Copyright 2016, Juniper Networks, Inc. Junos OS Installation and Upgrade Guide Release 14.1 Modified: 2016-06-17 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net Juniper Networks, Junos,

More information

Network Monitoring. Published: 2013-05-20. Copyright 2013, Juniper Networks, Inc.

Network Monitoring. Published: 2013-05-20. Copyright 2013, Juniper Networks, Inc. Network Monitoring Published: 2013-05-20 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All rights reserved. Juniper Networks, Junos, Steel-Belted

More information

Junos Space. Virtual Appliance Deployment and Configuration Guide. Release 14.1R2. Modified: 2015-08-14 Revision 2

Junos Space. Virtual Appliance Deployment and Configuration Guide. Release 14.1R2. Modified: 2015-08-14 Revision 2 Junos Space Virtual Appliance Deployment and Configuration Guide Release 14.1R2 Modified: 2015-08-14 Revision 2 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

More information

STRM Log Manager Administration Guide

STRM Log Manager Administration Guide Security Threat Response Manager Release 2013.1 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000 www.juniper.net Published: 2013-03-15 Copyright Notice Copyright 2013

More information

Juniper Networks Network and Security Manager

Juniper Networks Network and Security Manager Juniper Networks Network and Security Manager CentOS Upgrade Guide Release 2012.2 Modified: 2015-07-20 Revision 4 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000

More information

Voice over IP. Published: 2012-02-15. Copyright 2012, Juniper Networks, Inc.

Voice over IP. Published: 2012-02-15. Copyright 2012, Juniper Networks, Inc. Voice over IP Published: 2012-02-15 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All rights reserved. Juniper Networks, Junos, Steel-Belted

More information

After you have created your text file, see Adding a Log Source.

After you have created your text file, see Adding a Log Source. TECHNICAL UPLOADING TEXT FILES INTO A REFERENCE SET MAY 2012 This technical note provides information on how to upload a text file into a STRM reference set. You need to be comfortable with writing regular

More information

Extreme Networks Security Managing Log Sources Guide

Extreme Networks Security Managing Log Sources Guide Extreme Networks Security Managing Log Sources Guide 9034861 Published July 2015 Copyright 2011 2015 All rights reserved. Legal Notice Extreme Networks, Inc. reserves the right to make changes in specifications

More information

Junos OS. Firewall Filters Configuration Guide. Release 12.3. Published: 2012-12-10. Copyright 2012, Juniper Networks, Inc.

Junos OS. Firewall Filters Configuration Guide. Release 12.3. Published: 2012-12-10. Copyright 2012, Juniper Networks, Inc. Junos OS Firewall Filters Configuration Guide Release 12.3 Published: 2012-12-10 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net This product

More information

Adaptive Log Exporter Users Guide

Adaptive Log Exporter Users Guide Security Threat Response Manager Release 2012.0 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000 www.juniper.net Published: 2012-05-30 Copyright Notice Copyright 2012

More information

Junos OS. Authentication and Integrated User Firewalls Feature Guide for Security Devices. Release 12.3X48-D10. Modified: 2015-09-01

Junos OS. Authentication and Integrated User Firewalls Feature Guide for Security Devices. Release 12.3X48-D10. Modified: 2015-09-01 Junos OS Authentication and Integrated User Firewalls Feature Guide for Security Devices Release 12.3X48-D10 Modified: 2015-09-01 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089

More information

Junos OS for EX Series Ethernet Switches

Junos OS for EX Series Ethernet Switches Junos OS for EX Series Ethernet Switches Access Control on EX4300 Switches Release 13.2X50 Published: 2014-03-18 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000

More information

Junos OS. DHCP Relay Agent Feature Guide for Subscriber Management. Release 13.3. Published: 2013-12-05. Copyright 2013, Juniper Networks, Inc.

Junos OS. DHCP Relay Agent Feature Guide for Subscriber Management. Release 13.3. Published: 2013-12-05. Copyright 2013, Juniper Networks, Inc. Junos OS DHCP Relay Agent Feature Guide for Subscriber Management Release 13.3 Published: 2013-12-05 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

More information

VoIP Services in an SRC-Managed Network

VoIP Services in an SRC-Managed Network VoIP Services in an SRC-Managed Network Modified: 2015-06-23 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All rights reserved. Juniper Networks,

More information

Junos Space Security Director

Junos Space Security Director Junos Space Security Director Logging and Reporting Getting Started Guide Release 14.1 R2 Published: 2015-01-27 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000

More information

Junos Pulse Secure Access Service

Junos Pulse Secure Access Service Junos Pulse Secure Access Service Client-Side Changes Release 7.3 Published: 2012-10-04 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All

More information

Pulse Policy Secure. Device Access Management Framework Feature Guide. Product Release 5.1. Published: 2015-02-10. Document Revision 1.

Pulse Policy Secure. Device Access Management Framework Feature Guide. Product Release 5.1. Published: 2015-02-10. Document Revision 1. Pulse Policy Secure Device Access Management Framework Feature Guide Product Release 5.1 Document Revision 1.0 Published: 2015-02-10 2015 by Pulse Secure, LLC. All rights reserved Pulse Secure, LLC 2700

More information

Firefly Suite. Firefly Host Cloud Security SDK. Release 6.0. Published: 2014-04-21. Copyright 2014, Juniper Networks, Inc.

Firefly Suite. Firefly Host Cloud Security SDK. Release 6.0. Published: 2014-04-21. Copyright 2014, Juniper Networks, Inc. Firefly Suite Firefly Host Cloud Security SDK Release 6.0 Published: 2014-04-21 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All rights

More information

Complete Hardware Guide for EX4300 Ethernet Switches

Complete Hardware Guide for EX4300 Ethernet Switches Complete Hardware Guide for EX4300 Ethernet Switches Modified: 2015-06-23 Revision 6 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net Juniper

More information

CTPView Network Management System Administration

CTPView Network Management System Administration CTPView Network Management System Administration Modified: 2015-09-29 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All rights reserved. Juniper

More information

Junos OS. Distributed Denial-of-Service Protection Feature Guide. Release 13.2. Published: 2013-07-25. Copyright 2013, Juniper Networks, Inc.

Junos OS. Distributed Denial-of-Service Protection Feature Guide. Release 13.2. Published: 2013-07-25. Copyright 2013, Juniper Networks, Inc. Junos OS Distributed Denial-of-Service Protection Feature Guide Release 13.2 Published: 2013-07-25 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

More information

Junos OS. Processing Overview for Security Devices. Release 12.1X44-D10. Published: 2014-07-07. Copyright 2014, Juniper Networks, Inc.

Junos OS. Processing Overview for Security Devices. Release 12.1X44-D10. Published: 2014-07-07. Copyright 2014, Juniper Networks, Inc. Junos OS Processing Overview for Security Devices Release 12.1X44-D10 Published: 2014-07-07 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

More information

Junos Space. Network Monitoring. Release 13.3. Published: 2014-10-19. Copyright 2014, Juniper Networks, Inc.

Junos Space. Network Monitoring. Release 13.3. Published: 2014-10-19. Copyright 2014, Juniper Networks, Inc. Junos Space Network Monitoring Release 13.3 Published: 2014-10-19 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All rights reserved. Juniper

More information

Release Notes: Junos Space Service Automation 13.3R4

Release Notes: Junos Space Service Automation 13.3R4 Release Notes: Junos Space Service Automation 13.3R4 Release 13.3R4 September 2014 Contents Junos Space Service Automation Release Notes........................... 2 New Features in Junos Space Service

More information

Load Balancing. Published: 2012-11-27. Copyright 2012, Juniper Networks, Inc.

Load Balancing. Published: 2012-11-27. Copyright 2012, Juniper Networks, Inc. Load Balancing Published: 2012-11-27 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net This product includes the Envoy SNMP Engine, developed

More information

WebApp Secure 5.5. Published: 2014-06-27. Copyright 2014, Juniper Networks, Inc.

WebApp Secure 5.5. Published: 2014-06-27. Copyright 2014, Juniper Networks, Inc. WebApp Secure 5.5 Published: 2014-06-27 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All rights reserved. Juniper Networks, Junos, Steel-Belted

More information

Junos OS. MPLS Network Operations Guide. Published: 2012-12-10. Copyright 2012, Juniper Networks, Inc.

Junos OS. MPLS Network Operations Guide. Published: 2012-12-10. Copyright 2012, Juniper Networks, Inc. Junos OS MPLS Network Operations Guide Published: 2012-12-10 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net This product includes the Envoy

More information

Junos Space. Service Now User Guide. Release 13.1. Published: 2013-06-29. Copyright 2013, Juniper Networks, Inc.

Junos Space. Service Now User Guide. Release 13.1. Published: 2013-06-29. Copyright 2013, Juniper Networks, Inc. Junos Space Service Now User Guide Release 13.1 Published: 2013-06-29 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net This product includes

More information

IBM Security QRadar Version 7.2.6. Log Sources User Guide IBM

IBM Security QRadar Version 7.2.6. Log Sources User Guide IBM IBM Security QRadar Version 7.2.6 Log Sources User Guide IBM Note Before using this information and the product that it supports, read the information in Notices on page 57. Product information This document

More information

Junos OS. Flow Monitoring Feature Guide for Routing Devices. Release 14.1. Published: 2014-09-27. Copyright 2014, Juniper Networks, Inc.

Junos OS. Flow Monitoring Feature Guide for Routing Devices. Release 14.1. Published: 2014-09-27. Copyright 2014, Juniper Networks, Inc. Junos OS Flow Monitoring Feature Guide for Routing Devices Release 14.1 Published: 2014-09-27 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

More information

IBM Security QRadar SIEM Version 7.1.0 MR1. Vulnerability Assessment Configuration Guide

IBM Security QRadar SIEM Version 7.1.0 MR1. Vulnerability Assessment Configuration Guide IBM Security QRadar SIEM Version 7.1.0 MR1 Vulnerability Assessment Configuration Guide Note: Before using this information and the product that it supports, read the information in Notices and Trademarks

More information

Load Balancing. Published: 2013-12-09. Copyright 2013, Juniper Networks, Inc.

Load Balancing. Published: 2013-12-09. Copyright 2013, Juniper Networks, Inc. Load Balancing Published: 2013-12-09 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net Juniper Networks, Junos, Steel-Belted Radius, NetScreen,

More information

Junos OS for EX Series Ethernet Switches

Junos OS for EX Series Ethernet Switches Junos OS for EX Series Ethernet Switches Routing Policy and Packet Filtering for EX Series Switches Release 13.2X50 Published: 2013-09-30 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California

More information

Junos OS. Application Tracking. Release 12.1X44-D10. Published: 2014-12-09. Copyright 2014, Juniper Networks, Inc.

Junos OS. Application Tracking. Release 12.1X44-D10. Published: 2014-12-09. Copyright 2014, Juniper Networks, Inc. Junos OS Application Tracking Release 12.1X44-D10 Published: 2014-12-09 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net Juniper Networks,

More information

DMI Device Management With SRC Software

DMI Device Management With SRC Software DMI Device Management With SRC Software Modified: 2015-06-23 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All rights reserved. Juniper Networks,

More information

IBM Security QRadar Version 7.1.0 (MR1) WinCollect User Guide

IBM Security QRadar Version 7.1.0 (MR1) WinCollect User Guide IBM Security QRadar Version 7.1.0 (MR1) WinCollect User Guide Note: Before using this information and the product that it supports, read the information in Notices and Trademarks on page 59. Copyright

More information

Junos Space. Network Monitoring. Published: 2013-05-06. Copyright 2013, Juniper Networks, Inc.

Junos Space. Network Monitoring. Published: 2013-05-06. Copyright 2013, Juniper Networks, Inc. Junos Space Network Monitoring Published: 2013-05-06 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All rights reserved. Juniper Networks,

More information

STRM Log Manager Users Guide

STRM Log Manager Users Guide Security Threat Response Manager Release 2012.1 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000 www.juniper.net Published: 2013-01-08 Copyright Notice Copyright 2012

More information

Juniper Networks Network and Security Manager

Juniper Networks Network and Security Manager Juniper Networks Network and Security Manager Installation Guide Release 2012.2 Modified: 2015-09-07 Revision 5 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

More information

Junos OS. Flow Monitoring Feature Guide for Routing Devices. Release 13.2. Published: 2014-01-09. Copyright 2014, Juniper Networks, Inc.

Junos OS. Flow Monitoring Feature Guide for Routing Devices. Release 13.2. Published: 2014-01-09. Copyright 2014, Juniper Networks, Inc. Junos OS Flow Monitoring Feature Guide for Routing Devices Release 13.2 Published: 2014-01-09 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

More information

Junos Space High Availability Deployment Guide

Junos Space High Availability Deployment Guide Junos Space High Availability Deployment Guide Release 14.1 Modified: 2015-11-23 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All rights reserved.

More information

Extreme Networks Security WinCollect User Guide

Extreme Networks Security WinCollect User Guide Extreme Networks Security WinCollect User Guide 9034872 Published July 2015 Copyright 2011 2015 All rights reserved. Legal Notice Extreme Networks, Inc. reserves the right to make changes in specifications

More information

MX Series Routers as a Service Node in an SRC-Managed Network

MX Series Routers as a Service Node in an SRC-Managed Network MX Series Routers as a Service Node in an SRC-Managed Network Published: 2014-12-10 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All rights

More information

Load Balancing. Published: 2014-05-02. Copyright 2014, Juniper Networks, Inc.
