TECHNICAL NOTE
UPLOADING TEXT FILES INTO A REFERENCE SET
MAY 2012

This technical note provides information on how to upload a text file into a STRM reference set. You need to be comfortable with writing regular expressions to correctly extract the data from the file.

When a rule test matches an incoming event or flow, the rule generates a response that can include creating an offense, sending an e-mail notification, sending an SNMP trap, and other options. The rule can also create a reference set and contribute data from the event or flow into it. This reference set is a subset of data that you can use in a rule test in other rules.

You can also configure STRM to extract data from an external text file and add it to a reference set. This involves creating a log source to import the text file into STRM and then creating a custom event property to extract the data from the log source. For example, you can import a text file that contains data such as IP addresses, usernames, or ports associated with terminated employees. This enables you to configure rules that detect when a former employee is attempting to access your network resources.

This technical note contains information on the following:
- Creating a Text File
- Adding a Log Source
- Creating a Custom Event Property
- Creating a Reference Set

Creating a Text File

Before you begin, you need to create a text file with the data you want to import. When creating the text file, adhere to the following guidelines:
- The text file must be stored on your desktop system in a known directory that is accessible by SSH and one of the following services: SFTP, SCP, or FTP. The preferred service is SFTP.
- Include a single column of data or multiple columns of delimited data.

After an external file is uploaded to STRM as a log source, the file can be re-uploaded on an automatic schedule. This allows you to update the text file externally and have the changes automatically update the reference set. If you plan to upload more than one text file into multiple reference sets on a schedule, store the text files on different devices and provide each with a unique location ID. If you plan to upload multiple text files in a one-time reference set update, you can store the various text files in the same location, but modify the log source after each data set has been uploaded.

Record the following information about the text file:
- IP address or hostname of the device or location of the text file.
- Username and password required for accessing the log source location.
- Directory and the name of the text file.

After you have created your text file, see Adding a Log Source.

Adding a Log Source

STRM collects data on events from log sources that are automatically detected and displayed on the Log Sources window. You can manually identify additional log sources and control how STRM interacts with them. In this procedure, you will add the text file you created in Creating a Text File as a log source.

You must have administrative privileges to configure log sources in STRM. For more information on accessing the Admin tab, see the STRM Administration Guide.

To add a text file as a log source:
Step 1 Click the Admin tab.
Step 2 In the Data Sources pane, click the Log Sources icon. The Log Sources window is displayed.
Step 3 On the Log Sources toolbar, click Add. The Add a Log Source window is displayed.
Step 4 From the Log Source Type list box, select Universal DSM.
Step 5 From the Protocol Configuration list box, select Log File. The default protocol is Syslog.
Step 6 Configure the following parameters:

Table 1-1 Add a Log Source Window Parameters

Log Source Identifier: Type the IP address or hostname of the host where the text file is stored.
Remote IP or Hostname: Type the IP address or hostname of the host where the text file is stored. This is the same IP address you enter in the Log Source Identifier field.
Service Type: From the list box, select the service type required to transfer the text file to the Console. The default and preferred service type is SFTP.
Remote User: If the host requires authentication, type the username.
Remote Password: If the host requires authentication, type the password.
Confirm Password: If the host requires authentication, confirm the password.
FTP File Pattern: Type the name of the text file you want to load. For example, import.txt.
Remote Directory: Type the directory name for the location of the log file. Make sure the file is accessible and has correct permissions. Example: /root/ or /home/upload/.
Processor: From the list box, select the appropriate compression type if the file is compressed. If the file is not compressed, select NONE.
Start Time: Type the time of day for the upload to start.
Recurrence: Type the frequency by which you want the file to upload.
Run on Save: Select the check box if you want to import the text file immediately after you click Save.
Coalescing Events: Clear this check box. When event coalescing is enabled, data is prevented from transferring to your reference set.
Store Event Payload: Select this check box to enable STRM to store event payloads.
Select any groups you would like this log source to be a member of: Select any groups that you want this log source to be a member of.

For information on all parameters on the Add a Log Source window, see the Log Sources Users Guide.

Step 7 Click Save.
Step 8 Close the Log Sources window.

Step 9 On the Admin tab, click Deploy Changes. Wait until the log source is completely added before proceeding. This can take an extended period of time.
Step 10 Verify that the log source was successfully added:
a In the Data Sources pane, click the Log Sources icon. The Log Sources window is displayed.
b Verify that the log source you created displays a status of Success.

After the log source displays a status of Success, see Creating a Custom Event Property.

Creating a Custom Event Property

Using custom event properties, you can extract unnormalized data from event payloads. The Custom Event Properties functionality allows you to search, view, and report on information in logs that STRM does not typically normalize and display. In this procedure, you will create a custom event property to extract data from the log source you created in Adding a Log Source.

To create custom event properties, you must have the User Defined Event Properties role permission. For more information on permissions, see the STRM Administration Guide.

To create a custom event property:
Step 1 Click the Log Activity tab.
Step 2 Select Search > New Search.
Step 3 Click Manage Custom Properties. The Custom Event Properties window is displayed.
Step 4 On the Custom Event Properties window, click Add.
Step 5 In the Property Type Selection pane, select Regex Based.
Step 6 Configure the following parameters:

Table 1-2 Custom Event Properties Window Parameters

Property Definition
New Property: Select this option, and then type a unique name for this custom event property. The new property name cannot be the name of a normalized event property, such as Username, Source IP, or Destination IP.

Table 1-2 Custom Event Properties Window Parameters (continued)

Optimize parsing for rules, reports, and searches: Select this check box to parse and store the property the first time STRM receives the event. This option must be selected for the property to populate the reference set.
Field Type: From the list box, select the field type used in the external text file. The field type determines how the custom event property is displayed in STRM and which options are available for aggregation. The field type options are Alpha-Numeric, Numeric, IP, and Port. The default is Alpha-Numeric.
Description: Type a description of this custom event property.

Property Expression Definition
Log Source Type: From the list box, select Universal DSM.
Log Source: From the list box, select the log source you created to import the text file.
Category: Select the Category option.
High Level Category: From the list box, select the Unknown option.
Low Level Category: From the list box, select the Unknown option.
RegEx: Type the regular expression you want to use for extracting the data from your text file. Regular expressions are case-sensitive. For example, if the text file contains a single piece of information on each line, such as an IP address, you can use .* as the regular expression, as it simply reads each line of the file and treats it as a single data point. Note: Capture groups must be enclosed in parentheses.
Test: Click Test to test the regular expression against the payload.
Enabled: Select this check box to enable this custom event property. The default is Enabled.

For information on all parameters on the Custom Event Properties window, see the STRM Users Guide.

Step 7 Click Save.
Step 8 Close the Custom Event Properties window.

After you create a Custom Event Property to extract data from the log source, see Creating a Reference Set.

Creating a Reference Set

In this procedure, you will configure a rule to create a reference set and contribute data that is extracted from the log source you created in Adding a Log Source.

To create a reference set:
Step 1 Click the Offenses tab.
Step 2 On the navigation menu, click Rules.
Step 3 From the Actions list box, select New Event Rule. The Custom Rule Wizard is displayed.
Step 4 Read the introductory text. Click Next. You are prompted to choose the source from which you want this rule to apply.
Step 5 Select Events and click Next. The Rules Stack Editor page is displayed.
Step 6 Click the + sign beside the "when the event(s) were detected by one or more of these log sources" test.
Step 7 In the "enter rule name here" field, type a unique name.
Step 8 Click "these log sources". A new window is displayed with a list of log sources.
Step 9 Select the log source you created in Adding a Log Source and click Add.
Step 10 Click Submit.
Step 11 Click Next. The Rule Response page is displayed.
Step 12 In the Rule Response pane, select the Add to a Reference Set check box.
Step 13 From the Low Level Category list box, select the custom event property you created in Creating a Custom Event Property.
Step 14 From the Reference Set list box, select a pre-existing reference set or click New to create a new reference set.
Step 15 Click Finish.

Now that your reference set is configured, you can include this reference set in the "when any of these properties are contained in any of these reference set(s)" rule test of any rule, thus allowing you to run STRM rules against the data derived from your external text file.
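The following Python is an added illustration, not code from the technical note or from STRM: it simulates the whole pipeline the note describes (one event payload per line of the uploaded file, a regex-based custom event property with a chosen capture group, a reference set filtered by the property's Field Type, and the "contained in any of these reference set(s)" rule test) on a constructed terminated-employee file. The note's single-column ".*" case and a two-column delimited case are both covered; how STRM itself handles blank lines and values that do not fit the Field Type is an assumption made here for illustration.

```python
import ipaddress
import re

# Constructed sample of the text file the note describes: one terminated
# employee per line, username and IP delimited by a comma, plus a blank line.
TERMINATED_TXT = """jsmith,10.1.20.15
mjones,10.1.20.77

rkhan,192.0.2.44
"""

def extract_property(payload_lines, regex, capture_group=1):
    """Apply a regex-based custom event property to each line (one event
    payload per line). Group 0 is the whole match, as with the note's '.*'.
    Non-matching or empty results are skipped (assumed), so blank lines never add an empty element."""
    pattern = re.compile(regex)
    values = []
    for line in payload_lines:
        m = pattern.search(line)
        if m is None:
            continue
        value = m.group(capture_group).strip()
        if value:
            values.append(value)
    return values

def fits_field_type(value, field_type):
    """Check a value against the Field Type (Alpha-Numeric, Numeric, IP, Port)."""
    try:
        if field_type == "IP":
            ipaddress.ip_address(value)
        elif field_type == "Port":
            return 0 <= int(value) <= 65535
        elif field_type == "Numeric":
            float(value)
        return True
    except ValueError:
        return False

def build_reference_set(values, field_type="Alpha-Numeric"):
    """Collect extracted values into a reference set, dropping misfits (assumed behaviour)."""
    return {v for v in values if fits_field_type(v, field_type)}

def rule_matches(event, prop, ref_set):
    """The 'when any of these properties are contained in any of these
    reference set(s)' rule test for one property and one reference set."""
    return event.get(prop) in ref_set

def demo():
    lines = TERMINATED_TXT.splitlines()
    users = build_reference_set(extract_property(lines, r"^([^,]+),"))
    ips = build_reference_set(extract_property(lines, r",(\S+)$"), "IP")
    events = [{"Username": "jsmith", "Source IP": "10.1.20.15"},  # constructed
              {"Username": "alice", "Source IP": "10.1.20.99"}]   # normalized events
    return [rule_matches(e, "Username", users) or rule_matches(e, "Source IP", ips) for e in events]
```

Running demo() flags only the first event, whose username is in the reference set; note that a ".*" property on a file with blank lines would otherwise contribute empty values, which is why the extraction skips them.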

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
408-745-2000
www.juniper.net

Copyright Notice

Copyright 2012 Juniper Networks, Inc. All rights reserved. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.