Juniper Secure Access SSL VPN Log Configuration Guide




Document Release: March 2012
Part Number: LL600049-00ELS01000000

This manual supports LogLogic Juniper Secure Access SSL VPN Release 1.0 and later, and LogLogic Software Release 5.1 and later releases until replaced by a newer edition.

2012 LogLogic, Inc.

Proprietary Information

This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.

Trademarks

LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.

Notice

The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

LogLogic, Inc.
110 Rose Orchard Way, Suite 200
San Jose, CA 95134
Tel: +1 408 215 5900
Fax: +1 408 774 1752
U.S. Toll Free: 888 347 3883
http://www.loglogic.com

Contents

Preface
    About This Guide
    Technical Support
    Documentation Support
    Conventions

Chapter 1 Configuring LogLogic's Juniper Secure Access SSL VPN Log Collection
    Introduction to Juniper Secure Access SSL VPN
    Prerequisites
    Configuring Juniper Secure Access SSL VPN
    Adding a Juniper Secure Access SSL VPN Device
    Verifying the Configuration

Chapter 2 How LogLogic Supports Juniper Secure Access SSL VPN
    How LogLogic Captures Juniper Secure Access SSL VPN Data
    LogLogic Real-Time Reports

Appendix A Event Reference
    LogLogic Support for Juniper Secure Access SSL VPN Events


Preface

About This Guide

The LogLogic Appliance-based solution enables you to capture and manage log data from all types of sources in your enterprise. LogLogic support for Juniper Secure Access SSL VPN enables LogLogic Appliances to capture logs from machines running Juniper Secure Access SSL VPN. Once the logs are captured and parsed, you can generate reports and create alerts. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Technical Support

LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances.

To reach LogLogic Customer Support:

- Telephone, US: Toll Free 1 800 957 LOGS (5647); Toll 1 408 834 7480
- Telephone, Canada: Toll Free 1 800 957 LOGS (5647); Toll 1 408 834 7480
- Telephone, Mexico: Toll Free 1 800 957 LOGS (5647); Toll 1 408 834 7480
- Telephone, United Kingdom: Toll Free 00 800 0330 4444; Toll 01480 479391
- Telephone, Mainland Europe: Toll Free 00 800 0330 4444; Toll +44 1480 479391
- Telephone, Japan IDC: Toll Free 0061 800 0330 4444; Toll Not Available
- Telephone, Japan KDD: Toll Free 0010 800 0330 4444; Toll Not Available
- Telephone, Brazil: Toll Free 0021 800 0330 4444; Toll Not Available
- Email: support@loglogic.com

You can also visit the LogLogic Support website at: http://www.loglogic.com/services/support.

When contacting Customer Support, be prepared to provide:

- Your name, email address, phone number, and fax number
- Your company name and company address
- Your machine type and release version
- A description of the problem and the content of pertinent error messages (if any)

Documentation Support

Your feedback on LogLogic documentation is important to us. Send e-mail to DocComments@loglogic.com if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team. In your e-mail message, please indicate the software name and version you are using, as well as the title and document date of your documentation.

Conventions

LogLogic documentation uses the following conventions to highlight code and command-line elements:

- A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).
- A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:

    username: system
    home directory: home\app

- A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example:

    LogLogic_home_directory\upgrade\

- Straight brackets signal options in command-line syntax. For example:

    ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path...]

Chapter 1 Configuring LogLogic's Juniper Secure Access SSL VPN Log Collection

This chapter describes configuration steps that enable a LogLogic Appliance to capture Juniper Secure Access SSL VPN logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Juniper Secure Access SSL VPN-related log data.

- Introduction to Juniper Secure Access SSL VPN
- Prerequisites
- Configuring Juniper Secure Access SSL VPN
- Enabling the LogLogic Appliance to Capture Log Data
- Verifying the Configuration

Introduction to Juniper Secure Access SSL VPN

The Juniper Networks Secure Access SSL VPN device is suitable for large enterprises and service providers. It features best-in-class performance, scalability and redundancy for organizations with high-volume secure access and authorization requirements. The Juniper Secure Access SSL VPN hardware platforms are designed to scale to the largest enterprise deployments and to optimize application delivery, with redundant, hot-swappable hard disks and fans, optional second power supply, as well as multiple Ethernet ports for redundant or meshed configurations.

Figure 1 Juniper Networks Secure Access SSL VPN device

Prerequisites

Prior to configuring Juniper Secure Access SSL VPN and the LogLogic Appliance, ensure that you meet the following prerequisites:

- Juniper Secure Access SSL VPN SA versions 5.5, 6.0 R3, 6.1 R1, 6.2, 6.5, 7.0 and 7.1
- Proper access permissions to make configuration changes
- LogLogic Appliance running Release 5.1 or later with a Log Source Package that includes Juniper Secure Access SSL VPN support
- Administrative access on the LogLogic Appliance

Configuring Juniper Secure Access SSL VPN

You must enable and configure Syslog on Juniper Secure Access SSL VPN prior to configuring the LogLogic Appliance.

Note: This document does not describe all features and functionality within Juniper Secure Access SSL VPN regarding configuration and syslog. For more information on these areas, see Juniper Secure Access SSL VPN Product Documentation.

Use options in the Settings tab to specify what the IVE writes to the log file, which syslog servers it uses to store the log files, and the maximum file size.

Note: You may also use the Archiving page to automatically save the logs to an FTP accessible location. For more information, see Archiving IVE Binary Configuration Files in the Juniper Networks Secure Access Administration Guide.

To log in to the Appliance server:

Open Internet Explorer on your workstation and connect to the Appliance server by entering https://10.0.0.11 in the browser address line.

To specify events log settings:

1. In the admin console, choose System > Log/Monitoring.

Figure 2 Log Monitoring

2. Select the Events Log, User Access Log, Admin Access Log, or Sensors Log tab, and then choose Settings.

Figure 3 User Access > Settings

3. In the Maximum Log Size field, specify the maximum file size for the local log file. (The limit is 500 MB.) The system log displays data up to the amount specified.

Note: Maximum Log Size is an internal setting that most closely corresponds with the size of logs formatted with the Standard format. If you choose to use a more verbose format such as WELF, your log files may exceed the limit that you specify here.

4. Under Select Events to Log, select the checkbox for each type of event that you want to capture in the local log file:

- Login/Logout
- SAM/Java
- User Settings
- Secure Terminal
- Network Connect
- File Requests

Note: If you disable the Statistics checkbox in the Events Log tab, the IVE does not write statistics to the log file, but continues to display them in the System > Log/Monitoring > Statistics tab. For more information, see Viewing system statistics.

Figure 4 User Access > Settings > Select Events to Log

5. Under Syslog Servers, enter information about the syslog servers where you want to store your log files (optional):

   a. Enter the name or IP address of the Syslog server.
   b. Enter a facility for the server. The IVE provides 8 facilities (LOCAL0-LOCAL7) which you can map to facilities on your Syslog server.
   c. (Central Manager only) Choose which filter you want to apply to the log file.
   d. Click Add.
   e. Repeat for multiple servers if desired, using different formats and filters for different servers and facilities.

Note: Make sure your Syslog server accepts messages with the following settings: facility = LOG_USER and level = LOG_INFO.

Figure 5 User Access > Settings > Syslog Servers

6. Click Save Changes.

Figure 6 User Access > Settings > Save Changes

Enabling the LogLogic Appliance to Capture Log Data

The following sections describe how to enable the LogLogic Appliance to capture the Juniper Secure Access SSL VPN device log data.

Adding a Juniper Secure Access SSL VPN Device

With the auto-identification feature, the LogLogic Appliance recognizes Juniper Secure Access SSL VPN log messages by default. As the log messages come into the Appliance, they are automatically identified and a new device type is added to the log source device list. Default values are used for certain properties, such as the device name.

If you do not want to utilize the auto-identification feature, you can manually add a Juniper Secure Access SSL VPN device to the LogLogic Appliance before you redirect the logs.

To add Juniper Secure Access SSL VPN as a new device:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Management > Devices. The Devices tab appears.

3. Click Add New. The Add Device tab appears.
4. Type in the following information for the device:

   - Name: Name for the Juniper Secure Access SSL VPN device
   - Description (optional): Description of the Juniper Secure Access SSL VPN device
   - Device Type: Select Juniper Secure Access SSL VPN from the drop-down menu
   - Host IP: IP address of the Juniper Secure Access SSL VPN appliance
   - Enable Data Collection: Select the Yes radio button
   - Refresh Device Name through DNS Lookups (optional): Select this checkbox to enable the Name field to be automatically updated. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign.

Figure 7 LogLogic Appliance Add Devices Tab

5. Click Add.
6. Verify that your new device appears in the Devices tab and that Enabled is set to Yes.

When the logs arrive from the specified Juniper Secure Access SSL VPN device, the LogLogic Appliance uses the device you just added if the hostname or IP match.

Verifying the Configuration

This section describes how to verify that the configuration changes made to the Juniper Secure Access SSL VPN device and the LogLogic Appliance are applied correctly.

To verify the configuration:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Dashboards > Log Source Status. The Log Source Status tab appears.
3. Locate the IP address for each Juniper Secure Access SSL VPN device.

If the device name (Juniper Secure Access SSL VPN) appears in the list of devices (see Figure 8), then the configuration is correct.

Figure 8 Verification of the Juniper Secure Access SSL VPN Configuration

If the device does not appear in the Log Source Status tab, check the Juniper Secure Access SSL VPN logs for events that should have been sent. If events were detected and are still not appearing on the LogLogic Appliance, verify the Juniper Secure Access SSL VPN configuration and the LogLogic Appliance configuration.

You can also verify that the LogLogic Appliance is properly capturing log data from the Juniper Secure Access SSL VPN device by trying to view the data in the reports. LogLogic recommends checking the reports to make sure that the data obtained is valid and matches expectations. For more information, see LogLogic Real-Time Reports.

Chapter 2 How LogLogic Supports Juniper Secure Access SSL VPN

This chapter describes LogLogic's support for Juniper Secure Access SSL VPN. LogLogic enables you to capture Juniper Secure Access SSL VPN log data to monitor events. LogLogic supports Juniper Secure Access SSL VPN device logs.

- How LogLogic Captures Juniper Secure Access SSL VPN Data
- LogLogic Real-Time Reports

How LogLogic Captures Juniper Secure Access SSL VPN Data

The Juniper Secure Access SSL VPN device supports various streamed event formats through Syslog (for example, Standard (Juniper's Standard Syslog format), WebTrends Extended Logging Format (WELF), W3C Extended Logging Format (HTTP), and so on). Regardless of the Juniper Secure Access SSL VPN version, the LogLogic Appliance supports only Juniper Secure Access SSL VPN events in Standard format.

The Juniper Secure Access SSL VPN device generates Syslog messages in Standard format; the messages are then sent via UDP or TCP to the Syslog Listener on the LogLogic Appliance.

Figure 9 Juniper Secure Access SSL VPN with LogLogic Appliance as the Syslog Server

Once the data is captured and parsed, you can generate reports or create alerts. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Table 1 lists the Juniper Secure Access SSL VPN Syslog messages that are supported by the LogLogic Appliance.

Note: The LogLogic Appliance captures all messages from the Juniper Secure Access SSL VPN logs, but includes only specific messages for report/alert generation. For more information, see Appendix A Event Reference for sample log messages for each event and the event-to-category mapping.

LogLogic Real-Time Reports

LogLogic provides pre-configured Real-Time Reports for Juniper Secure Access SSL VPN log data. The following Real-Time Reports are available:

- User Access: Displays data access and changes done to data during a specified time interval
- User Authentication: Displays identity and access related events during a specified time interval
- User: Displays user specific details; used to track user activity during a specified time interval

To access LMI 5 Real-Time Reports:

1. In the top navigation pane, click Reports.
2. Select Access Control. The following Real-Time Reports are available:

   - User Access
   - User Authentication
   - User

You can create custom reports from the existing Real-Time Report templates. For more information, see the LogLogic User Guide and LogLogic Online Help.

Appendix A Event Reference

This appendix lists the LogLogic-supported Juniper Secure Access SSL VPN events. The LogLogic Juniper Secure Access SSL VPN event table identifies events which can be analyzed through the LogLogic Agile Reports, as well as a sample log message. All sample log messages were captured by the LogLogic file pull utility.

LogLogic Support for Juniper Secure Access SSL VPN Events

The following list describes the contents of each of the columns in the tables below.

- Event ID: Not Applicable (N/A)
- Agile Reports/Search: Defines if the Juniper Secure Access SSL VPN event is available through the LogLogic Agile Report Engine or through the search capabilities. If the event is available through the Agile Report Engine, then you can use LogLogic Real-Time Reports and Summary Reports to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data.
- Operating System: Operating System (OS) where the event can be triggered. In some instances, duplicate Event IDs exist for different OSs.
- Title/Comments: Not Applicable (N/A)
- Event Category: Not Applicable (N/A)
- Event Type: Type of event such as Cache Cleaner or File Rewrite
- Reports Appears In: LogLogic-provided reports that the event appears in
- Sample Log Message: Sample Juniper Secure Access SSL VPN log messages

Table 1 Juniper Secure Access SSL VPN Events

| # | Event ID | Agile Reports/Search | Title | Event Category | Event Type | Reports Appears In | Sample Log Message |
|---|---|---|---|---|---|---|---|
| 1 | N/A | Agile | N/A | N/A | Cache Cleaner | User Access/User | <134>Juniper: 2008-07-09 08:04:31 - connect2a - [8192.168.0.1] ABCD::connect2.acme.com(Users)[] - Cache Cleaner is running on host 99.202.123.40 for user 'jsmith'. |
| 2 | N/A | Agile | N/A | N/A | Cache Cleaner | User Access/User | <134>Juniper: 2008-07-09 08:04:31 - connect2a - [192.168.0.1] ABCD::bnelson(Users)[] - System process detected a Cache Cleaner time out on host 169.15.2.1 for user 'bnelson' (last update at 2008-07-11 07.00.19-0700 PDT). |
| 3 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User | <134>Juniper: 2008-07-11 10:52:59 - connect2a - [5.5.6.4] WX-Demo::mnichols(Users)[Users] - Connected to SHAREPOINT port 445 |
| 4 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User | <134>Juniper: 2008-07-10 08:07:51 - connect2a - [2.3.4.5] Root::apawl002(Intranet)[Employee] - NFS server intranet: Permission denied to /home/ NFSshare. |
| 5 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User | <134>Juniper: 2008-08-20 00:33:45 - connect2a - [192.16.0.1] Root::jsmith(Managed)[Common, Office] - NFS directory intranet.acme.com: / home/nfsshare 8 items listed. |
| 6 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User | Downloaded file(s) ARROWD.GIF ARROWR.GIF pj%20jump-09-23-04-07-27.jpg from \\GIZMOFILESERVER\public as Zip file aaa.zip. |
| 7 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User | NFS server intranet.acme.com: Uploaded NFS file Phone_Ent.pdf to intranet.acme.com: /home/ NFSshare. |
| 8 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User | NFS server intranet.acme.com: Downloaded file / home/nfsshare///1jack1new.jpg. |
| 9 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User | Downloaded Windows file \\GIZMOFILESERVER\public\andrey\Adj_Junipe r.xls. |
| 10 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User | Uploaded Windows file \\GIZMOFILESERVER\public\\AAA_HU\ldapbro wser\lib\ldap.jar. |

| # | Event ID | Agile Reports/Search | Title | Event Category | Event Type | Reports Appears In | Sample Log Message |
|---|---|---|---|---|---|---|---|
| 11 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User | Created new folder Case Studies on \\LOGLOGIC-SBS\documents and information\3.2 Reseller disk. |
| 12 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User | Access denied to Windows directory \\\\3.2.1\V321_Supplement. |
| 13 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User | Cannot write Windows file Loglogic\reseller's disk\evaluation Forms\Evaluation Implementation formv1 5 to \\LOGLOGIC-SBS\documents and information\3.2 Reseller disk\evaluation Forms with error 13. |
| 14 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User | Failed to list Windows share \\LOGLOGIC-SBS\ClientApps in wrkgrp/domain loglogic.com for user amorris with error 13. |
| 15 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User | Failed to read Windows directory \\LOGLOGIC\LOGLOGIC-SBS\Users\%usernam e% with error 2. |
| 16 | N/A | Agile | N/A | N/A | Host Checker | User Access/User | Host Checker policy 'JP Demo' passed on host 172.16.26.11. |
| 17 | N/A | Agile | N/A | N/A | Host Checker | User Access/User | Host Checker policy 'Demo' passed on host 10.1.2.3 for user 'mmcguirl'. |
| 18 | N/A | Agile | N/A | N/A | Host Checker | User Access/User | Host Checker policy 'Demo' failed on host 10.4.5.6. Reason: 'found notepad.exe'. |
| 19 | N/A | Agile | N/A | N/A | Host Checker | User Access/User | Host Checker policy 'JP Demo' failed on host 172.16.2.3 for user 'apawl002'. Reason: ''. |
| 20 | N/A | Agile | N/A | N/A | Host Checker | User Access/User | System process detected a Host Checker time out on host 172.16.2.5 for user 'bnelson' (last update at 2008-07-11 07.04.49-0700 PDT). |

| # | Event ID | Agile Reports/Search | Title | Event Category | Event Type | Reports Appears In | Sample Log Message |
|---|---|---|---|---|---|---|---|
| 21 | N/A | Agile | N/A | N/A | Info | User Access/User | Max session timeout for mnichols/users. |
| 22 | N/A | Agile | N/A | N/A | Login | User Authentication/User Access/User | Primary authentication successful for mstest2/ LOCAL-IVE from 10.2.6.15 |
| 23 | N/A | Agile | N/A | N/A | Login | User Authentication/User Access/User | Primary authentication failed for mpanko@juniper.net/acme AD from 172.5.6.87 |
| 24 | N/A | Agile | N/A | N/A | Login | User Authentication/User Access/User | Login succeeded for mstest2/mstest from 10.2.3.56. |
| 25 | N/A | Agile | N/A | N/A | Login | User Authentication/User Access/User | Login failed using auth server Loglogic Domain. Reason: Failed |
| 26 | N/A | Agile | N/A | N/A | Login | User Authentication/User Access/User | Login failed using auth server acme AD (LDAP Server). Reason: Failed |
| 27 | N/A | Agile | N/A | N/A | Login | User Authentication/User Access/User | Login failed using auth server System Local (Local Authentication). Reason: ShortPasswd |
| 28 | N/A | Agile | N/A | N/A | Login | User Authentication/User Access/User | Connected to TUN-VPN port 443 |
| 29 | N/A | Agile | N/A | N/A | Login | User Authentication/User Access/User | Connected to 172.20.1.17 port 1494 |
| 30 | N/A | Agile | N/A | N/A | Logoff | User Access/User | Closed connection to TUN-VPN port 443 after 29 seconds, with 325 bytes read (in 1 chunks) and 419 bytes written (in 6 chunks) |
| 31 | N/A | Agile | N/A | N/A | Logoff | User Access/User | Closed connection to 172.20.1.17 port 1494 after 241 seconds, with 11680 bytes read (in 40 chunks) and 4793 bytes written (in 156 chunks) |
| 32 | N/A | Agile | N/A | N/A | Logoff | User Access/User | Logout from 172.16.2.6 |
| 33 | N/A | Agile | N/A | N/A | Logoff | User Access/User | Session for user pjeffers on host 192.168.1.2 has been terminated. |

| # | Event ID | Agile Reports/Search | Title | Event Category | Event Type | Reports Appears In | Sample Log Message |
|---|---|---|---|---|---|---|---|
| 34 | N/A | Agile | N/A | N/A | Network Connect | User Access/User | Network Connect: Session started for user with IP 172.20.1.224 |
| 35 | N/A | Agile | N/A | N/A | Network Connect | User Access/User | Network Connect: Session ended for user with IP 172.20.1.224 |
| 36 | N/A | Agile | N/A | N/A | Telnet/SSH | User Access/User | Connected to intranet.acme.net port 23 |
| 37 | N/A | Agile | N/A | N/A | Telnet/SSH | User Access/User | Request to connect to 10.60.0.9 port 22 permission denied |
| 38 | N/A | Agile | N/A | N/A | Login | User Authentication/User Access/User | 2011-01-25 18:26:50 - ive - [10.40.1.31] afong(users)[users] - Login succeeded for af/ Users (session:00000000) from 10.40.1.31. |
| 39 | N/A | Agile | N/A | N/A | Network Connect | User Access/User | 2011-01-20 17:53:48 - ive - [172.16.1.55] afong(users)[users] - Network Connect: Session started for user with IP 10.60.0.220, hostname AdamDesktop |
| 40 | N/A | Agile | N/A | N/A | Logout | User Access/User | 2011-01-25 15:17:00 - ive - [172.16.1.55] afo(users)[users] - Logout from 172.16.1.55 (session:00000000) |
| 41 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User | 2011-01-25 15:04:18 - ive - [172.16.1.55] afon(users)[users] - Fail to list shares \\LOGLABS\10.60.0.22 for user with error 13. |
| 42 | N/A | Agile | N/A | N/A | Host Checker | User Access/User | Juniper: 2011-01-24 14:45:20 - ive - [10.40.1.31] cotto(users)[users] - Host Checker policy 'Advanced Endpoint Defense: Malware Protection' passed on host 10.40.1.31 for user 'cotto'. |
| 43 | N/A | Agile | N/A | N/A | Host Checker | User Access/User | <134>Juniper: 2011-01-21 19:00:34 - ive - [172.16.1.55] afong(users)[users] - Host Checker realm restrictions successfully passed for afon/users |
| 44 | N/A | Agile | N/A | N/A | Host Checker | User Access/User | <134>Juniper: 2011-01-24 14:11:13 - ive - [10.40.1.31] cott(users)[users] - Cache Cleaner realm restrictions successfully passed for cott/ Users |
| 45 | N/A | Agile | N/A | N/A | Host Checker | User Access/User | 2011-01-25 15:40:31 - ive - [172.16.1.55] System()[] - Host Checker running on host 172.16.1.55 will exit as the user login timed out. |
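
The Python parser below is an added example, not part of the LogLogic guide and not LogLogic's own parser. It splits Standard-format lines laid out like the Table 1 samples, decodes the syslog priority so you can see which facility and level a line arrived with, and counts failed logins per source address. The field names, the rule list and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Syslog PRI = facility * 8 + severity; LOCAL0-LOCAL7 are facility codes 16-23.
FACILITIES = {1: "USER", **{16 + n: f"LOCAL{n}" for n in range(8)}}
SEVERITIES = ["EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG"]

# Assumed layout, read off the Table 1 samples (field names are this example's):
# [<PRI>][Juniper: ]timestamp - node - [source] user(realm)[roles] - message
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?:Juniper:\s*)?"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<node>\S+) - "
    r"\[(?P<src>[^\]]*)\] (?P<user>.*?)\((?P<realm>[^()]*)\)\[(?P<roles>[^\]]*)\] - "
    r"(?P<msg>.*)$"
)

# (event type, outcome, pattern) for a few Table 1 message shapes; not exhaustive.
RULES = [
    ("Login", "failure", re.compile(r"^(?:Login|Primary authentication) failed")),
    ("Login", "success", re.compile(r"^(?:Login succeeded|Primary authentication successful)")),
    ("Host Checker", "failure", re.compile(r"^Host Checker policy '.*?' failed")),
    ("Host Checker", "success", re.compile(r"^Host Checker policy '.*?' passed")),
    ("Host Checker", "timeout", re.compile(r"detected a Host Checker time out")),
    ("Telnet/SSH", "denied", re.compile(r"^Request to connect to \S+ port \d+ permission denied")),
]


def classify(msg):
    """Return (event_type, outcome) for a message body, or ('Other', 'info')."""
    for event_type, outcome, pattern in RULES:
        if pattern.search(msg):
            return event_type, outcome
    return "Other", "info"


def parse_line(line):
    """Parse one line into a dict; return None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    if rec["pri"] is not None:
        pri = int(rec["pri"])
        rec["pri"] = pri
        rec["facility"] = FACILITIES.get(pri >> 3, str(pri >> 3))
        rec["severity"] = SEVERITIES[pri & 7]
    else:
        # Some samples carry no <PRI> header (for example, rows 38-41).
        rec["facility"] = rec["severity"] = None
    # Samples such as "Root::jsmith" carry a prefix before "::"; keep it apart.
    scope, sep, name = rec["user"].partition("::")
    rec["scope"], rec["user"] = (scope, name) if sep else (None, scope)
    rec["roles"] = [r.strip() for r in rec["roles"].split(",") if r.strip()]
    rec["event_type"], rec["outcome"] = classify(rec["msg"])
    return rec


def failed_logins_by_source(lines):
    """Count Login failures per bracketed source address."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and (rec["event_type"], rec["outcome"]) == ("Login", "failure"):
            counts[rec["src"]] += 1
    return counts


# Constructed sample lines (documentation addresses, invented users).
SAMPLE_LINES = [
    "<134>Juniper: 2012-03-01 09:00:01 - ive - [198.51.100.7] alice(Users)[Employee] - "
    "Login failed using auth server System Local (Local Authentication). Reason: Failed",
    "<134>Juniper: 2012-03-01 09:00:05 - ive - [198.51.100.7] alice(Users)[Employee] - "
    "Primary authentication failed for alice/System Local from 198.51.100.7",
    "<134>Juniper: 2012-03-01 09:01:10 - ive - [192.0.2.10] bob(Users)[Employee] - "
    "Login succeeded for bob/Users from 192.0.2.10.",
    "2012-03-01 09:02:00 - ive - [192.0.2.10] bob(Users)[Employee] - "
    "Host Checker policy 'Demo' failed on host 192.0.2.10 for user 'bob'. Reason: 'found notepad.exe'.",
    "<134>Juniper: 2012-03-01 09:03:00 - ive - [192.0.2.10] Root::bob(Users)[Common, Office] - "
    "Connected to intranet.example.net port 23",
    "not a Standard-format line",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_line(line)
        if rec is None:
            print("UNPARSED:", line)
        else:
            print(rec["ts"], rec["facility"], rec["severity"], rec["src"],
                  rec["user"], rec["event_type"], rec["outcome"])
    print(dict(failed_logins_by_source(SAMPLE_LINES)))
```

Lines that return None are worth counting rather than dropping: a device switched to WELF or W3C format would show up as a sudden run of unparsed lines.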