
Juniper Secure Analytics

Log Sources Users Guide

Release

2014.1

Published: 2014-03-17

Copyright 2014, Juniper Networks, Inc.

Juniper Networks, Inc.


1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Copyright 2014, Juniper Networks, Inc. All rights reserved.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.

The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT


The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks
software. Use of such software is subject to the terms and conditions of the End User License Agreement (EULA) posted at
http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of
that EULA.


Table of Contents
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . x
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x

Part 1

Juniper Secure Analytics Log Sources

Chapter 1

Managing Log Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3


Log Sources Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Viewing the Status of a Log Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Adding a Log Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Editing Log Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Enabling or Disabling a Log Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Adding Bulk Log Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Editing Bulk Log Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Deleting a Log Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Chapter 2

Managing Protocol Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17


Protocol Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Configuring the Syslog Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Configuring the JDBC Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Configuring the JDBC SiteProtector Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Configuring the Sophos Enterprise Console JDBC Protocol . . . . . . . . . . . . . . . . . . 29
Configuring the Juniper Networks NSM Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Configuring the OPSEC/LEA Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Configuring the SDEE Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Configuring the SNMPv1 Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Configuring the SNMPv2 Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Configuring the SNMPv3 Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Configuring the Sourcefire Defense Center Estreamer Protocol . . . . . . . . . . . . . . 49
Configuring the Log File Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Configuring the Microsoft Security Event Log Protocol . . . . . . . . . . . . . . . . . . . . . 57
Configuring the Microsoft Security Event Log Custom Protocol . . . . . . . . . . . . . . 60
Configuring the Microsoft DHCP Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Configuring the Microsoft Exchange Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Configuring the Microsoft IIS protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Configuring the SMB Tail Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Configuring the EMC VMware Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75


Configuring the Oracle Database Listener Protocol . . . . . . . . . . . . . . . . . . . . . . . . 77


Configuring the Cisco NSEL Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Configuring the PCAP Syslog Combination Protocol . . . . . . . . . . . . . . . . . . . . . . . 82
Configuring the Forwarded Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Configuring the TLS Syslog Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Configuring the Juniper Security Binary Log Collector Protocol . . . . . . . . . . . . . . . 90
Configuring the UDP Multiline Syslog Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Configuring the TCP Multiline Syslog Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Configuring the VMware vCloud Director Protocol . . . . . . . . . . . . . . . . . . . . . . . . . 98
Configuring the IBM Tivoli Endpoint Manager SOAP Protocol . . . . . . . . . . . . 100

Chapter 3

Grouping Log Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105


Grouping Log Source Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Viewing Log Source Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Assigning a Log Source to a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Creating a Log Source Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Editing a Log Source Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Copying a Log Source to Another Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Removing a Log Source From a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Chapter 4

Adding Log Source Parsing Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111


Log Source Parsing Order Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Adding a Log Source Parsing Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Chapter 5

Managing Log Source Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113


Log Source Extensions Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Viewing the Status of a Log Source Extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Adding a Log Source Extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Editing a Log Source Extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Copying a Log Source Extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Enabling or Disabling a Log Source Extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Deleting a Log Source Extension . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Part 2

Index
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123


List of Tables
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii

Part 1

Juniper Secure Analytics Log Sources

Chapter 1

Managing Log Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3


Table 3: Console Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Table 4: Log Source Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Table 5: Bulk Log Source Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Table 6: Bulk Edit Log Source Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Chapter 2

Managing Protocol Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17


Table 7: Syslog Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Table 8: JDBC Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Table 9: JDBC - SiteProtector Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . 25
Table 10: Sophos Enterprise Console JDBC Protocol Parameters . . . . . . . . . . . . . 30
Table 11: Juniper Networks NSM Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . 34
Table 12: OPSEC/LEA Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Table 13: SDEE Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Table 14: SNMPv1 Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Table 15: SNMPv2 Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Table 16: SNMPv3 Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Table 17: Sourcefire Defense Center Estreamer Protocol Parameters . . . . . . . . . . 50
Table 18: Log File Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Table 19: Microsoft Security Event Log Protocol Parameters . . . . . . . . . . . . . . . . . 58
Table 20: Microsoft Security Event Log Protocol Parameters . . . . . . . . . . . . . . . . . 61
Table 21: Microsoft DHCP Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Table 22: Microsoft Exchange Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . 66
Table 23: Microsoft IIS Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Table 24: SMB Tail Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Table 25: EMC VMware Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Table 26: Oracle Database Listener Protocol Parameters . . . . . . . . . . . . . . . . . . . 77
Table 27: Cisco NSEL Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Table 28: PCAP Syslog Combination Protocol Parameters . . . . . . . . . . . . . . . . . . 82
Table 29: Forwarded Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Table 30: TLS Syslog Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Table 31: Juniper Security Binary Log Collector Protocol Parameters . . . . . . . . . . 90
Table 32: UDP Multiline Syslog Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . 92
Table 33: TCP Multiline Syslog Protocol Parameters . . . . . . . . . . . . . . . . . . . . . . . 95
Table 34: VMware vCloud Director Protocol Parameters . . . . . . . . . . . . . . . . . . . . 98


Table 35: IBM Tivoli Endpoint Manager SOAP Protocol Parameters . . . . . . . . . . 100

Chapter 5

Managing Log Source Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113


Table 36: Log Source Extension Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114


About the Documentation

Documentation and Release Notes on page vii

Documentation Conventions on page vii

Documentation Feedback on page ix

Requesting Technical Support on page x

Documentation and Release Notes

To obtain the most current version of all Juniper Networks technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.

Documentation Conventions
Table 1 on page viii defines notice icons used in this guide.


Table 1: Notice Icons

Meaning: Description
Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.

Table 2 on page viii defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Bold text like this
  Description: Represents text that you type.
  Examples: To enter configuration mode, type the configure command:
    user@host> configure

Fixed-width text like this
  Description: Represents output that appears on the terminal screen.
  Examples:
    user@host> show chassis alarms
    No alarms currently active

Italic text like this
  Description: Introduces or emphasizes important new terms. Identifies guide names.
  Identifies RFC and Internet draft titles.
  Examples: A policy term is a named structure that defines match conditions and
  actions. / Junos OS CLI User Guide / RFC 1997, BGP Communities Attribute

Italic text like this
  Description: Represents variables (options for which you substitute a value) in
  commands or configuration statements.
  Examples: Configure the machine's domain name:
    [edit]
    root@# set system domain-name domain-name

Text like this
  Description: Represents names of configuration statements, commands, files, and
  directories; configuration hierarchy levels; or labels on routing platform
  components.
  Examples: To configure a stub area, include the stub statement at the [edit protocols
  ospf area area-id] hierarchy level. / The console port is labeled CONSOLE.

< > (angle brackets)
  Description: Encloses optional keywords or variables.
  Examples: stub <default-metric metric>;

| (pipe symbol)
  Description: Indicates a choice between the mutually exclusive keywords or variables
  on either side of the symbol. The set of choices is often enclosed in parentheses
  for clarity.
  Examples: broadcast | multicast / (string1 | string2 | string3)

# (pound sign)
  Description: Indicates a comment specified on the same line as the configuration
  statement to which it applies.
  Examples: rsvp { # Required for dynamic MPLS only

[ ] (square brackets)
  Description: Encloses a variable for which you can substitute one or more values.
  Examples: community name members [ community-ids ]

Indention and braces ( { } )
  Description: Identifies a level in the configuration hierarchy.
  Examples:
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

; (semicolon)
  Description: Identifies a leaf statement at a configuration hierarchy level.
  Examples: nexthop address; and retain; in the preceding configuration block.

GUI Conventions

Bold text like this
  Description: Represents graphical user interface (GUI) items you click or select.
  Examples: In the Logical Interfaces box, select All Interfaces. / To cancel the
  configuration, click Cancel.

> (bold right angle bracket)
  Description: Separates levels in a hierarchy of menu selections.
  Examples: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:

Online feedback rating system: On any page at the Juniper Networks Technical
Documentation site at http://www.juniper.net/techpubs/index.html, simply click the
stars to rate the content, and use the pop-up form to provide us with information about
your experience. Alternately, you can use the online feedback form at
https://www.juniper.net/cgi-bin/docbugreport/.

E-mail: Send your comments to techpubs-comments@juniper.net. Include the document
or topic name, URL or page number, and software version (if applicable).


Requesting Technical Support


Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,
or are covered under warranty, and need post-sales technical support, you can access
our tools and resources online or open a case with JTAC.

JTAC policies: For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

Product warranties: For product warranty information, visit
http://www.juniper.net/support/warranty/.

JTAC hours of operation: The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.

Self-Help Online Tools and Resources


For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:

Find CSC offerings: http://www.juniper.net/customers/support/

Search for known bugs: http://www2.juniper.net/kb/

Find product documentation: http://www.juniper.net/techpubs/

Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/

Search technical bulletins for relevant hardware and software notifications:
https://www.juniper.net/alerts/

Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/

Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC


You can open a case with JTAC on the Web or by telephone.

Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html.


PART 1

Juniper Secure Analytics Log Sources

Managing Log Sources on page 3

Managing Protocol Configuration on page 17

Grouping Log Sources on page 105

Adding Log Source Parsing Order on page 111

Managing Log Source Extensions on page 113


CHAPTER 1

Managing Log Sources


This chapter describes the following topics:

Log Sources Overview on page 4

Viewing the Status of a Log Source on page 4

Adding a Log Source on page 5

Editing Log Source on page 7

Enabling or Disabling a Log Source on page 9

Adding Bulk Log Sources on page 10

Editing Bulk Log Sources on page 13

Deleting a Log Source on page 15


Log Sources Overview


Administrators can manage log sources from the Admin tab. Log sources are a list of
external appliances that provide events to Juniper Secure Analytics (JSA).
References to JSA apply to all products capable of collecting log source information.
Products that support log sources include Log Analytics.
Log sources provide JSA the ability to collect, understand, and properly categorize events
from external sources. A log source is a generic term for any external source that provides
event information to JSA. A log source can be any type of network appliance, operating
system, database, or security product that generates events for JSA. For example, a
firewall or intrusion detection system might provide security-based events, whereas
switches or routers might provide network-based events. JSA can read and interpret
events from more than 300 log sources. Each log source in JSA contains a device support
module (DSM). The DSM software contains the event patterns that are required to
identify and parse events for a log source. Updated event patterns to parse new events
and update your system are provided through weekly auto updates.
Log sources can be created manually by an administrator or automatically discovered
by JSA. Auto discovery means that JSA can detect and create a log source from events
without manual configuration. Many log sources can be automatically discovered by JSA.
Before you configure a log source, you must review and understand how the device,
appliance, or software sends events to JSA. To review step-by-step configuration
instructions for devices and the associated log source, see the Juniper Secure Analytics
Administration Guide.
To manage log sources in JSA, perform the following tasks:

Viewing the Status of a Log Source on page 4.

Adding a Log Source on page 5.

Editing Log Source on page 7.

Adding Bulk Log Sources on page 10.

Editing Bulk Log Sources on page 13.

Enabling or Disabling a Log Source on page 9.

Deleting a Log Source on page 15.

Viewing the Status of a Log Source


You can view the status of a log source to determine if your device is sending events to
Juniper Secure Analytics (JSA).
To view the status of a log source:
1. Click the Admin tab.
2. Click the Log Sources icon.
3. Review the Status column to determine the status of your log sources.

For example, log sources that do not send an event within 720 minutes display an error
in the Status column. Log sources that display N/A are log sources that have been bulk
added.
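The 720-minute rule above is the check a defender most often wants to run outside the console as well, because a log source that goes silent is indistinguishable from a device whose logging was switched off. The following is an added example, not code from the Juniper guide or from JSA: it applies the same rule to a constructed inventory of log sources. The "OK" label for a healthy source, the record layout, and the sample names and timestamps are assumptions; the guide itself only names the error case and the N/A case for bulk-added sources.

```python
# Added example (not from the Juniper guide): a stale-log-source check that applies
# the rule stated in the guide: a log source that has not sent an event within
# 720 minutes is reported as an error, and bulk-added log sources show N/A.
# The inventory below is constructed sample data, not output from JSA, and the
# "OK" label for a healthy source is an assumption (the guide names only the error case).
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(minutes=720)  # threshold stated in the guide

# Constructed sample inventory: last_event is an ISO-8601 UTC timestamp or None (never seen).
SAMPLE_LOG_SOURCES = [
    {"name": "fw-edge-01", "last_event": "2014-03-17T08:00:00Z", "bulk_added": False},
    {"name": "ids-dmz-02", "last_event": "2014-03-16T12:00:00Z", "bulk_added": False},
    {"name": "sw-core-03", "last_event": None, "bulk_added": True},
    {"name": "db-audit-04", "last_event": None, "bulk_added": False},
]


def parse_ts(value):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' string into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def log_source_status(source, now):
    """Return the status a console would show for one log source at time `now`."""
    if source["bulk_added"]:
        return "N/A"      # bulk-added sources are not tracked individually
    if source["last_event"] is None:
        return "Error"    # never sent an event, so it is past any threshold
    age = now - parse_ts(source["last_event"])
    return "Error" if age > STALE_AFTER else "OK"


def stale_sources(sources, now_iso):
    """Names of log sources a defender should chase: silent for more than 720 minutes."""
    now = parse_ts(now_iso)
    return [s["name"] for s in sources if log_source_status(s, now) == "Error"]


if __name__ == "__main__":
    now_iso = "2014-03-17T10:00:00Z"
    for src in SAMPLE_LOG_SOURCES:
        print(f"{src['name']:<12} {log_source_status(src, parse_ts(now_iso))}")
    print("stale:", stale_sources(SAMPLE_LOG_SOURCES, now_iso))
```

Run against the constructed inventory at 10:00 UTC, the firewall is healthy, the IDS that last reported 22 hours earlier is flagged, the bulk-added switch shows N/A, and the database that never reported is flagged. A source is flagged only once its silence exceeds 720 minutes, so a source whose last event is exactly 720 minutes old still reads OK, which matches the "within 720 minutes" wording above.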
Related Documentation

Log Sources Overview on page 4

Adding a Log Source on page 5.

Editing Log Source on page 7.

Adding Bulk Log Sources on page 10.

Editing Bulk Log Sources on page 13.

Enabling or Disabling a Log Source on page 9.

Deleting a Log Source on page 15.

Adding a Log Source


Administrators can add a log source to receive events from your network devices or
appliances. Before a log source is manually added, the administrator can determine if
the device supports automatic discovery.
Table 3 on page 5 describes the parameters of the log source fields.

Table 3: Console Settings


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select the type of log source to add.

Protocol Configuration

From the list, select the protocol configuration for the log source.
The protocol defines how Juniper Secure Analytics (JSA) attempts to communicate with the log
source. Protocols can either listen for events or they can initiate communication to a log source to
collect events. The protocol options that are available for each log source are determined by the Log
Source Type.
JSA provides step-by-step instructions to configure each log source.

Log Source Identifier

Type an IPv4 address or hostname to identify the log source that created the events.
If your network contains multiple devices that are attached to a management console, you should
specify the IP address of the individual device that created the event. A unique identifier for each,
such as an IP address, prevents event searches from identifying the management console as the
source for all of the events.


Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not counted
in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source.
The credibility value that is assigned to a log source can increase or decrease based on incoming
events, or be adjusted in response to user-created event rules. The credibility of events from log sources
contributes to the calculation of the offense magnitude and can increase or decrease the magnitude
value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote source,
this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event
collector, instead of the console appliance. Distributing events across target event collectors can
improve performance in distributed deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a
short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and events are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the default
behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the default
behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating systems
that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are XML
files that contain regular expressions, which can override or repair the event parsing of a device
support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement: Select this option when most fields parse correctly for the log source.

Parsing override: Select this option when the log source is unable to correctly parse events.


Groups

Select one or more groups for the log source.

To add a log source:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source. JSA provides step-by-step
instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
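Of the parameters in Table 3, Coalescing Events is the one whose effect on what an analyst later sees is easiest to misjudge. The following is an added example, not code from the Juniper guide or from JSA: a small model of the behaviour described above, in which repeats of the same event that arrive within a short interval are bundled into one record that carries a count. The sample events are constructed, and the 10-second window and the fields used to decide that two events are "the same" (source IP, destination IP, event name) are assumptions, not values the guide documents.

```python
# Added example (not from the Juniper guide): a model of what the Coalescing Events
# check box does, bundling repeats of the same event that arrive within a short
# interval into one record that carries a count. The sample events are constructed;
# the 10-second window and the "same event" key are assumptions, not JSA's values.

COALESCE_WINDOW_SECONDS = 10  # assumed interval; the guide does not state JSA's own value

# Constructed sample stream: (seconds since start, source IP, destination IP, event name)
SAMPLE_EVENTS = [
    (0, "10.0.0.5", "10.0.1.20", "Login failed"),
    (3, "10.0.0.5", "10.0.1.20", "Login failed"),
    (7, "10.0.0.5", "10.0.1.20", "Login failed"),
    (8, "10.0.0.9", "10.0.1.20", "Login failed"),   # different source: its own record
    (25, "10.0.0.5", "10.0.1.20", "Login failed"),  # outside the window: a new record
]


def coalesce(events, window=COALESCE_WINDOW_SECONDS):
    """Bundle repeated events into records that carry a count.

    A repeat is folded into the open record for its key when it arrives within
    `window` seconds of that record's first event; otherwise a new record opens.
    Records are returned in first-seen order.
    """
    open_records = {}  # key -> record currently accepting repeats
    records = []
    for t, src, dst, name in events:
        key = (src, dst, name)
        rec = open_records.get(key)
        if rec is not None and t - rec["first_seen"] <= window:
            rec["count"] += 1
            rec["last_seen"] = t
            continue
        rec = {"first_seen": t, "last_seen": t, "source_ip": src,
               "dest_ip": dst, "event_name": name, "count": 1}
        open_records[key] = rec
        records.append(rec)
    return records


def counts(records):
    """Per-record event counts, in order: the frequency view the Log Activity tab gives."""
    return [r["count"] for r in records]


if __name__ == "__main__":
    bundled = coalesce(SAMPLE_EVENTS)
    print("check box clear:", len(SAMPLE_EVENTS), "individual events")
    print("check box set  :", len(bundled), "records with counts", counts(bundled))
```

With the check box clear, each of the five constructed events is its own record, which is the "viewed individually" case above. With it set, the three repeats from 10.0.0.5 inside the window collapse into one record with a count of 3, the event from 10.0.0.9 and the late repeat at 25 seconds stay separate, and the counts still sum to the original five, so nothing is lost from the totals. What changes is granularity: an analyst reading coalesced records sees frequency per event type rather than each repeat on its own line, which is why the guide lets the per-log-source setting override the system default.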

Related Documentation

Log Sources Overview on page 4

Viewing the Status of a Log Source on page 4.

Editing Log Source on page 7.

Adding Bulk Log Sources on page 10.

Editing Bulk Log Sources on page 13.

Enabling or Disabling a Log Source on page 9.

Deleting a Log Source on page 15.

Editing Log Source


You can edit a log source to update the configuration parameters for a network device,
appliance, or software. The Log Source Type and Protocol Configuration parameters
cannot be edited.
Table 4 on page 7 describes the editable parameters of the log source fields:

Table 4: Log Source Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.


Log Source Identifier

Type an IPv4 address or hostname to identify the log source that created the events.
If your network contains multiple devices that are attached to a management console, you should
specify the IP address of the individual device that created the event. A unique identifier for each,
such as an IP address, prevents event searches from identifying the management console as the
source for all of the events.

Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not counted
in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source.
The credibility value that is assigned to a log source can increase or decrease based on incoming
events, or be adjusted in response to user-created event rules. The credibility of events from log sources
contributes to the calculation of the offense magnitude and can increase or decrease the magnitude
value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote source,
this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event
collector, instead of the console appliance. Distributing event across target event collectors can
improve performance in distributed deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increase the event count when the same event occurs multiple times within a
short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and events are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the default
behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the default
behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating systems
that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are XML
files that contain regular expressions, which can override or repair the event parsing of a device
support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement: Select this option when most fields parse correctly for the log source.

Parsing override: Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.

To edit a log source:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Select a log source.
4. Click Edit.
5. Configure the parameters for your log source. JSA provides step-by-step instructions to configure each log source.
6. Click Save to update your log source configuration.

The log source is updated. Deploying changes is not required to edit a log source.
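
The Coalescing Events row of Table 4 describes bundling behavior without showing its effect on counts. The following Python snippet is an added example, not code from this guide or from JSA, that models how repeated identical events from one log source are bundled into a single record carrying an event count, and how the total number of raw events per event type is the same whether or not coalescing is enabled. The 10-second window, the Event fields and the sample events are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Event:
    ts: float        # arrival time in seconds; constructed sample data, not a JSA record layout
    source: str      # Log Source Identifier of the device that produced the event
    name: str        # event name as parsed by the DSM
    count: int = 1   # number of raw events this record represents


# Constructed sample: four identical failures from one device, one from another.
SAMPLE_EVENTS = [
    Event(0.0, "10.0.0.5", "Login Failed"),
    Event(3.0, "10.0.0.5", "Login Failed"),
    Event(4.0, "10.0.0.6", "Login Failed"),
    Event(8.0, "10.0.0.5", "Login Failed"),
    Event(25.0, "10.0.0.5", "Login Failed"),
]

COALESCE_WINDOW = 10.0   # assumed "short time interval"; the guide gives no number


def coalesce(events: List[Event], enabled: bool = True,
             window: float = COALESCE_WINDOW) -> List[Event]:
    """Return the records the Log Activity tab would show for `events`.

    With the check box clear (enabled=False) every raw event is shown individually.
    With it selected, a repeat of the same (source, name) that arrives within `window`
    seconds of the first event in an open bundle increments that bundle's count
    instead of creating a new record.
    """
    ordered = sorted(events, key=lambda e: e.ts)
    if not enabled:
        return [Event(e.ts, e.source, e.name) for e in ordered]
    records: List[Event] = []
    open_bundle: Dict[Tuple[str, str], int] = {}   # (source, name) -> index into records
    for e in ordered:
        key = (e.source, e.name)
        idx = open_bundle.get(key)
        if idx is not None and e.ts - records[idx].ts <= window:
            records[idx].count += 1
        else:
            records.append(Event(e.ts, e.source, e.name))
            open_bundle[key] = len(records) - 1
    return records


def frequency(records: List[Event]) -> Dict[Tuple[str, str], int]:
    """Total raw events per (source, name); identical with or without coalescing."""
    totals: Counter = Counter()
    for r in records:
        totals[(r.source, r.name)] += r.count
    return dict(totals)
```

Running `coalesce(SAMPLE_EVENTS)` yields three records (a bundle of three failures from 10.0.0.5, one from 10.0.0.6, and a new bundle for the failure that arrives after the window), while `frequency` reports the same totals for the bundled and the unbundled views.
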
Related Documentation

Log Sources Overview on page 4

Viewing the Status of a Log Source on page 4.

Adding a Log Source on page 5.

Adding Bulk Log Sources on page 10.

Editing Bulk Log Sources on page 13.

Enabling or Disabling a Log Source on page 9.

Deleting a Log Source on page 15.

Enabling or Disabling a Log Source


Administrators can enable or disable a log source to start or stop event collection. Bulk
log sources cannot be enabled or disabled.

To enable or disable a log source:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Select the log source to enable or disable.
4. Click Enable/Disable.

When a log source is enabled, the Enabled column indicates true; when it is disabled, the column
indicates false. Disabled log sources do not count against the log source limit assigned to the
license. If an administrator cannot enable a log source, the system might have exceeded the log
source license limit. Administrators can review the system notifications to determine if the number
of log sources exceeds the license limit. When this occurs, administrators can disable low-priority
log sources. If extra log source capacity is required, contact your sales representative.
Related Documentation

Log Sources Overview on page 4

Viewing the Status of a Log Source on page 4.

Adding a Log Source on page 5

Editing Log Source on page 7.

Adding Bulk Log Sources on page 10.

Editing Bulk Log Sources on page 13.

Deleting a Log Source on page 15.

Adding Bulk Log Sources


Juniper Secure Analytics (JSA) supports the ability to add up to 500 Windows-based or
Universal DSM log sources in bulk. Bulk log sources share a common configuration and
only differ by the IP address.
Table 5 on page 10 describes the default parameters of the log source configuration.
These parameters might differ based on the Log Source Type selected:

Table 5: Bulk Log Source Parameters


Parameter

Description

Bulk Log Source Name

Type a unique name of the log source.

When you add a bulk log source, a log source group is created with the name you input into this field.

Log Source Type

From the list, select a log source type for your Windows-based log source or Universal DSM log source.

Protocol Configuration

From the list, select the protocol configuration for the log source.
The protocol defines how the system attempts to communicate with the log source. Protocols can
either listen for events or they can initiate communication to a log source to collect events. The protocol
options that are available for each log source are determined by the Log Source Type.
JSA provides step-by-step instructions to configure each log source.

Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not counted
in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is
5.
Credibility is a representation of the integrity or validity of events that are created by a log source. The
credibility value that is assigned to a log source can increase or decrease based on incoming events, or
can be adjusted in response to user-created event rules. The credibility of events from log sources
contributes to the calculation of the offense magnitude and can increase or decrease the magnitude
value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote source,
this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event
collector, instead of the console appliance. Distributing events across target event collectors can improve
performance in distributed deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a short
time interval. Coalesced events provide administrators a way to view and determine the frequency
with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the default
behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the default
behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating systems
that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are XML
files that contain regular expressions, which can override or repair the event parsing of a device support
module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement: Select this option when most fields parse correctly for the log source.

Parsing override: Select this option when the log source is unable to correctly parse events.

File Upload

Select this option to specify the location of a text file that contains a list of IP addresses or host names
to bulk add.
The text file must contain one IP address or host name per line. Extra characters after an IP address,
or host names longer than 255 characters, can result in a value being bypassed from the text file. The
file upload lists a summary of all IP addresses or host names that were added as the bulk log source.

Domain Query

Select this option to search a domain for hosts to add as bulk log sources. To search a domain you
must add the domain, username, and password before polling the domain for hosts to add. Click Query
Domain to search the domain for IP addresses or host names to add to the list.

Domain Controller: Type the IP address of the domain controller.

Full Domain Name: Type a valid domain name for your network.

Manual

Select this option to manually add individual IP addresses or host names to the host list. Click Add
Host to add an IP address or host name to the list.

Add

Clear any values from the Add check box to exclude host names or IP addresses from the list of bulk
log sources.

To add a bulk log source:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. From the Actions list, select Bulk Add.
4. Configure the parameters for the log source. JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. Click Continue to add the log sources.
7. On the Admin tab, click Deploy Changes.

The log sources are bulk added and a group is created for your bulk log sources.
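
The File Upload row of Table 5 states the conditions under which a line of the host list is bypassed: characters after the address and host names longer than 255 characters. The following Python function is an added example, not part of this guide or of JSA, that checks a host list before upload and reports which lines would be skipped and why, so that a silently dropped device does not become a gap in collection. The sample file contents are constructed; the duplicate check is an extra check that the guide does not describe.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

MAX_HOSTNAME_LEN = 255   # limit stated in the guide's File Upload description

# RFC 1123 host name: dot-separated labels of letters, digits and hyphens,
# each label 1-63 characters and not starting or ending with a hyphen.
_HOSTNAME = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)

# Constructed sample upload file: lines 2, 5 and 6 would be bypassed.
SAMPLE_HOST_LIST = "\n".join([
    "10.10.1.21",
    "10.10.1.22   # domain controller",   # trailing characters after the address
    "srv-dc01.example.test",
    "10.10.1.23",
    "a" * 256 + ".example.test",          # host name longer than 255 characters
    "10.10.1.21",                          # duplicate of line 1 (added check)
    "",
])


@dataclass
class Skipped:
    line_no: int
    value: str
    reason: str


@dataclass
class HostListResult:
    accepted: List[str] = field(default_factory=list)
    skipped: List[Skipped] = field(default_factory=list)


def parse_host_list(text: str) -> HostListResult:
    """Validate a one-entry-per-line host list the way the bulk add expects it."""
    result = HostListResult()
    seen = set()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        value = raw.strip()
        if not value:
            continue                          # blank lines carry no host
        if len(value) > MAX_HOSTNAME_LEN:
            result.skipped.append(Skipped(line_no, value[:40] + "...",
                                          "longer than 255 characters"))
            continue
        try:
            ipaddress.IPv4Address(value)      # the guide's identifier examples are IPv4
            kind = "ip"
        except ipaddress.AddressValueError:
            kind = "hostname" if _HOSTNAME.match(value) else None
        if kind is None:
            result.skipped.append(Skipped(line_no, value,
                                          "extra characters or invalid host name"))
            continue
        if value.lower() in seen:             # added check, not described in the guide
            result.skipped.append(Skipped(line_no, value, "duplicate entry"))
            continue
        seen.add(value.lower())
        result.accepted.append(value)
    return result
```

On the sample file, `parse_host_list` accepts three entries and reports three skipped lines with their reasons; comparing `accepted` against the summary that the file upload shows after the bulk add is a quick way to confirm that every intended device was created.
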
Related Documentation

Log Sources Overview on page 4

Viewing the Status of a Log Source on page 4.

Adding a Log Source on page 5

Editing Log Source on page 7.

Enabling or Disabling a Log Source on page 9.

Editing Bulk Log Sources on page 13.

Deleting a Log Source on page 15.

Editing Bulk Log Sources


Administrators can edit a log source in bulk to update the configuration parameters for
Windows-based log sources or Universal DSM log sources that were bulk added. The
Log Source Type and Protocol Configuration parameters cannot be edited in bulk.
Table 6 on page 13 describes the default parameters of the log source configuration.
These parameters might differ based on the Log Source Type selected:

Table 6: Bulk Edit Log Source Parameters


Parameter

Description

Bulk Log Source Name

Type a unique name of the log source.

When you add a bulk log source, a log source group is created with the name you input into this field.

Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not counted
in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is
5.
Credibility is a representation of the integrity or validity of events that are created by a log source. The
credibility value that is assigned to a log source can increase or decrease based on incoming events, or
can be adjusted in response to user-created event rules. The credibility of events from log sources
contributes to the calculation of the offense magnitude and can increase or decrease the magnitude
value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote source,
this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event
collector, instead of the console appliance. Distributing events across target event collectors can improve
performance in distributed deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a short
time interval. Coalesced events provide administrators a way to view and determine the frequency with
which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the default
behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the default
behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating systems
that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are XML
files that contain regular expressions, which can override or repair the event parsing of a device support
module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement: Select this option when most fields parse correctly for the log source.

Parsing override: Select this option when the log source is unable to correctly parse events.

File Upload

Select this option to specify the location of a text file that contains a list of IP addresses or host names
to bulk add.
The text file must contain one IP address or host name per line. Extra characters after an IP address,
or host names longer than 255 characters, can result in a value being bypassed from the text file. The
file upload lists a summary of all IP addresses or host names that were added as the bulk log source.

Domain Query

Select this option to search a domain for hosts to add as bulk log sources. To search a domain you
must add the domain, username, and password before polling the domain for hosts to add. Click Query
Domain to search the domain for IP addresses or host names to add to the list.

Domain Controller: Type the IP address of the domain controller.

Full Domain Name: Type a valid domain name for your network.

Manual

Select this option to manually add individual IP addresses or host names to the host list. Click Add
Host to add an IP address or host name to the list.

Add

Clear any values from the Add check box to exclude host names or IP addresses from the list of bulk
log sources.

To edit a bulk log source:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Select a log source.
4. From the Actions list, select Bulk Edit.
5. Configure the parameters for the log source. JSA provides step-by-step instructions to configure each log source.
6. Click Save to update your log source configuration.
7. Click Continue to add the log sources.
8. Optional. On the Admin tab, click Deploy Changes if you added a new IP address or host name to your bulk log source.

The bulk log source is updated.
Related Documentation

Log Sources Overview on page 4

Viewing the Status of a Log Source on page 4.

Adding a Log Source on page 5

Editing Log Source on page 7.

Enabling or Disabling a Log Source on page 9.

Adding Bulk Log Sources on page 10.

Deleting a Log Source on page 15.

Deleting a Log Source


Administrators can delete a log source. Bulk log sources cannot be enabled or disabled.
Administrators can delete unwanted log sources to stop event collection for an external
device.
To delete a log source:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Select the log source to delete.
4. Click Delete.

The log source is deleted.


The event data for a deleted log source is still available on your system. However, the data can
be more difficult to locate when you search for it, because the indexes for the log source are
deleted. If you want to retain the log source index reference, disable the log source instead of
deleting it from your system. This enables you to continue to search for events by log source or
log source group.
Related Documentation

Log Sources Overview on page 4

Viewing the Status of a Log Source on page 4.

Adding a Log Source on page 5

Editing Log Source on page 7.

Enabling or Disabling a Log Source on page 9.

Adding Bulk Log Sources on page 10.

Editing Bulk Log Sources on page 13.

CHAPTER 2

Managing Protocol Configuration


This chapter describes the following sections:

Protocol Configuration Overview on page 18

Configuring the Syslog Protocol on page 18

Configuring the JDBC Protocol on page 21

Configuring the JDBC SiteProtector Protocol on page 25

Configuring the Sophos Enterprise Console JDBC Protocol on page 29

Configuring the Juniper Networks NSM Protocol on page 34

Configuring the OPSEC/LEA Protocol on page 36

Configuring the SDEE Protocol on page 39

Configuring the SNMPv1 Protocol on page 42

Configuring the SNMPv2 Protocol on page 44

Configuring the SNMPv3 Protocol on page 47

Configuring the Sourcefire Defense Center Estreamer Protocol on page 49

Configuring the Log File Protocol on page 52

Configuring the Microsoft Security Event Log Protocol on page 57

Configuring the Microsoft Security Event Log Custom Protocol on page 60

Configuring the Microsoft DHCP Protocol on page 63

Configuring the Microsoft Exchange Protocol on page 66

Configuring the Microsoft IIS protocol on page 69

Configuring the SMB Tail Protocol on page 72

Configuring the EMC VMware Protocol on page 75

Configuring the Oracle Database Listener Protocol on page 77

Configuring the Cisco NSEL Protocol on page 80

Configuring the PCAP Syslog Combination Protocol on page 82

Configuring the Forwarded Protocol on page 84

Configuring the TLS Syslog Protocol on page 87

Configuring the Juniper Security Binary Log Collector Protocol on page 90

Configuring the UDP Multiline Syslog Protocol on page 92

Configuring the TCP Multiline Syslog Protocol on page 95

Configuring the VMware vCloud Director Protocol on page 98

Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 100

Protocol Configuration Overview


Log source protocols provide Juniper Secure Analytics (JSA) the ability to receive or
actively collect log source events from external sources. Passive protocols listen for
events on specific ports; active protocols use APIs or other communication methods to
reach out to external systems to poll and retrieve events.
Before you configure a log source, you must review and understand how the device,
appliance, or software sends events to JSA. For detailed protocol information and
step-by-step configuration instructions for many devices, see the Juniper Secure Analytics
Administration Guide.
To review protocol configuration parameters for your log source, select the protocol for
the device:
Related Documentation

Configuring the Syslog Protocol on page 18.

Configuring the JDBC Protocol on page 21.

Configuring the JDBC SiteProtector Protocol on page 25.

Configuring the Sophos Enterprise Console JDBC Protocol on page 29.

Configuring the Juniper Networks NSM Protocol on page 34.

Configuring the OPSEC/LEA Protocol on page 36.

Configuring the Syslog Protocol


The Syslog protocol is the most common form of event collection. Juniper Secure Analytics
(JSA) can passively listen for Syslog events on TCP or UDP port 514.
Table 7 on page 18 describes the parameters of the Syslog protocol.

Table 7: Syslog Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select the type of log source to add.

Protocol Configuration

From the list, select Syslog.


The protocol defines how JSA attempts to communicate with the log source. Protocols can either
listen for events or they can initiate communication to a log source to collect events. The protocol
options that are available for each log source are determined by the Log Source Type.
JSA provides step-by-step instructions to configure each log source.

Log Source Identifier

Type an IPv4 address or host name to identify the log source that created the events.
If the network contains multiple devices that are attached to a management console, administrators
can specify the IP address of the individual device that created the event. A unique identifier for each,
such as an IP address, prevents event searches from identifying the management console as the
source for all of the events.

Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not counted
in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source.
The credibility value that is assigned to a log source can increase or decrease based on incoming
events, or can be adjusted in response to user-created event rules. The credibility of events from log
sources contributes to the calculation of the offense magnitude and can increase or decrease the
magnitude value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote source,
this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event
collector, instead of the console appliance. Distributing events across target event collectors can
improve performance in distributed deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a
short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the default
behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the default
behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating systems
that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are XML
files that contain regular expressions, which can override or repair the event parsing of a device
support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement: Select this option when most fields parse correctly for the log source.

Parsing override: Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.

To configure the Syslog protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source. JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
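
The Log Source Identifier row of Table 7 warns that when several devices report through one management console, events are attributed to the console unless the identifier names the originating device. The following Python code is an added example, not from this guide or from JSA, that parses the RFC 3164 syslog header JSA receives on port 514 and counts events by the HOSTNAME field rather than by the sending address, which is the distinction that makes per-device identifiers work. The relay address, the sample messages, the regular expression and the field names are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable

# Constructed sample: a management console at 10.0.0.1 forwards messages whose
# HOSTNAME field names the firewall that actually produced each event.
RELAY_ADDRESS = "10.0.0.1"
SAMPLE_MESSAGES = [
    "<34>Oct 11 22:14:15 fw-edge-01 sshd[1234]: Failed password for admin from 192.0.2.9 port 55511 ssh2",
    "<13>Oct 11 22:14:16 fw-edge-02 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.4 PROTO=TCP DPT=23",
    "<34>Oct 11 22:14:18 fw-edge-01 sshd[1234]: Accepted publickey for ops from 192.0.2.20 port 55512 ssh2",
]

# RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG, timestamp "Mmm dd hh:mm:ss".
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    hostname: str     # device named in the header: the value to match a Log Source Identifier
    tag: str
    message: str
    sender: str       # address the datagram or connection arrived from (the relay here)


def parse_rfc3164(raw: str, sender: str) -> SyslogEvent:
    """Parse one message; PRI encodes facility * 8 + severity and may not exceed 191."""
    m = _RFC3164.match(raw)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {raw[:60]!r}")
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    return SyslogEvent(facility=pri // 8, severity=pri % 8, timestamp=m["ts"],
                       hostname=m["host"], tag=m["tag"], message=m["msg"], sender=sender)


def count_by_identifier(messages: Iterable[str], sender: str,
                        by_sender: bool = False) -> Dict[str, int]:
    """Events per identifier. by_sender=True shows the attribution the guide warns about:
    everything collapses onto the console address instead of the individual devices."""
    counts: Counter = Counter()
    for raw in messages:
        ev = parse_rfc3164(raw, sender)
        counts[ev.sender if by_sender else ev.hostname] += 1
    return dict(counts)
```

With the sample messages, keying on the header host name yields two log sources (fw-edge-01 with two events, fw-edge-02 with one), whereas keying on the sending address reports all three events against 10.0.0.1; configuring the Log Source Identifier with the device's own address or host name is what keeps the first view.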

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the JDBC Protocol on page 21.

Configuring the JDBC SiteProtector Protocol on page 25.

Configuring the Sophos Enterprise Console JDBC Protocol on page 29.

Configuring the Juniper Networks NSM Protocol on page 34.

Configuring the OPSEC/LEA Protocol on page 36.

Configuring the SDEE Protocol on page 39.

Configuring the SNMPv1 Protocol on page 42.

Configuring the SNMPv2 Protocol on page 44.

Configuring the JDBC Protocol


Log sources configured with the Java Database Connectivity (JDBC) protocol can remotely
poll databases for events.
The JDBC protocol enables Juniper Secure Analytics (JSA) to collect information from
tables or views that contain event data from several database types.
Table 8 on page 21 describes the parameters of the JDBC protocol.

Table 8: JDBC Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select the type of log source to add.

Protocol Configuration

From the list, select JDBC.

Log Source Identifier

Type the log source identifier in one of the following formats:

database@hostname

table name|database@hostname

The database name must match the value of the Database Name parameter. The database name
is a required parameter.
The hostname is the hostname or IP address for the device that hosts the database. The hostname
must match the parameter in the IP or Hostname field. The hostname is a required parameter.
Optional. The table name is the name of the table or view on the database which contains the
event records. If you define the name of a table or view, you must include a pipe ( | ) character as a
separator. The name of the view or table must match the Table Name field.

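
As an added example (not code from this guide or from JSA), the following Python functions parse a JDBC Log Source Identifier in the two formats above and report where it disagrees with the Database Name, IP or Hostname and Table Name fields, so that a mismatch is caught before the log source is saved. The database, host and table values used in the checks are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class JdbcIdentifier:
    database: str
    hostname: str
    table: Optional[str]   # None when the optional "table name|" prefix is absent


def parse_jdbc_identifier(identifier: str) -> JdbcIdentifier:
    """Split 'database@hostname' or 'table name|database@hostname' into its parts."""
    rest = identifier.strip()
    table: Optional[str] = None
    if "|" in rest:
        table, rest = (part.strip() for part in rest.split("|", 1))
        if not table:
            raise ValueError("a pipe separator is present but the table name is empty")
    if rest.count("@") != 1:
        raise ValueError("identifier must contain exactly one '@' between database and hostname")
    database, hostname = (part.strip() for part in rest.split("@"))
    if not database or not hostname:
        raise ValueError("database name and hostname are both required")
    return JdbcIdentifier(database, hostname, table)


def is_valid_jdbc_identifier(identifier: str) -> bool:
    try:
        parse_jdbc_identifier(identifier)
        return True
    except ValueError:
        return False


def identifier_mismatches(identifier: str, database_name: str,
                          ip_or_hostname: str, table_name: str) -> List[str]:
    """One message per part of the identifier that disagrees with the other form fields.
    Host comparison is case-insensitive; database and table names are compared as typed."""
    parsed = parse_jdbc_identifier(identifier)
    problems: List[str] = []
    if parsed.database != database_name.strip():
        problems.append(f"database {parsed.database!r} does not match Database Name {database_name!r}")
    if parsed.hostname.lower() != ip_or_hostname.strip().lower():
        problems.append(f"host {parsed.hostname!r} does not match IP or Hostname {ip_or_hostname!r}")
    if parsed.table is not None and parsed.table != table_name.strip():
        problems.append(f"table {parsed.table!r} does not match Table Name {table_name!r}")
    return problems
```

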
Database Type

From the list box, select the type of database that contains the events.

Database Name

Type the name of the database to which the protocol can connect. The database name must match
the database name specified in the Log Source Identifier field.

IP or Hostname

Type the IP address or hostname of the database server.

Port

Type the port number used by the database server. The default displayed depends on the selected
Database Type. The valid range is 0 to 65536. The defaults include:

MSDE: 1433

Postgres: 5432

MySQL: 3306

Sybase: 1521

Oracle: 1521

Informix: 9088

The JDBC port must match the listen port configured on the remote database. The database must
permit incoming TCP connections.
If a Database Instance is used with the MSDE database type, administrators must leave the Port
parameter blank in the log source configuration.

Username

Type the database username. The username can be up to 255 alphanumeric characters in length
and can include underscore (_) characters.
To track database access for audit purposes, administrators can create a specific user on the
database for JSA.

Password

Type the database password. The password can be up to 255 characters in length.

Confirm Password

Confirm the password to access the database.

Authentication Domain

Type a domain for the database.


A domain must be configured for MSDE databases that are within a Windows domain. If your network
does not use a domain, leave this field blank.

Database Instance

Type the database instance, if required. MSDE databases can include multiple SQL server instances
on one server.
When a non-standard port is used for the database or administrators have blocked access to port
1434 for SQL database resolution, the Database Instance parameter must be blank in the log source
configuration.

Predefined Query

Optional. Select a predefined database query for the log source. If a predefined query is not available
for the log source type, administrators can select none.

Table Name

Type the name of the table or view that includes the event records.
The table name can include the following special characters: dollar sign ( $ ), number sign ( # ),
underscore ( _ ), en dash ( - ), and period ( . ).

Select List

Type the list of fields to include when the table is polled for events. Administrators can use a comma
separated list or type * to select all fields from the table or view.
If a comma-separated list is defined, the list must contain the field defined in the Compare Field.

Compare Field

Type a numeric value or timestamp field from the table or view that can identify new events added
between queries to the table.
This field enables the protocol to identify events that were previously polled by the protocol to ensure
that duplicate events are not created.

Use Prepared Statements

Select this check box to use prepared statements.

Prepared statements enable the JDBC protocol source to set up the SQL statement once, and then execute
the SQL statement numerous times with different parameters. For security and performance reasons,
most JDBC protocol configurations can use prepared statements.
Clear this check box to use an alternative method of querying that does not use precompiled statements.

Start Date and Time

Optional. Configure a start date and time for when the protocol can start to poll the database.
If a start time is not defined, the protocol attempts to poll for events after the log source configuration
is saved and deployed.

Polling Interval

Type the polling interval, which is the amount of time between queries to the database. The default
polling interval is 10 seconds.
Administrators can define a longer polling interval by appending H for hours or M for minutes to the
numeric value. The maximum polling interval is 1 week in any time format. Numeric values without
an H or M designator poll in seconds.

EPS Throttle

Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The
default value is 20000 EPS.

Use Named Pipe Communication

If MSDE is configured as the database type, administrators can select this check box to use an
alternative method to a TCP/IP port connection.
Named pipe connections for MSDE databases require the username and password field to use a
Windows authentication username and password and not the database username and password.
The log source configuration must use the default named pipe on the MSDE database.

Database Cluster Name

If the Use Named Pipe Communication check box is selected, the Database Cluster Name parameter is displayed.
If you use your SQL server in a cluster environment, define the cluster name to ensure that named
pipe communications function properly.

Use NTLMv2

Select the Use NTLMv2 check box to force MSDE connections to use the NTLMv2 protocol when
communicating with SQL servers that require NTLMv2 authentication. The default value of the check
box is selected.
The Use NTLMv2 check box does not interrupt communications for MSDE connections that do not
require NTLMv2 authentication.

Use SSL

Select this check box to enable SSL encryption for the JDBC protocol.

Enabled

Select this check box to enable the log source.
When this check box is clear, the log source does not collect events and the log source is not counted
in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source.
The credibility value that is assigned to a log source can increase or decrease based on incoming
events or adjusted as a response to user created event rules. The credibility of events from log sources
contributes to the calculation of the offense magnitude and can increase or decrease the magnitude
value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote source,
this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event
collector, instead of the console appliance. Distributing events across target event collectors can
improve performance in distributed deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a
short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and events are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the default
behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the default
behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are XML
files that contain regular expressions, which can override or repair the event parsing of a device
support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement - Select this option when most fields parse correctly for the log source.

Parsing override - Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.

To configure the JDBC protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source. The JSA provides step-by-step instructions
to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
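The polling behaviour that the Compare Field, Select List, Use Prepared Statements and Polling Interval rows of Table 8 describe can be seen end to end in a small stand-alone script. The following is an added example written for this page, not JSA code and not part of the JDBC protocol implementation: it uses Python's sqlite3 module as a stand-in for the JDBC-reachable database, with a constructed events table, and shows how a high-water mark on the compare field keeps repeated polls from creating duplicate events, how the compare value is bound as a prepared-statement parameter rather than concatenated into the query, and how the H and M suffixes and the one-week cap of the Polling Interval parameter are validated. The table name events, the column names and the batch_limit stand-in for EPS Throttle are assumptions of the example.

```python
"""Incremental JDBC-style polling with a compare field and prepared statements.

Added example for this page, not JSA code.  sqlite3 stands in for the
JDBC-reachable database; the 'events' table and its rows are constructed.
"""
import sqlite3

MAX_POLL_SECONDS = 7 * 24 * 3600  # the documented maximum: 1 week


def parse_polling_interval(value):
    """Convert a Polling Interval string to seconds.

    A bare number is seconds; an M suffix means minutes and an H suffix means
    hours.  Non-positive values and anything above one week are rejected.
    """
    text = value.strip().upper()
    multiplier = 1
    if text.endswith("H"):
        multiplier, text = 3600, text[:-1]
    elif text.endswith("M"):
        multiplier, text = 60, text[:-1]
    if not text.isdigit():
        raise ValueError(f"invalid polling interval: {value!r}")
    seconds = int(text) * multiplier
    if not 0 < seconds <= MAX_POLL_SECONDS:
        raise ValueError(f"polling interval out of range: {value!r}")
    return seconds


def _legal_identifier(name):
    # Letters, digits and the characters the Table Name parameter permits.
    return bool(name) and all(c.isalnum() or c in "$#_-." for c in name)


class IncrementalPoller:
    """Fetch only rows whose compare field is above the last value seen.

    The high-water mark is what lets the protocol skip rows it already
    collected, so a repeated poll does not create duplicate events.
    """

    def __init__(self, conn, table, select_list, compare_field, batch_limit=20000):
        fields = [] if select_list.strip() == "*" else [f.strip() for f in select_list.split(",")]
        if fields and compare_field not in fields:
            raise ValueError("Select List must contain the Compare Field")
        for name in [table, compare_field, *fields]:
            if not _legal_identifier(name):
                raise ValueError(f"illegal identifier: {name!r}")
        columns_sql = ", ".join(fields) if fields else "*"
        # Identifiers cannot be bound as parameters, so they are validated
        # above and interpolated; the compare value and limit are bound with
        # '?' placeholders so the statement is prepared once and reused.
        self.query = (
            f"SELECT {columns_sql} FROM {table} WHERE {compare_field} > ? "
            f"ORDER BY {compare_field} LIMIT ?"
        )
        self.conn = conn
        self.compare_field = compare_field
        self.batch_limit = batch_limit  # rows per poll; a crude stand-in for EPS Throttle
        self.high_water = None

    def poll(self, start_value):
        """Return new rows as dicts and advance the high-water mark."""
        # The first poll starts at the configured start value (Start Date and
        # Time, or 0); later polls start at the last compare value seen.
        floor = start_value if self.high_water is None else self.high_water
        cur = self.conn.execute(self.query, (floor, self.batch_limit))
        columns = [d[0] for d in cur.description]
        rows = [dict(zip(columns, r)) for r in cur.fetchall()]
        if rows:
            self.high_water = rows[-1][self.compare_field]
        return rows


def build_sample_db():
    """Constructed sample data: three event rows keyed by SensorDataRowID."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (SensorDataRowID INTEGER PRIMARY KEY, msg TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?)",
                     [(1, "login ok"), (2, "policy update"), (3, "login failed")])
    return conn


def run_demo():
    """Three polls: the initial backlog, nothing new, then one newly inserted row."""
    conn = build_sample_db()
    poller = IncrementalPoller(conn, "events", "*", "SensorDataRowID")
    sizes = [len(poller.poll(0)), len(poller.poll(0))]
    conn.execute("INSERT INTO events VALUES (4, 'new event')")
    sizes.append(len(poller.poll(0)))
    return sizes  # [3, 0, 1]


if __name__ == "__main__":
    print(run_demo(), parse_polling_interval("10"), parse_polling_interval("2H"))
```

Two points are worth noticing. Table and column names cannot be bound as statement parameters in any SQL driver, which is why the script validates them against the documented character set before interpolating them, while the compare value and the row limit travel as bound parameters. And because the high-water mark only advances when rows are returned, a poll that finds nothing leaves the floor where it was, so no window of rows is skipped.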

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the Syslog Protocol on page 18.

Configuring the JDBC SiteProtector Protocol on page 25.

Configuring the Sophos Enterprise Console JDBC Protocol on page 29.

Configuring the Juniper Networks NSM Protocol on page 34.

Configuring the OPSEC/LEA Protocol on page 36.

Configuring the JDBC SiteProtector Protocol


Log sources configured with the Java Database Connectivity (JDBC) SiteProtector protocol
can remotely poll IBM Proventia Management SiteProtector databases for events.
The JDBC - SiteProtector protocol combines information from the SensorData1 and
SensorDataAVP1 tables in the creation of the log source payload. The SensorData1 and
SensorDataAVP1 tables are located in the IBM Proventia Management SiteProtector
database. The maximum number of rows that the JDBC - SiteProtector protocol can poll
in a single query is 30,000 rows.
Table 9 on page 25 describes the parameters of the JDBC - SiteProtector protocol.

Table 9: JDBC - SiteProtector Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select the type of log source to add.

Protocol Configuration

From the list, select JDBC - SiteProtector.

Log Source Identifier

Type the log source identifier in one of the following formats:

database@hostname

table name|database@hostname

The database name must match the value of the Database Name parameter. The database
name is a required parameter.
The hostname is the hostname or IP address for the device that hosts the database. The
hostname must match the parameter in the IP or Hostname field. The hostname is a required
parameter.
Optional. The table name is the name of the table or view on the database that contains the
event records. If you define the name of a table or view, you must include a pipe (|) character as
a separator. The name of the view or table must match the Table Name field.

Database Type

From the list box, select MSDE as the type of database to use for the event source.

Database Name

Type RealSecureDB as the name of the database to which the protocol can connect.

IP or Hostname

Type the IP address or hostname of the database server.

Port

Type the port number used by the database server. The default displayed depends on the selected
Database Type. The valid range is 0 to 65536. The defaults include:

MSDE - 1433

Postgres - 5432

MySQL - 3306

Sybase - 1521

Oracle - 1521

Informix - 9088

The JDBC SiteProtector configuration port must match the listener port of the database. The
database must have incoming TCP connections enabled.
If you define a Database Instance with MSDE as the database type, you must leave the Port
parameter blank in your log source configuration.

Username

Type the database username. The username can be up to 255 alphanumeric characters in length
and can include underscores (_).
If you want to track access to a database by the JDBC protocol, you can create a specific user for
your JSA system.

Password

Type the database password. The password can be up to 255 characters in length.

Confirm Password

Confirm the password to access the database.

Authentication Domain

If you select MSDE and the database is configured for Windows, you must define a Windows
domain.
If your network does not use a domain, leave this field blank.

Database Instance

If you select MSDE and you have multiple SQL server instances on one server, define the instance
to which you want to connect.
If you use a non-standard port in your database configuration, or have blocked access to port 1434
for SQL database resolution, you must leave the Database Instance parameter blank in your
configuration.

Predefined Query

From the list, select a predefined database query for your log source. Predefined database queries
are only available for special log source connections.

Table Name

Type SensorData1.

AVP View Name

Type SensorDataAVP.

Response View Name

Type SensorDataResponse.

Select List

Type * to include all fields from the table or view.

Compare Field

Type SensorDataRowID to identify new events added between queries to the table.

Use Prepared Statements

Select this check box to use prepared statements.


Prepared statements allow the JDBC protocol source to set up the SQL statement, and then execute
the SQL statement numerous times with different parameters. For security and performance
reasons, we recommend that you use prepared statements.
Clear this check box to use an alternative method of querying that does not use pre-compiled
statements.

Include Audit Events

Select this check box to collect audit events from IBM SiteProtector.
By default, this check box is clear.

Start Date and Time

Optional. Configure a start date and time for when the protocol can start to poll the database.

Polling Interval

Type the polling interval, which is the amount of time between queries to the event table. The
default polling interval is 10 seconds.
Administrators can define a longer polling interval by appending H for hours or M for minutes to
the numeric value. The maximum polling interval is 1 week in any time format. Numeric values
without an H or M designator poll in seconds.

EPS Throttle

Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The
default value is 20000 EPS.

Use Named Pipe Communication

If you select MSDE as the database type, select the check box to use an alternative method to a
TCP/IP port connection.
When administrators use a Named Pipe connection, the username and password must be the
appropriate Windows authentication username and password and not the database username
and password. The log source configuration must use the default named pipe.

Database Cluster Name

If the Use Named Pipe Communication check box is selected, the Database Cluster Name parameter
is displayed.
Type the cluster name to ensure that named pipe communications function properly.

Use NTLMv2

Select the Use NTLMv2 check box to force MSDE connections to use the NTLMv2 protocol when
communicating with SQL servers that require NTLMv2 authentication. The default value of the
check box is selected.
The Use NTLMv2 check box does not interrupt communications for MSDE connections that do not
require NTLMv2 authentication.

Use SSL

Select this check box to enable SSL encryption for the JDBC protocol.

Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not
counted in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source.
The credibility value that is assigned to a log source can increase or decrease based on incoming
events or adjusted as a response to user created event rules. The credibility of events from log
sources contributes to the calculation of the offense magnitude and can increase or decrease the
magnitude value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote
source, this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event
collector, instead of the console appliance. Distributing events across target event collectors can
improve performance in distributed deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a
short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and events are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are
XML files that contain regular expressions, which can override or repair the event parsing of a device
support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement - Select this option when most fields parse correctly for the log source.

Parsing override - Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.

To configure the JDBC SiteProtector protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source. The JSA provides step-by-step
instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the Syslog Protocol on page 18.

Configuring the JDBC Protocol on page 21.

Configuring the Sophos Enterprise Console JDBC Protocol on page 29.

Configuring the Juniper Networks NSM Protocol on page 34.

Configuring the OPSEC/LEA Protocol on page 36.

Configuring the SDEE Protocol on page 39.

Configuring the Sophos Enterprise Console JDBC Protocol


The Sophos Enterprise Console JDBC protocol can poll Sophos Enterprise Consoles for events.
The Sophos Enterprise Console JDBC protocol combines payload information from
application control logs, device control logs, data control logs, tamper protection logs,
and firewall logs in the vEvents Common Data table to provide events to Juniper Secure
Analytics (JSA). If the Sophos Enterprise Console does not have the Sophos Reporting
Interface, administrators can use the standard JDBC protocol to collect antivirus events.
Detailed configuration steps for Sophos Enterprise Consoles are provided in the JSA.
Table 10 on page 30 describes the parameters of the Sophos Enterprise Console JDBC
protocol.

Table 10: Sophos Enterprise Console JDBC Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select the type of log source to add.

Protocol Configuration

From the list, select Sophos Enterprise console JDBC.

Log Source Identifier

Type the log source identifier in one of the following formats:

database@hostname

table name|database@hostname

The database name must match the value of the Database Name parameter. The database name
is a required parameter.
The hostname is the host name or IP address for the device that hosts the database. The hostname
must match the parameter in the IP or Hostname field. The host name is a required parameter.
Optional. The table name is the name of the table or view on the database that contains the event
records. If you define the name of a table or view, you must include a pipe ( | ) character as a
separator. The name of the view or table must match the Table Name field.

Database Type

From the list box, select MSDE.

Database Name

Type the name of the Sophos database.


The database name must match the database name that is specified in the Log Source Identifier
field.

IP or Hostname

Type the IP address or host name of the database server.

Port

Type the port number that is used by the database server. The default port for MSDE in Sophos
Enterprise console is 1168. The JDBC configuration port must match the listener port of the Sophos
database. The Sophos database must have incoming TCP connections enabled to communicate
with JSA.
If a Database Instance is used with the MSDE database type, administrators must leave the Port
parameter blank in the log source configuration.

Username

Type the database user name. The user name can be up to 255 alphanumeric characters in length
and can include underscore (_) characters.

Password

Type the database password that is required to access the database.

Confirm Password

Confirm the password to access the database.

Authentication Domain

Type a domain for the database.


A domain must be configured for MSDE databases that are within a Windows domain. If your
network does not use a domain, leave this field blank.

Database Instance

Type the database instance, if required. MSDE databases can include multiple SQL server instances
on one server.
When a non-standard port is used for the database or administrators block access to port 1434 for
SQL database resolution, the Database Instance parameter must be blank.

Table Name

Type vEventsCommonData as the name of the table or view that includes the event records.
The table name can include the following special characters: dollar sign ( $ ), number sign ( # ),
underscore ( _ ), en dash ( - ), and period ( . ).

Select List

Type * for all fields from the table or view.

Compare Field

Type InsertedAt to identify new events added between queries to the database table.

Use Prepared Statements

Select this check box to use prepared statements.
Prepared statements enable the protocol source to set up the SQL statement, and then execute
the SQL statement numerous times with different parameters. For security and performance
reasons, most configurations can use prepared statements.
Clear this check box to use an alternative method of querying that does not use precompiled
statements.

Start Date and Time

Optional. Configure a start date and time for when the protocol can start to poll the database.
If a start time is not defined, the protocol attempts to poll for events after the log source configuration
is saved and deployed.

Polling Interval

Type the polling interval, which is the amount of time between queries to the database. The default
polling interval is 10 seconds.
Administrators can define a longer polling interval by appending H for hours or M for minutes to the
numeric value. The maximum polling interval is 1 week in any time format. Numeric values without
an H or M designator poll in seconds.

EPS Throttle

Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The
default value is 20000 EPS.

Use Named Pipe Communication

If MSDE is configured as the database type, administrators can select this check box to use an
alternative method to a TCP/IP port connection.
Named pipe connections for MSDE databases require the username and password field to use a
Windows authentication username and password and not the database username and password.
The log source configuration must use the default named pipe on the MSDE database.

Database Cluster Name

If the Use Named Pipe Communication check box is selected, the Database Cluster Name parameter
is displayed.
If you use your SQL server in a cluster environment, define the cluster name to ensure that named
pipe communications function properly.

Use NTLMv2

Select the Use NTLMv2 check box to force MSDE connections to use the NTLMv2 protocol when
communicating with SQL servers that require NTLMv2 authentication. The default value of the
check box is selected.
The Use NTLMv2 check box does not interrupt communications for MSDE connections that do not
require NTLMv2 authentication.

Use SSL

Select this check box to enable SSL encryption for the protocol.

Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not counted
in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source.
The credibility value that is assigned to a log source can increase or decrease based on incoming
events or adjusted as a response to user created event rules. The credibility of events from log
sources contributes to the calculation of the offense magnitude and can increase or decrease the
magnitude value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote source,
this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event
collector, instead of the console appliance. Distributing events across target event collectors can
improve performance in distributed deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a
short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and events are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are XML
files that contain regular expressions, which can override or repair the event parsing of a device
support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement - Select this option when most fields parse correctly for the log source.

Parsing override - Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.

To configure the Sophos Enterprise Console JDBC protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source. The JSA provides step-by-step instructions
to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.
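The Log Source Identifier rows of Table 9 and Table 10 describe the same two formats, database@hostname and table name|database@hostname, and require each piece to agree with the Database Name, IP or Hostname and Table Name parameters of the same log source. The following is an added example written for this page, not JSA code: it parses an identifier in either format, checks a table name against the character set the Table Name parameter permits, checks the host part as an IP address or a DNS hostname, and reports any mismatch with the other parameters so the inconsistency is caught before the configuration is saved and deployed. The database name SophosDB and the hostnames used in the test are constructed sample values.

```python
"""Parse and cross-check a JDBC-style Log Source Identifier.

Added example for this page, not JSA code.  Formats handled:
    database@hostname
    table name|database@hostname
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Characters the Table Name parameter permits in addition to letters and digits.
TABLE_NAME_EXTRA = set("$#_-.")
# One DNS label: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen.
HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass(frozen=True)
class LogSourceIdentifier:
    database: str
    hostname: str
    table: Optional[str] = None


def valid_table_name(name):
    """True when the name uses only the characters the Table Name field allows."""
    return bool(name) and all(c.isalnum() or c in TABLE_NAME_EXTRA for c in name)


def valid_host(host):
    """Accept an IP address (v4 or v6) or a syntactically valid DNS hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    return 0 < len(host) <= 253 and all(HOSTNAME_LABEL.match(label) for label in labels)


def parse_identifier(text):
    """Split the identifier into its parts, rejecting malformed input."""
    table = None
    if "|" in text:
        # The pipe separates an optional table or view name from the rest.
        table, _, text = text.partition("|")
        if not valid_table_name(table):
            raise ValueError(f"table name has illegal characters: {table!r}")
    if text.count("@") != 1:
        raise ValueError("identifier must contain exactly one '@'")
    database, _, hostname = text.partition("@")
    if not database:
        raise ValueError("database name is required")
    if not valid_host(hostname):
        raise ValueError(f"host part is not an IP address or hostname: {hostname!r}")
    return LogSourceIdentifier(database, hostname, table)


def check_against_parameters(ident, database_name, ip_or_hostname, table_name=None):
    """Return a list of mismatches with the other log source parameters.

    An empty list means the identifier is consistent with the configuration.
    Database and table names are compared exactly, as the tables require;
    hostnames are compared case-insensitively because DNS is.
    """
    problems = []
    if ident.database != database_name:
        problems.append("database in identifier does not match Database Name")
    if ident.hostname.lower() != ip_or_hostname.lower():
        problems.append("host in identifier does not match IP or Hostname")
    if ident.table is not None and ident.table != table_name:
        problems.append("table in identifier does not match Table Name")
    return problems


if __name__ == "__main__":
    # Constructed sample values; RealSecureDB and SensorData1 are the names Table 9 specifies.
    ident = parse_identifier("SensorData1|RealSecureDB@siteprotector.example.internal")
    print(ident, check_against_parameters(ident, "RealSecureDB",
                                          "siteprotector.example.internal", "SensorData1"))
```

The parser is strict on purpose: a missing database part, a second @, or a table name outside the permitted character set is rejected rather than guessed at, because the JDBC protocol will otherwise fail at poll time with a less informative error.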

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the Syslog Protocol on page 18.

Configuring the JDBC Protocol on page 21.

Configuring the JDBC SiteProtector Protocol on page 25.

Configuring the Juniper Networks NSM Protocol on page 34.

Configuring the OPSEC/LEA Protocol on page 36.

Configuring the SDEE Protocol on page 39.

Configuring the Juniper Networks NSM Protocol


The Juniper Networks Network and Security Manager Protocol (NSM protocol) can poll
Sophos Enterprise consoles for events.
The Juniper Networks Network and Security Manager protocol can accept Juniper
Networks NSM and Juniper Networks Secure Service Gateway (SSG) logs. Detailed
configuration steps are provided in the Juniper Secure Analytics (JSA).

Table 11: Juniper Networks NSM Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select Juniper Networks Network and Security Manager.

Protocol Configuration

From the list, select Juniper NSM.

Log Source Identifier

Type an IP address, host name, or unique name to identify the log source.

IP

Type the IP address or host name of the Juniper Networks NSM server.

Inbound Port

Type the inbound port to which the Juniper Networks NSM sends events.
The valid range is 0 to 65536. The default is 514.

Redirect Listen Port

Type the port to which traffic is forwarded. The default is 516.

Use NSM Address for Log Source

Select this check box to use the Juniper NSM management server IP address instead of the log
source IP address. By default, the check box is selected.

Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not
counted in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source.
The credibility value that is assigned to a log source can increase or decrease based on incoming
events or adjusted as a response to user created event rules. The credibility of events from log
sources contributes to the calculation of the offense magnitude and can increase or decrease
the magnitude value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote
source, this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event
collector, instead of the console appliance. Distributing events across target event collectors can
improve performance in distributed deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within
a short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and events are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are
XML files that contain regular expressions, which can override or repair the event parsing of a
device support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement: Select this option when most fields parse correctly for the log source.

Parsing override: Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.
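The Coalescing Events behaviour described in the table above, as an added example that is not JSA's own code: it bundles repeats of the same event seen within a short interval into one record with an event count, and shows the cleared check box (every event kept individually) beside it. The bundle key (log source plus event name), the 10-second window and all sample events are assumptions constructed for this example.

```python
"""Added example: a simplified model of the Coalescing Events check box.

Not JSA code. Assumptions (labelled): repeats are identified by the pair
(log source, event name) and the "short time interval" is a 10-second window
measured from the first event of a bundle. All events below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Event:
    ts: float          # seconds since an arbitrary epoch
    log_source: str    # Log Source Identifier
    event_name: str    # normalized event identity after DSM parsing
    payload: str       # raw payload (kept only when Store Event Payload is on)


@dataclass
class CoalescedEvent:
    first_ts: float
    last_ts: float
    log_source: str
    event_name: str
    payload: str       # payload of the first event in the bundle
    event_count: int = 1


def coalesce(events, window=10.0, enabled=True):
    """Bundle repeats of the same event seen within `window` seconds of the
    bundle's first event. enabled=False models a cleared check box: every
    event is returned individually with event_count 1."""
    records = []
    open_bundles = {}  # (log_source, event_name) -> CoalescedEvent
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.log_source, ev.event_name)
        bundle = open_bundles.get(key) if enabled else None
        if bundle is not None and ev.ts - bundle.first_ts <= window:
            bundle.event_count += 1       # same event again: count it, keep one record
            bundle.last_ts = ev.ts
            continue
        bundle = CoalescedEvent(ev.ts, ev.ts, ev.log_source, ev.event_name, ev.payload)
        records.append(bundle)
        if enabled:
            open_bundles[key] = bundle    # a repeat outside the window starts a new bundle
    return records


def total_count(records):
    """Sum of event counts: identical whether or not coalescing is enabled,
    so a rule that counts records and one that sums event_count can differ."""
    return sum(r.event_count for r in records)


# Constructed sample: a burst of six failed logins from one device within
# 5 seconds, one failed login from another device, one unrelated event, and
# a failed login 30 seconds later that falls outside the window.
SAMPLE_EVENTS = [
    Event(float(i), "fw-constructed-1", "Login Failed", f"constructed auth failure #{i}")
    for i in range(6)
] + [
    Event(2.0, "fw-constructed-2", "Login Failed", "constructed auth failure, second device"),
    Event(3.0, "fw-constructed-1", "Config Changed", "constructed policy install"),
    Event(30.0, "fw-constructed-1", "Login Failed", "constructed auth failure after quiet period"),
]

if __name__ == "__main__":
    for rec in coalesce(SAMPLE_EVENTS):
        print(f"{rec.log_source:18} {rec.event_name:15} count={rec.event_count}")
    print("records when coalescing is off:", len(coalesce(SAMPLE_EVENTS, enabled=False)))
```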

To configure the Juniper Networks NSM protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source. The JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the Syslog Protocol on page 18.

Configuring the JDBC Protocol on page 21.

Configuring the JDBC SiteProtector Protocol on page 25.

Configuring the Sophos Enterprise Console JDBC Protocol on page 29.

Configuring the OPSEC/LEA Protocol on page 36.

Configuring the SDEE Protocol on page 39.

Configuring the OPSEC/LEA Protocol


The OPSEC/LEA protocol continuously polls for event data on port 18184.
Detailed configuration steps for each log source type are provided in Juniper Secure
Analytics (JSA).

Table 12: OPSEC/LEA Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select a log source type.

Protocol Configuration

From the list, select OPSEC/LEA.

Log Source Identifier

Type an IP address, host name, or unique name to identify the log source.

Server IP

Type the IP address or host name of the Juniper Networks NSM server.

Server Port

Type the port used for OPSEC/LEA communication. The valid range is 0 to 65536.
Administrators must verify that JSA can communicate on port 18184 to communicate with the
OPSEC/LEA protocol.

Use Server IP for Log Source

Select this check box if you want to use the LEA server's IP address instead of the managed
device's IP address for a log source.
By default, the check box is selected.

Statistics Report Interval

Type the interval, in seconds, during which the number of syslog events is recorded in the
qradar.log file.
The valid range is 4 to 2,147,483,648.

Authentication Type

From the list box, select the authentication type you want
to use for this LEA configuration. The type selected must
match the authentication method used by the server. The
options include sslca, sslca_clear, or clear.

OPSEC Application Object SIC Attribute (SIC Name)

Type the Secure Internal Communications (SIC) name of the OPSEC Application Object. The SIC
name is the distinguished name (DN) of the application, for example: CN=LEA,
o=fwconsole..7psasx. The name can be up to 255 characters in length and is case sensitive.

Log Source SIC Attribute (Entity SIC Name)

Type the SIC name of the server, for example: cn=cp_mgmt,o=fwconsole..7psasx. The name can be
up to 255 characters in length and is case sensitive.

Specify Certificate

Select this check box to define a certificate for this LEA configuration.
JSA attempts to retrieve the certificate with these parameters when the certificate is required.

Certificate Filename

Type the directory path of the certificate you want to use for this configuration. This option
only appears if Specify Certificate is selected.

Certificate Authority IP

Type the IP address of the server that contains the certificate.

Pull Certificate Password

Type the password to use to request the certificate.

OPSEC Application

Type the name of the application that makes the certificate request.

Enabled

Select this check box to enable the log source.
When this check box is clear, the log source does not collect events and the log source does not
count against the log source limit in the license.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default
credibility is 5.
Credibility is a representation of the integrity or validity of events created by a log source.
The credibility value assigned to a log source can increase or decrease based on incoming
events or be adjusted in response to user-created event rules. The credibility of events from
log sources contributes to the calculation of the offense magnitude and can increase or
decrease the magnitude value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote
source, this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target
event collector, instead of the console appliance. Distributing events across target event
collectors can improve performance in distributed deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within
a short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and events are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are
XML files that contain regular expressions, which can override or repair the event parsing of a
device support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement: Select this option when most fields parse correctly for the log source.

Parsing override: Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.

To configure the OPSEC/LEA protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source. The JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the Syslog Protocol on page 18.

Configuring the JDBC Protocol on page 21.

Configuring the JDBC SiteProtector Protocol on page 25.

Configuring the Sophos Enterprise Console JDBC Protocol on page 29.

Configuring the Juniper Networks NSM Protocol on page 34.

Configuring the SDEE Protocol on page 39.

Configuring the SDEE Protocol


The Security Device Event Exchange (SDEE) protocol enables Juniper Secure Analytics
(JSA) to use subscriptions to collect events from appliances that use SDEE servers.
Detailed configuration steps for each log source type are provided in the JSA.

Table 13: SDEE Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select a log source type.

Protocol Configuration

From the list, select SDEE.

Log Source Identifier

Type an IP address, host name, or name to identify the SDEE event source.
IP addresses or host names are suggested as they identify a unique value for the event source.

URL

Type the HTTP or HTTPS URL required to access the log source, for example,
https://www.mysdeeserver.com/cgi-bin/sdee-server. The options include:

For SDEE/CIDEE (Cisco IDS v5.x and above), the URL must end with /cgi-bin/sdee-server.

For RDEP (Cisco IDS v4.x), the URL must end with /cgi-bin/event-server.

Username

Type the username required to access the URL.

Password

Type the password required to access the URL.

Events / Query

Type the maximum number of events to retrieve per query. The valid range is 0 to 501 and the
default is 100.

Force Subscription

Select this check box to force a new SDEE subscription.
When the check box is selected, the protocol forces the server to drop the least active connection
and accept a new SDEE subscription connection for the log source.
Clearing the check box continues with any existing SDEE subscription.

Severity Filter

Select a check box for each severity level the log source can subscribe to and collect with the log
source. The options include:

Informational

Low

Medium

High

Event Filter

Select a check box for each severity level the log source can subscribe to and collect with the log
source. The options include:

Alerts

Status

Errors

Event Collection Interval

Type the time interval to indicate the frequency with which the subscription can collect events.
The time interval is defined in seconds.

Connection Retry On Failure

Type a time interval to indicate how long the subscription must wait before another subscription
is attempted. The wait time interval is defined in seconds.

Maximum Wait To Block For Events

Type the interval to indicate the length of the event block.
When a collection request is made and no new events are available, the protocol enables an event
block. The block prevents another event request from being made to a remote device that did not
have any new events. This timeout is intended to conserve system resources.
The time interval is defined in seconds.

Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source does not
count against the log source limit in the license.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events created by a log source. The
credibility value assigned to a log source can increase or decrease based on incoming events or
adjusted as a response to user created event rules. The credibility of events from log sources
contributes to the calculation of the offense magnitude and can increase or decrease the magnitude
value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote
source, this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event
collector, instead of the console appliance. Distributing events across target event collectors can
improve performance in distributed deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a
short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and events are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are
XML files that contain regular expressions, which can override or repair the event parsing of a
device support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement: Select this option when most fields parse correctly for the log source.

Parsing override: Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.
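How the SDEE timing parameters in Table 13 (Events / Query, Event Collection Interval, Connection Retry On Failure, Maximum Wait To Block For Events) and the Severity and Event Filter check boxes shape a subscription, as an added simulation that is not JSA's own code. The server, the clock and all events are constructed stand-ins; applying the filters on the client side is a stand-in for the subscription filter, and the 300-second block value is an assumed setting.

```python
"""Added example: a deterministic simulation of how the Table 13 timing
parameters drive an SDEE subscription. Not JSA code. The server is a
constructed stand-in (ScriptedSensor) and the clock is simulated, so the
loop runs offline; the severity and event-type check boxes are applied
client-side here as a stand-in for the subscription filter."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SdeeSettings:
    events_per_query: int = 100       # Events / Query: valid range 0 to 501, default 100
    collection_interval: int = 30     # Event Collection Interval, seconds
    retry_on_failure: int = 60        # Connection Retry On Failure, seconds
    max_wait_to_block: int = 300      # Maximum Wait To Block For Events, seconds (assumed value)
    severities: frozenset = frozenset({"informational", "low", "medium", "high"})
    event_types: frozenset = frozenset({"alert", "status", "error"})

    def check(self):
        """Reject values outside the ranges the parameter table documents."""
        if not 0 <= self.events_per_query <= 501:
            raise ValueError("Events / Query must be between 0 and 501")
        for name in ("collection_interval", "retry_on_failure", "max_wait_to_block"):
            if getattr(self, name) <= 0:
                raise ValueError(f"{name} must be a positive number of seconds")


def next_delay(settings, outcome):
    """Seconds to wait before the next request, by result of the last one:
    events  -> normal cadence (Event Collection Interval)
    empty   -> event block: the device had nothing new, so do not ask again
               until Maximum Wait To Block For Events has elapsed
    failure -> wait Connection Retry On Failure before re-subscribing"""
    return {"events": settings.collection_interval,
            "empty": settings.max_wait_to_block,
            "failure": settings.retry_on_failure}[outcome]


def wanted(settings, event):
    """Severity Filter and Event Filter check boxes."""
    return event["severity"] in settings.severities and event["type"] in settings.event_types


class ScriptedSensor:
    """Constructed stand-in for an SDEE server: a queue of events plus the
    request numbers that should fail (no real network traffic)."""
    def __init__(self, events, fail_on=()):
        self.queue = list(events)
        self.fail_on = set(fail_on)
        self.requests = 0

    def get_events(self, max_events):
        self.requests += 1
        if self.requests in self.fail_on:
            raise ConnectionError(f"constructed failure on request {self.requests}")
        batch, self.queue = self.queue[:max_events], self.queue[max_events:]
        return batch


def run_subscription(settings, sensor, polls):
    """Issue `polls` requests; return a trace of (t, outcome, kept, delay)
    with t in simulated seconds since the subscription started."""
    settings.check()
    t, trace = 0, []
    for _ in range(polls):
        try:
            batch = sensor.get_events(settings.events_per_query)
            kept = [e for e in batch if wanted(settings, e)]
            outcome = "events" if batch else "empty"
        except ConnectionError:
            kept, outcome = [], "failure"
        delay = next_delay(settings, outcome)
        trace.append((t, outcome, len(kept), delay))
        t += delay
    return trace


# Constructed sample events (not captured SDEE output).
SAMPLE_EVENTS = [
    {"type": "alert", "severity": "high", "id": "constructed-1"},
    {"type": "alert", "severity": "informational", "id": "constructed-2"},
    {"type": "status", "severity": "low", "id": "constructed-3"},
    {"type": "error", "severity": "medium", "id": "constructed-4"},
    {"type": "alert", "severity": "high", "id": "constructed-5"},
]

DEMO_SETTINGS = SdeeSettings(events_per_query=2,
                             severities=frozenset({"low", "medium", "high"}),
                             event_types=frozenset({"alert", "error"}))


def demo():
    """Five requests: the second one fails, the fifth finds the queue empty."""
    return run_subscription(DEMO_SETTINGS, ScriptedSensor(SAMPLE_EVENTS, fail_on={2}), 5)


if __name__ == "__main__":
    for t, outcome, kept, delay in demo():
        print(f"t={t:4d}s {outcome:8} kept={kept} next request in {delay}s")
```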

To configure the SDEE protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source. The JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the Syslog Protocol on page 18.

Configuring the JDBC Protocol on page 21.

Configuring the JDBC SiteProtector Protocol on page 25.

Configuring the Sophos Enterprise Console JDBC Protocol on page 29.

Configuring the Juniper Networks NSM Protocol on page 34.

Configuring the OPSEC/LEA Protocol on page 36.

Configuring the SNMPv1 Protocol on page 42.

Configuring the SNMPv1 Protocol


The SNMPv1 protocol provides log sources the ability to receive SNMPv1 events.
Table 14 on page 42 describes the parameters of the SNMPv1 protocol.

Table 14: SNMPv1 Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select the type of log source to add.

Protocol Configuration

From the list, select SNMPv1.

Log Source Identifier

Type an IPv4 address or host name to identify the log source that created the events.
If the network contains devices that are attached to a management console, administrators can
specify the IP address of the individual device that created the event. A unique identifier for each,
such as an IP address, prevents event searches from identifying the management console as the
source for all of the events.

Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not counted
in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source.
The credibility value that is assigned to a log source can increase or decrease based on incoming
events or adjusted as a response to user created event rules. The credibility of events from log
sources contributes to the calculation of the offense magnitude and can increase or decrease the
magnitude value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote source,
this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event
collector, instead of the console appliance. Distributing events across target event collectors can
improve performance in distributed deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a
short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and events are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab.
Administrators can use this check box to override the default behavior of the system settings for
an individual log source.

Log Source Language

Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are XML
files that contain regular expressions, which can override or repair the event parsing of a device
support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement: Select this option when most fields parse correctly for the log source.

Parsing override: Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.

To configure the SNMPv1 protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source. The JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the Syslog Protocol on page 18.

Configuring the JDBC Protocol on page 21.

Configuring the JDBC SiteProtector Protocol on page 25.

Configuring the Sophos Enterprise Console JDBC Protocol on page 29.

Configuring the Juniper Networks NSM Protocol on page 34.

Configuring the OPSEC/LEA Protocol on page 36.

Configuring the SNMPv2 Protocol


The SNMPv2 protocol provides log sources the ability to receive SNMPv2 events.
Table 15 on page 45 describes the parameters of the SNMPv2 protocol.

Table 15: SNMPv2 Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select the type of log source to add.

Protocol Configuration

From the list, select SNMPv2.

Log Source Identifier

Type an IPv4 address or hostname to identify the log source that created the events.
If the network contains devices that are attached to a management console, administrators can
specify the IP address of the individual device that created the event. A unique identifier for each,
such as an IP address, prevents searches from identifying the management console as the source
for all of the events.

Community

Type the SNMP community name required to access the system containing SNMP events. The
default is Public.

Include OIDs in Event Payload

This option allows the SNMP event payload to be constructed using name-value pairs instead of
the standard event payload format.
Including OIDs in the event payload is required for processing SNMPv2 or SNMPv3 events when
you select specific log sources from the Log Source Types list. For more information, see the JSA.

Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not counted
in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source.
The credibility value that is assigned to a log source can increase or decrease based on incoming
events or adjusted as a response to user created event rules. The credibility of events from log
sources contributes to the calculation of the offense magnitude and can increase or decrease the
magnitude value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote
source, this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event
collector, instead of the console appliance. Distributing events across target event collectors can
improve performance in distributed deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a
short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and events are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab.
Administrators can use this check box to override the default behavior of the system settings for
an individual log source.

Log Source Language

Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are
XML files that contain regular expressions, which can override or repair the event parsing of a device
support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement: Select this option when most fields parse correctly for the log source.

Parsing override: Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.

To configure the SNMPv2 protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source. The Juniper Secure Analytics Configuring DSMs Guide provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the Syslog Protocol on page 18.

Configuring the JDBC Protocol on page 21.

Configuring the JDBC SiteProtector Protocol on page 25.

Configuring the Sophos Enterprise Console JDBC Protocol on page 29.

Configuring the Juniper Networks NSM Protocol on page 34.

Configuring the OPSEC/LEA Protocol on page 36.

Configuring the SNMPv3 Protocol


The SNMPv3 protocol provides log sources the ability to receive SNMPv3 events.
Table 16 on page 47 describes the parameters of the SNMPv3 protocol.

Table 16: SNMPv3 Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select the type of log source to add.

Protocol Configuration

From the list, select SNMPv3.

Log Source Identifier

Type an IPv4 address or hostname to identify the log source that created the events.
If the network contains devices that are attached to a management console, administrators can
specify the IP address of the individual device that created the event. A unique identifier for each,
such as an IP address, prevents event searches from identifying the management console as the
source for all of the events.

Authentication Protocol

From the list, select the algorithm you want to use to authenticate SNMP traps. The options
include:

MD5

SHA

Authentication Password

Type the password you want to use to authenticate SNMP. The password can be up to 64
characters in length.
NOTE: Your authentication password must include a minimum of 8 characters.

Decryption Protocol

From the list box, select the protocol you want to use to decrypt SNMP traps. The default is AES256.

Decryption Password

Type the password used to decrypt SNMP traps. The password can be up to 64 characters in
length.

User

Type the user access for this protocol. The default is AdminUser.
The username can be up to 255 characters in length.

Include OIDs in Event Payload

This option allows the SNMP event payload to be constructed using name-value pairs instead of
the standard event payload format.
Including OIDs in the event payload is required for processing SNMPv2 or SNMPv3 events when
you select specific log sources from the Log Source Types list. For more information, see the JSA.

Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not
counted in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source.
The credibility value that is assigned to a log source can increase or decrease based on incoming
events or adjusted as a response to user created event rules. The credibility of events from log
sources contributes to the calculation of the offense magnitude and can increase or decrease the
magnitude value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote
source, this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event
collector, instead of the console appliance. Distributing events across target event collectors can
improve performance in distributed deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a
short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and events are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are
XML files that contain regular expressions, which can override or repair the event parsing of a
device support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement: Select this option when most fields parse correctly for the log source.

Parsing override: Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.

To configure the SNMPv3 protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source. The JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the Syslog Protocol on page 18.

Configuring the JDBC Protocol on page 21.

Configuring the JDBC SiteProtector Protocol on page 25.

Configuring the Sophos Enterprise Console JDBC Protocol on page 29.

Configuring the Juniper Networks NSM Protocol on page 34.

Configuring the OPSEC/LEA Protocol on page 36.

Configuring the Sourcefire Defense Center Estreamer Protocol


The Sourcefire Defense Center Estreamer protocol enables Juniper Secure Analytics
(JSA) to receive streaming event data from a Sourcefire Defense Center Estreamer (Event
Streamer) service.
Event files are streamed to JSA to be processed after the Sourcefire Defense Center DSM
is configured. Detailed configuration steps for Sourcefire Defense Center are provided in
the JSA.


Table 17: Sourcefire Defense Center Estreamer Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select a log source type.

Protocol Configuration

From the list, select Sourcefire Defense Center Estreamer.

Log Source Identifier

Type an IP address, host name, or name to identify the Sourcefire Defense Center event source.
IP addresses or host names are suggested as they identify a unique value for the event source.

Server Address

Type the IP address or hostname of the Sourcefire Defense Center device.

Server Port

Type the port number JSA uses to receive Sourcefire Defense Center Estreamer events. The default
is 8302.

Keystore Filename

Type the directory path and file name for the keystore private key and associated certificate.
By default, the import script creates the keystore file in the following directory:
/opt/qradar/conf/estreamer.keystore.

Truststore Filename

Type the directory path and file name for the truststore file.
The truststore file contains the certificates trusted by the client.
By default, the import script creates the truststore file in the following directory:
/opt/qradar/conf/estreamer.truststore.

Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not
counted in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source.
The credibility value that is assigned to a log source can increase or decrease based on incoming
events or adjusted as a response to user created event rules. The credibility of events from log
sources contributes to the calculation of the offense magnitude and can increase or decrease the
magnitude value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote
source, this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event
collector, instead of the console appliance. Distributing event across target event collectors can
improve performance in distributed deployments.


Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increase the event count when the same event occurs multiple times within a
short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and events are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are
XML files that contain regular expressions, which can override or repair the event parsing of a device
support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement: Select this option when most fields parse correctly for the log source.

Parsing override: Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.

To configure the Sourcefire Defense Center Estreamer protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for the log source. JSA provides step-by-step instructions to configure each log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the Syslog Protocol on page 18.


Configuring the JDBC Protocol on page 21.

Configuring the JDBC SiteProtector Protocol on page 25.

Configuring the Sophos Enterprise Console JDBC Protocol on page 29.

Configuring the Juniper Networks NSM Protocol on page 34.

Configuring the OPSEC/LEA Protocol on page 36.

Configuring the SDEE Protocol on page 39.

Configuring the Log File Protocol


The log file protocol retrieves event files from remote hosts so that events stored in
remote locations can be processed.
The log file protocol is intended for systems that write daily event logs. It is not appropriate
for devices that append information to their event files after the file is written.
Log files are retrieved one at a time to be processed. The log file protocol can manage
plain text, compressed files, or file archives. Archives must contain plain-text files that
can be processed one line at a time. When the log file protocol downloads an event file,
the information received in the file updates the Log Activity tab. If more information is
written to the file after the download is complete, the appended information is not
processed.

Table 18: Log File Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select the type of log source to add.

Protocol Configuration

From the list, select Log File.

Log Source Identifier

Type an IPv4 address or host name to identify the log source that created the events.
If the remote source contains multiple devices, such as a file repository, administrators must specify
the IP address of the device that created the event.
Unique identifiers ensure that events are associated to the correct device in the network, instead of
identifying the event for the management console or file repository.


Service Type

From the list box, select the protocol to use when retrieving log files from a remote server. The options
include:

SFTP: Secure file transfer protocol

FTP: File transfer protocol

SCP: Secure copy protocol

The default is SFTP.

The server that is specified in the Remote IP or Hostname field must have the SFTP subsystem
enabled to retrieve log files with SCP or SFTP.

Remote IP or Hostname

Type the IP address or host name of the device that contains the event log files.

Remote Port

Type the port that is used to communicate with the remote host. The valid range is 1 to 65535. The
options include:

FTP: TCP port 21

SFTP: TCP port 22

SCP: TCP port 22

If the remote host uses a non-standard port number, administrators must adjust the port value to
retrieve events.

Remote User

Type the user name necessary to log in to the host that contains the event files.

Remote Password

Type the password necessary to log in to the host.

Confirm Password

Confirm the password necessary to log in to the host.

SSH Key File

Type the path to the SSH key, if the system is configured to use key authentication.
When an SSH key file is used, the Remote Password field is ignored.

Remote Directory

Type the directory location on the remote host from which the files are retrieved. The directory path
is relative to the user account that is used to log in.
NOTE: For FTP only. If the log files are in the remote user's home directory, you can leave the remote
directory blank. A blank remote directory field supports systems where the change working
directory (CWD) command is restricted.

Recursive

Select this check box to enable the file pattern to search subfolders. By default, the check box is
clear.
This option is ignored for SCP file transfers.

FTP File Pattern

Type the regular expression (regex) required to identify the files to download from the remote host.
All files that match the regular expression are included in the download.
This field applies to SFTP and FTP file transfers.

SCP Remote File

For SCP file transfers, type the name of the file on the remote host.


FTP Transfer Mode

From the list box, select the transfer mode for the log source:

Binary: Select this option for log sources that require binary data files or compressed archive files.

ASCII: Select this option for log sources that require an ASCII FTP file transfer.

Administrators must select NONE in the Processor field and LINEBYLINE in the Event Generator
field for ASCII transfers over FTP.

Start Time

Type the time of day for the log source to start the file import.
This parameter functions with the Recurrence value to establish when and how often the Remote
Directory is scanned for files.

Recurrence

Type a time interval to determine how frequently the remote directory is scanned for new event log
files. The minimum value is 15 minutes.
The time interval can include values in hours (H), minutes (M), or days (D). For example, a recurrence
of 2H scans the remote directory every 2 hours.

Run On Save

Select this check box to start the log file import immediately after the administrator saves the log
source.
After the first file import, the log file protocol follows the start time and recurrence schedule that is
defined by the administrator.
When selected, this check box clears the list of previously downloaded and processed files.

EPS Throttle

Type the number of Events Per Second (EPS) that the protocol cannot exceed.
The valid range is 100 to 5000.

Processor

If the files on the remote host are stored in an archive format, select the processor that is required to
uncompress the event log.

Ignore Previously Processed File(s)

Select this check box to track files that were processed by the log source.
This option prevents duplicate events from files that are processed a second time.
This check box applies to FTP and SFTP file transfers.

Change Local Directory?

Select this check box to define the local directory on the Target Event Collector to store event logs
before they are processed.
Administrators can leave this check box clear for most configurations.

Local Directory

Type the local directory on the Target Event Collector. This option is used with the Change Local
Directory field.
The directory must exist before the log file protocol attempts to retrieve events.


Event Generator

From the Event Generator list box, select one of the following options:

LineByLine: Each line of the file is processed as a single event. For example, if a file has 10 lines of
text, 10 separate events are created.

HPTandem: The file is processed as an HPTandem NonStop binary audit log. Each record in the
log file (whether primary or secondary) is converted into text and processed as a single event.
HPTandem audit logs use the following file name pattern: [aA]\d{7}.

WebSphere Application Server: Processes event logs for WebSphere Application Server. The
remote directory must define the file path that is configured in the DSM.

W3C: Processes log files from sources that use the W3C format. The header of the log file identifies
the order and data that is contained in each line of the file.

Fair Warning: Processes log files from Fair Warning devices that protect patient identity and
medical information. The remote directory must define the file path to the event logs that are
generated by the Fair Warning device.

DPI Subscriber Data: The file is processed as a DPI statistics log produced by a Juniper Networks
MX router. The header of the file identifies the order and data that is contained in each line of the
file. Each line in the file after the header is formatted as a tab-delimited name=value pair event.

SAP Audit Logs: Processes SAP Audit Log files, which keep a record of security-related events in
SAP systems. Each line of the file is formatted to be processed.

Oracle BEA WebLogic: Processes Oracle BEA WebLogic application log files. Each line of
the file is formatted to be processed.

Juniper SBR: Processes event log files from Juniper Steel-Belted Radius. Each line of the file is
formatted to be processed.

ID-Linked Multiline: Processes multiline event logs that contain a common value at the start of
each line in a multiline event message. This option uses regular expressions to identify and
reassemble the multiline event into a single event payload.

File Encoding

From the list box, select the character encoding that is used by the events in your log file.

Folder Separator

Type the character that is used to separate folders for your operating system. The default value is /.
Most configurations can use the default value in the Folder Separator field.
This field is intended for operating systems that use a different character to define separate folders,
for example mainframe systems that use periods to separate folders.

Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not counted
in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events created by a log source. The credibility
value assigned to a log source can increase or decrease based on incoming events or adjusted as a
response to user created event rules. The credibility of events from log sources contributes to the
calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.


Target Event Collector

Select the Event Collector to use as the target for the log source. When a log source actively collects
events from a remote source, this field defines which appliance polls for the events.
This enables administrators to poll and process events on the target event collector, instead of the
console appliance. This can improve performance in distributed deployments.
When an administrator verifies firewall ports between JSA and the remote database, the firewall
must allow communication between the target event collector and the remote database.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increase the event count when the same event occurs multiple times within a short
time interval. Coalesced events provide administrators a way to view and determine the frequency
with which a single event type occurs on the Log Activity tab.
When this check box is clear, the events are displayed individually and the information is not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the default
behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the default
behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events generated by the log source.


The log source language helps the system parse events from external appliances or operating systems
that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is only available after a log source extension is uploaded. Log source extensions are
XML files that contain regular expressions, which can override or repair the event parsing patterns
defined by a device support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement: Select this option when most fields parse correctly for the log source.

Parsing override: Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.

To configure the log file protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for the log source. JSA provides step-by-step instructions to configure each log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.
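The parameters in Table 18 describe one poll cycle: a Recurrence interval with a 15 minute minimum, a regex FTP File Pattern applied to the remote directory, the Ignore Previously Processed File(s) tracking that stops a file from producing duplicate events, and an Event Generator that turns file contents into events. The Python model below is an added example, not JSA code; the directory listing, file contents and the ID regex for the multiline case are constructed here, and the W3C and ID-Linked Multiline behaviour is a simplified stand-in for the product's own generators.

```python
import re

# Table 18: the minimum Recurrence value is 15 minutes.
MIN_RECURRENCE_SECONDS = 15 * 60
_UNIT_SECONDS = {"M": 60, "H": 3600, "D": 86400}


def parse_recurrence(value):
    """Convert a Recurrence value such as '15M', '2H' or '1D' to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([HMDhmd])\s*", value)
    if not m:
        raise ValueError("invalid recurrence: %r" % value)
    seconds = int(m.group(1)) * _UNIT_SECONDS[m.group(2).upper()]
    if seconds < MIN_RECURRENCE_SECONDS:
        raise ValueError("recurrence below the 15 minute minimum: %r" % value)
    return seconds


def select_files(listing, file_pattern, processed, ignore_processed=True):
    """Apply the FTP File Pattern regex to a remote directory listing.

    Files already in `processed` are skipped when Ignore Previously
    Processed File(s) is selected, so a later poll does not re-emit events.
    """
    pattern = re.compile(file_pattern)
    return [name for name in listing
            if pattern.fullmatch(name)
            and not (ignore_processed and name in processed)]


def line_by_line(text):
    """LineByLine generator: every non-empty line is one event."""
    return [ln for ln in text.splitlines() if ln.strip()]


def w3c_events(text):
    """W3C generator: the #Fields header names the columns of each data line."""
    fields, events = None, []
    for ln in text.splitlines():
        if ln.startswith("#Fields:"):
            fields = ln[len("#Fields:"):].split()
        elif ln.startswith("#") or not ln.strip():
            continue  # other directives (#Software, #Date, ...) and blank lines
        elif fields is None:
            raise ValueError("data line before #Fields header")
        else:
            events.append(" ".join("%s=%s" % kv for kv in zip(fields, ln.split())))
    return events


def id_linked_multiline(text, id_regex):
    """ID-Linked Multiline generator: lines whose leading ID (first capture
    group of id_regex) is the same are joined into one event payload."""
    pattern = re.compile(id_regex)
    grouped = {}  # dict keeps insertion order, so events keep first-seen order
    for ln in text.splitlines():
        m = pattern.match(ln)
        if m:
            grouped.setdefault(m.group(1), []).append(ln)
    return ["\n".join(lines) for lines in grouped.values()]


GENERATORS = {
    "LineByLine": line_by_line,
    "W3C": w3c_events,
    # Constructed ID regex: the common value is the bracketed token at line start.
    "ID-Linked Multiline": lambda text: id_linked_multiline(text, r"^\[(\S+)\]"),
}


def poll_once(listing, contents, file_pattern, generator, processed):
    """One scheduled scan of the remote directory; returns (events, processed)."""
    events = []
    for name in select_files(listing, file_pattern, processed):
        events.extend(GENERATORS[generator](contents[name]))
        processed = processed | {name}
    return events, processed


# Constructed sample data standing in for the remote directory and its files.
LISTING = ["access-2014-03-17.log", "access-2014-03-16.log", "A0001234", "notes.txt"]
CONTENTS = {
    "access-2014-03-17.log": (
        "#Software: constructed sample\n"
        "#Fields: date time c-ip cs-method cs-uri-stem sc-status\n"
        "2014-03-17 10:00:01 192.0.2.10 GET /index.html 200\n"
        "2014-03-17 10:00:05 192.0.2.11 POST /login 401\n"),
    "access-2014-03-16.log": "#Fields: date c-ip\n2014-03-16 192.0.2.12\n",
    "A0001234": "binary audit record placeholder\n",  # name matches [aA]\d{7}
    "notes.txt": "not a log\n",
}
MULTILINE_SAMPLE = (
    "[job-1] started\n[job-2] started\n[job-1] step read config\n"
    "[job-2] failed: permission denied\n[job-1] finished\n")

if __name__ == "__main__":
    access = r"access-\d{4}-\d{2}-\d{2}\.log"
    first, seen = poll_once(LISTING, CONTENTS, access, "W3C", set())
    second, seen = poll_once(LISTING, CONTENTS, access, "W3C", seen)
    print(len(first), "events on the first poll,", len(second), "on the second")
    print("next scan in", parse_recurrence("2H"), "seconds")
    print(id_linked_multiline(MULTILINE_SAMPLE, r"^\[(\S+)\]"))
```

Running the block shows three W3C events on the first poll and none on the second, which is the duplicate suppression that the Ignore Previously Processed File(s) check box provides.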

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the Syslog Protocol on page 18.

Configuring the JDBC Protocol on page 21.

Configuring the JDBC SiteProtector Protocol on page 25.

Configuring the Sophos Enterprise Console JDBC Protocol on page 29.

Configuring the Juniper Networks NSM Protocol on page 34.

Configuring the OPSEC/LEA Protocol on page 36.

Configuring the Microsoft Security Event Log Protocol


The Microsoft Security Event Log protocol provides remote agentless Windows event
log collection by using the Microsoft Windows Management Instrumentation (WMI) API.
The WMI API is a Microsoft technology that is used to communicate and exchange
information between operating systems. This API requires that firewall configurations
accept incoming external communications on port 135 and any dynamic ports that are
required for DCOM. The following log source limitations apply when administrators deploy
the Microsoft Security Event Log protocol in their environment:

Systems that exceed 50 events per second (eps) can exceed the capabilities of this
protocol. WinCollect can be used for systems that exceed 50 eps.

A Juniper Secure Analytics (JSA) all-in-one installation can support up to 250 log
sources with the Microsoft Security Event Log protocol.

Dedicated Event Collectors can support up to 500 log sources with the Microsoft
Security Event Log protocol.

The Microsoft Security Event Log protocol is not recommended for remote servers that are
accessed over high-latency network links, for example satellite or slow WAN networks.
Round-trip delay can be confirmed by examining the request and response time of a ping
to the server. Network delays that are created by slow connections decrease the EPS
throughput available to those remote servers. In addition, event collection from busy
servers or Domain Controllers relies on low round-trip delay times to keep up with
incoming events. If it is not possible to decrease the network round-trip delay time,
administrators can use WinCollect to process Windows events.
The Microsoft Security Event Log protocol supports the following software versions with the
Microsoft Windows Management Instrumentation (WMI) API:


Microsoft Windows 2000

Microsoft Windows Server 2003

Microsoft Windows Server 2008 (all versions)

Microsoft Windows XP

Microsoft Windows Vista

Microsoft Windows 7

Table 19: Microsoft Security Event Log Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select a log source type.

Protocol Configuration

From the list, select Windows Security Event Log.

Log Source Identifier

Type the IP address or host name of the Windows host.
The log source identifier must be unique for the log source type.

Domain

Optional. Type the domain that is required for the server.

Username

Type the user name that is required to access the Windows host.

Password

Type the password that is required to access the Windows host.

Confirm Password

Confirm the password that is required to access the server.

Standard Log Types

Select a check box for each log type to monitor. At least one check box must be selected.

Security

System

Application

DNS Server

File Replication Service

Directory Service

Event Types

Select a check box for each event type to monitor. At least one check box must be selected.

Informational

Warning

Error

Success Audit

Failure Audit


Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not
counted in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source.
The credibility value that is assigned to a log source can increase or decrease based on incoming
events or adjusted as a response to user created event rules. The credibility of events from log
sources contributes to the calculation of the offense magnitude and can increase or decrease
the magnitude value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote
source, this field defines which appliance polls for the events.
This enables administrators to poll and process events on the target event collector, instead of
the console appliance. This can improve performance in distributed deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increase the event count when the same event occurs multiple times within
a short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, the events are displayed individually and the information is not
bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events generated by the log source.


The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is only available after you upload a log source extension to JSA. Log source
extensions are XML files that contain regular expressions, which can override or repair the event
parsing patterns defined by a device support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancementSelect this option when most fields parse correctly for your log source.

Parsing overrideSelect this option when the log source is unable to correctly parse events.


Groups

Select one or more groups for the log source.

To configure the Microsoft Security Event Log protocol:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. Click Add.

4. Configure the parameters for your log source.

5. Click Save.

6. On the Admin tab, click Deploy Changes.

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the Syslog Protocol on page 18.

Configuring the JDBC Protocol on page 21.

Configuring the JDBC SiteProtector Protocol on page 25.

Configuring the Sophos Enterprise Console JDBC Protocol on page 29.

Configuring the Juniper Networks NSM Protocol on page 34.

Configuring the OPSEC/LEA Protocol on page 36.

Configuring the Microsoft Security Event Log Custom Protocol


The Microsoft Security Event Log Custom protocol provides remote agentless Windows event
log collection for customized event logs by using the Microsoft Windows Management
Instrumentation (WMI) API.
The WMI API is a Microsoft technology that is used to communicate and exchange
information between operating systems. This API requires that firewall configurations
accept incoming external communications on port 135 and any dynamic ports that are
required for DCOM. The following log source limitations apply when administrators deploy
the Microsoft Security Event Log Custom protocol in their environment:

Systems that exceed 50 events per second (eps) can exceed the capabilities of this
protocol. WinCollect can be used for systems that exceed 50 eps.

A Juniper Secure Analytics (JSA) all-in-one installation can support up to 250 log
sources with the Microsoft Security Event Log Custom protocol.

Dedicated Event Collectors can support up to 500 log sources with the Microsoft
Security Event Log Custom protocol.

The Microsoft Security Event Log Custom protocol is not recommended for remote servers that are
accessed over high-latency network links, for example satellite or slow WAN networks.
Round-trip delay can be confirmed by examining the request and response time of a ping
to the server. Network delays that are created by slow connections decrease the EPS
throughput available to those remote servers. In addition, event collection from busy
servers or Domain Controllers relies on low round-trip delay times to keep up with
incoming events. If it is not possible to decrease the network round-trip delay time,
administrators can use WinCollect to process Windows events.
The Microsoft Security Event Log Custom protocol supports the following software versions with the
Microsoft Windows Management Instrumentation (WMI) API:

Microsoft Windows 2000

Microsoft Windows Server 2003

Microsoft Windows Server 2008 (all versions)

Microsoft Windows XP

Microsoft Windows Vista

Microsoft Windows 7

Table 20: Microsoft Security Event Log Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select a log source type.

Protocol Configuration

From the list, select Windows Security Event Log.

Log Source Identifier

Type the IP address or host name of the Windows host.


The log source identifier must be unique for the log source type.

Domain

Optional. Type the domain that is required for the server.

Username

Type the user name that is required to access the Windows host.

Password

Type the password that is required to access the Windows host.

Confirm Password

Confirm the password that is required to access the server.

Monitored Event Logs

Type the name of the custom event log.


Event Types

Select a check box for each event type to monitor. At least one check box must be selected:

Informational

Warning

Error

Success Audit

Failure Audit

Enabled

Select this check box to enable the log source.
When this check box is clear, the log source does not collect events and the log source is not
counted in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default
credibility is 5.
Credibility is a representation of the integrity or validity of events that are created by a log
source. The credibility value that is assigned to a log source can increase or decrease based on
incoming events or adjusted as a response to user created event rules. The credibility of events
from log sources contributes to the calculation of the offense magnitude and can increase or
decrease the magnitude value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote
source, this field defines which appliance polls for the events.
This option enables administrators to poll and process events on the target event collector,
instead of the console appliance. This can improve performance in distributed deployments.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the
System Settings configuration on the Admin tab. Administrators can use this check box to
override the default behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events generated by the log source.


The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is only available after you upload a log source extension to JSA. Log source
extensions are XML files that contain regular expressions, which can override or repair the event
parsing patterns defined by a device support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement: Select this option when most fields parse correctly for your log source.

Parsing override: Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.


To configure the Microsoft Security Event Log custom protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the Syslog Protocol on page 18.

Configuring the JDBC Protocol on page 21.

Configuring the JDBC SiteProtector Protocol on page 25.

Configuring the Sophos Enterprise Console JDBC Protocol on page 29.

Configuring the Juniper Networks NSM Protocol on page 34.

Configuring the OPSEC/LEA Protocol on page 36.

Configuring the Microsoft DHCP Protocol


The Microsoft DHCP protocol supports a single connection to a Microsoft DHCP server
to remotely collect events.
The Microsoft authentication protocol NTLMv2 is not supported by the Microsoft DHCP
protocol.
Folder paths that contain an administrative share (C$) require NetBIOS privileges on
the administrative share (C$) to read the log files. Local or domain administrators have
sufficient privileges to access log files on administrative shares.
Fields for the Microsoft DHCP protocol that support file paths allow administrators to
define a drive letter with the path information. For example, the field can contain
c$\LogFiles\ for an administrative share, or LogFiles\ for a public share folder path, but
not c:\LogFiles.
Detailed configuration steps for Microsoft DHCP are provided in the Juniper Secure
Analytics (JSA).

Table 21: Microsoft DHCP Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select a log source type.

Protocol Configuration

From the list, select Microsoft DHCP.

Log Source Identifier

Type an IP address, host name, or name to identify the Microsoft DHCP server.
The log source identifier must be unique for the log source type.

Domain

Optional. Type the domain that is required to access the Microsoft DHCP server.

Username

Type the user name that is required to access the Microsoft DHCP server.

Password

Type the password that is required to access the Microsoft DHCP server.

Confirm Password

Confirm the password that is required to access Microsoft DHCP server.

Folder Path

Type the directory path to access the DHCP log files.


The default is \WINDOWS\system32\dhcp\.

File Pattern

Type the regular expression (regex) to identify and download the event logs.
The log files must contain a three-character abbreviation for a day of the week.
The available file patterns are:

IPv4 file pattern - DhcpSrvLog-(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\.log

IPv6 file pattern - DhcpV6SrvLog-(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\.log

Mixed IPv4 and IPv6 file pattern - Dhcp.*SrvLog-(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\.log

All files that match the file pattern are processed.


Recursive

Select this check box if you want the file pattern to search sub folders. By default, the check box
is selected.

Polling Interval (seconds)

Type the polling interval, which is the number of seconds between queries to the log files to check
for new data.
The minimum polling interval is 10 seconds, with a maximum polling interval of 3,600 seconds.

Throttle Events/Second

Type the maximum number of events the DHCP protocol can forward per second.
The minimum value is 100 EPS and the maximum value is 20,000 EPS.

Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not
counted in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source.
The credibility value that is assigned to a log source can increase or decrease based on incoming
events or adjusted as a response to user created event rules. The credibility of events from log
sources contributes to the calculation of the offense magnitude and can increase or decrease the
magnitude value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote
source, this field defines which appliance polls for the events.
This option enables administrators to poll and process events on the target event collector, instead
of the console appliance. This can improve performance in distributed deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increase the event count when the same event occurs multiple times within a
short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, the events are displayed individually and the information is not
bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events generated by the log source.


The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is only available after you upload a log source extension to JSA. Log source
extensions are XML files that contain regular expressions, which can override or repair the event
parsing patterns defined by a device support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement - Select this option when most fields parse correctly for your log source.

Parsing override - Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.

To configure the Microsoft DHCP protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the Syslog Protocol on page 18.

Configuring the JDBC Protocol on page 21.

Configuring the JDBC SiteProtector Protocol on page 25.

Configuring the Sophos Enterprise Console JDBC Protocol on page 29.

Configuring the Juniper Networks NSM Protocol on page 34.

Configuring the OPSEC/LEA Protocol on page 36.

Configuring the Microsoft Exchange Protocol


The Microsoft Windows Exchange protocol supports SMTP, OWA, and message tracking
logs for Microsoft Exchange 2007 and 2010.
The Microsoft Exchange protocol does not support Microsoft Exchange 2003 or Microsoft
authentication protocol NTLMv2 Session.
Folder paths that contain an administrative share (C$) require NetBIOS privileges on
the administrative share (C$) to read the log files. Local or domain administrators have
sufficient privileges to access log files on administrative shares.
Fields for the Microsoft Exchange protocol that support file paths allow administrators
to define a drive letter with the path information. For example, the field can contain
c$\LogFiles\ for an administrative share, or LogFiles\ for a public share folder path, but
not c:\LogFiles.
Detailed configuration steps for Microsoft Exchange are provided in the Juniper Secure
Analytics (JSA).

Table 22: Microsoft Exchange Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select a log source type.

Protocol Configuration

From the list, select Microsoft Exchange.

Log Source Identifier

Type an IP address, host name, or name to identify the Windows Exchange event source.
The log source identifier must be unique for the log source type.

Domain

Optional. Type the domain that is required to access the Microsoft Exchange server.

Username

Type the user name that is required to access the Microsoft Exchange server.

Password

Type the password that is required to access the Microsoft Exchange server.

Confirm Password

Confirm the password that is required to access Microsoft Exchange server.

SMTP Log Folder Path

Type the directory path to access the SMTP log files.


The default is Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\.
When the folder path is clear, SMTP event collection is disabled.

OWA Log Folder Path

Type the directory path to access the OWA log files.


The default is Windows\system32\LogFiles\W3SVC1.
When the folder path is clear, OWA event collection is disabled.

MSGTRK Log Folder Path

Type the directory path to access message tracking log files.


The default is Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking\.
Message tracking is available on Microsoft Exchange 2007 or 2010 servers assigned the Hub
Transport, Mailbox, or Edge Transport server role.

File Pattern

Type the regular expression (regex) to identify and download the event logs. The default is
.*\.(?:log|LOG).
All files that match the regex pattern are processed.

Force File Read

Select this check box to force the protocol to read the log file. By default, the check box is selected.
If the check box is clear, the log file is read only when JSA detects a change in the modified time
or file size.

Recursive

Select this check box if you want the file pattern to search sub folders. By default, the check box
is selected.

Polling Interval (seconds)

Type the polling interval, which is the number of seconds between queries to the log files to check
for new data.
The minimum polling interval is 10 seconds, with a maximum polling interval of 3,600 seconds.

Throttle Events/Second

Type the maximum number of events the Exchange protocol can forward per second.
The minimum value is 100 EPS and the maximum value is 20,000 EPS.

Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not
counted in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source.
The credibility value that is assigned to a log source can increase or decrease based on incoming
events or adjusted as a response to user created event rules. The credibility of events from log
sources contributes to the calculation of the offense magnitude and can increase or decrease
the magnitude value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote
source, this field defines which appliance polls for the events.
This enables administrators to poll and process events on the target event collector, instead of
the console appliance. This can improve performance in distributed deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increase the event count when the same event occurs multiple times within
a short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, the events are displayed individually and the information is not
bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events generated by the log source.


The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is only available after you upload a log source extension to JSA. Log source
extensions are XML files that contain regular expressions, which can override or repair the event
parsing patterns defined by a device support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement - Select this option when most fields parse correctly for your log source.

Parsing override - Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.

To configure the Microsoft Windows Exchange protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the Syslog Protocol on page 18.

Configuring the JDBC Protocol on page 21.

Configuring the JDBC SiteProtector Protocol on page 25.

Configuring the Sophos Enterprise Console JDBC Protocol on page 29.

Configuring the Juniper Networks NSM Protocol on page 34.

Configuring the OPSEC/LEA Protocol on page 36.

Configuring the Microsoft IIS Protocol


The Microsoft IIS protocol supports a single point of collection for W3C format log files
that are located on Microsoft IIS web servers.
The Microsoft authentication protocol NTLMv2 is not supported by the Microsoft IIS
protocol.
Folder paths that contain an administrative share (C$) require NetBIOS privileges on
the administrative share (C$) to read the log files. Local or domain administrators have
sufficient privileges to access log files on administrative shares.
Fields for the Microsoft IIS protocol that support file paths allow administrators to define
a drive letter with the path information. For example, the field can contain c$\LogFiles\
for an administrative share, or LogFiles\ for a public share folder path, but not c:\LogFiles.

Detailed configuration steps for Microsoft IIS are provided in the Juniper Secure Analytics
(JSA).

Table 23: Microsoft IIS Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select a log source type.

Protocol Configuration

From the list, select Microsoft IIS.

Log Source Identifier

Type an IP address, host name, or name to identify the Microsoft IIS server.
The log source identifier must be unique for the log source type.

Domain

Optional. Type the domain that is required to access the Microsoft IIS server.

Username

Type the user name that is required to access the Microsoft IIS server.

Password

Type the password that is required to access the Microsoft IIS server.

Confirm Password

Confirm the password that is required to access Microsoft IIS server.

Folder Path

Type the directory path to access the IIS log files.


The default is \WINDOWS\system32\LogFiles\W3SVC1\.

File Pattern

Type the regular expression (regex) to identify and download the event logs.
The default file pattern is (?:u_)?ex.*\.(?:log|LOG).
All files that match the file pattern are processed.

Recursive

Select this check box if you want the file pattern to search sub folders. By default, the check box
is selected.

Polling Interval (seconds)

Type the polling interval, which is the number of seconds between queries to the log files to check
for new data.
The minimum polling interval is 10 seconds, with a maximum polling interval of 3,600 seconds.

Throttle Events/Second

Type the maximum number of events the IIS protocol can forward per second.
The minimum value is 100 EPS and the maximum value is 20,000 EPS.

Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source does not
count against the log source limit in the license.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events created by a log source. The
credibility value assigned to a log source can increase or decrease based on incoming events or
adjusted as a response to user created event rules. The credibility of events from log sources
contributes to the calculation of the offense magnitude and can increase or decrease the
magnitude value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote
source, this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event
collector, instead of the console appliance. Distributing events across target event collectors can
improve performance in distributed deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increase the event count when the same event occurs multiple times within
a short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and events are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are
XML files that contain regular expressions, which can override or repair the event parsing of a
device support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement - Select this option when most fields parse correctly for the log source.

Parsing override - Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.
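The File Pattern parameter of the Microsoft DHCP, Microsoft Exchange and Microsoft IIS protocols is a regular expression that decides which files in the folder are collected, so it is worth checking against a real listing before the log source is deployed. The following Python check is an added example, not JSA code: it assumes the pattern is applied to the whole base file name (re.fullmatch), and the directory listings, the audit_pattern helper and the "garbled" pattern are constructed for illustration.

```python
import re
from typing import Dict, Iterable, List, Tuple

# File patterns as documented for the JSA Microsoft DHCP, Microsoft IIS and
# Microsoft Exchange protocols (raw strings, so the backslashes are literal).
FILE_PATTERNS: Dict[str, str] = {
    "dhcp_ipv4": r"DhcpSrvLog-(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\.log",
    "dhcp_ipv6": r"DhcpV6SrvLog-(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\.log",
    "dhcp_mixed": r"Dhcp.*SrvLog-(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\.log",
    "iis_default": r"(?:u_)?ex.*\.(?:log|LOG)",
    "exchange_default": r".*\.(?:log|LOG)",
}

# Constructed directory listings (not taken from any real server): what one
# poll of the default folders might return, including files that should NOT
# be collected (backups, archives, unrelated text files).
DHCP_LISTING = [
    "DhcpSrvLog-Mon.log", "DhcpSrvLog-Sat.log", "DhcpV6SrvLog-Mon.log",
    "DhcpSrvLog-Mon.log.bak", "DhcpAudit.txt",
]
IIS_LISTING = ["u_ex140317.log", "ex140316.LOG", "u_nc140317.log", "ex140315.log.zip"]
EXCHANGE_LISTING = ["RECV2014031712-1.LOG", "SEND2014031712-1.log", "README.txt"]


def matching_files(pattern: str, listing: Iterable[str]) -> List[str]:
    """Return the file names a pattern selects from a listing.

    Assumption: the pattern is applied to the whole base file name (fullmatch),
    not searched as a substring, so "DhcpSrvLog-Mon.log.bak" is not a match."""
    regex = re.compile(pattern)
    return [name for name in listing if regex.fullmatch(name)]


def audit_pattern(pattern: str, listing: Iterable[str],
                  expected: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Compare what a pattern selects with what the administrator expects.

    Returns (unexpected, missed): files that would be collected but should not
    be, and files that should be collected but would be skipped. Both lists
    empty means the pattern does what the administrator intends."""
    selected = set(matching_files(pattern, listing))
    wanted = set(expected)
    return sorted(selected - wanted), sorted(wanted - selected)


if __name__ == "__main__":
    for name, pattern in FILE_PATTERNS.items():
        listing = (DHCP_LISTING if name.startswith("dhcp")
                   else IIS_LISTING if name.startswith("iis") else EXCHANGE_LISTING)
        print(f"{name:17} -> {matching_files(pattern, listing)}")
    # A pattern copied from a line-wrapped document can pick up stray spaces;
    # "| Sat" then only matches a file literally named "DhcpSrvLog- Sat.log",
    # so Saturday's log is silently never collected.
    garbled = r"DhcpSrvLog-(?:Sun|Mon|Tue|Wed|Thu| Fri| Sat)\.log"
    print("garbled audit ->", audit_pattern(
        garbled, DHCP_LISTING, ["DhcpSrvLog-Mon.log", "DhcpSrvLog-Sat.log"]))
```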

To configure the Microsoft IIS protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the Syslog Protocol on page 18.

Configuring the JDBC Protocol on page 21.

Configuring the JDBC SiteProtector Protocol on page 25.

Configuring the Sophos Enterprise Console JDBC Protocol on page 29.

Configuring the Juniper Networks NSM Protocol on page 34.

Configuring the OPSEC/LEA Protocol on page 36.

Configuring the SMB Tail Protocol


The SMB Tail protocol enables administrators to remotely watch an event file in a directory
on a Samba share, detect when new lines are added to the event log, and retrieve those
new events.

Table 24: SMB Tail Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select a log source type.

Protocol Configuration

From the list, select SMB Tail.

Log Source Identifier

Type an IP address, hostname, or name to identify the SMB Tail event source.
IP addresses or host names are suggested as they identify a unique value for the event source.

Server Address

Type the IP address or hostname of the samba server.

Domain

Optional. Type the domain required for the SMB (samba) server.

Username

Type the username required to access the remote server.

Password

Type the password required to access the remote server.

Confirm Password

Confirm the password required to access the server.

Log Folder Path

Type the directory path to access the log files.


For example, administrators can use c$\LogFiles\ for an administrative share, or LogFiles\ for a
public share folder path. However, c:\LogFiles is not a supported log folder path.
If a log folder path contains an administrative share (C$), users with NetBIOS access on the
administrative share (C$) have the privileges required to read the log files.
Local system or domain administrator privileges are also sufficient to access log files that reside
on an administrative share.

File Pattern

Type the regular expression (regex) to identify and download the event logs.
All matching files are included in the processing.

Force File Read

Select this check box to force the protocol to read the log file. By default, the check box is selected.
If the check box is clear, the log file is read only when JSA detects a change in the modified time
or file size.

Recursive

Select this check box if you want the file pattern to search sub folders. By default, the check box
is selected.

Polling Interval (seconds)

Type the polling interval, which is the number of seconds between queries to the log files to check
for new data.
The minimum polling interval is 10 seconds, with a maximum polling interval of 3,600 seconds.

Throttle Events/Second

Type the maximum number of events the SMB Tail protocol forwards per second.
The minimum value is 100 EPS and the maximum value is 20,000 EPS.

Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not
counted in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events created by a log source. The
credibility value assigned to a log source can increase or decrease based on incoming events or
adjusted as a response to user created event rules. The credibility of events from log sources
contributes to the calculation of the offense magnitude and can increase or decrease the magnitude
value of an offense.

Target Event Collector

Select the Event Collector to use as the target for the log source. When a log source actively
collects events from a remote source, this field defines which appliance polls for the events.
This enables administrators to poll and process events on the target event collector, instead of
the console appliance. This can improve performance in distributed deployments.
When an administrator verifies firewall ports between JSA and the remote database, the firewall
must allow communication between the target event collector and the remote database.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increase the event count when the same event occurs multiple times within a
short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, the events are displayed individually and the information is not
bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events generated by the log source.


The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is only available after you upload a log source extension to JSA. Log source
extensions are XML files that contain regular expressions, which can override or repair the event
parsing patterns defined by a device support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement - Select this option when most fields parse correctly for your log source.

Parsing override - Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.
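The Force File Read parameter of the Microsoft Exchange and SMB Tail protocols controls whether a file is read on every poll or only when its modified time or size changed, and a tail-style poller must also hand over only complete new lines. The following Python model is an added example, not JSA code: TailState, FileSnapshot and the rotation handling (restart from the top when the file shrinks) are assumptions made for the example, and the file contents are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FileSnapshot:
    """What one poll observes for a log file on the share: its modified time
    and its full content. Constructed for this example; a real poller would
    read these over SMB."""
    mtime: float
    content: bytes


@dataclass
class TailState:
    """Per-file state of a tail-style poller.

    force_file_read=False mirrors the documented change detection: the file is
    read only when its modified time or size differs from the previous poll.
    force_file_read=True reads the file on every poll regardless."""
    force_file_read: bool = False
    last_mtime: Optional[float] = None
    last_size: int = 0
    offset: int = 0  # bytes already turned into events

    def poll(self, snap: FileSnapshot) -> Tuple[bool, List[str]]:
        """Process one poll. Returns (file_was_read, new_complete_lines)."""
        size = len(snap.content)
        changed = snap.mtime != self.last_mtime or size != self.last_size
        self.last_mtime, self.last_size = snap.mtime, size
        if not (changed or self.force_file_read):
            return False, []
        if size < self.offset:
            # The file shrank: assume it was rotated or truncated and restart
            # from the top (assumption; the guide does not describe rotation).
            self.offset = 0
        chunk = snap.content[self.offset:]
        pieces = chunk.split(b"\n")
        partial = pieces.pop()  # bytes after the last newline: an unfinished line
        self.offset = size - len(partial)  # the partial line is re-read next poll
        lines = [p.rstrip(b"\r") for p in pieces]  # tolerate Windows CRLF endings
        return True, [line.decode("utf-8", "replace") for line in lines if line]


if __name__ == "__main__":
    state = TailState()
    # Constructed sequence of polls: initial content, no change, a half-written
    # line, the line completed, then a rotated (smaller) file.
    for snap in (FileSnapshot(1.0, b"a\r\nb\r\n"), FileSnapshot(1.0, b"a\r\nb\r\n"),
                 FileSnapshot(2.0, b"a\r\nb\r\nc"), FileSnapshot(3.0, b"a\r\nb\r\nc\r\n"),
                 FileSnapshot(4.0, b"x\n")):
        print(state.poll(snap))
```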

To configure the SMB Tail protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the Syslog Protocol on page 18.

Configuring the JDBC Protocol on page 21.

Configuring the JDBC SiteProtector Protocol on page 25.

Configuring the Sophos Enterprise Console JDBC Protocol on page 29.

Configuring the Juniper Networks NSM Protocol on page 34.

Configuring the OPSEC/LEA Protocol on page 36.

Configuring the EMC VMware Protocol


The EMC VMware protocol provides log sources the ability to receive event data from
the VMware web service for virtual environments.
Table 25 on page 75 describes the parameters of the EMC VMware protocol.

Table 25: EMC VMware Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select the type of log source to add.

Protocol Configuration

From the list, select EMC VMware.

Log Source Identifier

Type the IP address or hostname for the log source. The value for this parameter must match the
VMware IP.

VMware IP

Type the IP address of the VMware ESXi server.


For example, 1.1.1.1.
The VMware protocol appends the IP address of your VMware ESXi server with HTTPS before the
protocol requests event data.

User Name

Type the username required to access the VMware server.


If you want to configure a read-only account to use with the VMware protocol, you can create a
user on your VMware server with read-only permission.

Password

Type the password that is required to remotely access the VMware server.

Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source does not
count against the log source limit in the license.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events created by a log source. The
credibility value assigned to a log source can increase or decrease based on incoming events or
adjusted as a response to user created event rules. The credibility of events from log sources
contributes to the calculation of the offense magnitude and can increase or decrease the magnitude
value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote
source, this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event
collector, instead of the console appliance. Distributing events across target event collectors can
improve performance in distributed deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a
short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and events are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is only available after you upload a log source extension to JSA. Log source
extensions are XML files that contain regular expressions, which can override or repair the event
parsing patterns defined by a device support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement: Select this option when most fields parse correctly for your log source.

Parsing override: Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.


Chapter 2: Managing Protocol Configuration

To configure the EMC VMware protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source. The JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the Syslog Protocol on page 18.

Configuring the JDBC Protocol on page 21.

Configuring the JDBC SiteProtector Protocol on page 25.

Configuring the Sophos Enterprise Console JDBC Protocol on page 29.

Configuring the Juniper Networks NSM Protocol on page 34.

Configuring the OPSEC/LEA Protocol on page 36.

Configuring the SDEE Protocol on page 39.

Configuring the Oracle Database Listener Protocol


The Oracle Database Listener protocol source enables administrators to remotely collect
log files generated from an Oracle database server.
Before you configure the Oracle Database Listener protocol to monitor log files for
processing, you must obtain the directory path to the Oracle database log files.
Detailed configuration steps for Oracle are provided in the Juniper Secure Analytics (JSA).

Table 26: Oracle Database Listener Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select a log source type.

Protocol Configuration

From the list, select Oracle Database Listener.

Log Source Identifier

Type an IP address, host name, or name to identify the Oracle database server.
The log source identifier must be unique for the log source type.


Table 26: Oracle Database Listener Protocol Parameters (continued)


Parameter

Description

Domain

Optional. Type the domain that is required to access the Oracle database server.

Username

Type the user name that is required to access the Oracle database server.

Password

Type the password that is required to access the Oracle database server.

Confirm Password

Confirm the password that is required to access the Oracle database server.

Log Folder Path

Type the directory path to access the Oracle database log files.

File Pattern

Type the regular expression (regex) to identify and download the event logs.
The default file pattern is listener\.log.
All files that match the file pattern are processed.

Recursive

Select this check box if you want the file pattern to search subfolders. By default, the check box
is selected.

Polling Interval (seconds)

Type the polling interval, which is the number of seconds between queries to the log files to check
for new data.
The minimum polling interval is 10 seconds, with a maximum polling interval of 3,600 seconds.

Throttle Events/Second

Type the maximum number of events the protocol can forward per second.
The minimum value is 100 EPS and the maximum value is 20,000 EPS.

Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not
counted in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source.
The credibility value that is assigned to a log source can increase or decrease based on incoming
events or adjusted as a response to user created event rules. The credibility of events from log
sources contributes to the calculation of the offense magnitude and can increase or decrease
the magnitude value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote
source, this field defines which appliance polls for the events.
This option enables administrators to poll and process events on the target event collector,
instead of the console appliance. This can improve performance in distributed deployments.


Table 26: Oracle Database Listener Protocol Parameters (continued)


Parameter

Description

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within
a short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, the events are displayed individually and the information is not
bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are
XML files that contain regular expressions, which can override or repair the event parsing of a
device support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement: Select this option when most fields parse correctly for your log source.

Parsing override: Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.
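The following is an added example, not code from JSA or the Oracle DSM, that applies the Table 26 parameters (Log Folder Path, File Pattern, Recursive, Polling Interval, Throttle Events/Second) to a constructed directory tree so you can see which files a given pattern selects and how the throttle bound limits output. The directory layout, file contents and the one-second throttle window are constructed assumptions; JSA's internal matching and rate-limiting code is not on the page, and the example assumes the regex is matched against the whole file name.

```python
"""Added example (not JSA's own code): a minimal poller modelled on the
Oracle Database Listener protocol parameters in Table 26."""
import re
import tempfile
from pathlib import Path

# Bounds quoted from Table 26.
MIN_POLL_SECONDS, MAX_POLL_SECONDS = 10, 3600
MIN_EPS, MAX_EPS = 100, 20000


def validate_polling_interval(seconds):
    """Reject a polling interval outside the documented 10-3600 second range."""
    if not MIN_POLL_SECONDS <= seconds <= MAX_POLL_SECONDS:
        raise ValueError(f"polling interval {seconds}s must be "
                         f"{MIN_POLL_SECONDS}-{MAX_POLL_SECONDS}")
    return seconds


def validate_throttle(eps):
    """Reject a throttle outside the documented 100-20,000 EPS range."""
    if not MIN_EPS <= eps <= MAX_EPS:
        raise ValueError(f"throttle {eps} EPS must be {MIN_EPS}-{MAX_EPS}")
    return eps


def find_log_files(folder, file_pattern=r"listener\.log", recursive=True):
    """Return files under `folder` whose name matches `file_pattern`.

    Assumption: the regex is matched against the whole file name, so the
    default pattern selects only the current log, not rotated copies.
    """
    regex = re.compile(file_pattern)
    root = Path(folder)
    candidates = root.rglob("*") if recursive else root.glob("*")
    return sorted(
        p.relative_to(root).as_posix()
        for p in candidates
        if p.is_file() and regex.fullmatch(p.name)
    )


class Throttle:
    """Allow at most `eps` events per one-second window (constructed model).

    The clock is injected so the behaviour is deterministic.
    """

    def __init__(self, eps, clock):
        self.eps = validate_throttle(eps)
        self.clock = clock
        self.window_start = clock()
        self.sent = 0

    def allow(self):
        now = self.clock()
        if now - self.window_start >= 1.0:
            self.window_start = now
            self.sent = 0
        if self.sent < self.eps:
            self.sent += 1
            return True
        return False


def build_sample_tree(root):
    """Write a constructed Oracle-like log directory (sample data, not real logs)."""
    files = {
        "listener.log": "21-MAR-2014 10:00:01 * service_update * orcl * 0\n",
        "listener.log.1": "rotated copy\n",
        "alert_orcl.log": "unrelated alert log\n",
        "archive/listener.log": "older listener log in a subfolder\n",
    }
    for rel, body in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)


def demo():
    """Return the selections made by three File Pattern / Recursive combinations."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        recursive_default = find_log_files(tmp)                # Recursive selected
        flat_default = find_log_files(tmp, recursive=False)    # Recursive cleared
        with_rotated = find_log_files(tmp, r"listener\.log(\.\d+)?", recursive=False)
    return recursive_default, flat_default, with_rotated


def throttled_count(eps, burst):
    """How many of `burst` events arriving in one second pass a throttle of `eps`."""
    now = [0.0]
    throttle = Throttle(eps, lambda: now[0])
    return sum(1 for _ in range(burst) if throttle.allow())
```

The point to check before saving the log source: with Recursive selected, the default pattern also picks up `archive/listener.log`, so an old copy left under the log folder is processed as if it were current, and rotated files are only collected if the pattern allows the numeric suffix.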

To configure the Oracle Database Listener protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the Syslog Protocol on page 18.


Configuring the JDBC Protocol on page 21.

Configuring the JDBC SiteProtector Protocol on page 25.

Configuring the Sophos Enterprise Console JDBC Protocol on page 29.

Configuring the Juniper Networks NSM Protocol on page 34.

Configuring the OPSEC/LEA Protocol on page 36.

Configuring the Cisco NSEL Protocol


The Cisco Network Security Event Logging (NSEL) protocol source allows Juniper Secure
Analytics (JSA) to monitor NetFlow packet flows from a Cisco Adaptive Security Appliance
(ASA).
To integrate Cisco ASA using NetFlow with JSA, you must manually create a log source
to receive NetFlow events. JSA does not automatically discover or create log sources for
syslog events from Cisco ASA using NetFlow and NSEL. For more information, see the
JSA.
Table 27 on page 80 describes the parameters of the Cisco NSEL protocol.

Table 27: Cisco NSEL Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select the type of log source to add.

Protocol Configuration

From the list, select Cisco NSEL.

Log Source Identifier

Type an IPv4 address or hostname to identify the log source that created the events.
If the network contains devices that are attached to a management console, administrators can
specify the IP address of the individual device that created the event. A unique identifier for each,
such as an IP address, prevents event searches from identifying the management console as the
source for all of the events.

Collector Port

Type the UDP port number used by Cisco ASA to forward NSEL events. The valid range of the
Collector Port parameter is 1 - 65535.
JSA uses port 2055 for flow data on QFlow Collectors. Administrators must assign a different UDP
port on the Cisco Adaptive Security Appliance for NetFlow using NSEL.

Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not counted
in the license limit.


Table 27: Cisco NSEL Protocol Parameters (continued)


Parameter

Description

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source.
The credibility value that is assigned to a log source can increase or decrease based on incoming
events or adjusted as a response to user created event rules. The credibility of events from log
sources contributes to the calculation of the offense magnitude and can increase or decrease the
magnitude value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote source,
this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event
collector, instead of the console appliance. Distributing events across target event collectors can
improve performance in distributed deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a
short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and events are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are XML
files that contain regular expressions, which can override or repair the event parsing of a device
support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement: Select this option when most fields parse correctly for your log source.

Parsing override: Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.


To configure the Cisco NSEL protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source. The JSA provides step-by-step instructions to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the TCP Multiline Syslog Protocol on page 95.

Configuring the VMware vCloud Director Protocol on page 98.

Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 100.

Configuring the PCAP Syslog Combination Protocol


The PCAP Syslog Combination protocol enables events to be collected from Juniper
Networks SRX Series appliances that forward packet capture (PCAP) data.
Administrators must determine the outgoing PCAP port configured on the Juniper
Networks SRX appliance before the log source can be configured. PCAP data cannot be
forwarded to port 514.
Detailed configuration steps are provided in the Juniper Secure Analytics (JSA).

Table 28: PCAP Syslog Combination Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select a log source type.

Protocol Configuration

From the list, select PCAP Syslog Combination.

Log Source Identifier

Type an IP address, host name, or name to identify the Juniper Networks SRX Series appliance.
The log source identifier must be unique for the log source type.


Table 28: PCAP Syslog Combination Protocol Parameters (continued)


Parameter

Description

Incoming PCAP Port

Specify the port number used by the Juniper Networks SRX Series appliance to forward incoming
PCAP data.
The PCAP UDP port number must be configured from your Juniper SRX Series appliance.
If the outgoing PCAP port is edited on the Juniper Networks SRX Series appliance, the administrator
must edit the log source.
To edit the Incoming PCAP Port number, complete the following steps:
1. Type the new port number for receiving PCAP data.
2. Click Save.
3. On the Admin tab, select Advanced > Deploy Full Configuration.
Attention: When administrators click Deploy Full Configuration, the system restarts all services,
resulting in a gap in data collection for events and flows until the deployment completes.
Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not counted
in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source.
The credibility value that is assigned to a log source can increase or decrease based on incoming
events or adjusted as a response to user created event rules. The credibility of events from log
sources contributes to the calculation of the offense magnitude and can increase or decrease the
magnitude value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote source,
this field defines which appliance polls for the events.
This option enables administrators to poll and process events on the target event collector, instead
of the console appliance. This can improve performance in distributed deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a
short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, the events are displayed individually and the information is not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.


Table 28: PCAP Syslog Combination Protocol Parameters (continued)


Parameter

Description

Log Source Language

Select the language of the events generated by the log source.


The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are XML
files that contain regular expressions, which can override or repair the event parsing patterns defined
by a device support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement: Select this option when most fields parse correctly for your log source.

Parsing override: Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.

To configure the PCAP Syslog Combination protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the Syslog Protocol on page 18.

Configuring the JDBC Protocol on page 21.

Configuring the JDBC SiteProtector Protocol on page 25.

Configuring the TLS Syslog Protocol on page 87.

Configuring the Juniper Security Binary Log Collector Protocol on page 90.

Configuring the UDP Multiline Syslog Protocol on page 92.

Configuring the Forwarded Protocol


The forwarded protocol enables administrators to receive events from another console
in your deployment.
The forwarded protocol is typically used in a scenario where administrators want to
forward events to another Juniper Secure Analytics (JSA) console. In this scenario, console
A is configured with an off-site target in the deployment editor, which points to console
B. Log sources that are automatically discovered are automatically added to console B.
Any log sources from console A that are not automatically discovered must be added to
console B as a log source with the forwarded protocol.

Table 29: Forwarded Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select a log source type.

Protocol Configuration

From the list, select Forwarded.

Log Source Identifier

Type an IP address or host name for the originating log source.


For example, the identifier is the IP address or host name of the log source in Network A.
The log source identifier must be unique for the log source type.

Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not
counted in the license limit.


Table 29: Forwarded Protocol Parameters (continued)


Parameter

Description

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source.
The credibility value that is assigned to a log source can increase or decrease based on incoming
events or adjusted as a response to user created event rules. The credibility of events from log
sources contributes to the calculation of the offense magnitude and can increase or decrease the
magnitude value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote
source, this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event
collector, instead of the console appliance. This can improve performance in distributed
deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a
short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, the events are displayed individually and the information is not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events generated by the log source.


The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is only available after you upload a log source extension to JSA. Log source
extensions are XML files that contain regular expressions, which can override or repair the event
parsing patterns defined by a device support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement: Select this option when most fields parse correctly for your log source.

Parsing override: Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.
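The Coalescing Events row appears in every protocol parameter table in this chapter (Tables 25 through 30) with the same description. The following is an added example, not JSA's code, that models that behaviour over constructed sample events: repeats of the same event inside a short window are bundled into one record with a count, and clearing the check box yields one record per event. The window length, the choice of fields that make two events "the same", and the sample events are assumptions made for the illustration; the page gives neither the interval nor the matching fields.

```python
"""Added example (not JSA's own code): event coalescing as described in the
Coalescing Events row, run over constructed sample events."""
from dataclasses import dataclass

# Assumption: the page says only "a short time interval"; 10 s is a made-up value.
COALESCE_WINDOW_SECONDS = 10.0


@dataclass
class Event:
    ts: float          # seconds since an arbitrary epoch (constructed)
    log_source: str
    event_name: str
    src_ip: str
    dst_ip: str
    payload: str


@dataclass
class Record:
    """What the Log Activity tab would show: one event plus a repeat count."""
    first: Event
    count: int
    last_ts: float


def coalesce_key(e):
    # Assumption: events are "the same" when log source, event name and
    # source/destination addresses match; the payload text may differ.
    return (e.log_source, e.event_name, e.src_ip, e.dst_ip)


def coalesce(events, enabled=True, window=COALESCE_WINDOW_SECONDS):
    """Bundle repeats of the same event within `window` seconds of the first one.

    With enabled=False (check box clear) every event becomes its own record.
    """
    records = []
    open_bucket = {}   # coalesce_key -> index into records
    for e in sorted(events, key=lambda x: x.ts):
        idx = open_bucket.get(coalesce_key(e)) if enabled else None
        if idx is not None and e.ts - records[idx].first.ts < window:
            records[idx].count += 1
            records[idx].last_ts = e.ts
        else:
            if enabled:
                open_bucket[coalesce_key(e)] = len(records)
            records.append(Record(first=e, count=1, last_ts=e.ts))
    return records


def _fail(ts, src, user):
    # Constructed sample event; not a real device payload.
    return Event(ts, "fw-edge-1", "Login Failed", src, "10.0.0.20",
                 f"login failed user={user} src={src}")


# Constructed sample: a burst of failures from one host, one failure from a
# second host, and a late repeat from the first host outside the window.
SAMPLE_EVENTS = [
    _fail(0.0, "10.0.0.5", "alice"),
    _fail(0.4, "10.0.0.5", "alice"),
    _fail(1.1, "10.0.0.5", "bob"),
    _fail(1.5, "10.0.0.9", "carol"),
    _fail(2.0, "10.0.0.5", "alice"),
    _fail(3.0, "10.0.0.5", "alice"),
    _fail(20.0, "10.0.0.5", "alice"),
]


def summarize(enabled=True):
    """Return (src_ip, count) per record, in arrival order."""
    return [(r.first.src_ip, r.count) for r in coalesce(SAMPLE_EVENTS, enabled)]
```

Two things this model makes visible: the count is what a frequency-based view or rule sees, and only the first event's payload survives in a coalesced record, so in this model the `bob` failure is folded into the `alice` bundle. If a log source's individual payloads matter for investigation, clear the check box for that source rather than relying on the system-wide default.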


To configure the forwarded protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the TLS Syslog Protocol on page 87.

Configuring the Juniper Security Binary Log Collector Protocol on page 90.

Configuring the UDP Multiline Syslog Protocol on page 92.

Configuring the TCP Multiline Syslog Protocol on page 95.

Configuring the VMware vCloud Director Protocol on page 98.

Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 100.

Configuring the TLS Syslog Protocol


The TLS Syslog protocol enables log sources to receive encrypted syslog events from up to
50 network devices that support TLS Syslog event forwarding.
The log source creates a listen port for incoming TLS Syslog events and generates a
certificate file for the network devices. Up to 50 network appliances can forward events
to the port created for the log source.

Table 30: TLS Syslog Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select a log source type.

Protocol Configuration

From the list, select TLS Syslog.

Log Source Identifier

Type the IP address or host name of the network device forwarding encrypted syslog.


Table 30: TLS Syslog Protocol Parameters (continued)


Parameter

Description

TLS Listen Port

Type the port number to accept incoming TLS Syslog events.


The default TLS listen port is 6514.
The port number that is specified as the listen port for TLS events can be used by up to 50 log
sources. If multiple network devices are forwarding TLS syslog events, they can also use 6514 as
their default TLS syslog port.
To edit the port number, complete the following steps:
1. Type the new port number for the TLS syslog protocol.
2. Click Save.
3. On the Admin tab, select Advanced > Deploy Full Configuration.
Attention: When administrators click Deploy Full Configuration, the system restarts all services,
resulting in a gap in data collection for events and flows until the deployment completes.
Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not counted
in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source.
The credibility value that is assigned to a log source can increase or decrease based on incoming
events or adjusted as a response to user created event rules. The credibility of events from log
sources contributes to the calculation of the offense magnitude and can increase or decrease the
magnitude value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote source,
this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event
collector, instead of the console appliance. Distributing events across target event collectors can
improve performance in distributed deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a
short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, the events are displayed individually and the information is not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.


Table 30: TLS Syslog Protocol Parameters (continued)


Parameter

Description

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events generated by the log source.


The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are XML
files that contain regular expressions, which can override or repair the event parsing patterns defined
by a device support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement: Select this option when most fields parse correctly for your log source.

Parsing override: Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.
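The Log Source Extension and Extension Use Condition rows appear in every protocol parameter table in this chapter but never show what the two use conditions do to a parsed event. The following is an added example, not JSA's code, of how regexes from an extension combine with a DSM's own parse under each condition: with Parsing enhancement the DSM's values are kept and the extension fills only the gaps; with Parsing override the extension's values take precedence. The `<extension>`/`<field>` XML is a constructed, simplified document and is not the JSA log source extension schema; the stand-in DSM, its patterns, and the payloads are likewise constructed for the illustration.

```python
"""Added example (not JSA's own code): how Parsing enhancement and Parsing
override combine DSM output with regexes from a log source extension."""
import re
import xml.etree.ElementTree as ET

# Constructed, simplified extension document. Element names are an
# illustration only, not the JSA log source extension schema.
EXTENSION_XML = r"""
<extension>
  <field name="username" regex="usr=(\S+)"/>
  <field name="src_ip" regex="src=(\d+\.\d+\.\d+\.\d+)"/>
</extension>
"""


def load_extension(xml_text):
    """Compile one regex per <field>; capture group 1 is the field value."""
    root = ET.fromstring(xml_text.strip())
    return {f.get("name"): re.compile(f.get("regex")) for f in root.findall("field")}


def dsm_parse(payload):
    """Stand-in for a device support module (constructed).

    Its source-address pattern takes the first IPv4 address in the payload,
    which is wrong for devices that log their own management address first;
    that is the kind of defect Parsing override exists to repair.
    """
    fields = {}
    m = re.search(r"user=(\S+)", payload)
    if m:
        fields["username"] = m.group(1)
    m = re.search(r"(\d+\.\d+\.\d+\.\d+)", payload)
    if m:
        fields["src_ip"] = m.group(1)
    return fields


def extension_parse(payload, patterns):
    """Apply every extension regex; unmatched fields are simply absent."""
    fields = {}
    for name, regex in patterns.items():
        m = regex.search(payload)
        if m:
            fields[name] = m.group(1)
    return fields


def parse(payload, patterns, use_condition):
    """Combine DSM and extension results according to the use condition."""
    dsm = dsm_parse(payload)
    ext = extension_parse(payload, patterns)
    if use_condition == "Parsing enhancement":
        # DSM values are kept; the extension only fills fields the DSM missed.
        return {**ext, **dsm}
    if use_condition == "Parsing override":
        # Extension values win; the DSM only fills fields the extension missed.
        return {**dsm, **ext}
    raise ValueError(f"unknown use condition: {use_condition}")


# Constructed sample payloads.
MGMT_FIRST = "LOGIN_FAIL dev=10.0.0.1 user=dave src=10.9.9.9"
NEW_FORMAT = "LOGIN_FAIL usr=erin src=10.8.8.8"


def demo():
    """Show both use conditions on a mis-parsed payload and on a new format."""
    patterns = load_extension(EXTENSION_XML)
    return {
        "enhancement/mgmt_first": parse(MGMT_FIRST, patterns, "Parsing enhancement"),
        "override/mgmt_first": parse(MGMT_FIRST, patterns, "Parsing override"),
        "enhancement/new_format": parse(NEW_FORMAT, patterns, "Parsing enhancement"),
    }
```

On the first payload, enhancement leaves the DSM's wrong source address (`10.0.0.1`) in place because the DSM did produce a value; only override replaces it with `10.9.9.9`. On the second payload, where the DSM finds no username at all, enhancement is enough. That is the practical reading of the two options: choose enhancement when the DSM is mostly right and the extension adds fields, and override when the DSM's own values are what needs correcting, keeping in mind that override also replaces fields the DSM was parsing correctly wherever the extension's regex matches.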

To configure the TLS Syslog protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

After the log source is saved, a syslog-tls certificate is created for the log source device. The
certificate must be copied to any device on your network that is capable of forwarding
encrypted syslog. Additional network devices with a syslog-tls certificate file and the TLS
listen port number can be automatically discovered as a TLS syslog log source in JSA.

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the Juniper Security Binary Log Collector Protocol on page 90.

Configuring the UDP Multiline Syslog Protocol on page 92.

Configuring the TCP Multiline Syslog Protocol on page 95.

Configuring the VMware vCloud Director Protocol on page 98.

Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 100.


Configuring the Juniper Security Binary Log Collector Protocol


The Juniper Binary Log Collector protocol can accept audit, system, firewall, and intrusion
prevention system (IPS) events in binary format.
Administrators must configure their Juniper appliances to stream binary formatted events.
The port number that is used by Juniper to stream binary events is required before an
administrator can configure the log source.
The binary log format from Juniper SRX or J Series appliances is streamed with the UDP
protocol. You must specify a unique port for streaming binary formatted events; the
standard syslog port (514) cannot be used for binary formatted events. The default port
that is assigned to receive streaming binary events from Juniper appliances is port 40798.

Table 31: Juniper Security Binary Log Collector Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select a log source type.

Protocol Configuration

From the list, select Security Binary Log Collector.

Log Source Identifier

Type an IP address or host name to identify the log source.


The identifier address must be the Juniper SRX or J Series appliance that generates the binary event
stream.

Binary Collector Port

Type the port number to accept incoming binary events.


The default listen port is 40798.
To edit the port number, complete the following steps:
1. Type the new port number for the protocol.
2. Click Save.
3. On the Admin tab, select Advanced > Deploy Full Configuration.
Attention: When administrators click Deploy Full Configuration, the system restarts all services,
resulting in a gap in data collection for events and flows until the deployment completes.

XML Template File Location

Type the path to the XML file used to decode the binary stream from your Juniper SRX or Juniper
J-Series appliance.
By default, the device support module (DSM) includes an XML file for decoding the binary stream.
The XML file is in the following location: /opt/qradar/conf/security_log.xml.


Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not counted
in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source.
The credibility value that is assigned to a log source can increase or decrease based on incoming
events, or can be adjusted in response to user-created event rules. The credibility of events from log
sources contributes to the calculation of the offense magnitude and can increase or decrease the
magnitude value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote
source, this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event
collector, instead of the console appliance. Distributing events across target event collectors can
improve performance in distributed deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a
short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, the events are displayed individually and the information is not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events generated by the log source.


The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are
XML files that contain regular expressions, which can override or repair the event parsing patterns
defined by a device support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement: Select this option when most fields parse correctly for your log source.

Parsing override: Select this option when the log source is unable to correctly parse events.


Groups

Select one or more groups for the log source.

To configure the Juniper Security Binary Log Collector protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the UDP Multiline Syslog Protocol on page 92.

Configuring the TCP Multiline Syslog Protocol on page 95.

Configuring the VMware vCloud Director Protocol on page 98.

Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 100.

Configuring the UDP Multiline Syslog Protocol


The UDP multiline syslog protocol uses a regular expression to identify and reassemble
multiline syslog messages into a single event payload.
The UDP multiline protocol enables administrators to add a log source that creates a
single-line syslog event from a multiline event. The original event must contain a value
that repeats, which a regular expression can use to identify and reassemble the multiline
event. The following example event contains such a repeated value:
15:08:56 1.1.1.1 slapd[517]: conn=2467222 op=2 SEARCH RESULT tag=101
15:08:56 1.1.1.1 slapd[517]: conn=2467222 op=2 SRCH base="dc=iso-n,dc=com"
15:08:56 1.1.1.1 slapd[517]: conn=2467222 op=2 SRCH attr=gidNumber
15:08:56 1.1.1.1 slapd[517]: conn=2467222 op=1 SRCH base="dc=iso-n,dc=com
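As an added example (not code from the guide or from JSA), the following Python reassembles UDP multiline syslog lines by a Message ID Pattern of the kind described above, using the slapd lines as constructed sample input. The idle timeout and line cap that bound the buffers are assumptions; the guide does not state how the protocol decides an event is complete.

```python
import re
import time
from collections import OrderedDict

# Constructed sample input: the slapd lines shown in the guide plus a second
# connection (conn=2467223) and an unrelated kernel line, interleaved the way
# UDP delivery mixes lines from concurrent events.
SAMPLE_LINES = [
    '15:08:56 1.1.1.1 slapd[517]: conn=2467222 op=2 SEARCH RESULT tag=101',
    '15:08:56 1.1.1.1 slapd[517]: conn=2467223 op=0 BIND dn="cn=svc,dc=iso-n,dc=com"',
    '15:08:56 1.1.1.1 slapd[517]: conn=2467222 op=2 SRCH base="dc=iso-n,dc=com"',
    '15:08:56 1.1.1.1 slapd[517]: conn=2467222 op=2 SRCH attr=gidNumber',
    '15:08:56 1.1.1.1 slapd[517]: conn=2467223 op=0 RESULT tag=97 err=0',
    '15:08:56 1.1.1.1 kernel: eth0 link up',  # no identifier: stays a single-line event
]

# Message ID Pattern: capture group 1 is the value that repeats on every line
# of one multiline event.
MESSAGE_ID_PATTERN = re.compile(r"conn=(\d+)")


class UdpMultilineReassembler:
    """Groups UDP syslog lines that share a message identifier into one payload.

    Two bounds (assumed here, not stated in the guide) keep the buffers finite:
    an event is emitted once no line for its identifier arrives within
    `idle_seconds`, or once it reaches `max_lines`.
    """

    def __init__(self, id_pattern, idle_seconds=2.0, max_lines=50):
        self.id_pattern = id_pattern
        self.idle_seconds = idle_seconds
        self.max_lines = max_lines
        self._buffers = OrderedDict()  # identifier -> (last_seen, [lines])

    def feed(self, line, now=None):
        """Consumes one received line; returns any payloads completed by it."""
        now = time.monotonic() if now is None else now
        emitted = self._expire(now)
        match = self.id_pattern.search(line)
        if match is None:
            emitted.append(line)  # no identifier: pass the line through unchanged
            return emitted
        key = match.group(1)
        _, lines = self._buffers.get(key, (now, []))
        lines.append(line)
        self._buffers[key] = (now, lines)
        if len(lines) >= self.max_lines:
            emitted.append(self._emit(key))
        return emitted

    def _expire(self, now):
        stale = [k for k, (seen, _) in self._buffers.items()
                 if now - seen >= self.idle_seconds]
        return [self._emit(k) for k in stale]

    def _emit(self, key):
        _, lines = self._buffers.pop(key)
        return "\n".join(lines)

    def flush(self):
        """Emits every buffered event, for example when the collector stops."""
        return [self._emit(k) for k in list(self._buffers)]


def reassemble(lines, id_pattern=MESSAGE_ID_PATTERN, step=0.1, idle_seconds=2.0):
    """Replays `lines` `step` seconds apart and returns the reassembled payloads."""
    reassembler = UdpMultilineReassembler(id_pattern, idle_seconds=idle_seconds)
    events = []
    for i, line in enumerate(lines):
        events.extend(reassembler.feed(line, now=i * step))
    events.extend(reassembler.flush())
    return events


if __name__ == "__main__":
    for event in reassemble(SAMPLE_LINES):
        print(event, end="\n---\n")
```

With the lines arriving 0.1 s apart the two connections come out as two payloads and the kernel line passes through on its own; replaying them 3 s apart exceeds the idle timeout, so every line becomes its own event.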

Table 32: UDP Multiline Syslog Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select a log source type.

Description

Protocol Configuration

From the list, select UDP Multiline Syslog.

Log Source Identifier

Type the IP address or host name of the network device forwarding encrypted syslog.

Listen Port

Type the port number to accept incoming UDP multiline Syslog events.
The default listen port is 517.
To edit the port number, complete the following steps:
1. Type the new port number for the protocol.
2. Click Save.
3. On the Admin tab, select Advanced > Deploy Full Configuration.
Attention: When administrators click Deploy Full Configuration, the system restarts all services,
resulting in a gap in data collection for events and flows until the deployment completes.

Message ID Pattern

Type the regular expression (regex) required to filter the event payload messages.
The UDP multiline event messages must contain a common identifying value that repeats on each
line of the event message.

Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not counted
in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source.
The credibility value that is assigned to a log source can increase or decrease based on incoming
events, or can be adjusted in response to user-created event rules. The credibility of events from log
sources contributes to the calculation of the offense magnitude and can increase or decrease the
magnitude value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote source,
this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event
collector, instead of the console appliance. Distributing events across target event collectors can
improve performance in distributed deployments.

Description

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a
short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, the events are listed individually and the information is not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are XML
files that contain regular expressions, which can override or repair the event parsing patterns that
are defined by a device support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement: Select this option when most fields parse correctly for your log source.

Parsing override: Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.

To configure the UDP multiline syslog protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

After the log source is saved, a syslog-tls certificate is created for the log source device. The
certificate must be copied to any device on your network configured to forward encrypted
syslog. Additional network devices with a syslog-tls certificate file and the TLS listen port
number can be automatically discovered as a TLS syslog log source.


Related Documentation

Protocol Configuration Overview on page 18.

Configuring the Juniper Security Binary Log Collector Protocol on page 90.

Configuring the TCP Multiline Syslog Protocol on page 95.

Configuring the VMware vCloud Director Protocol on page 98.

Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 100.

Configuring the TCP Multiline Syslog Protocol


The TCP multiline syslog protocol uses regular expressions to identify the start and end
patterns of multiline events and create a single-line event.
The TCP multiline protocol enables administrators to add a log source that creates a
single-line syslog event from a multiline event. The following is an example multiline event:

06/13/2012 08:15:15 PM
Log Name=Security
Source Name=Microsoft Windows security auditing.
Event Code=5156
Event Type=0
Task Category=Filtering Platform Connection
Keywords=Audit Success
Message=The Windows Filtering Platform permitted a connection.
Process ID: 4
Application Name: System
Direction: Inbound
Source Address: 1.1.1.1
Source Port: 80
Destination Address: 1.1.1.12
Destination Port:444
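As an added example (not code from the guide or from JSA), the following Python splits a TCP stream of Windows-style multiline events into single-line events using an Event Start Pattern, an Event End Pattern, or either one alone, as the parameters below describe. The sample stream is constructed from the event above; the space separator used to flatten an event and the way segment boundaries are handled are assumptions.

```python
import re

# Constructed sample stream: the Windows event shown in the guide, followed by
# a second, shorter event that has no "Destination Port" line.
SAMPLE_STREAM = (
    "06/13/2012 08:15:15 PM\n"
    "Log Name=Security\n"
    "Source Name=Microsoft Windows security auditing.\n"
    "Event Code=5156\n"
    "Event Type=0\n"
    "Task Category=Filtering Platform Connection\n"
    "Keywords=Audit Success\n"
    "Message=The Windows Filtering Platform permitted a connection.\n"
    "Process ID: 4\n"
    "Application Name: System\n"
    "Direction: Inbound\n"
    "Source Address: 1.1.1.1\n"
    "Source Port: 80\n"
    "Destination Address: 1.1.1.12\n"
    "Destination Port:444\n"
    "06/13/2012 08:15:16 PM\n"
    "Log Name=Security\n"
    "Event Code=5157\n"
    "Message=The Windows Filtering Platform has blocked a connection.\n"
    "Direction: Outbound\n"
)

# Event Start Pattern: the header begins with a date and time stamp.
EVENT_START = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$")
# Event End Pattern: the last field of a complete event.
EVENT_END = re.compile(r"^Destination Port:")


class TcpMultilineSplitter:
    """Turns a TCP stream of multiline events into single-line events."""

    def __init__(self, start_pattern=None, end_pattern=None, separator=" "):
        if start_pattern is None and end_pattern is None:
            raise ValueError("an event start pattern or end pattern is required")
        self.start = start_pattern
        self.end = end_pattern
        self.separator = separator
        self._current = []  # lines of the event being assembled
        self._partial = ""  # incomplete last line carried over from the previous segment

    def feed(self, segment):
        """Consumes one TCP segment (text); returns the events it completed."""
        lines = (self._partial + segment).split("\n")
        self._partial = lines.pop()  # text after the last newline is not yet a full line
        events = []
        for line in lines:
            line = line.strip()
            if not line:
                continue
            if self.start and self._current and self.start.search(line):
                events.append(self._finish())  # a new header closes the previous event
            self._current.append(line)
            if self.end and self.end.search(line):
                events.append(self._finish())  # the end field closes the current event
        return events

    def flush(self):
        """Emits what remains when the connection closes, partial line included."""
        events = self.feed("\n") if self._partial else []
        if self._current:
            events.append(self._finish())
        return events

    def _finish(self):
        event = self.separator.join(self._current)
        self._current = []
        return event


def split_events(stream, start_pattern=EVENT_START, end_pattern=EVENT_END, segment_size=64):
    """Replays `stream` in fixed-size segments so that cuts fall in the middle of lines."""
    splitter = TcpMultilineSplitter(start_pattern, end_pattern)
    events = []
    for offset in range(0, len(stream), segment_size):
        events.extend(splitter.feed(stream[offset:offset + segment_size]))
    events.extend(splitter.flush())
    return events


if __name__ == "__main__":
    for event in split_events(SAMPLE_STREAM):
        print(event)
```

For this input the start-only, end-only and combined configurations all yield the same two events, and the result does not depend on where the TCP segments are cut.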

Table 33: TCP Multiline Syslog Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select a log source type.

Protocol Configuration

From the list, select TCP Multiline Syslog.

Log Source Identifier

Type the IP address or host name of the network device forwarding encrypted syslog.


Listen Port

Type the port number to accept incoming TCP multiline syslog events.
The default listen port is 12468.
To edit the port number, complete the following steps:
1. Type the new port number for the protocol.
2. Click Save.
3. On the Admin tab, select Advanced > Deploy Full Configuration.
Attention: When administrators click Deploy Full Configuration, the system restarts all services,
resulting in a gap in data collection for events and flows until the deployment completes.

Event Formatter

From the list, select one of the following options:

No Formatting: Select this option when no extra formatting is required for the multiline events.

Windows Multiline: Select this option when the multiline events are formatted specifically for Windows.

Event Start Pattern

Type the regular expression (regex) required to identify the start of a TCP multiline event payload.
Syslog headers typically begin with a date or time stamp.
The protocol can create single-line events based solely on an event start pattern, such as
a time stamp.
When a start pattern is all that is available, the protocol captures all the information between each
start value to create a valid event.

Event End Pattern

Type the regular expression (regex) required to identify the last field of a TCP multiline event payload.
If every syslog event ends with the same value, administrators can use a regular expression to determine
the end of an event.
The protocol can capture events based solely on an event end pattern.
When an end pattern is all that is available, the protocol captures all the information between each
end value to create a valid event.

Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not counted
in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source.
The credibility value that is assigned to a log source can increase or decrease based on incoming
events, or can be adjusted in response to user-created event rules. The credibility of events from log
sources contributes to the calculation of the offense magnitude and can increase or decrease the
magnitude value of an offense.


Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote source,
this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event
collector, instead of the console appliance. Distributing events across target event collectors can
improve performance in distributed deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a
short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, the events are displayed individually and the information is not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the default
behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the default
behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events generated by the log source.


The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are XML
files that contain regular expressions, which can override or repair the event parsing patterns defined
by a device support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement: Select this option when most fields parse correctly for your log source.

Parsing override: Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.

To configure the TCP multiline syslog protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for your log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the TLS Syslog Protocol on page 87.

Configuring the Juniper Security Binary Log Collector Protocol on page 90.

Configuring the UDP Multiline Syslog Protocol on page 92.

Configuring the VMware vCloud Director Protocol on page 98.

Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 100.

Configuring the VMware vCloud Director Protocol


The VMware vCloud Director protocol provides log sources the ability to use the VMware
API to collect events from the VMware vCloud Director virtual environments.
Table 34 on page 98 describes the parameters of the VMware vCloud Director protocol.

Table 34: VMware vCloud Director Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.

Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select the type of log source to add.

Protocol Configuration

From the list, select VMware vCloud Director.

Log Source Identifier

Type an IPv4 address or host name to identify the log source that created the events.

vCloud URL

Type the URL configured on the VMware vCloud appliance to access the REST API.
The URL must match the address that is configured as the VCD public REST API base URL on the
vCloud Server.
For example, https://1.1.1.1.

User Name

Type the user name that is required to remotely access the vCloud Server.
For example, console/user@organization.
To configure a read-only account to use with the vCloud Director protocol, administrators can
create a user in the organization with console Access Only permission.

Password

Confirm the password that is required to remotely access the vCloud Server.

Polling Interval

Type a polling interval, which is the amount of time between queries to the vCloud Server for new
events.
The default polling interval is 10 seconds.

Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not counted
in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source.
The credibility value that is assigned to a log source can increase or decrease based on incoming
events, or can be adjusted in response to user-created event rules. The credibility of events from log
sources contributes to the calculation of the offense magnitude and can increase or decrease the
magnitude value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote
source, this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event
collector, instead of the console appliance. Distributing events across target event collectors can
improve performance in distributed deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a
short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and events are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are
XML files that contain regular expressions, which can override or repair the event parsing of a device
support module (DSM).


Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement: Select this option when most fields parse correctly for your log source.

Parsing override: Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.

To configure the VMware vCloud Director protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source. The JSA provides step-by-step instructions
   to configure each log source.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the TLS Syslog Protocol on page 87.

Configuring the Juniper Security Binary Log Collector Protocol on page 90.

Configuring the UDP Multiline Syslog Protocol on page 92.

Configuring the TCP Multiline Syslog Protocol on page 95.

Configuring the IBM Tivoli Endpoint Manager SOAP Protocol on page 100.

Configuring the IBM Tivoli Endpoint Manager SOAP Protocol


The IBM Tivoli Endpoint Manager SOAP protocol retrieves Log Extended Event Format
(LEEF) formatted events from IBM Tivoli Endpoint Manager appliances.
This protocol requires IBM Tivoli Endpoint Manager version 8.2.x or later and the Web
Reports application for Tivoli Endpoint Manager.
The Tivoli Endpoint Manager SOAP protocol retrieves events at 30-second intervals over
HTTP or HTTPS. As events are retrieved, the IBM Tivoli Endpoint Manager DSM parses
and categorizes the events.

Table 35: IBM Tivoli Endpoint Manager SOAP Protocol Parameters


Parameter

Description

Log Source Name

Type a unique name of the log source.


Log Source Description

Optional. Type a description for the log source.

Log Source Type

From the list, select a log source type.

Protocol Configuration

From the list, select IBM Tivoli Endpoint Manager SOAP.

Log Source Identifier

Type the IP address or host name of the network device forwarding encrypted syslog.

Use HTTPS

Select this check box to connect to your IBM Tivoli Endpoint Manager with HTTPS.
If a certificate is required to connect with HTTPS, administrators must copy any certificates that
are required to the following directory: /opt/qradar/conf/trusted_certificates.
Certificates with the .crt, .cert, or .der file extension are supported.
Administrators must copy certificates to the trusted certificates directory before the log source is
saved and deployed.

SOAP Port

Type the port number used to connect to the IBM Tivoli Endpoint Manager using the SOAP API.
By default, port 80 is the port number for communicating with IBM Tivoli Endpoint Manager.
If administrators use HTTPS, the port field must be updated appropriately.
Most configurations use port 443 for HTTPS communications.

Username

Type the username required to access IBM Tivoli Endpoint Manager.

Password

Type the password required to access IBM Tivoli Endpoint Manager.

Confirm Password

Confirm the password to access IBM Tivoli Endpoint Manager.

Enabled

Select this check box to enable the log source.


When this check box is clear, the log source does not collect events and the log source is not counted
in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) to 10 (highest). The default credibility
is 5.
Credibility is a representation of the integrity or validity of events that are created by a log source.
The credibility value that is assigned to a log source can increase or decrease based on incoming
events, or can be adjusted in response to user-created event rules. The credibility of events from log
sources contributes to the calculation of the offense magnitude and can increase or decrease the
magnitude value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote
source, this field defines which appliance polls for the events.
The target event collector enables administrators to poll and process events on the target event
collector, instead of the console appliance. Distributing events across target event collectors can
improve performance in distributed deployments.


Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.
Coalescing events increases the event count when the same event occurs multiple times within a
short time interval. Coalesced events provide administrators a way to view and determine the
frequency with which a single event type occurs on the Log Activity tab.
When this check box is clear, events are viewed individually and events are not bundled.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.
New and automatically discovered log sources inherit the value of this check box from the System
Settings configuration on the Admin tab. Administrators can use this check box to override the
default behavior of the system settings for an individual log source.

Log Source Language

Select the language of the events that are generated by the log source.
The log source language helps the system parse events from external appliances or operating
systems that can create events in multiple languages.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.
This parameter is available after a log source extension is uploaded. Log source extensions are
XML files that contain regular expressions, which can override or repair the event parsing of a device
support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

Parsing enhancement: Select this option when most fields parse correctly for your log source.

Parsing override: Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.

To configure the IBM Tivoli Endpoint Manager SOAP protocol:

1. Click the Admin tab.
2. Click the Log Sources icon.
3. Click Add.
4. Configure the parameters for the log source.
   Administrators should copy certificates to the trusted certificates directory before the
   log source is saved and deployed.
5. Click Save.
6. On the Admin tab, click Deploy Changes.

Related Documentation

Protocol Configuration Overview on page 18.

Configuring the TLS Syslog Protocol on page 87.

Configuring the Juniper Security Binary Log Collector Protocol on page 90.

Configuring the UDP Multiline Syslog Protocol on page 92.

Configuring the TCP Multiline Syslog Protocol on page 95.

Configuring the VMware vCloud Director Protocol on page 98.


CHAPTER 3

Grouping Log Sources


This chapter describes the following sections:

Grouping Log Source Overview on page 105

Viewing Log Source Groups on page 106

Assigning a Log Source to a Group on page 106

Creating a Log Source Group on page 107

Editing a Log Source Group on page 107

Copying a Log Source to Another Group on page 108

Removing a Log Source From a Group on page 108

Grouping Log Source Overview


Administrators can create log source groups to categorize their log sources by type,
location, or functionality.
Administrators can create and manage multiple levels of log source groups to help users
efficiently search for events. Log source groups are name associations to log sources
that administrators can create to categorize log sources. Each group can contain a
maximum of 1,000 log sources. Auto discovered log sources are assigned to a generic
log source group. Log source groups for bulk log sources are automatically created when
administrators add bulk log sources.
Related Documentation

Viewing Log Source Groups on page 106.

Assigning a Log Source to a Group on page 106.

Creating a Log Source Group on page 107.

Editing a Log Source Group on page 107.

Copying a Log Source to Another Group on page 108.

Removing a Log Source From a Group on page 108.

Viewing Log Source Groups


Administrators can sort the list of log sources to view log sources that are assigned to a
group.
To view the log source groups:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. From the Search For list, select the log source group.

4. Click Go.

The log source list refreshes to show the log sources associated with the group.
Related Documentation

Grouping Log Source Overview on page 105.

Assigning a Log Source to a Group on page 106.

Creating a Log Source Group on page 107.

Editing a Log Source Group on page 107.

Copying a Log Source to Another Group on page 108.

Removing a Log Source From a Group on page 108.

Assigning a Log Source to a Group


Administrators can use the assign feature to move one or more log sources from one
group to another. The assign feature can also be used to quickly assign a log source to
multiple groups. Auto discovered log sources often require a new group assignment
because all auto discovered log sources are categorized into a generic group.
To assign a log source to a group:

1. Click the Admin tab.

2. Click the Log Source icon.

3. Select one or more log sources to assign to a group.

4. Click Assign.

5. Select a group for the log source.

6. Click Assign Groups.

The log sources are reassigned to the group selected by the administrator.
Related Documentation

Grouping Log Source Overview on page 105.

Viewing Log Source Groups on page 106.

Creating a Log Source Group on page 107.

Editing a Log Source Group on page 107.

Copying a Log Source to Another Group on page 108.

Removing a Log Source From a Group on page 108.

Creating a Log Source Group


Administrators can create log source groups to organize the list of log sources for
users. A log source can belong to multiple groups at the same time and administrators
can create multiple levels of log source groups.
To create a log source group:

1. Click the Admin tab.

2. Click the Log Source Groups icon.

3. Click New Group.

4. Click Go.

The log source list refreshes with a list of log sources based on the group you selected.
Related Documentation

Grouping Log Source Overview on page 105.

Viewing Log Source Groups on page 106.

Assigning a Log Source to a Group on page 106.

Editing a Log Source Group on page 107.

Copying a Log Source to Another Group on page 108.

Removing a Log Source From a Group on page 108.

Editing a Log Source Group


Administrators can sort the list of log sources to view log sources that are assigned to a
group.
To edit a log source group:

1. Click the Admin tab.

2. Click the Log Sources icon.

3. From the Search For list, select the log source group.

4. Click Go.

The log source list refreshes to show the log sources associated with the group.
Related Documentation

Grouping Log Source Overview on page 105.

Viewing Log Source Groups on page 106.

Assigning a Log Source to a Group on page 106.

Creating a Log Source Group on page 107.

Copying a Log Source to Another Group on page 108.

Removing a Log Source From a Group on page 108.

Copying a Log Source to Another Group


Administrators can copy log source groups to move log sources between groups.
To copy a log source to another group:

1. Click the Admin tab.

2. Click the Log Source Groups icon.

3. Select the name of a group to view a list of log sources.

4. Select the log source to copy to a new group.

5. Click Copy.

6. Select the new group for the log source. This selection can include multiple groups.

7. Click Assign Groups.

The log source is reassigned to the groups selected by the administrator.


Related Documentation

Grouping Log Source Overview on page 105.

Viewing Log Source Groups on page 106.

Assigning a Log Source to a Group on page 106.

Creating a Log Source Group on page 107.

Editing a Log Source Group on page 107.

Removing a Log Source From a Group on page 108.

Removing a Log Source From a Group


Administrators can remove log sources from groups when a group is no longer required.
To remove a log source from a group:

1. Click the Admin tab.

2. Click the Log Source Groups icon.

3. Select the name of a group to view a list of log sources.

4. Select the log source to remove from the group.

5. Click Remove.

6. Click OK.

The log source is removed from the group.


Related Documentation

Grouping Log Source Overview on page 105.

Viewing Log Source Groups on page 106.

Assigning a Log Source to a Group on page 106.

Creating a Log Source Group on page 107.

Editing a Log Source Group on page 107.

Copying a Log Source to Another Group on page 108.

CHAPTER 4

Adding Log Source Parsing Order


This chapter describes the following sections:

Log Source Parsing Order Overview on page 111

Adding a Log Source Parsing Order on page 111

Log Source Parsing Order Overview


Administrators can assign an order to prioritize the events parsed by the target event
collector assigned to the log source.
Administrators can order the importance of log sources by defining the parsing order
for log sources that share a common IP address or host name. Defining the parsing order
ensures that certain log sources are parsed in a specific order, regardless of changes to
the log source configuration. The parsing order prevents unnecessary parsing, so that
system performance is not affected by changes to the log source configuration, and
ensures that lower-priority log sources do not parse events ahead of a more important
log source.
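The first-match routing that the parsing order describes, modelled in Python as an added example. This is not JSA code: the two log source names, their recognition patterns and the sample syslog lines are constructed, and the model assumes that log sources on a shared address are tried in order and the first one whose pattern matches claims the event.

```python
"""Model of how a parsing order routes events from one shared IP address.

Added illustration, not JSA code. Two constructed log sources both report
from the host 10.0.0.9: the firewall daemon and the host's own Linux syslog.
Each log source is modelled as (name, regex that recognises its payloads);
the parsing order is simply the list order.
"""
import re

# Constructed log sources sharing one address. The Linux OS pattern is
# deliberately permissive: it accepts almost any "program[pid]: " prefix.
FIREWALL = ("Firewall-10.0.0.9", re.compile(r"^fw\[\d+\]: (ACCEPT|DROP) "))
LINUX_OS = ("LinuxOS-10.0.0.9", re.compile(r"^\w+(\[\d+\])?: "))

# Constructed sample payloads from the shared host.
SAMPLE_EVENTS = [
    "fw[211]: DROP src=10.0.0.5 dst=192.0.2.10 dpt=23",
    "sshd[900]: Accepted publickey for ops from 10.0.0.12 port 51022",
    "fw[211]: ACCEPT src=10.0.0.7 dst=198.51.100.4 dpt=443",
]


def route_event(payload, parsing_order):
    """Return the name of the log source that claims the payload.

    Log sources are tried strictly in the configured order and the first one
    whose pattern matches wins, so log sources further down the list never
    see the event. None means no log source on this host parses the payload.
    """
    for name, pattern in parsing_order:
        if pattern.search(payload):
            return name
    return None


def attribute(events, parsing_order):
    """Count how many events each log source claims under a given order."""
    counts = {}
    for payload in events:
        owner = route_event(payload, parsing_order)
        counts[owner] = counts.get(owner, 0) + 1
    return counts


def misattributed(events, parsing_order, specific_source):
    """Events the specific source could parse but another source claimed first.

    This is the situation the parsing order exists to prevent: a permissive,
    lower-priority log source swallowing the events of a more important one.
    """
    name, pattern = specific_source
    return [
        payload for payload in events
        if pattern.search(payload) and route_event(payload, parsing_order) != name
    ]


if __name__ == "__main__":
    # Wrong order: the permissive Linux OS source is tried first and claims
    # every event, including the firewall's.
    print(attribute(SAMPLE_EVENTS, [LINUX_OS, FIREWALL]))
    print(misattributed(SAMPLE_EVENTS, [LINUX_OS, FIREWALL], FIREWALL))
    # Correct order: the specific firewall source is prioritised, and the
    # Linux OS source only sees what the firewall pattern rejects.
    print(attribute(SAMPLE_EVENTS, [FIREWALL, LINUX_OS]))
```

With the Linux OS source first, all three events are attributed to it and both firewall events are misattributed; with the firewall source first, the two firewall events reach the firewall log source and only the sshd line falls through to the Linux OS source. Placing the most specific log source first is what keeps a permissive pattern from consuming events that belong elsewhere.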
Related Documentation

Adding a Log Source Parsing Order on page 111

Adding a Log Source Parsing Order


Administrators can assign an order to prioritize the events parsed by the target event
collector assigned to the log source.
To add a log source parsing order:

1. Click the Admin tab.

2. Click the Log Source Parsing Ordering icon.

3. Select a log source based on the IP address or host name.

4. Optional. From the Selected Event Collector list, select the Event Collector to define
the log source parsing order.

5. Optional. From the Log Source Host list, select a log source.

6. Prioritize the log source parsing order.

7. Click Save.

Related Documentation

Log Source Parsing Order Overview on page 111.

CHAPTER 5

Managing Log Source Extensions


This chapter describes the following sections:

Log Source Extensions Overview on page 113

Viewing the Status of a Log Source Extension on page 114

Adding a Log Source Extension on page 115

Editing a Log Source Extension on page 116

Copying a Log Source Extension on page 117

Enabling or Disabling a Log Source Extension on page 119

Deleting a Log Source Extension on page 119

Log Source Extensions Overview


Log source extensions can be created by administrators to extend or modify the parsing
routines of specific devices.
A log source extension is an XML file that includes all of the regular expression patterns
required to identify and categorize events from the event payload. Extension files can be
used to parse all events when a device support module (DSM) does not exist or an
administrator needs to correct a parsing issue for or override the default parsing for an
event from a DSM. An extension can provide event support when a DSM does not exist
to parse events for an appliance or security device in your network. The Log Activity tab
identifies log source events in three basic types:

1. Log sources that properly parse the event. Events that are properly parsed by the system
are assigned to the proper log source type and categorized correctly. In this case, no
intervention or extension is required.

2. Log sources that parse events, but include Unknown events. Unknown events are log
source events where the log source type is identified, but the payload information
cannot be understood by the DSM. The system is unable to determine an event
identifier from the available information to properly categorize the event. In this case,
the event can be mapped to a category from the Log Activity tab or a log source
extension can be written to repair the event parsing for unknown events.

3. Log sources that cannot identify the log source type and mark the event as a Stored
event. Stored events require administrators to update their DSM files or write a log
source extension to properly parse the event. After the event parses, the administrator
can then map the events in the Log Activity tab.

Before a log source extension is added, the administrator must create the extension
document. The extension document is an XML document that can be created with any
common word processing or text editing application. Multiple extension documents can
be created, uploaded, and associated to various log source types. The format of the
extension document must conform to a standard XML schema document (XSD). To
develop an extension document, knowledge of and experience with XML coding is required.
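The three event types in the overview above, and the Parsing Enhancement versus Parsing Override use conditions that the procedures in this chapter offer, modelled in Python as an added example. This is not JSA code and the XML layout is a constructed stand-in, not the product's extension schema or its XSD; the DSM patterns, field names, sample payloads and the simple structural check are all assumptions made for the illustration.

```python
"""Model of a log source extension's enhancement vs override behaviour.

Added illustration, not JSA code and not the JSA extension XSD: the XML
layout below is a constructed stand-in with one regex per target field.
The stand-in DSM only understands the older "ACTION:/SRC:/DST:" payload
form, so the extension exists to cover the newer "key=value" form.
"""
import re
import xml.etree.ElementTree as ET

# Constructed extension document (simplified layout, not the product schema).
EXTENSION_XML = r"""<extension name="example-firewall">
  <pattern field="EventName"><![CDATA[action=(\w+)]]></pattern>
  <pattern field="SourceIp"><![CDATA[src=(\d{1,3}(?:\.\d{1,3}){3})]]></pattern>
  <pattern field="DestinationIp"><![CDATA[dst=(\d{1,3}(?:\.\d{1,3}){3})]]></pattern>
</extension>"""

# Stand-in for the DSM's built-in parsing patterns (constructed).
DSM_PATTERNS = {
    "EventName": re.compile(r"ACTION:(\w+)"),
    "SourceIp": re.compile(r"SRC:(\S+)"),
    "DestinationIp": re.compile(r"DST:(\S+)"),
}


def load_extension(xml_text):
    """Compile the extension's patterns, one per target field.

    Raises ValueError for anything the simplified layout does not allow,
    standing in for the XSD check performed when a file is uploaded.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "extension":
        raise ValueError("root element must be <extension>")
    patterns = {}
    for element in root:
        field = element.attrib.get("field")
        if element.tag != "pattern" or not field or not (element.text or "").strip():
            raise ValueError("invalid element <%s>" % element.tag)
        patterns[field] = re.compile(element.text.strip())
    return patterns


def extension_is_valid(xml_text):
    """True when the document passes the structural check above."""
    try:
        load_extension(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


def dsm_parse(payload):
    """Built-in parsing. None means the log source type was not recognised."""
    if not payload.startswith("fw: "):
        return None
    fields = {}
    for field, pattern in DSM_PATTERNS.items():
        match = pattern.search(payload)
        if match:
            fields[field] = match.group(1)
    return fields


def parse_event(payload, extension, use_condition):
    """Return (status, fields) for one payload.

    use_condition is "enhancement" (DSM values kept, extension fills what the
    DSM missed) or "override" (DSM values discarded, extension used alone).
    Status mirrors the three event types: Parsed, Unknown (type known but no
    event identifier found) and Stored (type not recognised at all).
    """
    dsm_fields = dsm_parse(payload)
    if dsm_fields is None:
        return "Stored", {}
    fields = {} if use_condition == "override" else dict(dsm_fields)
    for field, pattern in extension.items():
        if field in fields:          # enhancement never replaces a DSM value
            continue
        match = pattern.search(payload)
        if match:
            fields[field] = match.group(1)
    status = "Parsed" if "EventName" in fields else "Unknown"
    return status, fields
```

Run against the constructed payloads, an old-format event parses fully under enhancement but becomes Unknown under override, because the override discards the DSM's correct values and the extension's patterns only know the new format; a new-format event parses under either condition, and a payload whose prefix the DSM does not recognise is Stored regardless of the extension. That is the reason the guide recommends Parsing Enhancement when most fields already parse correctly and reserves Parsing Override for a DSM that cannot parse the events at all.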
Related Documentation

Viewing the Status of a Log Source Extension on page 114.

Adding a Log Source Extension on page 115.

Editing a Log Source Extension on page 116.

Copying a Log Source Extension on page 117.

Enabling or Disabling a Log Source Extension on page 119.

Deleting a Log Source Extension on page 119.

Viewing the Status of a Log Source Extension


Administrators can view a list of log source extensions, the description, status, and log
sources assigned to an extension.
Table 36 describes the parameters that are displayed in the user interface when an
administrator views the status of a log source extension.

Table 36: Log Source Extension Parameters

Extension Name

The name of the log source.
Administrators can click the name of the extension to download the XML file for the log source
extension.

Description

The description for the log source extension. The description must not exceed 255 characters.

Enabled

A value of True indicates that the extension is enabled and the parsing patterns are active for
the log source. False indicates that the log source extension is currently disabled.

Defaults for Log Source Type

The log source extension applies parsing from the extension XML file to all Log Source Types
listed in this column. This includes auto discovered log sources that match the Log Source Type
specified.
A value of None indicates that the extension is uploaded, but not associated to a log source.

To view the status of a log source extension:

1. Click the Admin tab.

2. Click the Log Source Extensions icon.

3. Review the status of your log source extensions.

Related Documentation

Log Source Extensions Overview on page 113.

Adding a Log Source Extension on page 115.

Editing a Log Source Extension on page 116.

Copying a Log Source Extension on page 117.

Enabling or Disabling a Log Source Extension on page 119.

Deleting a Log Source Extension on page 119.

Adding a Log Source Extension


Administrators can enable or disable log source extensions. Enabled log source
extensions are listed in the Status column as True. Disabled log source extensions are
listed in the Status column as False.
Table 6 on page 13 describes the log source parameters:
To add a log source extension:

1. Click the Admin tab.

2. Click the Log Source Extensions icon.

3. Click Add.

4. Type a name for the log source extension.

5. Optional. Type a description for the log source extension.

6. From the Use Condition list, select one of the following options:

Parsing Enhancement

Select this option when the device support module (DSM) correctly parses most fields for the
log source. The incorrectly parsed field values are enhanced with the new XML values. This is the
default setting.

Parsing Override

Select this option when the device support module (DSM) is unable to parse correctly. The log
source extension completely overrides the failed parsing by the DSM and substitutes the parsing
with the new XML values.

7. From the Log Source Types list, select one of the following options:

Available

Select this option when the device support module (DSM) correctly parses most fields for the log
source. The incorrectly parsed field values are enhanced with the new XML values. This is the default
setting.

Set to default for

Select log sources to add or remove from the extension parsing. Administrators can add or remove
extensions from a log source. When a log source extension is Set to default for a log source, any new
log sources of the same Log Source Type use the assigned log source extension. This includes auto
discovered log sources.

8. Click Browse to locate your log source extension XML document.

9. Click Upload. The contents of the log source extension are displayed so that you can confirm
that the proper extension file is uploaded. The extension file is evaluated against the XSD for
errors when the file is uploaded.

10. Click Save.

If the extension file does not contain any errors, the new log source extension is created
and enabled. It is possible to upload a log source extension without applying the extension
to a log source. Any change to the status of an extension is applied immediately and
managed hosts or consoles enforce the new event parsing parameters in the log source
extension.
On the Log Activity tab, the parsing patterns for events should be verified to ensure that
the parsing is applied correctly to your events. If the log source categorizes events as
Stored, then this indicates that the parsing pattern in the log source extension requires
adjustment. The administrator can review the extension file against log source events
to locate any event parsing issues.
Related Documentation

Log Source Extensions Overview on page 113.

Viewing the Status of a Log Source Extension on page 114.

Editing a Log Source Extension on page 116.

Copying a Log Source Extension on page 117.

Enabling or Disabling a Log Source Extension on page 119.

Deleting a Log Source Extension on page 119.

Editing a Log Source Extension


Log source extension files must be edited in an external editor. Administrators can edit
a log source extension to modify the name or upload a new extension file to replace an
existing log source extension.

To edit a log source extension:

1. Click the Admin tab.

2. Click the Log Source Extensions icon.

3. Click Edit.

4. Edit the name or any other configuration parameters.

5. Click Browse to locate your log source extension XML document.

6. Click Upload. The log source extension is uploaded and the contents are displayed.
Administrators can review or replace the extension before they save the changes.

7. Click Save.

The new log source extension is created and enabled. It is possible to upload a log source
extension without applying the extension to a log source. Any change to the status of an
extension is applied immediately to the log source and managed hosts or consoles
enforce the new event parsing parameters in the log source extension.
On the Log Activity tab, the parsing patterns for events should be verified to ensure that
the parsing is applied correctly to your events. If the log source categorizes events as
Stored, then this indicates that the parsing pattern in the log source extension requires
adjustment. The administrator can review the extension file against log source events
to locate any event parsing issues.
Related Documentation

Log Source Extensions Overview on page 113.

Viewing the Status of a Log Source Extension on page 114.

Adding a Log Source Extension on page 115.

Copying a Log Source Extension on page 117.

Enabling or Disabling a Log Source Extension on page 119.

Deleting a Log Source Extension on page 119.

Copying a Log Source Extension


Administrators can copy log source extensions. Enabled log source extensions are listed
in the Status column as True. Disabled log source extensions are listed in the Status
column as False.
Table 6 on page 13 describes the log source parameters:
To copy a log source extension:

1. Click the Admin tab.

2. Click the Log Source Extensions icon.

3. Select a log source extension.

4. Click Copy.

5. Type a name for the log source extension.

6. Optional. Type a description for the log source extension.

7. From the Use Condition list, select one of the following options:

Parsing Enhancement

Select this option when the device support module (DSM) correctly parses most fields for the
log source. The incorrectly parsed field values are enhanced with the new XML values. This is the
default setting.

Parsing Override

Select this option when the device support module (DSM) is unable to parse correctly. The log
source extension completely overrides the failed parsing by the DSM and substitutes the parsing
with the new XML values.

8. From the Log Source Types list, select one of the following options:

Available

Select this option when the device support module (DSM) correctly parses most fields for the log
source. The incorrectly parsed field values are enhanced with the new XML values. This is the default
setting.

Set to default for

Select log sources to add or remove from the extension parsing. Administrators can add or remove
extensions from a log source. When a log source extension is Set to default for a log source, any new
log sources of the same Log Source Type use the assigned log source extension. This includes auto
discovered log sources.

9. Click Browse to locate your log source extension XML document.

10. Click Upload. The contents of the log source extension are displayed so that you can confirm
that the proper extension file is uploaded. The extension file is evaluated against the XSD for
errors when the file is uploaded.

11. Click Save.

If the extension file does not contain any errors, the log source extension is copied to
another log source and enabled. Any change to the status of an extension is applied
immediately and managed hosts or consoles enforce the new event parsing parameters
in the log source extension.
On the Log Activity tab, the parsing patterns for events should be verified to ensure that
the parsing is applied correctly to your events. If the log source categorizes events as
Stored, then this indicates that the parsing pattern in the log source extension requires
adjustment. The administrator can review the extension file against log source events
to locate any event parsing issues.

Related Documentation

Log Source Extensions Overview on page 113.

Viewing the Status of a Log Source Extension on page 114.

Adding a Log Source Extension on page 115.

Editing a Log Source Extension on page 116.

Enabling or Disabling a Log Source Extension on page 119.

Deleting a Log Source Extension on page 119.

Enabling or Disabling a Log Source Extension


Administrators can enable or disable log source extensions. Enabled log source
extensions are listed in the Status column as True. Disabled log source extensions are
listed in the Status column as False.
To enable or disable a log source extension:

1. Click the Admin tab.

2. Click the Log Source Extensions icon.

3. From the list of log source extensions, select the log source extension that you want
to delete.

4. Click Enable/Disable.
The status column is updated with the current status of the log source extension. Any
change to the status of an extension is applied immediately to the log source and
managed hosts or consoles enforce the new event parsing parameters in the log source
extension.
Related Documentation

Log Source Extensions Overview on page 113.

Viewing the Status of a Log Source Extension on page 114.

Adding a Log Source Extension on page 115.

Editing a Log Source Extension on page 116.

Copying a Log Source Extension on page 117.

Deleting a Log Source Extension on page 119.

Deleting a Log Source Extension


Administrators can delete a log source extension to remove any event parsing
enhancements or overrides for a log source. If an administrator deletes a log source
extension, the parsing changes are applied immediately to the incoming events for the
log source.

To delete a log source extension:

1. Click the Admin tab.

2. Click the Log Source Extensions icon.

3. From the list of log source extensions, select the log source extension that you want
to delete.

4. Click Delete.

5. Click Yes to confirm the deletion of the extension.

New events are written to disk based on the default patterns of the device support module
(DSM) or another extension that might be applied to the log source.
Related Documentation

Log Source Extensions Overview on page 113.

Viewing the Status of a Log Source Extension on page 114.

Adding a Log Source Extension on page 115.

Editing a Log Source Extension on page 116.

Copying a Log Source Extension on page 117.

Enabling or Disabling a Log Source Extension on page 119.

PART 2

Index

Index on page 123


Index

Symbols
#, comments in configuration statements.....................ix
( ), in syntax descriptions.......................................................ix
< >, in syntax descriptions...................................................viii
[ ], in configuration statements...........................................ix
{ }, in configuration statements..........................................ix
| (pipe), in syntax descriptions............................................ix

B
braces, in configuration statements..................................ix
brackets
angle, in syntax descriptions......................................viii
square, in configuration statements.........................ix

C
comments, in configuration statements.........................ix
conventions
text and syntax................................................................viii
curly braces, in configuration statements.......................ix
customer support......................................................................x
contacting JTAC.................................................................x

D
documentation
comments on....................................................................ix

F
font conventions.....................................................................viii

M
manuals
comments on....................................................................ix

P
parentheses, in syntax descriptions..................................ix

S
support, technical See technical support
syntax conventions................................................................viii

T
technical support
contacting JTAC.................................................................x