Configuring JIMS to Receive Remote Syslog Messages


Juniper Identity Management Service (JIMS) can receive remote system log (syslog) event data and user information data from an event source such as a DHCP server. The number of syslog sources is limited to 200. You define the IP address and port of the remote syslog server from which the JIMS server accepts connections. You configure the JIMS server to collect syslog data whenever it detects, in the remote server's session, a begin session event, an end session event, a per-session group mask event, a create and begin session event, a create user or device only event, or a modify user or device groups event.

The JIMS server collects data from syslog messages containing username, device name, domain, groups, and/or IP address mappings, and turns those messages into entries in its cache. The JIMS server transmits this information to each SRX Series device for it to use in making policy decisions in the user firewall feature.

The JIMS server uses the following default ports to support the syslog server:

  • Syslog UDP: UDP 514

  • Syslog TCP: TCP 514

The JIMS server does not open the Windows firewall for UDP 514 and TCP 514, because these are commonly scanned ports. You must open the port manually, using whichever firewall mechanism is currently installed, to receive messages. By default, Windows Firewall with Advanced Security is installed on Windows.

If a port cannot be allocated at startup, the JIMS server writes errors to the log, records the failure in the statistics status, and continues to execute.

You can configure regular expressions (regexes) to define search patterns within a syslog message. After matching the source address, the JIMS server executes the regexes associated with that connection, in the specified sequence.

The JIMS server compares the trigger regex to an incoming syslog message. If the trigger regex matches the incoming syslog message, JIMS attempts each attribute regex.

Before you begin, you need the hostname or IP address of the remote syslog server.

To configure JIMS to receive remote syslog messages:

  1. In the navigation pane, select Data Sources and then select the Syslog Sources tab.
  2. In the upper Syslog Configured Sources pane, click Add. The Syslog Server Configuration page appears.
  3. In the Syslog Server Configuration box, do the following:

    1. Type the remote syslog server IP address.
    2. Type a description of the remote syslog server.
  4. Click OK, and configure the remote syslog to send at least one type of (low-volume) syslog message. JIMS does not process these values until triggers are saved but lets you test your regex against incoming values. See step 6.
  5. To parse the received syslog messages by using a regex to define a search pattern, click Add. The Add Syslog Regular Expression Builder dialog appears.

    You can configure a regex to define the data to collect from syslog messages that contain username, domain, group, and/or IP address mappings. The data that the regexes extract becomes entries in the JIMS server cache for processing. Syslog events tie IP address information to user or device information (similar to an Event Log) and tie the user to a group list.

    To modify an existing regex, click the expression in the list and then click Edit.

    1. Type a description of the regex to be used.
    2. Specify the type of the regex processing.
    3. Specify the action that a trigger match tells the JIMS server to take:
      • Begin Session—Use Begin Session when the user or device is in an Active Directory domain, or (in combination with Create User/Device Only, below) when the user or device is sourced from another syslog message. The message links the IP address to the existing user or device. This trigger requires the IP address (IPv4 or IPv6) of the user, the domain, and one of user name or device name. If the domain matches an Active Directory domain, JIMS uses the Active Directory user name or device name and returns the groups associated with it. If the domain matches a domain created by a syslog Create User/Device Only trigger, JIMS begins that session and returns the groups that Create User/Device Only created with it.

      • End Session—Logs off whichever user is on a particular IP address. This trigger requires you to specify the IP address (IPv4 or IPv6) of the user. If you specify both IPv4 and IPv6 addresses, JIMS ends two sessions: the user with the IPv4 address and the user with the IPv6 address. The user entry or device entry for the IP address on the SRX Series device is removed once the logoff message matches the End Session trigger.

      • Per Session Group Mask—This trigger requires you to specify an IPv4 or IPv6 address of the session, to update the set of user or device groups that are forcibly added to or masked from the session. This trigger is typically used when you have user names or devices in Active Directory but JIMS receives a message representing a transient state for the user.

        For modal-group security alerts, for example when you receive a message that a device has out-of-date antivirus, specify the triggers as:

        • First trigger: Uses forced groups to add the device to a group such as posture-unhealthy.

        • Second trigger: Detects that the problem is remediated and removes the device from the group such as posture-unhealthy.

      • Create User/Device Only—This trigger requires you to specify a domain name, the user and user group names, and the device and device group names. JIMS does not associate an IP address with the user. This trigger is used when the user or device group information is sourced from a different syslog stream than the session stream.

      • Modify Groups by name—This trigger requires you to specify a domain name, a user with group names, and a device with device group names, to modify the groups of the named user or device. If you specify the domain and the user, JIMS updates that user's groups according to the user or device add-groups and remove-groups attributes.

      • Modify Groups by IP—This trigger requires you to specify an IP address (IPv4 or IPv6) of the user, a user with group names, and a device with device group names, to modify the groups of the named user or device. When you specify the IP address, JIMS looks up the current user or device associated with the session and modifies its groups.

      • Create and Begin—Use Create and Begin when the user or device data (that is, the groups) is sourced from the matched syslog message. This trigger requires the user and user groups, the device and device groups, or all four. It creates a user or device, or updates an existing user or device with the specified groups. This trigger is mostly used when there is no Active Directory. Set the domain that matches either the device name or the user name. If a domain is created by syslog, JIMS marks this domain as not active. Users in domains created by syslog never result in an Active Directory query, even if an Active Directory is added subsequently. JIMS creates two sessions if both an IPv4 and an IPv6 address are set.

    4. Specify the regex that you want to use as a trigger to parse the received syslog messages. If an attribute regex is marked as required and does not match, and there is no default, then the trigger fails and regex processing continues with the next trigger. JIMS uses the default value if the attribute match of the regex is blank.

      To match all incoming syslog messages, create a regular expression of .*. You can use this regular expression temporarily, with the Test button, to view all matched syslog messages: pick source_name and set its expression to (.*). This expression matches the whole syslog message and assigns it to source_name. Then click the Test button. By default, JIMS returns the first 10 syslog messages that match the trigger. You can change the Return Count value, from 1 to 200, to test that many matching syslog messages.

      If source_name is configured and parsed, and the message is from ClearPass, the syslog message on the SRX Series device is displayed as ClearPass.

      If source_name is not configured, the syslog message on the SRX Series device is displayed as JIMS - Syslog. JIMS uses the default value if the source_name match fails. The syslog message on the SRX Series device is displayed as Unknown if the source_name match fails and the default value is null.

      You can test the syslog messages that match the trigger from the current time to the required past time duration by:

      • Enabling the Start time check box.

      • Selecting the desired option from the drop-down list and entering the value described below.

        Table 8 contains the options from the drop-down list with range and default values.

        Table 8: Start-Time-Duration-Range-Default-Values

        Duration                                                                                                | Range                           | Default
        --------------------------------------------------------------------------------------------------------|---------------------------------|------------
        mins—Duration in minutes; JIMS extracts the syslog messages from the current time back this far to test  | 1 minute through 10,080 minutes | 120 minutes
        hours—Duration in hours; JIMS extracts the syslog messages from the current time back this far to test   | 1 hour through 168 hours        | 2 hours
        days—Duration in days; JIMS extracts the syslog messages from the current time back this far to test     | 1 day through 30 days           | 1 day

      • Enter the required number of minutes, hours, or days in the last field.

      You can filter the trigger expressions of the syslog entries to test from the syslog server by enabling the Match Server IP check box. Enabling the Match Server IP check box ensures only syslog entries from the designated syslog server are tested against the trigger and regular expressions. You can test only one trigger at a time.

    5. Click Add to create a regex that defines how to extract a specific attribute from the string. The Regex Attribute Editor appears. After the trigger regex is met, the JIMS server attempts to match the attribute regexes.

      To modify an existing attribute expression, click the expression in the list and then click Edit.

      • Attribute—Select from the list of attributes: devicegroups, devicename, domain, groups, IP, IPv4, IPv6, mac_address, session_device_forced_groups, session_device_masked_groups, session_user_forced_groups, session_user_masked_groups, source_name, timestamp, and username.

        • Timestamp—The default timestamp value is specified as +/-<hours>, which is added to the timestamp before it is sent to the cache. You must use the default timestamp value when the remote syslog server sends messages that reflect local time instead of Zulu or GMT time.

          In addition to the regular expression, timestamps take a format string instead of a default.

          • If the first character of the format is + or -, JIMS interprets the string as adding or subtracting that number of hours from the matched time. This is used when the syslog message contains local time instead of Zulu or GMT time.

          • To support other date or time formats, the default can be a format string as specified in https://en.cppreference.com/w/cpp/io/manip/get_time. You can also pass the text matched by the regular expression to get_time along with the format string and use the output of that regular expression.

            Below are a few examples:

          JIMS supports the following additional formatting.

          • .####—JIMS interprets this as deciseconds, centiseconds, milliseconds, or microseconds, as appropriate (rounded to milliseconds).

          • +/-<hours>—Represents a time offset, such as +2.5, meaning two and a half hours ahead of GMT.

          The regular expression above must match these characters.

          String representations of time zones such as EST, PST, or GMT are ignored. To handle them, you can use multiple regular expressions with the prefix pattern referenced above.

          While logs are replayed during a JIMS server restart, the user firewall is transiently in a previous state until the JIMS server reaches the end of the replay, at which point the current state is synchronized. Correct timestamp parsing in syslog session create and update messages limits the practical effect, because older events are discarded.

          Session attributes should have an IPv4 or IPv6 address set in the message; they overwrite the user or device groups regardless of source. Forced groups are always added unless they conflict with the global group filter. Masked groups are always removed. The following attributes are used to modify Active Directory users:

          • session_user_forced_groups

          • session_user_masked_groups

          • session_device_forced_groups

          • session_device_masked_groups

          To match a list of groups, JIMS supports extending the regular expression used during group matching with the mechanism <originalRE>!!!<subRE>.

          For example:

          Regular expression: groups: ([^"]*)"!!!\|?([^|,]*)\|?\,?

          This means: take the value after groups: up to the closing quote, then run the regular expression \|?([^|,]*)\|?\,? repeatedly over it. That expression ignores 0 or 1 vertical bars, matches all characters up to a comma or vertical bar, ignores 0 or 1 vertical bars, ignores the comma, and then repeats for the rest of the string.

          This turns a list such as group1,|group2|,|group three| into the following internal groups:

          group1

          group2

          group three

          Group defaults are specified as comma separated. So, a default of groupa,groupb,groupc is handled as three separate groups.

          The following attributes modify the internal syslog-generated users. Do not use these attributes to modify Active Directory users:

          • user_added_groups

          • user_removed_groups

          • device_added_groups

          • device_removed_groups

      • Required for Trigger Match—Click the check box if the selected attribute is required in the regular attribute expression. If the regex is marked as required and does not match, and there is no default, then the trigger fails. The regex processing continues to the next trigger. JIMS uses the default value if the attribute match of the regex is blank.

      • Expression—Enter the expression in the Regular Expression field.

      • Default—To modify the attribute value, enter a value in the Default text field.

      Do not add extra characters to the regex when you copy and paste it. A common problem is a stray space or tab character at the beginning or end of the regex. If the regex does not match properly, highlight the entire string and verify its content.

      Click OK to save the attribute expression as part of the regex.

    6. Click OK to save the syslog regex.
  6. Click OK to save the settings.
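As an added example (written for this page, not JIMS or Juniper code), the Python below works through two of the attribute rules from step 5: the timestamp handling (a +/-<hours> default, a get_time-style format string, the .#### fraction rounded to milliseconds, and a trailing +<hours> offset ahead of GMT in the matched text) and the <originalRE>!!!<subRE> group-list mechanism using the page's own expression, including the comma-separated default. The sample message, the base time layout assumed when the default is only an hour offset, and the direction in which an in-message GMT offset is removed are assumptions; Python's strptime stands in for get_time.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed layout of the matched timestamp when the default is only an hour
# offset; the page does not state what JIMS assumes here.
DEFAULT_TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample message (not from the page). The quotes and vertical bars
# are laid out so the page's example expression applies to it.
SAMPLE_MESSAGE = (
    '2024-06-12 10:15:01.2504 nac1 posture: user="alice" domain=example.test '
    'groups: group1,|group2|,|group three|" ip=192.0.2.25'
)

# The page's own group-list expression: <originalRE>!!!<subRE>.
GROUP_LIST_RE = r'groups: ([^"]*)"!!!\|?([^|,]*)\|?\,?'


def parse_timestamp(matched, spec=None):
    """Turn the text matched by the timestamp regex into a UTC datetime.

    spec is the attribute's default/format string:
      - "+H" or "-H": add or subtract H hours from the matched time (as the page says);
      - anything else: a strptime format, standing in for get_time (assumption).
    A .#### fraction after the seconds is read as deci/centi/milli/microseconds
    and rounded to milliseconds. A trailing +H/-H in the matched text is taken as
    an offset ahead of GMT and removed to give GMT (assumed direction).
    """
    text = matched.strip()
    millis = 0
    frac = re.search(r"(:\d\d)\.(\d{1,6})", text)
    if frac:
        micro = int(frac.group(2).ljust(6, "0"))    # .25 -> 250000 microseconds
        millis = round(micro / 1000)                 # rounded to milliseconds
        text = text[:frac.start()] + frac.group(1) + text[frac.end():]
    zone_hours = 0.0
    zone = re.search(r"([+-]\d+(?:\.\d+)?)$", text)
    if zone:
        zone_hours = float(zone.group(1))
        text = text[:zone.start()].rstrip()
    fmt = DEFAULT_TIME_FORMAT
    spec_hours = 0.0
    if spec and spec[0] in "+-":
        spec_hours = float(spec)
    elif spec:
        fmt = spec
    ts = datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
    return ts + timedelta(hours=spec_hours - zone_hours, milliseconds=millis)


def extract_timestamp(message, regex, spec=None):
    """Run the timestamp attribute regex on a message and normalise its first group."""
    m = re.search(regex, message)
    return parse_timestamp(m.group(1), spec) if m else None


def resolve_groups(message, combined_re, default=None):
    """Apply an <originalRE>!!!<subRE> expression; fall back to the comma-separated default.

    originalRE's first group is the list text; subRE is run serially over it and
    each non-empty first group becomes one internal group.
    """
    original, _, sub = combined_re.partition("!!!")
    m = re.search(original, message)
    if m and m.group(1):
        if not sub:
            return [m.group(1)]
        return [g.group(1) for g in re.finditer(sub, m.group(1)) if g.group(1)]
    return [d for d in default.split(",") if d] if default else []


if __name__ == "__main__":
    print(extract_timestamp(SAMPLE_MESSAGE, r"^(\S+ \S+)", "-2"))
    print(resolve_groups(SAMPLE_MESSAGE, GROUP_LIST_RE, default="groupa,groupb,groupc"))
```

With a default of -2, the sample's local time 10:15:01.2504 becomes 08:15:01.250 GMT, and the group expression yields group1, group2 and group three; a message without a groups: field falls back to the three defaults groupa, groupb and groupc.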