Arbor Networks Peakflow SP

 

JSA can collect and categorize syslog events from Arbor Networks Peakflow SP appliances that are in your network.

Arbor Networks Peakflow SP appliances store the syslog events locally.

To collect local syslog events, you must configure your Peakflow SP appliance to forward the syslog events to a remote host. JSA automatically discovers and creates log sources for syslog events that are forwarded from Arbor Networks Peakflow SP appliances. JSA supports syslog events that are forwarded from Peakflow V5.8 to V8.1.2.

To configure Arbor Networks Peakflow SP, complete the following steps:

  1. On your Peakflow SP appliance, create a notification group for JSA.

  2. On your Peakflow SP appliance, configure the global notification settings.

  3. On your Peakflow SP appliance, configure your alert notification rules.

  4. If automatic updates are not enabled for JSA, RPMs are available for download from Juniper Customer Support. Download and install the most recent version of the following RPMs on your JSA console.

    • DSMCommon RPM

    • Arbor Networks Peakflow SP DSM RPM

  5. Configure your Arbor Networks Peakflow SP appliance to send syslog or TLS syslog events to JSA.

  6. If JSA does not automatically detect the log source, add an Arbor Networks Peakflow SP log source on the JSA console. The following table describes the parameters that require specific values to collect events from Arbor Networks Peakflow SP:

    Table 1: Arbor Networks Peakflow SP Log Source Parameters

    | Parameter | Value |
    |---|---|
    | Log Source type | Arbor Networks Peakflow SP |
    | Protocol Configuration | Select Syslog or TLS Syslog |
    | Log Source Identifier | Type a unique name for the log source. |

Supported Event Types for Arbor Networks Peakflow SP

The Arbor Networks Peakflow DSM for JSA collects events from several categories.

Each event category contains low-level events that describe the action that is taken within the event category. For example, authentication events can have low-level categories of login successful or login failure.

The following list defines the event categories that are collected by JSA from Peakflow SP appliances:

  • Denial of Service (DoS) events

  • Authentication events

  • Exploit events

  • Suspicious activity events

  • System events

Configuring a Remote Syslog in Arbor Networks Peakflow SP

To collect events, you must configure a new notification group or edit existing groups to add JSA as a remote syslog destination.

  1. Log in to your Peakflow SP configuration interface as an administrator.
  2. In the navigation menu, select Administration > Notification > Groups.
  3. Click Add Notification Group.
  4. In the Destinations field, type the IP address of your JSA system.
  5. In the Port field, type 514 as the port for your syslog destination.
  6. From the Facility list, select a syslog facility.
  7. From the Severity list, select info.

    The informational severity collects all event messages at the informational event level and higher severity.

  8. Click Save.
  9. Click Configuration Commit.
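
How the Severity threshold in step 7 selects messages, as an added example that is not part of the Juniper or Arbor documentation: it decodes the standard syslog PRI value (facility × 8 + severity, RFC 5424) and checks each line against the info threshold. The helper names and sample lines are constructed for illustration and assume the appliance emits a standard PRI header; the message bodies do not reproduce Peakflow SP's actual format.

```python
import re

# Syslog severity names indexed by numeric value (RFC 5424): 0 is the most severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility_code, severity_name), or None if the line has no valid PRI."""
    m = PRI_RE.match(line)
    if m is None or int(m.group(1)) > 191:  # 23 * 8 + 7 is the largest valid PRI
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    return facility, SEVERITIES[severity]


def passes_threshold(line, threshold="info"):
    """True if the line's severity is the threshold level or more severe.

    More severe means a numerically lower severity value, so a threshold of
    "info" (6) admits everything except "debug" (7).
    """
    decoded = decode_pri(line)
    if decoded is None:
        return False
    return SEVERITIES.index(decoded[1]) <= SEVERITIES.index(threshold)


# Constructed sample lines (facility 16 = local0); bodies are placeholders.
SAMPLE_LINES = [
    "<134>Jan 10 12:00:00 sp-host.example placeholder informational message",
    "<131>Jan 10 12:00:01 sp-host.example placeholder error message",
    "<135>Jan 10 12:00:02 sp-host.example placeholder debug message",
    "Jan 10 12:00:03 sp-host.example line with no PRI header",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(decode_pri(line), passes_threshold(line), line[:45])
```

Running the same check with a stricter threshold such as `passes_threshold(line, "err")` shows which messages would be lost if a severity other than info were selected for the notification group.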

Configuring Global Notifications Settings for Alerts in Arbor Networks Peakflow SP

Global notifications in Arbor Networks Peakflow SP provide system notifications that are not associated with rules.

This procedure defines how to add JSA as the default notification group and enable system notifications.

  1. Log in to the configuration interface for your Arbor Networks Peakflow SP appliance as an administrator.
  2. In the navigation menu, select Administration > Notification > Global Settings.
  3. In the Default Notification Group field, select the notification group that you created for JSA syslog events.
  4. Click Save.
  5. Click Configuration Commit to apply the configuration changes.
  6. Log in to the Arbor Networks Peakflow SP command-line interface as an administrator.
  7. Type the following command to list the current alert configuration:

    services sp alerts system_errors show

  8. Optional: Type the following command to list the field names that can be configured:

    services sp alerts system_errors ?

  9. Type the following command to enable a notification for a system alert:

    services sp alerts system_errors <name> notifications enable

    Where <name> is the field name of the notification.

  10. Type the following command to commit the configuration changes:

    config write

Configuring Alert Notification Rules in Arbor Networks Peakflow SP

To generate events, you must edit or add rules to use the notification group that JSA uses as a remote syslog destination.

  1. Log in to your Arbor Networks Peakflow SP configuration interface as an administrator.
  2. In the navigation menu, select Administration > Notification > Rules.
  3. Select one of the following options:
    • Click a current rule to edit the rule.

    • Click Add Rule to create a new notification rule.

  4. Configure the following values:

    Table 2: Arbor Networks Peakflow SP Notification Rule Parameters

    | Parameter | Description |
    |---|---|
    | Name | Type the IP address or host name as an identifier for events from your Peakflow SP installation. The log source identifier must be a unique value. |
    | Resource | Type a CIDR address or select a managed object from the list of Peakflow resources. |
    | Importance | Select the Importance of the rule. |
    | Notification Group | Select the Notification Group that you assigned to forward syslog events to JSA. |

  5. Repeat these steps to configure any other rules that you want to create.
  6. Click Save.
  7. Click Configuration Commit to apply the configuration changes.

    JSA automatically discovers and creates a log source for Arbor Networks Peakflow SP appliances. Events that are forwarded to JSA are displayed on the Log Activity tab.

Configuring an Arbor Networks Peakflow SP Log Source

JSA automatically discovers and creates a log source for syslog events that are forwarded from Arbor Networks Peakflow SP. These configuration steps are optional.

  1. Log in to JSA.
  2. Click the Admin tab.
  3. In the navigation menu, click Data Sources.
  4. Click the Log Sources icon.
  5. Click Add.
  6. In the Log Source Name field, type a name for your log source.
  7. In the Log Source Description field, type a description for your log source.
  8. From the Log Source Type list, select Arbor Networks Peakflow.
  9. From the Protocol Configuration list, select Syslog.
  10. Configure the following values:

    Table 3: System Parameters

    | Parameter | Description |
    |---|---|
    | Log Source Identifier | The IP address or host name is used as an identifier for events from your Peakflow SP installation. The log source identifier must be a unique value. |
    | Credibility | The credibility of the log source. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. |
    | Target Event Collector | The Event Collector to use as the target for the log source. |
    | Coalescing Events | Enables the log source to coalesce (bundle) events. By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source. |
    | Incoming Event Payload | The incoming payload encoder for parsing and storing the logs. |
    | Store Event Payload | Enables the log source to store event payload information. By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source. |

  11. Click Save.
  12. On the Admin tab, click Deploy Changes.