Juniper Networks Junos OS
The Juniper Junos OS Platform DSM for JSA accepts events that use syslog, structured-data syslog, or PCAP (SRX Series only). JSA records all valid syslog or structured-data syslog events.
The Juniper Junos OS Platform DSM supports the following Juniper devices that are running Junos OS:
Juniper M Series Multiservice Edge Routing
Juniper MX Series Ethernet Services Router
Juniper T Series Core Platform
Juniper SRX Series Services Gateway
For information on configuring PCAP data that uses a Juniper Networks SRX Series appliance, see Configure the PCAP Protocol.
For more information about structured-data syslog, see RFC 5424 at the Internet Engineering Task Force: http://www.ietf.org/
Before you configure JSA to integrate with a Juniper device, you must forward data to JSA using syslog or structured-data syslog.
- Log in to your Juniper platform command-line interface (CLI).
- Include the following syslog statements at the set system hierarchy level:
    [set system] syslog {
        host (hostname) {
            facility <severity>;
            explicit-priority;
            any any;
            authorization any;
            firewall any;
        }
        source-address source-address;
        structured-data {
            brief;
        }
    }
The following table lists and describes the configuration setting variables to be entered in the syslog statement.
| Parameter | Description |
| --- | --- |
| host | Type the IP address or the fully qualified host name of your JSA. |
| Facility | Define the severity of the messages that belong to the named facility with which it is paired. Valid severity levels are: Any, None, Emergency, Alert, Critical, Error, Warning, Notice, Info. Messages with the specified severity level and higher are logged. The levels from emergency through info are in order from highest severity to lowest. |
| Source-address | Type a valid IP address configured on one of the router interfaces for system logging purposes. The source-address is recorded as the source of the syslog message sent to JSA. This IP address is specified in the host hostname statement at the [set system syslog] hierarchy level; however, this is not for messages directed to the other routing engine, or to the TX Matrix platform in a routing matrix. |
| structured-data | Inserts structured-data syslog into the data. |
You can now configure the log source in JSA.
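To check what the device forwards once the syslog statements are committed, the following added example (not part of the Juniper documentation) parses an RFC 5424 structured-data syslog line and decodes its priority value into facility and severity, so the configured severity threshold can be verified on a captured line. The sample line, its field values, and the function names are constructed for illustration.

```python
import re

# RFC 5424 severities by numeric code; 0 (emergency) is the most severe.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and message.
HEADER = re.compile(
    r"<(\d{1,3})>[1-9]\d{0,2} (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$", re.S)
# One SD-ELEMENT: [SD-ID name="value" ...]; values escape ", \ and ] with \.
ELEMENT = re.compile(r'\[([^\s\]="]+)((?: [^\s\]="]+="(?:\\.|[^"\\])*")*)\]')
PARAM = re.compile(r' ([^\s\]="]+)="((?:\\.|[^"\\])*)"')


def parse_rfc5424(line):
    """Parse one structured-data syslog line; raise ValueError if malformed."""
    m = HEADER.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not an RFC 5424 message")
    pri = int(m.group(1))
    timestamp, host, app, procid, msgid, rest = m.groups()[1:]
    sd, pos = {}, 0
    if rest.startswith("-"):          # NILVALUE: no structured data present
        pos = 1
    else:
        while rest.startswith("[", pos):
            elem = ELEMENT.match(rest, pos)
            if not elem:
                raise ValueError("malformed structured data")
            sd[elem.group(1)] = {
                name: re.sub(r'\\(["\\\]])', r"\1", value)
                for name, value in PARAM.findall(elem.group(2))}
            pos = elem.end()
        if not sd:
            raise ValueError("structured data missing")
    return {"facility": pri >> 3, "severity": SEVERITIES[pri & 7],
            "timestamp": timestamp, "host": host, "app": app,
            "msgid": msgid, "sd": sd, "msg": rest[pos:].lstrip(" ")}


def at_least(event, level):
    """True if the event is at `level` or more severe (lower numeric code)."""
    return SEVERITIES.index(event["severity"]) <= SEVERITIES.index(level)


# Constructed sample line, not captured from a device (RFC 5737 addresses).
SAMPLE = ('<14>1 2024-01-15T10:23:45.123Z srx-edge RT_FLOW - '
          'RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.26 '
          'source-address="192.0.2.10" destination-address="198.51.100.7" '
          'policy-name="allow \\"web\\""] session created')
```

A line that raises ValueError here, such as a BSD-style message with no version field, indicates that the device is not sending structured-data syslog.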
The following devices are auto discovered by JSA as Juniper Junos OS Platform devices:
Juniper M Series Multiservice Edge Routing
Juniper MX Series Ethernet Services Router
Juniper SRX Series
Juniper EX Series Ethernet Switch
Juniper T Series Core Platform
Note: Due to logging similarities for various devices in the Junos OS family, expected events might not be received by the correct log source type when your device is automatically discovered. Review the automatically created log source for your device and then adjust the configuration manually. You can add any missed log source type or remove any incorrectly added log source type.
Configuring JSA to Receive Events from a Juniper Junos OS Platform Device
You can manually configure JSA to receive events from a Juniper Junos OS Platform device.
- From the Log Source Type list, select one of the following options:
Juniper JunOS Platform
Juniper M-Series Multiservice Edge Routing
Juniper MX-Series Ethernet Services Router
Juniper SRX-series
Juniper T-Series Core Platform
For more information about your Juniper device, see your vendor documentation.
Configure the PCAP Protocol
The Juniper SRX Series appliance supports forwarding of packet capture (PCAP) and syslog data to JSA.
Syslog data is forwarded to JSA on port 514. The IP address and outgoing PCAP port number are configured on the Juniper Networks SRX Series appliance interface. The Juniper Networks SRX Series appliance must be configured in the following format to forward PCAP data:
<IP Address>:<Port>
Where,
<IP Address> is the IP address of JSA.
<Port> is the outgoing port address for the PCAP data.
For more information about Configuring Packet Capture, see your Juniper Networks Junos OS documentation.
You are now ready to configure the new Juniper Networks SRX Log Source with PCAP protocol in JSA.
Configuring a New Juniper Networks SRX Log Source with PCAP
The Juniper Networks SRX Series appliance is automatically discovered by JSA as a Juniper Junos OS Platform.
Depending on your operating system, expected events might not be received when the log source is automatically detected. You can manually configure the log source.
JSA detects the syslog data and adds the log source automatically. The PCAP data can be added to JSA as a Juniper SRX Series Services Gateway log source by using the PCAP Syslog Combination protocol. Adding the PCAP Syslog Combination protocol after JSA auto discovers the Junos OS syslog data adds a log source to your existing log source limit. Deleting the existing syslog entry, then adding the PCAP Syslog Combination protocol, adds both syslog and PCAP data as a single log source.
- Log in to JSA.
- Click the Admin tab.
- On the navigation menu, click Data Sources.
- Click the Log Sources icon.
- Click Add.
- From the Log Source Type list, select Juniper SRX-series Services Gateway.
- From the Protocol Configuration list, select PCAP Syslog Combination.
- Type the Log Source Identifier.
- Type the Incoming PCAP Port.
To configure the Incoming PCAP Port parameter in the log source, enter the outgoing port address for the PCAP data as configured on the Juniper Networks SRX Series appliance interface.
- Click Save.
- Select the auto discovered syslog-only Junos OS log source for your Juniper Networks SRX Series appliance.
- Click Delete.
A delete log source confirmation window is displayed.
- Click Yes.
The Junos OS syslog log source is deleted from the Log Source list. The PCAP Syslog Combination protocol is now visible in your log source list.
- On the Admin tab, click Deploy Changes.
Juniper Networks Network and Security Manager
The Juniper Networks Network and Security Manager (NSM) DSM for JSA accepts Juniper Networks NSM and Juniper Networks Secure Service Gateway (SSG) logs. All Juniper SSG logs must be forwarded through Juniper NSM to JSA. All other Juniper device logs can be forwarded directly to JSA.
For more information on advanced filtering of Juniper Networks NSM logs, see your Juniper Networks vendor documentation.
To integrate a Juniper Networks NSM device with JSA, you must complete the following tasks:
Configuring Juniper Networks NSM to Export Logs to Syslog
Juniper Networks NSM uses the syslog server to export qualified log entries to syslog.
Configuring the syslog settings for the management system defines only the syslog settings for the management system. It does not export logs from the individual devices. You can enable the management system to export logs to syslog.
- Log in to the Juniper Networks NSM user interface.
- From the Action Manager menu, select Action Parameters.
- Type the IP address for the syslog server to which you want to send qualified logs.
- Type the syslog server facility for the syslog server to which you want to send qualified logs.
- From the Device Log Action Criteria node, select the Actions tab.
- Select Syslog Enable for Category, Severity, and Action.
You are now ready to configure the log source in JSA.
Configuring a Log Source for Juniper Networks NSM
You can configure a log source in JSA for Juniper Networks NSM.
- Log in to JSA.
- Click the Admin tab.
- On the navigation menu, click Data Sources.
- Click the Log Sources icon.
- Click Add.
- From the Log Source Type list, select Juniper Networks Network and Security Manager.
- From the Protocol Configuration list, select Juniper NSM.
- Configure the following values for the Juniper NSM protocol:
Table 1: Juniper NSM Protocol Parameters
| Parameter | Description |
| --- | --- |
| Log Source Identifier | Type the IP address or host name for the log source. The Log Source Identifier must be unique for the log source type. |
| IP | Type the IP address or host name of the Juniper Networks NSM server. |
| Inbound Port | Type the Inbound Port to which the Juniper Networks NSM sends communications. The valid range is 0 - 65536. The default is 514. |
| Redirection Listen Port | Type the port to which traffic is forwarded. The valid range is 0 - 65,536. The default is 516. |
| Use NSM Address for Log Source | Select this check box to use the Juniper NSM management server IP address instead of the log source IP address. By default, the check box is selected. |
Note: In the JSA interface, the Juniper NSM protocol configuration provides the option to use the Juniper Networks NSM IP address by selecting the Use NSM Address for Log Source check box. If you wish to change the configuration to use the originating IP address (clear the check box), you must log in to your JSA console, as a root user, and restart the Console (for an all-in-one system) or the Event Collector hosting the log sources (in a distributed environment) by using the shutdown -r now command.