Juniper Networks Security Binary Log Collector
The Juniper Security Binary Log Collector DSM for JSA can accept audit, system, firewall, and intrusion prevention system (IPS) events in binary format from Juniper SRX or Juniper Networks J Series appliances.
The Juniper Networks binary log file format is intended to increase performance when large amounts of data are sent to an event log. To integrate your device with JSA, you must configure your Juniper appliance to stream binary formatted events, then configure a log source in JSA.
Configuring the Juniper Networks Binary Log Format
The binary log format from Juniper SRX or J Series appliances is streamed to JSA over UDP. You must specify a unique port for streaming binary formatted events, because the standard JSA syslog port does not parse binary formatted events.
The default port that is assigned to JSA for receiving streaming binary events from Juniper appliances is port 40798.
The Juniper Binary Log Collector DSM supports only events that are forwarded in Streaming mode (security log mode stream). Event mode is not supported.
- Log in to your Juniper SRX or J Series appliance by using the command-line interface (CLI).
- Type the following command to edit your device configuration:
- Type the following command to configure the IP address and port number for streaming binary formatted events:
set security log stream <Name> host <IP address> port <Port>
Where:
<Name> is the name that is assigned to the stream.
<IP address> is the IP address of your JSA console or Event Collector.
<Port> is a unique port number that is assigned for streaming binary formatted events to JSA. By default, JSA listens for binary streaming data on port 40798. For a list of ports that are used by JSA, see the JSA Common Ports List technical note.
- Type the following command to set the security log format to binary:
set security log stream <Name> format binary
Where <Name> is the name that you specified for your binary format stream in Step 3.
- Type the following command to enable security log streaming:
set security log mode stream
- Type the following command to set the source IP address for the event stream:
set security log source-address <IP address>
Where <IP address> is the IP address of your Juniper SRX Series or Juniper J Series appliance. JSA sees the stream as coming from this address, so use the same address as the Log Source Identifier when you configure the log source.
- Type the following command to save the configuration changes:
- Type the following command to exit the configuration mode:
The configuration of your Juniper SRX or J Series appliance is complete. You can now configure a log source in JSA.
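The complete CLI session for the procedure above, as an added example that is not part of the original page or of Juniper's documentation. The stream name jsa-binary, the JSA Event Collector address 192.0.2.10 and the SRX source address 198.51.100.1 are assumed values; port 40798 is the JSA default named above. The page omits the commands for entering configuration mode, saving, and leaving configuration mode; this example uses the standard Junos commands configure, commit, and exit for those steps. Lines that begin with # are annotations, not commands.

```junos
# Assumed values: stream name jsa-binary, JSA Event Collector 192.0.2.10,
# SRX source address 198.51.100.1. Port 40798 is the JSA default.
configure
# Step 3: where to send the stream (must match the JSA Binary Collector Port)
set security log stream jsa-binary host 192.0.2.10 port 40798
# Step 4: binary encoding for this stream
set security log stream jsa-binary format binary
# Step 5: the DSM supports only stream mode, not event mode
set security log mode stream
# Step 6: source address JSA will see; use it as the Log Source Identifier
set security log source-address 198.51.100.1
# Steps 7 and 8: save and leave configuration mode
commit
exit
# Back in operational mode, confirm the committed settings
show configuration security log
```

After the commit, show configuration security log should list mode stream, the source-address, and the jsa-binary stream with its host, port, and format binary. Because the transport is UDP, a wrong port or a firewall between the SRX and the Event Collector fails silently; before creating the log source, confirm on the JSA host that datagrams from 198.51.100.1 arrive on UDP port 40798 (for example with tcpdump -n -i any udp port 40798).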
Configuring a Log Source
JSA does not automatically discover incoming Juniper Security Binary Log Collector events from Juniper SRX or Juniper J Series appliances. You must manually create a log source by using the Admin tab in JSA.
- Log in to JSA.
- Click the Admin tab.
- On the navigation menu, click Data Sources.
- Click the Log Sources icon.
- Click Add.
- In the Log Source Name field, type a name for your log source.
- In the Log Source Description field, type a description for the log source.
- From the Log Source Type list, select Juniper Security Binary Log Collector.
- From the Protocol Configuration list, select Juniper Security Binary Log Collector.
- Configure the following values:
Table 1: Juniper Security Binary Log Collector Protocol Parameters
Log Source Identifier
Type an IP address or host name to identify the log source. The identifier address is the Juniper SRX or J Series appliance that generates the binary event stream.
Binary Collector Port
Specify the UDP port number on which JSA receives binary data from the Juniper Networks SRX or J Series appliance. This is the same port that you configured in Configuring the Juniper Networks Binary Log Format.
If you change the outgoing port number for the binary event stream on your Juniper Networks SRX or J Series appliance, you must also edit your Juniper log source and update the Binary Collector Port parameter in JSA. To edit the port:
In the Binary Collector Port field, type the new port number for receiving binary event data.
From the Admin tab, click Advanced > Deploy Full Configuration.
Event collection for the log source is stopped until the full deployment completes; collection then resumes on the new port number.
When you click Deploy Full Configuration, JSA restarts all services, resulting in a gap in data collection for events and flows until the deployment completes.
XML Template File Location
Type the path to the XML file used to decode the binary stream from your Juniper SRX or Juniper J Series appliance.
By default, JSA includes an XML template file for decoding the binary stream in the following directory:
- Click Save.
- On the Admin tab, click Deploy Changes.
The configuration is complete. You can verify events that are forwarded to JSA by viewing events in the Log Activity tab.