Protocol Configuration Options

Protocols in JSA provide the capability of collecting a set of data files by using various connection options. These connections pull the data back or passively receive data into the event pipeline in JSA. Then, the corresponding Device Support Module (DSM) parses and normalizes the data.

The following standard connection options pull data into the event pipeline:

JDBC
FTP
SFTP
SCP

The following standard connection options receive data into the event pipeline:

Syslog
HTTP Receiver
SNMP

JSA also supports proprietary vendor-specific protocol API calls, such as Amazon Web Services.

Blue Coat Web Security Service REST API Protocol Configuration Options

To receive events from Blue Coat Web Security Service, configure a log source to use the Blue Coat Web Security Service REST API protocol.

The following table describes the protocol-specific parameters for the Blue Coat Web Security Service REST API protocol:

Table 1: Blue Coat Web Security Service REST API Protocol Parameters

Parameter	Description
API Username	The API user name that is used for authenticating with the Blue Coat Web Security Service. The API user name is configured through the Blue Coat Threat Pulse Portal.
Password	The password that is used for authenticating with the Blue Coat Web Security Service.
Confirm Password	Confirmation of the Password field.
Use Proxy	When you configure a proxy, all traffic for the log source travels through the proxy for JSA to access the Blue Coat Web Security Service. Configure the Proxy IP or Hostname, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, you can leave the Proxy Username and Proxy Password fields blank.
Automatically Acquire Server Certificate(s)	If you select Yes from the list, JSA downloads the certificate and begins trusting the target server.
Recurrence	You can specify when the log collects data. The format is M/H/D for Months/Hours/Days. The default is 5 M.
EPS Throttle	The upper limit for the maximum number of events per second (EPS). The default is 5000.

Cisco Firepower EStreamer Protocol Configuration Options

To receive events from a Cisco Firepower eStreamer (Event Streamer) service, configure a log source to use the Cisco Firepower eStreamer protocol.

Cisco Firepower eStreamer protocol is formerly known as Sourcefire Defense Center eStreamer protocol.

Event files are streamed to JSA to be processed after the Cisco Firepower Management Center DSM is configured.

The following table describes the protocol-specific parameters for the Cisco Firepower eStreamer protocol:

Table 2: Cisco Firepower EStreamer Protocol Parameters

Parameter	Description
Protocol Configuration	Cisco Firepower eStreamer
Server Port	The port number that the Cisco Firepower eStreamer services is configured to accept connection requests on. The default port that JSA uses for Cisco Firepower eStreamer is 8302.
Keystore Filename	The directory path and file name for the keystore private key and associated certificate. By default, the import script creates the keystore file in the following directory: `/opt/qradar/conf/estreamer.keystore`.
Truststore Filename	The directory path and file name for the truststore files. The truststore file contains the certificates that are trusted by the client. By default, the import script creates the truststore file in the following directory: `/opt/qradar/conf/estreamer.truststore`.
Request Extra Data	Select this option to request extra data from Cisco Firepower eStreamer, for example, extra data includes the original IP address of an event.
Domain	Note: Domain Streaming Requests are supported only for eStreamer version 6.x. Leave the Domain field blank for eStreamer version5.x. The domain where the events are streamed from. The value in the Domain field must be a fully qualified domain. This means that all ancestors of the desired domain must be listed starting with the top-level domain and ending with the leaf domain that you want to request events from. Example: Global is the top level domain, B is a second level domain that is a subdomain of Global, and C is a third-level domain and a leaf domain that is a subdomain of B. To request events from C, type the following value for the Domain parameter: Global \ B \ C

Cisco NSEL Protocol Configuration Options

To monitor NetFlow packet flows from a Cisco Adaptive Security Appliance (ASA), configure the Cisco Network Security Event Logging (NSEL) protocol source.

To integrate Cisco NSEL with JSA, you must manually create a log source to receive NetFlow events. JSA does not automatically discover or create log sources for syslog events from Cisco NSEL.

The following table describes the protocol-specific parameters for the Cisco NSEL protocol:

Table 3: Cisco NSEL Protocol Parameters

Parameter	Description
Protocol Configuration	Cisco NSEL
Log Source Identifier	If the network contains devices that are attached to a management console, you can specify the IP address of the individual device that created the event. A unique identifier for each, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.
Collector Port	The UDP port number that Cisco ASA uses to forward NSEL events. JSA uses port 2055 for flow data on JSA Flow Processors. You must assign a different UDP port on the Cisco Adaptive Security Appliance for NetFlow.

EMC VMware Protocol Configuration Options

To receive event data from the VMWare web service for virtual environments, configure a log source to use the EMC VMWare protocol.

JSA supports the following event types for the EMC VMware protocol:

The following table describes the protocol-specific parameters for the EMC VMware protocol:

Table 4: EMC VMware Protocol Parameters

Parameter	Description
Protocol Configuration	EMC VMware
Log Source Identifier	The value for this parameter must match the VMware IP parameter.
VMware IP	The IP address of the VMWare ESXi server, for example, `1.1.1.1`. The VMware protocol appends the IP address of your VMware ESXi server with HTTPS before the protocol requests event data.

Forwarded Protocol Configuration Options

To receive events from another Console in your deployment, configure a log source to use the Forwarded protocol.

The Forwarded protocol is typically used to forward events to another JSA Console. For example, Console A has Console B configured as an off-site target. Data from automatically discovered log sources is forwarded to Console B. Manually created log sources on Console A must also be added as a log source to Console B with the forwarded protocol.

HTTP Receiver Protocol Configuration Options

To collect events from devices that forward HTTP or HTTPS requests, configure a log source to use the HTTP Receiver protocol.

The HTTP Receiver acts as an HTTP server on the configured listening port and converts the request body of any received POST requests into events. It supports both HTTPS and HTTP requests.

The following table describes the protocol-specific parameters for the HTTP Receiver protocol:

Table 5: HTTP Receiver Protocol Parameters

Parameter	Description
Protocol Configuration	From the list, select HTTP Receiver.
Log Source Identifier	The IP address, host name, or any name to identify the device. Must be unique for the log source type.
Communication Type	Select HTTP, or HTTPs, or HTTPs and Client Authentication.
Client Certificate Path	If you select HTTPs and Client Authentication as the communication type, you must set the absolute path to the client certificate. You must copy the client certificate to the JSA console or the Event Collector for the log source.
Listen Port	The port that is used by JSA to accept incoming HTTP Receiver events. The default port is 12469.
Message Pattern	Denotes the start of each event.
EPS Throttle	The maximum number of events per second (EPS) that you do not want this protocol to exceed. The default is 5000.

JDBC Protocol Configuration Options

JSA uses the JDBC protocol to collect information from tables or views that contain event data from several database types.

JSA does not include a MySQL driver for JDBC. If you are using a DSM or protocol that requires a MySQL JDBC driver, you must download and install the platform independent MySQL Connector/J from http://dev.mysql.com/downloads/connector/j/.

Copy the Java archive (JAR) file to /opt/qradar/jars.
If you are using JSA V7.3.1, you must also copy the JAR file to/opt/ibm/si/services/ecs-ecingress/ eventgnosis/lib/q1labs/.

The following table describes the protocol-specific parameters for the JDBC protocol:

Table 6: JDBC Protocol Parameters

Parameter	Description
Log Source Name	Type a unique name for the log source.
Log Source Description	Type a description for the log source.
Log Source Type	Select your Device Support Module (DSM) that uses the JDBC protocol from the Log Source Type list.
Protocol Configuration	JDBC
Log Source Identifier	The Log Source Identifier value must follow the `<database name>0<ip or hostname>` format. The `<database name>` must match the Database Name parameter value and `<ip or hostname>` must match the IP or Hostname parameter value. Note: If you have more than one JDBC log source of the same log source type that connects to the same database on the same host, the Log Source Identifier value must follow the `<table name>/<database name>0<ip or hostname>` format. The `<table name>` must match the Table Name parameter value
Database Type	Select the type of database that contains the events.
Database Name	The database name must match the database name that is specified in the Log Source Identifier field.
IP or Hostname	The IP address or host name of the database server.
Port	Enter the JDBC port. The JDBC port must match the listen port that is configured on the remote database. The database must permit incoming TCP connections. The database must permit incoming TCP connections. The valid range is 1 - 65535. The defaults are: MSDE - 1433 Postgres - 5432 MySQL - 3306 Sybase - 1521 Oracle - 1521 Informix® - 9088 DB2® - 50000 If a Database Instance is used with the MSDE database type, administrators must leave the Port parameter blank in the log source configuration.
Username	A user account for JSA in the database.
Password	The password that is required to connect to the database.
Confirm Password	The password that is required to connect to the database.
Authentication Domain (MSDE only)	The domain for MSDE databases that are a Windows domain. If your network does not use a domain, leave this field blank.
Database Instance (MSDE or Informix only)	The database instance, if required. MSDE databases can include multiple SQL server instances on one server. When a non-standard port is used for the database or access is blocked to port 1434 for SQL database resolution, the Database Instance parameter must be blank in the log source configuration.
Predefined Query	Select a predefined database query for the log source. If a predefined query is not available for the log source type, administrators can select none.
Table Name	The name of the table or view that includes the event records. The table name can include the following special characters: dollar sign ($), number sign (#), underscore (_), en dash (-), and period (.).
Select List	The list of fields to include when the table is polled for events. You can use a comma-separated list or type an asterik () to select all fields from the table or view. If a comma-separated list is defined, the list must contain the field that is defined in the Compare Field*.
Compare Field	A numeric value or time stamp field from the table or view that identifies new events that are added to the table between queries. Enables the protocol to identify events that were previously polled by the protocol to ensure that duplicate events are not created.
Use Prepared Statements	Prepared statements enable the JDBC protocol source to set up the SQL statement, and then run the SQL statement numerous times with different parameters. For security and performance reasons, most JDBC protocol configurations can use prepared statements.
Start Date and Time	Type the start date and time for database polling in the following format: yyyy-MM-dd HH:mm with HH specified using a 24 hour clock. If the start date or time is clear, polling begins immediately and repeats at the specified polling interval.
Polling Interval	The amount of time between queries to the event table. The default polling interval is 10 seconds. To define a longer polling interval, append H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values that are entered without an H or M poll in seconds.
EPS Throttle	The number of Events Per Second (EPS) that you do not want this protocol to exceed. The valid range is 100 - 20,000.
Security Mechanism (DB2 only)	From the list, select the security mechanism that is supported by your DB2 server. If you don't want to select a security mechanism, select None. The default is None. For more information about security mechanisms that are supported by DB2 environments, see the https://www.juniper.net/support/downloads/.
Use Named Pipe Communication (MSDE only)	MSDE databases require the user name and password field to use a Windows authentication user name and password and not the database user name and password. The log source configuration must use the default named pipe on the MSDE database.
Database Cluster Name (MSDE only)	This field appears if the Use Named Pipe Communication box is selected. If you are running your SQL server in a cluster environment, define the cluster name to ensure named pipe communication functions properly.
Use NTLMv2 (MSDE only)	Select this option if you want MSDE connections to use the NTLMv2 protocol when they are communicating with SQL servers that require NTLMv2 authentication. This option does not interrupt communications for MSDE connections that do not require NTLMv2 authentication. Does not interrupt communications for MSDE connections that do not require NTLMv2 authentication.
Use SSL (MSDE only)	Select this option if your connection supports SSL. This option appears only for MSDE.
Use Oracle Encryption	Oracle Encryption and Data Integrity settings is also known as Oracle Advanced Security. If selected, Oracle JDBC connections require the server to support similar Oracle Data Encryption settings as the client.
Database Locale (Informix only)	For multilingual installations, use this field to specify the language to use.
Code-Set (Informix only)	For multilingual installations, use this field to specify the character set to use.
Enabled	Select this check box to enable the log source. By default, the check box is selected.
Credibility	From the list, select the Credibility of the log source. The range is 0 - 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.
Target Event Collector	Select the Target Event Collector to use as the target for the log source.
Coalescing Events	Select the Coalescing Events check box to enable the log source to coalesce (bundle) events. By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.
Store Event Payload	Select the Store Event Payload check box to enable the log source to store event payload information. By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

JDBC SiteProtector Configuration Options

You can configure log sources to use the Java Database Connectivity (JDBC) SiteProtector protocol to remotely poll IBM Proventia® Management SiteProtector® databases for events.

The JDBC - SiteProtector protocol combines information from the SensorData1 and SensorDataAVP1 tables in the creation of the log source payload. The SensorData1 and SensorDataAVP1 tables are in the IBM Proventia® Management SiteProtector® database. The maximum number of rows that the JDBC - SiteProtector protocol can poll in a single query is 30,000 rows.

The following table describes the protocol-specific parameters for the JDBC - SiteProtector protocol:

Table 7: JDBC - SiteProtector Protocol Parameters

Parameter	Description
Protocol Configuration	JDBC - SiteProtector
Database Type	From the list, select MSDE as the type of database to use for the event source.
Database Name	Type `RealSecureDB` the name of the database to which the protocol can connect.
IP or Hostname	The IP address or host name of the database server.
Port	The port number that is used by the database server. The JDBC SiteProtector configuration port must match the listener port of the database. The database must have incoming TCP connections enabled. If you define a Database Instance when with MSDE as the database type, you must leave the Port parameter blank in your log source configuration.
Username	If you want to track access to a database by the JDBC protocol, you can create a specific user for your JSA system.
Authentication Domain	If you select MSDE and the database is configured for Windows, you must define a Windows domain. If your network does not use a domain, leave this field blank.
Database Instance	If you select MSDE and you have multiple SQL server instances on one server, define the instance to which you want to connect. If you use a non-standard port in your database configuration, or access is blocked to port 1434 for SQL database resolution, you must leave the Database Instance parameter blank in your configuration.
Predefined Query	The predefined database query for your log source. Predefined database queries are only available for special log source connections.
Table Name	`SensorData1`
AVP View Name	`SensorDataAVP`
Response View Name	`SensorDataResponse`
Select List	Type `*` to include all fields from the table or view.
Compare Field	`SensorDataRowID`
Use Prepared Statements	Prepared statements allow the JDBC protocol source to set up the SQL statement, and then execute the SQL statement numerous times with different parameters. For security and performance reasons, use prepared statements. You can clear this check box to use an alternative method of querying that does not use pre-compiled statements.
Include Audit Events	Specifies to collect audit events from IBM SiteProtector®.
Start Date and Time	Optional. A start date and time for when the protocol can start to poll the database.
Polling Interval	The amount of time between queries to the event table. You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. Numeric values without an H or M designator poll in seconds.
EPS Throttle	The number of Events Per Second (EPS) that you do not want this protocol to exceed.
Database Locale	For multilingual installations, use the Database Locale field to specify the language to use.
Database Codeset	For multilingual installations, use the Codeset field to specify the character set to use.
Use Named Pipe Communication	If you are using Windows authentication, enable this parameter to allow authentication to the AD server. If you are using SQL authentication, disable Named Pipe Communication.
Database Cluster Name	The cluster name to ensure that named pipe communications function properly.
Use NTLMv2	Forces MSDE connections to use the NTLMv2 protocol with SQL servers that require NTLMv2 authentication. The Use NTLMv2 check box does not interrupt communications for MSDE connections that do not require NTLMv2 authentication.
Use SSL	Enables SSL encryption for the JDBC protocol.
Log Source Language	Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Juniper Networks NSM Protocol Configuration Options

To receive Juniper Networks NSM and Juniper Networks Secure Service Gateway (SSG) logs events, configure a log source to use the Juniper Networks NSM protocol.

The following table describes the protocol-specific parameters for the Juniper Networks Network and Security Manager protocol:

Table 8: Juniper Networks NSM Protocol Parameters

Parameter	Description
Log Source Type	Juniper Networks Network and Security Manager
Protocol Configuration	Juniper NSM

Juniper Security Binary Log Collector Protocol Configuration Options

You can configure a log source to use the Security Binary Log Collector protocol. With this protocol, Juniper appliances can send audit, system, firewall, and intrusion prevention system (IPS) events in binary format to JSA.

The binary log format from Juniper SRX or J Series appliances are streamed by using the UDP protocol. You must specify a unique port for streaming binary formatted events. The standard syslog port 514 cannot be used for binary formatted events. The default port that is assigned to receive streaming binary events from Juniper appliances is port 40798.

The following table describes the protocol-specific parameters for the Juniper Security Binary Log Collector protocol:

Table 9: Juniper Security Binary Log Collector Protocol Parameters

Parameter	Description
Protocol Configuration	Security Binary Log Collector
XML Template File Location	The path to the XML file used to decode the binary stream from your Juniper SRX or Juniper J Series appliance. By default, the device support module (DSM) includes an XML file for decoding the binary stream. The XML file is in the following directory: `/opt/qradar/conf/security_log.xml`.

Parameter

Description

Protocol Configuration

Security Binary Log Collector

XML Template File Location

The path to the XML file used to decode the binary stream from your Juniper SRX or Juniper J Series appliance. By default, the device support module (DSM) includes an XML file for decoding the binary stream.

The XML file is in the following directory: /opt/qradar/conf/security_log.xml.

Log File Protocol Configuration Options

To receive events from remote hosts, configure a log source to use the Log File protocol.

The Log File protocol is intended for systems that write daily event logs. It is not appropriate to use the Log File protocol for devices that append information to their event files.

Log files are retrieved one at a time by using SFTP, FTP, SCP, or FTPS. The Log File protocol can manage plain text, compressed files, or file archives. Archives must contain plain-text files that can be processed one line at a time. When the Log File protocol downloads an event file, the information that is received in the file updates the Log Activity tab. If more information is written to the file after the download is complete, the appended information is not processed.

The following table describes the protocol-specific parameters for the Log File protocol:

Table 10: Log File Protocol Parameters

Parameter	Description
Protocol Configuration	Log File
Remote Port	If the remote host uses a non-standard port number, you must adjust the port value to retrieve events.
SSH Key File	The path to the SSH key, if the system is configured to use key authentication. When an SSH key file is used, the Remote Password field is ignored.
Remote Directory	For FTP, if the log files are in the remote user’s home directory, you can leave the remote directory blank. A blank remote directory field supports systems where a change in the working directory (CWD) command is restricted.
Recursive	Enable this check box to allow FTP or SFTP connections to recursively search sub folders of the remote directory for event data. Data that is collected from sub folders depends on matches to the regular expression in the FTP File Pattern. The Recursive option is not available for SCP connections.
FTP File Pattern	The regular expression (regex) required to identify the files to download from the remote host.
FTP Transfer Mode	For ASCII transfers over FTP, you must select `NONE` in the Processor field and `LINEBYLINE` in the Event Generator field.
Recurrence	The time interval to determine how frequently the remote directory is scanned for new event log files. The time interval can include values in hours (H), minutes (M), or days (D). For example, a recurrence of 2H scans the remote directory every 2 hours.
Run On Save	Starts the log file import immediately after you save the log source configuration. When selected, this check box clears the list of previously downloaded and processed files. After the first file import, the Log File protocol follows the start time and recurrence schedule that is defined by the administrator.
EPS Throttle	The number of Events Per Second (EPS) that the protocol cannot exceed.
Change Local Directory?	Changes the local directory on the Target Event Collector to store event logs before they are processed.
Local Directory	The local directory on the Target Event Collector. The directory must exist before the Log File protocol attempts to retrieve events.
File Encoding	The character encoding that is used by the events in your log file.
Folder Separator	The character that is used to separate folders for your operating system. Most configurations can use the default value in Folder Separator field. This field is intended for operating systems that use a different character to define separate folders. For example, periods that separate folders on mainframe systems.

Microsoft Azure Event Hubs Protocol Configuration Options

The Microsoft Azure Event Hubs protocol for JSA collects events from Microsoft Azure Event Hubs.

The following parameters require specific values to collect events from Microsoft Azure Event Hubs appliances:

Table 11: Microsoft Azure Event Hubs Log Source Parameters

Parameter	Value
Log Source type	Microsoft Azure
Protocol Configuration	Microsoft Azure Event Hubs
Log Source Identifier	The Log Source Identifier can be any valid value, including the same value as the Log Source Name parameter, and doesn't need to reference a specific server. If you configured multiple Microsoft Azure Event Hub log sources, you might want to identify the first log source as EventHub-1, the second log source as EventHub-2, and the third log source as EventHub-3.
Use as a Gateway Log Source	Enable this check box to send all events through the JSA Traffic Analysis Engine and automatically detect one or more appropriate log sources.
Use Event Hub Connection String	Enable this check box to use an Event Hub Connection String. Clear this check box to manually enter the values for the Event Hub Namespace Name, Event Hub Name, SAS Key Name, and SAS Key parameters.
Event Hub Connection String	The Event Hub Connection String contains the Namespace Name, the path to the Event Hub within the namespace, and the Shared Access Signature (SAS) Authentication information.
Namespace Name	The Namespace Name value is the name of the top-level directory that contains the Event Hub entities in the Microsoft Azure Event Hubs user interface.
Event Hub Name	The Event Hub Name is the identifier for the Event Hub that you want to access. The Event Hub Name should match one of the Event Hub entities within the namespace.
SAS Key Name	The Shared Access Signature (SAS) Name identifies the event publisher.
SAS Key	The Shared Access Signature (SAS) Key authenticates the event publisher.
Consumer Group	A Consumer Group specifies the view that is used during the connection. Each Consumer Group maintains its own session tracking. Any connection that shares consumer groups and connection information shares session tracking information.
Use Storage Account Connection String	Enable this check box to use a Storage Account Connection String. Clear this check box to manually enter the Storage Account Name and Storage Account Key.
Storage Account Connection String	A Storage Account Connection String includes authentication for the Storage Account Name and Storage Account Key that is used to access the data in the Azure Storage Account.
Storage Account Name	The Storage Account Name is part of the authentication process that is required to access data in the Azure Storage Account.
Storage Account Key	The Storage Account Key is part of the authentication process that is required to access data in the Azure Storage Account.
Automatically Acquire Server Certificate(s)	Select Yes for JSA to automatically download the server certificate and begin trusting the target server.
EPS Throttle	The maximum number of events per second (EPS). The default is 5000.

Microsoft DHCP Protocol Configuration Options

To receive events from Microsoft DHCP servers, configure a log source to use the Microsoft DHCP protocol.

To read the log files, folder paths that contain an administrative share (C$), require NetBIOS privileges on the administrative share (C$). Local or domain administrators have sufficient privileges to access log files on administrative shares.

Fields for the Microsoft DHCP protocol that support file paths allow administrators to define a drive letter with the path information. For example, the field can contain the c$/LogFiles/ directory for an administrative share, or the LogFiles/ directory for a public share folder path, but cannot contain the c:/LogFiles directory.

Note

The Microsoft authentication protocol NTLMv2 is not supported by the Microsoft DHCP protocol.

The following table describes the protocol-specific parameters for the Microsoft DHCP protocol:

Table 12: Microsoft DHCP Protocol Parameters

Parameter	Description
Protocol Configuration	Microsoft DHCP
Log Source Identifier	Type a unique hostname or other identifier unique to the log source.
Server Address	The IP address or host name of your Microsoft DHCP server.
Domain	Type the domain for your Microsoft DHCP server. This parameter is optional if your server is not in a domain.
Username	Type the user name that is required to access the DHCP server.
Password	Type the password that is required to access the DHCP server.
Confirm Password	Confirm the password that is required to access the server.
Folder Path	The directory path to the DHCP log files. The default is `c$/WINDOWS/system32/dhcp/`
File Pattern	The regular expression (regex) that identifies event logs. The log files must contain a three-character abbreviation for a day of the week. Use one of the following file patterns: English: IPv4 file pattern: `DhcpSrvLog-(?:Sun\|Mon\|Tue\|Wed\|Thu\|Fri\|Sat) \.log`. IPv6 file pattern: `DhcpV6SrvLog-(?:Sun\|Mon\|Tue\|Wed\|Thu\|Fri\|Sat) \.log`. Mixed IPv4 and IPv6 file pattern: Dhcp.*SrvLog- (?:Sun\|Mon\|Tue\|Wed\|Thu\|Fri\|Sat)\.log. Polish: IPv4 file pattern: `DhcpSrvLog-(?:Pia\|Pon\|Sob\|Wto\|Sro\|Csw\|Nie) \.log`. IPv6 file pattern: `DhcpV6SrvLog-(?:Pt\|Pon\|So\|Wt\|Si\|Csw\|Nie) \.log`.
Recursive	Select this option if you want the file pattern to search the sub folders.
SMB Version	The version of SMB to use: AUTO - Auto-detects to the highest version that the client and server agree to use. SMB1 - Forces the use of SMB1. SMB2 - Forces the use of SMB2.
Polling Interval (in seconds)	The number of seconds between queries to the log files to check for new data. The minimum polling interval is 10 seconds. The maximum polling interval is 3,600 seconds.
Throttle events/sec	The maximum number of events the DHCP protocol can forward per second. The minimum value is 100 EPS. The maximum value is 20,000 EPS.
File Encoding	The character encoding that is used by the events in your log file.
Enabled	When this option is not enabled, the log source does not collect events and the log source is not counted in the license limit.
Credibility	Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Target Event Collector	Specifies the JSA Event Collector that polls the remote log source. Use this parameter in a distributed deployment to improve Console system performance by moving the polling task to an Event Collector.
Coalescing Events	Increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, events are viewed individually and events are not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. You can use this check box to override the default behavior of the system settings for an individual log source.

Microsoft Exchange Protocol Configuration Options

To receive events from SMTP, OWA, and message tracking events from Microsoft Exchange 2007, 2010, 2013 and 2017 servers, configure a log source to use the Microsoft Windows Exchange protocol to support.

Fields for the Microsoft Exchange protocol that support file paths allow administrators to define a drive letter with the path information. For example, the field can contain the c$/LogFiles/ directory for an administrative share, or the LogFiles/ directory for a public share folder path, but cannot contain the c:/LogFiles directory.

Note

The Microsoft Exchange protocol does not support Microsoft Exchange 2003 or Microsoft authentication protocol NTLMv2 Session.

The following table describes the protocol-specific parameters for the Microsoft Exchange protocol:

Table 13: Microsoft Exchange Protocol Parameters

Parameter	Description
Protocol Configuration	Microsoft Exchange
Log Source Identifier	Type the IP address, host name, or name to identify your log source.
Server Address	The IP address or host name of your Microsoft Exchange server.
Domain	Type the domain for your Microsoft Exchange server. This parameter is optional if your server is not in a domain.
Username	Type the user name that is required to access your server.
Password	Type the password that is required to access your server.
Confirm Password	Confirm the password that is required to access the server.
SMTP Log Folder Path	When the folder path is clear, SMTP event collection is disabled.
OWA Log Folder Path	When the folder path is clear, OWA event collection is disabled.
MSGTRK Log Folder Path	Message tracking is available on Microsoft Exchange 2007 or 2010 servers assigned the Hub Transport, Mailbox, or Edge Transport server role.
Use Custom File Patterns	Select this check box to configure custom file patterns. Leave the check box clear to use the default file patterns.
MSGTRK File Pattern	The regular expression (regex) that is used to identify and download the MSTRK logs. All files that match the file pattern are processed. The default file pattern is `MSGTRK\d+-\d+\.(?:log\|LOG)$`
MSGTRKMD File Pattern	The regular expression (regex) that is used to identify and download the MSGTRKMD logs. All files that match the file pattern are processed. The default file pattern is `MSGTRKMD\d+-\d+\.(?:log\|LOG)$`
MSGTRKMS File Pattern	The regular expression (regex) that is used to identify and download the MSGTRKMS logs. All files that match the file pattern are processed. The default file pattern is `MSGTRKMS\d+-\d+\.(?:log\|LOG)$`
MSGTRKMA File Pattern	The regular expression (regex) that is used to identify and download the MSGTRKMA logs. All files that match the file pattern are processed. The default file pattern is `MSGTRKMA\d+-\d+\.(?:log\|`
SMTP File Pattern	The regular expression (regex) that is used to identify and download the SMTP logs. All files that match the file pattern are processed. The default file pattern is `.*\.(?:log\|LOG)$`
OWA File Pattern	The regular expression (regex) that is used to identify and download the OWA logs. All files that match the file pattern are processed. The default file pattern is `.*\.(?:log\|LOG)$`
Force File Read	If the check box is cleared, the log file is read only when JSA detects a change in the modified time or file size.
Recursive	If you want the file pattern to search sub folders, use this option. By default, the check box is selected.
SMB Version	The version of SMB to use: AUTO - Auto-detects to the highest version that the client and server agree to use. SMB1 - Forces the use of SMB1. SMB2 - Forces the use of SMB2.
Polling Interval (in seconds)	Type the polling interval, which is the number of seconds between queries to the log files to check for new data. The default is 10 seconds.
Throttle Events/Second	The maximum number of events the Exchange protocol can forward per second.
File Encoding	The character encoding that is used by the events in your log file.

Microsoft IIS Protocol Configuration Options

You can configure a log source to use the Microsoft IIS protocol. This protocol supports a single point of collection for W3C format log files that are located on a Microsoft IIS web server.

Fields for the Microsoft IIS protocol that support file paths allow administrators to define a drive letter with the path information. For example, the field can contain the c$/LogFiles/ directory for an administrative share, or the LogFiles/directory for a public share folder path, but cannot contain the c:/LogFiles directory.

Note

The Microsoft authentication protocol NTLMv2 is not supported by the Microsoft IIS protocol.

The following table describes the protocol-specific parameters for the Microsoft IIS protocol:

Table 14: Microsoft IIS Protocol Parameters

Parameter	Description
Protocol Configuration	Microsoft IIS
Log Source Identifier	Type the IP address, host name, or name to identify your log source.
Server Address	The IP address or host name of your Microsoft IIS server.
Domain	Type the domain for your Microsoft IIS server. This parameter is optional if your server is not in a domain.
Username	Type the user name that is required to access your server.
Password	Type the password that is required to access your server.
Confirm Password	Confirm the password that is required to access the server.
Log Folder Path	The directory path to access the log files. For example, administrators can use the `c$/LogFiles/` directory for an administrative share, or the LogFiles/ directory for a public share folder path. However, the c:/LogFiles directory is not a supported log folder path. If a log folder path contains an administrative share (C$), users with NetBIOS access on the administrative share (C$) have the privileges that are required to read the log files. Local system or domain administrator privileges are also sufficient to access a log files that are on an administrative share.
File Pattern	The regular expression (regex) that identifies the event logs.
Recursive	If you want the file pattern to search sub folders, use this option. By default, the check box is selected.
SMB Version	The version of SMB to use: AUTO - Auto-detects to the highest version that the client and server agree to use. SMB1 - Forces the use of SMB1. SMB2 - Forces the use of SMB2.
Polling Interval (In seconds)	Type the polling interval, which is the number of seconds between queries to the log files to check for new data. The default is 10 seconds.
Throttle Events/Second	The maximum number of events the IIS protocol can forward per second.
File Encoding	The character encoding that is used by the events in your log file.

Note

If you use Advanced IIS Logging, you need to create a new log definition. In the Log Definition window, ensure that the following fields are selected in the Selected Fields section:

Date-UTC
Time-UTC
URI-Stem
URI-Querystring
ContentPath
Status
Server Name
Referer
Win325Status
Bytes Sent

Microsoft Security Event Log Protocol Configuration Options

You can configure a log source to use the Microsoft Security Event Log protocol. You can use MicrosoftWindows Management Instrumentation (WMI) to collect customized event logs or agent less Windows Event Logs.

The WMI API requires that firewall configurations accept incoming external communications on port 135 and on any dynamic ports that are required for DCOM. The following list describes the log source limitations that you use the Microsoft Security Event Log Protocol:

Systems that exceed 50 events per second (eps) might exceed the capabilities of this protocol. Use WinCollect for systems that exceed 50 eps.
A JSA all-in-one installation can support up to 250 log sources with the Microsoft Security Event Log protocol.
Dedicated JSA Event Collectors can support up to 500 log sources by using the Microsoft Security Event Log protocol.

The Microsoft Security Event Log protocol is not suggested for remote servers that are accessed over network links, for example, systems that have high round-trip delay times, such as satellite or slow WAN networks. You can confirm round-trip delays by examining requests and response time that is between a server ping. Network delays that are created by slow connections decrease the EPS throughput available to those remote servers. Also, event collection from busy servers or domain controllers rely on low round-trip delay times to keep up with incoming events. If you cannot decrease your network round-trip delay time, you can use WinCollect to process Windows events.

The Microsoft Security Event Log supports the following software versions with the MicrosoftWindows Management Instrumentation (WMI) API:

Microsoft Windows 2000
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008R3
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7

The following table describes the protocol-specific parameters for the Microsoft Security Event Log protocol:

Table 15: Microsoft Security Event Log Protocol Parameters

Parameter	Description
Protocol Configuration	Windows Security Event Log

Microsoft Security Event Log Over MSRPC Protocol

The Microsoft Security Event Log over MSRPC protocol (MSRPC) collects Windows events without installing an agent on the Windows host.

The MSRPC protocol uses the Microsoft Distributed Computing Environment/Remote Procedure Call (DCE/RPC) specification to provide agentless, encrypted event collection. The MSRPC protocol provides higher event rates than the default MicrosoftWindows Security Event Log protocol, which uses WMI/DCOM for event collection.

The following table lists the supported features of the MSRPC protocol.

Table 16: Supported Features Of the MSRPC Protocol

Features	Microsoft Security Event Log over MSRPC protocol
Manufacturer	Microsoft
Connection test tool	The MSRPC test tool checks the connectivity between the JSA appliance and a Windows host. The MSRPC test tool is part of the MSRPC protocol RPM and can be found in `/opt/qradar/jars` after you install the protocol.
Protocol type	The operating system dependent type of the remote procedure protocol for collection of events. Select one of the following options from the Protocol Type list: MS-EVEN6 --The default protocol type for new log sources. The protocol type that is used by JSA to communicate with Windows Vista and Windows Server 2008 and later. MS-EVEN (for Windows XP/2003) --The protocol type that is used by JSA to communicate with Windows XP and Windows Server 2003. Windows XP and Windows Server 2003 are not supported by Microsoft. The use of this option might not be successful. auto-detect (for legacy configurations)--Previous log source configurations for the Microsoft Windows Security Event Log DSM use the auto-detect (for legacy configurations) protocol type. Upgrade to the MS_EVEN6 or the MS-EVEN (for Windows XP/2003) protocol type.
Maximum EPS rate	100 EPS / Windows host
Maximum overall EPS rate of MSRPC	8500 EPS / JSA 16xx or 18xx appliance
Maximum number of supported log sources	500 log sources / JSA 16xx or 18xx appliance
Bulk log source support	Yes
Encryption	Yes
Supported event types	Application System Security DNS Server File Replication Directory Service logs
Supported Windows Operating Systems	Windows Server 2012 (Including Core) Windows Server 2008 (Including Core) Windows 10 Windows 8 Windows 7 MSRPC is not supported on versions of MicrosoftWindows with end of life status such as Windows 2003 and Windows XP.
Required permissions	The log source user must be a member of the event log readers group. If this group is not configured, then domain admin privileges are required in most cases to poll a Windows event log across a domain. In some cases, the backup operators group can be used depending on how Microsoft Group Policy Objects are configured. Windows XP and 2003 operating system users require read access to the following registry keys: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ services\eventlog` `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\Nls\Language` `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft Windows\ CurrentVersion` JSA provides no support for Windows 2003 integrations because this operating system as reached its end of life.
Required RPM files	`PROTOCOL-WindowsEventRPC- JSA_release-Build_number.noarch.rpm` `DSM-MicrosoftWindows-JSA_release-Build_number.noarch.rpm` `DSM-DSMCommon-JSA_release-Build_number.noarch.rpm`
Windows service requirements	For Windows Vista and later--Remote Procedure Call (RPC)RPC Endpoint Mapper For Windows 2003--Remote RegistryServer
Windows port requirements	For Windows Vista and later--TCP port 135TCP port 445TCP port that is dynamically allocated for RPC, above 49152 For Windows 2003--TCP port 445TCP port 139
Special features	Supports encrypted events by default.
Automatically discovered?	No
Includes identity?	Yes
Includes custom properties?	A security content pack with Windows custom event properties is available on Juniper Customer Support(https://www.juniper.net/support/downloads/).
Intended application	Agentless event collection for Windows operating systems that can support 100 EPS per log source.
Tuning support	MSRPC is limited to 100 EPS / Windows host. For higher event rate systems, see the JSA WinCollect User Guide.
Event filtering support	MSRPC does not support event filtering. See the JSA WinCollect User Guide for this feature.
More information	Microsoft support (http://support.microsoft.com/)

In contrast to WMI/DCOM, the MSRPC protocol provides twice the EPS. The event rates are shown in the following table.

Table 17: Contrast Between MSRPC and WMI/DCOM Event Rates

Name	Protocol type	Maximum event rate
Microsoft Security Event Log	WMI/DCOM	50EPS / Windows host
Microsoft Security Event Log over MSRPC	MSRPC	100EPS / Windows host

MQ Protocol Configuration Options

To receive messages from a message queue (MQ) service, configure a log source to use the MQ protocol. The protocol name appears in JSA as MQ JMS.

MQ is supported.

The MQ protocol can monitor multiple message queues, up to a maximum of 50 per log source.

The following table describes the protocol-specific parameters for the MQ protocol:

Table 18: MQ Protocol Parameters

Parameter	Description
Protocol Name	MQ JMS
IP or Hostname	The IP address or host name of the primary queue manager.
Port	The default port that is used for communicating with the primary queue manager is 1414.
Standby IP or Hostname	The IP address or host name of the standby queue manager.
Standby Port	The port that is used to communicate with the standby queue manager.
Queue Manager	The name of the queue manager.
Channel	The channel through which the queue manager sends messages. The default channel is `SYSTEM.DEF.SVRCONN`.
Queue	The queue or list of queues to monitor. A list of queues is specified with a comma-separated list.
Username	The user name that is used for authenticating with the MQ service.
Password	Optional: The password that is used to authenticate with the MQ service.
EPS Throttle	The upper limit for the maximum number of events per second (EPS).
Incoming Message Encoding	The character encoding that is used by incoming messages.
Process Computational Fields	Select this option if the retrieved messages contain computational data. The binary data in the messages will be processed according to the field definition found in the specified CopyBook file.
CopyBook File Name	The name of the CopyBook file to use for processing data. The CopyBook file must be placed in `/store/ec/mqjms/*`
Event Formatter	Select the event formatting to be applied for any events that are generated from processing data containing computational fields. By default, No Formatting is used.
Include JMS Message Header	Select this option to include a header in each generated event containing JMS message fields such as the `JMSMessageID` and `JMSTimestamp`.
EPS Throttle	The upper limit for the maximum number of events per second (EPS).

Okta REST API Protocol Configuration Options

To receive events from Okta, configure a log source to use the Okta REST API protocol.

The Okta REST API protocol queries the Okta Events and Users API endpoints to retrieve information about actions that are completed by users in an organization.

The following table describes the protocol-specific parameters for the Okta REST API protocol:

Table 19: Okta REST API Protocol Parameters

Parameter	Description
IP or Hostname	oktaprise.okta.com
Authentication Token	A single authentication token that is generated by the Okta console and must be used for all API transactions.
Use Proxy	When a proxy is configured, all traffic for the log source travels through the proxy for JSA to access Okta. Configure the Proxy IP or Hostname, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, you can leave the Proxy Username and Proxy Password fields blank.
Automatically Acquire Server Certificate(s)	If you select Yes from the list, JSA downloads the certificate and begins trusting the target server.
Recurrence	You can specify when the log source collects data. The format is M/H/D for Months/Hours/Days. The default is 1 M.
EPS Throttle	The maximum limit for the number of events per second.

OPSEC/LEA Protocol Configuration Options

To receive events on port 18184, configure a log source to use the OPSEC/LEA protocol.

The following table describes the protocol-specific parameters for the OPSEC/LEA protocol:

Table 20: OPSEC/LEA Protocol Parameters

Parameter	Description
Protocol Configuration	OPSEC/LEA
Log Source Identifier	The IP address, host name, or any name to identify the device. Must be unique for the log source type.
Server IP	Type the IP address of the server.
Server Port	You must verify that JSA can communicate on port 18184 by using the OPSEC/LEA protocol. The port number that is used for OPSEC communication. The valid range is 0 - 65,536 and the default is 18184.
Use Server IP for Log Source	Select the Use Server IP for Log Source check box if you want to use the LEA server IP address instead of the managed device IP address for a log source. By default, the check box is selected.
Statistics Report Interval	The interval, in seconds, during which the number of syslog events are recorded in the `qradar.log` file. The valid range is 4 - 2,147,483,648 and the default interval is 600.
Authentication Type	From the list, select the Authentication Type that you want to use for this LEA configuration. The options are sslca (default), sslca_clear, or clear. This value must match the authentication method that is used by the server.
OPSEC Application Object SIC Attribute (SIC Name)	The Secure Internal Communications (SIC) name is the distinguished name (DN) of the application, for example: `CN=LEA, o=fwconsole..7psasx`.
Log Source SIC Attribute (Entity SIC Name)	The SIC name of the server, for example: `cn=cp_mgmt,o=fwconsole..7psasxz`.
Specify Certificate	Select this check box if you want to define a certificate for this LEA configuration. JSA attempts to retrieve the certificate by using these parameters when the certificate is needed.
Certificate Filename	This option appears only if Specify Certificate is selected. Type the file name of the certificate that you want to use for this configuration. The certificate file must be located in the/opt/qradar/conf/ trusted_certificates/lea directory.
Certificate Authority IP	Type the Check Point Manager Server IP address.
Pull Certificate Password	Type the activation key password.
OPSEC Application	The name of the application that makes the certificate request.
Enabled	Select this check box to enable the log source. By default, the check box is selected.
Credibility	From the list, select the Credibility of the log source. The range is 0 - 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.
Target Event Collector	From the list, select the Target Event Collector to use as the target for the log source.
Coalescing Events	Select the Coalescing Events check box to enable the log source to coalesce (bundle) events. By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.
Store Event Payload	Select the Store Event Payload check box to enable the log source to store event payload information. By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Note

After an upgrade, if you receive the error message Unable to pull SSL certificate, follow these steps:

Clear the Specify Certificate check box.
Reenter the password for Pull Certificate Password.

Oracle Database Listener Protocol Configuration Options

To remotely collect log files that are generated from an Oracle database server, configure a log source to use the Oracle Database Listener protocol source.

Before you configure the Oracle Database Listener protocol to monitor log files for processing, you must obtain the directory path to the Oracle database log files.

The following table describes the protocol-specific parameters for the Oracle Database Listener protocol:

Table 21: Oracle Database Listener Protocol Parameters

Parameter	Description
Protocol Configuration	Oracle Database Listener
Log Source Identifier	Type the IP address, host name, or name to identify your log source.
Server Address	The IP address or host name of your Oracle Database Listener server.
Domain	Type the domain for your Oracle Database Learner server. This parameter is optional if your server is not in a domain.
Username	Type the user name that is required to access your server.
Password	Type the password that is required to access your server.
Confirm Password	Confirm the password that is required to access the server.
Log Folder Path	Type the directory path to access the Oracle Database Listener log files.
File Pattern	The regular expression (regex) that identifies the event logs.
Force File Read	Select this check box to force the protocol to read the log file when the timing of the polling interval specifies. When the check box is selected, the log file source is always examined when the polling interval specifies, regardless of the last modified time or file size attribute. When the check box is not selected, the log file source is examined at the polling interval if the last modified time or file size attributes changed.
Recursive	If you want the file pattern to search sub folders, use this option. By default, the check box is selected.
SMB Version	The version of SMB to use: AUTO - Auto-detects to the highest version that the client and server agree to use. SMB1 - Forces the use of SMB1. SMB2 - Forces the use of SMB2.
Polling Interval (in seconds)	Type the polling interval, which is the number of seconds between queries to the log files to check for new data. The default is 10 seconds.
Throttle events/sec	The maximum number of events the Oracle Database Listener protocol forwards per second.
File Encoding	The character encoding that is used by the events in your log file.

PCAP Syslog Combination Protocol Configuration Options

To collect events from Juniper SRX Series Services Gateway or Juniper Junos OS Platform that forward packet capture (PCAP) data, configure a log source to use the PCAP Syslog Combination protocol.

Before you configure a log source that uses the PCAP Syslog Combination protocol, determine the outgoing PCAP port that is configured on the Juniper SRX Series Services Gateway or Juniper Junos OS Platform. PCAP data cannot be forwarded to port 514.

The following table describes the protocol-specific parameters for the PCAP Syslog Combination protocol:

Table 22: PCAP Syslog Combination Protocol Parameters

Parameter	Description
Log Source Name	Type a unique name of the log source.
Log Source Description	Optional. Type a description for the log source.
Log Source Type	From the list, you can select either Juniper SRX Series Services Gateway or Juniper Junos OS Platform.
Protocol Configuration	From the list, select PCAP Syslog Combination.
Log Source Identifier	Type an IP address, host name, or name to identify the Juniper SRX Series Services Gateway or Juniper Junos OS Platform appliance. The log source identifier must be unique for the log source type.
Incoming PCAP Port	If the outgoing PCAP port is edited on the Juniper SRX Series Services Gateway or Juniper Junos OS Platform appliance, you must edit the log source to update the incoming PCAP Port. To edit the Incoming PCAP Port number, complete the following steps: Type the new port number for receiving PCAP data Click Save. The port update is complete and event collection starts on the new port number.
Enabled	Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.
Credibility	Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or adjusted as a response to user created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.
Target Event Collector	Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. This option enables administrators to poll and process events on the target event collector, instead of the Console appliance. This can improve performance in distributed deployments.
Coalescing Events	Select this check box to enable the log source to coalesce (bundle) events. Coalescing events increase the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, the events are displayed individually and the information is not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Store Event Payload	Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.
Log Source Extension	Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns that are defined by a device support module (DSM).
Extension Use Condition	From the list box, select the use condition for the log source extension. The options include: Parsing enhancement Select this option when most fields parse correctly for your log source. Parsing override Select this option when the log source is unable to correctly parse events.
Groups	Select one or more groups for the log source.

SDEE Protocol Configuration Options

You can configure a log source to use the Security Device Event Exchange (SDEE) protocol. JSA uses the protocol to collect events from appliances that use SDEE servers.

The following table describes the protocol-specific parameters for the SDEE protocol:

Table 23: SDEE Protocol Parameters

Parameter	Description
Protocol Configuration	SDEE
URL	The HTTP or HTTPS URL that is required to access the log source, for example, https://www.mysdeeserver.com/cgi-bin/sdee-server. For SDEE/CIDEE (Cisco IDS v5.x and later), the URL must end with `/cgi-bin/sdee-server`. Administrators with RDEP (Cisco IDS v4.x), the URL must end with `/cgi-bin/event-server`.
Force Subscription	When the check box is selected, the protocol forces the server to drop the least active connection and accept a new SDEE subscription connection for the log source.
Maximum Wait To Block For Events	When a collection request is made and no new events are available, the protocol enables an event block. The block prevents another event request from being made to a remote device that did not have any new events. This timeout is intended to conserve system resources.

SMB Tail Protocol Configuration Options

You can configure a log source to use the SMB Tail protocol. Use this protocol to watch events on a remote Samba share and receive events from the Samba share when new lines are added to the event log.

The following table describes the protocol-specific parameters for the SMB Tail protocol:

Table 24: SMB Tail Protocol Parameters

Parameter	Description
Protocol Configuration	SMB Tail
Server Address	The IP address or host name of your SMB Tail server.
Domain	Type the domain for your SMB Tail server. This parameter is optional if your server is not in a domain.
Username	Type the user name that is required to access your server.
Password	Type the password that is required to access your server.
Confirm Password	Confirm the password that is required to access the server.
Log Folder Path	The directory path to access the log files. For example, administrators can use the `c$/LogFiles/` directory for an administrative share, or the `LogFiles/` directory for a public share folder path. However, the `c:/LogFiles` directory is not a supported log folder path. If a log folder path contains an administrative share (C$), users with NetBIOS access on the administrative share (C$) have the privileges that are required to read the log files. Local system or domain administrator privileges are also sufficient to access a log files that are on an administrative share.
File Pattern	The regular expression (regex) that identifies the event logs.
SMB Version	The version of SMB to use: AUTO - Auto-detects to the highest version that the client and server agree to use. SMB1 - Forces the use of SMB1. SMB2 - Forces the use of SMB2.
Force File Read	If the check box is cleared, the log file is read only when JSA detects a change in the modified time or file size.
Recursive	If you want the file pattern to search sub folders, use this option. By default, the check box is selected.
Polling Interval (In seconds)	Type the polling interval, which is the number of seconds between queries to the log files to check for new data. The default is 10 seconds.
Throttle Events/Second	The maximum number of events the SMB Tail protocol forwards per second.
File Encoding	The character encoding that is used by the events in your log file.

SNMPv2 Protocol Configuration Options

You can configure a log source to use the SNMPv2 protocol to receive SNMPv2 events.

The following table describes the protocol-specific parameters for the SNMPv2 protocol:

Table 25: SNMPv2 Protocol Parameters

Parameter

Description

Protocol Configuration

SNMPv3

Community

The SNMP community name that is required to access the system that contains SNMP events.

Include OIDs in Event Payload

Specifies that the SNMP event payload is constructed by using name-value pairs instead of the event payload format.

When you select specific log sources from the Log Source Types list, OIDs in the event payload are required for processing SNMPv2 or SNMPv3 events.

SNMPv3 Protocol Configuration Options

You can configure a log source to use the SNMPv3 protocol to receive SNMPv3 events.

The following table describes the protocol-specific parameters for the SNMPv3 protocol:

Table 26: SNMPv3 Protocol Parameters

Parameter	Description
Protocol Configuration	SNMPv3
Authentication Protocol	The algorithms to use to authenticate SNMP traps:
Include OIDs in Event Payload	Specifies that the SNMP event payload is constructed by using name-value pairs instead of the standard event payload format. When you select specific log sources from the Log Source Types list, OIDs in the event payload are required for processing SNMPv2 or SNMPv3 events.

Seculert Protection REST API Protocol Configuration Options

To receive events from Seculert, configure a log source to use the Seculert Protection REST API protocol.

Seculert Protection provides alerts on confirmed incidents of malware that are actively communicating or exfiltrating information.

Before you can configure a log source for Seculert, you must obtain your API key from the Seculert web portal.

Log in to the Seculert web portal.
On the dashboard, click the API tab.
Copy the value for Your API Key.

The following table describes the protocol-specific parameters for the Seculert Protection REST API protocol:

Table 27: Seculert Protection REST API Protocol Parameters

Parameter	Description
Log Source Type	Seculert
Protocol Configuration	Seculert Protection REST API
Log Source Identifier	Type the IP address or host name for the log source as an identifier for events from Seculert. Each additional log source that you create when you have multiple installations ideally includes a unique identifier, such as an IP address or host name.
API Key	The API key that is used for authenticating with the Seculert Protection REST API. The API key value is obtained from the Seculert web portal.
Use Proxy	When you configure a proxy, all traffic for the log source travels through the proxy for JSA to access the Seculert Protection REST API. Configure the Proxy IP or Hostname, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, you can leave the Proxy Username and Proxy Password fields blank.
Automatically Acquire Server Certificate(s)	If you select Yes form the list, JSA downloads the certificate and begins trusting the target server.
Recurrence	Specify when the log collects data. The format is M/H/D for Months/Hours/Days. The default is 1 M.
EPS Throttle	The upper limit for the maximum number of events per second (eps) for events that are received from the API.
Enabled	Select this check box to enable the log source. By default, the check box is selected.
Credibility	Select the Credibility of the log source. The range is 0 - 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.
Target Event Collector	Select the Target Event Collector to use as the target for the log source.
Coalescing Events	Select this check box to enable the log source to coalesce (bundle) events. By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.
Store Event Payload	Select this check box to enable the log source to store event payload information. By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Sophos Enterprise Console JDBC Protocol Configuration Options

To receive events from Sophos Enterprise Consoles, configure a log source to use the Sophos Enterprise Console JDBC protocol.

The Sophos Enterprise Console JDBC protocol combines payload information from application control logs, device control logs, data control logs, tamper protection logs, and firewall logs in the vEventsCommonData table. If the Sophos Enterprise Console does not have the Sophos Reporting Interface, you can use the standard JDBC protocol to collect antivirus events.

The following table describes the parameters for the Sophos Enterprise Console JDBC protocol:

Table 28: Sophos Enterprise Console JDBC Protocol Parameters

Parameter	Description
Protocol Configuration	Sophos Enterprise Console JDBC
Database Type	MSDE
Database Name	The database name must match the database name that is specified in the Log Source Identifier field.
Port	The default port for MSDE in Sophos Enterprise Console is 1168. The JDBC configuration port must match the listener port of the Sophos database to communicate with JSA. The Sophos database must have incoming TCP connections enabled. If a Database Instance is used with the MSDE database type, you must leave the Port parameter blank.
Authentication Domain	If your network does not use a domain, leave this field blank.
Database Instance	The database instance, if required. MSDE databases can include multiple SQL server instances on one server. When a non-standard port is used for the database or administrators block access to port 1434 for SQL database resolution, the Database Instance parameter must be blank.
Table Name	`vEventsCommonData`
Select List	`*`
Compare Field	`InsertedAt`
Use Prepared Statements	Prepared statements enable the protocol source to set up the SQL statement, and then run the SQL statement numerous times with different parameters. For security and performance reasons, most configurations can use prepared statements. Clear this check box to use an alternative method of querying that do not use pre-compiled statements.
Start Date and Time	Optional. A start date and time for when the protocol can start to poll the database. If a start time is not defined, the protocol attempts to poll for events after the log source configuration is saved and deployed.
Polling Interval	The polling interval, which is the amount of time between queries to the database. You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values without an H or M designator poll in seconds.
EPS Throttle	The number of Events Per Second (EPS) that you do not want this protocol to exceed.
Use Named Pipe Communication	If MSDE is configured as the database type, administrators can select this check box to use an alternative method to a TCP/IP port connection. Named pipe connections for MSDE databases require the user name and password field to use a Windows authentication username and password and not the database user name and password. The log source configuration must use the default named pipe on the MSDE database.
Database Cluster Name	If you use your SQL server in a cluster environment, define the cluster name to ensure that named pipe communications function properly.
Use NTLMv2	Forces MSDE connections to use the NTLMv2 protocol with SQL servers that require NTLMv2 authentication. The default value of the check box is selected. The Use NTLMv2 check box does not interrupt communications for MSDE connections that do not require NTLMv2 authentication.

Sourcefire Defense Center EStreamer Protocol Options

Sourcefire Defense Center eStreamer protocol is now known as Cisco Firepower eStreamer protocol.

Syslog Redirect Protocol Overview

The Syslog Redirect protocol is used as an alternative to the Syslog protocol. Use this protocol to override how JSA determines the source of a syslog event.

The standard syslog protocol listener on port 514 automatically parses the host name or IP from a standard syslog header and recognizes it as the source value of the event. If an event does not have a standard header, the source IP of the packet it arrived on is used as the source value.

If events are sent to JSA through an intermediary system, such as a syslog forwarder, aggregator, load balancer, third-party log management, or SIEM system, the packet IP is that of the intermediary. Syslog Redirect addresses this issue by determining the source value from elsewhere in the event payload.

The following table describes the protocol-specific parameters for the Syslog Redirect protocol:

Table 29: Syslog Redirect Protocol Parameters

Parameter	Description
Protocol Configuration	Syslog Redirect
Log Source Identifier Regex	Enter a regex (regular expression) to capture one or more values from event payloads that are handled by this protocol. These values are used with the Log Source Identifier Regex Format String to set a source or origin value for each event. This source value is used to route the event to a log source with a matching Log Source Identifier value.
Log Source Identifier Regex Format String	You can use a combination of one or more of the following inputs to form a source value for event payloads that are processed by this protocol: One or more capture groups from the Log Source Identifier Regex. To refer to a capture group, use \xnotation where x is the index of a capture group from the Log Source Identifier Regex. The IP address from which the event data originated. To refer to the packet IP, use the token $PIP$. Literal text characters. The entire Log Source Identifier Regex Format String can be user-provided text. For example, if the Log Source Identifier Regex is 'hostname=(.?) ' and you want to append hostname.com to the capture group 1 value, set the Log Source Identifier Regex Format String* to \1.hostname.com. If an event is processed that containshostname=ibm, then the event payload's source value is set to ibm.hostname.com, and JSA routes the event to a log source with that Log Source Identifier.
Perform DNS Lookup On Regex Match	Select this check box to allow the protocol to perform DNS lookups on source values (as set by the Log Source Identifier Regex and Log Source Identifier Format String parameters) to convert host names into IP addresses. If left clear, the source value remains as-is. By default, the check box is not selected. Note: If you enable the Perform DNS Lookup on Regex Match option, it might slow the performance of the Syslog Redirect protocol.
Listen Port	517 is the default part. Any port can be used for listening, other than port 514 as it is used by the standard Syslog listener.
Protocol	You can select either UDP or TCP.

TCP Multiline Syslog Protocol Configuration Options

You can configure a log source that uses the TCP multiline syslog protocol. To create a single-line event, this protocol uses regular expressions to identify the start and end pattern of multiline events.

The following example is a multiline event:

The following table describes the protocol-specific parameters for the TCP multiline syslog protocol:

Table 30: TCP Multiline Syslog Protocol Parameters

Parameter	Description
Protocol Configuration	TCP Multiline Syslog
Log Source Identifier	Type an IP address or host name to identify the log source. To use a name instead, select Use Custom Source Name and fill in the Source Name Regex and Source Name Formatting String parameters. Note: These parameters are only available if Show Advanced Options is set to Yes.
Listen Port	The default port is 12468.
Aggregation Method	The default is Start/End Matching. Use ID-Linked if you want to combine multiline events that are joined by a common identifier.
Event Start Pattern	This parameter is available when you set the Aggregation Method parameter to Start/End Matching. The regular expression (regex) that is required to identify the start of a TCP multiline event payload. Syslog headers typically begin with a date or time stamp. The protocol can create a single-line event that is based on solely on an event start pattern, such as a time stamp. When only a start pattern is available, the protocol captures all the information between each start value to create a valid event.
Event End Pattern	This parameter is available when you set the Aggregation Method parameter to Start/End Matching. This regular expression (regex) that is required to identify the end of a TCP multiline event payload. If the syslog event ends with the same value, you can use a regular expression to determine the end of an event. The protocol can capture events that are based on solely on an event end pattern. When only an end pattern is available, the protocol captures all the information between each end value to create a valid event.
Message ID Pattern	This parameter is available when you set the Aggregation Method parameter to ID-Linked. This regular expression (regex) required to filter the event payload messages. The TCP multiline event messages must contain a common identifying value that repeats on each line of the event message.
Event Formatter	Use the Windows Multiline option for multiline events that are formatted specifically for Windows.
Show Advanced Options	The default is No. Select Yes if you want to customize the event data.
Use Custom Source Name	This parameter is available when you set Show Advanced Options to Yes. Select the check box if you want to customize the source name with regex.
Source Name Regex	This parameter is available when you check Use Custom Source Name. The regular expression (regex) that captures one or more values from event payloads that are handled by this protocol. These values are used along with the Source Name Formatting String parameter to set a source or origin value for each event. This source value is used to route the event to a log source with a matching Log Source Identifier value.
Source Name Formatting String	This parameter is available when you check Use Custom Source Name. You can use a combination of one or more of the following inputs to form a source value for event payloads that are processed by this protocol: One or more capture groups from the Source Name Regex. To refer to a capture group, use \x notation where x is the index of a capture group from the Source Name Regex. The IP address where the event data originated from. To refer to the packet IP, use the token $PIP$. Literal text characters. The entire Source Name Formatting String can be user-provided text. For example, if the Source Name Regex is ’hostname=(.?)’ and you want to append hostname.com to the capture group 1 value, set the Source Name Formatting String* to\1.hostname.com. If an event is processed that contains hostname=ibm, then the event payload's source value is set to ibm.hostname.com, and JSA routes the event to a log source with that Log Source Identifier.
Use as a Gateway Log Source	This parameter is available when you set Show Advanced Options to Yes. When selected, events that flow through the log source can be routed to other log sources, based on the source name tagged on the events. When this option is not selected and Use Custom Source Name is not checked, incoming events will be tagged with a source name that corresponds to the Log Source Identifier parameter.
Flatten Multiline Events into Single Line	This parameter is available when you set Show Advanced Options to Yes. Shows an event in one single line or multiple lines.
Retain Entire Lines during Event Aggregation	This parameter is available when you set Show Advanced Options to Yes. If you set the Aggregation Method parameter to ID-Linked, you can enable Retain Entire Lines during Event Aggregation to either discard or keep the part of the events that comes before Message ID Pattern when concatenating events with the same ID pattern together.

TCP Multiline Syslog Protocol Configuration Use Cases

To set the TCP Multiline Syslog listener log source to collect all events that are sent from the same system, follow these steps:

Leave Use As A Gateway Log Source and Use Custom Source Name cleared.
Enter the IP address of the system that is sending events in the Log Source Identifier parameter.
Figure 1: A JSA Log Source Collects Events Sent from a Single System to a TCP Multiline Syslog Listener
If multiple systems are sending events to the TCP Multiline Syslog listener, or if one intermediary system is forwarding events from multiple systems and you want the events to be routed to separate log sources based on their syslog header or IP address, check the Use As A Gateway Log Source check box.
Note
JSA checks each event for an RFC3164 or RFC5424-compliant syslog header, and if present, uses the IP/hostname from that header as the source value for the event. The event is routed to a log source with that same IP or host name as its Log Source Identifier. If no such header is present, JSA uses the source IP value from the network packet that the event arrived on as the source value for the event.
Figure 2: Separate JSA Log Sources Collect Events Sent from Multiple Systems to a TCP Multiline Listener, by Using the Syslog Header.
Figure 3: Separate JSA Log Sources Collect Events Sent from Multiple Systems and Forwarded Via an Intermediate System to a TCP Multiline Listener, by Using the Syslog Header.

To route events to separate log sources based on a value other than the IP or host name in their syslog header, follow these steps:

Check the Use Custom Source Name check box.
Configure a Source Name Regex and Source Name Formatting String to customize how JSA sets a source name value for routing the received events to log sources.
Figure 4: Separate JSA Log Sources Collect Events Sent from Multiple Systems and Forwarded Via an Intermediate System to a TCP Multiline Listener, by Using the Source Name Regex and Source Name Formatting String.

TLS Syslog Protocol Configuration Options

Configure a TLS Syslog protocol log source to receive encrypted syslog events from up to 1000 network devices that support TLS Syslog event forwarding.

The log source creates a listen port for incoming TLS Syslog events and generates a certificate file for the network devices. Up to 50 network appliances can forward events to the listen port that is created for the log source. If you create additional log sources with unique listen ports, you can configure up to 1000 network appliances.

The following table describes the protocol-specific parameters for the TLS Syslog protocol:

Table 31: TLS Syslog Protocol Parameters

Parameter	Description
Protocol Configuration	TLS Syslog
TLS Listen Port	The default TLS listen port is 6514.
Authentication Mode	The mode by which your TLS connection is authenticated. If you select the TLS and Client Authentication option, you must configure the certificate parameters.
Client Certificate Path	The absolute path to the client-certificate on disk. The certificate must be stored on the Console or Event Collector for this log source.
Certificate Type	The type of certificate to use for authentication. If you select the Provide Certificate option, you must configure the file paths for the server certificate and the private key.
Provided Server Certificate Path	The absolute path to the server certificate.
Provided Private Key Path	The absolute path to the private key. Note: The corresponding private key must be a DER-encoded PKCS8 key. The configuration fails with any other key format.
Maximum Connections	The Maximum Connections parameter controls how many simultaneous connections the TLS Syslog protocol can accept for each Event Collector. There is a limit of 1000 connections across all TLS syslog log source configurations for each Event Collector. The default for each device connection is 50. Note: Automatically discovered log sources that share a listener with another log source count only one time towards the limit. For example, the same port on the same event collector.

TLS Syslog Use Cases

The following use cases represent possible configurations that you can create:

Client Authentication--You can supply a client-certificate that enables the protocol to engage in client-authentication. If you select this option and provide the certificate, incoming connections are validated against the client-certificate.
User-provided Server Certificates--You can configure your own server certificate and corresponding private key. The configured TLS Syslog provider uses the certificate and key. Incoming connections are presented with the user-supplied certificate, rather than the automatically generated TLS Syslog certificate.

Default authentication--To use the default authentication method, use the default values for the Authentication Mode and Certificate Type parameters. After the log source is saved, a syslog-tls certificate is created for log source device. The certificate must be copied to any device on your network that forwards encrypted syslog data.

Configuring Multiple Log Sources Over TLS Syslog

You can configure multiple devices in your network to send encrypted syslog events to a single TLS Syslog listen port. The TLS Syslog listener acts as a gateway, decrypts the event data, and feeds it within JSA to extra log sources configured with the Syslog protocol.

Ensure that the TLS Syslog log source is configured.

Note

The Log Source Identifier and Log Source Type for the TLS Syslog log source is of no importance. You can use any placeholder to identify the TLS Syslog log source. The TLS Syslog log source is configured to host the TLS syslog listener and acts as a gateway.

Multiple devices within your network that support TLS-encrypted syslog can send encrypted events via a TCP connection to the TLS Syslog listen port. These encrypted events are decrypted by the TLS syslog (gateway) and are fired into the event pipeline. The decrypted events get routed to the appropriate receiver log sources or to the traffic analysis engine for autodiscovery.

Events are routed within JSA to log sources with a Log Source Identifier value that matches the source value of an event. For syslog events with an RFC3164- or RFC5424-compliant syslog header, the source value is the IP address or the host name from the header. For events that do not have a compliant header, the source value is the IP address from which the syslog event was sent.

On JSA, you can configure multiple log sources with Syslog protocol to receive encrypted events that are sent to a single TLS Syslog listen port from multiple devices.

Note

Most TLS-enabled clients require the target server or listener's public certificate to authenticate the server's connection. By default, a TLS Syslog log source generates a certificate that is named syslog-tls.cert in /opt/qradar/conf/trusted_certificates/ on the target Event Collector that the log source is assigned to. This certificate file must be copied to all clients that is making a TLS connection.

Log in to JSA.
Click the Admin tab.
Click Log Sources >Add.
From the Protocol Configuration list, select TLS Syslog.
Configure the log source device to use the TLS Syslog port to send events to JSA.
Repeat steps 3-5 for each log sources that is receiving events through the gateway TLS listener.Note
You can also add multiple receiver log sources in bulk by clicking Bulk Actions > Bulk Add from the Log Sources window.

UDP Multiline Syslog Protocol Configuration Options

To create a single-line syslog event from a multiline event, configure a log source to use the UDP multiline protocol. The UDP multiline syslog protocol uses a regular expression to identify and reassemble the multiline syslog messages into single event payload.

The original multiline event must contain a value that repeats on each line in order for a regular expression to capture that value and identify and reassemble the individual syslog messages that make up the multiline event. For example, this multiline event contains a repeated value, 2467222, in the conn field. This field value is captured so that all syslog messages that contain conn=2467222 are combined into a single event.

The following table describes the protocol-specific parameters for the UDP multiline syslog protocol:

Table 32: UDP Multiline Syslog Protocol Parameters

Parameter	Description
Protocol Configuration	UDP Multiline Syslog
Listen Port	The default port number that is used by JSA to accept incoming UDP Multiline Syslog events is 517. You can use a different port in the range 1 - 65535. To edit a saved configuration to use a new port number, complete the following steps: In the Listen Port field, type the new port number for receiving UDP Multiline Syslog events. Click Save. Click Deploy Changes to make this change effective. The port update is complete and event collection starts on the new port number.
Message ID Pattern	The regular expression (regex) required to filter the event payload messages. The UDP multiline event messages must contain a common identifying value that repeats on each line of the event message.
Event Formatter	The event formatter that formats incoming payloads that are detected by the listener. Select No Formatting to leave the payload untouched. Select Cisco ACS Multiline to format the payload into a single-line event. In ACS syslog header, there are total_seg and seg_num fields. These two fields are used to rearrange ACS multiline events into a single-line event with correct order when you select the Cisco ACS Multiline option.
Show Advanced Options	The default is No. Select Yes if you want to configure advanced options.
Use Custom Source Name	Select the check box if you want to customize the source name with regex.
Source Name Regex	Use the Source Name Regex and Source Name Formatting String parameters if you want to customize how JSA determines the source of the events that are processed by this UDP Multiline Syslog configuration. For Source Name Regex, enter a regex to capture one or more identifying values from event payloads that are handled by this protocol. These values are used with the Source Name Formatting String to set a source or origin value for each event. This source value is used to route the event to a log source with a matching Log Source Identifier value when the Use As A Gateway Log Source option is enabled.
Source Name Formatting String	You can use a combination of one or more of the following inputs to form a source value for event payloads that are processed by this protocol: One or more capture groups from the Source Name Regex. To refer to a capture group, use \x notation where x is the index of a capture group from the Source Name Regex. The IP address from which the event data originated. To refer to the packet IP, use the token $PIP$. Literal text characters. The entire Source Name Formatting String can be user-provided text. For example, CiscoACS\1\2$PIP$, where \1\2 means first and second capture groups from the Source Name Regex value, and $PIP$ is the packet IP.
Use As A Gateway Log Source	If this check box is clear, incoming events are sent to the log source with the Log Source Identifier matching the IP that they originated from. When checked, this log source serves as a single entry point or gateway for multiline events from many sources to enter JSA and be processed in the same way, without the need to configure a UDP Multiline Syslog log source for each source. Events with an RFC3164- or RFC5424-compliant syslog header are identified as originating from the IP or host name in their header, unless the Source Name Formatting String parameter is in use, in which case that format string is evaluated for each event. Any such events are routed through JSA based on this captured value. If one or more log sources exist with a corresponding Log Source Identifier, they are given the event based on configured Parsing Order. If they do not accept the event, or if no log sources exist with a matching Log Source Identifier, the events are analyzed for autodetection.
Flatten Multiline Events Into Single Line	Shows an event in one single line or multiple lines. If this check box is selected, all newline and carriage return characters are removed from the event.
Retain Entire Lines During Event Aggregation	Choose this option to either discard or keep the part of the events that comes before Message ID Pattern when the protocol concatenates events with same ID pattern together.
Enabled	Select this check box to enable the log source.
Credibility	Select the credibility of the log source. The range is 0 - 10. The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.
Target Event Collector	Select the Event Collector in your deployment that should host the UDP Multiline Syslog listener.
Coalescing Events	Select this check box to enable the log source to coalesce (bundle) events. By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.
Store Event Payload	Select this check box to enable the log source to store event payload information. By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Configuring UDP Multiline Syslog for Cisco ACS Appliances

The Cisco ACS DSM for JSA accepts syslog events from Cisco ACS appliances with log sources that are configured to use the UDP Multiline Syslog protocol.

Log in to JSA.
Click the Admin tab.
In the Data Sources section, click the Log Sources icon, and then click Add.
In the Log Source Name field, type a name for your log source.
From the Log Source Type list, select Cisco ACS.
From the Protocol Configuration list, select UDP Multiline Syslog.

Configure the parameters:

The following parameters require specific values to collect events from Cisco ACS appliances:

Table 33: Cisco ACS Log Source Parameters

Parameter	Value
Log Source Identifier	Type the IP address, host name, or name to identify your Cisco ACS appliance.
Listen Port	The default port number that is used by JSA to accept incoming UDP Multiline Syslog events is 517. You can use a different port. The valid port range is 1 - 65535. To edit a saved configuration to use a new port number, complete the following steps. In the Listen Port field, type the new port number for receiving UDP Multiline Syslog events. Click Save. The port update is complete and event collection starts on the new port number.
Message ID Pattern	\s(\d{10})\s
Event Formatter	Select Cisco ACS Multiline from the list.

VMware VCloud Director Protocol Configuration Options

To collect events from the VMware vCloud Director virtual environments, you can create a log source that uses the VMware vCloud Director protocol.

The following table describes the protocol-specific parameters for the VMware vCloud Director protocol:

Table 34: VMware VCloud Director Protocol Parameters

Parameter	Description
Protocol Configuration	VMware vCloud Director
vCloud URL	The URL that is configured on the VMware vCloud appliance to access the REST API. The URL must match the address that is configured as the VCD public REST API base URL on the vCloud Server, for example, `https://1.1.1.1.`.
User Name	The user name that is required to remotely access the vCloud Server, for example, `console/user@organization`. To configure a read-only account to use with the vCloud Director protocol, a user must have Console Access Only permission.