Event Collection from Third-party Devices
To configure event collection from third-party devices, you must complete configuration tasks both on the third-party device and on your JSA Console, Event Collector, or Event Processor. The key components that work together to collect events from third-party devices are log sources, DSMs, and automatic updates.
A log source is any external device or system that is configured either to send events to your JSA system or to have its events collected by your JSA system. JSA shows events from log sources on the Log Activity tab.
To receive raw events from log sources, JSA supports several protocols, including syslog (from operating systems, applications, firewalls, and IPS/IDS devices), SNMP, SOAP, and JDBC (for data read from database tables and views). JSA also supports proprietary vendor-specific protocols, such as OPSEC/LEA from Check Point.
A Device Support Module (DSM) is a configuration file that parses the events received from log sources of a given type and converts them to a standard taxonomy format that can be displayed as output. Each type of log source has a corresponding DSM.
JSA provides daily and weekly automatic updates on a recurring schedule. The weekly automatic update includes new DSM releases, corrections to parsing issues, and protocol updates. For more information about automatic updates, see the Juniper Secure Analytics Administration Guide.
Third-party Device Installation Process
To collect events from a third-party device, you must complete installation and configuration steps on both the log source device and your JSA system. Some third-party devices need extra configuration steps, such as configuring a certificate to enable communication between that device and JSA.
The following steps represent a typical installation process:
Read the specific instructions for how to integrate your third-party device.
Download and install the RPM for your third-party device. RPMs are available for download from https://www.juniper.net/support/downloads/. If your JSA system is configured to accept automatic updates, this step might not be required.
Configure the third-party device to send events to JSA.
After some events are received, JSA automatically detects some third-party devices and creates a log source configuration. The log source appears on the Log Sources list with default information, which you can customize.
If JSA does not automatically detect the log source, manually add a log source. The list of supported DSMs and the device-specific topics indicate which third-party devices are not automatically detected.
Deploy the configuration changes and restart your web services.
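Before you point a production device at JSA, it helps to confirm that the collector accepts a syslog event at all and that it shows up on the Log Activity tab (and, for auto-detected device types, that a log source is created). The following script is an added example, not code from the original page or from JSA: it builds an RFC 3164 syslog line and sends it over UDP. The collector hostname is a placeholder, the port 514 is an assumed default, and the payload is constructed sample data; check all three against your deployment.

```python
"""Added example (not JSA or device code): send a test syslog event to a JSA collector.

Builds an RFC 3164 syslog line and sends it over UDP so that you can check,
on the Log Activity tab, that the collector receives events before you
configure the real device. The collector address and port 514 are assumptions
for this example; replace them with the values for your deployment.
"""
import socket
from datetime import datetime

# Facility and severity codes from RFC 3164 (PRI = facility * 8 + severity).
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "local4": 20}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

JSA_COLLECTOR = "jsa-collector.example.net"   # placeholder, not a real host
SYSLOG_PORT = 514                             # assumed default syslog port


def syslog_pri(facility, severity):
    """Compute the <PRI> value as RFC 3164 section 4.1.1 defines it."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_syslog_message(hostname, tag, msg, facility="local4", severity="info", when=None):
    """Return an RFC 3164 line as bytes: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG

    The day of month is space-padded to two characters, which is what RFC 3164
    requires and what parsers expect ("Jan  5", not "Jan 5").
    """
    when = when or datetime.now()
    timestamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{syslog_pri(facility, severity)}>{timestamp} {hostname} {tag}: {msg}".encode()


def demo_message():
    """Constructed sample event with a fixed timestamp so the output is reproducible."""
    return build_syslog_message(
        hostname="fw01", tag="FW",
        msg="action=accept src=10.1.2.3 dst=192.0.2.10 proto=tcp sport=51234 dport=443",
        when=datetime(2024, 1, 5, 10, 1, 5))


def send_test_event(message, host=JSA_COLLECTOR, port=SYSLOG_PORT):
    """Send one UDP datagram; returns the byte count handed to the kernel.

    UDP gives no delivery confirmation, so the real check is whether the event
    appears on the Log Activity tab, not the return value here.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message, (host, port))


if __name__ == "__main__":
    payload = demo_message()
    print(payload.decode())
    try:
        print("sent", send_test_event(payload), "bytes to", JSA_COLLECTOR)
    except OSError as exc:   # e.g. the placeholder hostname does not resolve
        print("send failed:", exc)
```

If the event arrives but is shown as unparsed, the transport is fine and the problem is in parsing, which is where the DSM or a Universal DSM extension comes in.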
Universal DSMs for Unsupported Third-party Log Sources
After the events are collected and before correlation can begin, individual events from your devices must be properly normalized. Normalization maps the information in an event to common field names, such as event name, IP addresses, protocol, and ports. If an enterprise network has one or more network or security devices for which JSA does not provide a corresponding DSM, you can use the Universal DSM. By using the Universal DSM, JSA can integrate with most devices and any common protocol source.
To configure the Universal DSM, you use device extensions to associate the Universal DSM with your devices. Before you define the device extension information in the Log Sources window on the Admin tab, you must create an extension document for the log source.
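The following script is an added illustration of what such an extension document does, not JSA code and not the real extension format: it reads a small XML document of regular-expression patterns and matchers that bind capture groups to normalized fields, then applies it to constructed firewall log lines, including one line that matches nothing so the unparsed path is visible. The element and attribute names in the XML (device-extension, pattern, match-group, matcher, pattern-id, capture-group) are assumptions made for this example; use the schema documented for your JSA release when you write a real extension.

```python
"""Added illustration of what a Universal DSM extension does; this is not JSA code.

A log source extension document lists regular-expression patterns and matchers
that bind a capture group of each pattern to a normalized field (EventName,
SourceIp, DestinationPort, ...). The XML below is modeled on that layout: its
element and attribute names are assumptions made for this example, and the
firewall log lines are constructed sample data.
"""
import re
import xml.etree.ElementTree as ET

# Constructed extension document (element and attribute names are assumptions).
EXTENSION_XML = r"""
<device-extension>
  <pattern id="EventNamePattern"><![CDATA[\baction=(\w+)]]></pattern>
  <pattern id="SourceIpPattern"><![CDATA[\bsrc=(\d{1,3}(?:\.\d{1,3}){3})]]></pattern>
  <pattern id="DestinationIpPattern"><![CDATA[\bdst=(\d{1,3}(?:\.\d{1,3}){3})]]></pattern>
  <pattern id="ProtocolPattern"><![CDATA[\bproto=(\w+)]]></pattern>
  <pattern id="SourcePortPattern"><![CDATA[\bsport=(\d+)]]></pattern>
  <pattern id="DestinationPortPattern"><![CDATA[\bdport=(\d+)]]></pattern>
  <match-group order="1" description="Constructed firewall key=value format">
    <matcher field="EventName" order="1" pattern-id="EventNamePattern" capture-group="1"/>
    <matcher field="SourceIp" order="2" pattern-id="SourceIpPattern" capture-group="1"/>
    <matcher field="DestinationIp" order="3" pattern-id="DestinationIpPattern" capture-group="1"/>
    <matcher field="Protocol" order="4" pattern-id="ProtocolPattern" capture-group="1"/>
    <matcher field="SourcePort" order="5" pattern-id="SourcePortPattern" capture-group="1"/>
    <matcher field="DestinationPort" order="6" pattern-id="DestinationPortPattern" capture-group="1"/>
  </match-group>
</device-extension>
"""

# Constructed raw payloads as a firewall might emit them over syslog.
SAMPLE_EVENTS = [
    "Jan 12 10:01:05 fw01 FW: action=accept src=10.1.2.3 dst=192.0.2.10 proto=tcp sport=51234 dport=443",
    "Jan 12 10:01:07 fw01 FW: action=drop src=198.51.100.7 dst=10.1.2.3 proto=udp sport=53 dport=53",
    "Jan 12 10:01:09 fw01 FW: heartbeat ok",   # matches no pattern: exercises the unparsed path
]


def load_extension(xml_text):
    """Compile every <pattern> and return (field, regex, group) matchers in declared order."""
    root = ET.fromstring(xml_text.strip())
    patterns = {p.get("id"): re.compile(p.text) for p in root.iter("pattern")}
    matchers = []
    for group in sorted(root.iter("match-group"), key=lambda g: int(g.get("order"))):
        for m in sorted(group.iter("matcher"), key=lambda m: int(m.get("order"))):
            matchers.append((m.get("field"), patterns[m.get("pattern-id")], int(m.get("capture-group"))))
    return matchers


def normalize(raw_event, matchers):
    """Apply the matchers to one payload; fields that no pattern matches are left out."""
    normalized = {"Payload": raw_event}
    for field, regex, group in matchers:
        if field in normalized:            # first matcher (by order) to hit a field wins
            continue
        found = regex.search(raw_event)
        if found:
            value = found.group(group)
            normalized[field] = int(value) if field.endswith("Port") else value
    # A payload whose EventName pattern does not match cannot be categorized; flag it so the
    # extension author sees which payloads still need a pattern. The "Unknown" label is this
    # example's own choice, not a JSA identifier.
    normalized["Parsed"] = "EventName" in normalized
    normalized.setdefault("EventName", "Unknown")
    return normalized


def normalize_all(raw_events, xml_text=EXTENSION_XML):
    """Normalize a batch of payloads with the given extension document."""
    matchers = load_extension(xml_text)
    return [normalize(event, matchers) for event in raw_events]


if __name__ == "__main__":
    for event in normalize_all(SAMPLE_EVENTS):
        print(event)
```

Two habits from this example carry over to real extension documents: anchor each pattern on a field delimiter (here the `\b` before `src=` keeps it from matching inside `dst=`), and always test the document against payloads that are supposed to fail, because an extension that silently drops fields produces events that correlate on nothing.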