Extreme Dragon

The Extreme Dragon DSM for JSA receives Extreme Dragon events over either syslog or SNMPv3 and records all relevant events.

To configure your JSA Extreme Dragon DSM, use the following procedure:

  1. Create an Alarm Tool policy by using an SNMPv3 notification rule.
  2. Create an Alarm Tool policy by using a Syslog notification rule. See Creating a Policy for Syslog.
  3. Configure the log source within JSA. See Configuring a Log Source.
  4. Configure Dragon Enterprise Management Server (EMS) to forward syslog messages. See Configure the EMS to Forward Syslog Messages.

Creating a Policy for Syslog

This procedure describes how to configure an Alarm Tool policy by using a syslog notification rule in the Log Event Extended Format (LEEF) message format.

LEEF is the preferred message format for sending notifications to Dragon Network Defense when the notification rate is high or when IPv6 addresses are displayed. If you do not want to use syslog notifications in LEEF format, refer to your Extreme Dragon documentation for more information.

To configure Extreme Dragon with an Alarm Tool policy by using a syslog notification rule:

  1. Log in to the Extreme Dragon EMS.
  2. Click the Alarm Tool icon.
  3. Configure the Alarm Tool Policy:

    In the Alarm Tool Policy View > Custom Policies menu tree, right-click and select Add Alarm Tool Policy.

    The Add Alarm Tool Policy window is displayed.

  4. In the Add Alarm Tool Policy field, type a policy name.

    For example:

    JSA

  5. Click OK.
  6. In the menu tree, select JSA.
  7. To configure the event group:

    Click the Events Group tab.

  8. Click New.

    The Event Group Editor is displayed.

  9. Select the event group or individual events to monitor.
  10. Click Add.

    A prompt is displayed.

  11. Click Yes.
  12. In the right column of the Event Group Editor, type Dragon-Events.
  13. Click OK.
  14. Configure the Syslog notification rule:

    Click the Notification Rules tab.

  15. Click New.
  16. In the name field, type JSA -RuleSys.
  17. Click OK.
  18. In the Notification Rules pane, select the newly created JSA -RuleSys item.
  19. Click the Syslog tab.
  20. Click New.

    The Syslog Editor is displayed.

  21. Update the following values:

    • Facility: Using the Facility list, select a facility.

    • Level: Using the Level list, select notice.

    • Message: Using the Type list, select LEEF.

    The LEEF message format separates fields with a pipe (|) delimiter between each keyword.

  22. Click OK.
  23. Verify that the notification events are logged as separate events:

    Click the Global Options tab.

  24. Click the Main tab.
  25. Make sure that Concatenate Events is not selected.
  26. Configure the alarm information:

    Click the Alarms tab.

  27. Click New.
  28. Type values for the parameters:

    • Name: Type JSA -Alarm.

    • Type: Select Real Time.

    • Event Group: Select Dragon-Events.

    • Notification Rule: Select the JSA -RuleSys check box.

  29. Click OK.
  30. Click Commit.
  31. Navigate to the Enterprise View.
  32. Right-click on the Alarm Tool and select Associate Alarm Tool Policy.
  33. Select the newly created JSA policy. Click OK.
  34. In the Enterprise menu, right-click the policy and select Deploy.

    You are now ready to configure a syslog log source in JSA.

Configuring a Log Source

You are now ready to configure the log source in JSA.

  1. Log in to JSA.
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.
  4. Click the Log Sources icon.
  5. Click Add.
  6. In the Log Source Name field, type a name for your log source.
  7. In the Log Source Description field, type a description for the log source.
  8. From the Log Source Type list, select Extreme Dragon Network IPS.
  9. From the Protocol Configuration list, select either the SNMPv3 or Syslog option.

    For more information about the Extreme Dragon device, see your Extreme Dragon documentation.

    Note

    Using the event mapping tool in the Log Activity tab, you can map a normalized or raw event to a high-level and low-level category (or QID). However, you cannot map combination Dragon messages using the event mapping tool. For more information, see the Juniper Secure Analytics Users Guide.

Configure the EMS to Forward Syslog Messages

Starting with Dragon Enterprise Management Server (EMS) v7.4.0 appliances, you must use syslog-ng for forwarding events to a Security and Information Manager such as JSA.

Syslogd has been replaced by syslog-ng in Dragon EMS v7.4.0 and later.

To configure EMS to forward syslog messages, choose one of the following procedures, depending on the EMS version:

Configuring Syslog-ng Using Extreme Dragon EMS V7.4.0 and Later

This section describes how to configure syslog-ng in non-encrypted mode to forward syslog messages to JSA; the syslogd procedure for earlier EMS versions follows in the next section.

If you are using encrypted syslog-ng, refer to your Extreme documentation.

Do not run both syslog-ng and syslogd at the same time.

To configure syslog-ng in non-encrypted mode:

  1. On your EMS system, open the following file:

    /opt/syslog-ng/etc/syslog-ng.conf

  2. Configure a Facility filter for the Syslog notification rule.

    For example, if you selected facility local1:

    filter filt_facility_local1 {facility(local1); };

  3. Configure a Level filter for the Syslog notification rule.

    For example, if you selected level notice:

    filter filt_level_notice {level(notice); };

  4. Configure a destination statement for the JSA.

    For example, if the IP address of the JSA is 10.10.1.1 and you want to use syslog port of 514, type:

    destination siem { tcp("10.10.1.1" port(514)); };

  5. Add a log statement for the notification rule:

    log { source(s_local); filter (filt_facility_local1); filter (filt_level_notice); destination(siem); };

  6. Save the file and restart syslog-ng.

    cd /etc/rc.d
    ./rc.syslog-ng stop
    ./rc.syslog-ng start

  7. The Extreme Dragon EMS configuration is complete.

Configuring Syslogd Using Extreme Dragon EMS V7.4.0 and Below

If your Dragon Enterprise Management Server (EMS) appliance runs a version earlier than v7.4.0, you must use syslogd for forwarding events to a Security and Information Manager such as JSA.

To configure syslogd:

  1. On the Dragon EMS system, open the following file:

    /etc/syslog.conf

  2. Add a line to forward the facility and level you configured in the syslog notification rule to JSA.

    For example, to define the facility local1 and level notice:

    local1.notice @<IP address>

    Where:

    <IP address> is the IP address of the JSA system.

  3. Save the file and restart syslogd.

    cd /etc/rc.d
    ./rc.syslog stop
    ./rc.syslog start

    The Extreme Dragon EMS configuration is complete.
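The following Python script is an added example for this page (it is not Juniper or Extreme code) that checks, on the receiving side, the three things the procedures above configure: that a forwarded line carries the facility and level the filter expects (local1.notice is priority 141, because PRI = facility * 8 + severity), that the payload is a well-formed LEEF record with pipe-delimited header fields, and that Concatenate Events was left off (no line carries more than one LEEF record). It also models the difference between the two filters the page configures: syslog-ng's level(notice) matches only that level, while syslogd's local1.notice matches notice and anything more severe. The sample lines are constructed, the vendor, product, version and event ID fields in them are placeholders rather than real Dragon output, and the LEEF 1.0/2.0 header layout and the numeric facility names are taken from the syslog and LEEF standards rather than from this page.

```python
import re

# Facility and severity names per the syslog standard (RFC 5424 table);
# only the codes a Dragon EMS is likely to use are named, others fall back
# to "facilityN". local1 = 16 + 1 = 17, so local1.notice is <141>.
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
                  5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
                  10: "authpriv", 11: "ftp"}
FACILITY_NAMES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(line):
    """Split '<PRI>rest' into (facility_name, severity_name, rest)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return (FACILITY_NAMES.get(facility, f"facility{facility}"),
            SEVERITIES[severity], m.group(2))


def _leef_delimiter(field):
    """LEEF 2.0 delimiter field: empty (tab), one character, or hex like x09."""
    if field == "":
        return "\t"
    if len(field) == 1:
        return field
    m = re.fullmatch(r"(?:0x|x)([0-9a-fA-F]{1,4})", field)
    if m:
        return chr(int(m.group(1), 16))
    raise ValueError(f"bad LEEF delimiter {field!r}")


def parse_leef(payload):
    """Parse LEEF:1.0|Vendor|Product|Version|EventID|k=v<TAB>k=v
    or    LEEF:2.0|Vendor|Product|Version|EventID|delim|k=v...
    into a dict; attribute keys are kept as the sender wrote them."""
    start = payload.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header")
    fields = payload[start + len("LEEF:"):].split("|", 5)
    if len(fields) < 6:
        raise ValueError("truncated LEEF header")
    version, vendor, product, prod_ver, event_id, rest = fields
    if version.startswith("2."):
        delim_field, _, rest = rest.partition("|")
        delim = _leef_delimiter(delim_field)
    else:
        delim = "\t"
    attrs = {}
    for item in rest.split(delim):
        if item == "":
            continue
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed attribute {item!r}")
        attrs[key] = value
    return {"version": version, "vendor": vendor, "product": product,
            "product_version": prod_ver, "event_id": event_id, "attrs": attrs}


def triage(line, facility="local1", level="notice", level_is_minimum=False):
    """Check one forwarded line against the configured filter.
    level_is_minimum=False mirrors syslog-ng's level(notice), which matches
    only that level; True mirrors syslogd's local1.notice, which matches
    notice and every more severe level."""
    result = {"forwarded": False, "issues": [], "event": None}
    fac, sev, payload = decode_pri(line)
    result["facility"], result["severity"] = fac, sev
    if level_is_minimum:
        sev_ok = SEVERITIES.index(sev) <= SEVERITIES.index(level)
    else:
        sev_ok = sev == level
    result["forwarded"] = fac == facility and sev_ok
    if payload.count("LEEF:") > 1:
        result["issues"].append("multiple LEEF records in one line (Concatenate Events on?)")
    try:
        result["event"] = parse_leef(payload)
    except ValueError as exc:
        result["issues"].append(str(exc))
    return result


# Constructed sample lines; header field values are placeholders, not real Dragon events.
SAMPLE_LINES = [
    "<141>Jan 12 10:15:22 dragon-ems LEEF:1.0|Extreme|Dragon|7.4|SAMPLE-SIG|"
    "src=192.0.2.10\tdst=198.51.100.7\tproto=TCP\tdstPort=22",
    "<142>Jan 12 10:15:23 dragon-ems LEEF:1.0|Extreme|Dragon|7.4|SAMPLE-SIG|src=192.0.2.11",
    "<141>Jan 12 10:15:24 dragon-ems LEEF:1.0|Extreme|Dragon|7.4|A|src=192.0.2.1 "
    "LEEF:1.0|Extreme|Dragon|7.4|B|src=192.0.2.2",
    "<141>Jan 12 10:15:25 dragon-ems LEEF:2.0|Extreme|Dragon|7.4|SAMPLE-SIG|^|"
    "src=192.0.2.12^dst=198.51.100.7",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = triage(line)
        print(r["facility"], r["severity"], "forwarded" if r["forwarded"] else "dropped",
              r["event"]["event_id"] if r["event"] else "-", r["issues"])
```

Run against a capture from the JSA side (for example, lines recorded by a test syslog listener before the log source is enabled), the second sample line shows why the Level setting matters: an info-level event has priority 142 and is dropped by the syslog-ng filter, while the third line is the symptom of leaving Concatenate Events selected.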