Universal LEEF

 

The Universal LEEF DSM for JSA can accept events from devices that produce events using the Log Event Extended Format (LEEF).

The LEEF event format is a proprietary event format, which allows hardware manufacturers and software product manufacturers to read and map device events specifically designed for JSA integration.

LEEF formatted events sent to JSA from devices outside of the partnership program require you to install the Universal LEEF DSM and to manually identify each event forwarded to JSA by mapping unknown events. The Universal LEEF DSM can parse events forwarded by syslog, or files containing events in the LEEF format that are polled from a device or directory using the Log File protocol.

To configure events in JSA using Universal LEEF, you must:

  1. Configure a Universal LEEF log source in JSA.

  2. Send LEEF formatted events from your device to JSA. For more information on forwarding events, see your vendor documentation.

  3. Map unknown events to JSA Identifiers (QIDs).
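The page does not show what a LEEF event looks like on the wire, so the following added example (not from the Juniper documentation or the JSA product) builds, validates and parses LEEF lines of the kind the Universal LEEF DSM consumes, and wraps one in a syslog header for forwarding. The header layout (LEEF:<version>|Vendor|Product|Version|EventID|attributes, with a sixth delimiter field in LEEF 2.0) follows IBM's published LEEF specification rather than this page; the vendor, product, event names and the JSA_HOST address are constructed placeholders. The parser is the kind of check you would run over a sample file before pointing the Log File protocol at it, since a line that is not well-formed LEEF will simply surface as an unknown event.

```python
import re
import socket
from datetime import datetime, timezone

# Placeholder for your JSA Event Collector (assumed value; replace before use).
JSA_HOST = "jsa-collector.example.invalid"
JSA_SYSLOG_PORT = 514

# Every LEEF line starts with "LEEF:<version>|"; only versions 1.0 and 2.0 exist.
HEADER_RE = re.compile(r"^LEEF:(1\.0|2\.0)\|")


def _esc_header(field):
    # A '|' inside a header field would split the header, so it is escaped as '\|'.
    return str(field).replace("\\", "\\\\").replace("|", "\\|")


def _esc_value(value, delim):
    # '=' inside a value is escaped as '\='. The attribute delimiter and line
    # breaks cannot be escaped in LEEF 1.0 and would split the event (a newline
    # would even become a second bogus event under LineByLine), so they are
    # replaced with a space. Conservative choice, not mandated by the format.
    s = str(value).replace("\\", "\\\\").replace("=", "\\=")
    for ch in (delim, "\r", "\n"):
        s = s.replace(ch, " ")
    return s


def leef_event(vendor, product, version, event_id, attrs,
               leef_version="1.0", delim="\t"):
    """Serialise one LEEF event. LEEF 1.0 always separates attributes with a
    tab; LEEF 2.0 names the delimiter in a sixth header field (hex 'x09' for
    tab, or a literal single character such as '^')."""
    if leef_version == "1.0":
        delim = "\t"
    header = [_esc_header(x) for x in (vendor, product, version, event_id)]
    if leef_version == "2.0":
        header.append("x%02X" % ord(delim) if delim == "\t" else delim)
    body = delim.join(f"{k}={_esc_value(v, delim)}" for k, v in attrs.items())
    return "LEEF:%s|%s|%s" % (leef_version, "|".join(header), body)


def _split_unescaped(s, sep, maxsplit):
    """Split s on sep at most maxsplit times, skipping backslash-escaped chars."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep and len(parts) < maxsplit:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_leef(line):
    """Parse one LEEF 1.0/2.0 line into (header dict, attribute dict).
    Malformed input raises ValueError so a collector can count bad lines
    instead of silently accepting them."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("missing LEEF header: %r" % line[:40])
    version = m.group(1)
    n_header = 4 if version == "1.0" else 5
    parts = _split_unescaped(line[m.end():], "|", n_header)
    if len(parts) != n_header + 1:
        raise ValueError("expected %d header fields, got %d" % (n_header, len(parts) - 1))
    header = {"leef_version": version, "vendor": _unescape(parts[0]),
              "product": _unescape(parts[1]), "product_version": _unescape(parts[2]),
              "event_id": _unescape(parts[3])}
    delim = "\t"
    if version == "2.0":
        d = parts[4]
        if re.fullmatch(r"(0x|x)[0-9A-Fa-f]{2}", d):   # hex-encoded, e.g. x09
            delim = chr(int(d[-2:], 16))
        elif len(d) == 1:
            delim = d
        elif d:
            raise ValueError("bad delimiter field %r" % d)
    attrs = {}
    for pair in parts[n_header].split(delim):
        if not pair:
            continue
        kv = _split_unescaped(pair, "=", 1)
        if len(kv) != 2 or not kv[0]:
            raise ValueError("attribute without key=value: %r" % pair)
        attrs[kv[0]] = _unescape(kv[1])
    return header, attrs


def syslog_datagram(leef_line, hostname, facility=1, severity=6, now=None):
    """Wrap a LEEF line in an RFC 3164 syslog header (PRI, timestamp, host),
    the form in which JSA's syslog listener receives it."""
    dt = now or datetime.now(timezone.utc)
    stamp = f"{dt:%b} {dt.day:2d} {dt:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{stamp} {hostname} {leef_line}".encode("utf-8")


def send_to_jsa(leef_line, hostname, host=JSA_HOST, port=JSA_SYSLOG_PORT):
    """Send one event over UDP syslog; only runs when called explicitly."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(syslog_datagram(leef_line, hostname), (host, port))


if __name__ == "__main__":
    # Constructed sample event: vendor, product and field values are made up.
    ev = leef_event("Acme", "FirewallOS", "3.1", "ConnDeny",
                    {"src": "10.0.0.5", "dst": "192.0.2.8", "dstPort": 443,
                     "msg": "policy=deny|outbound"})
    print(ev)
    print(parse_leef(ev))
```

Running the module prints a LEEF 1.0 line and the header and attribute dictionaries parsed back from it; `send_to_jsa` is only invoked when you call it with a real collector address. Writing events with `leef_event` and one event per line is also the right shape for a file that the Log File protocol will read with the LineByLine event generator.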

Configuring a Universal LEEF Log Source

Before you configure your device to send events to JSA, you must add a log source for the device providing LEEF events.

JSA can receive events from a real-time source using syslog or files stored on a device or in a repository using the Log File protocol.

To configure a log source for Universal LEEF using syslog:

  1. Log in to JSA.
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.
  4. Click the Log Sources icon.
  5. Click Add.
  6. In the Log Source Name field, type a name for your log source.
  7. In the Log Source Description field, type a description for the log source.
  8. From the Log Source Type list, select Universal LEEF.
  9. Using the Protocol Configuration list, select Syslog.
  10. Configure the following values:

    Table 1: Syslog Protocol Parameters (Parameter, then Description)

    Log Source Identifier

    Type the IP address or host name for the log source as an identifier for Universal LEEF events.

  11. Click Save.
  12. On the Admin tab, click Deploy Changes.

    The log source is added to JSA. You are now ready to forward LEEF events to JSA.

Configuring the Log File Protocol to Collect Universal LEEF Events

The Log File protocol allows JSA to retrieve archived event or log files from a remote host or file repository.

The files are transferred, one at a time, to JSA for processing. JSA reads the event files and updates the log source with new events. Because the Log File protocol polls for archived files, events are not provided in real time but are added in bulk. The Log File protocol can manage plain text files, compressed files, or archives.

  1. Log in to JSA.
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.
  4. Click the Log Sources icon.
  5. In the Log Source Name field, type a name for the Universal LEEF log source.
  6. In the Log Source Description field, type a description for the Universal LEEF log source.
  7. From the Log Source Type list, select Universal LEEF.
  8. Using the Protocol Configuration list, select Log File.
  9. Configure the following parameters:

    Table 2: Log File Protocol Parameters (Parameter, then Description)

    Log Source Identifier

    Type the IP address or host name for your Universal LEEF log source. This value must match the value configured in the Remote Host IP or Hostname parameter.

    The log source identifier must be unique for the log source type.

    Service Type

    From the list, select the protocol you want to use when retrieving log files from a remote server. The default is SFTP.

    • SFTP: SSH File Transfer Protocol

    • FTP: File Transfer Protocol

    • SCP: Secure Copy

    The underlying protocol used to retrieve log files for the SCP and SFTP service type requires that the server specified in the Remote IP or Hostname field has the SFTP subsystem enabled.

    Remote IP or Hostname

    Type the IP address or host name of the host from which you want to receive files.

    Remote Port

    Type the TCP port on the remote host that is running the selected Service Type. If you configure the Service Type as FTP, the default is 21. If you configure the Service Type as SFTP or SCP, the default is 22. The valid range is 1 to 65535.

    Remote User

    Type the username necessary to log in to the host running the selected Service Type. The username can be up to 255 characters in length.

    Remote Password

    Type the password necessary to log in to the host containing the LEEF event files.

    Confirm Password

    Confirm the Remote Password to log in to the host containing the LEEF event files.

    SSH Key File

    If you select SCP or SFTP as the Service Type, this parameter allows you to define an SSH private key file. When you provide an SSH Key File, the Remote Password option is ignored.

    Remote Directory

    Type the directory location on the remote host from which the files are retrieved.

    For FTP only. If your log files reside in the remote user's home directory, you can leave the Remote Directory blank. This supports operating systems where the change working directory (CWD) command is restricted.

    Recursive

    Select this check box if you want the file pattern to search sub folders. By default, the check box is clear.

    The Recursive parameter is not used if you configure SCP as the Service Type.

    FTP File Pattern

    If you select SFTP or FTP as the Service Type, this option allows you to configure the regular expression (regex) required to filter the list of files specified in the Remote Directory. All matching files are included in the processing.

    For example, if you want to list all files starting with the word log, followed by one or more digits and ending with tar.gz, use the following entry: log[0-9]+\.tar\.gz. Use of this parameter requires knowledge of regular expressions (regex). For more information, see the following website: http://download.oracle.com/javase/tutorial/essential/regex/

    FTP Transfer Mode

    This option is only displayed if you select FTP as the Service Type. The FTP Transfer Mode parameter allows you to define the file transfer mode when retrieving log files over FTP.

    From the list, select the transfer mode you want to apply to this log source:

    • Binary - Select Binary for log sources that require binary data files or compressed zip, gzip, tar, or tar+gzip archive files.

    • ASCII - Select ASCII for log sources that require an ASCII FTP file transfer.

    You must select NONE as the Processor and LINEBYLINE as the Event Generator when using ASCII as the FTP Transfer Mode.

    SCP Remote File

    If you select SCP as the Service Type you must type the file name of the remote file.

    Start Time

    Type the time of day you want processing to begin. This parameter functions with the Recurrence value to establish when and how often the Remote Directory is scanned for files. Type the start time, based on a 24 hour clock, in the following format: HH:MM.

    Recurrence

    Type the frequency, beginning at the Start Time, that you want the remote directory to be scanned. Type this value in hours (H), minutes (M), or days (D).

    For example, type 2H if you want the directory to be scanned every 2 hours. The default is 1H.

    Run On Save

    Select this check box if you want the log file protocol to run immediately after you click Save. After the Run On Save completes, the log file protocol follows your configured start time and recurrence schedule.

    Selecting Run On Save clears the list of previously processed files for the Ignore Previously Processed File parameter.

    EPS Throttle

    Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The valid range is 100 to 5000.

    Processor

    If the files located on the remote host are stored in a zip, gzip, tar, or tar+gzip archive format, select the processor that allows the archives to be expanded and contents processed.

    Ignore Previously Processed File(s)

    Select this check box to track files that have already been processed that you do not want to be processed a second time. This only applies to FTP and SFTP Service Types.

    Change Local Directory?

    Select this check box to define the local directory on your JSA system that you want to use for storing downloaded files during processing.

    We recommend that you leave this check box clear. When the check box is selected, the Local Directory field is displayed, allowing you to configure the local directory to use for storing files.

    Event Generator

    From the Event Generator list, select LineByLine.

    The Event Generator applies additional processing to the retrieved event files. The LineByLine option reads each line of the file as a single event. For example, if a file has 10 lines of text, 10 separate events are created.

  10. Click Save.
  11. On the Admin tab, click Deploy Changes.

    The log source is added to JSA. You are now ready to write LEEF events that can be retrieved using the Log file protocol.
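Two of the Log File protocol parameters above are easy to get subtly wrong: the FTP File Pattern regex (which decides which files are fetched at all) and the Start Time / Recurrence pair (which decides when). The following added example, not part of the Juniper documentation, lets you check both against a constructed directory listing before deploying the log source. It assumes, as the documented example log[0-9]+\.tar\.gz implies, that the pattern must match the whole file name rather than a substring, and that the scan schedule is anchored at today's Start Time and repeats every Recurrence period; the file names and times are made up.

```python
import re
from datetime import datetime, timedelta

# Constructed directory listing, as the Log File protocol would see it on the
# remote host. File names are made up.
SAMPLE_LISTING = ["log1.tar.gz", "log22.tar.gz", "log.tar.gz", "logA.tar.gz",
                  "log3.tar.gz.bak", "audit7.tar.gz", "log9.tar.gz"]


def select_files(names, pattern):
    r"""Return the files an FTP File Pattern would include, sorted.

    Assumes the regex must match the whole file name (Java matches()
    semantics), which is what the documented example log[0-9]+\.tar\.gz
    implies. A substring match would also pull in log3.tar.gz.bak, which
    is usually not what you want."""
    rx = re.compile(pattern)
    return sorted(n for n in names if rx.fullmatch(n))


RECURRENCE_UNITS = {"H": "hours", "M": "minutes", "D": "days"}


def parse_recurrence(value):
    """Turn a Recurrence value such as '2H', '30M' or '1D' into a timedelta;
    anything else (for example '2W') is rejected rather than guessed at."""
    m = re.fullmatch(r"(\d+)([HMD])", value.strip().upper())
    if not m or int(m.group(1)) == 0:
        raise ValueError("recurrence must be <n>H, <n>M or <n>D: %r" % value)
    return timedelta(**{RECURRENCE_UNITS[m.group(2)]: int(m.group(1))})


def next_scans(start_time, recurrence, now_iso, count=3):
    """ISO timestamps of the next `count` scans of the Remote Directory, given
    Start Time (HH:MM on a 24-hour clock), Recurrence and the current time.
    Assumption: the schedule is anchored at today's Start Time."""
    hh, mm = (int(x) for x in start_time.split(":"))
    if not (0 <= hh < 24 and 0 <= mm < 60):
        raise ValueError("start time must be HH:MM on a 24-hour clock")
    now = datetime.fromisoformat(now_iso)
    period = parse_recurrence(recurrence)
    t = now.replace(hour=hh, minute=mm, second=0, microsecond=0)
    while t <= now:          # advance from today's Start Time to the next future slot
        t += period
    return [(t + i * period).isoformat(timespec="minutes") for i in range(count)]


if __name__ == "__main__":
    print(select_files(SAMPLE_LISTING, r"log[0-9]+\.tar\.gz"))
    print(next_scans("08:00", "2H", "2024-03-10T13:00"))
```

Run the module to see which of the sample files the documented pattern selects (log.tar.gz, logA.tar.gz and log3.tar.gz.bak are excluded) and when the next scans would fall for a Start Time of 08:00 with a 2H Recurrence.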

Forwarding Events to JSA

After you create your log source, you can forward or retrieve events for JSA. Forwarding events by using syslog might require more configuration of your network device.

As events are discovered by JSA, either using syslog or by polling for log files, they are displayed in the Log Activity tab. Events from the devices that forward LEEF events are identified by the name that you type in the Log Source Name field. The events for your log source are not categorized by default in JSA and require categorization. For more information on categorizing your Universal LEEF events, see Universal LEEF Event Map Creation.

Universal LEEF Event Map Creation

Event mapping is required for the Universal LEEF DSM, because Universal LEEF events do not contain a predefined JSA Identifier (QID) map to categorize security events.

Members of the SIPP Partner Program have QID maps designed for their network devices; their configuration is documented and the QID maps are tested by IBM Corp.

The Universal LEEF DSM requires that you individually map each event from your device to an event category in JSA. Mapping events allows JSA to identify, coalesce, and track events that recur from your network devices. Until you map an event, all events that are displayed in the Log Activity tab for the Universal LEEF DSM are categorized as unknown. Unknown events are easy to identify because both the Event Name column and the Low-Level Category column display Unknown.

Discovering Unknown Events

As your device forwards events to JSA, it can take time to categorize all of the events from a device, because some events might not be generated immediately by the event source appliance or software.

It is helpful to know how to quickly search for unknown events. When you know how to search for unknown events, you can repeat the search until you are satisfied that most of your Universal LEEF events are identified.

  1. Log in to JSA.
  2. Click the Log Activity tab.
  3. Click Add Filter.
  4. From the first list, select Log Source.
  5. From the Log Source Group list, select the log source group or Other.

    Log sources that are not assigned to a group are categorized as Other.

  6. From the Log Source list, select your Universal LEEF log source.
  7. Click Add Filter.

    The Log Activity tab is displayed with a filter for your Universal LEEF DSM.

  8. From the View list, select Last Hour.

    Any events that are generated by your Universal LEEF DSM in the last hour are displayed. Events that are displayed as unknown in the Event Name column or Low-Level Category column require event mapping in JSA.

    Note

    You can save your existing search filter by clicking Save Criteria.

    You are now ready to modify the event map for your Universal LEEF DSM.

Modifying an Event Map

Modifying an event map allows you to manually categorize events to a JSA Identifier (QID) map.

Any event categorized to a log source can be remapped to a new JSA Identifier (QID). By default, the Universal LEEF DSM categorizes all events as unknown.

Note

Events that do not have a defined log source cannot be mapped to an event. Events without a log source display SIM Generic Log in the Log Source column.

  1. On the Event Name column, double-click an unknown event for your Universal LEEF DSM.

    The detailed event information is displayed.

  2. Click Map Event.
  3. From the Browse for QID pane, select any of the following search options to narrow the event categories for a JSA Identifier (QID):
    1. From the High-Level Category list, select a high-level event categorization.

      For a full list of high-level and low-level event categories or category definitions, see the Event Categories section of the Juniper Secure Analytics Administration Guide.

    2. From the Low-Level Category list, select a low-level event categorization.
    3. From the Log Source Type list, select a log source type.

      The Log Source Type list allows you to search for QIDs from other individual log sources. Searching for QIDs by log source is useful when the events from your Universal LEEF DSM are similar to those of another existing network device. For example, if your Universal LEEF DSM provides firewall events, you might select Cisco ASA, another firewall product that likely captures similar events.

    4. To search for a QID by name, type a name in the QID/Name field.

      The QID/Name field allows you to filter the full list of QIDs for a specific word, for example, MySQL.

  4. Click Search.

    A list of QIDs is displayed.

  5. Select the QID you want to associate with your unknown Universal LEEF DSM event.
  6. Click OK.

    JSA maps any additional events forwarded from your device with the same QID that matches the event payload. The event count increases each time the event is identified by JSA.

    Note

    If you update an event with a new JSA Identifier (QID) map, past events stored in JSA are not updated. Only new events are categorized with the new QID.