Verifying That JSA Receives Syslog Events
To verify that JSA receives events, review the full syslog header for remote syslog source events. JSA might not receive syslog events because a fire wall blocked communication or the device did not send the events.
Review the event source that sends the syslog events and verify its IP address.
- Use SSH to log in to JSA as the root user.
- If the syslog destination is on another appliance, such as an event collector, use SSH to log in to the event collector.
- Choose one of the following options.
For a TCP syslog, type the following command:
tcpdump -s 0 -A host Device_Address and port 514
For a UDP syslog, type the following command:
tcpdump -s 0 -A host Device_Address and udp port 514
The Device_Address must be an IPv4 address or a host name. The tcpdump command must run on the JSA appliance that receives the events from your device. By default, JSA appliances are configured to receive syslog events by using TCP or UDP and port 514. Do not configure the JSA firewall.
- If the tcpdump command do not display events,
then the syslog events are not sent to the JSA console.
Ask your firewall administrator or operations group to check for firewalls that block communication between the JSA appliance and the device.
Verify that a TCP port is open to Telnet by typing the following command on JSA:
telnet Device_IPAddress 514
Review your remote device's syslog configuration to ensure that events are sent to the proper appliance.
Resolving Unreceived Syslog Events
If the tcpdump command lists events, but no events are shown on the log activity, then the syslog events are not received by the JSA Console.
- Review your system notifications.
- If the system notifications display the incorrect source
address for the log source, choose one of the following options:
Manually re-create the log source.
Update the Log Source Identifier field with the correct host name or IP address.
- Verify that the device supports JSA automatic
The Juniper Secure Analytics Configuring DSMs Guide appendix lists which Device Support Modules (DSMs) support automatic log source creation.
- Verify that the log sources in JSA match
the tcpdump results.
Search for the log source host name or packet IP address in the tcpdump results.
Click the Admin tab.
On the navigation menu, click Data Sources.
In the Events pane, click Log Sources.
Search for the log source host name or packet IP address.
If the JSA host name or packet IP address does not match the tcpdump results, then the log source might be created with an incorrect address. For some devices, unexpected values occur in the syslog header when the event source handles events from multiple devices. Your device might be able to preserve the original event IP address before the syslog event is sent.
- Search for a unique payload value in JSA.
Review the tcpdump raw payloads.
Select an identifier that is unique to your event source.
Click the Log Activity tab.
On the toolbar, click Add Filter.
From the Parameter menu, select Payload Contains.
In the Value field, type your unique identifier.
Review the search results.
If the results return a different log source, then an auto-detection false positive occurred. Delete the wrongly detected log source.
If the log source is discovered incorrectly, verify that your JSA console is installed with the latest DSM version. Rediscover the log source.