Juniper Networks IDP
The Juniper IDP DSM for JSA accepts events using syslog. JSA records all relevant Juniper IDP events.
You can configure a sensor on your Juniper IDP to send logs to a syslog server:
- Log in to the Juniper NSM user interface.
- In NSM, double-click on the Sensor in Device Manager.
- Select Global Settings.
- Select Enable Syslog.
- Type the Syslog Server IP address to forward events to JSA.
- Click OK.
- Use Update Device to load the new settings onto the IDP Sensor.
The format of the syslog message sent by the IDP Sensor is as follows:
<day id>, <record id>, <timeReceived>, <timeGenerated>, <domain>, <domainVersion>, <deviceName>, <deviceIpAddress>, <category>, <subcategory>, <src zone>, <src intface>, <src addr>, <src port>, <nat src addr>, <nat src port>, <dstzone>, <dst intface>, <dst addr>, <dst port>, <nat dst addr>, <nat dst port>, <protocol>, <rule domain>, <rule domainVersion>, <policyname>, <rulebase>, <rulenumber>, <action>, <severity>, <is alert>, <elapsed>, <bytes in>, <bytes out>, <bytestotal>, <packet in>, <packet out>, <packet total>, <repeatCount>, <hasPacketData>, <varData Enum>, <misc-str>, <user str>, <application str>, <uri str>
See the following syslog example:
[syslog@juniper.net dayId="20061012" recordId="0" timeRecv="2006/10/12 21:52:21" timeGen="2006/10/12 21:52:21" domain="" devDomVer2="0" device_ip="10.209.83.4" cat="Predefined" attack="TROJAN:SUBSEVEN:SCAN" srcZn="NULL" srcIntf="NULL" srcAddr="192.168.170.20" srcPort="63396" natSrcAddr="NULL" natSrcPort="0" dstZn="NULL" dstIntf="NULL" dstAddr="192.168.170.10" dstPort="27374" natDstAddr="NULL" natDstPort="0" protocol="TCP" ruleDomain="" ruleVer="5" policy="Policy2" rulebase="IDS" ruleNo="4" action="NONE" severity="LOW" alert="no" elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" totPak="0" repCount="0" packetData="no" varEnum="31" misc="<017>'interface=eth2" user="NULL" app="NULL" uri="NULL"]
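To check that a sensor's records arrive complete before relying on them in JSA, the following added example (not Juniper or JSA code) parses the key="value" record shown above into a dictionary. The function name, the set of integer fields, the constructed syslog header and the assumption that values never contain a double quote are choices of this example.

```python
import re

# Sample input: the page's example record with some fields left out for brevity.
SAMPLE = (
    '[syslog@juniper.net dayId="20061012" recordId="0" '
    'timeRecv="2006/10/12 21:52:21" domain="" device_ip="10.209.83.4" '
    'cat="Predefined" attack="TROJAN:SUBSEVEN:SCAN" srcZn="NULL" '
    'srcAddr="192.168.170.20" srcPort="63396" dstAddr="192.168.170.10" '
    'dstPort="27374" protocol="TCP" policy="Policy2" rulebase="IDS" '
    'ruleNo="4" action="NONE" severity="LOW" alert="no" repCount="0" '
    'misc="<017>\'interface=eth2" user="NULL"]'
)

MARKER = "[syslog@juniper.net "
PAIR = re.compile(r'(\w+)="([^"]*)"')  # assumption: values never contain a double quote
INT_FIELDS = {"srcPort", "dstPort", "natSrcPort", "natDstPort", "ruleNo", "repCount"}


def parse_idp_event(line):
    """Return the key="value" pairs of one IDP record as a dict.

    Raises ValueError when the record is missing, truncated or malformed.
    """
    line = line.rstrip()
    start = line.find(MARKER)
    if start == -1 or not line.endswith("]"):
        raise ValueError("no complete [syslog@juniper.net ...] record in line")
    body = line[start + len(MARKER):-1]
    # Anything left over after removing well-formed pairs means a damaged record.
    if PAIR.sub("", body).strip():
        raise ValueError("unparseable text inside record")
    event = {}
    for key, value in PAIR.findall(body):
        if value == "NULL":  # the example record uses the literal NULL for unset fields
            event[key] = None
        elif key in INT_FIELDS and value.isdigit():
            event[key] = int(value)
        else:
            event[key] = value
    return event


if __name__ == "__main__":
    # The leading timestamp and host name are a constructed syslog header.
    event = parse_idp_event("Oct 12 21:52:21 idp-sensor " + SAMPLE)
    print(event["attack"], event["srcAddr"], "->", event["dstAddr"], event["dstPort"])
```

A record that fails with ValueError is worth investigating at the transport level, since a long record cut off in transit loses its closing bracket and trailing fields.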
Configure a Log Source
Juniper NSM is a central management server for Juniper IDP. You can configure JSA to collect and represent the Juniper IDP alerts as coming from a central NSM, or JSA can collect syslog from the individual Juniper IDP device.
To configure JSA to receive events from a Juniper Networks Secure Access device:
- From the Log Source Type list, select Juniper Networks Intrusion Detection and Prevention (IDP).
For more information about Juniper IDP, see your Network and Security Manager documentation.