FireEye

The JSA DSM for FireEye accepts syslog events in Log Event Extended Format (LEEF) and Common Event Format (CEF).

This DSM applies to FireEye CMS, MPS, EX, AX, NX, FX, and HX appliances. JSA records all relevant notification alerts that are sent by FireEye appliances.

The following table identifies the specifications for the FireEye DSM.

Table 1: FireEye DSM Specifications

| Specification | Value |
|---|---|
| Manufacturer | FireEye |
| DSM name | FireEye MPS |
| Supported versions | CMS, MPS, EX, AX, NX, FX, and HX |
| RPM file name | DSM-FireEyeMPS-JSA_version-Build_number.noarch.rpm |
| Protocol | Syslog and TLS syslog |
| Event Format | Common Event Format (CEF). CEF:0 is supported. |
| JSA recorded event types | All relevant events |
| Auto discovered? | Yes |
| Includes identity? | No |
| More information | FireEye website (www.fireeye.com) |
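Because the DSM parses the CEF:0 format listed above, it helps to see exactly what a collector has to undo before field values are usable: the header escapes a literal pipe as `\|`, and extension values escape `=` as `\=` and a backslash as `\\`, while custom fields carry their meaning in a sibling `csNLabel` key. The parser below is an added example written for this page, not code from the JSA documentation or from FireEye; the sample event is a constructed record whose vendor, product, signature id, and field values are placeholders chosen to exercise the escapes, not a real FireEye alert.

```python
import re
from typing import Dict, List, Tuple

# Constructed CEF:0 sample (placeholder values, not a real FireEye alert).
# Header fields are '|'-separated and escape a literal pipe as '\|';
# extension values escape '=' as '\=' and a backslash as '\\'.
SAMPLE_CEF = (
    "CEF:0|FireEye|MPS|1.0|MO|Malware Object \\| Callback|8|"
    "src=10.0.0.5 dst=192.0.2.10 fname=report\\=final.pdf "
    "msg=object quarantined cs1Label=sname cs1=Trojan.Generic"
)

HEADER_KEYS = ("version", "vendor", "product", "product_version",
               "signature_id", "name", "severity")


def _split_header(line: str) -> Tuple[List[str], str]:
    # Split the seven header fields on unescaped '|' and return the remainder
    # (the extension) untouched.
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # '\|' or '\\' inside a header field
            buf.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    return fields, line[i:]


def _unescape(value: str) -> str:
    # Undo extension escapes: '\=' -> '=', '\\' -> '\', '\n' / '\r' -> line breaks.
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def _parse_extension(ext: str) -> Dict[str, str]:
    # Locate every unescaped '='; the key is the space-free run before it and
    # the value runs up to the next key (values themselves may contain spaces).
    eq_positions: List[int] = []
    i = 0
    while i < len(ext):
        if ext[i] == "\\":
            i += 2              # skip the escaped character
            continue
        if ext[i] == "=":
            eq_positions.append(i)
        i += 1
    bounds = [(ext.rfind(" ", 0, eq) + 1, eq) for eq in eq_positions]
    result: Dict[str, str] = {}
    for n, (kstart, eq) in enumerate(bounds):
        vend = bounds[n + 1][0] if n + 1 < len(bounds) else len(ext)
        result[ext[kstart:eq]] = _unescape(ext[eq + 1:vend].rstrip(" "))
    # Resolve custom-field labels: cs1Label=sname cs1=X  ->  sname=X
    for key, label in list(result.items()):
        if key.endswith("Label") and key[:-5] in result:
            result[label] = result[key[:-5]]
    return result


def parse_cef(line: str) -> Dict[str, object]:
    header, ext = _split_header(line.rstrip("\r\n"))
    if not header[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    event: Dict[str, object] = dict(zip(HEADER_KEYS, header))
    event["version"] = int(header[0][4:])          # the DSM supports CEF:0
    event["severity"] = int(header[6]) if header[6].isdigit() else header[6]
    event["extension"] = _parse_extension(ext)
    return event


if __name__ == "__main__":
    import json
    print(json.dumps(parse_cef(SAMPLE_CEF), indent=2))
```

The escape handling is the part worth keeping: a parser that splits the header on every `|` or the extension on every `=` will silently shift fields when a file name or message contains one of those characters, which is exactly the kind of record a detection rule keyed on `fname` or `sname` would then miss.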

To integrate FireEye with JSA, use the following procedures:

  1. If automatic updates are not enabled, download and install the DSM Common and FireEye MPS RPM from the Juniper Downloads onto your JSA Console.

  2. Download and install the latest TLS Syslog Protocol RPM on JSA.

  3. For each instance of FireEye in your deployment, configure the FireEye system to forward events to JSA.

  4. For each instance of FireEye, create a FireEye log source on the JSA Console.

    The following tables explain how to configure a log source in Syslog and TLS Syslog for FireEye.

    Table 2: Configuring the Syslog Log Source Protocols for FireEye

    | Parameter | Description |
    |---|---|
    | Log Source type | FireEye |
    | Protocol Configuration | Syslog |
    | Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your device. |

    Table 3: Configuring the TLS Syslog Log Source Protocols for FireEye

    | Parameter | Description |
    |---|---|
    | Source type | FireEye |
    | Protocol Configuration | TLS Syslog |
    | Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your device. |
    | TLS Listen Port | The default TLS listen port is 6514. |
    | Authentication Mode | The mode by which your TLS connection is authenticated. If you select the TLS and Client Authentication option, you must configure the certificate parameters. |
    | Certificate Type | The type of certificate to use for authentication. If you select the Provide Certificate option, you must configure the file paths for the server certificate and the private key. |
    | Provided Server Certificate Path | The absolute path to the server certificate. |
    | Provided Private Key Path | The absolute path to the private key. Note: The corresponding private key must be a DER-encoded PKCS8 key. The configuration fails with any other key format. |
    | Maximum Connections | Controls how many simultaneous connections the TLS Syslog protocol can accept for each Event Collector. The connection limit across all TLS syslog log source configurations is 1000 connections for each Event Collector. The default for each device connection is 50. Note: Automatically discovered log sources that share a listener with another log source (for example, the same port on the same Event Collector) count only once towards the limit. |
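The private-key note in Table 3 is the step that most often fails in practice, because most tooling hands out PEM files or PKCS#1 `RSA PRIVATE KEY` blobs rather than DER-encoded PKCS#8. The script below is an added example for this page, not part of the JSA documentation or any vendor tool: it reads the outer ASN.1 structure of a key file with a minimal DER reader and reports which encoding it is. The sample blobs are constructed byte strings with dummy key material (only their ASN.1 shape matters), and the assumption that the key must also be unencrypted is mine, based on the log source exposing no passphrase parameter.

```python
import sys
from typing import Tuple


def der_tlv(tag: int, body: bytes) -> bytes:
    # Minimal DER TLV encoder, used only to build the constructed samples below.
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


OID_RSA_ENCRYPTION = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1
OID_PBES2 = bytes.fromhex("06092a864886f70d01050d")            # 1.2.840.113549.1.5.13

# Constructed samples: dummy key bytes, only the ASN.1 layout is realistic.
SAMPLE_PKCS8_DER = der_tlv(
    0x30,
    der_tlv(0x02, b"\x00")                                      # version 0
    + der_tlv(0x30, OID_RSA_ENCRYPTION + der_tlv(0x05, b""))    # AlgorithmIdentifier
    + der_tlv(0x04, b"\xde\xad\xbe\xef"),                       # PrivateKey OCTET STRING
)
SAMPLE_PKCS1_DER = der_tlv(
    0x30, der_tlv(0x02, b"\x00") + der_tlv(0x02, b"\x00\xc3") + der_tlv(0x02, b"\x01\x00\x01")
)
SAMPLE_SEC1_EC_DER = der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x04, b"\x11" * 4))
SAMPLE_ENCRYPTED_PKCS8_DER = der_tlv(
    0x30, der_tlv(0x30, OID_PBES2 + der_tlv(0x30, b"")) + der_tlv(0x04, b"\x00" * 8)
)
SAMPLE_PEM = b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"


def _read_tlv(buf: bytes, off: int) -> Tuple[int, bytes, int]:
    # Return (tag, value, offset after the element); raise on a truncated element.
    if off + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def classify_private_key(data: bytes) -> str:
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"                        # text armour, not DER at all
    try:
        tag, body, end = _read_tlv(data, 0)
        if tag != 0x30 or end != len(data):
            return "unknown"                # not one SEQUENCE spanning the file
        t1, v1, off = _read_tlv(body, 0)
        if t1 == 0x30:                      # EncryptedPrivateKeyInfo starts with AlgorithmIdentifier
            t2, _, _ = _read_tlv(body, off)
            return "der-pkcs8-encrypted" if t2 == 0x04 else "unknown"
        if t1 != 0x02:
            return "unknown"
        t2, v2, off = _read_tlv(body, off)
        if t2 == 0x02:                      # RSAPrivateKey (PKCS#1): version, then modulus INTEGER
            return "der-pkcs1-rsa"
        if t2 == 0x04:                      # ECPrivateKey (SEC1): version, then OCTET STRING
            return "der-sec1-ec"
        if t2 != 0x30 or v1 not in (b"\x00", b"\x01"):
            return "unknown"
        ta, _, _ = _read_tlv(v2, 0)         # AlgorithmIdentifier must begin with an OID
        t3, _, _ = _read_tlv(body, off)     # followed by the PrivateKey OCTET STRING
        return "der-pkcs8" if ta == 0x06 and t3 == 0x04 else "unknown"
    except ValueError:
        return "unknown"


def accepted_by_tls_syslog(data: bytes) -> bool:
    # Assumption: the log source takes only an unencrypted DER-encoded PKCS#8 key.
    return classify_private_key(data) == "der-pkcs8"


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            kind = classify_private_key(fh.read())
        print(f"{path}: {kind} ({'ok' if kind == 'der-pkcs8' else 'convert first'})")
```

Run it as `python3 checkkey.py /path/to/key` before saving the log source. When it reports `pem`, `der-pkcs1-rsa` or `der-sec1-ec`, the standard conversion is `openssl pkcs8 -topk8 -nocrypt -in key.pem -outform DER -out key.der`, and the resulting file is what belongs in Provided Private Key Path; the `-nocrypt` flag matters because the log source has nowhere to supply a passphrase.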