Add Security Director Insights as a Log Collector
To use the log collector functionality that comes along with the Security Director Insights installation, add the IP address of the Security Director Insights virtual machine (VM) as a log collector.

Note

If you prefer to keep using the legacy Log Collector, you must configure the SRX Series device to send syslog to both the legacy Log Collector and the Security Director Insights VM. This retains the Security Director log collector functionality while also providing the Security Director Insights functions, such as mitigation and incident verification.
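The dual-destination SRX syslog configuration that this note calls for, as an added example that is not part of this page or of Juniper's documentation. It assumes stream-mode security logging on the SRX and uses constructed placeholder addresses: 192.0.2.10 as the SRX source address, 192.0.2.20 for the legacy Log Collector and 192.0.2.30 for the Security Director Insights VM.

```junos
## Added example (not from the page): send SRX security logs to both collectors.
## All addresses below are constructed placeholders; replace them with your own.
set security log mode stream
set security log format sd-syslog
set security log source-address 192.0.2.10
## Stream 1: the legacy Log Collector, so existing Security Director log collection keeps working
set security log stream legacy-lc format sd-syslog
set security log stream legacy-lc host 192.0.2.20
set security log stream legacy-lc host port 514
## Stream 2: the Security Director Insights VM, which provides mitigation and incident verification
set security log stream sdi-lc format sd-syslog
set security log stream sdi-lc host 192.0.2.30
set security log stream sdi-lc host port 514
```

The address in the second stream must match the IP address you later enter for the Security Director Insights VM in the Add Collector Node page; after committing, confirm on each collector that events are arriving before relying on either for investigations.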

Before you add the log collector node in the GUI, you must set the administrator password. By default, the Security Director log collector is disabled. You must first enable it and then set the administrator password.

To enable the log collector and configure the administrator password:

  1. Go to the Security Director Insights CLI.

    # ssh admin@${security-director-insights_ip}

  2. Enter the application configuration mode.

    user:Core# applications

  3. Enable Security Director log collector.

    user:Core#(applications)# set log-collector enable on

  4. Configure the administrator password.

    user:Core#(applications)# set log-collector password

    Enter the new password for SD Log Collector access:

    Retype the new password:

    Successfully changed password for SD Log Collector database access

To add the Security Director Insights VM IP address as a log collector node:

  1. From the Security Director user interface, select Administration > Logging Management > Logging Nodes, and click the plus sign (+).

    The Add Logging Node page appears.

  2. Choose the Log Collector type as Security Director Log Collector.
  3. Click Next.

    The Add Collector Node page appears.

  4. In the Node Name field, enter a unique name for the log collector.
  5. In the IP Address field, enter the IP address of the Security Director Insights VM.

    The IP address used in the Deploy OVF Template page must also be used in the Add Collector Node page, as shown in Figure 1 and Figure 2.

    Figure 1: Deploy OVF Template Page

    Figure 2: Add Logging Node Page

  6. In the User Name field, enter the username of the Security Director Insights VM.
  7. In the Password field, enter the password of the Security Director Insights VM.
  8. Click Next.

    The certificate details are displayed.

  9. Click Finish and then click OK to add the newly created Logging Node.
  10. After you add Security Director Insights as a log collector, enable the SDI Log Collector Query Format option in Junos Space:
    1. Log in to Junos Space.
    2. Select Administration > Applications.
    3. Right-click Log Director and select Modify Application Settings.
    4. Enable the following option:
      • Enable SDI Log Collector Query Format

Note

The log collector in Security Director Insights supports 25K events per second (eps).

To achieve 25K logs per second, you must have the following configuration:

  • 32 CPUs with a CPU reservation of 40 MHz to 45 MHz.

  • 128-GB RAM.

Disable the raw log from the Security Director Insights CLI, in application configuration mode:

    user:Core#(applications)# set log-collector raw-log disable