Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Cisco Stealthwatch

The JSA DSM for Cisco Stealthwatch receives events from a Cisco Stealthwatch device.

The following table identifies the specifications for the Cisco Stealthwatch DSM:

Table 1: Cisco Stealthwatch DSM Specifications





DSM name

Cisco Stealthwatch

RPM file name


Supported versions




Event format


Recorded event types

Anomaly, Data Hoarding, Exploitation, High Concern Index, High DDoS Source Index, High Target Index, Policy Violation, Recon, High DDoS Target Index, Data Exfiltration, C&C

Automatically discovered?


Includes identity?


Includes Custom properties?


More information

Cisco Stealthwatch website (

To integrate Cisco Stealthwatch with JSA, complete the following steps:

  1. If automatic updates are not configured, download the most recent version of the following RPMs from the Juniper Downloads onto your JSA console:

    • DSMCommon RPM

    • Cisco Stealthwatch DSM RPM

  2. Configure your Cisco Stealthwatch device to send syslog events to JSA.

  3. If JSA does not automatically detect the log source, add a Cisco Stealthwatch log source on the JSA Console. The following table describes the parameters that require specific values for Cisco Stealthwatch event collection:

    Table 2: Cisco Stealthwatch Log Source Parameters



    Log Source type

    Cisco Stealthwatch

    Protocol Configuration


    Log Source

    A unique identifier for the log source.

The following table shows a sample syslog message supported by the Cisco Stealthwatch device:

Table 3: Cisco Stealthwatch Sample Syslog Message

Event name

Low-level category

Sample log message


Network Threshold Policy Violation

May 5 18:11:01 May 05 18:11:01 KW-SMC-100 StealthWatch[3706]: LEEF:2.0|Lancope|Stealthwatch| 6.8|16|0x7C|src=|dst=0. 0.0.0|dstPort=|proto=|msg=The total traffic inbound + outbound exceeds the acceptable total traffic values.|fullmessage=Observed 3.95G bytes. Expected 2.22M bytes, tolerance of 50 allows up to 1.92G bytes.|start=2017-05- 05T18:10:00Z|end=|cat=High Total Traffic|alarmID=3L-1CR1- JI38-QGNE-2|sourceHG=United States|targetHG=Unknown|sourc eHostSnapshot= smc/getHostSnapshot?domainid= 123&hostip= 7-05- 05T18:10:00Z|targetHostSnapsh ot= Snapshot?domainid=123&hostip = 05T18:10:00Z|flowCollectorName =KW-FC- 101|flowCollectorIP=|do|exporterName =|exporterIPAddress=|exporterInf o=|targetUser=|targetHostname=| sourceUser=|alarmStatus=ACTIV E|alarmSev=Major

Configuring Cisco Stealthwatch to Communicate with JSA

Cisco Stealthwatch can forward events of different message types, including customized syslog messages, to third parties.

  1. Log in to the Stealthwatch Management Console (SMC) as an administrator.

  2. In the menu bar, click Configuration >Response Management.

  3. From the Actions section in the Response Management menu, click Add >Syslog Message.

  4. In the Add Syslog Message Action window, configure the following parameters:




    The name for the syslog message action.


    This check box is enabled by default.

    IP Address

    The IP address of the JSA Event Collector.


    The default port is port 514.


    Select Syslog Formats.

  5. Enter the following custom format:

  6. Select the custom format from the list and click OK.


    Use the Test button to send test message to JSA

  7. Click Response Management >Rules.

  8. Click Add and select Host Alarm.

  9. Provide a rule name in the Name field.

  10. Create rules by selecting values from the Type and Options menus. To add more rules, click the ellipsis icon. For a Host Alarm, combine as many possible types in a statement as possible.

  11. In the Action dialog, select JSA syslog action for both Active and Inactive conditions. The event is forwarded to JSA when any predefined condition is satisfied.