Juniper Networks IDP
The Juniper IDP DSM for JSA accepts events using syslog. JSA records all relevant Juniper IDP events.
You can configure a sensor on your Juniper IDP to send logs to a syslog server:
Log in to the Juniper NSM user interface.
In NSM, double-click on the Sensor in Device Manager.
Select Global Settings.
Select Enable Syslog.
Type the Syslog Server IP address to forward events to JSA.
Click OK.
Use Update Device to load the new settings onto the IDP Sensor.
The format of the syslog message sent by the IDP Sensor is as follows:
<day id>, <record id>, <timeReceived>, <timeGenerated>, <domain>, <domainVersion>, <deviceName>, <deviceIpAddress>, <category>, <subcategory>, <src zone>, <src intface>, <src addr>, <src port>, <nat src addr>, <nat src port>, <dstzone>, <dst intface>, <dst addr>, <dst port>, <nat dst addr>, <nat dst port>, <protocol>, <rule domain>, <rule domainVersion>, <policyname>, <rulebase>, <rulenumber>, <action>, <severity>, <is alert>, <elapsed>, <bytes in>, <bytes out>, <bytestotal>, <packet in>, <packet out>, <packet total>, <repeatCount>, <hasPacketData>, <varData Enum>, <misc-str>, <user str>, <application str>, <uri str>
See the following syslog example:
[syslog@juniper.net dayId="20061012" recordId="0" timeRecv="2006/10/12 21:52:21" timeGen="2006/10/12 21:52:21" domain="" devDomVer2="0" device_ip="10.209.83.4" cat="Predefined" attack="TROJAN:SUBSEVEN:SCAN" srcZn="NULL" srcIntf="NULL" srcAddr="192.168.170.20" srcPort="63396" natSrcAddr="NULL" natSrcPort="0" dstZn="NULL" dstIntf="NULL" dstAddr="192.168.170.10" dstPort="27374" natDstAddr="NULL" natDstPort="0" protocol="TCP" ruleDomain="" ruleVer="5" policy="Policy2" rulebase="IDS" ruleNo="4" action="NONE" severity="LOW" alert="no" elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" totPak="0" repCount="0" packetData="no" varEnum="31" misc="<017>'interface=eth2" user="NULL" app="NULL" uri="NULL"]
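The following parser is an added example, not part of the Juniper documentation or the JSA DSM. It reads the key="value" pairs of the sample record above by anchoring on the quoted values, because timeRecv contains a space and misc contains "=", "<" and "'", so splitting on whitespace or "=" would misparse them. The choice of which fields to convert to integers is an assumption made for this example.

```python
import re
from datetime import datetime

# The syslog example from this page, re-wrapped for readability and rejoined.
SAMPLE = " ".join('''
[syslog@juniper.net dayId="20061012" recordId="0" timeRecv="2006/10/12 21:52:21"
timeGen="2006/10/12 21:52:21" domain="" devDomVer2="0" device_ip="10.209.83.4"
cat="Predefined" attack="TROJAN:SUBSEVEN:SCAN" srcZn="NULL" srcIntf="NULL"
srcAddr="192.168.170.20" srcPort="63396" natSrcAddr="NULL" natSrcPort="0"
dstZn="NULL" dstIntf="NULL" dstAddr="192.168.170.10" dstPort="27374"
natDstAddr="NULL" natDstPort="0" protocol="TCP" ruleDomain="" ruleVer="5"
policy="Policy2" rulebase="IDS" ruleNo="4" action="NONE" severity="LOW" alert="no"
elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0"
totPak="0" repCount="0" packetData="no" varEnum="31" misc="<017>'interface=eth2"
user="NULL" app="NULL" uri="NULL"]
'''.split())

PREFIX = "[syslog@juniper.net "
# A value is everything between the double quotes, whatever it contains.
PAIR = re.compile(r'(\w+)="([^"]*)"')
# Assumption for this example: these fields are numeric ("elaspedTime" is
# spelled as in the page's sample record).
INT_FIELDS = {"srcPort", "natSrcPort", "dstPort", "natDstPort", "ruleNo",
              "elaspedTime", "inbytes", "outbytes", "totBytes",
              "inPak", "outPak", "totPak", "repCount"}
TIME_FIELDS = {"timeRecv", "timeGen"}


def parse_idp_event(line):
    """Return the record's fields as a dict; raise ValueError if none is found."""
    text = line.strip()
    start = text.find(PREFIX)  # tolerate a syslog header in front of the record
    if start < 0 or not text.endswith("]"):
        raise ValueError("no [syslog@juniper.net ...] element found")
    event = {}
    for key, raw in PAIR.findall(text[start + len(PREFIX):-1]):
        if raw == "NULL":            # literal placeholder, not a real value
            event[key] = None
        elif key in INT_FIELDS and raw.isdigit():
            event[key] = int(raw)
        elif key in TIME_FIELDS:
            event[key] = datetime.strptime(raw, "%Y/%m/%d %H:%M:%S")
        else:
            event[key] = raw
    return event
```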
Configure a Log Source
Juniper NSM is a central management server for Juniper IDP. You can configure JSA to collect and represent the Juniper IDP alerts as coming from a central NSM, or JSA can collect syslog from the individual Juniper IDP device.
To configure JSA to receive events from a Juniper Networks Secure Access device:
From the Log Source Type list, select Juniper Networks Intrusion Detection and Prevention (IDP).
For more information about Juniper IDP, see your Network and Security Manager documentation.