Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Juniper Networks Junos OS WebApp Secure

The Juniper WebApp Secure DSM for JSA accepts events that are forwarded from Juniper Junos OS WebApp Secure appliances by using syslog.

Juniper Junos OS WebApp Secure provides incident logging and access logging events to JSA. Before you can receive events in JSA, you must configure event forwarding on your Juniper Junos OS WebApp Secure, then define the events that you want to forward.

Configuring Syslog Forwarding

To configure a remote syslog server for Juniper Junos OS WebApp Secure, you must use SSH to connect to a configuration interface. You can use the configuration interface to set up or configure core settings on your Juniper Junos OS WebApp Secure appliance.

  1. Use SSH on port 2022 to log in to your Juniper Junos OS WebApp device.

    https://<IP address>:<port>

    Where:

    • <IP address> is the IP address of your Juniper Junos OS WebApp Secure appliance.

    • <Port> is the port number of your Juniper Junos OS WebApp Secure appliance configuration interface.

    The default SSH configuration port is 2022.

  2. From the Choose a Tool menu, select Logging.

  3. Click Run Tool.

  4. From the Log Destination menu, select Remote Syslog Server.

  5. In the Syslog Server field, type the IP address of your JSA console or Event Collector.

  6. Click Save.

  7. From the Choose a Tool menu, select Quit.

  8. Type Exit to close your SSH session.

You are now ready to configure event logging on your Juniper Junos OS WebApp Secure appliance.

Configuring Event Logging

The Juniper Junos OS WebApp Secure appliance must be configured to determine which logs are forwarded to JSA.

  1. Using a web browser, log in to the configuration site for your Juniper Junos OS WebApp Secure appliance.

    https://<IP address>:<port>

    Where:

    • <IP address> is the IP address of your Juniper Junos OS WebApp Secure appliance.

    • <Port> is the port number of your Juniper Junos OS WebApp Secure appliance.

      The default configuration uses a port number of 5000.

  2. From the navigation menu, select Configuration Manager.

  3. From the configuration menu, select Basic Mode.

  4. Click the Global Configuration tab and select Logging.

  5. Click the link Show Advanced Options.

  6. Configure the following parameters:

    Table 1: Juniper Junos OS WebApp Secure Logging Parameters

    Parameter

    Description

    Access logging: Log Level

    Click this option to configure the level of information that is logged when access logging is enabled.

    The options include the following levels:

    • 0 Access logging is disabled.

    • 1 - Basic logging.

    • 2 Basic logging with headers.

    • 3 Basic logging with headers and body.

    Note:

    Access logging is disabled by default. It is suggested that you enable access logging only for debugging purposes. For more information, see your Juniper Junos OS WebApp Secure documentation.

    Access logging: Log requests before processing

    Click this option and select True to log the request before it is processed, then forward the event to JSA.

    Access logging: Log requests to access log after processing

    Click this option and select True to log the request after it is processed. After Juniper Junos OS WebApp Secure processes the event, then it is forwarded to JSA.

    Access logging: Log responses to access log after processing

    Click this option and select True to log the response after it is processed. After Juniper Junos OS WebApp Secure processes the event, then the event is forwarded to JSA.

    Access logging: Log responses to access log before processing

    Click this option and select True to log the response before it is processed, then forward the event to JSA.

    Incident severity log level

    Click this option to define the severity of the incident events to log. All incidents at or above the level that is defined are forwarded to JSA.

    The options include the following levels:

    • 0 Informational level and later incident events are logged and forwarded.

    • 1 - Suspicious level and later incident events are logged and forwarded.

    • 2 Low level and later incident events are logged and forwarded.

    • 3 Medium level and later incident events are logged and forwarded.

    • 4 - High level and later incident events are logged and forwarded.

    Log incidents to the syslog

    Click this option and select Yes to enable syslog forwarding to JSA.

    The configuration is complete. The log source is added to JSA as Juniper Junos OS WebApp Secure events are automatically discovered. Events that are forwarded to JSA by Juniper Junos OS WebApp Secure are displayed on the Log Activity tab of JSA.

Syslog Log Source Parameters for Juniper Networks Junos OS WebApp Secure

If JSA does not automatically detect the log source, add a Juniper Networks Junos OS WebApp Secure log source on the JSA Console by using the Syslog protocol.

When using the syslog protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect Syslog events from Juniper Networks Junos OS WebApp Secure:

Table 2: Syslog Log Source Parameters for the Juniper Networks Junos OS WebApp Secure DSM

Parameter

Value

Log Source Name

Type a name for your log source.

Log Source Description

Type a description for the log source.

Log Source type

Juniper Networks Junos OS WebApp Secure

Protocol Configuration

Syslog

Log Source Identifier

Type the IP address or host name for the log source as an identifier for events from your Juniper Networks Junos OS WebApp Secure appliance.

Juniper Junos WebApp Secure Sample Event Message

Use this sample event message to verify a successful integration with JSA.

Note:

Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Juniper Junos WebApp Secure sample message when you use the Syslog protocol

The following sample event message shows a failed login.

Table 3: Highlighted fields in the Juniper Junos WebApp Secure sample event

JSA field name

Highlighted payload field name

Event ID

MKS_Type

Event Category

In JSA, the value is JuniperMykonosWebSecurity.

Source IP

MKS_SrcIP

Username

MKS_ProfileName