Radware AppWall

The JSA DSM for Radware AppWall collects logs from a Radware AppWall appliance.

The following table describes the specifications for the Radware AppWall DSM:

Table 1: Radware AppWall DSM Specifications

| Specification | Value |
| --- | --- |
| Manufacturer | Radware |
| DSM name | Radware AppWall |
| RPM file name | DSM-RadwareAppWall-JSA_version-build_number.noarch.rpm |
| Supported versions | 6.5.2, 8.2 |
| Protocol | Syslog |
| Event format | Vision Log |
| Recorded event types | Administration, Audit, Learning, Security, System |
| Automatically discovered? | Yes |
| Includes identity? | No |
| Includes custom properties? | No |
| More information | For more information, see the Radware website (https://www.radware.com). |

To integrate Radware AppWall with JSA, complete the following steps:

  1. If automatic updates are not enabled, download the most recent version of the Radware AppWall DSM RPM from Juniper Downloads and install it on your JSA Console.

  2. Configure your Radware AppWall device to send logs to JSA.

  3. If JSA does not automatically detect the log source, add a Radware AppWall log source on the JSA Console. The following table describes the parameters that require specific values for Radware AppWall event collection:

    Table 2: Radware AppWall Log Source Parameters

    | Parameter | Value |
    | --- | --- |
    | Log Source type | Radware AppWall |
    | Protocol Configuration | Syslog |

Note:

Your Radware AppWall device might have event payloads that are longer than the default maximum TCP Syslog payload length of 4096 bytes. This overage can result in the event payload being split into multiple events by JSA. To avoid this behavior, increase the maximum TCP Syslog payload length. To optimize performance, start by configuring the value to 8192 bytes. The maximum length for Radware AppWall events is 14,019 bytes.

You can verify that JSA is configured to receive events from your Radware AppWall device when you complete Step 6 of the Configuring Radware AppWall to Communicate with JSA procedure.

Configuring Radware AppWall to Communicate with JSA

Configure your Radware AppWall device to send logs to JSA. You integrate AppWall logs with JSA by using the Vision Log event format.

  1. Log in to your Radware AppWall Console.

  2. Select Configuration View from the menu bar.

  3. In the Tree View pane on the left side of the window, click appwall Gateway > Services > Vision Support.

  4. From the Server List tab on the right side of the window, click the add icon (+) in the Server List pane.

  5. In the Add Vision Server window, configure the following parameters:

    | Parameter | Value |
    | --- | --- |
    | Address | The IP address for the JSA console. |
    | Port | 514 |
    | Version | Select the most recent version from the list. It is the last item in the list. |

  6. Click Check to verify that the AppWall can successfully connect to JSA.

  7. Click Submit and Save.

  8. Click Apply > OK.

Increasing the Maximum TCP Syslog Payload Length for Radware AppWall

Increase the maximum TCP Syslog payload length for your Radware AppWall appliance in JSA for payloads that are longer than the default maximum TCP Syslog payload length.

  1. If you want to increase the maximum TCP Syslog payload length for JSA 2014.6, follow these steps:

    1. Log in to the JSA console as an administrator.

    2. From the Admin tab, click System Settings.

    3. Click Advanced.

    4. In the Max TCP Syslog Payload Length field, type 8192.

    5. Click Save.

    6. From the Admin tab, click Deploy Changes.

  2. If you want to increase the maximum TCP Syslog payload length for JSA 2014.5 and earlier, follow these steps:

    1. Use SSH to log in to the JSA console.

    2. Go to the /opt/qradar/conf/templates/configservice/pluggablesources/ directory, and edit the TCPSyslog.vm file.

    3. Type 8192 for the value for the MaxPayload parameter.

      For example, <parameter type="MaxPayload">8192</parameter>.

    4. Save the TCPSyslog.vm file.

    5. Log in to the JSA console as an administrator.

    6. From the Admin tab, click Advanced > Deploy Full Configuration.
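
The template edit from the JSA 2014.5 procedure above, as an added shell example that is not part of the original page or of Juniper's tooling: it changes only the MaxPayload value, keeps a backup, and counts how many captured events exceed a given limit before you settle on 8192. The function names, the .bak suffix, the one-event-per-line capture file and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names); not Juniper or Radware tooling.

# Print the MaxPayload value from a TCPSyslog.vm-style file (quoted or unquoted attribute).
get_max_payload() {
    sed -n 's/.*<parameter type="\{0,1\}MaxPayload"\{0,1\}>\([0-9][0-9]*\)<\/parameter>.*/\1/p' "$1" | head -n 1
}

# Set MaxPayload to $2 in file $1, keeping the original as $1.bak.
# Rejects non-numeric values and values below the 4096-byte default.
# A Deploy Full Configuration from the Admin tab is still needed afterwards.
set_max_payload() {
    file=$1
    value=$2
    case $value in
        ''|*[!0-9]*) echo "value must be a whole number of bytes" >&2; return 2 ;;
    esac
    [ "$value" -ge 4096 ] || { echo "value is below the 4096 default" >&2; return 2; }
    [ -n "$(get_max_payload "$file")" ] || { echo "no MaxPayload in $file" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1
    sed 's/\(<parameter type="\{0,1\}MaxPayload"\{0,1\}>\)[0-9][0-9]*\(<\/parameter>\)/\1'"$value"'\2/' \
        "$file.bak" > "$file" || return 1
    [ "$(get_max_payload "$file")" = "$value" ]
}

# Count events (one per line, assumed) in capture $1 that are longer than $2 bytes.
count_oversize() {
    LC_ALL=C awk -v max="$2" 'length($0) > max { n++ } END { print n + 0 }' "$1"
}

# Demo on constructed files: a one-line template and a capture with one 5000-byte event.
demo=$(mktemp -d)
printf '<parameter type="MaxPayload">4096</parameter>\n' > "$demo/TCPSyslog.vm"
awk 'BEGIN { print "short event"; for (i = 0; i < 5000; i++) printf "A"; print "" }' > "$demo/capture.log"
echo "events over 4096 bytes: $(count_oversize "$demo/capture.log" 4096)"
echo "events over 8192 bytes: $(count_oversize "$demo/capture.log" 8192)"
set_max_payload "$demo/TCPSyslog.vm" 8192 && echo "MaxPayload now $(get_max_payload "$demo/TCPSyslog.vm")"
rm -rf "$demo"
```

On a real console, pass the TCPSyslog.vm path from step 2 in place of the demo file; a nonzero count at 8192 means some events would still be split at that setting.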

Radware AppWall Sample Event Messages

Use these sample event messages to verify a successful integration with JSA.

Note:

Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Radware AppWall Sample Messages When You Use the Syslog Protocol

Sample 1: The following sample event message shows that a service is stopped.

Table 3: Highlighted values in the Radware AppWall sample event

| JSA field name | Highlighted values in the event payload |
| --- | --- |
| Event ID | 1558936884-109 |
| Source IP | 10.22.126.18 |
| Device Time | 05/27/2019 06:01:24 +00 |

Sample 2: The following sample event message shows a reverse DNS lookup failure.

Table 4: Highlighted values in the Radware AppWall sample event

| JSA field name | Highlighted values in the event payload |
| --- | --- |
| Event ID | 1558947633-294 |
| Source IP | 10.22.126.18 |
| Device Time | 05/27/2019 09:00:33 +00 |