Universal CEF

The JSA DSM for Universal CEF accepts events from any device that produces events in the Common Event Format (CEF).

The following table identifies the specifications for the Universal CEF DSM:

Table 1: Universal CEF DSM Specifications

Specification               | Value
DSM name                    | Universal CEF
RPM file name               | DSM-UniversalCEF-JSA_version-build_number.noarch.rpm
Protocol                    | Syslog, Log File
Event Format                | Common Event Format (CEF). CEF:0 is supported.
Recorded event types        | CEF-formatted events
Automatically discovered?   | No
Includes identity?          | No
Includes custom properties? | No
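The table states that the DSM accepts CEF:0 but does not show what such an event looks like on the wire. The following Python script is an added example, not part of the Juniper documentation: it parses a syslog line that carries a CEF:0 event, honoring the backslash escaping of `|` in the header and of `=` and `\` in the extension, and reports whether the line is something the Universal CEF log source would accept. The sample event, its vendor, host, addresses and rule name are all constructed for this example.

```python
# Added example: a small CEF:0 parser to inspect what a device will send to
# the Universal CEF log source. Not Juniper code; the sample event is constructed.
import re
from typing import Dict, Optional

# Header field names in the order they appear after the "CEF:" prefix.
CEF_HEADER_FIELDS = (
    "version", "device_vendor", "device_product", "device_version",
    "signature_id", "name", "severity",
)

# An extension key is a run of word characters followed by "=", preceded by
# the start of the extension or whitespace. An escaped "\=" inside a value
# does not match, so values may contain spaces and escaped equals signs.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def _unescape_extension_value(value: str) -> str:
    """Undo CEF extension escaping: backslash before '=', '\\', 'n' or 'r'."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt in ("=", "\\"):
                out.append(nxt)
                i += 2
                continue
            if nxt in ("n", "r"):
                out.append("\n" if nxt == "n" else "\r")
                i += 2
                continue
        out.append(value[i])
        i += 1
    return "".join(out)


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'key=value key2=value two' into a dict, keeping spaces in values."""
    matches = list(_EXT_KEY.finditer(ext))
    result: Dict[str, str] = {}
    for idx, m in enumerate(matches):
        start = m.end()
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        result[m.group(1)] = _unescape_extension_value(ext[start:end])
    return result


def parse_cef(line: str) -> Optional[Dict[str, object]]:
    """Parse one syslog line carrying a CEF event.

    Returns None when no "CEF:" prefix is present or the seven header fields
    are not all there. Header fields may escape '|' and '\\' with a backslash;
    the extension (everything after the seventh '|') is parsed separately.
    """
    pos = line.find("CEF:")
    if pos < 0:
        return None
    body = line[pos + len("CEF:"):]
    fields, current, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            current.append(body[i + 1])       # escaped pipe or backslash
            i += 2
        elif ch == "|":
            fields.append("".join(current))   # unescaped pipe ends a field
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    if len(fields) == 6 and current:
        fields.append("".join(current))       # tolerate a missing trailing '|'
        i = len(body)
    if len(fields) < 7:
        return None
    event: Dict[str, object] = dict(zip(CEF_HEADER_FIELDS, fields))
    event["syslog_prefix"] = line[:pos].rstrip()
    event["extension"] = parse_extension(body[i:])
    return event


def check_cef0(line: str) -> str:
    """Return 'ok' for a complete CEF:0 line (the version the DSM supports),
    otherwise a short reason a log source would not parse it."""
    event = parse_cef(line)
    if event is None:
        return "not a complete CEF header"
    if event["version"] != "0":
        return "unsupported CEF version %s" % event["version"]
    return "ok"


# Constructed sample: vendor, host, addresses and rule name are made up.
SAMPLE = (
    r"<134>Apr 03 12:00:00 fw01 CEF:0|Example Corp|Example FW|1.2.3|100|"
    r"Connection blocked \| logged|5|src=10.0.0.5 dst=192.0.2.10 spt=51234 "
    r"dpt=443 proto=TCP act=block msg=Policy deny\=default "
    r"cs1Label=Rule cs1=Outbound\\Web"
)

if __name__ == "__main__":
    ev = parse_cef(SAMPLE)
    print(check_cef0(SAMPLE))
    for key in CEF_HEADER_FIELDS:
        print("%-15s %s" % (key, ev[key]))
    for key, value in sorted(ev["extension"].items()):
        print("  %s = %r" % (key, value))
```

Running the script on a capture of your device's syslog output before adding the log source shows which lines will parse and which header fields and extension keys are present; the keys printed here (such as `src`, `dst`, `act`) are the ones you will see when mapping unknown events later.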

To send events from a device that generates CEF-formatted events to JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from the Juniper Downloads onto your JSA Console:

    • DSMCommon RPM

    • Universal CEF RPM

  2. Add a Universal CEF log source on the JSA Console. Use the following values that are specific to Universal CEF:

    Parameter              | Description
    Log Source Type        | Universal CEF
    Protocol Configuration | Syslog or Log File

  3. Configure your third-party device to send events to JSA. For more information about how to configure your third-party device, see your vendor documentation.

  4. Configure event mapping for Universal CEF events.


Configuring Event Mapping for Universal CEF Events

Universal CEF events do not contain a predefined JSA Identifier (QID) map to categorize security events. You must search for unknown events from the Universal CEF log source and map them to high-level and low-level categories.

Ensure that you installed the Universal CEF DSM and added a log source for it in JSA.

By default, the Universal CEF DSM categorizes all events as unknown. All Universal CEF events display a value of unknown in the Event Name and Low Level Category columns on the Log Activity tab. You must modify the QID map to individually map each event for your device to an event category in JSA. Mapping events allows JSA to identify, coalesce, and track events from your network devices.

For more information about event mapping, see the Juniper Secure Analytics Users Guide.

  1. Log in to JSA.

  2. Click the Log Activity tab.

  3. Click Add Filter.

  4. From the first list, select Log Source.

  5. From the Log Source Group list, select Other.

  6. From the Log Source list, select your Universal CEF log source.

  7. Click Add Filter.

  8. From the View list, select Last Hour.

  9. Click Save Criteria to save your existing search filter.

  10. In the Event Name column, double-click an unknown event for your Universal CEF DSM.

  11. Click Map Event.

  12. From the Browse for QID pane, select any of the following search options to narrow the event categories for a JSA Identifier (QID):

    • From the High-Level Category list, select a high-level event category. For a full list of high-level and low-level event categories or category definitions, see the Event Categories section of the Juniper Secure Analytics Administration Guide.

    • From the Low-Level Category list, select a low-level event category.

    • From the Log Source Type list, select a log source type.

      Tip:

      Searching for QIDs by log source is useful when the events from your Universal CEF DSM are similar to those of another existing network device. For example, if your Universal CEF device provides firewall events, you might select Cisco ASA, another firewall product that likely captures similar events.

    • To search for a QID by name, type a name in the QID/Name field.

  13. Click Search.

  14. Select the QID that you want to associate to your unknown Universal CEF DSM event and click OK.