Universal LEEF

The Universal LEEF DSM for JSA collects events from devices that emit events in the Log Event Extended Format (LEEF).

LEEF is a proprietary event format that lets hardware and software product manufacturers read and map device events specifically for JSA integration.

LEEF-formatted events sent to JSA outside the partnership program require you to install the Universal LEEF DSM and manually identify each event forwarded to JSA by mapping unknown events. The Universal LEEF DSM can parse events forwarded over syslog, or files containing LEEF-format events that are polled from a device or directory by using the Log File protocol.
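
As an added example, not part of this Juniper documentation or of the JSA product code, the following Python parser reads LEEF 1.0 and 2.0 events in the shape a device forwards them over syslog or writes them to a polled file, and rejects lines that are not LEEF instead of silently ingesting them. The sample lines, vendor and product names, and event IDs are constructed for illustration; the header layout (LEEF:version|Vendor|Product|Version|EventID, a delimiter field in 2.0, backslash-escaped pipes in header fields, key=value attributes) follows the published LEEF specification.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample lines (not taken from the page): a syslog-wrapped LEEF 1.0
# event, a LEEF 2.0 event with a custom "^" delimiter, a LEEF 2.0 event whose
# delimiter is given in hex (x09 = tab) and whose product name has an escaped
# pipe, and one non-LEEF line that must be rejected rather than crash the parser.
SAMPLE_LINES = [
    "<13>Jan 18 11:07:53 fw01 LEEF:1.0|Acme|Firewall|3.2|FW_DENY|"
    "src=10.0.0.5\tdst=203.0.113.9\tdstPort=443\tproto=TCP\tmsg=policy deny",
    "LEEF:2.0|Acme|VPN|1.4|VPN_LOGIN_FAIL|^|usrName=alice^src=198.51.100.7^cat=auth",
    "LEEF:2.0|Acme|Endpoint \\| Agent|5|EP_QUARANTINE|x09|fname=c:\\tmp\\x.exe\tsev=8",
    "Jan 18 11:08:00 fw01 heartbeat ok",
]


class LeefParseError(ValueError):
    """Raised for a line that does not carry a well-formed LEEF header."""


@dataclass
class LeefEvent:
    version: str            # "1.0" or "2.0"
    vendor: str
    product: str
    product_version: str
    event_id: str           # the header field that QID mapping keys on
    attributes: Dict[str, str] = field(default_factory=dict)


# A pipe not preceded by a backslash separates header fields; "\|" is a literal pipe.
_HEADER_FIELD_SPLIT = re.compile(r"(?<!\\)\|")
_HEX_DELIM = re.compile(r"(?:0x|x)([0-9A-Fa-f]{1,4})")


def _decode_delimiter(token: str) -> str:
    """LEEF 2.0 delimiter field: empty means tab; else one character or a hex code."""
    if token == "":
        return "\t"
    if len(token) == 1:
        return token
    match = _HEX_DELIM.fullmatch(token)
    if match is None:
        raise LeefParseError(f"invalid LEEF 2.0 delimiter field: {token!r}")
    return chr(int(match.group(1), 16))


def _parse_attributes(text: str, delim: str) -> Dict[str, str]:
    """Split key=value pairs; only the first '=' separates key from value."""
    attrs: Dict[str, str] = {}
    for token in text.split(delim):
        if token == "":
            continue            # tolerate a trailing delimiter
        key, sep, value = token.partition("=")
        if not sep or key == "":
            raise LeefParseError(f"malformed attribute: {token!r}")
        attrs[key] = value
    return attrs


def parse_leef(line: str) -> LeefEvent:
    """Parse one LEEF 1.0 or 2.0 event, with or without a leading syslog header."""
    start = line.find("LEEF:")
    if start < 0:
        raise LeefParseError("no LEEF header found")
    body = line[start:].rstrip("\r\n")
    head, _, rest = body.partition("|")
    version = head[len("LEEF:"):]
    if version not in ("1.0", "2.0"):
        raise LeefParseError(f"unsupported LEEF version: {version!r}")
    # 1.0 headers carry Vendor|Product|Version|EventID; 2.0 adds a delimiter field.
    n_fields = 4 if version == "1.0" else 5
    parts = _HEADER_FIELD_SPLIT.split(rest, maxsplit=n_fields)
    if len(parts) != n_fields + 1:
        raise LeefParseError("truncated LEEF header")
    vendor, product, product_version, event_id = (p.replace("\\|", "|") for p in parts[:4])
    delim = _decode_delimiter(parts[4]) if version == "2.0" else "\t"
    return LeefEvent(version, vendor, product, product_version, event_id,
                     _parse_attributes(parts[-1], delim))


def parse_lines(lines: List[str]) -> Tuple[List[LeefEvent], List[str]]:
    """Parse a batch (for example a polled log file); return events and rejected raw lines."""
    events, rejected = [], []
    for line in lines:
        try:
            events.append(parse_leef(line))
        except LeefParseError:
            rejected.append(line)
    return events, rejected


if __name__ == "__main__":
    ok, bad = parse_lines(SAMPLE_LINES)
    for ev in ok:
        print(f"{ev.vendor}/{ev.product} {ev.event_id}: {ev.attributes}")
    print(f"{len(bad)} line(s) rejected")
```

Running a check like this against a device's output before you forward it is worthwhile: an event whose header is truncated or whose EventID is inconsistent between occurrences can never be mapped to a stable QID, so validating the stream at the source saves unknown-event triage later.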

To configure events in JSA using Universal LEEF, you must:

  1. Configure a Universal LEEF log source in JSA.

  2. Send LEEF formatted events from your device to JSA. For more information on forwarding events, see your vendor documentation.

  3. Map unknown events to JSA Identifiers (QIDs).

Syslog Protocol Log Source parameters for Universal LEEF

Add a Universal LEEF log source on the JSA Console by using the Syslog protocol.

JSA receives events from a real-time source by using the Syslog protocol.

When you use the Syslog protocol, you must set the following parameters.

Table 1: Syslog Log Source Parameters for the Universal LEEF DSM

Parameter               Value
----------------------  ------------------------------------------------------------
Log Source type         Universal LEEF
Protocol Configuration  Syslog
Log Source Identifier   Type the IP address or host name of the log source as the
                        identifier for Universal LEEF events.

Forwarding Events to JSA

After you create your log source, you can forward or retrieve events for JSA. Forwarding events by using syslog might require additional configuration of your network device.

As JSA discovers events, either over syslog or by polling log files, they are displayed in the Log Activity tab. Events from the devices that forward LEEF events are identified by the name that you type in the Log Source Name field. The events for your log source are not categorized by default in JSA, and they require categorization. For more information on categorizing your Universal LEEF events, see Universal LEEF Event Map Creation.

Universal LEEF Event Map Creation

Event mapping is required for the Universal LEEF DSM, because Universal LEEF events do not contain a predefined JSA Identifier (QID) map to categorize security events.

Members of the SIPP Partner Program have QID maps designed for their network devices; their configuration is documented, and the QID maps are tested by IBM Corp.

The Universal LEEF DSM requires that you individually map each event from your device to an event category in JSA. Mapping events allows JSA to identify, coalesce, and track events that recur from your network devices. Until you map an event, all events that are displayed in the Log Activity tab for the Universal LEEF DSM are categorized as unknown. Unknown events are easy to identify because the Event Name and Low-Level Category columns display Unknown.

Discovering Unknown Events

As your device forwards events to JSA, categorizing all of the events from that device can take time, because the event source appliance or software might not generate some events immediately.

It is helpful to know how to quickly search for unknown events. When you know how to search for unknown events, you can repeat the search until you are satisfied that most of your Universal LEEF events are identified.

  1. Log in to JSA.

  2. Click the Log Activity tab.

  3. Click Add Filter.

  4. From the first list, select Log Source.

  5. From the Log Source Group list, select the log source group or Other.

    Log sources that are not assigned to a group are categorized as Other.

  6. From the Log Source list, select your Universal LEEF log source.

  7. Click Add Filter.

    The Log Activity tab is displayed with a filter for your Universal LEEF DSM.

  8. From the View list, select Last Hour.

    Any events that are generated by your Universal LEEF DSM in the last hour are displayed. Events that are displayed as unknown in the Event Name column or Low Level Category column require event mapping in JSA.

    Note:

    You can save your existing search filter by clicking Save Criteria.

    You are now ready to modify the event map for your Universal LEEF DSM.

Modifying an Event Map

Modifying an event map allows you to manually categorize events to a JSA Identifier (QID) map.

Any event categorized to a log source can be remapped to a new JSA Identifier (QID). By default, the Universal LEEF DSM categorizes all events as unknown.

Note:

Events that do not have a defined log source cannot be mapped to an event. Events without a log source display SIM Generic Log in the Log Source column.

  1. On the Event Name column, double-click an unknown event for your Universal LEEF DSM.

    The detailed event information is displayed.

  2. Click Map Event.

  3. From the Browse for QID pane, select any of the following search options to narrow the event categories for a JSA Identifier (QID):

    1. From the High-Level Category list, select a high-level event categorization.

      For a full list of high-level and low-level event categories or category definitions, see the Event Categories section of the Juniper Secure Analytics Administration Guide.

    2. From the Low-Level Category list, select a low-level event categorization.

    3. From the Log Source Type list, select a log source type.

      The Log Source Type list allows you to search for QIDs from other individual log sources. Searching for QIDs by log source is useful when the events from your Universal LEEF DSM are similar to those of another existing network device. For example, if your Universal LEEF DSM provides firewall events, you might select Cisco ASA, another firewall product that likely captures similar events.

    4. To search for a QID by name, type a name in the QID/Name field.

      The QID/Name field allows you to filter the full list of QIDs for a specific word, for example, MySQL.

  4. Click Search.

    A list of QIDs is displayed.

  5. Select the QID that you want to associate with your unknown Universal LEEF DSM event.

  6. Click OK.

    JSA maps any further events forwarded from your device whose payload matches this event to the same QID. The event count increases each time JSA identifies the event.

    Note:

    If you update an event with a new JSA Identifier (QID) map, past events stored in JSA are not updated. Only new events are categorized with the new QID.