Name Value Pair

The Name Value Pair DSM gives you the option to integrate JSA with devices that might not normally send syslog logs.

The Name Value Pair DSM defines a log format that you can use to send logs to JSA. For example, for a device that JSA does not support and that does not export logs natively with syslog, you can create a script that exports the logs from the device, formats them in the Name Value Pair log format, and sends them to JSA using syslog.

The Name Value Pair DSM log source that is configured in JSA then receives the logs and can parse the data because the logs arrive in the Name Value Pair log format.

Note:

Events for the Name Value Pair DSM are not automatically discovered by JSA.

The Name Value Pair DSM accepts events by using syslog. JSA records all relevant events. The log format for the Name Value Pair DSM must be a single-line, tab-separated list of Name=Parameter pairs. The Name Value Pair DSM does not require a valid syslog header.

Note:

The Name Value Pair DSM assumes an ability to create custom scripts or thorough knowledge of your device capabilities to send logs to JSA using syslog in Name Value Pair format.

The Name Value Pair DSM is able to parse the following tags:

Table 1: Name Value Pair Log Format Tags

| Tag | Description |
| --- | --- |
| DeviceType | Type NVP as the DeviceType. This identifies the log format as a Name Value Pair log message. This is a required parameter and DeviceType=NVP must be the first pair in the list. |
| EventName | Type the event name that you want to use to identify the event in the Events interface when using the Event Mapping functions. For more information on mapping events, see the Juniper Secure Analytics Users Guide. This is a required parameter. |
| EventCategory | Type the event category that you want to use to identify the event in the Events interface. If this value is not included in the log message, the value NameValuePair is used. |
| SourceIp | Type the source IP address for the message. |
| SourcePort | Type the source port for the message. |
| SourceIpPreNAT | Type the source IP address for the message before Network Address Translation (NAT) occurs. |
| SourceIpPostNAT | Type the source IP address for the message after NAT occurs. |
| SourceMAC | Type the source MAC address for the message. |
| SourcePortPreNAT | Type the source port for the message before NAT occurs. |
| SourcePortPostNAT | Type the source port for the message after NAT occurs. |
| DestinationIp | Type the destination IP address for the message. |
| DestinationPort | Type the destination port for the message. |
| DestinationIpPreNAT | Type the destination IP address for the message before NAT occurs. |
| DestinationIpPostNAT | Type the destination IP address for the message after NAT occurs. |
| DestinationPortPreNAT | Type the destination port for the message before NAT occurs. |
| DestinationPortPostNAT | Type the destination port for the message after NAT occurs. |
| DestinationMAC | Type the destination MAC address for the message. |
| DeviceTime | Type the time that the event was sent, according to the device. The format is: YY/MM/DD hh:mm:ss. If no specific time is provided, the syslog header or DeviceType parameter is applied. |
| UserName | Type the user name that is associated with the event. |
| HostName | Type the host name that is associated with the event. Typically, this parameter is only associated with identity events. |
| GroupName | Type the group name that is associated with the event. Typically, this parameter is only associated with identity events. |
| NetBIOSName | Type the NetBIOS name that is associated with the event. Typically, this parameter is only associated with identity events. |
| Identity | Type TRUE or FALSE to indicate whether you wish this event to generate an identity event. An identity event is generated if the log message contains the SourceIp (if the IdentityUseSrcIp parameter is set to TRUE) or DestinationIp (if the IdentityUseSrcIp parameter is set to FALSE) and one of the following parameters: UserName, SourceMAC, HostName, NetBIOSName, or GroupName. |
| IdentityUseSrcIp | Type TRUE or FALSE (default). TRUE indicates that you wish to use the source IP address for identity. FALSE indicates that you wish to use the destination IP address for identity. This parameter is used only if the Identity parameter is set to TRUE. |
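The format rules and the tags in Table 1, shown as an added example that is not part of the original page and is not Juniper code: a Python formatter that puts DeviceType=NVP first, requires EventName, and replaces tab, carriage return and line feed characters in values so that device-supplied text cannot add a pair or split the event across lines. The function names, the UDP port 514 default, the 24-hour reading of hh, and the sample values are assumptions.

```python
import re
import socket
from datetime import datetime

# Tag names from Table 1; DeviceType is added by the formatter itself.
TAGS = set("""EventName EventCategory SourceIp SourcePort SourceIpPreNAT
SourceIpPostNAT SourceMAC SourcePortPreNAT SourcePortPostNAT DestinationIp
DestinationPort DestinationIpPreNAT DestinationIpPostNAT DestinationPortPreNAT
DestinationPortPostNAT DestinationMAC DeviceTime UserName HostName GroupName
NetBIOSName Identity IdentityUseSrcIp""".split())
_CONTROL = re.compile(r"[\x00-\x1f\x7f]+")  # includes tab, CR and LF

def clean(value):
    """Collapse control characters so a value cannot add a pair or a line."""
    return _CONTROL.sub(" ", str(value)).strip()

def format_nvp(fields):
    """Return one tab-separated line with DeviceType=NVP as the first pair."""
    unknown = set(fields) - TAGS
    if unknown:
        raise ValueError(f"tags not in Table 1: {sorted(unknown)}")
    if not clean(fields.get("EventName", "")):
        raise ValueError("EventName is required")
    pairs = ["DeviceType=NVP"]
    for tag, value in fields.items():
        if isinstance(value, bool):        # Identity / IdentityUseSrcIp
            value = "TRUE" if value else "FALSE"
        elif isinstance(value, datetime):  # YY/MM/DD hh:mm:ss, 24-hour assumed
            value = value.strftime("%y/%m/%d %H:%M:%S")
        pairs.append(f"{tag}={clean(value)}")
    return "\t".join(pairs)

def send_nvp(line, host, port=514):
    """Send one event as one UDP datagram (port 514 is an assumption)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (host, port))

# Constructed sample event: the user name carries an embedded tab and newline.
SAMPLE = {
    "EventName": "Login Failed",
    "SourceIp": "192.0.2.10",
    "DestinationIp": "198.51.100.7",
    "UserName": "alice\tEventName=Login Succeeded\n",
    "DeviceTime": datetime(2024, 3, 5, 14, 7, 9),
    "Identity": True,
    "IdentityUseSrcIp": True,
}
LINE = format_nvp(SAMPLE)
```

Call `send_nvp(LINE, "<JSA host>")` to deliver the event; no syslog header is prepended because the DSM does not require one.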

Use these sample event messages to verify a successful integration with JSA.

Note:

Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Example 1

The following example parses all fields:

Example 2

The following example provides identity by using the destination IP address:

Example 3

The following example provides identity by using the source IP address:

Example 4

The following example provides an entry with no identity: