Configuring event logging

The Juniper Junos WebApp Secure appliance must be configured to determine which logs are forwarded to IBM QRadar.

Procedure

  1. Using a web browser, log in to the configuration site for your Juniper Junos WebApp Secure appliance.

    https://<IP address>:<port>

    Where:

    • <IP address> is the IP address of your Juniper Junos WebApp Secure appliance.
    • <port> is the port number of your Juniper Junos WebApp Secure appliance.

      The default configuration uses a port number of 5000.

  2. From the navigation menu, select Configuration Manager.
  3. From the configuration menu, select Basic Mode.
  4. Click the Global Configuration tab and select Logging.
  5. Click the link Show Advanced Options.
  6. Configure the following parameters:
    Table 1. Juniper Junos WebApp Secure logging parameters

    Parameter
      Description

    Access logging: Log Level
      Click this option to configure the level of information that is logged when access logging is enabled.

      The options include the following levels:

      • 0 - Access logging is disabled.
      • 1 - Basic logging.
      • 2 - Basic logging with headers.
      • 3 - Basic logging with headers and body.

      Note: Access logging is disabled by default. It is suggested that you enable access logging only for debugging purposes. For more information, see your Juniper Junos WebApp Secure documentation.

    Access logging: Log requests before processing
      Click this option and select True to log the request before it is processed, then forward the event to QRadar.

    Access logging: Log requests to access log after processing
      Click this option and select True to log the request after it is processed. After Juniper Junos WebApp Secure processes the event, the event is forwarded to QRadar.

    Access logging: Log responses to access log after processing
      Click this option and select True to log the response after it is processed. After Juniper Junos WebApp Secure processes the event, the event is forwarded to QRadar.

    Access logging: Log responses to access log before processing
      Click this option and select True to log the response before it is processed, then forward the event to QRadar.

    Incident severity log level
      Click this option to define the severity of the incident events to log. All incidents at or above the level that is defined are forwarded to QRadar.

      The options include the following levels:

      • 0 - Informational level and higher incident events are logged and forwarded.
      • 1 - Suspicious level and higher incident events are logged and forwarded.
      • 2 - Low level and higher incident events are logged and forwarded.
      • 3 - Medium level and higher incident events are logged and forwarded.
      • 4 - High level and higher incident events are logged and forwarded.

    Log incidents to the syslog
      Click this option and select Yes to enable syslog forwarding to QRadar.

    The configuration is complete. The log source is added to QRadar as Juniper Junos WebApp Secure events are automatically discovered. Events that are forwarded to QRadar by Juniper Junos WebApp Secure are displayed on the Log Activity tab of QRadar.