The binary log format from Juniper SRX or J Series appliances is streamed to IBM QRadar over UDP. You must assign a unique port for streaming binary-formatted events, because the standard syslog port on QRadar cannot parse binary-formatted events.
About this task
The default port that is assigned to QRadar for receiving streamed binary events from Juniper appliances is UDP port 40798.
Note: The Juniper Binary Log Collector DSM supports only events that are forwarded in Streaming mode. Event mode is not supported.
Procedure
1. Log in to your Juniper SRX or J Series appliance by using the command-line interface (CLI).
2. Type the following command to edit your device configuration:
3. Type the following command to configure the IP address and port number for streaming binary-formatted events:
   set security log stream <Name> host <IP address> port <Port>
   Where:
   - <Name> is the name that is assigned to the stream.
   - <IP address> is the IP address of your QRadar Console or Event Collector.
   - <Port> is the unique port number that is assigned for streaming binary-formatted events to QRadar. By default, QRadar listens for binary streaming data on UDP port 40798. For a list of ports that are used by QRadar, see the IBM QRadar Common Ports List technical note.
4. Type the following command to set the security log format to binary:
5. Type the following command to enable security log streaming:
   set security log mode stream
6. Type the following command to set the source IP address for the event stream:
   set security log source-address <IP address>
   Where <IP address> is the IP address of your Juniper SRX Series or Juniper J Series appliance.
7. Type the following command to save the configuration changes:
8. Type the following command to exit configuration mode:
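The full CLI sequence for the procedure above, as an added example rather than text from the page: the `configure`, `set security log format binary`, `commit` and `exit` lines are standard Junos CLI commands supplied here because the page does not print them, and the stream name `qradar-binary`, the collector address 192.0.2.10 and the device address 198.51.100.1 are placeholder values from the RFC 5737 documentation ranges. Lines starting with `##` are annotations and are not typed.

```junos
## Added example: stream binary-format security logs from an SRX/J Series device
## to QRadar. Replace the placeholder stream name and addresses with your own.

## Enter configuration mode.
user@srx> configure

## Stream name, QRadar Console or Event Collector address, and the dedicated UDP port.
## 40798 is the QRadar default for binary streaming; never reuse the syslog port.
user@srx# set security log stream qradar-binary host 192.0.2.10 port 40798

## Binary format and Streaming mode (the DSM does not support Event mode).
user@srx# set security log format binary
user@srx# set security log mode stream

## Source address of the outgoing datagrams: an address configured on this device.
user@srx# set security log source-address 198.51.100.1

## Review the pending change, then save it and leave configuration mode.
user@srx# show | compare
user@srx# commit
user@srx# exit
```

Before creating the log source in QRadar, confirm that datagrams actually arrive at the collector, for example with `tcpdump -ni any udp port 40798 and host 198.51.100.1` on the QRadar Console or Event Collector. Two practical caveats: the stream is plain UDP, so it carries no authentication and no delivery guarantee, and the QRadar host firewall should accept the chosen port only from the addresses of your Juniper devices; and if `source-address` is changed later, the address QRadar sees changes with it, so keep the value aligned with whatever the log source identifies the device by.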
What to do next
The configuration of your Juniper SRX or J Series appliance is complete. You can now
configure a log source in QRadar.