Juniper Networks IDP (deprecated)
The Juniper IDP DSM for IBM QRadar accepts events using syslog. QRadar records all relevant Juniper IDP events.
About this task
You can configure a sensor on your Juniper IDP to send logs to a syslog server:
Procedure
- Log in to the Juniper NSM user interface.
- In NSM, double-click the Sensor in Device Manager.
- Select Global Settings.
- Select Enable Syslog.
- Type the Syslog Server IP address to forward events to QRadar.
- Click OK.
- Use Update Device to load the new settings onto the IDP Sensor.
The format of the syslog message that is sent by the IDP Sensor is as follows:
<day id>, <record id>, <timeReceived>, <timeGenerated>, <domain>, <domainVersion>, <deviceName>, <deviceIpAddress>, <category>, <subcategory>, <src zone>, <src intface>, <src addr>, <src port>, <nat src addr>, <nat src port>, <dst zone>, <dst intface>, <dst addr>, <dst port>, <nat dst addr>, <nat dst port>, <protocol>, <rule domain>, <rule domainVersion>, <policyname>, <rulebase>, <rulenumber>, <action>, <severity>, <is alert>, <elapsed>, <bytes in>, <bytes out>, <bytes total>, <packet in>, <packet out>, <packet total>, <repeatCount>, <hasPacketData>, <varData Enum>, <misc-str>, <user str>, <application str>, <uri str>
See the following syslog example:
[syslog@juniper.net dayId="20061012" recordId="0" timeRecv="2006/10/12 21:52:21" timeGen="2006/10/12 21:52:21" domain="" devDomVer2="0" device_ip="<IP_address>" cat="Predefined" attack="TROJAN:SUBSEVEN:SCAN" srcZn="NULL" srcIntf="NULL" srcAddr="<Source_IP_address>" srcPort="63396" natSrcAddr="NULL" natSrcPort="0" dstZn="NULL" dstIntf="NULL" dstAddr="<Destination_IP_address>" dstPort="27374" natDstAddr="NULL" natDstPort="0" protocol="TCP" ruleDomain="" ruleVer="5" policy="Policy2" rulebase="IDS" ruleNo="4" action="NONE" severity="LOW" alert="no" elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" totPak="0" repCount="0" packetData="no" varEnum="31" misc="<017>'interface=eth2" user="NULL" app="NULL" uri="NULL"]