Juniper Networks Junos OS

The Juniper Junos OS Platform DSM for IBM QRadar accepts events that use syslog, structured-data syslog, or PCAP (SRX Series only). QRadar records all valid syslog or structured-data syslog events.

About this task

The Juniper Junos OS Platform DSM supports the following Juniper devices that are running Junos OS:

  • Juniper M Series Multiservice Edge Routing
  • Juniper MX Series Ethernet Services Router
  • Juniper T Series Core Platform
  • Juniper SRX Series Services Gateway

For information about configuring PCAP data from a Juniper Networks SRX Series appliance, see Configure the PCAP Protocol.

Note: For more information about structured-data syslog, see RFC 5424 at the Internet Engineering Task Force: http://www.ietf.org/

Before you configure QRadar to integrate with a Juniper device, you must forward data to QRadar using syslog or structured-data syslog.

Procedure

  1. Log in to your Juniper platform command-line interface (CLI).
  2. Include the following syslog statements at the [edit system] hierarchy level (facility severity is a placeholder for one or more facility and severity pairs; the any, authorization and firewall lines are the pairs QRadar expects):

    [edit system]
    syslog {
        source-address source-address;
        host hostname {
            facility severity;
            explicit-priority;
            any any;
            authorization any;
            firewall any;
            structured-data {
                brief;
            }
        }
    }

    The following table lists and describes the configuration setting variables to be entered in the syslog statement.

    List of syslog configuration setting variables

    host
      The IP address or fully qualified host name of your QRadar system. Each statement nested under host applies only to messages sent to that host.

    facility severity
      The facility whose messages are sent to the host, paired with the lowest severity level to send for that facility. Valid severity levels are:

      • any
      • none
      • emergency
      • alert
      • critical
      • error
      • warning
      • notice
      • info

      Messages at the specified severity level and higher are logged. The levels from emergency through info are in order from highest severity to lowest; any sends messages of every severity and none disables logging for the facility.

    source-address
      A valid IP address configured on one of the router interfaces, used for system logging purposes. It is recorded as the source of the syslog messages sent to QRadar, so it is the address QRadar identifies the log source by. It applies to the hosts specified with the host hostname statement at the [edit system syslog] hierarchy level, but not to messages directed to the other Routing Engine or to the TX Matrix platform in a routing matrix.

    structured-data
      Formats the messages sent to the host as structured-data syslog (RFC 5424). The brief option omits the English-language description that is otherwise appended to the end of each message; the structured-data fields themselves are kept.
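The following is an added example that is not part of the QRadar or Juniper documentation: the complete set-form equivalent of the statements above, as typed in Junos configuration mode, followed by two operational commands to confirm the result. The addresses are assumed for illustration: 192.0.2.10 is an address configured on the device (its lo0 interface here) and 198.51.100.20 is the QRadar system. Lines beginning with # are annotations, not commands.

```junos
# Added example (assumed addresses): configure syslog forwarding from a Junos
# device to QRadar with explicit priority and RFC 5424 structured data.
configure
# Source address QRadar will see on every message; must be an address on
# this device (lo0 is the usual choice because it survives link failures).
set system syslog source-address 192.0.2.10
# Facility and severity pairs the Junos OS Platform DSM expects.
set system syslog host 198.51.100.20 any any
set system syslog host 198.51.100.20 authorization any
set system syslog host 198.51.100.20 firewall any
# Include the facility and severity in each message.
set system syslog host 198.51.100.20 explicit-priority
# Send RFC 5424 structured-data syslog; brief drops the trailing English text.
set system syslog host 198.51.100.20 structured-data brief
commit and-quit
# Confirm the committed configuration and that the device is generating
# messages locally (the same events are forwarded to 198.51.100.20).
show configuration system syslog
show log messages | last 20
```

Two practical points: the any any pair forwards every message of every severity, which on a busy SRX with firewall logging can be a large volume, so tune the severity once QRadar is receiving events; and if your QRadar listens on a syslog port other than the default, add `set system syslog host 198.51.100.20 port <port>` alongside the lines above. After the commit, check that a new event for the device appears in QRadar under the Juniper Junos OS Platform log source type before relying on the auto-discovered log source.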

    You can now configure the log source in QRadar.

    The following devices are auto discovered by QRadar as Juniper Junos OS Platform devices:

    • Juniper M Series Multiservice Edge Routing
    • Juniper MX Series Ethernet Services Router
    • Juniper SRX Series
    • Juniper EX Series Ethernet Switch
    • Juniper T Series Core Platform
    Note: Because the logging formats of devices in the Junos OS family are similar, events might not be received by the correct log source type when your device is automatically discovered. Review the automatically created log source for your device and adjust the configuration manually: add any log source type that was missed, or remove any log source type that was added incorrectly.