The Juniper Junos OS Platform DSM for IBM QRadar accepts events that use syslog, structured-data syslog, or PCAP (SRX Series only). QRadar records all valid syslog or structured-data syslog events.
About this task
The Juniper Junos OS Platform DSM supports the following Juniper devices that are running Junos OS:
- Juniper M Series Multiservice Edge Routing
- Juniper MX Series Ethernet Services Router
- Juniper T Series Core Platform
- Juniper SRX Series Services Gateway
For information on configuring PCAP data that uses a Juniper Networks SRX Series appliance, see
Configure the PCAP Protocol.
Note: For more information about structured-data syslog, see RFC 5424 at the Internet Engineering Task Force: http://www.ietf.org/
Before you configure QRadar to integrate with a Juniper device, you must configure the device to forward its log data to QRadar by using syslog or structured-data syslog.
Procedure
- Log in to your Juniper platform command-line interface (CLI).
- Include the following syslog statements at the [edit system] hierarchy level. Each facility severity line (any any, authorization any, and firewall any in this example) selects a class of messages and the lowest severity to forward; structured-data is configured per remote host, and source-address applies to all remote hosts:

    [edit system]
    syslog {
        host hostname {
            any any;
            authorization any;
            firewall any;
            explicit-priority;
            structured-data {
                brief;
            }
        }
        source-address source-address;
    }
The following table lists and describes the variables in the syslog statement.

List of Syslog Configuration Setting Variables

Parameter | Description
host | Type the IP address or the fully qualified host name of the QRadar system that receives the syslog messages.
facility severity | Each facility severity line names a class of messages (for example any, authorization, or firewall) and the lowest severity in that class that is forwarded. Valid severity levels are emergency, alert, critical, error, warning, notice, and info, listed here from highest severity to lowest; messages at the specified level and higher are sent. The keyword any in the severity position sends every message in the facility, and none sends no messages from it.
explicit-priority | Includes the facility and severity of each message in the message text itself, in the form %FACILITY-SEVERITY (for example %DAEMON-6), so the priority is preserved even by receivers that do not interpret the syslog PRI field.
source-address | Type a valid IP address that is configured on one of the router interfaces. It is used as the source address of every syslog message sent to the remote hosts named in host statements at the [edit system syslog] hierarchy level, so QRadar records it as the source of the message. It does not apply to messages directed to the other Routing Engine, or to the TX Matrix platform in a routing matrix.
structured-data | Sends messages to this host in the RFC 5424 structured-data format. The optional brief statement omits the English-language text from the end of each message.
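To check what the configuration above actually puts on the wire before pointing it at QRadar, the following Python script (an added example for this page, not IBM or Juniper code) parses RFC 5424 structured-data syslog in the layout Junos emits: it decodes the PRI field into facility and severity, extracts the parameters of the Junos SD element (SD-ID junos@2636.<product OID>), tolerates the shorter messages produced by the brief statement, and applies the facility severity threshold described in the table. The sample lines are constructed to mimic Junos output; the hostnames, PIDs, user names and addresses in them are invented. Severity level 7 (debug) is included because RFC 5424 defines it, although the table above does not list it.

```python
"""Decode RFC 5424 structured-data syslog in the layout a Junos device sends to QRadar.
Added example, not IBM or Juniper code. SAMPLE_LINES are constructed to mirror Junos
output with `structured-data` configured; every hostname, PID, user and address is made up."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Severity keywords of a `facility severity;` statement, numbered as in RFC 5424 (lower =
# more severe). "any"/"none" are keywords, not levels; debug (7) is in the RFC, not the guide.
SEVERITY_LEVELS = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
                   "warning": 4, "notice": 5, "info": 6, "debug": 7}
SEVERITY_NAMES = {v: k for k, v in SEVERITY_LEVELS.items()}
FACILITY_NAMES = ("kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
                  "authpriv", "ftp", "ntp", "audit", "alert", "clock") + tuple(f"local{i}" for i in range(8))

SAMPLE_LINES = [
    # full message: SD element, then the English-language text
    '<165>1 2024-05-01T09:17:15.719Z srx-edge1 mgd 3046 UI_DBASE_LOGOUT_EVENT '
    '[junos@2636.1.1.1.2.36 username="admin"] ' "User 'admin' exiting configuration mode",
    # same event with `structured-data { brief; }`: the text is omitted
    '<165>1 2024-05-01T09:17:15.719Z srx-edge1 mgd 3046 UI_DBASE_LOGOUT_EVENT '
    '[junos@2636.1.1.1.2.36 username="admin"]',
    # firewall session event; PRI 14 = facility 1 (user), severity 6 (info)
    '<14>1 2024-05-01T09:18:02.001Z srx-edge1 RT_FLOW 1234 RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.36 reason="TCP FIN" source-address="10.0.0.5" destination-address="203.0.113.7"]',
    # nil structured data ("-") plus text; PRI 36 = facility 4 (auth), severity 4 (warning)
    '<36>1 2024-05-01T09:19:00.000Z srx-edge1 sshd 4221 SSHD_LOGIN_FAILED - '
    "Login failed for user 'root' from host '198.51.100.9'",
    # parameter value carrying RFC 5424 escapes (\" inside the value)
    '<165>1 2024-05-01T09:20:41.500Z srx-edge1 mgd 3046 UI_CMDLINE_READ_LINE '
    '[junos@2636.1.1.1.2.36 username="admin" command="show configuration | match \\"syslog\\""]',
]

HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
                       r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$")
SD_ID_RE = re.compile(r"\[([^\s\]=]+)")
SD_PARAM_RE = re.compile(r'\s+([^=\s\]"]+)="((?:[^"\\]|\\.)*)"')


@dataclass
class JunosEvent:
    facility: int
    severity: int
    hostname: str
    appname: str
    msgid: str
    sd: Dict[str, Dict[str, str]]  # SD-ID -> {param: value}
    msg: Optional[str]             # None when `brief` left the text out

    def junos_params(self) -> Dict[str, str]:
        """Parameters of the Junos SD element, whose SD-ID is junos@2636.<product OID>."""
        return next((p for sd_id, p in self.sd.items() if sd_id.startswith("junos@2636")), {})


def parse_structured_data(rest: str) -> Tuple[Dict[str, Dict[str, str]], Optional[str]]:
    """Split the tail of an RFC 5424 message into SD elements and the free-text MSG."""
    if rest == "-" or rest.startswith("- "):
        return {}, rest[1:].strip() or None
    elements, pos = {}, 0
    while pos < len(rest) and rest[pos] == "[":
        m = SD_ID_RE.match(rest, pos)
        if not m:
            raise ValueError(f"bad SD-ID at offset {pos}")
        sd_id, pos, params = m.group(1), m.end(), {}
        while (pm := SD_PARAM_RE.match(rest, pos)):
            # RFC 5424 escapes '"', ']' and '\' inside PARAM-VALUE with a backslash
            params[pm.group(1)] = re.sub(r'\\(["\]\\])', r"\1", pm.group(2))
            pos = pm.end()
        if pos >= len(rest) or rest[pos] != "]":
            raise ValueError(f"unterminated SD-ELEMENT {sd_id!r}")
        elements[sd_id], pos = params, pos + 1
    return elements, rest[pos:].strip() or None


def parse_line(line: str) -> JunosEvent:
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an RFC 5424 message: {line[:40]!r}")
    pri = int(m["pri"])
    if pri > 191:  # PRI = facility * 8 + severity, facilities 0..23
        raise ValueError(f"PRI {pri} out of range")
    sd, msg = parse_structured_data(m["rest"])
    return JunosEvent(pri // 8, pri % 8, m["host"], m["app"], m["msgid"], sd, msg)


def would_be_logged(configured: str, severity: int) -> bool:
    """Apply a `facility severity;` threshold: the named level and anything more severe."""
    if configured in ("any", "none"):
        return configured == "any"
    return severity <= SEVERITY_LEVELS[configured]


def select_events(lines: List[str], configured: str) -> List[JunosEvent]:
    """Events from `lines` that a host configured with `<facility> <configured>;` would forward."""
    return [e for e in map(parse_line, lines) if would_be_logged(configured, e.severity)]


if __name__ == "__main__":
    import sys
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LINES
    for e in select_events(lines, "info"):
        name = f"{FACILITY_NAMES[e.facility]}.{SEVERITY_NAMES[e.severity]}"
        print(f"{name:<16} {e.msgid:<24} {e.junos_params()} {e.msg}")
```

Run it with no input to see the constructed samples filtered at the info level, or pipe in message payloads captured on the collector's syslog port to confirm that the severity threshold and the brief setting behave as intended. The source-address statement changes only the IP header of the packet, not the message body, so verify that setting in the capture rather than with this parser.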
You can now configure the log source in QRadar.
The following devices are automatically discovered by QRadar as Juniper Junos OS Platform devices:
- Juniper M Series Multiservice Edge Routing
- Juniper MX Series Ethernet Services Router
- Juniper SRX Series
- Juniper EX Series Ethernet Switch
- Juniper T Series Core Platform
Note: Because of logging similarities among devices in the Junos OS family, expected events might not be assigned to the correct log source type when your device is automatically discovered. Review the automatically created log source for your device and adjust the configuration manually: add any log source type that was missed, or remove any that was added incorrectly.