PCAP Syslog Combination protocol configuration options

To collect events from Juniper SRX Series Services Gateway or Juniper Junos OS Platform that forward packet capture (PCAP) data, configure a log source to use the PCAP Syslog Combination protocol.

The PCAP Syslog Combination protocol is an inbound/passive protocol.

Before you configure a log source that uses the PCAP Syslog Combination protocol, determine the outgoing PCAP port that is configured on the Juniper SRX Series Services Gateway or Juniper Junos OS Platform. PCAP data cannot be forwarded to port 514.
Note: QRadar supports receiving PCAP data only from Juniper SRX Series Services Gateway or Juniper Junos OS Platform for each event collector.

The following table describes the protocol-specific parameters for the PCAP Syslog Combination protocol:
Table 1. PCAP Syslog Combination protocol parameters

Log Source Name

Type a unique name for the log source.

Log Source Description

Optional. Type a description for the log source.
Log Source Type

From the list, select either Juniper SRX Series Services Gateway or Juniper Junos OS Platform.

Protocol Configuration

From the list, select PCAP Syslog Combination.

Log Source Identifier

Type an IP address, host name, or name to identify the Juniper SRX Series Services Gateway or Juniper Junos OS Platform appliance.

The log source identifier must be unique for the log source type.

Incoming PCAP Port

If the outgoing PCAP port is edited on the Juniper SRX Series Services Gateway or Juniper Junos OS Platform appliance, you must edit the log source to update the Incoming PCAP Port.

To edit the Incoming PCAP Port number, complete the following steps:
  1. Type the new port number for receiving PCAP data.
  2. Click Save.

The port update is complete and event collection starts on the new port number.

Enabled

Select this check box to enable the log source.

When this check box is clear, the log source does not collect events and the log source is not counted in the license limit.

Credibility

Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5.

Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or it can be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector

Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events.

This option enables administrators to poll and process events on the target event collector, instead of the Console appliance. This can improve performance in distributed deployments.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.

Coalescing events increases the event count when the same event occurs multiple times within a short time interval. Coalesced events give administrators a way to view and determine, on the Log Activity tab, how frequently a single event type occurs.

When this check box is clear, the events are displayed individually and the information is not bundled.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Log Source Extension

Optional. Select the name of the extension to apply to the log source.

This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns that are defined by a device support module (DSM).

Extension Use Condition

From the list box, select the use condition for the log source extension. The options include:

  • Parsing enhancement - Select this option when most fields parse correctly for your log source.
  • Parsing override - Select this option when the log source is unable to correctly parse events.

Groups

Select one or more groups for the log source.
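As an added illustration (not IBM's code and not a QRadar API), the following preflight validator checks a proposed log source definition against the constraints stated in this reference before an administrator saves it: the two supported Juniper log source types, the PCAP Syslog Combination protocol, the Log Source Identifier being unique within its log source type, the Incoming PCAP Port being a valid port other than 514, Credibility lying in 0-10, and the Extension Use Condition only being set together with a Log Source Extension. The `PcapLogSource` model, the `validate` function, and the inventory of existing log sources (with documentation-range addresses) are all assumptions constructed for the example.

```python
"""Preflight checks for a PCAP Syslog Combination log source definition.

Added example; not IBM's code or a QRadar API. The model below mirrors the
parameters in Table 1 so that a configuration can be checked offline.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Values quoted from the parameter reference.
SUPPORTED_TYPES = {
    "Juniper SRX Series Services Gateway",
    "Juniper Junos OS Platform",
}
PROTOCOL = "PCAP Syslog Combination"
RESERVED_SYSLOG_PORT = 514          # PCAP data cannot be forwarded to this port
CREDIBILITY_RANGE = (0, 10)         # default is 5
USE_CONDITIONS = {"Parsing enhancement", "Parsing override"}


@dataclass
class PcapLogSource:
    """Hypothetical in-memory model of the table's parameters (not a QRadar object)."""
    name: str
    log_source_type: str
    identifier: str
    incoming_pcap_port: int
    protocol: str = PROTOCOL
    enabled: bool = True
    credibility: int = 5
    description: str = ""
    extension: Optional[str] = None
    extension_use_condition: Optional[str] = None


def validate(candidate: PcapLogSource, existing: Iterable[PcapLogSource]) -> List[str]:
    """Return the constraint violations for `candidate`; an empty list means it can be saved.

    `existing` is the inventory of log sources already defined; it feeds the
    uniqueness checks for the name and for the identifier within a type.
    """
    problems: List[str] = []

    if not candidate.name.strip():
        problems.append("Log Source Name: must not be empty")
    if candidate.log_source_type not in SUPPORTED_TYPES:
        problems.append(f"Log Source Type: {candidate.log_source_type!r} is not a supported Juniper type")
    if candidate.protocol != PROTOCOL:
        problems.append(f"Protocol Configuration: must be {PROTOCOL!r}")

    port = candidate.incoming_pcap_port
    # bool is a subclass of int, so reject it explicitly.
    if not isinstance(port, int) or isinstance(port, bool) or not 1 <= port <= 65535:
        problems.append(f"Incoming PCAP Port: {port!r} is not a valid port number")
    elif port == RESERVED_SYSLOG_PORT:
        problems.append("Incoming PCAP Port: PCAP data cannot be forwarded to port 514")

    low, high = CREDIBILITY_RANGE
    if not isinstance(candidate.credibility, int) or not low <= candidate.credibility <= high:
        problems.append(f"Credibility: {candidate.credibility!r} is outside {low}-{high}")

    if candidate.extension is None and candidate.extension_use_condition is not None:
        problems.append("Extension Use Condition: set without a Log Source Extension")
    if candidate.extension is not None and candidate.extension_use_condition not in USE_CONDITIONS:
        problems.append(f"Extension Use Condition: must be one of {sorted(USE_CONDITIONS)}")

    for other in existing:
        if other is candidate:
            continue
        if other.name == candidate.name:
            problems.append(f"Log Source Name: {candidate.name!r} is already used")
        # The identifier only has to be unique within the same log source type.
        if (other.log_source_type == candidate.log_source_type
                and other.identifier == candidate.identifier):
            problems.append(
                f"Log Source Identifier: {candidate.identifier!r} already exists "
                f"for type {candidate.log_source_type!r}"
            )
    return problems


# Constructed sample inventory; 192.0.2.0/24 is a documentation address range.
EXISTING = [
    PcapLogSource("srx-edge-01", "Juniper SRX Series Services Gateway", "192.0.2.10", 2000),
]

if __name__ == "__main__":
    # A definition that reuses an identifier, picks port 514 and sets credibility out of range.
    bad = PcapLogSource("srx-edge-02", "Juniper SRX Series Services Gateway",
                        "192.0.2.10", 514, credibility=11)
    for problem in validate(bad, EXISTING):
        print("-", problem)
```

Run the module directly to see the three violations reported for the constructed bad definition; in practice the inventory would be loaded from the deployment's existing log source list rather than embedded as a constant.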