PCAP Syslog Combination protocol configuration options
To collect events from Juniper SRX Series Services Gateway or Juniper Junos OS Platform that forward packet capture (PCAP) data, configure a log source to use the PCAP Syslog Combination protocol.
The PCAP Syslog Combination protocol is an inbound/passive protocol.
QRadar supports receiving PCAP data only from Juniper SRX Series Services Gateway or Juniper Junos OS Platform for each event collector.
Parameter | Description |
---|---|
Log Source Name | Type a unique name for the log source. |
Log Source Description | Optional. Type a description for the log source. |
Log Source Type | From the list, select either Juniper SRX Series Services Gateway or Juniper Junos OS Platform. |
Protocol Configuration | From the list, select PCAP Syslog Combination. |
Log Source Identifier | Type an IP address, host name, or name to identify the Juniper SRX Series Services Gateway or Juniper Junos OS Platform appliance. The log source identifier must be unique for the log source type. |
Incoming PCAP Port | If the outgoing PCAP port is edited on the Juniper SRX Series Services Gateway or Juniper Junos OS Platform appliance, you must edit the log source to update the Incoming PCAP Port. To edit the Incoming PCAP Port number, complete the following steps: The port update is complete and event collection starts on the new port number. |
Enabled | Select this check box to enable the log source. When this check box is clear, the log source does not collect events and the log source is not counted in the license limit. |
Credibility | Select the credibility of the log source. The range is 0 (lowest) - 10 (highest). The default credibility is 5. Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events, or be adjusted in response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense. |
Target Event Collector | Select the target for the log source. When a log source actively collects events from a remote source, this field defines which appliance polls for the events. This option enables administrators to poll and process events on the target event collector instead of the Console appliance, which can improve performance in distributed deployments. |
Coalescing Events | Select this check box to enable the log source to coalesce (bundle) events. Coalescing increases the event count when the same event occurs multiple times within a short time interval. Coalesced events give administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab. When this check box is clear, the events are displayed individually and the information is not bundled. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source. |
Store Event Payload | Select this check box to enable the log source to store the payload information from an event. New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source. |
Log Source Extension | Optional. Select the name of the extension to apply to the log source. This parameter is available after a log source extension is uploaded. Log source extensions are XML files that contain regular expressions, which can override or repair the event parsing patterns that are defined by a device support module (DSM). |
Extension Use Condition | From the list box, select the use condition for the log source extension. The options include: |
Groups | Select one or more groups for the log source. |
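The Coalescing Events row describes bundling repeated identical events within a short interval so that the Log Activity tab shows one record with a count instead of many individual records. The following Python snippet is an added illustration of that idea, not QRadar's own coalescing code: the 10-second window, the choice of source IP, destination IP and event name as the identity of an event, and the sample Junos-style events are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample events for the example (not captured QRadar data):
# (epoch seconds, source IP, destination IP, event name). Sorted by time.
SAMPLE_EVENTS = [
    (1000, "10.0.0.5", "192.0.2.10", "RT_FLOW_SESSION_DENY"),
    (1001, "10.0.0.5", "192.0.2.10", "RT_FLOW_SESSION_DENY"),
    (1003, "10.0.0.5", "192.0.2.10", "RT_FLOW_SESSION_DENY"),
    (1004, "10.0.0.7", "192.0.2.10", "RT_FLOW_SESSION_CREATE"),
    (1015, "10.0.0.5", "192.0.2.10", "RT_FLOW_SESSION_DENY"),  # 15 s after the first bundle started -> new bundle
    (1016, "10.0.0.5", "192.0.2.10", "RT_FLOW_SESSION_DENY"),
]

# Assumed coalescing interval; the page does not state QRadar's actual value.
COALESCE_WINDOW_SECONDS = 10

EventKey = Tuple[str, str, str]  # (source IP, destination IP, event name)


@dataclass
class CoalescedEvent:
    """One bundle of identical events with the number of occurrences it represents."""
    key: EventKey
    first_seen: int
    last_seen: int
    count: int = 1


def coalesce(events, window: int = COALESCE_WINDOW_SECONDS) -> List[CoalescedEvent]:
    """Bundle identical events that arrive within `window` seconds of the
    bundle's first event. Events that fall outside the window start a new
    bundle, so a burst that resumes later is still visible as a separate record.
    Input is assumed sorted by timestamp."""
    open_bundles: Dict[EventKey, CoalescedEvent] = {}
    result: List[CoalescedEvent] = []
    for ts, src, dst, name in events:
        key: EventKey = (src, dst, name)
        bundle = open_bundles.get(key)
        if bundle is not None and ts - bundle.first_seen <= window:
            bundle.count += 1          # same event inside the window: raise the count
            bundle.last_seen = ts
        else:
            bundle = CoalescedEvent(key=key, first_seen=ts, last_seen=ts)
            open_bundles[key] = bundle  # replaces any expired bundle for this key
            result.append(bundle)
    return result


def summarize(events, coalescing_enabled: bool) -> List[Tuple[str, int]]:
    """What an analyst would see: (event name, count) per displayed record.
    With coalescing off every event is shown individually with a count of 1."""
    if not coalescing_enabled:
        return [(name, 1) for _ts, _src, _dst, name in events]
    return [(b.key[2], b.count) for b in coalesce(events)]


if __name__ == "__main__":
    for name, count in summarize(SAMPLE_EVENTS, coalescing_enabled=True):
        print(f"{name}: {count}")
```

Running the block prints three records (3, 1 and 2 occurrences) for the six sample events; the same input with coalescing disabled yields six records of one event each, which is the difference the check box controls.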