Knowledge Center Search


 

[STRM] General FAQ

  [KB19281] Show KB Properties

  [KB19281] Hide KB Properties

Categories:
Knowledge Base ID: KB19281
Last Updated: 02 Jan 2013
Version: 8.0

Summary:
Frequently Asked Questions (FAQ) for the Juniper STRM Appliance Series:

For additional FAQs, installation, and troubleshooting documents on STRM, refer to KB18161 - [STRM] Getting Started - Configuration, Troubleshooting & More (JumpStation).

Problem or Goal:
Frequently Asked Questions (FAQ) for the Juniper STRM Appliance Series.

Cause:

Solution:
Questions answered in this FAQ:


What is STRM?
STRM stands for Security Threat Response Manager. This is Juniper’s Security Information and Event Management (SIEM)/Security Event Management (SEM) offering that provides log management, correlation, collection and reporting for all Juniper and multi-vendor products. STRM also provides flow-based analysis and reporting of application and traffic trending and performance visibility.

Can STRM auto-discover my devices?
Yes; STRM can listen to the log messages coming in and automatically identify the devices.

Can STRM be deployed in a distributed model?
Yes, STRM 5000 and STRM 2500 can be deployed in a distributed model. Only STRM 5000 can be deployed as a dedicated console.

Is there a High Availability (HA) option for STRM?
Yes, HA option is available for STRM in 2009.R2.

Is there a way to set the box to factory defaults?
With 2008.3 or later, it is possible to boot from a recovery partition and set the appliance to factory defaults. When you upgrade the appliance, the partition is updated as well.
Port 22 for SSH connection to the CLI, port 443 for access to the UI, and port 514 for devices to be able to send logs to the STRM are needed at the very least.  For more information, refer to KB11458 - What ports are required for STRM communication?.

DSMs are Device Service Modules. They allow STRM to identify and categorize events coming in from different devices. In a multibox STRM deployment, DSMs (and Protocols) are only installed on the Console STRM.  For more information, refer to KB21534 - [STRM] Confirm DSM Installation in a Stand Alone or Distributed Environment.

Can we create our own DSMs?
Yes, STRM comes with a generic Universal DSM that can be customized to allow you to add your own devices/applications into STRM.  Please contact your Juniper Sales Representative if you require Professional Services to help you create your own DSM from the Universal DSM.

How can we download the latest Juniper and non-Juniper device DSMs?
The latest DSMs are posted on the Juniper's Support Site along with the patches.

Can you convert an existing STRM (all-in-one) into a collector?
No, STRM appliances are tied to an activation code; you will have to reimage the box in order to change its role.

Is it possible to forward STRM offenses/incidents to an external system via syslog or SNMP?
Yes, there is an action option in Offense Manager that allows you to send the offenses via syslog or SNMP.

How does STRM deal with Windows logs?

What is the difference between events and flows?
Events, measured in EPS (events per second), are actual logs (syslog, events) sent from Log Source devices like routers, switches, Windows, Unix hosts, firewalls and intrusion detection and prevention (IDP) systems.

Flows, measured in FPM (flows per minute), are traffic sessions monitored by STRM between network devices like routers and switches which are running special protocols like J-flow, S-flow, and so on.

Can I run TCPDUMP on the collector?
Yes, STRM allows SSH/CLI access to the system where you can use the TCPDUMP command for troubleshooting purposes.

How do I get auto-updates or patches if the box doesn’t have Internet access?
You can configure a proxy server (for more information, refer to KB12685 - Configure Proxy for STRM 2008.x Autoupdate). There is also an offline update workflow for installing patches. For manual auto-updates, the administrator must download the autoupdate file and host it on an internal Web server for the STRM to poll. For more information, refer to the Setting up a STRM Update Server Technical Note.

Do I need to configure sentries?
Sentries monitor events and flows for specific (user configured) activity. When the activity is seen, the sentry triggers an offense which will then take some other user defined action like assigning the offense to an admin for review, creating other events as needed, etc. If they are not turned on, no offenses will be generated and nothing will be detected from the flow data.

When I try to ping the STRM box, I get “IP unreachable”?
STRM has IPtables configuration by default, you will need to enable ICMP ports using the management console. To validate connectivity, you can try to SSH v2 to the box (for more information, refer to KB14001 - Enable Ping on STRM).


How does the Event Processor work in the STRM? Is the data stored locally on the Event Processors or is the data sent to the central Log Manager?

Events and Payloads are stored locally on the Event Processor. They are sent in realtime to the console if a user is on the event viewer tab and viewing in “Realtime”.  When a historical search (one minute or more) is performed, the search process will poll the remote Event Collectors/Processors for the data. It will then return the data in the form of a cursor. The cursor will be stored locally until it expires (managed search results).

If data is sent to the central Log Manager, when is the batched up data sent and what sort of deduplication/compression are we likely to see?

Deduplication for events in STRM is known as coalescing.  If coalescing is enabled, STRM will only store it under one record and payload but include a count of how many times it has occurred. The Event must have the same Event name, IPs, ports, usernames etc from the parsed values to be combined. 

Compression occurs only when the disk on the Event collector reaches 85% (configurable value within the deployment editor).  It will compress all data from that timeframe. These are uncompressed when a search is requested for the given time period.

I assume that all the reporting and event searches would still be done on the Log Manager, does this use the centrally stored data on the Log Manager or does it send distributed queries down to the Event Processors?

Manual reports will act similar to a search.  It will poll the Event Collectors/Processors and pull the data back in the form of a cursor.  A scheduled report will run off accumulated data. Once an hour, the reporting engine will perform the searches based on 15 minute increments and pull the data back.  This data is stored as accumulated data which the report will use at the scheduled run time (these launch nightly).

Purpose:
Configuration
Specifications
Troubleshooting

Related Links:

 

 

ASK THE KB

Question or KB ID:


 


 

 
Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.