
[STRM] How to configure IDP-ISG direct log source (without NSM)

Article ID: KB17785 | KB Last Updated: 02 Aug 2011 | Version: 2.0
Summary:
Starting with ScreenOS release 6.1r2, the ISG 1000/2000 device with IDP can send Syslog events to third-party Syslog servers. With earlier releases, IDP logs could only be sent to an NSM server. In some cases the NetScreen IDP log is not recognized correctly by STRM, and additional configuration is required.
Symptoms:
STRM receives two types of logs from the device: the Juniper NetScreen firewall log and the Juniper NetScreen IDP log. The Juniper NetScreen IDP log is very likely to be parsed incorrectly, because it is handled by the Juniper NetScreen Firewall device type.

Solution:
To enable and configure this feature from the CLI:
set syslog config IP_address_or_hostname log logvalue

Options for logvalue are:
all
event
idp
traffic
Example: set syslog config 10.1.1.2 log idp

To enable this feature from the WebUI:
Go to Configuration > Report Settings > Syslog
Here you will see a new option to enable and configure syslog for the IDP.
Once this is configured, continue with the following steps:
  1. Create two log sources that use the same IP address as the Log Source Identifier but different device types (Juniper Firewall and Juniper IDP).
  2. Configure the parsing order:
    From the Admin tab, go to Data Source > Log Source Parsing Ordering. Find the two new log sources and order them so that the Juniper Firewall device type is above the Juniper IDP device type, as shown in the screenshot below:
  3. Deploy the changes.

With this setting, STRM should parse both logs correctly. For more information about parsing order, refer to Log_Source.pdf and search for the keyword "Defining Log Source Parsing Order".
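As an added illustration of why a second log source and its parsing order matter, the following Python sketch is example code written for this article; it is not part of the KB, of STRM, or of any Juniper product. It dispatches syslog lines through an ordered list of device-type parsers, with Juniper Firewall placed above Juniper IDP as the steps above prescribe, and contrasts that with the symptom case in which only a firewall log source exists for the device address. The sample log lines, field names, regular expressions and the parser names are simplified constructions, not the real NetScreen or IDP syslog formats.

```python
"""Ordered log-source parsing, in the spirit of STRM's parsing order.

Added example for this KB article. Everything below (log lines, field
names, match rules) is constructed for illustration and is NOT the real
ScreenOS firewall or IDP syslog grammar.
"""
import re

# Constructed sample lines. Both originate from the same ISG management
# address, which is why one IP address maps to two STRM log sources.
SAMPLE_LINES = [
    "<134>NetScreen device_id=isg2000 [Root]system-notification-00257(traffic): "
    "policy_id=1 service=http proto=6 action=Permit src=10.1.1.5 dst=203.0.113.7",
    "<132>NetScreen device_id=isg2000 [Root]system-alert-00000: IDP: "
    "attack=EXAMPLE-ATTACK severity=high src=203.0.113.9 dst=10.1.1.5",
]

# Constructed match rules: the firewall rule keys on the "(traffic)" marker,
# the IDP rule on an "IDP:" marker. Real DSMs are far more detailed.
FIREWALL_RE = re.compile(r"system-notification-\d+\(traffic\):")
IDP_RE = re.compile(r"\bIDP:\s+")
KV_RE = re.compile(r"(\w+)=(\S+)")


def extract_fields(line):
    """Collect key=value pairs from a syslog line into a dict."""
    return dict(KV_RE.findall(line))


def parse_firewall(line):
    """Juniper Firewall device type: accept only lines it recognises."""
    if FIREWALL_RE.search(line) is None:
        return None
    return {"device_type": "Juniper Firewall", "fields": extract_fields(line)}


def parse_idp(line):
    """Juniper IDP device type: accept only lines it recognises."""
    if IDP_RE.search(line) is None:
        return None
    return {"device_type": "Juniper IDP", "fields": extract_fields(line)}


# Parsing order as the KB instructs: Juniper Firewall above Juniper IDP.
PARSING_ORDER = [
    ("Juniper Firewall", parse_firewall),
    ("Juniper IDP", parse_idp),
]


def classify(line, order=PARSING_ORDER):
    """Try each log source in order; the first parser that accepts the line wins.

    A line no parser accepts is reported as unknown rather than being
    forced into the wrong device type.
    """
    for _name, parser in order:
        result = parser(line)
        if result is not None:
            return result
    return {"device_type": "unknown", "fields": {}}


def classify_single_source(line):
    """Symptom case: only a firewall log source exists for this address.

    Every line from the address is attributed to the Juniper Firewall
    device type, so the IDP event is mis-labelled and its IDP-specific
    fields are not interpreted as IDP data.
    """
    return {"device_type": "Juniper Firewall", "fields": extract_fields(line)}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ordered = classify(line)
        single = classify_single_source(line)
        print(f"ordered -> {ordered['device_type']:16s} "
              f"single-source -> {single['device_type']}")
```

With the two-source ordered chain, the traffic line is claimed by the firewall parser and the IDP line falls through to the IDP parser; with a single firewall source, both lines are labelled as firewall events, which is the mis-parse the Symptoms section describes.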
