Starting with ScreenOS release 6.1r2, the ISG 1000/2000 device with IDP can send Syslog events to third-party Syslog servers. With previous releases, IDP logs could only be sent to an NSM server. In some cases, the NetScreen IDP log is not recognized correctly, and additional configuration is required.
STRM will receive two types of logs: the Juniper NetScreen firewall log and the Juniper NetScreen IDP log. The Juniper NetScreen IDP log will very likely not be recognized properly, because it will be parsed using the Juniper NetScreen Firewall device type.
To enable and configure this feature:
set syslog config IP_address_or_hostname log value
Options for value are:
all
event
idp
traffic
Example: set syslog config 10.1.1.2 log idp
To enable this feature from the WebUI:
Go to Configuration > Report Settings > Syslog
Here you will see a new option to enable and configure syslog for the IDP.
Once this is configured, continue with the following steps:
- Create two log sources, using the same IP address as the Log Source Identifier, but with a different device type for each (Juniper Firewall and Juniper IDP).
- Configure the parsing order:
From the Admin tab, go to Data Source > Log Source Parsing Ordering. Then find the two new log sources and order them; make sure the Juniper firewall device type is above the Juniper IDP, as shown in the screenshot below:

- Deploy the changes.
With this setting, STRM should be able to parse both logs correctly. To learn more about parsing order, refer to Log_Source.pdf (search keyword: Defining Log Source Parsing Order).