Juniper Networks Junos OS
The Juniper Junos OS Platform DSM for JSA accepts events that use syslog, structured-data syslog, or PCAP (SRX Series only). JSA records all valid syslog or structured-data syslog events.
The Juniper Junos OS Platform DSM supports the following Juniper devices that are running Junos OS:
Juniper M Series Multiservice Edge Routing
Juniper MX Series Ethernet Services Router
Juniper T Series Core Platform
Juniper SRX Series Services Gateway
For information on configuring PCAP data that uses a Juniper Networks SRX Series appliance, see Configure the PCAP Protocol.
For more information about structured-data syslog, see RFC 5424 at the Internet Engineering Task Force: http://www.ietf.org/
Before you configure JSA to integrate with a Juniper device, you must forward data to JSA using syslog or structured-data syslog.
Log in to your Juniper platform command-line interface (CLI).
Include the following syslog statements at the set system hierarchy level:

    [set system]
    syslog {
        host (hostname) {
            facility <severity>;
            explicit-priority;
            any any;
            authorization any;
            firewall any;
        }
        source-address source-address;
        structured-data {
            brief;
        }
    }
The following table lists and describes the configuration setting variables to be entered in the syslog statement.
Parameter | Description |
---|---|
host | Type the IP address or the fully qualified host name of your JSA. |
Facility | Define the severity of the messages that belong to the named facility with which it is paired. Valid severity levels are: Any, None, Emergency, Alert, Critical, Error, Warning, Notice, Info. Messages with the specified severity level and higher are logged. The levels from emergency through info are in order from highest severity to lowest. |
Source-address | Type a valid IP address configured on one of the router interfaces for system logging purposes. The source-address is recorded as the source of the syslog message sent to JSA. This IP address is specified in the host hostname statement at the set system syslog hierarchy level; however, this is not for messages directed to the other routing engine, or to the TX Matrix platform in a routing matrix. |
structured-data | Inserts structured-data syslog into the data. |
You can now configure the log source in JSA.
The following devices are auto discovered by JSA as Juniper Junos OS Platform devices:
Juniper M Series Multiservice Edge Routing
Juniper MX Series Ethernet Services Router
Juniper SRX Series
Juniper EX Series Ethernet Switch
Juniper T Series Core Platform
Note: Due to logging similarities for various devices in the Junos OS family, expected events might not be received by the correct log source type when your device is automatically discovered. Review the automatically created log source for your device and then adjust the configuration manually. You can add any missed log source type or remove any incorrectly added log source type.
Syslog Log Source Parameters for Juniper Junos OS
If JSA does not automatically detect the log source, add a Juniper Junos OS log source on the JSA Console by using the Syslog protocol.
When using the syslog protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect Syslog events from Juniper Junos OS:
Parameter | Value |
---|---|
Log Source type | |
Protocol Configuration | Syslog |
For more information about your Juniper device, see your vendor documentation.
Configure the PCAP Protocol
The Juniper SRX Series appliance supports forwarding of packet capture (PCAP) and syslog data to JSA.
Syslog data is forwarded to JSA on port 514. The IP address and outgoing PCAP port number are configured on the Juniper Networks SRX Series appliance interface. The Juniper Networks SRX Series appliance must be configured in the following format to forward PCAP data:
<IP Address>:<Port>
Where,
<IP Address> is the IP address of JSA.
<Port> is the outgoing port address for the PCAP data.
For more information about Configuring Packet Capture, see your Juniper Networks Junos OS documentation.
You are now ready to configure the new Juniper Networks SRX Log Source with PCAP protocol in JSA.
PCAP Syslog Combination Log Source Parameters for Juniper SRX Series
If JSA does not automatically detect the log source, add a Juniper SRX Series log source on the JSA Console by using the PCAP Syslog Combination protocol.
JSA detects the syslog data and adds the log source automatically. The PCAP data can be added to JSA as a Juniper SRX Series Services Gateway log source by using the PCAP Syslog Combination protocol. Adding the PCAP Syslog Combination protocol after JSA auto discovers the Junos OS syslog data adds a log source to your existing log source limit. Deleting the existing syslog entry and then adding the PCAP Syslog Combination protocol adds both syslog and PCAP data as a single log source.
When using the PCAP Syslog Combination protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect PCAP Syslog Combination events from Juniper SRX Series:
Parameter | Value |
---|---|
Log Source type | Juniper SRX Series Services Gateway |
Juniper Junos OS Sample Event Message
Use this sample event message to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Juniper MX Series Ethernet Services Router sample message when you use the Syslog protocol
The following sample event message shows that a member is successfully added to a group.
<166>Oct 14 10:16:59 juniper.mxseries.test (FPC Slot 5, PIC Slot 2) 2019-10-14 08:16:59: WifiAuleU5{WifiAuleU5A}JSERVICES_SESSION_CLOSE: application:none, domain.2051 10.253.200.191:39718 [10.253.203.241:2268] -> 10.255.78.72:80 (TCP)
JSA field name | Highlighted payload field name |
---|---|
Log Source Time | Oct 14 10:16:59 |
Event ID | JSERVICES_SESSION_CLOSE |
IP address | 10.253.200.191 |
Source Port | 39718 |
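To check a forwarded event against the table above before JSA parses it, the following added example (not part of the JSA or Junos documentation) strips the pasted line breaks from the sample message, extracts the four highlighted fields, and decodes the `<166>` priority value into its syslog facility and severity. The function name `parse_junos_event` is hypothetical, and the regular expression is an assumption inferred from the single sample message on this page.

```python
import re

# Sample event from this page. The CR/LF breaks are inserted on purpose to
# mimic the copy-and-paste damage the page says to remove.
SAMPLE = (
    "<166>Oct 14 10:16:59 juniper.mxseries.test (FPC Slot 5, PIC Slot 2) "
    "2019-10-14 08:16:59:\r\n WifiAuleU5{WifiAuleU5A}JSERVICES_SESSION_CLOSE: "
    "application:none, domain.2051 10.253.200.191:39718 "
    "[10.253.203.241:2268] ->\n 10.255.78.72:80 (TCP)"
)

# Standard syslog severity names, indexed by numeric value (0 = most severe).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]

# Assumption: layout inferred from the single sample above, not a Junos grammar.
EVENT_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<time>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r".*?(?P<event_id>[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+): "
    r".*?(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d{1,5})\b"
)


def parse_junos_event(raw):
    """Hypothetical helper: return the fields JSA highlights, or None."""
    line = raw.replace("\r", "").replace("\n", "")  # undo paste line breaks
    m = EVENT_RE.match(line)
    if m is None or int(m.group("pri")) > 191:  # PRI above 191 is invalid
        return None
    # Syslog PRI encodes both values: PRI = facility * 8 + severity.
    facility, severity = divmod(int(m.group("pri")), 8)
    return {
        "Log Source Time": m.group("time"),
        "Event ID": m.group("event_id"),
        "IP address": m.group("src_ip"),
        "Source Port": int(m.group("src_port")),
        "facility": facility,
        "severity": SEVERITIES[severity],
    }


if __name__ == "__main__":
    for name, value in parse_junos_event(SAMPLE).items():
        print(f"{name}: {value}")
```

A `None` result for an event captured on the wire means the message does not match the layout of the sample, which is worth checking before adjusting the log source type in JSA.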