Protocol Configuration Options

Log Source Type

Akamai KONA

Protocol Configuration

Akamai Kona REST API

Host

The Host value is provided during the SIEM OPEN API provisioning in the Akamai Luna Control Center. The Host is a unique base URL that contains information about the appropriate rights to query the security events. This parameter is a password field because part of the value contains secret client information.

Client Token

Client Token is one of the two security parameters. This token is paired with Client Secret to make the client credentials. This token can be found after you provision the Akamai SIEM OPEN API.

Client Secret

Client Secret is one of the two security parameters. This secret is paired with Client Token to make the client credentials. This token can be found after you provision the Akamai SIEM OPEN API.

Access Token

Access Token is a security parameter that is used with client credentials to authorize API client access for retrieving the security events. This token can be found after you provision the Akamai SIEM OPEN API.

Security Configuration ID

Security Configuration ID is the ID for each security configuration that you want to retrieve security events for. This ID can be found in the SIEM Integration section of your Akamai Luna portal. You can specify multiple configuration IDs in a comma-separated list. For example: configID1,configID2.

Use Proxy

If JSA accesses the Amazon Web Service by using a proxy, enable Use Proxy.

If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields.

If the proxy does not require authentication, configure the Proxy IP or Hostname fields.

Automatically Acquire Server Certificate

Select Yes for JSA to automatically download the server certificate and begin trusting the target server.

Recurrence

The time interval between log source queries to the Akamai SIEM API for new events. The time interval can be in hours (H), minutes (M), or days (D).The default is 1 minute.

EPS Throttle

The maximum number of events per second. The default is 5000.

Protocol Configuration

Amazon AWS S3 REST API

Log Source Identifier

Type a unique name for the log source.

The Log Source Identifier can be any valid value and does not need to reference a specific server. The Log Source Identifier can be the same value as the Log Source Name. If you have more than one Amazon AWS CloudTrail log source that is configured, you might want to identify the first log source as awscloudtrail1, the second log source as awscloudtrail2, and the third log source as awscloudtrail3.

Authentication Method

• Access Key ID / Secret Key – Standard authentication that can be used from anywhere.

• EC2 Instance IAM Role - If your managed host is running on an AWS EC2 instance, choosing this option uses the IAM Role from the instance metadata assigned to the instance for authentication; no keys are required. This method works only for managed hosts that are running within an AWS EC2 container.

Access Key

The Access Key ID that was generated when you configured the security credentials for your AWS user account

If you selected Access Key ID / Secret Key or Assume IAM Role, the Access Key parameter is displayed.

Secret Key

The Secret Key that was generated when you configured the security credentials for your AWS user account.

If you selected Access Key ID / Secret Key or Assume IAM Role, the Secret Key parameter is displayed.

Assume an IAM Role

Enable this option by authenticating with an Access Key or EC2 instance IAM Role. Then, you can temporarily assume an IAM Role for access.

Assume Role ARN

The full ARN of the role to assume. It must begin with "arn:" and can't contain any leading or trailing spaces, or spaces within the ARN.

If you enabled Assume an IAM Role, the Assume Role ARN parameter is displayed.

Assume Role Session Name

The session name of the role to assume. The default is QRadarAWSSession. Leave as the default if you don't need to change it. This parameter can contain only upper and lowercase alphanumeric characters, underscores, or any of the following characters: =,.@-

If you enabled Assume an IAM Role, the Assume Role Session Name parameter is displayed.

Event Format

AWS Cloud Trail JSON

AWS Network Firewall

AWS VPC Flow Logs

Cisco Umbrella CSB

LINEBYLINE

W3C

Region Name

The region that the SQS Queue or the AWS S3 bucket is in.

Example: us-east-1, eu-west-1, ap-northeast-3

Use as a Gateway Log Source

Select this option for the collected events to flow through the JSA Traffic Analysis engine and for JSA to automatically detect one or more log sources.

Show Advanced Options

Select this option if you want to customize the event data.

File Pattern

This option is available when you set Show Advanced Options to Yes.

Type a regex for the file pattern that matches the files that you want to pull; for example, .*?\.json\.gz

Local Directory

This option is available when you set Show Advanced Options to Yes.

The local directory on the Target Event Collector. The directory must exist before the AWS S3 REST API protocol attempts to retrieve events.

S3 Endpoint URL

This option is available when you set Show Advanced Options to Yes.

The endpoint URL that is used to query the AWS S3 REST API.

If your endpoint URL is different from the default, type your endpoint URL. The default is https:// s3.amazonaws.com

Use S3 Path-Style Access

Forces S3 requests to use path-style access.

This method is deprecated by AWS. However, it might be required when you use other S3 compatible APIs.

Use Proxy

If JSA accesses the Amazon Web Service by using a proxy, enable Use Proxy.

If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields.

If the proxy does not require authentication, configure the Proxy IP or Hostname field.

Recurrence

How often a poll is made to scan for new data.

If you are using the SQS event collection method, SQS Event Notifications can have a minimum value of 10 (seconds). Because SQS Queue polling can occur more often, a lower value can be used.

If you are using the Directory Prefix event collection method, Use a Specific Prefix has a minimum value of 60 (seconds) or 1M. Because every listBucket request to an AWS S3 bucket incurs a cost to the account that owns the bucket, a smaller recurrence value increases the cost.

Type a time interval to determine how frequently the remote directory is scanned for new event log files. The minimum value is 1 minute. The time interval can include values in hours (H), minutes (M), or days (D). For example, 2H = 2 hours, 15 M = 15 minutes.

EPS Throttle

The maximum number of events per second that are sent to the flow pipeline. The default is 5000.

Ensure that the EPS Throttle value is higher than the incoming rate or data processing might fall behind.

S3 Collection Method

Select Use a Specific Prefix.

Bucket Name

The name of the AWS S3 bucket where the log files are stored.

Directory Prefix

The root directory location on the AWS S3 bucket from where the CloudTrail logs are retrieved; for example, AWSLogs/<AccountNumber>/CloudTrial/<RegionName>/

To pull files from the root directory of a bucket, you must use a forward slash (/) in the Directory Prefix file path.

S3 Collection Method

Select SQS Event Notifications.

SQS Queue URL

The full URL that begins with , for the SQS Queue that is set up to receive notifications for ObjectCreated events from S3.

Manufacturer

Amazon

DSM name

A custom log source type

RPM file name

AWS S3 REST API PROTOCOL

Supported versions

Flow logs v5

Protocol

AWS S3 REST API PROTOCOL

Event format

IPFIX by using JSA Flow Sources

Recorded event types

Network Flows

Automatically discovered?

No

Includes identity?

No

Includes custom properties?

No

More information

(https:// docs.aws.amazon.com/vpc/latest/userguide/flowlogs. html)

Protocol Configuration

Select Amazon Web Services from the Protocol Configuration list.

Authentication Method

• Access Key ID / Secret Key — Standard authentication that can be used from anywhere.

• EC2 Instance IAM Role — If your JSA managed host is running in an AWS EC2 instance, choosing this option uses the IAM role from the metadata that is assigned to the instance for authentication; no keys are required. This method works only for managed hosts that are running within an AWS EC2 container.

Access Key

The Access Key ID that was generated when you configured the security credentials for your AWS user account.

If you selected Access Key ID / Secret Key, the Access Key parameter displays.

Secret Key

The Secret Key that was generated when you configured the security credentials for your AWS user account.

If you selected Access Key ID / Secret Key, the Access Key parameter displays.

Regions

Select the check box for each region that is associated with the Amazon Web Service that you want to collect logs from.

Other Regions

Type the names of any additional regions that are associated with the Amazon Web Service that you want to collect logs from. To collect from multiple regions use a comma-separated list, as shown in the following example: region1,region2

AWS Service

The name of the Amazon Web Service. From the AWS Service list, select CloudWatch Logs.

Log Group

The name of the log group in Amazon CloudWatch where you want to collect logs from.

Log Stream (Optional)

The name of the log stream within a log group. If you want to collect logs from all log streams within a log group, leave this field blank.

Filter Pattern (Optional)

Type a pattern for filtering the collected events. This pattern is not a regex filter. Only the events that contain the exact value that you specified are collected from CloudWatch Logs. If you type ACCEPT as the Filter Pattern value, only the events that contain the word ACCEPT are collected, as shown in the following example.

{LogStreamName: LogStreamTest,Timestamp: 0,
Message: ACCEPT OK,IngestionTime: 0,EventId: 0}

Extract Original Event

To forward only the original event that was added to the CloudWatch logs to JSA, select this option.

CloudWatch logs wrap the events that they receive with extra metadata.

The original event is the value for the message key that is extracted from the CloudWatch log. The following CloudWatch logs event example shows the original event that is extracted from the CloudWatch log in bold text:

{"owner":"123456789012","subscriptionFilters":
["allEvents"],"logEvents":
[{"id":"35093963143971327215510178578576502306458824699048362100","mes
sage":"{\"eventVersion\":\"1.05\",\"userIdentity\":
{\"type\":\"AssumedRole\",\"principalId\":\"ARO1GH58EM3ESYDW3XHP6:test
_session\",\"arn\":\"arn:aws:sts::123456789012:assumed-role\/
CVDevABRoleToBeAssumed\/
test_visibility_session\",\"accountId\":\"123456789012\",\"accessKeyId
\":\"ASIAXXXXXXXXXXXXXXXX\",\"sessionContext\":{\"sessionIssuer\":
{\"type\":\"Role\",\"principalId\":\"AROAXXXXXXXXXXXXXXXXX\",\"arn\":\
"arn:aws:iam::123456789012:role\/
CVDevABRoleToBeAssumed\",\"accountId\":\"123456789012\",\"userName\":\
"CVDevABRoleToBeAssumed\"},\"webIdFederationData\":{},\"attributes\":
{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2019-11-13T17:01:54
Z\"}}},\"eventTime\":\"2019-11-13T17:43:18Z\",\"eventSource\":\"cloudt
rail.amazonaws.com\",\"eventName\":\"DescribeTrails\",\"awsRegion\":\"
apnortheast-
1\",\"sourceIPAddress\":\"192.0.2.1\",\"requestParameters\":
null,\"responseElements\":null,\"requestID\":\"41e62e80-
b15d-4e3f-9b7e-b309084dc092\",\"eventID\":\"904b3fda-8e48-46c0-a923-
f1bb2b7a2f2a\",\"readOnly\":true,\"eventType\":\"AwsApiCall\",\"recipi
entAccountId\":\"123456789012\"}","timestamp":1573667733143}],"message
Type":"DATA_MESSAGE","logGroup":"CloudTrail\/
DefaultLogGroup","logStream":"123456789012_CloudTrail_us-east-2_2"}

Use As A Gateway Log Source

If you do not want to define a custom log source identifier for events, ensure that this check box is clear.

Log Source Identifier Pattern

If you selected Use As A Gateway Log Source, use this option to define a custom Log Source Identifier for events that are being processed.

Use key-value pairs to define the custom Log Source Identifier. The key is the Identifier Format String, which is the resulting source or origin value. The value is the associated regex pattern that is used to evaluate the current payload. This value also supports capture groups that can be used to further customize the key.

Define multiple key-value pairs by typing each pattern on a new line. Multiple patterns are evaluated in the order that they are listed. When a match is found, a custom Log Source Identifier displays.

The following examples show multiple key-value pair functions.

• Patterns - VPC=\sREJECT\sFAILURE

  $1=\s(REJECT)\sOK

  VPC-$1-$2=\s(ACCEPT)\s(OK)

• Events - {LogStreamName: LogStreamTest,Timestamp: 0,Message: ACCEPT OK,IngestionTime: 0,EventId: 0}

• Resulting custom log source identifier -

  VPC-ACCEPT-OK

Use Proxy

If JSA accesses the Amazon Web Service by using a proxy, select this option.

If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, configure the Proxy Server and Proxy Port fields.

Automatically Acquire Server Certificate(s)

Select Yes for JSA to automatically download the server certificate and begin trusting the target server.

You can use this option to initialize a newly created log source and obtain certificates, or to replace expired certificates.

EPS Throttle

The upper limit for the maximum number of events per second (EPS). The default is 5000.

If the Use As A Gateway Log Source option is selected, this value is optional.

If the EPS Throttle parameter value is left blank, no EPS limit is imposed by JSA.

Bootstrap Server List

The <hostname/ip>:<port> the bootstrap server (or servers). Multiple servers can be specified in a comma-separated list, such as in this example: hostname1:9092,10.1.1.1:9092

Consumer Group

A unique string or label that identifies the consumer group this log source belongs to.

Each record that is published to a Kafka topic is delivered to one consumer instance within each subscribing consumer group. Kafka uses these labels to load balance the records over all consumer instances in a group.

Topic Subscription Method

The method that is used for subscribing to Kafka topics. Use the List Topics option to specify specific a list of topics. Use the Regex Pattern Matching option to specify a regular expression to match against available topics.

Topic List

A list of topic names to subscribe to. The list must be comma-separated; for example: Topic1,Topic2,Topic3.

This option is only displayed when List Topics is selected for the Topic Subscription Method option.

Topic Filter Pattern

A regular expression to match the topics to subscribe to.

This option is only displayed when Regex Pattern Matching is selected for the Topic Subscription Method option.

Use SASL Authentication

This option displays SASL authentication configuration options.

When used without client authentication, you must place a copy of the server certificate in the /opt/qradar/conf/ trusted_certificates/ directory.

Use Client Authentication

Displays the client authentication configuration options.

/Key Store/Trust Store Type

The archive file format for your keystore and truststore type. The following options are available for the archive file format:

• JKS

• PKCS12

Trust Store Filename

The name of the truststore file. The truststore must be placed in /opt/qradar/conf/trusted_certificates/ kafka/.

The file contains the username and password.

Keystore Filename

The name of the keystore file. The keystore must be placed in /opt/qradar/conf/trusted_certificates/ kafka/.

The file contains the username and password.

Use As A Gateway Log Source

This option enables collected events to go through the JSA Traffic Analysis engine and to automatically detect the appropriate log sources.

Log Source Identifier Pattern

Defines a custom Log Source Identifier for events that are being processed, if the Use As A Gateway Log Source checkbox is selected.

Key-value pairs are used to define the custom Log Source Identifier. The key is the Identifier Format String, which is the resulting source or origin value. The value is the associated regex pattern that is used to evaluate the current payload. This value also supports capture groups that can be used to further customize the key.

Multiplekey-value pairs are defined by typing each pattern on a new line. Multiple patterns are evaluated in the order that they are listed. When a match is found, a custom Log Source Identifier is displayed.

The following examples show multiple key-value pair functions.

Patterns

1. VPC=\sREJECT\sFAILURE

2. $1=\s(REJECT)\sOK

3. VPC-$1-$2=\s(ACCEPT)\s(OK)

Events

1. {LogStreamName: LogStreamTest,Timestamp: 0,Message: ACCEPT OK,IngestionTime: 0,EventId: 0}

Resulting custom log source identifier

1. VPC-ACCEPT-OK

Character Sequence Replacement

Replaces specific literal character sequences in the event payload to actual characters. One or more of the following options are available:

• Newline(CR LF) Character (\r\n)

• Line Feed Character (\n)

• Carriage Return Character (\r)

• Tab Character (\t)

• Space Character (\s)

EPS Throttle

The maximum number of events per second (EPS). No throttling is applied if the field is empty.

API Username

The API user name that is used for authenticating with the Blue Coat Web Security Service. The API user name is configured through the Blue Coat Threat Pulse Portal.

Password

The password that is used for authenticating with the Blue Coat Web Security Service.

Confirm Password

Confirmation of the Password field.

Use Proxy

When you configure a proxy, all traffic for the log source travels through the proxy for JSA to access the Blue Coat Web Security Service.

Configure the Proxy IP or Hostname, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, you can leave the Proxy Username and Proxy Password fields blank.

Recurrence

You can specify when the log collects data. The format is M/H/D for Months/Hours/Days. The default is 5 M.

EPS Throttle

The upper limit for the maximum number of events per second (EPS). The default is 5000.

Log Source type

Centrify Identity Platform

Protocol Configuration

Centrify Redrock REST API

Log Source Identifier

A unique name for the log source.

The Log Source Identifier can be any valid value and does not need to reference a specific server. The Log Source Identifier can be the same value as the Log Source Name. If you have more than one Centrify Identity Platform log source that is configured, you might want to identify the first log source as centrify1, the second log source as centrify2, and the third log source as centrify3.

Tenant ID

The Centrify assigned unique customer or tenant ID.

Tenant URL

Automatically generated tenant URL for the specified tenant ID. For example, tenantId.my.centrify.com

Username

The user name that is associated with the Cloud service for Centrify Identity Platform.

Password

The password that is associated with the Centrify Identity Platform user name.

Event Logging Filter

Select the logging level of the events that you want to retrieve. Info, Warning and Error are selectable. At least one filter must be selected.

Allow Untrusted Certificates

Enable this option to allow self-signed, untrusted certificates. Do not enable this option for SaaS hosted tenants. However, if required, you can enable this option for other tenant configurations.

The certificate must be downloaded in PEM or DER encoded binary format and then placed in the /opt/ qradar/conf/trusted_certificates/ directory with a .cert or .crt file extension.

Use Proxy

When a proxy is configured, all traffic from the Centrify Redrock REST API travels through the proxy.

Configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, you can leave the Proxy Username and Proxy Password fields blank.

EPS Throttle

The maximum number of events per second. The default is 5000.

Recurrence

The time interval can be in hours (H), minutes (M) or days (D). The default is 5 minutes (5M).

Protocol Configuration

Cisco Firepower eStreamer

Server Port

The port number that the Cisco Firepower eStreamer services is configured to accept connection requests on.

The default port that JSA uses for Cisco Firepower eStreamer is 8302.

Keystore Filename

The directory path and file name for the keystore private key and associated certificate. By default, the import script creates the keystore file in the following directory: /opt/qradar/conf/estreamer.keystore.

Truststore Filename

The directory path and file name for the truststore files. The truststore file contains the certificates that are trusted by the client. By default, the import script creates the truststore file in the following directory: /opt/qradar/conf/estreamer.truststore.

Request Extra Data

Select this option to request extra data from Cisco Firepower Management Center, for example, extra data includes the original IP address of an event.

Domain

The domain where the events are streamed from.

The value in the Domain field must be a fully qualified domain. This means that all ancestors of the desired domain must be listed starting with the top-level domain and ending with the leaf domain that you want to request events from.

Example:

Global is the top level domain, B is a second level domain that is a subdomain of Global, and C is a third-level domain and a leaf domain that is a subdomain of B. To request events from C, type the following value for the Domain parameter:

Global \ B \ C

Protocol Configuration

Cisco NSEL

Log Source Identifier

If the network contains devices that are attached to a management console, you can specify the IP address of the individual device that created the event. A unique identifier for each, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.

Collector Port

The UDP port number that Cisco ASA uses to forward NSEL events. JSA uses port 2055 for flow data on JSA Flow Processors. You must assign a different UDP port on the Cisco Adaptive Security Appliance for NetFlow.

Protocol Configuration

EMC VMware

Log Source Identifier

The value for this parameter must match the VMware IP parameter.

VMware IP

The IP address of the VMWare ESXi server. The VMware protocol appends the IP address of your VMware ESXi server with HTTPS before the protocol requests event data.

Service Account Credential Type

Specify where the required Service Account Credentials are coming from.

Ensure that the associated service account has the Pub/Sub Subscriber role or the more specific pubsub.subscriptions.consume permission on the configured Subscription Name in GCP.

User Managed Key

Provided in the Service Account Key field by inputting the full JSON text from a downloaded Service Account Key.

GCP Managed Key

Ensure that the JSA managed host is running in a GCP Compute instance and the Cloud API access scopes include Cloud Pub/Sub.

Subscription Name

The full name of the Cloud Pub/Sub subscription. For example, projects/my-project/subscriptions/my-subscription.

Use As A Gateway Log Source

Select this option for the collected events to flow through the JSA Traffic Analysis engine and for JSA to automatically detect one or more log sources.

When you select this option, the Log Source Identifier Pattern can optionally be used to define a custom Log Source Identifier for events being processed.

Log Source Identifier Pattern

When the Use As A Gateway Log Source option is selected, use this option to define a custom log source identifier for events that are processed. If the Log Source Identifier Pattern is not configured, JSA receives events as unknown generic log sources.

The Log Source Identifier Pattern field accepts key-value pairs, such as key=value, to define the custom Log Source Identifier for events that are being processed and for log sources to be automatically discovered when applicable. Key is the Identifier Format String which is the resulting source or origin value. Value is the associated regex pattern that is used to evaluate the current payload. The value (regex pattern) also supports capture groups which can be used to further customize the key (Identifier Format String).

Multiple key-value pairs can be defined by typing each pattern on a new line. When multiple patterns are used, they are evaluated in order until a match is found. When a match is found, a custom Log Source Identifier displays.

The following examples show the multiple key-value pair functionality:

Patterns

VPC=\sREJECT\sFAILURE $1=\s(REJECT)\sOK VPC-$1-$2=\s(ACCEPT)\s(OK)

Events

{LogStreamName: LogStreamTest,Timestamp: 0,Message: ACCEPT OK,IngestionTime: 0,EventId: 0}

Resulting custom log source identifier

VPC-ACCEPT-OK

Use Proxy

Select this option for JSA to connect to the GCP by using a proxy.

If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields.

If the proxy does not require authentication, configure the Proxy Server and Proxy Port fields.

Proxy IP or Hostname

The IP or host name of the proxy server.

Proxy Port

The port number that is used to communicate with the proxy server.

The default is 8080.

Proxy Username

Required only when the proxy requires authentication.

Proxy Password

Required only when the proxy requires authentication.

EPS Throttle

The upper limit for the maximum number of events per second (EPS) that this log source should not exceed. The default is 5000.

If the Use As A Gateway Log Source option is selected, this value is optional.

If the EPS Throttle parameter value is left blank, no EPS limit is imposed by JSA.

Log Source Identifier

Type a unique name for the log source.

The Log Source Identifier can be any valid value and does not need to reference a specific server. The Log Source Identifier can be the same value as the Log Source Name. If you have more than one Google G Suite log source that is configured, you might want to create unique identifiers. For example, you can identify the first log source as googlegsuite1, the second log source as googlegsuite2, and the third log source as googlegsuite3.

User Account

Google user account, which has reports privileges.

Service Account Credentials

Authorizes access to Google's APIs for retrieving the events. The Service Account Credentials are contained in a JSON formatted file that you download when you create a new service account in the Google Cloud Platform.

Use Proxy

If JSA accesses Google G Suite by using a proxy, enable this option.

If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields.

If the proxy does not require authentication, configure the Proxy Server and Proxy Port fields.

Recurrence

The time interval between log source queries to the Google G Suite Activity Reports API for new events. The time interval can be in hours (H), minutes (M), or days (D).

The default is 5 minutes.

EPS Throttle

The maximum number of events per second.

Event Delay

The delay, in seconds, for collecting data.

Google G Suite logs work on an eventual delivery system. To ensure that no data is missed, logs are collected on a delay.

The default delay is 7200 seconds (2 hours), and can be set as low as 0 seconds.

Protocol Configuration

From the list, select HTTP Receiver.

Log Source Identifier

The IP address, hostname, or any name to identify the device.

Must be unique for the log source type.

Communication Type

Select HTTP, or HTTPs, or HTTPs and Client Authentication.

Client Certificate Path

If you select HTTPs and Client Authentication as the communication type, you must set the absolute path to the client certificate. You must copy the client certificate to the JSA console or the Event Collector for the log source.

TLS version

The versions of TLS that can be used with this protocol. To use the most secure version, select the TLSv1.2 option.

When you select an option with multiple available versions, the HTTPS connection negotiates the highest version available by both the client and server.

Listen Port

The port that is used by JSA to accept incoming HTTP Receiver events. The default port is 12469.

Message Pattern

By default, the entire HTTP POST is processed as a single event. To divide the POST into multiple single-line events, provide a regular expression to denote the start of each event.

Use As A Gateway Log Source

Select this option for the collected events to flow through the JSA Traffic Analysis engine and for JSA to automatically detect one or more log sources.

Max Payload Length (Byte)

The maximum payload size of a single event in bytes. The event is split when its payload size exceeds this value.

The default value is 8192, and it must not be greater than 32767.

Max POST method Request Length (MB)

The max size of a POST method request body in MB. If a POST request body size exceeds this value, an HTTP 413 status code is returned.

The default value is 5, and it must not be greater than 10.

EPS Throttle

The maximum number of events per second (EPS) that you do not want this protocol to exceed. The default is 5000.

Log Source Name

Type a unique name for the log source.

Log Source Description (Optional)

Type a description for the log source.

Log Source Type

Select your Device Support Module (DSM) that uses the JDBC protocol from the Log Source Type list.

Protocol Configuration

JDBC

Log Source Identifier

Type a name for the log source. The name can't contain spaces and must be unique among all log sources of the log source type that is configured to use the JDBC protocol.

If the log source collects events from a single appliance that has a static IP address or hostname, use the IP address or hostname of the appliance as all or part of the Log Source Identifier value; for example, 192.168.1.1 or JDBC192.168.1.1. If the log source doesn't collect events from a single appliance that has a static IP address or hostname, you can use any unique name for the Log Source Identifier value; for example, JDBC1, JDBC2.

Database Type

Select the type of database that contains the events.

Database Name

The name of the database to which you want to connect.

IP or Hostname

The IP address or hostname of the database server.

Port

Enter the JDBC port. The JDBC port must match the listen port that is configured on the remote database. The database must permit incoming TCP connections. The database must permit incoming TCP connections. The valid range is 1 - 65535.

The defaults are:

• MSDE - 1433

• Postgres - 5432

• MySQL - 3306

• Sybase - 5000

• Oracle - 1521

• Informix - 9088

• Db2 - 50000

If a Database Instance is used with the MSDE database type, administrators must leave the Port parameter blank in the log source configuration.

Username

A user account for JSA in the database.

Password

The password that is required to connect to the database.

Confirm Password

The password that is required to connect to the database.

Authentication Domain (MSDE only)

If you did not select Use Microsoft JDBC, Authentication Domain is displayed.

The domain for MSDE that is a Windows domain. If your network does not use a domain, leave this field blank.

Database Instance (MSDE or Informix only)

The database instance, if required. MSDE databases can include multiple SQL server instances on one server.

When a non-standard port is used for the database or access is blocked to port 1434 for SQL database resolution, the Database Instance parameter must be blank in the log source configuration.

Predefined Query (Optional)

Select a predefined database query for the log source. If a predefined query is not available for the log source type, administrators can select none.

Table Name

The name of the table or view that includes the event records. The table name can include the following special characters: dollar sign ($), number sign (#), underscore (_), en dash (-), and period (.).

Select List

The list of fields to include when the table is polled for events. You can use a comma-separated list or type an asterisk (*) to select all fields from the table or view. If a comma-separated list is defined, the list must contain the field that is defined in the Compare Field.

Compare Field

A numeric value or timestamp field from the table or view that identifies new events that are added to the table between queries. Enables the protocol to identify events that were previously polled by the protocol to ensure that duplicate events are not created.

Use Prepared Statements

Prepared statements enable the JDBC protocol source to set up the SQL statement, and then run the SQL statement numerous times with different parameters. For security and performance reasons, most JDBC protocol configurations can use prepared statements.

Start Date and Time (Optional)

Select or enter the start date and time for database polling. The format is yyyy-mm-dd HH:mm, where HH is specified using a 24 hour clock.

If this parameter is empty, polling begins immediately and repeats at the specified polling interval.

This parameter is used to set the time and date at which the protocol connects to the target database to initialize event collection. It can be used along with the Polling Interval parameter to configure specific schedules for the database polls. For example, to ensure that the poll happens at five minutes past the hour, every hour, or to ensure that the poll happens at exactly 1:00 AM each day.

This parameter cannot be used to retrieve older table rows from the target database. For example, if you set the parameter to Last Week, the protocol does not retrieve all table rows from the previous week. The protocol retrieves rows that are newer than the maximum value of the Compare Field on initial connection.

Polling Interval

Enter the amount of time between queries to the event table. To define a longer polling interval, append H for hours or M for minutes to the numeric value

The maximum polling interval is one week.

EPS Throttle

The number of Events Per Second (EPS) that you do not want this protocol to exceed. The valid range is 100 - 20,000.

Security Mechanism (Db2 only)

From the list, select the security mechanism that is supported by your Db2 server. If you don't want to select a security mechanism, select None.

The default is None.

For more information about security mechanisms that are supported by Db2 environments, see the https://support.juniper.net/support/downloads/.

Use Named Pipe Communication (MSDE only)

If you did not select Use Microsoft JDBC, Use Named Pipe Communication is displayed.

MSDE databases require the username and password field to use a Windows authentication username and password and not the database username and password. The log source configuration must use the default named pipe on the MSDE database.

Database Cluster Name (MSDE only)

If you selected Use Named Pipe Communication, Use Named Pipe Communication parameter is displayed.

If you are running your SQL server in a cluster environment, define the cluster name to ensure named pipe communication functions properly.

Use NTLMv2 (MSDE only)

If you did not select Use Microsoft JDBC, Use NTLMv2 is displayed.

Select this option if you want MSDE connections to use the NTLMv2 protocol when they are communicating with SQL servers that require NTLMv2 authentication. This option does not interrupt communications for MSDE connections that do not require NTLMv2 authentication.

Does not interrupt communications for MSDE connections that do not require NTLMv2 authentication.

Use Microsoft JDBC (MSDE only)

If you want to use the Microsoft JDBC driver, you must enable Use Microsoft JDBC.

Use SSL (MSDE only)

Select this option if your connection supports SSL. This option appears only for MSDE.

SSL Certificate Hostname

This field is required when both Use Microsoft JDBC and Use SSL are enabled.

This value must be the fully qualified domain name (FQDN) for the host. The IP address is not permitted.

For more information about SSL certificates and JDBC, see the procedures at the following links:

• QRadar: Configuring JDBC Over SSL with a Self-signed certificate

• Configuring JDBC Over SSL with an Externally-signed Certificate

Use Oracle Encryption

Oracle Encryption and Data Integrity settings is also known as Oracle Advanced Security.

If selected, Oracle JDBC connections require the server to support similar Oracle Data Encryption settings as the client.

Database Locale (Informix only)

For multilingual installations, use this field to specify the language to use.

Code-Set (Informix only)

The Code-Set parameter displays after you choose a language for multilingual installations. Use this field to specify the character set to use.

Enabled

Select this checkbox to enable the log source. By default, the checkbox is selected.

Credibility

From the list, select the Credibility of the log source. The range is 0 - 10.

The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.

Target Event Collector

Select the Target Event Collector to use as the target for the log source.

Coalescing Events

Select the Coalescing Events checkbox to enable the log source to coalesce (bundle) events.

By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Store Event Payload

Select the Store Event Payload checkbox to enable the log source to store event payload information.

By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Protocol Configuration

JDBC - SiteProtector

Database Type

From the list, select MSDE as the type of database to use for the event source.

Database Name

Type RealSecureDB as the name of the database to which the protocol can connect.

IP or Hostname

The IP address or host name of the database server.

Port

The port number that is used by the database server. The JDBC SiteProtector configuration port must match the listener port of the database. The database must have incoming TCP connections enabled. If you define a Database Instance when with MSDE as the database type, you must leave the Port parameter blank in your log source configuration.

Username

If you want to track access to a database by the JDBC protocol, you can create a specific user for your JSA system.

Authentication Domain

If you select MSDE and the database is configured for Windows, you must define a Windows domain.

If your network does not use a domain, leave this field blank.

Database Instance

If you select MSDE and you have multiple SQL server instances on one server, define the instance to which you want to connect. If you use a non-standard port in your database configuration, or access is blocked to port 1434 for SQL database resolution, you must leave the Database Instance parameter blank in your configuration.

Predefined Query

The predefined database query for your log source. Predefined database queries are only available for special log source connections.

Table Name

SensorData1

AVP View Name

SensorDataAVP

Response View Name

SensorDataResponse

Select List

Type * to include all fields from the table or view.

Compare Field

SensorDataRowID

Use Prepared Statements

Prepared statements allow the JDBC protocol source to set up the SQL statement, and then execute the SQL statement numerous times with different parameters. For security and performance reasons, use prepared statements. You can clear this check box to use an alternative method of querying that does not use pre-compiled statements.

Include Audit Events

Specifies to collect audit events from IBM Proventia Management SiteProtector.

Start Date and Time

Optional. A start date and time for when the protocol can start to poll the database.

Polling Interval

The amount of time between queries to the event table. You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. Numeric values without an H or M designator poll in seconds.

EPS Throttle

The number of Events Per Second (EPS) that you do not want this protocol to exceed.

Database Locale

For multilingual installations, use the Database Locale field to specify the language to use.

Database Codeset

For multilingual installations, use the Codeset field to specify the character set to use.

Use Named Pipe Communication

If you are using Windows authentication, enable this parameter to allow authentication to the AD server. If you are using SQL authentication, disable Named Pipe Communication.

Database Cluster Name

The cluster name to ensure that named pipe communications function properly.

Use NTLMv2

Forces MSDE connections to use the NTLMv2 protocol with SQL servers that require NTLMv2 authentication. The Use NTLMv2 check box does not interrupt communications for MSDE connections that do not require NTLMv2 authentication.

Use SSL

Enables SSL encryption for the JDBC protocol.

Log Source Language

Select the language of the events that are generated by the log source. The log source language helps the system parse events from external appliances or operating systems that can create events in multiple languages.

Log Source Type

Juniper Networks Network and Security Manager

Protocol Configuration

Juniper NSM

Protocol Configuration

Security Binary Log Collector

XML Template File Location

The path to the XML file used to decode the binary stream from your Juniper SRX Series Services Gateway or Juniper J Series appliance. By default, the device support module (DSM) includes an XML file for decoding the binary stream.

The XML file is in the following directory: /opt/qradar/conf/security_log.xml.

Protocol Configuration

Log File

Select the protocol to use when retrieving log files from a remote server.

• SFTP - Secure file transfer protocol (default)

• FTP - File transfer protocol

• FTPS - File transfer protocol secure

• SCP - Secure copy protocol

• AWS - Amazon Web Services

The server that you specify in the Remote IP or Hostname field must enable the SFTP subsystem to retrieve log files with SCP or SFTP.

Remote Port

If the remote host uses a non-standard port number, you must adjust the port value to retrieve events.

SSH Key File

If the system is configured to use key authentication, type the SSH key. When an SSH key file is used, the Remote Password field is ignored.

The SSH key must be located in the /opt/qradar/conf/keys directory.

Remote Directory

For FTP, if the log files are in the remote users home directory, you can leave the remote directory blank. A blank remote directory field supports systems where a change in the working directory (CWD) command is restricted.

Recursive

Enable this checkbox to allow FTP or SFTP connections to recursively search subfolders of the remote directory for event data. Data that is collected from subfolders depends on matches to the regular expression in the FTP File Pattern. The Recursive option is not available for SCP connections.

FTP File Pattern

The regular expression (regex) that is needed to identify the files to download from the remote host.

FTP Transfer Mode

For ASCII transfers over FTP, you must select NONE in the Processor field and LINEBYLINE in the Event Generator field.

The versions of TLS that can be used with FTPS connections. To use the most secure version, select the TLSv1.2 option. When you select an option with multiple available versions, the FTPS connection negotiates the highest version available by both the client and server.

This option can be configured only if you selected FTPS in the Service Type parameter.

Recurrence

The time interval to determine how frequently the remote directory is scanned for new event log files. The time interval can include values in hours (H), minutes (M), or days (D). For example, a recurrence of 2H scans the remote directory every 2 hours.

Run On Save

Starts the log file import immediately after you save the log source configuration. When selected, this checkbox clears the list of previously downloaded and processed files. After the first file import, the Log File protocol follows the start time and recurrence schedule that is defined by the administrator.

EPS Throttle

The number of Events Per Second (EPS) that the protocol cannot exceed.

Change Local Directory?

Changes the local directory on the Target Event Collector to store event logs before they are processed.

Local Directory

The local directory on the Target Event Collector. The directory must exist before the Log File protocol attempts to retrieve events.

File Encoding

The character encoding that is used by the events in your log file.

Folder Separator

The character that is used to separate folders for your operating system. Most configurations can use the default value in Folder Separator field. This field is intended for operating systems that use a different character to define separate folders. For example, periods that separate folders on mainframe systems.

Use Event Hub Connection String

Authenticate with an Azure Event Hub by using a connection string.

Event Hub Connection String

Authorization string that provides access to an Event Hub. For example,

Endpoint=sb://<Namespace Name>.servicebus.windows.net/;SharedAccess KeyNam Key Name>;SharedAccessKey=<SAS Key>; EntityPath=<Event Hub Name>

Consumer Group

Specifies the view that is used during the connection. Each Consumer Group maintains its own session tracking. Any connection that shares consumer groups and connection information shares session tracking information.

Use Storage Account Connection String

Authenticates with an Azure Storage Account by using a connection string.

Storage Account Connection String

Authorization string that provides access to a Storage Account. For example,

DefaultEndpointsProtocol=https;Account Name=<Stor Account Name>AccountKey=<StorageAccount Key>;EndpointSuffix=core.windows.net

Format Azure Linux Events To Syslog

Formats Azure Linux logs to a single -line syslog format that resembles standard syslog logging from Linux systems.

Use as a Gateway Log Source

Select this option for the collected events to flow through the JSA Traffic Analysis engine and for JSA to automatically detect one or more log sources.

When you select this option, the Log Source Identifier Pattern can optionally be used to define a custom Log Source Identifier for events that are being processed.

Log Source Identifier Pattern

When the Use As A Gateway Log Source option is selected, use this option to define a custom log source identifier for events that are processed. If the Log Source Identifier Pattern is not configured, JSA receives events as unknown generic log sources.

The Log Source Identifier Pattern field accepts key-value pairs, such as key=value, to define the custom Log Source Identifier for events that are being processed and for log sources to be automatically discovered when applicable. Key is the Identifier Format String which is the resulting source or origin value. Value is the associated regex pattern that is used to evaluate the current payload. The value (regex pattern) also supports capture groups which can be used to further customize the key (Identifier Format String).

Multiple key-value pairs can be defined by typing each pattern on a new line. When multiple patterns are used, they are evaluated in order until a match is found. When a match is found, a custom Log Source Identifier is displayed.

The following examples show the multiple keyvalue pair functionality:

PatternsVPC=\sREJECT\sFAILURE$1=\s(REJECT)\sOKVPC-$1-$2=\s(ACCEPT)\s(OK)

Events{LogStreamName: LogStreamTest,Timestamp: 0,Message: ACCEPT OK,IngestionTime: 0,EventId: 0}

Resulting custom log source identifierVPC-ACCEPT-OK

Use Predictive Parsing

If you enable this parameter, an algorithm extracts log source identifier patterns from events without running the regex for every event, which increases the parsing speed.

Enable predictive parsing only for log source types that you expect to receive high event rates and require faster parsing.

Use Proxy

When you configure a proxy, all traffic for the log source travels through the proxy to access the Azure Event Hub. After you enable this parameter, configure the Proxy IP or Hostname, Proxy Port, Proxy Username, and Proxy Password fields.

If the proxy does not need authentication, you can leave the Proxy Username and Proxy Password fields blank.

Proxy IP or Hostname

The IP address or hostname of the proxy server.

This parameter appears when Use Proxy is enabled.

Proxy Port

The port number used to communicate with the proxy. The default value is 8080.

This parameter appears when Use Proxy is enabled.

Proxy Username

The username for accessing the proxy server.

This parameter appears when Use Proxy is enabled.

Proxy Password

The password for accessing the proxy server.

This parameter appears when Use Proxy is enabled.

EPS Throttle

The maximum number of events per second (EPS). The default is 5000.

Deprecated - Namespace Name

This option displays if Use Event Hub Connection String option is set to off.

The name of the top-level directory that contains the Event Hub entities in the Microsoft Azure Event Hubs user interface.

Deprecated - Event Hub Name

This option displays if Use Event Hub Connection String option is set to off.

The identifier for the Event Hub that you want to access. The Event Hub Name must match one of the Event Hub entities within the namespace.

Deprecated - SAS Key Name

This option displays if Use Event Hub Connection String option is set to off.

The Shared Access Signature (SAS) name identifies the event publisher.

Deprecated - SAS Key

This option displays if Use Event Hub Connection String option is set to off.

The Shared Access Signature (SAS) key authenticates the event publisher.

Deprecated - Storage Account Name

This option displays if Use Storage Account Connection String option is set to off.

The name of the storage account that stores Event Hub data.

The Storage Account Name is part of the authentication process that is required to access data in the Azure Storage Account.

Deprecated - Storage Account Key

This option displays if Use Storage Account Connection String option is set to off.

An authorization key that is used for storage account authentication.

The Storage Account Key is part of the authentication process that is required to access data in the Azure Storage Account.

Log Source type

Microsoft 365 Defender

Protocol Configuration

Microsoft Defender for Endpoint SIEM REST API

Authorization Server URL

The URL for the server that provides the authorization to obtain an access token. The access token is used as the authorization to collect events from Microsoft 365 Defender.

The Authorization Server URL uses the following format:

where <Tenant_ID> is a UUID.

Resource

The resource that is used to access Microsoft 365 Defender SIEM API events.

Client ID

Ensures that the user is authorized to obtain an access token.

Client Secret

The Client Secret value is displayed only one time, and then is no longer visible. If you don't have access to the Client Secret value, contact your Microsoft Azure administrator to request a new client secret.

Region

Select the regions that are associated with Microsoft 365 Defender SIEM API that you want to collect logs from.

Other Region

Type the names of any additional regions that are associated with the Microsoft 365 Defender SIEM API that you want to collect logs from.

Use a comma-separated list; for example, region1,region2.

Use GCC Endpoints

Enable or disable the use of GCC and GCC High & DOD endpoints. GCC and GCC High & DOD endpoints are endpoints for US Government customers.

For more information, see Microsoft Defender for Endpoint for US Government customers.

GCC Type

Select GCC or GCC High & DOD.

• GCC: Microsoft's Government Community Cloud

• GCC High & DoD: Compliant with the regulations

  from Department of Defense.

Use Proxy

If a proxy for JSA is configured, all traffic for the log source travels through the proxy so that JSA can access the Microsoft 365 Defender SIEM API.

Configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, configure the Proxy Server and Proxy Port fields.

Recurrence

You can specify how often the log collects data. The format is M/H/D for Minutes/Hours/Days.

The default is 5 M.

EPS Throttle

The upper limit for the maximum number of events per second (EPS). The default is 5000.

Protocol Configuration

Microsoft DHCP

Log Source Identifier

Type a unique hostname or other identifier unique to the log source.

Server Address

The IP address or host name of your Microsoft DHCP server.

Domain

Type the domain for your Microsoft DHCP server.

This parameter is optional if your server is not in a domain.

Username

Type the user name that is required to access the DHCP server.

Password

Type the password that is required to access the DHCP server.

Confirm Password

Type the password that is required to access the server.

Folder Path

The directory path to the DHCP log files. The default is /WINDOWS/system32/dhcp/

File Pattern

The regular expression (regex) that identifies event logs. The log files must contain a three-character abbreviation for a day of the week. Use one of the following file patterns:

English:

• IPv4 file pattern: DhcpSrvLog-(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat) \.log.

• IPv6 file pattern: DhcpV6SrvLog-(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat) \.log.

• Mixed IPv4 and IPv6 file pattern: Dhcp.*SrvLog- (?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\.log.

• Mixed IPv4 and IPv6 file pattern: Dhcp.*SrvLog-(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat) \.log.

Polish:

• IPv4 file pattern: DhcpSrvLog-(?:Pia|Pon|Sob|Wto|Sro|Csw|Nie) \.log.

• IPv6 file pattern: DhcpV6SrvLog-(?:Pt|Pon|So|Wt|Si|Csw|Nie) \.log.

Recursive

Select this option if you want the file pattern to search the sub folders.

SMB Version

The version of SMB to use:

AUTO - Auto-detects to the highest version that the client and server agree to use.

SMB1 - Forces the use of SMB1. SMB1 uses the jCIFS.jar (Java ARchive) file.

SMB2 - Forces the use of SMB2. SMB2 uses the jNQ.jar file.

SMB3 - Forces the use of SMB3. SMB3 uses the jNQ.jar file.

Polling Interval (in seconds)

The number of seconds between queries to the log files to check for new data. The minimum polling interval is 10 seconds. The maximum polling interval is 3,600 seconds.

Throttle events/sec

The maximum number of events the DHCP protocol can forward per second. The minimum value is 100 EPS. The maximum value is 20,000 EPS.

File Encoding

The character encoding that is used by the events in your log file.

Enabled

When this option is not enabled, the log source does not collect events and the log source is not counted in the license limit.

Credibility

Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector

Specifies the JSA Event Collector that polls the remote log source.

Use this parameter in a distributed deployment to improve Console system performance by moving the polling task to an Event Collector.

Coalescing Events

Increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.

When this check box is clear, events are viewed individually and events are not bundled.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. You can use this check box to override the default behavior of the system settings for an individual log source.

Protocol Configuration

Microsoft Exchange

Log Source Identifier

Type the IP address, host name, or name to identify your log source.

Server Address

The IP address or host name of your Microsoft Exchange server.

Domain

Type the domain for your Microsoft Exchange server.

This parameter is optional if your server is not in a domain.

Username

Type the user name that is required to access your Microsoft Exchange server.

Password

Type the password that is required to access your Microsoft Exchange server.

Confirm Password

Type the password that is required to access your Microsoft Exchange server.

SMTP Log Folder Path

The directory path to access the SMTP log files.

The default file path is Program Files/Microsoft/Exchange Server/ TransportRoles/Logs/ProtocolLog

When the folder path is clear, SMTP event collection is disabled.

OWA Log Folder Path

The directory path to access OWA log files.

The default file path is Windows/system32/LogFiles/W3SVC1

When the folder path is clear, OWA event collection is disabled.

MSGTRK Log Folder Path

The directory path to access message tracking logs.

The default file path is Program Files/Microsoft/Exchange Server/ TransportRoles/Logs/MessageTracking

Message tracking is available on Microsoft Exchange 2017 or 2010 servers that are assigned the Hub Transport, Mailbox, or Edge Transport server role.

Use Custom File Patterns

Select this check box to configure custom file patterns. Leave the check box clear to use the default file patterns.

MSGTRK File Pattern

The regular expression (regex) that is used to identify and download the MSTRK logs. All files that match the file pattern are processed.

The default file pattern is MSGTRK\d+-\d+\.(?:log|LOG)$

All files that match the file pattern are processed.

MSGTRKMD File Pattern

The regular expression (regex) that is used to identify and download the MSGTRKMD logs. All files that match the file pattern are processed.

The default file pattern is MSGTRKMD\d+-\d+\.(?:log|LOG)$

All files that match the file pattern are processed.

MSGTRKMS File Pattern

The regular expression (regex) that is used to identify and download the MSGTRKMS logs. All files that match the file pattern are processed.

The default file pattern is MSGTRKMS\d+-\d+\.(?:log|LOG)$

All files that match the file pattern are processed.

MSGTRKMA File Pattern

The regular expression (regex) that is used to identify and download the MSGTRKMA logs. All files that match the file pattern are processed.

The default file pattern is MSGTRKMA\d+-\d+\.(?:log|

All files that match the file pattern are processed.

SMTP File Pattern

The regular expression (regex) that is used to identify and download the SMTP logs. All files that match the file pattern are processed.

The default file pattern is .*\.(?:log|LOG)$

All files that match the file pattern are processed.

OWA File Pattern

The regular expression (regex) that is used to identify and download the OWA logs. All files that match the file pattern are processed.

The default file pattern is .*\.(?:log|LOG)$

All files that match the file pattern are processed.

Force File Read

If the check box is cleared, the log file is read only when JSA detects a change in the modified time or file size.

Recursive

If you want the file pattern to search sub folders, use this option. By default, the check box is selected.

SMB Version

Select the version of SMB that you want to use.

AUTO - Auto-detects to the highest version that the client and server agree to use.

SMB1 - Forces the use of SMB1. SMB1 uses the jCIFS.jar (Java ARchive) file

SMB2 - Forces the use of SMB2. SMB2 uses the jNQ.jar file.

SMB3 – Forces the use of SMB3. SMB3 uses the jNQ.jar file.

Polling Interval (in seconds)

Type the polling interval, which is the number of seconds between queries to the log files to check for new data. The default is 10 seconds.

Throttle Events/Second

The maximum number of events the Microsoft Exchange protocol can forward per second.

File Encoding

The character encoding that is used by the events in your log file.

Log Source Type

A custom log source type or a specific DSM that uses this protocol.

Protocol Configuration

Microsoft Graph Security API

Tenant ID

The Tenant ID value that is used for Microsoft Azure Active Directory authentication.

Client ID

The Client ID parameter value from your application configuration of Microsoft Azure Active Directory.

Client Secret

The Client Secret parameter value from your application configuration of Microsoft Azure Active Directory.

Event Filter

Retrieve events by using the Microsoft Security Graph API query filter. For example, severity eq 'high'. Do not type "filter=" before the filter parameter.

Use Proxy

If JSA accesses the Microsoft Graph Security API by proxy, enable this checkbox.

If the proxy requires authentication, configure the Proxy Hostname or IP, Proxy Port, Proxy Username, and Proxy fields.

If the proxy does not require authentication, configure the Proxy Hostname or IP and Proxy Port fields.

Proxy IP or Hostname

The IP address or hostname of the proxy server.

If Use Proxy is set to False, this option is hidden.

Proxy Port

The port number that is used to communicate with the proxy. The default is 8080.

If Use Proxy is set to False, this option is hidden.

Proxy Username

The username that is used to communicate with the proxy.

If Use Proxy is set to False, this option is hidden.

Proxy Password

The password that is used to access the proxy.

If Use Proxy is set to False, this option is hidden.

Recurrence

Type a time interval beginning at the Start Time to determine how frequently the poll scans for new data. The time interval can include values in hours (H), minutes (M), or days (D). For example, 2H - 2 hours, 15M - 15 minutes. The default is 1M.

EPS Throttle

The maximum number of events per second (EPS). The default is 5000.

Show Advanced Options

To configure the advanced options for event collection, set this option to on.

Login Endpoint

Specify the Azure AD Login Endpoint. The default value is login.microsoftonline.com.

If you disable Show Advanced Options, this option is hidden.

Graph API Endpoint

Specify the Microsoft Graph Security API URL. The default value is https://graph.microsoft.com.

If you disable Show Advanced Options, this option is hidden.

Protocol Configuration

Microsoft IIS

Log Source Identifier

Type the IP address, host name, or a unique name to identify your log source.

Server Address

The IP address or host name of your Microsoft IIS server.

Domain

Type the domain for your Microsoft IIS server.

This parameter is optional if your server is not in a domain.

Username

Type the user name that is required to access your server.

Password

Type the password that is required to access your server.

Confirm Password

Type the password that is required to access the server.

Log Folder Path

The directory path to access the log files. For example, administrators can use the c$/LogFiles/ directory for an administrative share, or the LogFiles/ directory for a public share folder path. However, the c:/LogFiles directory is not a supported log folder path.

If a log folder path contains an administrative share (C$), users with NetBIOS access on the administrative share (C$) have the privileges that are required to read the log files.

Local system or domain administrator privileges are also sufficient to access a log files that are on an administrative share.

File Pattern

The regular expression (regex) that identifies the event logs.

Recursive

If you want the file pattern to search sub folders, use this option. By default, the check box is selected.

SMB Version

Select the version of SMB that you want to use.

AUTO - Auto-detects to the highest version that the client and server agree to use.

SMB1 - Forces the use of SMB1. SMB1 uses the jCIFS.jar (Java ARchive) file.

SMB2 - Forces the use of SMB2. SMB2 uses the jNQ.jar file.

SMB3 - Forces the use of SMB3. SMB3 uses the jNQ.jar file.

Polling Interval (In seconds)

Type the polling interval, which is the number of seconds between queries to the log files to check for new data. The default is 10 seconds.

Throttle Events/Second

The maximum number of events the IIS protocol can forward per second.

File Encoding

The character encoding that is used by the events in your log file.

Protocol Configuration

Windows Security Event Log

Protocol Name

MQ JMS

IP or Hostname

The IP address or host name of the primary queue manager.

Port

The default port that is used for communicating with the primary queue manager is 1414.

Standby IP or Hostname

The IP address or host name of the standby queue manager.

Standby Port

The port that is used to communicate with the standby queue manager.

Queue Manager

The name of the queue manager.

Channel

The channel through which the queue manager sends messages. The default channel is SYSTEM.DEF.SVRCONN.

Queue

The queue or list of queues to monitor. A list of queues is specified with a comma-separated list.

Username

The user name that is used for authenticating with the MQ service.

Password

Optional: The password that is used to authenticate with the MQ service.

Incoming Message Encoding

The character encoding that is used by incoming messages.

Process Computational Fields

Optional: Select this option only if the retrieved messages contain computational data that is defined in a COBOL copybook. The binary data in the messages is processed according to the field definition found in the specified copybook file.

CopyBook File Name

This parameter displays when Process Computational Fields is selected. The name of the copybook file to use for processing data. The copybook file must be placed in /store/ec/mqjms/*

Event Formatter

Select the event formatting to be applied for any events that are generated from processing data containing computational fields. By default, No Formatting is used.

Include JMS Message Header

Select this option to include a header in each generated event containing JMS message fields such as the JMSMessageID and JMSTimestamp.

EPS Throttle

The limit for the maximum number of events per second (EPS).

Log Source Identifier

A unique name for the log source.

The name can't include spaces and must be unique among all log sources of this type that are configured with the Office 365 Message Trace REST API protocol.

Office 365 User Account email

To authenticate with the Office 365 Message Trace REST API, provide an Office 365 e-mail account with proper permissions.

Office 365 User Account Password

To authenticate with the Office 365 Message Trace REST API, provide the password that is associated with the Office 365 user account email.

Event Delay

The delay, in seconds, for collecting data.

Office 365 Message Trace logs work on an eventual delivery system. To ensure that no data is missed, logs are collected on a delay. The default delay is 900 seconds (15 minutes), and can be set as low as 0 seconds.

Use Proxy

If the server is accessed by using a proxy, select the Use Proxy checkbox. If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, configure the Proxy Server and Proxy Port fields.

Proxy IP or Hostname

The IP address or hostname of the proxy server.

Proxy Port

The port number that is used to communicate with the proxy. The default is 8080.

Proxy Username

The username that is used to access the proxy server when the proxy requires authentication.

Proxy Password

The password that is used to access the proxy server when the proxy requires authentication.

Recurrence

The time interval between log source queries to the Office 365 Message Trace REST API for new events.

The time interval can be in hours (H), minutes (M), or days (D). The default is 5 minutes.

EPS Throttle

The maximum number of events per second (EPS). The default is 5000.

Log Source Identifier

A unique name for the log source.

The Log Source Identifier can be any valid value and does not need to reference a specific server. The Log Source Identifier can be the same value as the log source Name. If you have more than one Okta log source that is configured, you might want to identify the first log source as okta1, the second log source as okta2, and the third log source as okta3.

IP or Hostname

oktaprise.okta.com

Authentication Token

A single authentication token that is generated by the Okta console and must be used for all API transactions.

Use Proxy

If JSA accesses Okta by using a proxy, enable this option.

When a proxy is configured, all traffic for the log source travels through the proxy for JSA to access Okta.

If the proxy requires authentication, configure the Hostname, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, you can leave the Proxy Username and Proxy Password fields blank.

Hostname

If you select Use Proxy, this parameter is displayed.

Proxy Port

If you select Use Proxy, this parameter is displayed.

Proxy Username

If you select Use Proxy, this parameter is displayed.

Proxy Password

If you select Use Proxy, this parameter is displayed.

Recurrence

A time interval to determine how frequently the poll is made for new data. The time interval can include values in hours (H), minutes (M), or days (D). For example, 2H = 2 hours, 15M = 15 minutes, 30 = seconds. The default is 1M.

EPS Throttle

The maximum number of events per second that are sent to the flow pipeline. The default is 5000.

Ensure that the EPS Throttle value is higher than the incoming rate or data processing might fall behind.

Protocol Configuration

OPSEC/LEA

Log Source Identifier

The IP address, host name, or any name to identify the device.

Must be unique for the log source type.

Server IP

Type the IP address of the server.

Server Port

The port number that is used for OPSEC communication. The valid range is 0 - 65,536 and the default is 18184.

Use Server IP for Log Source

Select the Use Server IP for Log Source check box if you want to use the LEA server IP address instead of the managed device IP address for a log source. By default, the check box is selected.

Statistics Report Interval

The interval, in seconds, during which the number of syslog events are recorded in the qradar.log file. The valid range is 4 - 2,147,483,648 and the default interval is 600.

Authentication Type

From the list, select the Authentication Type that you want to use for this LEA configuration. The options are sslca (default), sslca_clear, or clear. This value must match the authentication method that is used by the server.

OPSEC Application Object SIC Attribute (SIC Name)

The Secure Internal Communications (SIC) name is the distinguished name (DN) of the application, for example: CN=LEA, o=fwconsole..7psasx.

Log Source SIC Attribute (Entity SIC Name)

The SIC name of the server, for example: cn=cp_mgmt,o=fwconsole..7psasxz.

Specify Certificate

Select this check box if you want to define a certificate for this LEA configuration. JSA attempts to retrieve the certificate by using these parameters when the certificate is needed.

Certificate Filename

This option appears only if Specify Certificate is selected. Type the file name of the certificate that you want to use for this configuration. The certificate file must be located in the /opt/qradar/conf/ trusted_certificates/lea directory.

Certificate Authority IP

Type the Check Point Manager Server IP address.

Pull Certificate Password

Type the password.

OPSEC Application

The name of the application that makes the certificate request.

Enabled

Select this check box to enable the log source. By default, the check box is selected.

Credibility

From the list, select the Credibility of the log source. The range is 0 - 10.

The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.

Target Event Collector

From the list, select the Target Event Collector to use as the target for the log source.

Coalescing Events

Select the Coalescing Events check box to enable the log source to coalesce (bundle) events.

By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Store Event Payload

Select the Store Event Payload check box to enable the log source to store event payload information.

By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Protocol Configuration

Oracle Database Listener

Log Source Identifier

Type the IP address, host name, or a unique name to identify your log source.

Server Address

The IP address or host name of your Oracle Database Listener server.

Domain

Type the domain for your Oracle Database Learner server.

This parameter is optional if your server is not in a domain.

Username

Type the user name that is required to access your server.

Password

Type the password that is required to access your server.

Confirm Password

Type the password that is required to access the server.

Log Folder Path

Type the directory path to access the Oracle Database Listener log files.

File Pattern

The regular expression (regex) that identifies the event logs.

Force File Read

Select this check box to force the protocol to read the log file when the timing of the polling interval specifies.

When the check box is selected, the log file source is always examined when the polling interval specifies, regardless of the last modified time or file size attribute.

When the check box is not selected, the log file source is examined at the polling interval if the last modified time or file size attributes changed.

Recursive

If you want the file pattern to search sub folders, use this option. By default, the check box is selected.

SMB Version

Select the version of SMB that you want to use:

AUTO - Auto-detects to the highest version that the client and server agree to use.

SMB1 - Forces the use of SMB1. SMB1 uses the jCIFS.jar (Java ARchive) file.

SMB2 - Forces the use of SMB2. SMB2 uses the jNQ.jar file.

SMB3 - Forces the use of SMB3. SMB3 uses the jNQ.jar file.

Polling Interval (in seconds)

Type the polling interval, which is the number of seconds between queries to the log files to check for new data. The default is 10 seconds.

Throttle events/sec

The maximum number of events the Oracle Database Listener protocol forwards per second.

File Encoding

The character encoding that is used by the events in your log file.

Protocol Configuration

SDEE

URL

The HTTP or HTTPS URL that is required to access the log source, for example, https://www.mysdeeserver.com/cgi-bin/sdee-server.

For SDEE/CIDEE (Cisco IDS v5.x and later), the URL must end with /cgi-bin/sdee-server. Administrators with RDEP (Cisco IDS v4.x), the URL must end with /cgi-bin/event-server.

Force Subscription

When the check box is selected, the protocol forces the server to drop the least active connection and accept a new SDEE subscription connection for the log source.

Maximum Wait To Block For Events

When a collection request is made and no new events are available, the protocol enables an event block. The block prevents another event request from being made to a remote device that did not have any new events. This timeout is intended to conserve system resources.

Protocol Configuration

SMB Tail

Log Source Identifier

Type the IP address, hostname, or a unique name to identify your log source.

Server Address

The IP address or hostname of your SMB Tail server.

Domain

Type the domain for your SMB Tail server.

This parameter is optional if your server is not in a domain.

Username

Type the username that is required to access your server.

Password

Type the password that is required to access your server.

Confirm Password

Confirm the password that is required to access the server.

Log Folder Path

The directory path to access the log files. For example, administrators can use the c$/LogFiles/ directory for an administrative share, or the LogFiles/ directory for a public share folder path. However, the c:/LogFiles directory is not a supported log folder path.

If a log folder path contains an administrative share (C$), users with NetBIOS access on the administrative share (C$) have the privileges that are required to read the log files.

Local system or domain administrator privileges are also sufficient to access a log files that are on an administrative share.

File Pattern

The regular expression (regex) that identifies the event logs.

SMB Version

Select the version of Server Message Block (SMB) that you want to use.

AUTO - Auto-detects to the highest version that the client and server agree to use.

SMB1 - Forces the use of SMB1. SMB1 uses the jCIFS.jar (Java ARchive) file.

SMB2 - Forces the use of SMB2. SMB2 uses the jNQ.jar file.

SMB3 - Forces the use of SMB3. SMB3 uses the jNQ.jar file.

Force File Read

If the checkbox is cleared, the log file is read only when JSA detects a change in the modified time or file size.

Recursive

If you want the file pattern to search sub folders, use this option. By default, the checkbox is selected.

Polling Interval (In seconds)

Type the polling interval, which is the number of seconds between queries to the log files to check for new data. The default is 10 seconds.

Throttle Events/Second

The maximum number of events the SMB Tail protocol forwards per second.

File Encoding

The character encoding that is used by the events in your log file.

Protocol Configuration

SNMPv2

Community

The SNMP community name that is required to access the system that contains SNMP events. For example, Public.

Include OIDs in Event Payload

Specifies that the SNMP event payload is constructed by using name-value pairs instead of the event payload format.

When you select specific log sources from the Log Source Types list, OIDs in the event payload are required for processing SNMPv2 or SNMPv3 events.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.

Coalescing events increase the event count when the same event occurs multiple times within a short time interval. Coalesced events provide administrators a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.

When this check box is clear, the events are displayed individually and the information is not bundled.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Store Event Payload

Select this check box to enable the log source to store the payload information from an event.

New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. Administrators can use this check box to override the default behavior of the system settings for an individual log source.

Protocol Configuration

SNMPv3

Log Source Identifier

Type a unique name for the log source.

Authentication Protocol

The algorithm that you want to use to authenticate SNMP3 traps:

• SHA uses Secure Hash Algorithm (SHA) as your authentication protocol.

• MD5 uses Message Digest 5 (MD5) as your authentication protocol.

Authentication Password

The password to authenticate SNMPv3. Your authentication password must include a minimum of 8 characters.

Decryption Protocol

Select the algorithm that you want to use to decrypt the SNMPv3 traps.

• DES

• AES128

• AES192

• AES256

Decryption Password

The password to decrypt SNMPv3 traps. Your decryption password must include a minimum of 8 characters.

User

The user name that was used to configure SNMPv3 on your appliance.

Include OIDs in Event Payload

Specifies that the SNMP event payload is constructed by using name-value pairs instead of the standard event payload format. When you select specific log sources from the Log Source Types list, OIDs in the event payload are required for processing SNMPv2 or SNMPv3 events.

Log Source Type

Seculert

Protocol Configuration

Seculert Protection REST API

Log Source Identifier

Type the IP address or host name for the log source as an identifier for events from Seculert.

Each additional log source that you create when you have multiple installations ideally includes a unique identifier, such as an IP address or host name.

API Key

The API key that is used for authenticating with the Seculert Protection REST API. The API key value is obtained from the Seculert web portal.

Use Proxy

When you configure a proxy, all traffic for the log source travels through the proxy for JSA to access the Seculert Protection REST API.

Configure the Proxy IP or Hostname, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, you can leave the Proxy Username and Proxy Password fields blank.

Automatically Acquire Server Certificate(s)

If you select Yes form the list, JSA downloads the certificate and begins trusting the target server.

Recurrence

Specify when the log collects data. The format is M/H/D for Minutes/Hours/Days. The default is 1 M.

EPS Throttle

The upper limit for the maximum number of events per second (eps) for events that are received from the API.

Enabled

Select this check box to enable the log source. By default, the check box is selected.

Credibility

Select the Credibility of the log source. The range is 0 - 10.

The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.

Target Event Collector

Select the Target Event Collector to use as the target for the log source.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.

By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Store Event Payload

Select this check box to enable the log source to store event payload information.

By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Protocol Configuration

Sophos Enterprise Console JDBC

Log Source Identifier

Type a name for the log source. The name can't contain spaces and must be unique among all log sources of the log source type that is configured to use the JDBC protocol.

If the log source collects events from a single appliance that has a static IP address or host name, use the IP address or host name of the appliance as all or part of the Log Source Identifier value; for example, 192.168.1.1 or JDBC192.168.1.1. If the log source doesn't collect events from a single appliance that has a static IP address or host name, you can use any unique name for the Log Source Identifier value; for example, JDBC1, JDBC2.

Database Type

MSDE

Database Name

The database name must match the database name that is specified in the Log Source Identifier field.

Port

The default port for MSDE in Sophos Enterprise Console is 1168. The JDBC configuration port must match the listener port of the Sophos database to communicate with JSA. The Sophos database must have incoming TCP connections enabled.

If a Database Instance is used with the MSDE database type, you must leave the Port parameter blank.

Authentication Domain

If your network does not use a domain, leave this field blank.

Database Instance

The database instance, if required. MSDE databases can include multiple SQL server instances on one server.

When a non-standard port is used for the database or administrators block access to port 1434 for SQL database resolution, the Database Instance parameter must be blank.

Table Name

vEventsCommonData

Select List

*

Compare Field

InsertedAt

Use Prepared Statements

Prepared statements enable the protocol source to set up the SQL statement, and then run the SQL statement numerous times with different parameters. For security and performance reasons, most configurations can use prepared statements. Clear this check box to use an alternative method of querying that do not use pre-compiled statements.

Start Date and Time

Optional. A start date and time for when the protocol can start to poll the database. If a start time is not defined, the protocol attempts to poll for events after the log source configuration is saved and deployed.

Polling Interval

The polling interval, which is the amount of time between queries to the database. You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values without an H or M designator poll in seconds.

EPS Throttle

The number of Events Per Second (EPS) that you do not want this protocol to exceed.

Use Named Pipe Communication

If MSDE is configured as the database type, administrators can select this check box to use an alternative method to a TCP/IP port connection.

Named pipe connections for MSDE databases require the user name and password field to use a Windows authentication username and password and not the database user name and password. The log source configuration must use the default named pipe on the MSDE database.

Database Cluster Name

If you use your SQL server in a cluster environment, define the cluster name to ensure that named pipe communications function properly.

Use NTLMv2

Forces MSDE connections to use the NTLMv2 protocol with SQL servers that require NTLMv2 authentication. The default value of the check box is selected.

The Use NTLMv2 check box does not interrupt communications for MSDE connections that do not require NTLMv2 authentication.

Protocol Configuration

Syslog Redirect

Log Source Identifier Regex

Enter a regex to parse the Log Source Identifier from the payload.

Log Source Identifier

Enter a Log Source Identifier to use as a default. If the Log Source Identifier Regex cannot parse the Log Source Identifier from a particular payload by using the regex that is provided, the default is used.

Log Source Identifier Regex Format String

Format string to combine capture groups from the Log Source Identifier Regex.

For example:

1. "$1" would use the first capture group.

2. "$1$2" would concatenate capture groups 1 and 2.

3. "$1 TEXT $2" would concatenate capture group 1, the literal "TEXT" and capture group 2.

The resulting string is used as the new log source identifier.

Perform DNS Lookup On Regex Match

Select the Perform DNS Lookup On Regex Match, check box to enable DNS functionality, which is based on the Log Source Identifier Regex and parameter value.

By default, the check box is not selected.

Listen Port

Enter any unused port and set your log source to send events to JSA on that port.

Protocol

From the list, select either TCP or UDP.

The Syslog Redirect protocol supports any number of UDP syslog connections, but restricts TCP connections to 2500. If the syslog stream has more than 2500 log sources, you must enter a second log source and listen port number.

Enabled

Select this check box to enable the log source. By default, the check box is selected.

Credibility

From the list, select the Credibility of the log source. The range is 0 - 10.

The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.

Target Event Collector

From the list, select the Target Event Collector to use as the target for the log source.

Coalescing Events

Select the Coalescing Events check box to enable the log source to coalesce (bundle) events.

By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Incoming Event Payload

From the Incoming Event Payload list, select the incoming payload encoder for parsing and storing the logs.

Store Event Payload

Select the Store Event Payload check box to enable the log source to store event payload information.

By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Protocol Configuration

TCP Multiline Syslog

Log Source Identifier

Type an IP address or host name to identify the log source. To use a name instead, select Use Custom Source Name and fill in the Source Name Regex and Source Name Formatting String parameters.

Listen Port

The default port is 12468.

Aggregation Method

The default is Start/End Matching. Use ID-Linked if you want to combine multiline events that are joined by a common identifier.

Event Start Pattern

This parameter is available when you set the Aggregation Method parameter to Start/End Matching.

The regular expression (regex) that is required to identify the start of a TCP multiline event payload. Syslog headers typically begin with a date or time stamp. The protocol can create a single-line event that is based on solely on an event start pattern, such as a time stamp. When only a start pattern is available, the protocol captures all the information between each start value to create a valid event.

Event End Pattern

This parameter is available when you set the Aggregation Method parameter to Start/End Matching.

This regular expression (regex) that is required to identify the end of a TCP multiline event payload. If the syslog event ends with the same value, you can use a regular expression to determine the end of an event. The protocol can capture events that are based on solely on an event end pattern. When only an end pattern is available, the protocol captures all the information between each end value to create a valid event.

Message ID Pattern

This parameter is available when you set the Aggregation Method parameter to ID-Linked.

This regular expression (regex) required to filter the event payload messages. The TCP multiline event messages must contain a common identifying value that repeats on each line of the event message.

Event Formatter

Use the Windows Multiline option for multiline events that are formatted specifically for Windows.

Show Advanced Options

The default is No. Select Yes if you want to customize the event data.

Use Custom Source Name

This parameter is available when you set Show Advanced Options to Yes.

Select the check box if you want to customize the source name with regex.

Source Name Regex

This parameter is available when you check Use Custom Source Name.

The regular expression (regex) that captures one or more values from event payloads that are handled by this protocol. These values are used along with the Source Name Formatting String parameter to set a source or origin value for each event. This source value is used to route the event to a log source with a matching Log Source Identifier value.

Source Name Formatting String

This parameter is available when you check Use Custom Source Name.

You can use a combination of one or more of the following inputs to form a source value for event payloads that are processed by this protocol:

• One or more capture groups from the Source Name Regex. To refer to a capture group, use \x notation where x is the index of a capture group from the Source Name Regex.

• The IP address where the event data originated from. To refer to the packet IP, use the token $PIP$.

• Literal text characters. The entire Source Name Formatting String can be user-provided text. For example, if the Source Name Regex is ’hostname=(.*?)’ and you want to append hostname.com to the capture group 1 value, set the Source Name Formatting String to\1.hostname.com. If an event is processed that contains hostname=ibm, then the event payload's source value is set to ibm.hostname.com, and JSA routes the event to a log source with that Log Source Identifier.

Use as a Gateway Log Source

This parameter is available when you set Show Advanced Options to Yes.

When selected, events that flow through the log source can be routed to other log sources, based on the source name tagged on the events.

When this option is not selected and Use Custom Source Name is not checked, incoming events are tagged with a source name that corresponds to the Log Source Identifier parameter.

Flatten Multiline Events into Single Line

This parameter is available when you set Show Advanced Options to Yes.

Shows an event in one single line or multiple lines.

Retain Entire Lines during Event Aggregation

This parameter is available when you set Show Advanced Options to Yes.

If you set the Aggregation Method parameter to ID-Linked, you can enable Retain Entire Lines during Event Aggregation to either discard or keep the part of the events that comes before Message ID Pattern when concatenating events with the same ID pattern together.

Time Limit

The number of seconds to wait for additional matching payloads before the event is pushed into the event pipeline. The default is 10 seconds.

Enabled

Select this check box to enable the log source.

Credibility

Select the credibility of the log source. The range is 0 - 10.

The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.

Target Event Collector

Select the Event Collector in your deployment that should host the TCP Multiline Syslog listener.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.

By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Store Event Payload

Select this check box to enable the log source to store event payload information.

By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Protocol Configuration

TLS Syslog

Log Source Identifier

An IP address or hostname to identify the log source.

TLS Listen Port

The default TLS listen port is 6514.

Authentication Mode

The mode your TLS connection uses to authenticate. If you select the TLS and Client Authentication option, you must configure the certificate parameters.

Client Certificate Authentication

Select one of the following options from the list:

• CN Allowlist and Issuer Verification

• Client Certificate on Disk

Use CN Allowlist

Enable this parameter to use a CN allowlist.

CN Allowlist

The allowlist of trusted client certificate common names. You can enter plain text or a regular expression (regex). To define multiple entries, enter each one on a separate line.

Use Issuer Verification

Enable this parameter to use issuer verification.

Root/Intermediate Issuer's Certificate or Public key

Enter the Root/Intermediate issuer's certificate or public key in PEM format.

• Enter the certificate, beginning with:

  -----BEGIN CERTIFICATE-----

  and ending with:

  -----END CERTIFICATE-----

• Enter the public key beginning with:

  -----BEGIN PUBLIC KEY-----

  and ending with:

  -----END PUBLIC KEY-----

Check Certificate Revocation

Checks the certificate revocation status against the client certificate. This option requires network connectivity to the URL that is specified by the CRL Distribution Points field for the client certificate in the X509v3 extension.

Check Certificate Usage

Checks the contents of the certificate X509v3 extensions in the Key Usage and Extended Key Usage extension fields. For incoming client certificate, the allow values of X509v3 Key Usage are digitalSignature and keyAgreement. The allow value for X509v3 Extended Key Usage is TLS Web Client Authentication.

This property is disabled by default.

Client Certificate Path

The absolute path to the client-certificate on disk. The certificate must be stored on the JSA Console or Event Collector for this log source.

Server Certificate Type

The type of certificate to use for authentication for the server certificate and server key.

Select one of the following options from the Server Certificate Type list:

• Generated Certificate

• PEM Certificate and Private Key

• PKCS12 Certificate Chain and Password

• Choose from JSA Certificate Store

Generated Certificate

This option is available when you configure the Certificate Type.

If you want to use the default certificate and key that is generated by JSA for the server certificate and server key, select this option.

The generated certificate is named syslog-tls.cert in the /opt/ qradar/conf/trusted_certificates/ directory on the target Event Collector that the log source is assigned to.

Single Certificate and Private Key

This option is available when you configure the Certificate Type.

If you want to use a single PEM certificate for the server certificate, select this option and then configure the following parameters:

• Provided Server Certificate Path - The absolute path to the server certificate.

• Provided Private Key Path - The absolute path to the private key.

PKCS12 Certificate and Password

This option is available when you configure the Certificate Type.

If you want to use a PKCS12 file that contains the server certificate and server key, select this option and then configure the following parameters:

• PKCS12 Certificate Path - Type the file path for the PKCS12 file that contains the server certificate and server key.

• PKCS12 Password - Type the password to access the PKCS12 file.

• Certificate Alias - If there is more than one entry in the PKCS12 file, an alias must be provided to specify which entry to use. If only one alias in the PKCS12 file, leave this field blank.

Choose from JSA Certificate Store

This option is available when you configure the Certificate Type.

You can use the Certificate Management app to upload a certificate from the JSA Certificate Store.

The app is supported on JSA 7.3.3 Fix Pack 6 or later, and JSA 7.4.2 or later.

Max Payload Length

The maximum payload length (characters) that is displayed for TLS Syslog message.

Maximum Connections

The Maximum Connections parameter controls how many simultaneous connections the TLS Syslog protocol can accept for each Event Collector.

For each Event Collector, there is a limit of 1000 connections, including enabled and disabled log sources, in the TLS Syslog log source configuration.

TLS Protocols

The TLS Protocol to be used by the log source.

Select the "TLS 1.2 or later" option.

Use As A Gateway Log Source

Sends collected events through the JSA Traffic Analysis Engine to automatically detect the appropriate log source.

If you do not want to define a custom log source identifier for events, clear the checkbox.

When this option is not selected and Log Source Identifier Pattern is not configured, JSA receives events as unknown generic log sources.

Log Source Identifier Pattern

Use the Use As A Gateway Log Source option to define a custom log source identifier for events that are being processed and for log sources to be automatically discovered when applicable. If you don't configure the Log Source Identifier Pattern, JSA receives events as unknown generic log sources.

Use key-value pairs to define the custom Log Source Identifier. The key is the Identifier Format String, which is the resulting source or origin value. The value is the associated regex pattern that is used to evaluate the current payload. This value also supports capture groups that can be used to further customize the key.

Define multiple key-value pairs by typing each pattern on a new line. Multiple patterns are evaluated in the order that they are listed. When a match is found, a custom Log Source Identifier is displayed.

The following examples show multiple key-value pair functions.

• Patterns - VPC=\sREJECT\sFAILURE $1=\s(REJECT)\sOK VPC-$1-$2= \s(ACCEPT)\s(OK)

• Events - {LogStreamName: LogStreamTest,Timestamp: 0,Message: ACCEPT OK,IngestionTime: 0,EventId: 0}

• Resulting custom log source identifier - VPC-ACCEPT-OK

Enable Multiline

Aggregate multiple messages into single events based on a Start/End Matching or an ID-Linked regular expression.

Aggregation Method

This parameter is available when Enable Multiline is turned on.

• ID-Linked - Processes event logs that contain a common value at the beginning of each line.

• Start/End Matching - Aggregates events based on a start or end regular expression (regex).

Event Start Pattern

This parameter is available when Enable Multiline is turned on and the Aggregation Method is set to Start/End Matching.

The regular expression (regex) is required to identify the start of a TCP multiline event payload. Syslog headers typically begin with a date or timestamp. The protocol can create a single-line event that is based on solely on an event start pattern, such as a timestamp. When only a start pattern is available, the protocol captures all the information between each start value to create a valid event.

Event End Pattern

This parameter is available when Enable Multiline is turned on and the Aggregation Method is set to Start/End Matching.

This regular expression (regex) is required to identify the end of a TCP multiline event payload. If the syslog event ends with the same value, you can use a regular expression to determine the end of an event. The protocol can capture events that are based on solely on an event end pattern. When only an end pattern is available, the protocol captures all the information between each end value to create a valid event.

Message ID Pattern

This parameter is available when Enable Multiline is turned on and the Aggregation Method is set to ID-Linked.

This regular expression (regex) required to filter the event payload messages. The TCP multiline event messages must contain a common identifying value that repeats on each line of the event message.

Time Limit

This parameter is available when Enable Multiline is turned on and the Aggregation Method is set to ID-Linked.

The number of seconds to wait for more matching payloads before the event is pushed into the event pipeline. The default is 10 seconds.

Retain Entire Lines during Event Aggregation

This parameter is available when Enable Multiline is turned on and the Aggregation Method is set to ID-Linked.

If you set the Aggregation Method parameter to ID-Linked, you can enable Retain Entire Lines during Event Aggregation to discard or keep the part of the events that precedes Message ID Pattern. You can enable this function only when concatenating events with the same ID pattern together.

Flatten Multiline Events Into Single Line

This parameter is available when Enable Multiline is turned on.

Shows an event in one single line or multiple lines.

Event Formatter

This parameter is available when Enable Multiline is turned on.

Use the Windows Multiline option for multiline events that are formatted specifically for Windows.

Protocol Configuration

UDP Multiline Syslog

Listen Port

The default port number that is used by JSA to accept incoming UDP Multiline Syslog events is 517. You can use a different port in the range 1 - 65535.

To edit a saved configuration to use a new port number, complete the following steps:

1. In the Listen Port field, type the new port number for receiving UDP Multiline Syslog events.

2. Click Save.

3. Click Deploy Changes to make this change effective.

The port update is complete and event collection starts on the new port number.

Message ID Pattern

The regular expression (regex) required to filter the event payload messages. The UDP multiline event messages must contain a common identifying value that repeats on each line of the event message.

Event Formatter

The event formatter that formats incoming payloads that are detected by the listener. Select No Formatting to leave the payload untouched. Select Cisco ACS Multiline to format the payload into a single-line event.

In ACS syslog header, there are total_seg and seg_num fields. These two fields are used to rearrange ACS multiline events into a single-line event with correct order when you select the Cisco ACS Multiline option.

Show Advanced Options

The default is No. Select Yes if you want to configure advanced options.

Use Custom Source Name

Select the check box if you want to customize the source name with regex.

Source Name Regex

Use the Source Name Regex and Source Name Formatting String parameters if you want to customize how JSA determines the source of the events that are processed by this UDP Multiline Syslog configuration.

For Source Name Regex, enter a regex to capture one or more identifying values from event payloads that are handled by this protocol. These values are used with the Source Name Formatting String to set a source or origin value for each event. This source value is used to route the event to a log source with a matching Log Source Identifier value when the Use As A Gateway Log Source option is enabled.

Source Name Formatting String

You can use a combination of one or more of the following inputs to form a source value for event payloads that are processed by this protocol:

• One or more capture groups from the Source Name Regex. To refer to a capture group, use \x notation where x is the index of a capture group from the Source Name Regex.

• The IP address from which the event data originated. To refer to the packet IP, use the token $PIP$.

• Literal text characters. The entire Source Name Formatting String can be user-provided text.

For example, CiscoACS\1\2$PIP$, where \1\2 means first and second capture groups from the Source Name Regex value, and $PIP$ is the packet IP.

Use As A Gateway Log Source

If this check box is clear, incoming events are sent to the log source with the Log Source Identifier matching the IP that they originated from.

When checked, this log source serves as a single entry point or gateway for multiline events from many sources to enter JSA and be processed in the same way, without the need to configure a UDP Multiline Syslog log source for each source. Events with an RFC3164- or RFC5424-compliant syslog header are identified as originating from the IP or host name in their header, unless the Source Name Formatting String parameter is in use, in which case that format string is evaluated for each event. Any such events are routed through JSA based on this captured value.

If one or more log sources exist with a corresponding Log Source Identifier, they are given the event based on configured Parsing Order. If they do not accept the event, or if no log sources exist with a matching Log Source Identifier, the events are analyzed for autodetection.

Flatten Multiline Events Into Single Line

Shows an event in one single line or multiple lines. If this check box is selected, all newline and carriage return characters are removed from the event.

Retain Entire Lines During Event Aggregation

Choose this option to either discard or keep the part of the events that comes before Message ID Pattern when the protocol concatenates events with same ID pattern together.

Time Limit

The number of seconds to wait for additional matching payloads before the event is pushed into the event pipeline. The default is 10 seconds.

Enabled

Select this check box to enable the log source.

Credibility

Select the credibility of the log source. The range is 0 - 10.

The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.

Target Event Collector

Select the Event Collector in your deployment that should host the UDP Multiline Syslog listener.

Coalescing Events

Select this check box to enable the log source to coalesce (bundle) events.

By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Store Event Payload

Select this check box to enable the log source to store event payload information.

By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

Log Source Identifier

The log source name can't include spaces and must be unique among all log sources of this type that are configured with the VMware vCloud Director protocol.

Protocol Configuration

VMware vCloud Director

vCloud URL

The URL that is configured on your VMware vCloud appliance to access the REST API. The URL must match the address that is configured as the VCD public REST API base URL field on the vCloud server. For example, https:<my.vcloud.server>/api.

User Name

The username that is required to remotely access the vCloud Server. For example, console/user@organization.

If you want to configure a read-only account to use with JSA, create a vCloud user in your organization that has the Console Access Only permission.

Password

The password that is required to remotely access the vCloud Server.

Polling Interval (in seconds)

The amount of time between queries to the vCloud server for new events.

The default polling interval is 10 seconds.

EPS Throttle

The maximum number of events per second (EPS). The default is 5000.

Enable Advanced Options

Enable this option to configure more parameters.

API PageSize

If you select Enable Advanced Options, this parameter is displayed.

The number of records to return per API call. The maximum is 128.

Enable Legacy vCloud SDK

If you select Enable Advanced Options, this parameter is displayed.

To connect to vCloud 5.1 or earlier, enable this option.

vCloud API Version

If you select Enable Advanced Options and then you select Enable Legacy vCloud SDK, this parameter no longer displays.

The vCloud version that is used in your API request. This version must match a version that is compatible with your vCloud installation.

Use the following examples to help you determine which version is compatible with your vCloud installation:

• vCloud API 33.0 (vCloud Director 10.0)

• vCloud API 32.0 (vCloud Director 9.7)

• vCloud API 31.0 (vCloud Director 9.5)

• vCloud API 30.0 (vCloud Director 9.1)

• vCloud API 29.0 (vCloud Director 9.0)

Allow Untrusted Certificates

If you select Enable Advanced Options and then you select Enable Legacy vCloud SDK, this parameter no longer displays.

When you connect to vCloud 5.1 or later, you must enable this option to allow self-signed, untrusted certificates.

The certificate must be downloaded in PEM or DER encoded binary format and then placed in the /opt/qradar/conf/ trusted_certificates/ directory with a .cert or .crt file extension.

Use Proxy

If you select Enable Advanced Options and then you select Enable Legacy vCloud SDK, this parameter no longer displays.

If the server is accessed by using a proxy, select the Use Proxy checkbox. If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy username, and Proxy Password fields.

If the proxy does not require authentication, configure the Proxy IP or Hostname field.

Proxy IP or Hostname

If you select Use Proxy, this parameter is displayed.

If you select Enable Advanced Options and then you select Enable Legacy vCloud SDK, this parameter no longer displays.

Proxy Port

If you select Use Proxy, this parameter is displayed.

If you select Enable Advanced Options and then you select Enable Legacy vCloud SDK, this parameter no longer displays.

The port number that is used to communicate with the proxy. The default is 8080.

Proxy Username

If you select Use Proxy, this parameter is displayed.

If you select Enable Advanced Options and then you select Enable Legacy vCloud SDK, this parameter no longer displays.

Proxy Password

If you select Use Proxy, this parameter is displayed.

If you select Enable Advanced Options and then you select Enable Legacy vCloud SDK, this parameter no longer displays.