FireEye
The JSA DSM for FireEye accepts syslog events in Log Event Extended Format (LEEF) and Common Event Format (CEF).
This DSM applies to FireEye CMS, MPS, EX, AX, NX, FX, and HX appliances. JSA records all relevant notification alerts that are sent by FireEye appliances.
The following table identifies the specifications for the FireEye DSM.
| Specification | Value |
|---|---|
| Manufacturer | FireEye |
| DSM name | FireEye MPS |
| Supported versions | CMS, MPS, EX, AX, NX, FX, and HX |
| RPM file name | DSM-FireEyeMPS-JSA_version-Build_number.noarch.rpm |
| Protocol | Syslog and TLS syslog |
| Event Format | Common Event Format (CEF). CEF:0 is supported. |
| JSA recorded event types | All relevant events |
| Auto discovered? | Yes |
| Includes identity? | No |
| More information | FireEye website (www.fireeye.com) |
To integrate FireEye with JSA, use the following procedures:

1. If automatic updates are not enabled, download the DSM Common and FireEye MPS RPMs from Juniper Downloads and install them on your JSA Console.
2. Download and install the latest TLS Syslog Protocol RPM on JSA.
3. For each instance of FireEye in your deployment, configure the FireEye system to forward events to JSA.
4. For each instance of FireEye, create a FireEye log source on the JSA Console.
The following tables explain how to configure a log source in Syslog and TLS Syslog for FireEye.
Table 2: Configuring the Syslog Log Source Protocols for FireEye

| Parameter | Description |
|---|---|
| Log Source type | FireEye |
| Protocol Configuration | Syslog |
| Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your device. |
Table 3: Configuring the TLS Syslog Log Source Protocols for FireEye

| Parameter | Description |
|---|---|
| Source type | FireEye |
| Protocol Configuration | TLS Syslog |
| Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your device. |
| TLS Listen Port | The default TLS listen port is 6514. |
| Authentication Mode | The mode by which your TLS connection is authenticated. If you select the TLS and Client Authentication option, you must configure the certificate parameters. |
| Certificate Type | The type of certificate to use for authentication. If you select the Provide Certificate option, you must configure the file paths for the server certificate and the private key. |
| Provided Server Certificate Path | The absolute path to the server certificate. |
| Provided Private Key Path | The absolute path to the private key. Note: The corresponding private key must be a DER-encoded PKCS8 key. The configuration fails with any other key format. |
| Maximum Connections | The Maximum Connections parameter controls how many simultaneous connections the TLS Syslog protocol can accept for each Event Collector. The connection limit across all TLS syslog log source configurations is 1000 connections for each Event Collector. The default for each device connection is 50. Note: Automatically discovered log sources that share a listener with another log source, such as when you use the same port on the same Event Collector, count only one time towards the limit. |
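
The note on Provided Private Key Path says the configuration fails unless the key is a DER-encoded PKCS8 key. The following pre-flight check is an added example, not Juniper or FireEye code: it inspects the ASN.1 layout of a key file and reports whether it looks like an unencrypted DER PKCS#8 key. The function names and the sample bytes are constructed for illustration, and because the page does not say whether encrypted PKCS#8 keys are accepted, those are reported as a separate class.

```python
"""Added example: classify a private key file before giving its path to JSA."""
import sys

# Constructed sample: PrivateKeyInfo layout with a 3-byte dummy payload, not a real key.
SAMPLE_PKCS8_DER = bytes.fromhex(
    "3017" "020100" "300d06092a864886f70d0101010500" "0403010203")


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length >= 0x80:                        # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of data")
    return tag, pos, pos + length


def classify_key(data):
    """Return 'pem', 'pkcs8-der', 'encrypted-pkcs8-der', 'other-der' or 'not-der'."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"                          # text armor, must be converted to DER
    try:
        tag, pos, end = _read_tlv(data, 0)
        if tag != 0x30 or end != len(data):   # one SEQUENCE must span the whole file
            return "not-der"
        tags = []
        while pos < end and len(tags) < 3:    # tags of the first three child elements
            child, _, pos = _read_tlv(data, pos)
            tags.append(child)
    except ValueError:
        return "not-der"
    if tags == [0x02, 0x30, 0x04]:            # version, AlgorithmIdentifier, OCTET STRING
        return "pkcs8-der"
    if tags[:2] == [0x30, 0x04]:              # EncryptedPrivateKeyInfo layout
        return "encrypted-pkcs8-der"
    return "other-der"                        # e.g. a PKCS#1 RSA or SEC1 EC key in DER


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:       # path of the key file to check
        print(classify_key(fh.read()))
```

A `pem` or `other-der` result means the key needs converting before its path is entered; with OpenSSL, `openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in server.key -out server.key.der` does this for a PEM key (file names are placeholders).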