To encrypt events and send them to JSA, you must configure a log source that uses the TLS Syslog protocol to establish communication with JSA on port 6514.
1. Log in to JSA.
2. Click the Admin tab.
3. On the navigation menu, click Data Sources.
4. Click Log Sources > Add.
5. Configure the following parameters:

Table 1: TLS Log Source for WinCollect Destination

Parameter: Protocol Configuration
Description: TLS Syslog

Parameter: Log Source Identifier
Description: An IP address or host name to identify the log source.

Parameter: TLS Listen Port
Description: The default TLS listen port is 6514.

Parameter: Authentication Mode
Description: The mode by which your TLS connection is authenticated. If you select the TLS and Client Authentication option, you must configure the certificate parameters.

Parameter: Client Certificate Path
Description: The absolute path to the client-certificate on disk. The certificate must be stored on the JSA Console or Event Collector for this log source.

Parameter: Certificate Type
Description: The type of certificate to use for authentication for the server certificate and server key. Select one of the following options from the Certificate Type list:
- Generated Certificate
- Single Certificate and Private Key
- PKCS12 Certificate and Password

Parameter: Generated Certificate
Description: This option is available when you configure the Certificate Type. If you want to use the default certificate and key that are generated by JSA for the server certificate and server key, select this option.

Parameter: Single Certificate and Private Key
Description: This option is available when you configure the Certificate Type. If you want to use a single PEM certificate for the server certificate, select this option and then configure the following parameters:
- Provided Server Certificate Path: The absolute path to the server certificate.
- Provided Private Key Path: The absolute path to the private key.
Note: The corresponding private key must be a DER-encoded PKCS8 key. The configuration fails with any other key format.

Parameter: PKCS12 Certificate and Password
Description: This option is available when you configure the Certificate Type. If you want to use a PKCS12 file that contains the server certificate and server key, select this option and then configure the following parameters:
- PKCS12 Certificate Path: Type the file path for the PKCS12 file that contains the server certificate and server key.
- PKCS12 Password: Type the password to access the PKCS12 file.
- Certificate Alias: If there is more than one entry in the PKCS12 file, an alias must be provided to specify which entry to use. If there is only one alias in the PKCS12 file, leave this field blank.

Parameter: Max Payload Length
Description: The maximum payload length (characters) that is displayed for a TLS Syslog message.

Parameter: Maximum Connections
Description: The Maximum Connections parameter controls how many simultaneous connections the TLS Syslog protocol can accept for each Event Collector. There is a limit of 1000 connections across all TLS syslog log source configurations for each Event Collector. The default for each device connection is 50.
Note: Automatically discovered log sources that share a listener with another log source, for example, by using the same port on the same Event Collector, count only one time towards the limit.

Parameter: TLS Protocols
Description: The TLS Protocol to be used by the log source. Select one of the following options:
- TLS 1.2 and above
- TLS 1.1 and above
- TLS 1.0 and above
To avoid security vulnerabilities, use TLS 1.2 and above.

Parameter: Use As A Gateway Log Source
Description: Sends collected events through the JSA Traffic Analysis Engine to automatically detect the appropriate log source. You must select this option for JSA to detect/create the correct log source for events. When this option is not selected and Log Source Identifier Pattern is not configured, JSA receives events as unknown generic log sources.

Parameter: Log Source Identifier Pattern
Description: If you selected Use As A Gateway Log Source, use this option to define a custom log source identifier for events that are being processed and for log sources to be automatically discovered when applicable. If you don't configure the Log Source Identifier Pattern, JSA receives events as unknown generic log sources.
Use key-value pairs to define the custom Log Source Identifier. The key is the Identifier Format String, which is the resulting source or origin value. The value is the associated regex pattern that is used to evaluate the current payload. This value also supports capture groups that can be used to further customize the key.
Define multiple key-value pairs by typing each pattern on a new line. Multiple patterns are evaluated in the order that they are listed. When a match is found, a custom Log Source Identifier displays.
The following examples show multiple key-value pair functions.

Parameter: Enable Multiline
Description: Aggregate multiple messages into single events based on a Start/End Matching or an ID-Linked regular expression.

Parameter: Aggregation Method
Description: This parameter is available when Enable Multiline is turned on.
- ID-Linked: Processes event logs that contain a common value at the beginning of each line.
- Start/End Matching: Aggregates events based on a start or end regular expression (regex).

Parameter: Event Start Pattern
Description: This parameter is available when Enable Multiline is turned on and the Aggregation Method is set to Start/End Matching. The regular expression (regex) that is required to identify the start of a TCP multiline event payload. Syslog headers typically begin with a date or timestamp. The protocol can create a single-line event that is based solely on an event start pattern, such as a timestamp. When only a start pattern is available, the protocol captures all the information between each start value to create a valid event.

Parameter: Event End Pattern
Description: This parameter is available when Enable Multiline is turned on and the Aggregation Method is set to Start/End Matching. The regular expression (regex) that is required to identify the end of a TCP multiline event payload. If the syslog event ends with the same value, you can use a regular expression to determine the end of an event. The protocol can capture events that are based solely on an event end pattern. When only an end pattern is available, the protocol captures all the information between each end value to create a valid event.

Parameter: Message ID Pattern
Description: This parameter is available when Enable Multiline is turned on and the Aggregation Method is set to ID-Linked. The regular expression (regex) that is required to filter the event payload messages. The TCP multiline event messages must contain a common identifying value that repeats on each line of the event message.

Parameter: Time Limit
Description: This parameter is available when Enable Multiline is turned on and the Aggregation Method is set to ID-Linked. The number of seconds to wait for more matching payloads before the event is pushed into the event pipeline. The default is 10 seconds.

Parameter: Retain Entire Lines during Event Aggregation
Description: This parameter is available when Enable Multiline is turned on and the Aggregation Method is set to ID-Linked. If you set the Aggregation Method parameter to ID-Linked, you can enable Retain Entire Lines during Event Aggregation to discard or keep the part of the events that comes before Message ID Pattern when concatenating events with the same ID pattern together.

Parameter: Flatten Multiline Events Into Single Line
Description: This parameter is available when Enable Multiline is turned on. Shows an event in one single line or multiple lines.

Parameter: Event Formatter
Description: This parameter is available when Enable Multiline is turned on. Use the Windows Multiline option for multiline events that are formatted specifically for Windows.

6. Click Save.
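
The ordered key-value evaluation described for Log Source Identifier Pattern can be modelled in a few lines of Python. This is an added example, not JSA's implementation or the documentation's own examples; the patterns, payloads and function names are constructed, and it assumes an unanchored search using Python's regex dialect rather than JSA's.

```python
import re

# Constructed patterns, one "format string=regex" pair per line, most specific first.
PATTERNS = r"""
fw-$1=\bhost=(\S+)\s+action=DENY
fw-generic=\baction=\w+
"""

# Constructed payloads (not real JSA events).
DENY_EVENT = "<13>Jan  1 00:00:00 relay host=edge01 action=DENY src=192.0.2.7"
ALLOW_EVENT = "<13>Jan  1 00:00:01 relay host=edge01 action=ALLOW src=192.0.2.7"


def parse_patterns(text):
    """Split each non-empty line at the first '=' into (format string, regex)."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        key, sep, pattern = line.partition("=")
        if not (key and sep and pattern):
            raise ValueError(f"not a key=regex pair: {line!r}")
        regex = re.compile(pattern)
        # Every $N in the key must refer to a capture group the regex defines.
        for ref in re.findall(r"\$(\d+)", key):
            if not 1 <= int(ref) <= regex.groups:
                raise ValueError(f"${ref} has no capture group in {pattern!r}")
        rules.append((key, regex))
    return rules


def identify(rules, payload):
    """Return the identifier from the first matching rule, or None."""
    for key, regex in rules:
        match = regex.search(payload)  # assumption: unanchored search
        if match:
            # Substitute $1, $2, ... in the format string with the captured text.
            return re.sub(r"\$(\d+)",
                          lambda ref: match.group(int(ref.group(1))) or "", key)
    return None


if __name__ == "__main__":
    rules = parse_patterns(PATTERNS)
    for event in (DENY_EVENT, ALLOW_EVENT, "no fields here"):
        print(identify(rules, event), "<-", event)
```

Because the first match wins, listing the broad fw-generic rule first would shadow the specific one and every event would be attributed to fw-generic.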
Creating a TLS Log Source Destination for Managed Agents
Create a TLS destination if you want to send encrypted events to JSA appliances. For any existing log sources that are using WinCollect, you must ensure that they use the TLS destination you created so that the events are encrypted.
1. Click the Admin tab.
2. Create a TLS log source destination.
   a. Click Data Sources > WinCollect.
   b. In the WinCollect window, click Destinations > Add.
   c. Give the destination a name, and specify the IP address or hostname of the console.
   d. In the Protocol menu, select TCP/TLS (Encrypted).
   e. Paste the certificate, including the BEGIN and END lines. Find the self-signed certificate in /opt/qradar/conf/trusted_certificates/syslog-tls.cert.
   f. Click Save.
3. Create a TLS Syslog log source where the log source type is Universal DSM and the protocol type is TLS Syslog.
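
Before pointing agents at the new destination, it is worth confirming that the listener on port 6514 presents the same certificate that was pasted and negotiates TLS 1.2 or later. The following is an added example, not Juniper code; the function names and command-line arguments are assumptions, and the probe sends no events.

```python
import hashlib
import socket
import ssl
import sys


def pem_fingerprint(pem_text):
    """SHA-256 of the DER bytes in a pasted PEM certificate.

    Raises ValueError when the BEGIN or END line is missing.
    """
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    return hashlib.sha256(der).hexdigest()


def probe_listener(host, port=6514, timeout=5.0):
    """Handshake with the listener; return (TLS version, certificate SHA-256)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0 and 1.1
    # Chain validation is off because the certificate is self-signed; identity
    # is established by the exact fingerprint comparison in check_destination().
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return tls.version(), hashlib.sha256(der).hexdigest()


def check_destination(pasted_pem, host, port=6514, probe=probe_listener):
    """True only if the listener presents exactly the pasted certificate."""
    version, presented = probe(host, port)
    return version in ("TLSv1.2", "TLSv1.3") and presented == pem_fingerprint(pasted_pem)


if __name__ == "__main__":
    # Hypothetical usage: python check_tls_dest.py <copy of syslog-tls.cert> <console>
    cert_path, console = sys.argv[1:3]
    with open(cert_path, encoding="ascii") as handle:
        ok = check_destination(handle.read(), console)
    print("listener matches pasted certificate" if ok else "MISMATCH")
```

A handshake error from probe_listener means the listener would not negotiate TLS 1.2 or later, or it requires a client certificate.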