AlienVault® USM Anywhere™

Juniper EX Series

When you configure a Juniper EX Series switch to send log data to USM Anywhere, the Juniper EX Series plugin translates the raw syslog messages into normalized events for analysis.

Device Details

Vendor: Juniper Networks
Device type: Switch
Connection type: syslog
Vendor link: https://www.juniper.net/techpubs/en_US/junos14.1/topics/reference/configuration-statement/host-edit-system.html

Integrating Juniper EX Series

Before you configure the integration, you must have the IP address of the USM Anywhere Sensor that will receive the syslog traffic.

To configure Juniper EX Series to send log data over syslog to USM Anywhere

  1. Log in to the CLI of the Juniper EX switch and enter configuration mode (configure).

  2. Include the host statement at the [edit system syslog] hierarchy level:

    host <hostname> {
        <facility> <severity>;
        explicit-priority;
        facility-override <facility>;
        log-prefix <string>;
        match "<regular-expression>";
        port 514;
        source-address <source-address>;
    }

    Where:

    • hostname = IP address of the USM Anywhere Sensor.
    • facility = the class of messages to forward. Use any to forward messages from every facility. The facilities are:

      Facility Type of Event or Error
      any All (messages from all facilities)
      authorization Authentication and authorization attempts.
      change-log Changes to the Junos OS configuration.
      conflict-log Specified configuration is invalid on the router type.
      daemon Actions performed or errors encountered by system processes.
      dfc Events related to dynamic flow capture.
      firewall Packet filtering actions performed by a firewall filter.
      ftp Actions performed or errors encountered by the FTP process.
      interactive-commands Commands issued at the Junos OS command-line interface (CLI) prompt or by a client application such as a Junos XML protocol or NETCONF XML client.
      kernel Actions performed or errors encountered by the Junos OS kernel.
      pfe Actions performed or errors encountered by the Packet Forwarding Engine.
      user Actions performed or errors encountered by user-space processes.
    • severity = the minimum severity to forward; messages at that severity and all more severe levels are sent.

      Severity Level Description
      any Includes all severity levels.
      none Disables logging of the associated facility to a destination.
      emergency System panic or other condition that causes the router to stop functioning.
      alert Conditions that require immediate correction, such as a corrupted system database.
      critical Critical conditions, such as hard errors.
      error Error conditions that generally have less serious consequences than errors at the emergency, alert, and critical levels.
      warning Conditions that warrant monitoring.
      notice Conditions that are not errors but might warrant special handling.
      info Events or non-error conditions of interest.
    • (Optional) explicit-priority = record the priority (facility and severity level) in the text of each standard-format system log message sent to the remote host. This keeps the original priority visible even when facility-override changes the facility on the wire.
    • (Optional) facility-override = an alternative facility to assign to the messages sent to this host, for example when the collector sorts incoming syslog by facility.
    • (Optional) string = a log prefix of your choice, added to each message sent to this host.
    • (Optional) regular-expression = a regular expression of your choice; only messages that match it are forwarded to this host.
    • (Optional) source-address = the IP address of the switch that is reported in the messages as their source. Set it explicitly on a switch with several addresses so the Sensor always sees the same source.
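A complete host statement for the procedure above, as an added example that is not from the page or from Juniper's own documentation. It assumes a USM Anywhere Sensor at 10.0.0.25 and a switch management address of 10.0.0.1 (both hypothetical), and forwards every facility at info and above:

```junos
[edit system syslog]
/* USM Anywhere Sensor (hypothetical address) */
host 10.0.0.25 {
    /* every facility, info severity and above */
    any info;
    /* keep the original facility/severity in the message text */
    explicit-priority;
    /* optional: stamp forwarded messages with local7 on the wire */
    facility-override local7;
    /* optional: identifies this switch in the Sensor's raw log view */
    log-prefix ex4300-core;
    port 514;
    /* management address the Sensor will see as the source */
    source-address 10.0.0.1;
}
```

The equivalent `set system syslog host 10.0.0.25 ...` commands produce the same configuration; either way, run `commit check` before `commit`. The `match` statement is omitted here because it is a filter, and filtering at the switch means the Sensor never sees what was dropped. `any info` is deliberate: a narrower severity such as `any notice` cuts volume but also silences lower-severity messages you may want normalized. Syslog on UDP port 514 is neither authenticated nor encrypted, so keep the path between the switch and the Sensor on a management network you control.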

Plugin Enablement

The Juniper EX plugin automatically processes all messages whose syslog tag (the process name that precedes the message text in the syslog header) matches the value dot1xd. Messages from other Junos processes on the switch are not handled by this plugin.

Available Plugin Fields

The following plugin fields are the important attributes extracted from the syslog message. USM Anywhere reports and correlation rules use these fields, and you can also reference them when creating custom reports.

  • device_inbound_interface

  • event_category

  • event_description

  • event_name

  • highlight_fields

  • plugin_device

  • plugin_rule

  • source_mac

  • source_username

  • transient

  • virtual_source_name
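The plugin enablement rule and the field list above describe a tag-based dispatch: only lines tagged dot1xd are normalized, and a handful of fields are pulled out of them. The following Python is an added example of that logic, not the USM Anywhere plugin's own code. It parses the RFC 3164-style header, recovers the original facility and severity from the `%FACILITY-SEVERITY-` marker that explicit-priority prepends, and fills the plugin's field names from the message body. The sample lines, the DOT1XD_* message codes and their wording are constructed for this example; adjust the field patterns to what your switches actually emit.

```python
"""Route Junos EX syslog lines by tag (dot1xd) and extract plugin fields.
Added example; log lines below are constructed, not captured from a switch."""
import re
from typing import Optional

PLUGIN_TAG = "dot1xd"

# RFC 3164-style line: <PRI>Mmm dd hh:mm:ss hostname tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) +"
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_.-]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
# Marker that Junos explicit-priority prepends to the message body,
# e.g. '%DAEMON-6-UI_COMMIT: ...'. It survives facility-override.
EXPLICIT_RE = re.compile(r"^%(?P<fac>[A-Z]+)-(?P<sev>\d)-(?P<rest>.*)$")

FACILITIES = ("kernel", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7")
SEVERITIES = ("emergency", "alert", "critical", "error", "warning", "notice", "info", "debug")

# Field patterns for the constructed message bodies below (assumed wording).
USER_RE = re.compile(r"[Uu]ser '(?P<user>[^']+)'")
MAC_RE = re.compile(r"\b(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)
IFACE_RE = re.compile(r"interface (?P<iface>[a-z]+-\d+/\d+/\d+(?:\.\d+)?)")


def parse_syslog(line: str) -> Optional[dict]:
    """Split a syslog line into header fields; None if it is not well formed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    fac, sev = divmod(int(rec.pop("pri")), 8)
    if fac >= len(FACILITIES):
        return None
    # Facility/severity as seen on the wire (after any facility-override).
    rec["facility"], rec["severity"] = FACILITIES[fac], SEVERITIES[sev]
    # Original facility/severity, present only when explicit-priority is on.
    rec["explicit_facility"] = rec["explicit_severity"] = None
    e = EXPLICIT_RE.match(rec["msg"])
    if e:
        rec["explicit_facility"] = e["fac"].lower()
        rec["explicit_severity"] = SEVERITIES[int(e["sev"])]
        rec["msg"] = e["rest"]
    return rec


def normalize_dot1xd(rec: dict) -> Optional[dict]:
    """Map a dot1xd record onto the plugin's field names; None for other tags."""
    if rec["tag"] != PLUGIN_TAG:
        return None
    # Junos message code (e.g. DOT1XD_USR_AUTHENTICATED) precedes the first ':'
    name, _, desc = rec["msg"].partition(":")
    ev = {
        "plugin_device": "Juniper EX Series",
        "virtual_source_name": rec["host"],
        "event_name": name.strip(),
        "event_description": desc.strip(),
        "source_username": None,
        "source_mac": None,
        "device_inbound_interface": None,
    }
    for key, rx in (("source_username", USER_RE), ("source_mac", MAC_RE),
                    ("device_inbound_interface", IFACE_RE)):
        m = rx.search(rec["msg"])
        if m:
            ev[key] = m.group(1)
    return ev


def route(lines) -> list:
    """Return normalized events for the dot1xd lines, skipping everything else."""
    events = []
    for line in lines:
        rec = parse_syslog(line)
        ev = normalize_dot1xd(rec) if rec else None
        if ev:
            events.append(ev)
    return events


# Constructed sample input: two dot1xd lines (the second with facility-override
# local7 and explicit-priority) and one mgd line the plugin should ignore.
SAMPLE_LINES = [
    "<30>Mar  4 10:15:02 ex4300-core dot1xd[1432]: DOT1XD_USR_AUTHENTICATED: "
    "User 'jsmith' with MAC 00:11:22:33:44:55 authenticated on interface ge-0/0/12.0",
    "<30>Mar  4 10:15:09 ex4300-core mgd[1201]: UI_COMMIT: "
    "User 'admin' requested 'commit' operation",
    "<190>Mar  4 10:16:44 ex4300-core dot1xd[1432]: %DAEMON-4-DOT1XD_USR_AUTH_FAILED: "
    "Authentication failed for user 'guest' with MAC aa:bb:cc:dd:ee:ff on interface ge-0/0/7.0",
]

if __name__ == "__main__":
    for event in route(SAMPLE_LINES):
        print(event)
```

Two things worth noticing when running it: the mgd line carries a username too, but it never becomes an event because dispatch is by tag, not by content; and the third line arrives with facility local7 on the wire (the effect of facility-override), yet its original daemon/warning priority is still recoverable because explicit-priority put it in the message text.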

Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB9936&actp=search