When you configure Juniper Secure Access VPN integration to send log data to USM Anywhere, you can use the Juniper Secure Access VPN plugin to translate the raw log data into normalized events for analysis.
|Device vendor||Juniper Networks|
|Vendor link||Use the vendor search page to access the Juniper SA-SSLVN 7.0 Administration Guide in PDF format.|
Integrating Juniper SA SSL VPN
Before you configure the integration, you must have the IP Address of the USM Anywhere Sensor.
To configure Juniper SA SSL VPN to send log data to USM Anywhere
Log into the Juniper administration console as system administrator and go to System > Log Monitoring.
Select one of the following, then select Settings:
- Events Log
- User Access Log
- Admin Access Log
- Sensors Log
In the Maximum Log Size field, specify the maximum file size for the local log file (500 MB possible).
The system log displays data up to the amount specified.
Important: Maximum Log Size is an internal setting that most closely corresponds with the size of standard-format logs. If you select a more verbose format, such as WELF, your log files may exceed the limit that you specify here.
Under Select Events to Log, indicate the types of events that you want to capture in the local log file:
- User Settings
- Secure Terminal
- Network Connect
Note: If you deselect the Statistics checkbox in the Events Log tab, the IVE does not write statistics to the log file, but continues to display them in the System > Log/Monitoring > Statistics tab.
Under Syslog Servers, type information about the USM Anywhere Sensor to which you want to send your log files:
- IP address of the USM Anywhere Sensor.
Indicate a facility for the USM Anywhere Sensor.
The IVE provides eight facilities (LOCAL0-LOCAL7) that you can map to facilities on the USM Anywhere Sensor.
- (Central Manager only) Select the filter that you want to apply to the log file.
- Click Add.
- (Optional) Repeat for multiple sensors, if required, using different filters, if desirable.
For plugin enablement information, see Manual Plugin Management.
Available Plugin Fields
The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.
Important: In some instances, users may experience syslog messages sending incomplete event data. To ensure that USM Anywhere properly parses the syslog messages, make sure you have updated Juniper to PCS release version 8.0 or later.
For troubleshooting, refer to the vendor documentation:
Important: To ensure that syslog headers are being parsed correctly for USM Anywhere, it is recommended that you are running PCS version 8.0 or later. The use of earlier versions may result in event details missing certain fields.