Documentation Center
AlienVault® USM Anywhere™

Juniper SA SSL VPN

When you configure Juniper Secure Access VPN integration to send log data to USM Anywhere, you can use the Juniper Secure Access VPN plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor Juniper Networks
Device type VPN
Connection type syslog
Vendor link Use the vendor search page to access the Juniper SA-SSLVN 7.0 Administration Guide in PDF format.

Integrating Juniper SA SSL VPN

Before you configure the integration, you must have the IP Address of the USM AnywhereUSM Appliance Sensor.

To configure Juniper SA SSL VPN to send log data to USM Anywhere

  1. Log into the Juniper administration console as system administrator and go to System > Log Monitoring.

  2. Select one of the following, then select Settings:

    • Events Log
    • User Access Log
    • Admin Access Log
    • Sensors Log
  3. In the Maximum Log Size field, specify the maximum file size for the local log file (500 MB possible).

    The system log displays data up to the amount specified.

    Important: Maximum Log Size is an internal setting that most closely corresponds with the size of standard-format logs. If you select a more verbose format, such as WELF, your log files may exceed the limit that you specify here.

  4. Under Select Events to Log, indicate the types of events that you want to capture in the local log file:

    • Login/Logout
    • SAM/Java
    • User Settings
    • Secure Terminal
    • Network Connect
    • File Requests

      Note: If you deselect the Statistics checkbox in the Events Log tab, the IVE does not write statistics to the log file, but continues to display them in the System > Log/Monitoring > Statistics tab.

  5. Under Syslog Servers, type information about the USM Anywhere Sensor to which you want to send your log files:

    1. IP address of the USM Anywhere Sensor.
    2. Indicate a facility for the USM Anywhere Sensor.

      The IVE provides eight facilities (LOCAL0-LOCAL7) that you can map to facilities on the USM Anywhere Sensor.

    3. (Central Manager only) Select the filter that you want to apply to the log file.
    4. Click Add.
  6. (Optional) Repeat for multiple sensors, if required, using different filters, if desirable.

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • audit_reason
  • customfield_0
  • customfield_1
  • customfield_2
  • destination_address
  • destination_hostname
  • destination_port
  • destination_username
  • error_code
  • event_name
  • file_name
  • file_type
  • rep_device_address
  • rep_device_hostname
  • request_url
  • security_group_name
  • source_address
  • source_mac
  • source_username
  • timestamp_occured
  • timestamp_received
  • transport_protocol

Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB10093&actp=search