AlienVault® USM Anywhere™

Juniper SSG

When you configure Juniper SSG integration to send log data to USM Anywhere, you can use the Juniper SSG plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor: Juniper
Device type: Firewall
Connection type: syslog
Vendor link: https://kb.juniper.net/InfoCenter/index?page=content&id=KB4759&actp=search

Integrating Juniper SSG

To configure Juniper SSG to send log data to USM Anywhere

  1. Open the web UI.

    For more information, refer to KB4317 - [ScreenOS] Accessing your Juniper firewall device using the WebUI.

  2. From the ScreenOS console menu, go to Configuration > Report Settings > Syslog.

  3. From the Syslog page, select Enable Syslog Messages.

  4. Expand Source interface and select the interface from which syslog packets are sent.

    Note: Syslog messages can be sent to up to four designated syslog servers.

  5. Enter information about the USM Anywhere Sensor.

    • Enable — activate the checkbox to enable the source
    • IP/ Hostname — enter the IP address or hostname of your USM Anywhere Sensor
    • Port — we recommend you use the default setting of UDP 514
    • Security Facility — classifies and sends security-specific events to the syslog host
    • Facility — standard facility responsible for classifying and sending all other messages for events unrelated to security
    • Event Log — activate the checkbox to send event log entries to the syslog host
    • Traffic Log — activate the checkbox to send traffic log entries to the syslog host
    • TCP — use the TCP transport protocol instead of the default UDP setting

      Important: There are known issues with manageability when using the TCP protocol. Consult the Juniper KB article to learn more.

  6. Click Apply.

CLI Version of Integration

To configure Juniper SSG to send log data to USM Anywhere from the ScreenOS CLI, run the following commands. Replace <xxx.xxx.x.x> with the IP address of your USM Anywhere Sensor and <interface_name> with the interface from which syslog packets are sent. The two values after facilities are the security facility and the standard facility described in step 5 above.

set syslog enable
set syslog config <xxx.xxx.x.x>
set syslog config <xxx.xxx.x.x> facilities local0 local0
set syslog config <xxx.xxx.x.x> log traffic
set syslog src-interface <interface_name>

Log Event Levels

When a level is chosen, events at that level and above (more severe) are logged.

  • Local0 == Debug level (Debug and above, that is, all events are logged)
  • Local1 == Info level (Info, Notify, Warning, Error, Critical, Alert, and Emergency events are logged)
  • Local2 == Notify level (Info, Notify, Warning, Error, Critical, Alert, and Emergency events are logged)
  • Local3 == Warning level (Warning, Error, Critical, Alert, and Emergency events are logged)
  • Local4 == Error level (Error, Critical, Alert, and Emergency events are logged)
  • Local5 == Critical level (Critical, Alert, and Emergency events are logged)
  • Local6 == Alert level (Alert and Emergency events are logged)
  • Local7 == Emergency level (only Emergency events are logged)

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • application_type
  • customfield_0
  • customfield_1
  • destination_address
  • destination_port
  • destination_username
  • event_action
  • event_category
  • event_name
  • event_severity
  • plugin_device_version
  • rep_device_hostname
  • rep_device_inbound_interface
  • rep_device_rule_id
  • source_address
  • source_mac
  • source_port
  • source_username
  • timestamp_occured
  • timestamp_received
  • transport_protocol
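
The following added example (not USM Anywhere plugin code and not from Juniper) shows what the normalization described above looks like in practice: it parses one constructed syslog line in the ScreenOS key=value traffic-log layout into the plugin field names listed here, and it applies the Local0 to Local7 rule from the Log Event Levels section to decide whether a given facility would have forwarded that event. The sample line, its addresses and ids, and the field mapping are assumptions for illustration.

```python
import re

# Constructed sample in the ScreenOS key=value traffic-log layout (assumption:
# real SSG output follows this shape; host, addresses and ids are made up).
SAMPLE = (
    '<134>ssg5-main: NetScreen device_id=ssg5-main [Root]system-notification-00257'
    '(traffic): start_time="2023-03-01 10:15:22" duration=0 policy_id=12 '
    'service=http proto=6 src zone=Trust dst zone=Untrust action=Permit '
    'sent=0 rcvd=0 src=192.0.2.10 dst=198.51.100.20 src_port=51514 dst_port=80 '
    'session_id=30891 reason=Creation'
)

# ScreenOS severity word -> syslog-style level number (0 = most severe)
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notification": 5, "information": 6, "debugging": 7}
PROTO = {"6": "tcp", "17": "udp", "1": "icmp"}

HEADER = re.compile(
    r'^(?:<\d+>)?(?P<host>\S+): NetScreen device_id=(?P<dev>\S+) '
    r'\[\w+\]system-(?P<sev>\w+)-(?P<msgid>\d+)\((?P<cat>\w+)\): (?P<body>.*)$')
# keys may contain spaces ("src zone"), values may be double-quoted
KV = re.compile(r'(?:^|\s)((?:[\w-]+ )*[\w-]+)=("[^"]*"|\S+)')

def parse_screenos(line: str) -> dict:
    """Normalize one ScreenOS syslog line into the plugin field names (illustrative mapping)."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a ScreenOS syslog line")
    kv = {k: v.strip('"') for k, v in KV.findall(m["body"])}
    return {
        "rep_device_hostname": m["dev"],
        "event_severity": SEVERITY[m["sev"]],
        "event_category": m["cat"],
        "event_name": f"{m['sev']}-{m['msgid']}",
        "event_action": kv.get("action"),
        "rep_device_rule_id": kv.get("policy_id"),
        "application_type": kv.get("service"),
        "transport_protocol": PROTO.get(kv.get("proto"), kv.get("proto")),
        "source_address": kv.get("src"),
        "source_port": kv.get("src_port"),
        "destination_address": kv.get("dst"),
        "destination_port": kv.get("dst_port"),
        "timestamp_occured": kv.get("start_time"),
    }

def logged_at_facility(severity: int, facility: str) -> bool:
    """Page rule: localN forwards level (7 - N) and everything more severe."""
    m = re.fullmatch(r"local([0-7])", facility.lower())
    if not m:
        raise ValueError("facility must be local0..local7")
    return severity <= 7 - int(m.group(1))
```

A notification-level (5) traffic event is kept by local0 through local2 but dropped once the facility is set to local3 (Warning) or stricter, which is the first thing to check when traffic logs stop arriving at the Sensor.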

Troubleshooting

For troubleshooting, refer to the vendor documentation:

http://www.juniper.net/techpubs/en_US/release-independent/screenos/information-products/pathway-pages/ssg-series/product/index.html