AlienVault® USM Anywhere™

Juniper Netscreen NSM

When you configure Juniper Netscreen NSM integration to send log data to USM Anywhere, you can use the Juniper Netscreen NSM plugin to translate the raw log data into normalized events for analysis.

Device Details

  • Device vendor: Juniper
  • Device type: Network and Security Manager
  • Connection type: syslog
  • Vendor link: https://www.juniper.net/techpubs/en_US/nsm2012.2/topics/task/operational/security-service-syslog-configuring-nsm.html

Integrating Netscreen NSM

Integrating Netscreen NSM consists of two tasks: configuring a syslog host to use Netscreen NSM, and using WebTrends reporting to enable syslog reporting.

Configuring a Syslog Host to Use Netscreen NSM

To configure a syslog host to use Netscreen NSM:

  1. On the Syslog configuration screen, click the Add icon to launch the Config dialog box for host configuration.
  2. Specify the hostname and port (514 for UDP, or 601 for TCP).
  3. For each syslog host, specify:
    • any applicable traffic log entries or event log entries
    • the Security Facility responsible for classifying and sending messages to the syslog host for security-related actions
    • the Standard Facility responsible for classifying and sending messages for events unrelated to security
    • the transport protocol used for sending syslog messages (UDP or TCP)
  4. Click OK.

Using WebTrends Reporting to Enable syslog Reporting

The WebTrends Firewall Suite allows customization of syslog reports to display the information you specify in a graphical format, such as that shown in the following illustration.

As of ScreenOS 6.3, the event log, traffic log, and IDP log formats follow the WebTrends Enhanced Log Format (WELF) specification. If backup for the logs is enabled, you can send logs to a maximum of four WebTrends servers.

To configure the security device to send syslog reports to a WebTrends syslog host:

  1. Enable WebTrends reporting.
  2. Specify the name of the WebTrends host and the port through which to send the syslog messages.

    Note: If you are sending reports through a VPN tunnel, click Use Trust Zone Interface.

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • bytes_in
  • bytes_out
  • destination_address
  • destination_nat_address
  • destination_nat_port
  • destination_port
  • destination_username
  • destination_zone
  • device_inbound_interface
  • device_outbound_interface
  • event_category
  • event_description
  • event_name
  • event_severity
  • event_subcategory
  • packet_data
  • packets_received
  • packets_sent
  • policy
  • rep_device_address
  • rep_device_hostname
  • rule_id
  • source_address
  • source_nat_address
  • source_nat_port
  • source_port
  • source_zone
  • timestamp_occured
  • timestamp_received
  • total_packets
  • transport_protocol
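As an added example (not the plugin's own code), the following normalizer maps a constructed ScreenOS-style key=value traffic log line onto the plugin field names listed above, and decodes the syslog PRI so you can confirm that the Security or Standard Facility configured on the NSM is the one actually arriving. The log layout, the ScreenOS key names and the key-to-field mapping are assumptions modelled on ScreenOS traffic logs; only the target field names come from this page.

```python
import re

# Constructed sample line; its key=value layout is assumed from ScreenOS traffic logs, not taken from this page.
SAMPLE = (
    "<134>Jul  5 13:32:20 ns5gt ns5gt: NetScreen device_id=ns5gt "
    "[Root]system-notification-00257(traffic): "
    'start_time="2023-07-05 13:32:18" duration=2 policy_id=12 service=http '
    "proto=6 src zone=Trust dst zone=Untrust action=Permit sent=1540 rcvd=9832 "
    "src=192.0.2.10 dst=198.51.100.7 src_port=51234 dst_port=80 "
    "src-xlated ip=203.0.113.5 port=40001 session_id=4711 reason=Close"
)

# Assumed ScreenOS key -> plugin field name listed on this page.
FIELD_MAP = {
    "policy_id": "policy", "proto": "transport_protocol", "action": "event_name",
    "src": "source_address", "dst": "destination_address",
    "src_port": "source_port", "dst_port": "destination_port",
    "src zone": "source_zone", "dst zone": "destination_zone",
    "src-xlated ip": "source_nat_address", "src-xlated port": "source_nat_port",
    "dst-xlated ip": "destination_nat_address", "dst-xlated port": "destination_nat_port",
    "sent": "bytes_out", "rcvd": "bytes_in",
}
INT_FIELDS = {"bytes_in", "bytes_out", "source_port", "destination_port",
              "source_nat_port", "destination_nat_port"}
PRI_RE = re.compile(r"^<(\d{1,3})>")
DEVICE_RE = re.compile(r"device_id=(\S+)")
CATEGORY_RE = re.compile(r"\((\w+)\):")
KV_RE = re.compile(r'([\w\- ]+?)=("[^"]*"|\S+)')  # keys may contain spaces ("src zone")

def normalize(line):
    """Return the plugin fields found in one line; keys without a mapping are dropped, not guessed."""
    event = {}
    if m := PRI_RE.match(line):  # RFC 3164 PRI = facility * 8 + severity
        pri = int(m.group(1))
        event["syslog_facility"], event["event_severity"] = pri >> 3, pri & 7
    if m := DEVICE_RE.search(line):
        event["rep_device_hostname"] = m.group(1)
    body = line
    if m := CATEGORY_RE.search(line):  # "(traffic):" names the log type; key=value pairs follow it
        event["event_category"], body = m.group(1), line[m.end():]
    prev = None
    for m in KV_RE.finditer(body):
        key, val = m.group(1).strip(), m.group(2).strip('"')
        # A bare "port=" belongs to the "src-xlated ip" / "dst-xlated ip" key just before it.
        if key == "port" and prev and prev.endswith("xlated ip"):
            key = prev.replace(" ip", " port")
        prev = key
        if key in FIELD_MAP:
            event[FIELD_MAP[key]] = int(val) if FIELD_MAP[key] in INT_FIELDS and val.isdigit() else val
    return event
```

Running `normalize(SAMPLE)` yields facility 16 (local0) and severity 6 from the PRI, `event_category` "traffic", and the NAT fields split correctly even though the device emits the translated port under a bare `port=` key.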

Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB28986&actp=search