Juniper NETWORKS STRM - TECHNICAL NOTE REV 6-2008 Manual

Hide thumbs

page of 16

/ 16
Bookmarks

Quick Links

Download this manual

About Extension

Documents

Release 2008.2

UNIPER

ECHNICAL

SING

XTENSION

2008

UNE

Device extensions allow you to modify how a DSM parses logs, which is useful for

resolving parsing issues. However, before you define a device extension, you must

build an extension document. This document provides information on defining an

extension document including:

•

About Extension Documents

•

Understanding Extension Document Elements

Creating Extension Documents

•

Device Type IDs

•

This document assumes an advanced knowledge of XML coding.

The extension document is specified in Extensible Markup Language (XML)

format. You can create and edit the document using any common word processing

application. You can create multiple extension documents and associate an

extension document to various device types. Using an extension document, you

can resolve parsing issues, such as:

Fixing an event that has missing or incorrect fields (for example, if the

•

username is not being parsed).

Completing the parsing of an event when the DSM to which it is attached fails to

•

produce a result. Any new events produced by the device extension are

associated to the device that failed to parse the original payload. This action

prevents these events from appearing as un-parsed in the STRM interface.

XML format allows for a simplification of the extension document's organization,

and verifies the extension document's contents. Using this format requires that all

regular expressions be contained in character data (CDATA) sections to prevent

the special characters that are needed by regular expressions from interfering with

the markup format. For example:

<![CDATA[(tcp|udp|icmp|gre)]]></pattern>

Where

(tcp|udp|icmp|gre)

ETWORKS

OTE

OCUMENTS

is the actual regular expression pattern.

STRM

Need help?

Do you have a question about the JUNIPER NETWORKS STRM - TECHNICAL NOTE REV 6-2008 and is the answer not in the manual?

Questions and answers

Summary of Contents for Juniper JUNIPER NETWORKS STRM - TECHNICAL NOTE REV 6-2008

Page 1 STRM UNIPER ETWORKS ECHNICAL SING XTENSION OCUMENTS 2008 Device extensions allow you to modify how a DSM parses logs, which is useful for resolving parsing issues. However, before you define a device extension, you must build an extension document. This document provides information on defining an extension document including: •...
Page 2 The extension document allows you to parse a device’s payload. Within the extension document you can include statements of varying degrees of complexity, as required to parse the desired information. Understanding This section explains the two main divisions of the extension document: Extension Patterns •...
Page 3 Understanding Extension Document Elements Table 2 Match Group Parameters (continued) Parameter Description Specify a different device’s QID. Allows the particular match group device-type- to search in the specified device for the event type. It must be a id-override (Optional) valid device type ID, represented as an integer. A list of device type Table 6 IDs is presented in If not specified, this parameter defaults to the device type of the...
Page 4 Table 3 Matcher Entity Parameters (continued) Parameter Description Specify capture group(s), as denoted in the regular capture-group (Optional) expression inside parenthesis ( ). These captures are indexed starting at one and processed from left to right in the pattern. The capture-group field must be a positive integer less than or equal to the number of capture groups contained in the pattern.
Page 5 Understanding Extension Document Elements Table 4 provides a list of valid field names for use in the matcher field parameter (see Table 3 Table 4 Matcher Field Names Field Name Description EventName Specify the event name to be retrieved from the QID to (Required) identify the event.
Page 6 Table 4 Matcher Field Names (continued) Field Name Description Protocol Specify the protocol associated with the event; for example, TCP, UDP, or ICMP. If a protocol is not properly parsed out of a message, ports that were parsed may not appear in STRM (it only displays ports for port-based protocols).
Page 7 Creating Extension Documents Table 5 Single-Event Modifier Parameters (continued) Parameter Description Specifies the sending of identity change information send-identity from the event. Choose one of the following options: UseDSMResults – If the DSM returns an identity • event, the event is passed on. If the DSM does not return an identity event, the DSM does not create or modify the identity information.
Page 8 Writing a Complete The example of an extension document included in this section provides Extension Document information on how to parse one particular type of Cisco FWSM so that events are not sent with an incorrect event name. For example, if you wish to resolve the word , which is embedded in the middle of the event name: session Nov 17 09:28:26 129.15.126.6 %FWSM-session-0-302015: Built UDP...
Page 9 Creating Extension Documents <matcher field="DestinationPort" order="1" pattern-id="DestinationIp" capture-group="2" /> <matcher field="Protocol" order="1" pattern-id="Protocol" capture-group="1" /> <matcher field="Protocol" order="2" pattern-id="Protocol_6" capture-group="TCP" enable-substitutions=”true”/> <event-match-multiple pattern-id="EventNameId" capture-group-index="1" device-event-category="Cisco Firewall"/> </match-group> </device-extension> The above extension document example demonstrates some of the basic aspects of parsing: IP addresses •...
Page 10 a dash and then the true event name as expected by STRM. The only string with a capture group (that is, bounded by parenthesis) is this pattern of digits (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) The IP addresses and ports for the event all follow the same basic pattern: an IP address followed by a slash followed by the numeric port number.
Page 11 Creating Extension Documents Solving Specific This section provides you with XML examples that can be used when resolving Parsing Issues specific parsing issues that may arise: Converting a Protocol • Making a Single Substitution • • Generating Colon-Separated MAC Address Combining IP Address and Port •...
Page 12 If the dashes are removed from the pattern, the pattern converts a MAC address with no separators. If spaces are inserted, the pattern converts a space-separated MAC address, and so on. Combining IP Address and Port Typically an IP address and port are combined in one field, separated by a colon or a slash.
Page 13 Device Type IDs Device Type IDs Table 6 lists the Device Type IDs that can be used in a statement: match-group Table 6 Device Type ID Numbers Device Description Snort Snort Open Source IDS CheckPoint CheckPoint Firewall-1 Devices via syslog GenericFirewall Configurable Firewall Filter NetScreenFirewall...
Page 14 Table 6 Device Type ID Numbers (continued) Device Description TopLayerIPS TopLayer IPS Generic Generic DSM Tripwire Tripwire Cisco ASA Niksun Niksun Sidewinder Secure Computing - Sidewinder NetscreenNSM Netscreen NSM WebProxy Squid WebProxy IpAngel Lucid IpAngel OracleDbAudit Oracle Database Audit Records BigIP F5 Networks BigIP SolarisDhcpd...
Page 15 Device Type IDs Table 6 Device Type ID Numbers (continued) Device Description metainfo Meta IP metainfo Meta IP SymantecSystemCenter Symantec System Center JDBC/WinAgent Cisco ACS Cisco ACS Sentinel Enterasys Sentinel CounterACT Forescount CounterACt McAfee ePO McAfee ePolicy Orchestrator Cisco CSA-syslog Cisco CSA using syslog Cisco NAC Cisco NAC Appliance...
Page 16 Copyright Notice Copyright © 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners.

This manual is also suitable for:

Strm