IPS Logging and Reporting

IPS Syslog Configuration



Junos OS lets you configure a notification action on an IPS rulebase rule. When the rule matches, the IPS engine raises a syslog event (the RT_IDP messages, such as IDP_ATTACK_LOG_EVENT). To keep these apart from the rest of the system log, configure a dedicated file under the [edit system syslog] hierarchy and give it a match statement for the string RT_IDP, as shown in the slide. The file still needs its usual facility and severity selector; match then admits only messages whose text matches that regular expression, so the file is populated only by IPS notifications. View its contents with the show log filename command.

Two caveats are worth knowing. First, match takes a regular expression, so RT_IDP admits every message whose name begins with that prefix, which is what you want here. Second, this file is written by the Routing Engine's syslog process, so it captures IPS events only while the device logs in event mode; in stream mode (see Configure Log Mode later in this module) security logs are sent straight from the forwarding plane to the remote collector and do not land in [edit system syslog] files.


Anatomy of a Syslog Message



Syslog messages from an SRX Series device carry a great deal of information; some fields are self-explanatory, others are rather cryptic. The slide breaks down the structure of a syslog message for a security event and labels each item: the timestamp and hostname, the source of the event (RT_IDP for the IPS engine) and the message name (for example IDP_ATTACK_LOG_EVENT), followed by the event-specific fields such as the source and destination addresses and ports, the protocol and service, the rulebase, rule and policy that matched, and the attack block with the repeat count, the action taken, the threat severity and the attack (signature) name. Knowing which field is which is what lets you filter and correlate these messages rather than just reading them.
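As an added illustration (this example is not from the original course material), the following Python parses the lines that such a match RT_IDP file collects and flags attacks that were logged but not blocked. The log lines are constructed for this example: the field layout follows the Junos RT_IDP IDP_ATTACK_LOG_EVENT message, but the hostname, addresses, attack names and timestamps are illustrative, and the blocking heuristic (actions beginning with DROP or CLOSE) is an assumption to check against your own logs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of what a `system syslog file <name> ... match RT_IDP` file
# collects in the traditional (non-structured) format.  Hostname, addresses,
# attack names and timestamps are illustrative, not captured from a device; the
# middle line is a non-IPS message that the `match RT_IDP` filter would exclude.
SAMPLE_LOG = """\
Dec  6 15:59:07 srx240 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1386345547, SIG Attack log <10.1.1.2/38219->10.2.2.2/80> for TCP protocol-id 6 and service HTTP by rule 1 of rulebase IPS in policy Recommended. attack: repeat=0, action=DROP, threat-severity=HIGH, name=HTTP:XSS:HTML-SCRIPT-IN-URL-VAR, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:untrust:ge-0/0/0.0->trust:ge-0/0/1.0, packet-log-id: 0 and misc-message -
Dec  6 15:59:08 srx240 mgd[1234]: UI_COMMIT: User 'admin' requested 'commit' operation (comment: none)
Dec  6 15:59:09 srx240 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1386345549, SIG Attack log <10.1.1.7/52000->10.2.2.9/445> for TCP protocol-id 6 and service SMB by rule 2 of rulebase IPS in policy Recommended. attack: repeat=3, action=NONE, threat-severity=MEDIUM, name=SMB:AUDIT:NULL-SESSION, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:untrust:ge-0/0/0.0->trust:ge-0/0/1.0, packet-log-id: 0 and misc-message -
"""

# Fixed prefix of the message: who, when, which tuple, which rule/policy matched.
ATTACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) RT_IDP: IDP_ATTACK_LOG_EVENT: "
    r"IDP: at (?P<epoch>\d+), (?P<type>\w+) Attack log "
    r"<(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)> "
    r"for (?P<proto>\w+) protocol-id (?P<protoid>\d+) and service (?P<service>\S+) "
    r"by rule (?P<rule>\S+) of rulebase (?P<rulebase>\S+) in policy (?P<policy>[^.]+)\. "
    r"attack: (?P<kv>.*)$"
)
# The attack block is a comma-separated list of key=value pairs ...
KV_RE = re.compile(r"(?P<k>[\w-]+)=(?P<v>[^,]+)")
# ... plus an intf:<in-zone>:<in-if>-><out-zone>:<out-if> item with no '='.
INTF_RE = re.compile(r"intf:(?P<in_zone>[^:]+):(?P<in_if>\S+?)->(?P<out_zone>[^:]+):(?P<out_if>[^,\s]+)")


@dataclass
class IdpAttack:
    host: str
    epoch: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    service: str
    rulebase: str
    rule: str
    policy: str
    name: str
    action: str
    severity: str
    repeat: int
    in_zone: str
    in_if: str
    out_zone: str
    out_if: str


def parse_idp_attack(line: str) -> Optional[IdpAttack]:
    """Return the parsed event, or None for lines that are not RT_IDP attack logs."""
    m = ATTACK_RE.match(line.rstrip())
    if m is None:
        return None
    tail = m["kv"]
    kv = dict(KV_RE.findall(tail))
    intf = INTF_RE.search(tail)
    if intf is None:
        return None
    return IdpAttack(
        host=m["host"], epoch=int(m["epoch"]),
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        proto=m["proto"], service=m["service"],
        rulebase=m["rulebase"], rule=m["rule"], policy=m["policy"],
        name=kv.get("name", ""), action=kv.get("action", ""),
        severity=kv.get("threat-severity", ""), repeat=int(kv.get("repeat", "0")),
        in_zone=intf["in_zone"], in_if=intf["in_if"],
        out_zone=intf["out_zone"], out_if=intf["out_if"],
    )


def parse_log(text: str) -> List[IdpAttack]:
    """Parse every attack event in a log file, silently skipping other messages."""
    return [e for e in map(parse_idp_attack, text.splitlines()) if e is not None]


def blocked(e: IdpAttack) -> bool:
    # Assumption: blocking actions are logged as DROP* or CLOSE*; NONE / IGNORE
    # mean the attack was only logged.  Verify against your own logs.
    return e.action.upper().startswith(("DROP", "CLOSE"))


def unblocked(events: List[IdpAttack]) -> List[IdpAttack]:
    """Attacks that matched a rule but were not stopped: the ones to review first."""
    return [e for e in events if not blocked(e)]
```

Run parse_log over a file copied off the device with show log filename | save; the unblocked list is the quickest answer to "what did the IPS see and let through".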


IDP Operational Commands: Part 1



The Junos CLI provides a large set of show commands for monitoring the status and usage of the IDP engine. To find the right one, consult the CLI reference at http://www.juniper.net/techpubs/hardware/junos-srx/index.html and select the appropriate release, or type a question mark after show security idp to list the available keywords.

The slide illustrates two useful IDP operational commands. show security idp status displays the status of the current IDP policy, including the aggregated throughput in packets per second and kbits per second; the minimum, maximum and average latency, in microseconds, for a packet to be received by the IDP engine and returned by the node; and ICMP, TCP and UDP packet statistics.


IPS Operational Commands: Part 2



The slide points out show security idp attack table, which lists every attack that currently has hits together with its hit count. Add pipe modifiers such as | match or | count to narrow the output to specific attack names or to count the entries. Clearing the counters with clear security idp attack table gives you a fresh baseline, which is useful when tuning a policy: clear, run the suspect traffic, then look at which signatures fired.


Security CLI Commands: Part 1



You can see details about security sessions using the show security flow session command. For each session the output gives the internal Session ID number, the policy handling the session, the ingress IP addresses and interface, and the egress IP addresses and interface (the In and Out wings of the session).


Security CLI Commands: Part 2



You can combine show security flow session with | match value to display only the lines that match a pattern. In the example on the slide, show security flow session protocol 6 | match "In: 192.168.1.10" displays only the In wings of TCP sessions that contain 192.168.1.10. Keep in mind that match applies a regular expression to each output line, not to the whole session: the Session ID line and the Out wing of a matching session are suppressed, and the pattern also matches 192.168.1.100, because the dots are wildcards and 192.168.1.10 is a prefix of 192.168.1.100. To filter on an exact address, let the device do the work (for example with source-prefix 192.168.1.10/32) before piping the output to match.

You can also use the | count modifier to count the matching lines, for example the number of sessions a particular host is using.
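The following Python, added here and not part of the original course material, parses constructed show security flow session output into whole session records so that a host can be matched exactly and the protocol filter applied before any text match; cli_match reproduces what | match does line by line, which makes the prefix problem described above visible. Session IDs, policy names, addresses and counters in the sample are made up.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of `show security flow session` output.  Session IDs,
# policy names, addresses and counters are illustrative, not from a device.
SAMPLE_OUTPUT = """\
Session ID: 8001, Policy name: allow-web/4, Timeout: 1798, Valid
  In: 192.168.1.10/50120 --> 10.0.0.5/80;tcp, If: ge-0/0/1.0, Pkts: 12, Bytes: 1640
  Out: 10.0.0.5/80 --> 192.168.1.10/50120;tcp, If: ge-0/0/0.0, Pkts: 9, Bytes: 6120

Session ID: 8002, Policy name: allow-web/4, Timeout: 1800, Valid
  In: 192.168.1.100/41000 --> 10.0.0.5/443;tcp, If: ge-0/0/1.0, Pkts: 3, Bytes: 310
  Out: 10.0.0.5/443 --> 192.168.1.100/41000;tcp, If: ge-0/0/0.0, Pkts: 2, Bytes: 260

Session ID: 8003, Policy name: allow-dns/2, Timeout: 58, Valid
  In: 192.168.1.10/5353 --> 10.0.0.53/53;udp, If: ge-0/0/1.0, Pkts: 1, Bytes: 72
  Out: 10.0.0.53/53 --> 192.168.1.10/5353;udp, If: ge-0/0/0.0, Pkts: 1, Bytes: 140

Total sessions: 3
"""

SESSION_RE = re.compile(
    r"^Session ID: (?P<id>\d+), Policy name: (?P<policy>[^,]+), Timeout: (?P<timeout>\d+), (?P<state>\w+)"
)
WING_RE = re.compile(
    r"^\s*(?P<dir>In|Out): (?P<src>[\d.]+)/(?P<sport>\d+) --> (?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\w+),"
    r" If: (?P<iface>\S+), Pkts: (?P<pkts>\d+), Bytes: (?P<nbytes>\d+)"
)
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}


@dataclass
class Wing:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    iface: str
    pkts: int
    nbytes: int


@dataclass
class Session:
    session_id: int
    policy: str
    timeout: int
    state: str
    wings: Dict[str, Wing] = field(default_factory=dict)  # "In" and "Out"


def parse_sessions(text: str) -> List[Session]:
    """Group the multi-line CLI output into one record per session."""
    sessions: List[Session] = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append(Session(int(m["id"]), m["policy"], int(m["timeout"]), m["state"]))
            continue
        w = WING_RE.match(line)
        if w and sessions:
            sessions[-1].wings[w["dir"]] = Wing(
                src=w["src"], sport=int(w["sport"]), dst=w["dst"], dport=int(w["dport"]),
                proto=w["proto"], iface=w["iface"], pkts=int(w["pkts"]), nbytes=int(w["nbytes"]),
            )
    return sessions


def sessions_for_host(sessions: List[Session], ip: str, protocol: Optional[int] = None) -> List[Session]:
    """Exact-address match on either wing, optionally narrowed to an IP protocol
    number (the CLI's `protocol 6` keyword filters before `| match` sees any text)."""
    hits = []
    for s in sessions:
        wings = list(s.wings.values())
        if protocol is not None and not all(PROTO_NUMBERS.get(w.proto) == protocol for w in wings):
            continue
        if any(ip in (w.src, w.dst) for w in wings):
            hits.append(s)
    return hits


def cli_match(text: str, pattern: str) -> List[str]:
    """What `| match "<pattern>"` returns: every output line the regex matches,
    with no notion of which session a line belongs to."""
    return [line for line in text.splitlines() if re.search(pattern, line)]
```

On the device itself the precise equivalent of sessions_for_host is to filter before the pipe, for example show security flow session source-prefix 192.168.1.10/32 protocol tcp, which returns complete sessions and cannot be fooled by a longer address.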


Troubleshooting Traffic Flows with Flow Traceoptions



Junos OS lets you trace the decisions the SRX Series device makes on traffic as it passes through the flow module.

Provides More Detailed Information than Firewall Logs

Often the firewall logs alone give enough detail to understand what the SRX Series device is doing (permit, deny, which firewall policy was applied, NAT, VPN, and so forth), but sometimes they do not show what the device is doing to the packet itself. That is when you debug a packet flow with security flow traceoptions.

Advanced Packet Filtering Provided

The packet-filter option, shown on the next slide, lets you capture only specific traffic. The SRX Series device supports only one expression per packet filter, so to trace more than one flow you need multiple packet filters per trace, and because a filter describes one direction you normally define one for each direction of a session (a forward filter with the client as source and a reverse filter with the server as source).

Always enable packet filters when tracing traffic so that only what you need is matched. This makes the information easier to find and, more importantly, avoids the performance hit of tracing every packet through the device; an unfiltered flow trace left running on a production device is a classic self-inflicted outage. Deactivate or delete the traceoptions once the investigation is done.


Case Study: Setting Up Flow Traceoptions—Part 1



This slide shows an example of setting up flow traceoptions with a packet-filter, and how to follow the trace file in real time with monitor start filename (stop with monitor stop).


Case Study: Setting Up Flow Traceoptions—Part 2



This slide shows how to view more specific entries in the trace file by adding a matching condition (show log filename | match pattern), for example the address of the host whose flow you are investigating.


The STRM Device Console



The Juniper Networks STRM Series device addresses network security management by collecting, correlating and managing a broad set of event and flow data so that a company can run its network security operations from a single Web-based console. The STRM device offers multiple network security management features, including but not limited to the following:

• Comprehensive log management and reporting: Scalable and secure log management, with storage capacity from gigabytes to terabytes of data;
• Threat detection: The ability to analyze the right threats at the right time;
• Compliance reporting: Over 1300 report templates that you can customize and schedule as daily, weekly and monthly reports; and
• Log retention and storage: Archived logs can be integrated into an existing storage infrastructure for long-term retention and hands-on storage.

The management console is a centralized browser-based user interface (UI) with role-based access. Customizable dashboards show real-time and historical data, an advanced data-mining interface is available, and the rule engine is easy to use.


How Does the STRM Device Collect Information?



The STRM device collects information from multiple sources: events, log messages, flow records, and vulnerability scans. Events can be collected from a variety of external sources and are typically sent to the STRM device as RFC-standard syslog on UDP port 514. Keep in mind what UDP syslog does not give you: no delivery guarantee, no ordering, and no sender authentication. Accept it only from the management network or a dedicated logging segment, and alert on a log source that falls silent, because a gap in the logs is the last thing an attacker wants you to notice.


Log Activity

Events can be collected from a variety of external sources. They typically consist of system log messages but can come from other sources as well. Device Support Modules (DSMs) parse each received event and convert it to a standard format and taxonomy, so that the same field names and event categories apply regardless of which vendor produced the message. Once an event is mapped, the data is analyzed and stored.


Network Activity

Flows are records describing the hosts communicating on the network, through a router, or over a link. A QFlow collector monitors packets on the wire or receives flow messages from other devices. Like DSMs, QFlow collectors process flow messages from a variety of vendors and protocols and convert them to a standard format. All records are stored for reporting and forensics. Flows update asset profiles with the ports and services running on each host, and they are used to detect policy issues and anomalies in the network.


Asset Management

The STRM device passively builds asset profiles of observed hosts by analyzing flow and event data. Asset profiles provide a detailed view of host information, such as the list of open ports, detected vulnerabilities, and attack metrics. You can also manually define the relative importance of a particular asset to help the STRM device prioritize events and traffic.


Identity Information

Identity information is collected from logs as they are received by the Event Collector. It is used to identify an offender at the time of an incident and is tracked in asset profiles. Collecting identity information speeds up problem resolution and improves user accountability, and having the user identity simplifies tracking down threats in remote-access environments, where the source address alone tells you little.


Navigation Basics

The STRM administration console is an easy-to-use, Web-based interface. When you first access the console, the dashboard is displayed. You can display a variety of customized dashboards at any given time; the dashboard is intended to provide a high-level overview of the information the STRM device is collecting. Use the navigation tabs to drill down to the various configuration elements on the device. We discuss several of these elements next.


The Administration Console



The STRM device includes a Web-based administration interface used to manage its administration settings. Any change made in the administration console must be deployed before it takes effect. The console provides multiple options for deploying changes: the Deployment Editor option opens the STRM deployment editor interface, and Deploy applies the configuration "delta" to the STRM installation. Changed settings are held in a staging mode until deployed. Deploying only the changes made to an existing configuration set is generally faster, so it is the default action.

The STRM device uses the network hierarchy to categorize and contextualize network traffic. Defining the network hierarchy requires an in-depth understanding of the network architecture the STRM device will manage; the hierarchy generally represents the logical rather than the physical network architecture. The STRM device uses IP addresses as the unique identifier for all network components, internal hosts, and external hosts, and an address not covered by the hierarchy is treated as remote, so an incomplete hierarchy causes internal traffic to be classified as external. The network hierarchy uses a tree organizational format that is common throughout the STRM system.


The Log Activity Interface



The Log Activity interface lets you investigate events being sent to STRM in real time. You can perform powerful searches and view log activity using configurable time-series charts, conduct in-depth investigations on events, and quickly identify false positives and tune the STRM system.

Some common uses for the Log Activity interface include the following:
• Searching, viewing, and sorting events by a variety of parameters;
• Real-time reporting;
• Forensic investigations; and
• Troubleshooting of log sources and network problems.
By default, the Log Activity interface displays the Real-Time (streaming) view.


Log Activity Time Options



If the Manage Time Series permission is enabled in the user's role, the user can configure and view time-series data charts. The time range options include the following:

• Real Time (streaming): Displays log events as they arrive at the Event Processor;
• Last Interval (auto refresh): The last minute of log events (note that this view can lag up to one minute behind the time the log event reached the Event Processor); and
• Last X Minutes / Hours / Days (where X is a specific value): Selects a window going back a specific amount of time, such as 15 minutes.
The slide demonstrates how to select these time options from the View drop-down menu.


Real Time (streaming) Mode



When you first select the Log Activity tab, events are displayed in either Default (Normalized) or Raw Events format. The Log Activity view automatically shows the following:

• A rolling view of the last 1,000 log events;
• A scrolling view that updates every half second;
• Real-time monitoring of IP addresses, users, and so forth;
• Testing of log source extensions and custom rules; and
• Log events being correlated to an offense in real time.

You can pause the automatic updates by clicking the pause button highlighted on the slide.


Other Display Options



You can display data on the Log Activity page according to several criteria, as shown on the slide. When you select one of these options, the Log Activity page refreshes and the data is redisplayed in a new format based on the criteria you selected. Any applied filters are retained; we discuss filters later in the material.

These alternate display options are useful for finding the unique values when multiple variables are displayed in a group. We discuss grouping next.


Event Details

You can double-click an event to open the event details, which provide additional information useful for log investigation. We examine these details on the next slide.


What Is In the Details?



As mentioned on the previous slide, you open the details of any particular event by double-clicking it. A display opens with detailed information about the event, including the following:
• Event Information: Details such as the name, description, and magnitude;
• Source and Destination Information: Port, IP address, Network Address Translation (NAT) address, and media access control (MAC) address;
• Payload Information: Details including the original event;
• Additional Information: The log source and all matching rules; and
• Identity Information: Hostname, username, and so forth.


Add the SRX as a Log Source



STRM supports auto discovery, a feature that automatically adds the SRX device as a log source when it detects syslog data arriving from it, as shown on the slide. This saves administrators from configuring the SRX device as a log source on the STRM system by hand: the administrator only has to configure the STRM device as a syslog server on the SRX device so that the SRX device forwards its logs to the STRM device. The slide highlights the steps for configuring the SRX device as a log source for STRM log activity. One check worth doing afterwards is to confirm that the discovered log source was assigned the correct Junos DSM rather than a generic syslog type; otherwise the events are stored but not parsed into the normalized fields that rules and searches rely on.


SRX Syslog Configuration



The slide shows various syslog configuration examples, including a number of the default settings. Syslog operations are enabled or modified at the [edit system syslog] hierarchy level and, for routing-protocol process messages, at the [edit routing-options options syslog] hierarchy level. General syslog configuration options include the following:

• host hostname-or-address: Sends syslog messages to a remote host, in this case the STRM device;
• archive: Configures how system log files are archived (the default keeps 10 archive files of at most 128 KB each);
• console: Selects the types of syslog messages to log to the system console;
• facility: Selects the class of log messages, that is, the subsystem that produced them;
• severity: Selects the minimum severity level of log messages to record;
• file filename: Names the log file; and
• files number: Sets the maximum number of archived system log files to keep.


Configure Log Mode



By default, configuring a syslog server at the [edit system syslog] hierarchy sends only the logs that the Routing Engine (RE) sees. Junos security devices such as the SRX Series, however, generate their security logs in the flow module, and pushing those through the RE to the STRM device adds load and latency and raises the risk of dropped logs under heavy traffic, which is exactly when you need them.

SRX devices can send logs in one of two modes, event or stream. In stream mode the Services Processing Card (SPC) or flow module sends the logs to the STRM device itself, bypassing the RE. The slide demonstrates how to configure the logging mode at the [edit security log] hierarchy. Note that stream-mode logs leave through a forwarding-plane interface, so the collector must be reachable through the data plane, and you should configure an explicit source address for them.

In addition to the log mode, you configure the log format at the same hierarchy. For the STRM device to parse the logs properly as security logs, specify the format as sd-syslog (structured-data syslog, in which every field is carried as a name="value" pair rather than in free text), as shown on the slide.
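The following Python, added here and not part of the original course material, shows what sd-syslog looks like on the wire and what the receiving side does with it: it parses an RFC 5424 message carrying one junos@2636.* structured-data element, normalizes the vendor fields into a flat record in the way a DSM does (see Log Activity earlier in this module), and deliver_over_udp pushes the datagram through a loopback UDP socket as a stand-in for the SRX-to-STRM path. The message is constructed: the framing and the SD-ID form are what the SRX produces, but the product OID suffix, addresses, attack name and the abbreviated parameter list are illustrative, and the normalized field names and the 0-10 threat score are assumptions, not STRM's own.

```python
import re
import socket
from typing import Dict

# Constructed sample of an IDP_ATTACK_LOG_EVENT in `sd-syslog` (RFC 5424
# structured-data) format.  Framing and the junos@2636.* SD-ID are what the SRX
# emits; the OID suffix, addresses and attack name are illustrative and the
# parameter list is abbreviated.
SAMPLE_SD_SYSLOG = (
    '<14>1 2013-12-06T15:59:07.843Z srx240 RT_IDP - IDP_ATTACK_LOG_EVENT '
    '[junos@2636.1.1.1.2.36 epoch-time="1386345547" message-type="SIG" '
    'source-address="10.1.1.2" source-port="38219" destination-address="10.2.2.2" '
    'destination-port="80" protocol-name="TCP" service-name="HTTP" '
    'rule-name="1" rulebase-name="IPS" policy-name="Recommended" repeat-count="0" '
    'action="DROP" threat-severity="HIGH" attack-name="HTTP:XSS:HTML-SCRIPT-IN-URL-VAR" '
    'source-zone-name="untrust" destination-zone-name="trust"] '
    'IDP: at 1386345547, SIG Attack log <10.1.1.2/38219->10.2.2.2/80> '
    'for TCP protocol-id 6 and service HTTP by rule 1 of rulebase IPS in policy Recommended'
)

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.S)
# One SD-ELEMENT: [SD-ID PARAM-NAME="PARAM-VALUE" ...]; values may escape " \ ] with a backslash.
SD_RE = re.compile(r'^\[(?P<sdid>[^ \]]+)(?P<params>(?: [^=\s\]]+="(?:[^"\\]|\\.)*")*)\]')
PARAM_RE = re.compile(r'([^=\s\]]+)="((?:[^"\\]|\\.)*)"')


def _unescape(value: str) -> str:
    return re.sub(r'\\([\]"\\])', r'\1', value)


def parse_sd_syslog(message: str) -> Dict:
    """Split an RFC 5424 message into header fields, the first SD-ELEMENT's
    parameters, and the free-text MSG that follows the structured data."""
    m = HEADER_RE.match(message)
    if m is None:
        raise ValueError("not an RFC 5424 message")
    pri = int(m["pri"])
    ev = {"facility": pri // 8, "severity": pri % 8, "timestamp": m["ts"],
          "host": m["host"], "app": m["app"], "msgid": m["msgid"],
          "sd_id": None, "params": {}, "msg": ""}
    rest = m["rest"]
    if rest == "-" or rest.startswith("- "):   # NILVALUE: no structured data
        ev["msg"] = rest[2:]
        return ev
    sd = SD_RE.match(rest)
    if sd is None:
        raise ValueError("malformed STRUCTURED-DATA")
    ev["sd_id"] = sd["sdid"]
    ev["params"] = {k: _unescape(v) for k, v in PARAM_RE.findall(sd["params"])}
    ev["msg"] = rest[sd.end():].strip()
    return ev


# Assumed 0-10 scale for the vendor's threat-severity words (not STRM's mapping).
THREAT_SCORE = {"INFO": 1, "LOW": 3, "MEDIUM": 5, "HIGH": 7, "CRITICAL": 9}


def normalize(ev: Dict) -> Dict:
    """Map the vendor parameters onto a flat, vendor-neutral record, the step a DSM
    performs before correlation.  Field names here are an assumption."""
    p = ev["params"]
    return {
        "reporter": ev["host"],
        "category": "IDP/" + p.get("message-type", "UNKNOWN"),
        "signature": p.get("attack-name"),
        "src_ip": p.get("source-address"),
        "src_port": int(p.get("source-port", 0)),
        "dst_ip": p.get("destination-address"),
        "dst_port": int(p.get("destination-port", 0)),
        "proto": p.get("protocol-name"),
        "severity": THREAT_SCORE.get(p.get("threat-severity", "").upper(), 0),
        "blocked": p.get("action", "").upper().startswith(("DROP", "CLOSE")),
        "policy": "%s/%s/%s" % (p.get("policy-name"), p.get("rulebase-name"), p.get("rule-name")),
    }


def deliver_over_udp(message: str, collector_addr=("127.0.0.1", 0)) -> Dict:
    """Loopback stand-in for the SRX -> STRM UDP/514 path: bind a collector socket
    (ephemeral port, since 514 needs root), send the datagram, parse what arrives.
    Nothing on this path authenticates the sender; the peer address is all you get."""
    collector = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        collector.bind(collector_addr)
        collector.settimeout(2)
        sender.sendto(message.encode("utf-8"), collector.getsockname())
        data, peer = collector.recvfrom(65535)
    finally:
        sender.close()
        collector.close()
    ev = parse_sd_syslog(data.decode("utf-8"))
    ev["peer"] = peer[0]
    return ev


if __name__ == "__main__":
    received = deliver_over_udp(SAMPLE_SD_SYSLOG)
    print(received["peer"], normalize(received))
```

The separation matters for tuning: a collector that only keeps ev["msg"] has the human-readable text but loses the guaranteed field boundaries, which is why the course insists on sd-syslog for STRM rather than the traditional format.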


STRM Performs Log Source Auto Discovery



The final step in adding an SRX device as a log source is to verify that the STRM device has discovered it automatically. As long as you configure the SRX device correctly and commit the configuration, the STRM device adds the SRX device as soon as it detects logging activity. If it does not appear, generate some traffic that the security policy logs and check that the logs actually leave the SRX device (in stream mode, through a data-plane interface that can reach the collector).
