
Issues configuring Juniper SSL / SSIM integration

Created: 16 May 2008 • Updated: 21 May 2010 | 2 comments
Hi - I've been trying to implement the Juniper SSL collector to gather events from our Juniper SSL appliance without success.  The install guide for the collector does not detail the installation steps and talks about the configuration of the Syslog Director (but does not provide any details on configuring it).
 
I was wondering if anyone has implemented this collector and could point me in the right direction.
 
Thanks,
 


lukaszfr

Hi,

I haven't heard about a Juniper SSL collector, so which collector do you use exactly?
The old Juniper VPN collector or something else?

If your Juniper appliance sends syslog messages to SSIM, maybe you should try to use the Generic Syslog collector. It is a very basic collector which isn't based on any signatures or message types and contains only one "Catch-all" translation rule.

Regards,
Antilles

Gary Bishop
This is an easy fix. Go to the Syslog Director and click on the "Advanced Options" link. Click on "Add" and select Juniper VPN and then enter "Juniper" for the string. Move it ahead of the generic syslog entry by clicking on the "move up" button or arrow (I don't have it in front of me). Then just check the "enable" box on the Director Setting tab and you should be all set. Just do a couple of bad logins and wait a minute or so and you should see those events start popping.
 
Anytime you add a Syslog collector you need to check the advanced options to see if there is something to uniquely identify it. If not, you need to define it, as in this case. If you don't know what unique identifier to use, then configure the generic syslog collector and let it "catch" the events; then you can look through them and figure out something that is unique about them. Just be sure if you do enable the generic collector that it is LAST in the Advanced Options table or it will intercept anything that it sees...
 
Hope this helps!
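
The ordering rule and the "find something unique" step from the reply above, as an added example that is not part of the thread and is not SSIM code. It assumes the Syslog Director does plain substring matching with the first matching entry winning; the log lines are constructed samples, not real appliance output.

```python
import re

# Constructed sample events (hypothetical hosts, documentation IP ranges).
SAMPLES = [
    "<134>May 16 10:01:02 vpn01 Juniper: id=firewall msg=Login failed for user alice from 198.51.100.7",
    "<134>May 16 10:01:09 vpn01 Juniper: id=firewall msg=Login succeeded for user bob from 198.51.100.9",
    "<38>May 16 10:01:11 web01 sshd[811]: Failed password for root from 203.0.113.5",
    "<30>May 16 10:01:15 web01 cron[902]: (root) CMD (run-parts /etc/cron.hourly)",
]

# (collector, match string) in table order; "" models the generic catch-all.
JUNIPER_FIRST = [("Juniper VPN", "Juniper"), ("Generic Syslog", "")]
GENERIC_FIRST = [("Generic Syslog", ""), ("Juniper VPN", "Juniper")]


def route(message, rules):
    """Return the collector of the first rule whose string occurs in message."""
    for collector, needle in rules:
        if needle in message:  # "" is contained in every string
            return collector
    return None


def route_all(messages, rules):
    """Count how many messages each collector receives under a rule order."""
    counts = {}
    for msg in messages:
        collector = route(msg, rules)
        counts[collector] = counts.get(collector, 0) + 1
    return counts


def candidate_identifiers(target, others, min_len=4):
    """Tokens present in every target event and in no other event.

    target must be non-empty: the events caught from the device of interest.
    """
    def tokens(msg):
        parts = re.split(r"[^A-Za-z0-9_.-]+", msg)
        return {p for p in parts if len(p) >= min_len and not p.isdigit()}

    common = set.intersection(*(tokens(m) for m in target))
    elsewhere = set().union(*(tokens(m) for m in others)) if others else set()
    return sorted(common - elsewhere)


if __name__ == "__main__":
    print("Juniper entry first:", route_all(SAMPLES, JUNIPER_FIRST))
    print("Generic entry first:", route_all(SAMPLES, GENERIC_FIRST))
    print("Candidate strings:  ", candidate_identifiers(SAMPLES[:2], SAMPLES[2:]))
```

With the generic entry first, the Juniper collector receives nothing, which is the silent failure the reply warns about.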