
Release 2008.2


Writing a Complete Extension Document

The extension document example in this section shows how to parse one particular type of Cisco FWSM event so that events are not sent with an incorrect event name. For example, suppose you wish to resolve the word session, which is embedded in the middle of the event name:

Nov 17 09:28:26 129.15.126.6 %FWSM-session-0-302015: Built UDP connection for faddr 38.116.157.195/80 gaddr 129.15.127.254/31696 laddr 10.194.2.196/2157 duration 0:00:00 bytes 57498 (TCP FINs)

This condition causes the DSM to not recognize the events: all of them remain unparsed and are associated with the generic logger.

Although only a portion of the text string (302015) is used for the QID search, the entire text string (%FWSM-session-0-302015) identifies the event as coming from a Cisco FWSM. Because the entire text string does not match the expected form, the DSM treats the event as invalid.

An FWSM device has a large number of event types, many with unique formats. The following extension document example shows how to parse one event type.

The pattern IDs do not have to match the field names that they are parsing. Even though the following example duplicates the pattern, the SourceIp field and the SourceIpPreNAT field could use the exact same pattern in this case (this may not be true in all FWSM events).

<?xml version="1.0" encoding="UTF-8"?>
<device-extension xmlns="event_parsing/device_extension">
<pattern id="EventNameFWSM" xmlns=""><![CDATA[%FWSM[a-zA-Z\-]*\d-(\d{1,6})]]></pattern>
<pattern id="SourceIp" xmlns=""><![CDATA[gaddr (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/([\d]{1,5})]]></pattern>
<pattern id="SourceIpPreNAT" xmlns=""><![CDATA[gaddr (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/([\d]{1,5})]]></pattern>
<pattern id="SourceIpPostNAT" xmlns=""><![CDATA[laddr (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/([\d]{1,5})]]></pattern>
<pattern id="DestinationIp" xmlns=""><![CDATA[faddr (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/([\d]{1,5})]]></pattern>
<pattern id="Protocol" case-insensitive="true" xmlns=""><![CDATA[(tcp|udp|icmp|gre)]]></pattern>
<pattern id="Protocol_6" case-insensitive="true" xmlns=""><![CDATA[ protocol=6]]></pattern>
<pattern id="EventNameId" xmlns=""><![CDATA[(\d{1,6})]]></pattern>
<match-group order="1" description="FWSM Test" device-type-id-override="6" xmlns="">
 <matcher field="EventName" order="1" pattern-id="EventNameFWSM" capture-group="1"/>
 <matcher field="SourceIp" order="1" pattern-id="SourceIp" capture-group="1"/>
 <matcher field="SourcePort" order="1" pattern-id="SourceIp" capture-group="2"/>
 <matcher field="SourceIpPreNAT" order="1" pattern-id="SourceIpPreNAT" capture-group="1"/>
 <matcher field="SourceIpPostNAT" order="1" pattern-id="SourceIpPostNAT" capture-group="1"/>
 <matcher field="SourcePortPreNAT" order="1" pattern-id="SourceIpPreNAT" capture-group="2"/>
 <matcher field="SourcePortPostNAT" order="1" pattern-id="SourceIpPostNAT" capture-group="2"/>
 <matcher field="DestinationIp" order="1" pattern-id="DestinationIp" capture-group="1"/>
 <!-- the remaining matchers of this listing are not reproduced here; closing tags added so the fragment is well-formed -->
</match-group>
</device-extension>

 
