Upgraded the connector to the latest version (i.e. 7.2.3.7789.0), since Pulse Secure is officially supported by ArcSight.
However, the logs are not getting parsed. Device vendor/product still shows as Unix/Unix. Sample entries are as follows:
Device Vendor : Unix
Device Product : Unix
Device Process Name : PulseSecure
Device Custom String1.Module : PulseSecure
Name : 2016-07-03 11:32:12 - HostName - [127.0.0.1] System()[] - Removed expired user sessions from mail cache. Number of cached sessions before cleanup: 0. Number of sessions after cleanup: 0.
Please share if any of you got a solution for this. Thanks.
For all syslog connectors, you select either Syslog File, Syslog Pipe, or Syslog Daemon from the list in the installer. Information about the parameters is documented in the individual configuration guide for the particular syslog device.
Thanks for your reply. I don't see this type of connector in the list when adding a connector. Can you please provide documentation on how to set this up?
FYI, we've introduced a new connector, Pulse Secure Pulse Connect Secure Syslog, which supports version 8.1 of the renamed product.
That said, for the problem you're having with vendor and product being populated as Unix, it would be helpful if you could supply logs for development to work with to rectify this problem.
I have upgraded the syslog connector that receives events from Juniper Pulse Secure Access 8.1r5 to 7.2.1, but in ESM I still see Device Vendor/Device Product as Unix/Unix, while according to the event mapping it should be Juniper/PulseSecure.
Is there any custom configuration needed either on the Juniper or on the ArcSight side to correct the above?
The events' Vendor/Product from Juniper PulseSecure version 8.1r5 are shown as Unix/Unix instead of Juniper/PulseSecure in ESM/Logger.
This is due to the fact that the headers have been changed. There is an FR in place for this bug, but until the fix is released, does anyone have an idea what workaround could be used to have the events shown as Juniper/PulseSecure?
Considering the fact that not only JuniperSSL devices are feeding this particular connector, putting a subparser in place may end up showing non-Juniper devices as Juniper/PulseSecure.
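The concern raised in the last post (a subparser that tags everything on the shared syslog connector as Juniper/PulseSecure) comes down to how tightly the subparser matches the Pulse Connect Secure message shape. The following is an added example, not code from the thread or from ArcSight: it reproduces in plain Python the decision a subparser has to make, keying only on the message layout visible in the sample event above (`<timestamp> - <hostname> - [<client ip>] <user>(<realm>)[<roles>] - <message>`) and leaving anything that does not fit that layout as Unix/Unix. The regex is an assumption derived from the one sample line in the thread, the second Pulse-style line and the sshd line are constructed test input, and the field names are illustrative rather than ArcSight's internal ones.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Message body layout taken from the sample event in this thread:
#   "2016-07-03 11:32:12 - HostName - [127.0.0.1] System()[] - Removed expired ..."
# The syslog PRI/header is assumed to have been stripped already, as the
# connector does before handing the body to a subparser. Every anchor below
# (" - ", "[ip]", "user(realm)[roles]") must be present, so a generic Unix
# daemon line that merely mentions PulseSecure will NOT match. (Assumed regex.)
PULSE_BODY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"(?P<host>\S+) - "
    r"\[(?P<ip>[^\]]*)\] "
    r"(?P<user>[^()\s]*)\((?P<realm>[^)]*)\)\[(?P<roles>[^\]]*)\] - "
    r"(?P<msg>.*)$"
)


@dataclass
class ClassifiedEvent:
    """Minimal stand-in for the device fields the thread is arguing about."""
    device_vendor: str
    device_product: str
    name: str
    fields: Dict[str, str] = field(default_factory=dict)


def classify(body: str) -> ClassifiedEvent:
    """Tag a syslog message body as Juniper/PulseSecure only when the full
    Pulse Connect Secure layout is present; otherwise keep the generic
    Unix/Unix classification the connector already produces."""
    m = PULSE_BODY_RE.match(body)
    if m is None:
        return ClassifiedEvent("Unix", "Unix", body)
    return ClassifiedEvent(
        device_vendor="Juniper",
        device_product="PulseSecure",
        name=m.group("msg"),
        fields={k: v for k, v in m.groupdict().items() if k != "msg"},
    )


def classify_all(bodies: List[str]) -> List[ClassifiedEvent]:
    return [classify(b) for b in bodies]


# Sample input: line 1 is the event quoted in the thread; lines 2 and 3 are
# constructed for this example (a Pulse-style login and a plain sshd line
# that shares the same connector and must stay Unix/Unix).
SAMPLE_BODIES = [
    "2016-07-03 11:32:12 - HostName - [127.0.0.1] System()[] - Removed expired "
    "user sessions from mail cache. Number of cached sessions before cleanup: 0. "
    "Number of sessions after cleanup: 0.",
    "2016-07-03 11:40:01 - HostName - [10.0.0.5] jdoe(Users)[Employees] - "
    "Login succeeded for jdoe/Users from 10.0.0.5.",
    "sshd[1234]: Accepted publickey for root from 10.0.0.9 port 51822 ssh2",
]


def vendor_product_summary(bodies: List[str]) -> List[str]:
    """Return 'Vendor/Product' per line, the view you would check in ESM."""
    return [f"{e.device_vendor}/{e.device_product}" for e in classify_all(bodies)]


if __name__ == "__main__":
    for body, ev in zip(SAMPLE_BODIES, classify_all(SAMPLE_BODIES)):
        print(f"{ev.device_vendor}/{ev.device_product}: {ev.name[:60]}")
        if ev.fields:
            print("   ", ev.fields)
```

The point of the strict anchoring is the one the post makes: a loose pattern (say, matching on the presence of "PulseSecure" or on a leading timestamp) would re-tag unrelated Unix daemons on the same connector, so the workaround is only safe if it requires every structural element of the Pulse header and falls through to the existing Unix handling otherwise.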