can you please provide the ovverride ?

This issue has been told to get fixed in the 7.2.1 release yet, but I see that even the 7.2.3 does not have the fix for it.

hi sudesh

Yes version 7.2.3.7789 have some issue even though it says supported, at our end it was fixed after HP support provided a parser override.

please check the latest Smartconnector v7.2.4 I see some parsing issue fixed update in the release notes.

If still no solution then you can approach to get an override for your Smartconnector.

regards

KS

Does anyone found a solution for this?

Upgraded the connector to the most latest version (i.e. 7.2.3.7789.0) since the Pulse Secure is officially supported by ArcSight.

However, the logs are not getting parsed. Device vendor/product still shows as Unix/Unix. Sample entries as follows;

Device Vendor : Unix

Device Product : Unix

Device Process Name : PulseSecure

Device Custom String1.Module  : PulseSecure

Name : 2016-07-03 11:32:12 - HostName - [127.0.0.1] System()[] - Removed expired user sessions from mail cache.  Number of cached sessions before cleanup: 0.  Number of sessions after cleanup: 0.

Please share if any of you got a solution for this. Thanks.

-Sudesh

For all syslog connectors, you select either Syslog File, Syslog Pipe, or Syslog Daemon from the list in the installer.  Information about the parameters is documented in the individual configuration guide for the particular syslog device.

Ingrid

Hi Ingrid,

Thanks for your reply. I don't see this type of connector in the list when adding a connector. Can you please provide documentation for this to how to set up ?

Thanks and regards,

Andras

FYI, we've introduced a new connector, Pulse Secure Pulse Connect Secure Syslog, which supports version 8.1 of the renamed product.

That said, for the problem you're having with vendor and product being populated as unix, it would be helpful if you could supply logs for development to work with to rectify this problem.

Hi,

I have upgraded the syslog connector that receives events from Juniper Pulse Secure Access 8.1r5 to 7.2.1 but in ESm I still see Device Vendor/Device Product as Unix/Unix while according to the event mapping it should be Juniper/PulseSecure.

Is there any custom configuration needed either on Juniper or on Arcsight side to correct the above?

Thanks and regards,

Andras

Moved answer to https://protect724.hp.com/message/73310#73310

Hi All,

The events' Vendor/Product  from Juniper PulseSecure version 8.1r5 are shown as Unix/Unix instead of Juniper/PulseSecure in ESM/Logger.

This is due to the pact that the headers have been changed. There is an FR in place for this bug, but until the fix is released, does anyone have an idea what workaround could solve to have the events shown as Juniper/PulseSecure ?

Considering the fact that not only JuniperSSL devices are feeding the particular connector, putting a subparser in place may end up in showing non-juniper devices shown as Juniper/PulseSecure.

Does anyone have any idea on this?

Cheers,

Andras

HI All

Is there any way to configure the Juniper device over custom port ?? Unable to find the info in config guide

Cheers

Keshav SONI