SmartConnector for Juniper Pulse Secure Access Syslog (Legacy)

over 9 years ago
Comment List
Anonymous
  • Can you please provide the override?

    This issue was said to be fixed in the 7.2.1 release, but I see that even 7.2.3 does not have the fix for it.

  • Hi Sudesh,

    Yes, version 7.2.3.7789 has some issues even though it says supported; at our end it was fixed after HP support provided a parser override.

    Please check the latest SmartConnector v7.2.4; I see some parsing issue fixes in the release notes.

    If there is still no solution, then you can ask to get an override for your SmartConnector.

    Regards

    KS

  • Has anyone found a solution for this?

    Upgraded the connector to the latest version (i.e. 7.2.3.7789.0), since Pulse Secure is officially supported by ArcSight.

    However, the logs are not getting parsed. Device vendor/product still shows as Unix/Unix. Sample entries are as follows:

    Device Vendor : Unix

    Device Product : Unix

    Device Process Name : PulseSecure

    Device Custom String1.Module  : PulseSecure

    Name : 2016-07-03 11:32:12 - HostName - [127.0.0.1] System()[] - Removed expired user sessions from mail cache.  Number of cached sessions before cleanup: 0.  Number of sessions after cleanup: 0.

    Please share if any of you got a solution for this. Thanks.

    -Sudesh

  • For all syslog connectors, you select either Syslog File, Syslog Pipe, or Syslog Daemon from the list in the installer.  Information about the parameters is documented in the individual configuration guide for the particular syslog device.

    Ingrid

  • Hi Ingrid,

    Thanks for your reply. I don't see this type of connector in the list when adding a connector. Can you please provide documentation on how to set this up?

    Thanks and regards,

    Andras

  • FYI, we've introduced a new connector, Pulse Secure Pulse Connect Secure Syslog, which supports version 8.1 of the renamed product.

    That said, for the problem you're having with vendor and product being populated as unix, it would be helpful if you could supply logs for development to work with to rectify this problem.

  • Hi,

    I have upgraded the syslog connector that receives events from Juniper Pulse Secure Access 8.1r5 to 7.2.1, but in ESM I still see Device Vendor/Device Product as Unix/Unix, while according to the event mapping it should be Juniper/PulseSecure.

    Is there any custom configuration needed on either the Juniper or the ArcSight side to correct the above?

    Thanks and regards,

    Andras

  • Hi All,

    The events' Vendor/Product  from Juniper PulseSecure version 8.1r5 are shown as Unix/Unix instead of Juniper/PulseSecure in ESM/Logger.

    This is due to the fact that the headers have been changed. There is an FR in place for this bug, but until the fix is released, does anyone have an idea what workaround could get the events shown as Juniper/PulseSecure?

    Considering the fact that not only JuniperSSL devices are feeding the particular connector, putting a subparser in place may end up with non-Juniper devices shown as Juniper/PulseSecure.

    Does anyone have any idea on this?

    Cheers,

    Andras

  • Hi All,

    Is there any way to configure the Juniper device over a custom port? Unable to find the info in the config guide.

    Cheers

    Keshav SONI
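The thread's concern that a sub-parser on a shared syslog connector could relabel non-Juniper senders can be checked offline before requesting or deploying an override. The sketch below is an added example, not ArcSight parser syntax and not code from any poster or vendor: it relabels an event only when both the process name and the body layout from the sample event above match. The dictionary keys and the two non-Pulse inputs used in the test are constructed for illustration.

```python
import re

# Body layout taken from the sample event posted in the thread:
#   <date> <time> - <host> - [<ip>] <user>(<realm>)[<roles>] - <message>
PULSE_BODY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"(?P<host>\S+) - "
    r"\[(?P<src>[^\]]*)\] "
    r"(?P<user>[^()]*)\((?P<realm>[^)]*)\)\[(?P<roles>[^\]]*)\] - "
    r"(?P<msg>.*)$"
)

def classify(process_name, body):
    """Label an event Juniper/PulseSecure only if the syslog process name
    AND the body layout both match; everything else keeps the generic
    Unix/Unix labels the connector assigns by default."""
    # Key names are hypothetical, chosen for this example only.
    event = {"vendor": "Unix", "product": "Unix", "name": body}
    if process_name != "PulseSecure":
        return event              # other devices feeding the same connector
    m = PULSE_BODY.match(body)
    if m is None:
        return event              # header changed again: do not guess
    event.update(
        vendor="Juniper",
        product="PulseSecure",
        name=m["msg"],
        timestamp=m["ts"],
        host=m["host"],
        source_address=m["src"],
        user=m["user"],
        realm=m["realm"],
        roles=[r for r in m["roles"].split(",") if r],
    )
    return event

# Sample body copied from the thread.
PULSE_SAMPLE = (
    "2016-07-03 11:32:12 - HostName - [127.0.0.1] System()[] - "
    "Removed expired user sessions from mail cache.  Number of cached "
    "sessions before cleanup: 0.  Number of sessions after cleanup: 0."
)

if __name__ == "__main__":
    print(classify("PulseSecure", PULSE_SAMPLE))
```

Events that fall through the second guard (process name matches, layout does not) are the ones worth collecting as sample logs for the vendor, since they indicate the header format has drifted from what the parser expects.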
