jagadeeshan.s1 (New Member)

Juniper Pulse Secure VPN log integration

Does anyone have experience with Juniper Pulse Secure VPN device log collection?

I'd appreciate it if you could share your experience with it.

We forwarded syslogs from Juniper Pulse device (v8.1) to ESM 5.5 via syslog-daemon smartconnector (7.1.6), and it's not parsing the logs in an appropriate way. It's parsing it as Unix source. Any thoughts on this?

Thanks!

32 Replies
frankbijkersma (Honored Contributor)

Re: Juniper Pulse Secure VPN log integration

We have it working for versions 8.1 and below

Under log/monitoring we have the following custom filter, which is applied to the syslog destination:

%date% %time% - %node% - [%sourceip%] <HardcodedDeviceName>::%user%(%realm%)[%role%] - %msg%

Replace <HardcodedDeviceName> with your deviceName

Only thing that does not parse is the ActiveSync passthrough logging.

kreed7 (Absent Member)

Re: Juniper Pulse Secure VPN log integration

Sounds easier than what I did. I just built a flex and pushed it into the syslog config through a custom subagent.

The main deal was stripping off part of the front of the message then pushing it to a chained key-value parser.

jagadeeshan.s1 (New Member)

Re: Juniper Pulse Secure VPN log integration

ArcSight support confirmed that as of now Juniper Pulse Secure VPN v8.1R6 is not supported (SC 7.1.6).

JIRA request CON-16536.

jagadeeshan.s1 (New Member)

Re: Juniper Pulse Secure VPN log integration

Frank, I'll try this out.

rommel (Absent Member)

Re: Juniper Pulse Secure VPN log integration

Would any kind soul be able to provide Categorization for Pulse Secure logs? Thank you for any assistance.

v/r,

rom

netanels211 (Absent Member)

Re: Juniper Pulse Secure VPN log integration

Jag, I am facing the same issue with Pulse VPN 8.1.

Did you try it, and did it work?

Best Regards,

Netanel.

rommel (Absent Member)

Re: Juniper Pulse Secure VPN log integration

I created a CEF log format to be used while we wait for ArcSight to support the latest version.

CEF:0|Pulse|Pulse Secure|8.10|%id%|%id%|%syslogcode%|dvc=%localip% dvchost=%node% proto=%protocol% src=%sourceip% spt=%srcport% dst=%remoteip% dhost=%remotehost% dpt=%port% out=%sbytes% in=%rbytes% msg=%msg% requestMethod=%method% request=%uri% requestClientApplication=%userAgent% outcome=%result% cs1=%duration% cs1Label=Duration cs2=%realm% cs2Label=Realm spriv=%role% suser=%user%

Also, I had to create a map file for the id to map to an event name. There are over 3k possible events, which makes categorization an issue.

v/r,

rom

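The CEF format string in rommel's post leaves two things to the reader: what the device does with characters that are special in CEF (pipes in the header, "=" and backslashes in extension values) and how the "map file" turns a message id into an event name. The following Python is an added example, not code from the post, from ArcSight or from Pulse Secure. It renders the same header and extension layout from an already-substituted set of Pulse fields (a constructed sample; EVT00001 is a placeholder id and the name map is a stand-in for the map file), applies the CEF escaping rules, and parses the line back so the round trip can be checked.

```python
import re

# Header constants as used in the post's CEF format string.
CEF_VENDOR, CEF_PRODUCT, CEF_VERSION = "Pulse", "Pulse Secure", "8.10"

# CEF extension key -> Pulse placeholder, in the order of the post's format.
EXTENSION_MAP = [
    ("dvc", "localip"), ("dvchost", "node"), ("proto", "protocol"),
    ("src", "sourceip"), ("spt", "srcport"), ("dst", "remoteip"),
    ("dhost", "remotehost"), ("dpt", "port"), ("out", "sbytes"),
    ("in", "rbytes"), ("msg", "msg"), ("requestMethod", "method"),
    ("request", "uri"), ("requestClientApplication", "userAgent"),
    ("outcome", "result"), ("cs1", "duration"), ("cs2", "realm"),
    ("spriv", "role"), ("suser", "user"),
]
CUSTOM_LABELS = {"cs1": "Duration", "cs2": "Realm"}  # emitted as cs1Label / cs2Label

# Constructed sample event (not real Pulse output). EVT00001 is a placeholder
# message id; msg contains "=" and "\" on purpose to exercise the escaping.
SAMPLE_FIELDS = {
    "id": "EVT00001", "syslogcode": "5",
    "localip": "10.0.0.1", "node": "pulse-node-1", "protocol": "tcp",
    "sourceip": "198.51.100.7", "srcport": "51234",
    "remoteip": "10.0.0.50", "remotehost": "intranet", "port": "443",
    "sbytes": "1024", "rbytes": "2048",
    "msg": "Login succeeded for user=alice from C:\\client",
    "method": "GET", "uri": "/portal/home", "userAgent": "Pulse-Client/1.0",
    "result": "success", "duration": "300", "realm": "Users",
    "role": "Employees", "user": "alice",
}
# Constructed stand-in for the "map file" (message id -> event name).
NAME_MAP = {"EVT00001": "User login succeeded"}


def escape_header(value):
    """CEF header fields: backslash and pipe must be escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value):
    """CEF extension values: backslash, '=' and line breaks must be escaped."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def render_cef(fields, name_map):
    """Build one CEF line from substituted Pulse fields, like the post's format."""
    sig_id = fields["id"]
    header = "|".join([
        "CEF:0", escape_header(CEF_VENDOR), escape_header(CEF_PRODUCT),
        escape_header(CEF_VERSION), escape_header(sig_id),
        escape_header(name_map.get(sig_id, sig_id)),  # unmapped id: reuse the id
        escape_header(fields.get("syslogcode", "0")),
    ])
    ext = []
    for key, src in EXTENSION_MAP:
        value = fields.get(src)
        if value is None or value == "":
            continue  # skip empty placeholders instead of emitting "key="
        ext.append(f"{key}={escape_extension(value)}")
        if key in CUSTOM_LABELS:
            ext.append(f"{key}Label={CUSTOM_LABELS[key]}")
    return header + "|" + " ".join(ext)


def split_header(line):
    """Split the seven header fields on unescaped pipes; return (fields, rest)."""
    parts, cur, i = [], [], 0
    while i < len(line) and len(parts) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped character: keep it literally
            cur.append(line[i + 1])
            i += 2
        elif ch == "|":
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    return parts, line[i:]


_UNESCAPE = {"\\": "\\", "=": "=", "|": "|", "n": "\n", "r": "\r"}


def unescape_extension(raw):
    return re.sub(r"\\(.)", lambda m: _UNESCAPE.get(m.group(1), m.group(0)), raw, flags=re.S)


def parse_extension(ext):
    """Split 'key=value' pairs; a key starts the string or follows whitespace.
    Escaped '\\=' inside a value is not followed by a key match, so it stays in the value."""
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_]+)=", ext))
    pairs = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        pairs[m.group(1)] = unescape_extension(ext[m.end():end])
    return pairs


def parse_cef(line):
    parts, ext = split_header(line)
    if len(parts) != 7 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    names = ["cef_version", "vendor", "product", "device_version",
             "signature_id", "name", "severity"]
    record = dict(zip(names, parts))
    record["extension"] = parse_extension(ext)
    return record


if __name__ == "__main__":
    line = render_cef(SAMPLE_FIELDS, NAME_MAP)
    print(line)
    print(parse_cef(line)["extension"]["msg"])
```

The device-side filter in the post cannot escape anything itself, so a `%msg%` containing "=" will be split wrongly by a strict CEF parser; the rendering above shows what the escaped form should look like, and the parser shows how a connector recovers the original value.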
netanels211 (Absent Member)

Re: Juniper Pulse Secure VPN log integration

Hey Rommel, thanks for your answer.

I have a few questions for you:

1. Where did you use the CEF? I couldn't find the right place where I can change the log format that the Juniper sends.

2. Can you share with me the map file you had to create?

3. Is the "old" categorization not enough for the new Juniper version?

Thanks a lot,

Netanel.

rommel (Absent Member)

Re: Juniper Pulse Secure VPN log integration

1. Where did you use the CEF? I couldn't find the right place where I can change the log format that the Juniper sends.

Log/Monitoring->Filters. Create a new filter with the Custom radio button selected under Export Format. Paste it into the Format window. I applied that to Events, User Access and Admin Access.

2. Can you share with me the map file you had to create?

3. Is the "old" categorization not enough for the new Juniper version?

It is a new client; I never had samples of events to obtain categorization from. If you have some you can provide, I would appreciate it.

netanels211 (Absent Member)

Re: Juniper Pulse Secure VPN log integration

Thanks a lot!

I will try it soon and let you know!

Netanel.

malb7 (Regular Contributor)

Re: Juniper Pulse Secure VPN log integration

You need to request the unencrypted parser from HP support and make these modifications to make it work again. I've attached the package. Unpack it into the FCP directory as a parser override and it should work.

Old logformat:

Dec 7 00:44:56 hostname.domain.local Juniper: 2015-12-07 00:44:56 - hostname - [192.168.5.106] USERccc(MDT)[MDT] - VPN Tunneling: Session ended for user with IPv4 address 192.168.2.8

New format:

Dec 9 16:37:39 hostname.domain.local 2015-12-09T16:37:39+01:00 PulseSecure: 2015-12-09 16:37:39 - hostname - [192.168.6.26] Userttt(DRC)[DRC] - Unsupported or wrong EAP protocol -1 used by 192.168.5.7

Modified regex:

regex=.*(?:Juniper|\\s?(\\d+-\\d+-\\d+T\\d+:\\d+:\\d+(?:-|\\+)\\d+:\\d+|\\d+-\\d+-\\d+T\\d+:\\d+:\\d+Z)\\s?PulseSecure): (\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}) - (\\S+) - \\[(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|\\S*\\:\\S*)\\] (.*?)\\((.*?)\\)\\[([^\\]]*)\\] - (.*)

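A quick way to check a parser-override regex before dropping it into the FCP directory is to run it against the two sample lines from malb7's post. The Python below is an added example (not code from the post, from HP/ArcSight or from Pulse Secure). It takes the regex exactly as written in the properties file, undoes the doubled-backslash escaping that Java .properties files require, and runs it over the old-format line, the new-format line, and one constructed line (not from the post) with a "Z" timestamp and an IPv6 client address. The field names given to the eight capture groups are this example's own choice; the real override maps them to ArcSight event fields.

```python
import re

# The regex exactly as it appears in the parser properties file in the post
# above (backslashes doubled by .properties escaping).
PROPERTIES_REGEX = (
    r".*(?:Juniper|\\s?(\\d+-\\d+-\\d+T\\d+:\\d+:\\d+(?:-|\\+)\\d+:\\d+|"
    r"\\d+-\\d+-\\d+T\\d+:\\d+:\\d+Z)\\s?PulseSecure): "
    r"(\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}) - (\\S+) - "
    r"\\[(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|\\S*\\:\\S*)\\] "
    r"(.*?)\\((.*?)\\)\\[([^\\]]*)\\] - (.*)"
)

# Undo the .properties escaping so Python's re sees the pattern Java would.
PULSE_RE = re.compile(PROPERTIES_REGEX.replace("\\\\", "\\"))

# Names for the eight capture groups (this example's own choice).
FIELDS = ("iso_timestamp", "event_time", "node", "source_ip",
          "user", "realm", "role", "message")

# Sample lines quoted from the post above.
OLD_FORMAT_LINE = (
    "Dec 7 00:44:56 hostname.domain.local Juniper: 2015-12-07 00:44:56 - hostname - "
    "[192.168.5.106] USERccc(MDT)[MDT] - VPN Tunneling: Session ended for user "
    "with IPv4 address 192.168.2.8"
)
NEW_FORMAT_LINE = (
    "Dec 9 16:37:39 hostname.domain.local 2015-12-09T16:37:39+01:00 PulseSecure: "
    "2015-12-09 16:37:39 - hostname - [192.168.6.26] Userttt(DRC)[DRC] - "
    "Unsupported or wrong EAP protocol -1 used by 192.168.5.7"
)
# Constructed line (not from the post): UTC "Z" timestamp and an IPv6 client.
IPV6_LINE = (
    "Dec 9 16:37:39 hostname.domain.local 2015-12-09T16:37:39Z PulseSecure: "
    "2015-12-09 16:37:39 - hostname - [fe80::1] bob(Users)[Employees] - "
    "Constructed test message"
)


def parse_pulse_line(line):
    """Return the captured fields as a dict, or None if the line does not match.
    fullmatch mirrors the connector, which requires the whole message to match."""
    m = PULSE_RE.fullmatch(line)
    if m is None:
        return None
    return dict(zip(FIELDS, m.groups()))


if __name__ == "__main__":
    for sample in (OLD_FORMAT_LINE, NEW_FORMAT_LINE, IPV6_LINE):
        print(parse_pulse_line(sample))
```

Groups 2 to 8 (event time, node, client address, user, realm, role, message) come out identically for both syslog prefixes, which is what the override needs. Group 1 is only there to let the alternation skip the new ISO timestamp: because the leading `.*` is greedy it backtracks to the last digit of the year, so for the new-format line group 1 comes back as `5-12-09T16:37:39+01:00` rather than the full timestamp. Map the event time from group 2, not group 1.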
netanels211 (Absent Member)

Re: Juniper Pulse Secure VPN log integration

Well, it works perfectly!!!

MALB, when was the parser you've just shared last modified by HP?

Best regards,

Netanel.

malb7 (Regular Contributor)

Re: Juniper Pulse Secure VPN log integration

No, the shared parser was last modified by me... good to hear it worked for you as well.

netanels211 (Absent Member)

Re: Juniper Pulse Secure VPN log integration

Well, good to have yours also for another test.

Thanks a lot though.

Netanel.
