Pulse Secure Collector

Overview

There is an existing Sentinel Collector for VPN and Access Control devices that dates back to 2015. This whole product line has since been sold to Pulse Secure.

This collector now supports the current version of these products:

  • Pulse Secure Pulse Connect Secure 8.2 (SA image)

  • Pulse Secure Pulse Policy Secure 5.x (IC image)


These software images can be run on different appliances:

  • Pulse Secure PSA Series

  • Juniper Networks MAG Series

  • Virtual Machines


Configuration


Creating custom filter and format for Sentinel

Pulse Secure devices offer standard, WELF, W3C and custom log formats. Since the msg variable can contain both single and double quote characters, and neither is escaped when the device formats a log message, neither can be used as the quote character. This collector therefore uses ¦ (U+00A6, Broken Bar) as the quote character in a custom format.

  1. Go to System > Log/Monitoring > Events > Filters.

  2. Click New Filter Button.

  3. Enter Sentinel as Filter Name.

  4. Go to Export Format Section, select the Custom option.

  5. Enter the following string in the Format field. For Pulse Policy Secure use type=NETM, for Pulse Connect Secure use type=VPN. This value is used to set the ObserverCategory (rv32) and the ProductName (pn).
    PulseSecure_id=¦%id%¦ date=¦%date%¦ time=¦%time%¦ severity=¦%severity%¦ node=¦%node%¦ sourceip=¦%sourceip%¦ user=¦%user%¦ realm=¦%realm%¦ role=¦%role%¦ locIp=¦%localip%¦ protocol=¦%protocol%¦ remport=¦%port%¦ result=¦%result%¦ method=¦%method%¦ remip=¦%remoteip%¦ remHost=¦%remotehost%¦ srcport=¦%srcport%¦ type=NETM arg=¦%uri%¦ sent=¦%sbytes%¦ rcvd=¦%rbytes%¦ agent=¦%userAgent%¦ duration=¦%duration%¦ msg=¦%msg%¦

    NOTE: The format string above must be pasted into the device as a single line.

  6. Click Save Button.
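The custom format above, as an added example that is not the collector's own code: a small JavaScript parser for the U+00A6-quoted name/value format, with one event rendered with ¦ and again with a double quote to show how an unescaped quote inside msg truncates the field. The sample event, the rv32 strings and the Sentinel field names other than pn, rv32 and VendorOutcomeCode are constructed or assumed.

```javascript
// Added example (not the collector's own code): parse the Sentinel custom
// format quoted with U+00A6 and show why a double-quote delimiter breaks.
const BROKEN_BAR = "\u00A6";

// Parse "key=<quote>value<quote>" pairs; an unquoted value (type=NETM) runs to
// the next whitespace. A quoted value may contain spaces, '=' and any quote
// character except the delimiter itself, which the device never escapes.
// `quote` must be a single character that is not a regex metacharacter.
function parseNvp(line, quote) {
  const re = new RegExp("(\\w+)=(?:" + quote + "([^" + quote + "]*)" + quote + "|(\\S+))", "g");
  const fields = {};
  for (let m; (m = re.exec(line)) !== null; ) {
    fields[m[1]] = m[2] !== undefined ? m[2] : m[3];
  }
  return fields;
}

// Render fields in the custom format with a selectable delimiter, so the same
// event can be compared with the broken bar and with a double quote.
function formatNvp(fields, quote) {
  return Object.entries(fields)
    .map(([k, v]) => (k === "type" ? k + "=" + v : k + "=" + quote + v + quote))
    .join(" ");
}

// Constructed sample event (not captured from a real device); msg carries
// unescaped single and double quotes, as real messages can.
const SAMPLE_FIELDS = {
  PulseSecure_id: "AUT12345", date: "2017/06/05", time: "22:11:03",
  severity: "INFO", node: "node1", sourceip: "203.0.113.7", user: "alice",
  realm: "Users", role: "Users,Remote", result: "", type: "VPN", agent: "Mozilla/5.0 (X11)",
  msg: "User 'alice' with role \"Users\" logged in from 203.0.113.7",
};

// Product names are the page's; the ObserverCategory (rv32) strings are an
// assumption, since the page does not state them.
const PRODUCT_BY_TYPE = {
  NETM: { pn: "Pulse Policy Secure", rv32: "Network Access Control" },
  VPN: { pn: "Pulse Connect Secure", rv32: "VPN" },
};

// Map one parsed line to Sentinel fields; result goes to VendorOutcomeCode as
// the release notes describe, InitUserName and Message are assumed names.
function toSentinelEvent(line) {
  const f = parseNvp(line, BROKEN_BAR);
  const p = PRODUCT_BY_TYPE[f.type] || { pn: "Unknown", rv32: "Unknown" };
  return { pn: p.pn, rv32: p.rv32, InitUserName: f.user,
           VendorOutcomeCode: f.result, Message: f.msg, fields: f };
}
```

Rendering the same fields with `"` as the delimiter and parsing them back yields a msg cut off at the first embedded double quote, which is exactly the failure the broken bar avoids.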


Configure Pulse Secure to send event data to Sentinel



  1. Go to System > Log/Monitoring > Events > Settings.

  2. In the Syslog Servers section, enter the server name/IP.

  3. Choose any Facility. The syslog facility is not interpreted by this collector.

  4. Choose a transport protocol under Type.

  5. Choose the custom Filter created earlier.

  6. Click Add button.

  7. Click Save Changes button.

  8. Repeat steps 1 to 7 for the User Access, Admin Access and Sensors logs. In step 1, after System > Log/Monitoring, click the respective log (User Access, Admin Access or Sensors) instead of Events.



Release Notes


2011.1r2



  • Added support for Guest Administration events. Set the new Guest Realm parameter accordingly.

  • Changed the custom log format. Since the msg variable can contain both single and double quote characters that are not escaped when the device formats log messages, neither can be used as the quote character. This collector now uses ¦ (U+00A6, Broken Bar) as the quote character in a custom format. You must therefore update your custom log format according to Configuring Syslog.

  • The collector was updated to handle the duration, rbytes, sbytes, uri, and useragent variables.

  • The Result code of transaction (result variable) is now stored in VendorOutcomeCode.

  • The collector keeps fields that were parsed from headers if parsing the message body or certain details fails later.

  • The roles variable holds a comma-separated list of the initiator's roles, not the target's. Assigning its first value to TargetTrustName has therefore been removed.

  • The collector no longer blindly tries to parse anything that looks remotely like an IP address or DNS name from the msg variable. Data can still be parsed from the msg variable by supplying an event-specific Record.prototype["parse-XXXNNNNN"] function.

  • The collector was updated to use the native DataTime and NVPParser parsers.

Version history: revision 1 of 1, last updated 2017-06-05 22:11.