Configure Juniper Firewall Collection
Collecting Juniper Firewall logs enables Alert Logic to run our common firewall analytics on data from your Juniper Firewall devices. These analytics identify suspicious communication with internet hosts which Alert Logic considers threat actors. Significant security findings from your Juniper Firewall devices will result in the creation of incidents that can be managed in the Alert Logic console.
You must complete the following to send data from your Juniper Firewall device(s) to Alert Logic:
Download and install the remote collector
To send data from your Juniper Firewall device(s) to Alert Logic, you must first download and install the remote collector in the same network as the Juniper Firewall device(s).
To download and install the remote collector:
- Review the requirements for the remote collector as outlined in Requirements for the Alert Logic Remote Collector and ensure all requirements are met.
- Complete the following instructions for Linux or Windows, making sure to choose a host in the same network as the Juniper Firewall device(s).
- While installing the remote collector, note the IP of the host where the collector is installed. This IP will be needed when configuring the Juniper Firewall device.
Configure Juniper Firewall device
Once the remote collector is installed, the Juniper Firewall device needs to be configured to send data to the collector.
To configure the Juniper Firewall device:
- Log in to the SRX device's CLI and enter configuration mode with the following command (the set commands in the next step are accepted only in configuration mode; the CLI does not display the configuration on login):
configure
- Configure the remote syslog server with the following commands, replacing <IP of remote collector> with the IP you noted when installing the remote collector and <IP of firewall> with the SRX interface address that can reach the collector. "any any" forwards every facility at every severity, "authorization any" includes login and commit events, "port 1515" is the port the collector listens on, and "structured-data" switches the output to the RFC 5424-style key="value" format the collector expects:
set system syslog host <IP of remote collector> any any
set system syslog host <IP of remote collector> authorization any
set system syslog host <IP of remote collector> port 1515
set system syslog host <IP of remote collector> source-address <IP of firewall>
set system syslog host <IP of remote collector> structured-data
commit
- Run the following command from configuration mode to validate that your changes have been committed (use run show configuration to display the full configuration):
run show configuration system syslog
Note: Junos sends system syslog over UDP by default, so this traffic is neither encrypted nor authenticated; keep the collector on the same network as the firewall, as the remote collector requirements specify, and do not route it across untrusted networks. Firewall session (traffic) logs are generated only for security policies configured with log session-init or log session-close, and on SRX devices whose security log is in stream mode they are sent from the data plane to the configured stream host rather than through system syslog, so on such devices they will not reach the collector through the configuration above.
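The structured-data statement changes what the collector receives: each line becomes an RFC 5424-style record with a junos@ block of key="value" pairs instead of free text. The following added example (not Alert Logic's or Juniper's code) parses that format, reports lines that are not structured-data (a sign the statement was not committed), and runs a simple check over RT_FLOW session events for destinations on a watchlist. The sample lines are constructed, not captured from a device, the watchlist network is a hypothetical placeholder, and the check stands in for, rather than reproduces, Alert Logic's own analytics.

```python
"""Parse Junos structured-data syslog lines and flag firewall sessions to watch-listed hosts.

Added example; not Alert Logic or Juniper code. The layout follows the format Junos emits
when `structured-data` is set on a syslog host:
  <PRI>1 TIMESTAMP HOSTNAME PROCESS PID TAG [junos@2636.x.y.z key="value" ...] free text
"""
import re
from ipaddress import ip_address, ip_network
from typing import List, Optional

_LINE_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<pid>\S+) '
    r'(?P<tag>\S+) \[(?P<sdid>junos@[\d.]+)(?P<params>(?: [\w-]+="[^"]*")*)\]'
    r'(?: (?P<msg>.*))?$'
)
_PARAM_RE = re.compile(r'([\w-]+)="([^"]*)"')

# Syslog severity codes 0-7; PRI = facility * 8 + severity.
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]

# Hypothetical watchlist of destinations to alert on (TEST-NET-3, constructed for this example).
WATCHLIST = [ip_network("203.0.113.0/24")]


def parse_junos_line(line: str) -> Optional[dict]:
    """Return the fields of one structured-data line, or None if the line is not in that format."""
    m = _LINE_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "process": m.group("proc"),
        "tag": m.group("tag"),
        "params": dict(_PARAM_RE.findall(m.group("params"))),
        "message": m.group("msg") or "",
    }


def unstructured_lines(lines: List[str]) -> List[str]:
    """Lines that are not Junos structured-data. If everything the collector receives from the
    SRX lands here, the `structured-data` statement was probably not committed."""
    return [line for line in lines if parse_junos_line(line) is None]


def flag_sessions(lines: List[str], watchlist=WATCHLIST) -> List[dict]:
    """One finding per RT_FLOW session event whose destination address is on the watchlist."""
    findings = []
    for line in lines:
        rec = parse_junos_line(line)
        if rec is None or not rec["tag"].startswith("RT_FLOW_SESSION_"):
            continue
        p = rec["params"]
        try:
            dst = ip_address(p["destination-address"])
        except (KeyError, ValueError):
            continue  # malformed record or one without a destination address
        if any(dst in net for net in watchlist):
            findings.append({
                "host": rec["host"], "event": rec["tag"], "timestamp": rec["timestamp"],
                "src": p.get("source-address"), "dst": str(dst),
                "dport": p.get("destination-port"), "policy": p.get("policy-name"),
            })
    return findings


# Constructed sample lines (not captured from a real device). The first three are in the
# structured-data format; the last is the legacy format seen without `structured-data`.
SAMPLE_LINES = [
    '<14>1 2024-05-01T12:00:01.123 SRX-EDGE RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.129 source-address="10.1.1.5" source-port="50123" '
    'destination-address="203.0.113.45" destination-port="443" protocol-id="6" '
    'policy-name="trust-to-untrust" source-zone-name="trust" destination-zone-name="untrust" '
    'session-id-32="12345"] session created 10.1.1.5/50123->203.0.113.45/443',
    '<14>1 2024-05-01T12:00:02.456 SRX-EDGE RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.1.1.9" source-port="50124" '
    'destination-address="198.51.100.7" destination-port="80" protocol-id="6" '
    'policy-name="trust-to-untrust" session-id-32="12346"] session closed TCP FIN: '
    '10.1.1.9/50124->198.51.100.7/80',
    '<85>1 2024-05-01T12:00:03.000 SRX-EDGE mgd 4321 UI_COMMIT '
    '[junos@2636.1.1.1.2.129 username="admin" commit-message="add syslog host"] '
    "User 'admin' requested 'commit' operation",
    'May  1 12:00:04 SRX-EDGE sshd[2222]: Accepted publickey for admin from 10.1.1.2 port 51000',
]

if __name__ == "__main__":
    for finding in flag_sessions(SAMPLE_LINES):
        print("WATCHLIST HIT:", finding)
    print("unstructured lines:", len(unstructured_lines(SAMPLE_LINES)))
```

On the collector host the same functions can be fed lines read from a packet capture of port 1515 or from a small UDP listener bound to that port, which is a quick way to confirm both that the firewall is sending and that structured-data took effect before waiting on the Alert Logic console.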
Verify log collection
Once you have installed the remote collector and configured the Juniper Firewall device, it is recommended to verify that log collection is successful. It may take up to 15 minutes for Alert Logic to begin receiving logs.
- Log in to the Alert Logic console and use one of the following links to access the Search console with criteria already entered:
- In the prefilled search, uncomment one of the two commented lines that carry the SQL parameters and replace $COLLECTOR_ID or $COLLECTOR_IP with the ID or IP of your remote collector, whichever you prefer to filter on.
- Click Search.
- Verify that logs from the Juniper Firewall device(s) display for the remote collector. If nothing appears after 15 minutes, check on the SRX that the commit succeeded and the syslog host entry is present (run show configuration system syslog), and confirm that the collector host is reachable from the firewall's source-address and accepts inbound UDP (the Junos default syslog transport) on port 1515, including through the collector host's own firewall.