Juniper Secure Analytics Log Manager Users Guide
Release 7.3.0
Modified: 2017-09-13
Copyright © 2017, Juniper Networks, Inc.
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089 USA
408-745-2000
www.juniper.net
Copyright © 2017 Juniper Networks, Inc. All rights reserved.
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. and/or its affiliates in the United States and other countries. All other trademarks may be property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Table of Contents
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Part 1 Log Manager
Chapter 1 About Log Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Log Manager Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Navigate the Web-Based Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Supported Web Browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Enabling Document Mode and Browser Mode in Internet Explorer . . . . . . . . . 4
Access Log Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
RESTful API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
User Interface Tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Dashboard Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Log Activity Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Assets Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Log Manager Vulnerability Manager Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Admin Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Log Manager Common Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Viewing Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Sorting Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Refreshing and Pausing the User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Investigating IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Investigate User Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
System Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Updating User Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Resize Columns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Configure Page Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Chapter 2 Dashboard Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Dashboard Management Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Log Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Most Recent Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
System Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Vulnerability Management Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
System Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Adding Dashboard Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Using the Dashboard to Investigate Log Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Configuring Charts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Removing Dashboard Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Detaching a Dashboard Item . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Renaming a Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Deleting a Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Managing System Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Adding Search-based Dashboard Items to the Add Items List . . . . . . . . . . . . . . . . 27
Chapter 3 Log Activity Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Log Activity Tab Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Log Activity Tab Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Searching Data by Using the Advanced Search Toolbar . . . . . . . . . . . . . . . . . 32
Quick Filter Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Right-Click Menu Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Status Bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Log Activity Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Viewing Streaming Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Viewing Normalized Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Viewing Raw Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Viewing Grouped Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Event Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Event Details Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Modifying Event Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Managing PCAP Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Displaying the PCAP Data Column . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Viewing PCAP Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Downloading the PCAP File to your Desktop System . . . . . . . . . . . . . . . . . . . 49
Exporting Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Chapter 4 Chart Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Chart Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Time Series Chart Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Chart Legends . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Configuring Charts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Chapter 5 Data Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Searching for Items that Match your Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Saving Search Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Scheduled Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Advanced Search Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Accessing Advanced Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
AQL Search String Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
AQL Search String Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Reporting Account Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Insight Across Multiple Account Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Identify Suspicious Long-term Beaconing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
External Threat Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Asset Intelligence and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Network LOOKUP Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Rule LOOKUP Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Full TEXT SEARCH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Custom Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Quick Filter Search Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Using a Subsearch to Refine Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Deleting Search Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Using a Sub-search to Refine Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Managing Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Saving Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Viewing Managed Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Canceling a Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Deleting a Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Managing Search Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Viewing Search Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Creating a New Search Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Editing a Search Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Copying a Saved Search to another Group . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Removing a Group or a Saved Search from a Group . . . . . . . . . . . . . . . . . . . . 79
Chapter 6 Custom Event Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Required Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Custom Property Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Creating a Regex-Based Custom Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Creating a Calculation-Based Custom Property . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Modifying a Custom Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Copying a Custom Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Deleting a Custom Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Chapter 7 Rule Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Rule Permission Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Rules Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Event Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Rule Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Domain-specific rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Rule Responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Reference Data Collection Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Viewing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Creating a Custom Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Rule Management Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Enabling and Disabling Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Editing a Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Copying a Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Deleting a Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Rule Group Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Viewing a Rule Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Creating a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Assigning an Item to a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Editing a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Copying an Item to another Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Deleting an Item from a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Deleting a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Editing Building Blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Rule Page Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Rules Page Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Rule Response Page Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Chapter 8 Asset Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Asset Profile Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
About Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Assets Tab Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Using Assets Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Asset Tab List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Assets Tab Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Right-click Menu Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Viewing an Asset Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Adding or Editing an Asset Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Searching Asset Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Saving Asset Search Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Asset Search Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Viewing Search Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Creating a New Search Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Editing a Search Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Copying a Saved Search to another Group . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Removing a Group or a Saved Search from a Group . . . . . . . . . . . . . . . . . . . 123
Asset Profile Management Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Deleting Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Importing Asset Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Exporting Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Research Asset Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Assets Profile Page Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Asset Summary Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Network Interface Summary Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Vulnerability Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Services Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Services Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Windows Services Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Packages Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Windows Patches Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Properties Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Risk Policies Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Products Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Chapter 9 Report Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Report Management Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Time Zone Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Report Tab Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Report Tab Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Reports Tab Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Time Zone Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Report Tab Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Report Tab Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Report Tab Sort Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Report Tab Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Report Layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Chart Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Graph Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Creating Custom Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Report Management Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Editing a Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Viewing Generated Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Deleting Generated Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Manually Generating a Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Duplicating a Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Sharing a Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Branding Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Report Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Report Groups Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Creating a Report Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Editing a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Assign a Report to a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Copying a Report to Another Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Removing a Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Sharing Report Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
List of Tables
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii
Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii
Part 1 Log Manager
Chapter 1 About Log Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Table 3: Supported Web Browsers for Log Manager Products . . . . . . . . . . . . . . . . . 4
Table 4: Default Login Information for Log Manager . . . . . . . . . . . . . . . . . . . . . . . . . 5
Table 5: REST API Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Table 6: Administration Management Tools Available in Log Manager . . . . . . . . . . 9
Table 7: Functions Available in the Messages Window . . . . . . . . . . . . . . . . . . . . . . 10
Table 8: Options to Close System Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Table 9: Refresh, Pause and Play Options on the Tab . . . . . . . . . . . . . . . . . . . . . . . 13
Table 10: IP Addresses Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Table 11: Menu Options for User Name Investigation . . . . . . . . . . . . . . . . . . . . . . . . 14
Table 12: Parameters to Update User Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Chapter 2 Dashboard Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Table 13: Log Activity Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Table 14: Chart types in the Log Activity Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Table 15: Configuring Charts Parameter Options. . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Chapter 3 Log Activity Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Table 16: Log Activity Toolbar Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Table 17: Right-click Menu Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Table 18: Log Activity tab - Default (Normalized) Parameters . . . . . . . . . . . . . . . . 36
Table 19: Raw Event Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Table 20: Grouped Events Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Table 21: Grouped Event Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Table 22: Event Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Table 23: Event Details Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Chapter 4 Chart Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Table 24: Time Series Charts Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Table 25: Configuring Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Chapter 5 Data Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Table 26: Search Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Table 27: Enter Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Table 28: Examples of AQL Search Strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Table 29: Quick Filter Syntax Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Table 30: Manage Search Results Page Parameters . . . . . . . . . . . . . . . . . . . . . . . 74
Table 31: Manage Search Results Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Table 32: Search Group Window Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Table 33: Search Group Window Toolbar Functions . . . . . . . . . . . . . . . . . . . . . . . . 77
Chapter 6 Custom Event Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Table 34: Custom Property Definition Window Parameters (regex) . . . . . . . . . . . 83
Table 35: Custom Property Definition Window Parameters (Calculation) . . . . . . 84
Table 36: Custom Properties Window Columns . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Table 37: Custom Property Toolbar Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Chapter 7 Rule Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Table 38: Rules Page Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Table 39: Rules Page Toolbar Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Table 40: Event, Flow, and Common Rule Response Page Parameters . . . . . . . 104
Chapter 8 Asset Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Table 41: Asset Profile Page Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Table 42: Asset Profiles Page Toolbar Functions . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Table 43: Right-click Menu Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Table 44: Asset Profile Page Toolbar Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Table 45: Names & Description Pane Parameters . . . . . . . . . . . . . . . . . . . . . . . . . 115
Table 46: CVSS and Weight Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Table 47: Owner Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Table 48: Saving Asset Search Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Table 49: Asset Search Groups Window Toolbar Functions . . . . . . . . . . . . . . . . . 121
Table 50: Research Vulnerability Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Table 51: Asset Summary Pane Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Table 52: Network Interface Summary Pane Parameters . . . . . . . . . . . . . . . . . . . 130
Table 53: Vulnerability Pane Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Table 54: Services Pane Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Table 55: Services Pane Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Table 56: Windows Services Pane Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Table 57: Packages Pane Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Table 58: Windows Patches Pane Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Table 59: Properties Pane Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Table 60: Risk Policies Pane Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Table 61: Products Pane Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Chapter 9 Report Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Table 62: Report Tab Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Table 63: Report Toolbar Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Table 64: Report Wizard Schedule Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Table 65: Report Parameter Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Table 66: Distribution Channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Table 67: Sharing Options and Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
About the Documentation
• Documentation and Release Notes on page xi
• Documentation Conventions on page xi
• Documentation Feedback on page xiii
• Requesting Technical Support on page xiv
Documentation and Release Notes
To obtain the most current version of all Juniper Networks® technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.
Documentation Conventions
Table 1 on page xii defines notice icons used in this guide.
Table 1: Notice Icons
Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.
Tip: Indicates helpful information.
Best practice: Alerts you to a recommended use or implementation.
Table 2 on page xii defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Examples: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Examples:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description: Introduces or emphasizes important new terms; identifies guide names; identifies RFC and Internet draft titles.
Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS CLI User Guide
• RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Examples: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
• To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Examples: stub ;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
    broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Examples: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Examples: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.

Examples (for braces and semicolon):
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Examples: In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:
• Online feedback rating system—On any page of the Juniper Networks TechLibrary site
at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content,
and use the pop-up form to provide us with information about your experience.
Alternately, you can use the online feedback form at
http://www.juniper.net/techpubs/feedback/.
• E-mail—Send your comments to [email protected]. Include the document
or topic name, URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or Partner Support Service
support contract, or are covered under warranty, and need post-sales technical support,
you can access our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications:
http://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html.
PART 1
Log Manager
• About Log Manager on page 3
• Dashboard Management on page 17
• Log Activity Investigation on page 29
• Chart Management on page 51
• Data Searches on page 57
• Custom Event Properties on page 81
• Rule Management on page 89
• Asset Profiles on page 107
• Report Management on page 137
CHAPTER 1
About Log Manager
This chapter describes the Log Manager in the following sections:
• Log Manager Overview on page 3
• Supported Web Browsers on page 4
• Access Log Manager on page 4
• RESTful API on page 5
• User Interface Tabs on page 7
• Log Manager Common Procedures on page 9
Log Manager Overview
Log Manager is a network security management platform that provides situational
awareness and compliance support through security event correlation, analysis, and
reporting.
Navigate the Web-Based Application
When you use Log Manager, use the navigation options available in the Log Manager
user interface instead of your web browser's Back button.
Related Documentation
• Access Log Manager on page 4
• Viewing Messages on page 10
• Investigate User Names on page 14
Supported Web Browsers
For the features in Log Manager products to work properly, you must use a supported
web browser.
When you access the Log Manager system, you are prompted for a user name and a
password. The user name and password must be configured in advance by the
administrator.
Table 3 on page 4 lists the supported versions of web browsers.
Table 3: Supported Web Browsers for Log Manager Products
Web browser: Mozilla Firefox
Supported version: 38.0 Extended Support Release
Web browser: Microsoft Internet Explorer, with document mode and browser mode enabled
Supported versions: 10.0, 11.0
• Enabling Document Mode and Browser Mode in Internet Explorer on page 4
Enabling Document Mode and Browser Mode in Internet Explorer
If you use Microsoft Internet Explorer to access Log Manager products, you must enable
browser mode and document mode.
To enable the browser mode and document mode:
1. In your Internet Explorer web browser, press F12 to open the Developer Tools window.
2. Click Browser Mode and select the version of your web browser.
3. Click Document Mode.
• For Internet Explorer V9.0, select Internet Explorer 9.0 Standards.
• For Internet Explorer V10.0, select Internet Explorer 10.0 Standards.
Related Documentation
• Log Manager Overview on page 3
• Viewing Messages on page 10
• Investigate User Names on page 14
Access Log Manager
Log Manager is a web-based application. Log Manager uses default login information
for the URL, user name, and password.
Table 4 on page 5 describes the default login information for your Log Manager console.
Table 4: Default Login Information for Log Manager
URL: https://<IP address>, where <IP address> is the IP address of the Log Manager console.
User name: admin
Password: The password that is assigned to Log Manager during the installation process.
License key: A default license key provides you access to the system for 5 weeks.
Related Documentation
• Log Manager Overview on page 3
• Viewing Messages on page 10
• Investigate User Names on page 14
RESTful API
Use the representational state transfer (REST) application programming interface (API)
to make HTTPS queries and integrate Juniper Secure Analytics (JSA) with other solutions.
Access and user role permissions
You must have administrative user role permissions in JSA to access and use RESTful
APIs. For more information about how to manage user role permissions, see the Juniper
Secure Analytics Administration Guide.
Access to the REST API User Interfaces
Table 5 on page 5 provides descriptions and capabilities for the REST API interfaces.
Table 5: REST API Interfaces
/api/ariel: Query databases, searches, search IDs, and search results.
/api/asset_model: Returns a list of all assets in the model. You can also list all available asset property types and saved searches, and update an asset.
/api/qvm: Retrieve assets, vulnerabilities, networks, open services, filters, or create or update remediation tickets. Review and manage JSA Vulnerability Manager data.
/api/auth: Log out and invalidate the current session.
/api/help: Returns a list of API capabilities.
/api/siem: Returns a list of all offenses.
/api/reference_data: View and manage reference data collections.
/api/scanner: View, create, or start a remote scan that is related to a scan profile.
The REST API technical documentation interface provides a framework that you can use
to gather the required code that you need to implement JSA functions into other products.
1. Enter the following URL in your web browser to access the technical documentation
interface: https://<IP address>/api_doc.
2. Click the header for the API that you want to access, for example, /ariel.
3. Click the subhead for the endpoint that you want to access, for example, /databases.
4. Click the Experimental or Provisional sub header.
NOTE: The API endpoints are annotated as either experimental or stable.
Experimental: Indicates that the API endpoint might not be fully tested and might change or be removed in the future without any notice.
Stable: Indicates that the API endpoint is fully tested and supported.
5. Click Try it out to receive properly formatted HTTPS responses.
6. Review and gather the information that you need to implement in your third-party
solution.
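The interactive documentation returns one formatted response at a time; a third-party integration has to drive the same interface from code. The following is an added example, not code from this guide or from Juniper. The guide states only that /api/ariel covers searches, search IDs and results and that an administrative-role user is required; the concrete paths (/api/ariel/searches, /searches/{id}, /searches/{id}/results), the SEC token and Version headers, the search_id and status fields, and the status names WAIT, EXECUTE, COMPLETED, CANCELED and ERROR are taken from the QRadar-family Ariel API that JSA exposes and are assumptions here. The AQL query and the result rows are constructed sample data, and the HTTP transport is injected so the flow runs offline against a stand-in console.

```python
"""Run an Ariel search through the /api/ariel REST interface and collect its results.

Added example; not code from the Juniper guide. The paths, the SEC and Version
headers, the search_id/status fields and the status names come from the
QRadar-family Ariel API that JSA exposes and are assumptions here. The
transport is injected so the flow can be exercised offline against a
constructed console.
"""
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

API_VERSION = "7.0"  # assumed version; pinning it keeps responses stable while endpoints evolve
FAILED_STATES = {"CANCELED", "ERROR"}  # terminal states that never yield a result set


def https_transport(base_url, token):
    """Build a real transport for a console; returns (http_status, decoded JSON body)."""
    def send(method, path, query=None):
        url = base_url + path + ("?" + urlencode(query) if query else "")
        request = Request(url, method=method, headers={
            "SEC": token,            # token of an administrative-role user, as the guide requires
            "Version": API_VERSION,
            "Accept": "application/json",
        })
        with urlopen(request) as response:
            return response.status, json.loads(response.read().decode("utf-8"))
    return send


def run_ariel_search(send, aql, max_polls=60):
    """Submit an AQL query, wait for COMPLETED, and return the result rows.

    Fails loudly on CANCELED/ERROR or when the poll budget runs out, so a
    caller never mistakes a partial or missing result set for a complete one.
    """
    code, body = send("POST", "/api/ariel/searches", {"query_expression": aql})
    if code not in (200, 201):
        raise RuntimeError(f"search rejected: HTTP {code} {body}")
    search_id = body["search_id"]
    status = body.get("status")
    for _ in range(max_polls):
        code, body = send("GET", f"/api/ariel/searches/{search_id}")
        status = body.get("status")
        if status == "COMPLETED":
            break
        if status in FAILED_STATES:
            raise RuntimeError(f"search {search_id} ended with status {status}")
    else:
        raise RuntimeError(f"search {search_id} still {status} after {max_polls} polls")
    code, body = send("GET", f"/api/ariel/searches/{search_id}/results")
    return body["events"]


class FakeConsole:
    """Constructed stand-in for a console: the search completes on the second poll."""

    def __init__(self, rows, final_status="COMPLETED"):
        self.rows, self.final_status, self.polls, self.calls = rows, final_status, 0, []

    def __call__(self, method, path, query=None):
        self.calls.append((method, path))
        if (method, path) == ("POST", "/api/ariel/searches"):
            return 201, {"search_id": "s-0001", "status": "WAIT"}
        if (method, path) == ("GET", "/api/ariel/searches/s-0001"):
            self.polls += 1
            status = "EXECUTE" if self.polls < 2 else self.final_status
            return 200, {"search_id": "s-0001", "status": status}
        if (method, path) == ("GET", "/api/ariel/searches/s-0001/results"):
            return 200, {"events": self.rows}
        return 404, {"message": "no such path"}


# Constructed sample rows, not data captured from a real console.
SAMPLE_ROWS = [
    {"sourceip": "198.51.100.23", "username": "jdoe", "eventcount": 14},
    {"sourceip": "203.0.113.7", "username": "svc_backup", "eventcount": 3},
]
AQL = ("SELECT sourceip, username, COUNT(*) AS eventcount FROM events "
       "GROUP BY sourceip, username LAST 1 HOURS")


def demo_success():
    return run_ariel_search(FakeConsole(SAMPLE_ROWS), AQL)


def demo_failure():
    """Show that a canceled search raises instead of returning an empty result set."""
    try:
        run_ariel_search(FakeConsole(SAMPLE_ROWS, final_status="CANCELED"), AQL)
    except RuntimeError as exc:
        return str(exc)
    return "no error raised"


if __name__ == "__main__":
    for row in demo_success():
        print(row)
    print(demo_failure())
```

Against a real console, replace the FakeConsole with https_transport("https://<IP address>", token), where the token belongs to a user with administrative role permissions. Pinning the Version header is what protects an integration from the experimental endpoints changing shape that the note above describes.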
Related Documentation
• Access Log Manager on page 4
• Viewing Messages on page 10
• Investigate User Names on page 14
User Interface Tabs
Functionality is divided into tabs. The Dashboard tab is displayed when you log in.
You can easily navigate the tabs to locate the data or functionality you require.
• Dashboard Tab on page 7
• Log Activity Tab on page 7
• Assets Tab on page 8
• Log Manager Vulnerability Manager Tab on page 8
• Admin Tab on page 9
Dashboard Tab
The Dashboard tab is the default tab that is displayed when you log in.
The Dashboard tab provides a workspace environment that supports multiple dashboards
on which you can display your views of network security, activity, or data that Log Manager
collects. Five default dashboards are available. Each dashboard contains items that
provide summary and detailed information about offenses that occur on your network.
You can also create a custom dashboard to allow you to focus on your security or network
operations responsibilities. For more information about using the Dashboard tab, see
“Dashboard Management Overview” on page 17.
The Dashboard tab is the default tab that is displayed when you log in to Log Manager.
It provides a work space environment that provides summary and detailed information
on events occurring in your network.
Related Documentation
• Access Log Manager on page 4
• Viewing Messages on page 10
• Investigate User Names on page 14
Log Activity Tab
The Log Activity tab lets you investigate event logs being sent to Log Manager
in real time, perform powerful searches, and view log activity by using configurable
time-series charts.
The Log Activity tab lets you perform in-depth investigations on event data.
For more information, see “Log Activity Investigation” on page 29.
Related Documentation
• Access Log Manager on page 4
• Viewing Messages on page 10
• Investigate User Names on page 14
Assets Tab
Log Manager automatically discovers assets, servers, and hosts operating on your
network. The Assets tab is visible when Log Manager Vulnerability Manager is installed
on your system.
For more information, see the Vulnerability Manager Users Guide.
Automatic discovery is based on passive flow data and vulnerability data, allowing Log
Manager to build an asset profile.
Asset profiles provide information about each known asset in your network, including
identity information, if available, and what services are running on each asset. This profile
data is used for correlation purposes to help reduce false positives.
For example, an attack tries to use a specific service that is running on a specific asset.
In this situation, Log Manager can determine whether the asset is vulnerable to this attack
by correlating the attack to the asset profile. Using the Assets tab, you can view the
learned assets or search for specific assets to view their profiles.
For more information, see “Assets Profile Page Parameters” on page 127.
Related Documentation
• Access Log Manager on page 4
• Viewing Messages on page 10
• Investigate User Names on page 14
Log Manager Vulnerability Manager Tab
Log Manager Vulnerability Manager is a Log Manager component that you can purchase
separately. You use a license key to enable Log Manager Vulnerability Manager.
Log Manager Vulnerability Manager is a network-scanning platform that provides
awareness of the vulnerabilities that exist within the applications, systems, or devices
on your network. After scans identify vulnerabilities, you can search and review vulnerability
data, remediate vulnerabilities, and rerun scans to evaluate the new level of risk.
When Log Manager Vulnerability Manager is enabled, you can perform vulnerability
assessment tasks on the Vulnerabilities tab. From the Assets tab, you can run Log Manager
Vulnerability Manager scans on selected assets.
For more information, see the Vulnerability Manager Users Guide.
Related Documentation
• Access Log Manager on page 4
• Viewing Messages on page 10
• Investigate User Names on page 14
Admin Tab
Administrators use the Admin tab to configure and manage the users, systems, networks,
plug-ins, and components. Users with administration privileges can access the Admin
tab.
Table 6 on page 9 describes the administration tools that administrators can access in
the Admin tab.
Table 6: Administration Management Tools Available in Log Manager
System Configuration: Configure system and user management options.
Data Sources: Configure log sources, flow sources, and vulnerability options.
Remote Networks and Services Configuration: Configure remote networks and services groups.
Plug-ins: Access plug-in components. This option is only displayed if there are plug-ins that are installed on your console.
Deployment Editor: Manage the individual components of your Log Manager deployment.
All configuration updates that you make in the Admin tab are saved to a staging area.
When all changes are complete, you can deploy the configuration updates to the managed
host in your deployment.
Related Documentation
• Access Log Manager on page 4
• Viewing Messages on page 10
• Investigate User Names on page 14
Log Manager Common Procedures
Various controls on the Log Manager user interface are common to most user interface
tabs.
Information about these common procedures is described in the following sections:
• Viewing Messages on page 10
• Sorting Results on page 12
• Refreshing and Pausing the User Interface on page 12
• Investigating IP addresses on page 13
• Investigate User Names on page 14
• System Time on page 14
• Updating User Preferences on page 14
• Resize Columns on page 15
• Configure Page Size on page 15
Viewing Messages
The Messages menu, which is on the upper right corner of the user interface, provides
access to a window in which you can read and manage your system notifications.
For system notifications to show on the Messages window, the administrator must create
a rule that is based on each notification message type and select the Notify check box
in the Custom Rules Wizard.
The Messages menu indicates how many unread system notifications you have in your
system. This indicator increments the number until you close system notifications. For
each system notification, the Messages window provides a summary and the date stamp
for when the system notification was created. You can hover your mouse pointer over a
notification to view more detail. Using the functions on the Messages window, you can
manage the system notifications.
System notifications are also available on the Dashboard tab and on an optional pop-up
window that can be displayed on the lower left corner of the user interface. Actions that
you perform in the Messages window are propagated to the Dashboard tab and the
pop-up window. For example, if you close a system notification from the Messages
window, the system notification is removed from all system notification displays.
For more information about Dashboard system notifications, see “Managing System
Notifications” on page 27.
Table 7 on page 10 describes the messages window functions.
Table 7: Functions Available in the Messages Window
All: Click All to view all system notifications. This option is the default; therefore, you click All only if you selected another option and want to display all system notifications again.
Health: Click Health to view only system notifications that have a severity level of Health.
Errors: Click Errors to view only system notifications that have a severity level of Error.
Warnings: Click Warnings to view only the system notifications that have a severity level of Warning.
Information: Click Information to view only the system notifications that have a severity level of Information.
Dismiss All: Click Dismiss All to close all system notifications from your system. If you filtered the list of system notifications by using the Health, Errors, Warnings, or Information icons, the text on the Dismiss All icon changes to one of the following options:
• Dismiss All Errors
• Dismiss All Health
• Dismiss All Warnings
• Dismiss All Info
View All: Click View All to view the system notification events in the Log Activity tab. If you filtered the list of system notifications by using the Health, Errors, Warnings, or Information icons, the text on the View All icon changes to one of the following options:
• View All Errors
• View All Health
• View All Warnings
• View All Info
Dismiss: Click the Dismiss icon beside a system notification to close the system notification from your system.
To view the messages:
1. Log in to Log Manager.
2. On the upper right corner of the user interface, click Messages.
3. On the Messages window, view the system notification details.
4. Optional. To refine the list of system notifications, click one of the following options:
• Errors
• Warnings
• Information
5. Optional. To close system notifications, choose one of the options from
Table 8 on page 11.
Table 8: Options to Close System Notifications
Dismiss All: Click to close all system notifications.
Dismiss: Click the Dismiss icon next to the system notification that you want to close.
6. Optional. To view the system notification details, hover your mouse pointer over the
system notification.
Sorting Results
You sort the results in tables by clicking a column heading. An arrow at the top of the
column indicates the direction of the sort.
To sort the results:
1. Log in to Log Manager.
2. Click the column header once to sort the table in descending order; twice to sort the
table in ascending order.
Refreshing and Pausing the User Interface
You can manually refresh, pause, and play the data that is displayed on tabs.
The Dashboard and Offenses tabs automatically refresh every 60 seconds.
The Log Activity tab automatically refreshes every 60 seconds if you are viewing the tab
in Last Interval (auto refresh) mode.
The timer, which is on the upper right corner of the interface, indicates the amount of
time until the tab is automatically refreshed.
When you view the Log Activity tab in Real Time (streaming) or Last Minute (auto refresh)
mode, you can use the Pause icon to pause the current display.
You can also pause the current display in the Dashboard tab. Clicking anywhere inside a
dashboard item automatically pauses the tab. The timer flashes red to indicate that the
current display is paused.
To refresh and pause the user interface:
1. Log in to Log Manager.
2. Click the tab that you want to view.
3. Choose one of the options from Table 9 on page 13.
Table 9: Refresh, Pause, and Play Options on the Tab
Refresh: Click Refresh, on the right corner of the tab, to refresh the tab.
Pause: Click to pause the display on the tab.
Play: Click to restart the timer after the timer is paused.
Investigating IP addresses
You can use several methods to investigate information about IP addresses on the
Dashboard, Log Activity, and Network Activity tabs.
About this task
You can find more information about an IP address by any of the methods that are listed
in Table 10 on page 13.
Table 10: IP Addresses Information
Information > DNS Lookup: Searches for DNS entries that are based on the IP address.
Information > WHOIS Lookup: Searches for the registered owner of a remote IP address. The default WHOIS server is whois.arin.net.
Information > Port Scan: Performs a Network Mapper (NMAP) scan of the selected IP address. This option is only available if NMAP is installed on your system. For more information about installing NMAP, see your vendor documentation.
Information > Asset Profile: Displays asset profile information. This option is displayed if Juniper Secure Analytics (JSA) Vulnerability Manager is purchased and licensed. For more information, see the JSA Vulnerability Manager User Guide. This menu option is available if JSA acquired profile data actively through a scan.
Information > Search Events: Searches for events that are associated with this IP address.
Information > Switch Port Lookup
Information > Run QVM Scan: Select the Run QVM Scan option to run a JSA Vulnerability Manager scan on this IP address. This option is only displayed when JSA Vulnerability Manager has been purchased and licensed. For more information, see the JSA Vulnerability Manager User Guide.
To investigate an IP address:
1. Log in to JSA.
2. Click the tab that you want to view.
3. Move your mouse pointer over an IP address to view the location of the IP address.
4. Right-click the IP address or asset name and select one of the options listed in Table 10 on page 13.
Investigate User Names
You can right-click a user name to access more menu options. Use these options to view
more information about the user name or IP address.
You can investigate user names when Log Manager Vulnerability Manager is purchased
and licensed. For more information, see the Vulnerability Manager Users Guide.
Table 11 on page 14 describes the menu options for user name investigation.
Table 11: Menu Options for User Name Investigation
View Assets: Displays current assets that are associated with the selected user name. For more information about viewing assets, see “Assets Profile Page Parameters” on page 127.
View User History: Displays all assets that are associated with the selected user name over the previous 24 hours.
View Events: Displays the events that are associated with the selected user name. For more information about the List of Events window, see “Log Activity Monitoring” on page 34.
For more information about customizing the right-click menu, see the Juniper Secure
Analytics Administration Guide.
System Time
The right corner of the Log Manager user interface displays system time, which is the
time on the console.
The console time synchronizes Log Manager systems within the Log Manager deployment.
The console time is used to determine what time events were received from other devices,
so that correlation is based on correctly synchronized time.
In a distributed deployment, the console might be in a different time zone from your
desktop computer.
When you apply time-based filters and searches on the Log Activity and Network Activity
tabs, you must use the console system time to specify a time range.
Updating User Preferences
You can update your user details through the main Log Manager user interface.
To update user details:
1. To access your user information, click Preferences.
2. As required, update the parameters from Table 12 on page 15.
Table 12: Parameters to Update User Details
Username: Displays your user name. You cannot edit this field.
Password: Type a new password. The password must meet the following criteria:
• Minimum of six characters
• Maximum of 255 characters
The following special characters are not accepted:
• apostrophe (')
• dollar sign ($)
• exclamation mark (!)
Password (Confirm): Type the password again for confirmation.
Email Address: Type your email address. The email address must meet the following requirements:
• Valid email address
• Minimum of 10 characters
• Maximum of 255 characters
Locale: JSA is available in the following languages: English, Simplified Chinese, Traditional Chinese, Japanese, Korean, French, German, Italian, Spanish, Russian, and Portuguese (Brazil).
If a locale is not listed, the user interface is not translated into the associated language. However, other associated cultural conventions, such as character type, collation, format of date and time, and currency unit, are supported.
Enable Popup Notifications: Select this check box if you want to enable pop-up system notifications to be displayed on your user interface.
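The password and email criteria in Table 12 are the kind of product constraint that trips up account provisioning scripts, which typically generate passwords containing exactly the characters the form rejects. The following is an added example, not code from the Juniper guide, that checks a proposed password and email address against the table before they are submitted. The length bounds and the three rejected characters are exactly those the table lists; the guide does not define "valid email address", so the structural check used for it here is an assumption, as is the requirement that the confirmation field match.

```python
"""Pre-check user details against the criteria listed in Table 12.

Added example, not code from the Juniper guide. The length bounds and the
rejected characters are the ones the table states; the guide does not define
"valid email address", so the structural test used for it is an assumption.
"""
import re

PASSWORD_MIN, PASSWORD_MAX = 6, 255
REJECTED_PASSWORD_CHARS = {"'": "apostrophe", "$": "dollar sign", "!": "exclamation mark"}
EMAIL_MIN, EMAIL_MAX = 10, 255
# Assumed shape for "valid email address": one '@', no whitespace, dotted domain part.
EMAIL_SHAPE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def password_problems(password):
    """Return every reason the password violates Table 12 (an empty list means it passes)."""
    problems = []
    if len(password) < PASSWORD_MIN:
        problems.append(f"fewer than {PASSWORD_MIN} characters")
    if len(password) > PASSWORD_MAX:
        problems.append(f"more than {PASSWORD_MAX} characters")
    # Report each rejected character once, by name, in the order it first appears.
    seen = []
    for ch in password:
        if ch in REJECTED_PASSWORD_CHARS and ch not in seen:
            seen.append(ch)
    for ch in seen:
        problems.append(f"contains {REJECTED_PASSWORD_CHARS[ch]} ({ch})")
    return problems


def email_problems(address):
    """Return every reason the email address violates Table 12 (an empty list means it passes)."""
    problems = []
    if len(address) < EMAIL_MIN:
        problems.append(f"fewer than {EMAIL_MIN} characters")
    if len(address) > EMAIL_MAX:
        problems.append(f"more than {EMAIL_MAX} characters")
    if not EMAIL_SHAPE.match(address):
        problems.append("not shaped like an email address (assumed check)")
    return problems


def check_user_details(password, confirm, email):
    """Run the checks the Preferences form applies; the confirmation must match the password."""
    report = {"password": password_problems(password), "email": email_problems(email)}
    if confirm != password:
        report["password"].append("confirmation does not match")
    report["ok"] = not report["password"] and not report["email"]
    return report


if __name__ == "__main__":
    # Constructed sample inputs, not values from a real deployment.
    print(check_user_details("pa$$w0rd!", "pa$$w0rd!", "analyst@example.org"))
    print(check_user_details("Tr0ub4dor-xkcd", "Tr0ub4dor-xkcd", "analyst@example.org"))
```

A password generator used for provisioning should draw from an alphabet that excludes the three rejected characters rather than retrying until the form accepts the result.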
Resize Columns
You can resize the columns on several tabs in Log Manager.
Place the pointer of your mouse over the line that separates the columns and drag the
edge of the column to the new location. You can also resize columns by double-clicking
the line that separates the columns to automatically resize the column to the width of
the largest field.
NOTE: Column resizing does not work in Microsoft Internet Explorer, Version 7.0 web browsers when tabs are displaying records in streaming mode.
Configure Page Size
Users with administrative privileges can configure the maximum number of results that
display in the tables on various tabs in Log Manager.
CHAPTER 2
Dashboard Management
This chapter describes dashboard management in the following sections:
• Dashboard Management Overview on page 17
• Log Activity on page 18
• Most Recent Reports on page 19
• System Summary on page 19
• Vulnerability Management Items on page 20
• System Notification on page 20
• Adding Dashboard Items on page 22
• Using the Dashboard to Investigate Log Activity on page 22
• Configuring Charts on page 23
• Removing Dashboard Items on page 25
• Detaching a Dashboard Item on page 25
• Renaming a Dashboard on page 26
• Deleting a Dashboard on page 26
• Managing System Notifications on page 27
• Adding Search-based Dashboard Items to the Add Items List on page 27
Dashboard Management Overview
The Dashboard tab is the default view when you log in.
It provides a work space environment that supports multiple dashboards on which you
can display your views of network security, activity, or data that is collected.
Dashboards allow you to organize your dashboard items into functional views, which
enable you to focus on specific areas of your network.
Use the Dashboard tab to monitor your security event behavior.
You can customize your dashboard. The content that is displayed on the Dashboard tab
is user-specific. Changes that are made within a Log Manager session affect only your
system.
To customize your Dashboard tab, you can perform the following tasks:
• Add and remove dashboard items from your dashboards.
• Move and position items to meet your requirements. When you position items, each
item is automatically resized in proportion to the dashboard.
• Add custom dashboard items that are based on any data.
For example, you can add a dashboard item that provides a time series graph or a bar
chart that represents top 10 network activity.
To create custom items, you can create saved searches on the Log Activity tab and
choose how you want the results to be represented on your dashboard. Each
dashboard chart displays real-time up-to-the-minute data. Time series graphs on the
dashboard refresh every five minutes.
Related Documentation
• Vulnerability Management Items on page 20
• System Notification on page 20
• Adding Dashboard Items on page 22
Log Activity
The Log Activity dashboard items will allow you to monitor and investigate events in real
time.
NOTE: Hidden or closed events are not included in the values that are displayed in the Dashboard tab.
Table 13 on page 18 describes the log activity items.
Table 13: Log Activity Items
Event Searches: You can display a custom dashboard item that is based on saved search criteria from the Log Activity tab. Event search items are listed in the Add Item > Network Activity > Event Searches menu. The name of the event search item matches the name of the saved search criteria the item is based on.
Log Manager includes default saved search criteria that is preconfigured to display event search items on your Dashboard tab menu. You can add more event search dashboard items to your Dashboard tab menu. For more information, see Adding search-based dashboard items to the Add Items list.
On a Log Activity dashboard item, search results display real time last-minute data on a chart. The supported chart types are time series, table, pie, and bar. The default chart type is bar. These charts are configurable.
Time series charts are interactive. You can magnify and scan through a time line to investigate log activity.
Events By Severity: The Events By Severity dashboard item displays the number of active events that are grouped by severity. This item allows you to see the number of events that are received by the level of severity assigned. Severity indicates the amount of threat an offense source poses in relation to how prepared the destination is for the attack. The range of severity is 0 (low) to 10 (high). The supported chart types are Table, Pie, and Bar.
Top Log Sources: The Top Log Sources dashboard item displays the top five log sources that sent events to Log Manager within the last five minutes.
The number of events that are sent from the specified log source is indicated in the pie chart. This item allows you to view potential changes in behavior. For example, if a firewall log source that is typically not in the top 10 list now contributes to a large percentage of the overall message count, you should investigate this occurrence. The supported chart types are Table, Pie, and Bar.
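The Events By Severity and Top Log Sources items in Table 13 are aggregations over the incoming event stream: a count per severity value, and a count per log source restricted to a five-minute window. The Python below is an added example, not code from the guide or from Juniper, that computes both over a constructed set of events and also implements the check the Top Log Sources description asks the analyst to make by eye, namely a source whose share of the traffic in the current window is far above its share in the preceding period. The sample events, the one-hour baseline period, and the 25-percentage-point threshold are all assumptions made here; the guide only states the behaviour to look for.

```python
from __future__ import annotations

from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed reference time and sample events (timestamp, log source, severity 0-10).
# None of these values come from the guide.
NOW = datetime(2017, 9, 13, 12, 0, tzinfo=timezone.utc)


def _burst(source: str, count: int, minutes_ago: int, severity: int) -> list[tuple]:
    """Build `count` identical events from `source` received `minutes_ago` minutes before NOW."""
    return [(NOW - timedelta(minutes=minutes_ago), source, severity)] * count


EVENTS = (
    # Baseline period (5 to 65 minutes ago): a quiet lab firewall sends very little.
    _burst("dc-auth", 80, 30, 3)
    + _burst("web-proxy", 60, 40, 2)
    + _burst("fw-edge-1", 40, 20, 4)
    + _burst("dns-1", 15, 50, 1)
    + _burst("fw-lab", 5, 35, 5)
    # Last five minutes: the lab firewall suddenly dominates the event count.
    + _burst("fw-lab", 60, 2, 7)
    + _burst("dc-auth", 20, 1, 3)
    + _burst("web-proxy", 10, 3, 2)
    + _burst("fw-edge-1", 6, 4, 4)
    + _burst("dns-1", 3, 1, 1)
    + _burst("vpn-gw", 1, 0, 8)
)


def events_by_severity(events) -> dict[int, int]:
    """Count events per severity value, always returning all eleven buckets 0..10."""
    counts = Counter(sev for _, _, sev in events)
    return {sev: counts.get(sev, 0) for sev in range(11)}


def top_log_sources(events, now: datetime, window=timedelta(minutes=5), top: int = 5):
    """Top `top` (source, count) pairs among events received within `window` before `now`."""
    recent = Counter(src for ts, src, _ in events if now - window <= ts <= now)
    return recent.most_common(top)


def source_shares(events, now: datetime, start_ago: timedelta, end_ago: timedelta) -> dict[str, float]:
    """Each source's share of the events received between now-start_ago and now-end_ago."""
    counts = Counter(src for ts, src, _ in events if now - start_ago <= ts <= now - end_ago)
    total = sum(counts.values())
    return {src: n / total for src, n in counts.items()} if total else {}


def share_shift(events, now: datetime, window=timedelta(minutes=5),
                baseline=timedelta(hours=1), threshold: float = 0.25) -> list[str]:
    """Sources whose share in the current window exceeds their baseline share by more than `threshold`.

    Assumption: the guide describes this behaviour change qualitatively; the baseline
    length and threshold here are illustrative choices, not values from the guide.
    """
    current = source_shares(events, now, window, timedelta(0))
    previous = source_shares(events, now, window + baseline, window)
    return sorted(src for src, share in current.items() if share - previous.get(src, 0.0) > threshold)


if __name__ == "__main__":
    print("Events by severity:", {s: n for s, n in events_by_severity(EVENTS).items() if n})
    print("Top log sources (last 5 min):", top_log_sources(EVENTS, NOW))
    print("Sources with a large share increase:", share_shift(EVENTS, NOW))
```

`top_log_sources` is parameterised on the window and the item count, so the same function reproduces both the five-source dashboard view and the "top 10" comparison the description refers to; `share_shift` turns that comparison into a repeatable check that can run on every refresh instead of relying on an analyst noticing the change.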
Related Documentation
• Vulnerability Management Items on page 20
• System Notification on page 20
• Adding Dashboard Items on page 22
Most Recent Reports
The Most Recent Reports dashboard item displays the top recently generated reports.
The display provides the report title, the time, and date the report was generated, and
the format of the report.
Related Documentation
• Vulnerability Management Items on page 20
• System Notification on page 20
• Adding Dashboard Items on page 22
System Summary
The System Summary dashboard item provides a high-level summary of activity within
the past 24 hours.
Within the summary item, you can view the following information:
• Current Flows Per Second—Displays the flow rate per second.
• Flows (Past 24 Hours)—Displays the total number of active flows that are seen within
the last 24 hours.
• Current Events Per Second—Displays the event rate per second.
• New Events (Past 24 Hours)—Displays the total number of new events that are received
within the last 24 hours.
• Updated Offenses (Past 24 Hours)—Displays the total number of offenses that have
been either created or modified with new evidence within the last 24 hours.
• Data Reduction Ratio—Displays the ratio of data reduced based on the total events
that are detected within the last 24 hours and the number of modified offenses within
the last 24 hours.
Related Documentation
• Dashboard Management Overview on page 17
• Log Activity on page 18
• Most Recent Reports on page 19
Vulnerability Management Items
Vulnerability Management dashboard items are only displayed when Log Manager
Vulnerability Manager is purchased and licensed.
For more information, see the Vulnerability Manager Users Guide.
You can display a custom dashboard item that is based on saved search criteria from
the Vulnerabilities tab. Search items are listed in the Add Item > Vulnerability Management
> Vulnerability Searches menu. The name of the search item matches the name of the
saved search criteria the item is based on.
Log Manager includes default saved search criteria that is pre-configured to display
search items on your Dashboard tab menu. You can add more search dashboard items
to your Dashboard tab menu.
The supported chart types are table, pie, and bar. The default chart type is bar. These
charts are configurable.
Related Documentation
• Log Activity on page 18
• Most Recent Reports on page 19
• System Summary on page 19
System Notification
The System Notification dashboard item displays event notifications that are received
by your system.
For notifications to show in the System Notification dashboard item, the Administrator
must create a rule that is based on each notification message type and select the Notify
check box in the Custom Rules Wizard.
For more information about how to configure event notifications and create event rules,
see the Log Manager Administration Guide.
On the System Notifications dashboard item, you can view the following information:
• Flag—Displays a symbol to indicate severity level of the notification. Point to the
symbol to view more detail about the severity level.
• Health icon
• Information icon (?)
• Error icon (X)
• Warning icon (!)
• Created—Displays the amount of time elapsed since the notification was created.
• Description—Displays information about the notification.
• Dismiss icon (x)—Will allow you to close a system notification.
You can point your mouse over a notification to view more details:
• Host IP—Displays the host IP address of the host that originated the notification.
• Severity—Displays the severity level of the incident that created this notification.
• Low Level Category—Displays the low-level category that is associated with the
incident that generated this notification. For example: Service Disruption.
• Payload—Displays the payload content that is associated with the incident that
generated this notification.
• Created—Displays the amount of time elapsed since the notification was created.
• Description—Displays information about the notification.
• Dismiss icon (x)—Will allow you to close a system notification.
When you add the System Notifications dashboard item, system notifications can also
display as pop-up notifications in the Log Manager user interface. These pop-up
notifications are displayed in the lower right corner of the user interface, regardless of
the selected tab.
Pop-up notifications are only available for users with administrative permissions and are
enabled by default. To disable pop-up notifications, select User Preferences and clear
the Enable Pop-up Notifications check box.
In the System Notifications pop-up window, the number of notifications in the queue is
highlighted. For example, if (1 - 12) is displayed in the header, the current notification is 1
of 12 notifications to be displayed.
The System Notifications pop-up window provides the following options:
• Next icon (>)—Displays the next notification message. For example, if the current
notification message is 3 of 6, click the icon to view 4 of 6.
• Close icon (X)—Closes this notification pop-up window.
• (details)—Displays more information about this system notification.
Related Documentation
• Log Activity on page 18
• Most Recent Reports on page 19
• System Summary on page 19
Adding Dashboard Items
You can add multiple dashboard items to your Dashboard tab.
To add dashboard items:
1. Click the Dashboard tab.
2. From the toolbar, click Add Item.
3. Select the item you want to add. See “Adding Dashboard Items” on page 22.
Related Documentation
• System Summary on page 19
• Vulnerability Management Items on page 20
• System Notification on page 20
Using the Dashboard to Investigate Log Activity
Search-based dashboard items provide a link to the Log Activity tab, allowing you to
further investigate log activity.
To investigate flows from a Log Activity dashboard item:
1. Click the View in Log Activity link. The Log Activity tab opens and displays results
and two charts that match the parameters of your dashboard item.
The chart types that are displayed on the Log activity tab depend on which chart is
configured in the dashboard item.
Table 14 on page 23 describes the chart types in the log activity tab using the
dashboard.
Table 14: Chart Types in the Log Activity Tab
Bar, Pie, and Table: The Log Activity tab displays a bar chart, pie chart, and table of details.
Time Series: The Log Activity tab displays charts according to the following criteria:
1. If your time range is less than or equal to 1 hour, a time series chart, a bar chart, and a table of event details are displayed.
2. If your time range is more than 1 hour, a time series chart is displayed and you are prompted to click Update Details. This action starts the search that populates the event details and generates the bar chart. When the search completes, the bar chart and table of event details are displayed.
Related Documentation
• Vulnerability Management Items on page 20
• System Notification on page 20
• Adding Dashboard Items on page 22
Configuring Charts
You can configure Log Activity, Network Activity, and Connections (if applicable)
dashboard items to specify the chart type and how many data objects you want to view.
Table 15 on page 23 describes the configuring charts parameter options.
Table 15: Configuring Charts Parameter Options
Value to Graph: From the list, select the object type that you want to graph on the chart. Options include all normalized and custom event or flow parameters included in your search parameters.
Chart Type: From the list, select the chart type that you want to view. Options include:
1. Bar Chart—Displays data in a bar chart. This option is only available for grouped events.
2. Pie Chart—Displays data in a pie chart. This option is only available for grouped events.
3. Table—Displays data in a table. This option is only available for grouped events.
4. Time Series—Displays an interactive line chart that represents the records that are matched by a specified time interval.
Display Top: From the list, select the number of objects you want to view in the chart. Options include 5 and 10. The default is 10.
Capture Time Series Data: Select this check box to enable time series capture. When you select this check box, the chart feature begins to accumulate data for time series charts. By default, this option is disabled.
Time Range: From the list, select the time range that you want to view.
Your custom chart configurations are retained, so that they are displayed as configured
each time that you access the Dashboard tab.
JSA Log Manager collects data so that when you perform a time series saved search,
there is a cache of event or flow data available to display the data for the previous time
period. Accumulated parameters are indicated by an asterisk (*) in the Value to Graph
list. If you select a value to graph that is not accumulated (no asterisk), time series data
is not available.
To configure charts:
1. Click the Dashboard tab.
2. From the Show Dashboard list, select the dashboard that contains the item you want
to customize.
3. On the header of the dashboard item you want to configure, click the Settings icon.
4. Configure the chart parameters that are described in Table 14 on page 23.
Related Documentation
• System Notification on page 20
• Adding Dashboard Items on page 22
• Using the Dashboard to Investigate Log Activity on page 22
Removing Dashboard Items
You can remove items from a dashboard and add the item again at any time.
When you remove an item from the dashboard, the item is not removed completely.
To remove the dashboard items:
1. Click the Dashboard tab.
2. From the Show Dashboard list, select the dashboard from which you want to remove
an item.
3. On the dashboard item header, click the red [x] icon to remove the item from the
dashboard.
Related Documentation
• Adding Dashboard Items on page 22
• Using the Dashboard to Investigate Log Activity on page 22
• Configuring Charts on page 23
Detaching a Dashboard Item
You can detach an item from your dashboard and display the item in a new window on
your desktop system.
When you detach a dashboard item, the original dashboard item remains on the
Dashboard tab, while a detached window with a duplicate dashboard item remains open
and refreshes during scheduled intervals. If you close the Log Manager application, the
detached window remains open for monitoring and continues to refresh until you manually
close the window or shut down your computer system.
To detach a dashboard item:
1. Click the Dashboard tab.
2. From the Show Dashboard list, select the dashboard from which you want to detach
an item.
3. On the dashboard item header, click the green icon to detach the dashboard item and
open it in a separate window.
Related Documentation
• Adding Dashboard Items on page 22
• Configuring Charts on page 23
• Removing Dashboard Items on page 25
Renaming a Dashboard
You can rename a dashboard and update the description.
To rename a dashboard:
1. Click the Dashboard tab.
2. From the Show Dashboard list, select the dashboard that you want to edit.
3. On the toolbar, click the Rename Dashboard icon.
4. In the Name field, type a new name for the dashboard. The maximum length is 65
characters.
5. In the Description field, type a new description of the dashboard. The maximum length
is 255 characters.
6. Click OK.
Related Documentation
• Adding Dashboard Items on page 22
• Configuring Charts on page 23
• Detaching a Dashboard Item on page 25
Deleting a Dashboard
You can delete a dashboard.
After you delete a dashboard, the Dashboard tab refreshes and the first dashboard that
is listed in the Show Dashboard list is displayed. The dashboard that you deleted is no
longer displayed in the Show Dashboard list.
To delete a dashboard:
1. Click the Dashboard tab.
2. From the Show Dashboard list, select the dashboard that you want to delete.
3. On t