There is an existing Sentinel Collector for VPN and Access Control devices which dates back to 2015. This whole product line has been sold to Pulse Secure in the meantime.
This collector now supports the current version of these products:
- Pulse Secure Pulse Connect Secure 8.2 (SA image)
- Pulse Secure Pulse Policy Secure 5.x (IC image)
These software images can be run on different appliances:
- Pulse Secure PSA Series
- Juniper Networks MAG Series
- Virtual Machines
Creating custom filter and format for Sentinel
Pulse Secure includes standard, WELF, W3C and custom formats. Since the msg variable can contain both single and double quote characters that are not properly escaped when formatting log messages, they can't be used as quote characters. This collector therefore uses ¦ (U+00A6, Broken Bar) as the quote character in a custom format.
- Go to System > Log/Monitoring > Events > Filters.
- Click New Filter Button.
- Enter Sentinel as Filter Name.
- Go to Export Format Section, select the Custom option.
- Enter the following string in the Format field. For Pulse Policy Secure use type=NETM, for Pulse Connect Secure use type=VPN. This value is used to set the ObserverCategory (rv32) and the ProductName (pn).
PulseSecure_id=¦%id%¦ date=¦%date%¦ time=¦%time%¦ severity=¦%severity%¦ node=¦%node%¦ sourceip=¦%sourceip%¦ user=¦%user%¦ realm=¦%realm%¦ role=¦%role%¦ locIp=¦%localip%¦ protocol=¦%protocol%¦ remport=¦%port%¦ result=¦%result%¦ method=¦%method%¦ remip=¦%remoteip%¦ remHost=¦%remotehost%¦ srcport=¦%srcport%¦ type=NETM arg=¦%uri%¦ sent=¦%sbytes%¦ rcvd=¦%rbytes%¦ agent=¦%userAgent%¦ duration=¦%duration%¦ msg=¦%msg%¦
NOTE: The above filter string must be copied into the device as a single line.
- Click Save Button.
Configure Pulse Secure to send event data to Sentinel
- Go to System > Log/Monitoring > Events > Settings.
- In the Syslog Servers section, enter the server name/IP.
- Choose any Facility. The syslog facility is not interpreted by this collector.
- Choose a transport protocol under Type.
- Choose the custom Filter created earlier.
- Click Add button.
- Click Save Changes button.
- Repeat steps 1 to 7 above for the User Access, Admin Access and Sensors logs. In step 1, after System > Log/Monitoring, click on the respective log (User Access, Admin Access or Sensors).
- Added support for Guest Administration events. Set the new Guest Realm parameter accordingly.
- Changed custom log format. Since the msg variable can contain both single and double quote characters that are not properly escaped when formatting log messages, they can't be used as quote characters. This collector now uses ¦ (U+00A6, Broken Bar) as the quote character in a custom format. You must therefore update your custom log format according to Configuring Syslog.
- The collector was updated to handle the duration, rbytes, sbytes, uri, and userAgent variables.
- The Result code of transaction (result variable) is now stored in VendorOutcomeCode.
- The collector keeps fields that were parsed from headers if parsing the message body or certain details fails later.
- The roles variable holds a comma separated list of the initiator’s roles – not the target’s. Assigning its first value to TargetTrustName has therefore been removed.
- The collector no longer blindly tries to parse anything that looks remotely like an IP address or DNS name from the msg variable. Parsing data from the msg variable can be done by supplying an event-specific Record.prototype["parse-XXXNNNNN"] function.
- The collector was updated to use the native DataTime and NVPParser parsers.
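The following is an added example, not code from this collector or from Pulse Secure, that ties together two points on this page: the custom filter format from "Creating custom filter and format for Sentinel", where every value is quoted with ¦ (U+00A6) because msg can carry both ' and " unescaped, and the changelog note that msg is only parsed by an event-specific Record.prototype["parse-XXXNNNNN"] function. It parses a constructed sample line, maps type to ObserverCategory and ProductName, stores result as VendorOutcomeCode, treats role as the initiator's role list, and keeps the header fields when the event-specific body parse fails. The Record shape, the ProductName strings, the event id AUT00001, the msg text and the field names other than those the page mentions are assumptions for this example.

```javascript
// Added example (not the collector's own code): parse the custom ¦-quoted
// Sentinel format and dispatch msg parsing by event id.

const QUOTE = "\u00A6"; // Broken Bar, the quote character of the custom format

// Constructed sample line in the custom format (type=VPN, Pulse Connect
// Secure). The msg value deliberately contains both " and ' characters.
const SAMPLE_LINE =
  "PulseSecure_id=¦AUT00001¦ date=¦2016/03/01¦ time=¦10:15:42¦ " +
  "severity=¦INFO¦ node=¦pcs1¦ sourceip=¦203.0.113.5¦ user=¦jdoe¦ " +
  "realm=¦Users¦ role=¦Users,Contractors¦ locIp=¦192.0.2.1¦ protocol=¦¦ " +
  "remport=¦¦ result=¦0¦ method=¦¦ remip=¦¦ remHost=¦¦ srcport=¦¦ type=VPN " +
  "arg=¦¦ sent=¦0¦ rcvd=¦0¦ agent=¦Pulse-Secure/5.2¦ duration=¦¦ " +
  "msg=¦Login succeeded for jdoe/Users from \"203.0.113.5\" (client 'Pulse')¦";

// Constructed second line with the same event id but a msg layout the
// event-specific parser does not expect, to show header fields are kept.
const SAMPLE_LINE_BAD =
  "PulseSecure_id=¦AUT00001¦ date=¦2016/03/01¦ time=¦10:16:07¦ " +
  "severity=¦INFO¦ node=¦pcs1¦ sourceip=¦203.0.113.5¦ user=¦jdoe¦ " +
  "realm=¦Users¦ role=¦Users¦ result=¦1¦ type=VPN " +
  "msg=¦Login failed for jdoe/Users: invalid password¦";

// Split "key=¦value¦" and bare "key=value" pairs separated by spaces. A quoted
// value runs to the next ¦, so spaces, '=' and both ASCII quote characters
// inside msg cannot break the field boundaries.
function parseNvp(line) {
  const re = new RegExp(
    "(\\w+)=(?:" + QUOTE + "([^" + QUOTE + "]*)" + QUOTE + "|(\\S*))", "g");
  const fields = {};
  let m;
  while ((m = re.exec(line)) !== null) {
    fields[m[1]] = m[2] !== undefined ? m[2] : m[3];
  }
  return fields;
}

// type=NETM / type=VPN drives ObserverCategory (rv32) and ProductName (pn),
// as the page states; the ProductName strings here are assumed.
const PRODUCTS = {
  NETM: "Pulse Policy Secure",
  VPN: "Pulse Connect Secure",
};

// Event-specific msg parsers keyed like Record.prototype["parse-XXXNNNNN"].
// AUT00001 and its msg layout are constructed for this example.
const MSG_PARSERS = {
  "parse-AUT00001": function (rec) {
    const m = /^Login succeeded for (\S+)\/(\S+) from "([^"]+)"/.exec(rec.msg);
    if (!m) throw new Error("unexpected msg layout for AUT00001");
    rec.InitiatorUserName = m[1];
    rec.InitiatorUserDomain = m[2];
    rec.SourceIP = m[3];
  },
};

// Build a record from one line: header fields first, then the optional
// event-specific body parse. Header fields survive a failed body parse.
function parseLine(line) {
  const f = parseNvp(line);
  const rec = {
    EventId: f.PulseSecure_id,
    ObserverCategory: f.type,
    ProductName: PRODUCTS[f.type] || "Pulse Secure",
    VendorOutcomeCode: f.result,              // result code of the transaction
    InitiatorRoles: f.role ? f.role.split(",") : [], // initiator's roles, not target's
    Severity: f.severity,
    msg: f.msg,
    parsedMsg: false,
  };
  const fn = MSG_PARSERS["parse-" + f.PulseSecure_id];
  if (fn) {
    try {
      fn(rec);
      rec.parsedMsg = true;
    } catch (e) {
      rec.parseError = e.message; // keep what the header gave us
    }
  }
  return rec;
}

console.log(JSON.stringify(parseLine(SAMPLE_LINE), null, 2));
console.log(JSON.stringify(parseLine(SAMPLE_LINE_BAD), null, 2));
```

The regular expression in parseNvp never looks inside a quoted value, which is the whole reason for choosing a quote character that Pulse Secure does not emit in msg; if the device were left on the default double-quote format, a single stray `"` in msg would shift every field after it.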