License:
This document and the software described in this document were developed using the NetIQ Plug-in SDK; see the Novell Developer License Agreement for terms of use. http://www.novell.com/developer/novell_developer_license_agreement.html

Download Pulse-Secure_Connect-and-Policy_2011.1r2-201703271631-nklasen.clz_.zip

Overview

There is an existing Sentinel Collector for VPN and Access Control devices which dates back to 2015. That whole product line has since been sold to Pulse Secure.

This collector now supports the current versions of these products:

  • Pulse Secure Pulse Connect Secure 8.2 (SA image)
  • Pulse Secure Pulse Policy Secure 5.x (IC image)

These software images can be run on different appliances:

  • Pulse Secure PSA Series
  • Juniper Networks MAG Series
  • Virtual Machines

Configuration


Creating custom filter and format for Sentinel

Pulse Secure offers standard, WELF, W3C and custom log formats. The msg variable can contain both single and double quote characters, and these are not escaped when the log message is formatted, so neither ' nor " can be used as the quote character. This collector therefore uses ¦ (U+00A6, Broken Bar) as the quote character in a custom format.

  1. Go to System > Log/Monitoring > Events > Filters.
  2. Click the New Filter button.
  3. Enter Sentinel as the Filter Name.
  4. In the Export Format section, select the Custom option.
  5. Enter the following string in the Format field. Use type=NETM for Pulse Policy Secure and type=VPN for Pulse Connect Secure; this value sets the ObserverCategory (rv32) and ProductName (pn) event fields.
    PulseSecure_id=¦%id%¦ date=¦%date%¦ time=¦%time%¦ severity=¦%severity%¦ node=¦%node%¦ sourceip=¦%sourceip%¦ user=¦%user%¦ realm=¦%realm%¦ role=¦%role%¦ locIp=¦%localip%¦ protocol=¦%protocol%¦ remport=¦%port%¦ result=¦%result%¦ method=¦%method%¦ remip=¦%remoteip%¦ remHost=¦%remotehost%¦ srcport=¦%srcport%¦ type=NETM arg=¦%uri%¦ sent=¦%sbytes%¦ rcvd=¦%rbytes%¦ agent=¦%userAgent%¦ duration=¦%duration%¦ msg=¦%msg%¦
    NOTE: The format string above must be pasted into the device as a single line.
  6. Click the Save button.
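As an added example (not code from the collector, from Pulse Secure, or from the original page), the following Node.js script parses a syslog line written in the custom format above. It shows why the ¦ quote character matters (the first sample msg carries an unescaped ' and " side by side), why the parser must accept both ¦quoted¦ and bare values (type=NETM is written without quotes), how type=NETM/VPN feeds ObserverCategory and ProductName, and how an event-specific msg parser keyed by message id can fail without losing the header fields. The message ids AUT00001 and WEB00002, the sample lines, and every field name other than ObserverCategory, ProductName and VendorOutcomeCode are constructed for this example.

```javascript
'use strict';
// Added example, not code from the collector or from Pulse Secure: parses a
// syslog line in the custom Sentinel format defined above and maps it onto
// event fields. Apart from ObserverCategory, ProductName and VendorOutcomeCode
// (named on the page) the target field names are placeholders for this example.

// Splits one line into name/value pairs. Values are either ¦quoted¦ or bare
// (the format writes type=NETM / type=VPN without quotes). Empty ¦¦ values
// come back as ''. Assumption: Pulse Secure never emits the Broken Bar (U+00A6)
// inside a value, which is why it works as a quote character while ' and " do not.
function parseCustomFormat(line) {
  if (!line.startsWith('PulseSecure_id=')) return null; // not this format
  const nvp = /([A-Za-z_][A-Za-z0-9_]*)=(?:\u00A6([^\u00A6]*)\u00A6|(\S*))/g;
  const fields = {};
  let m;
  while ((m = nvp.exec(line)) !== null) {
    fields[m[1]] = m[2] !== undefined ? m[2] : m[3];
  }
  return fields;
}

// type=NETM is configured for Pulse Policy Secure, type=VPN for Pulse Connect
// Secure; the value feeds ObserverCategory (rv32) and ProductName (pn).
const PRODUCT_BY_TYPE = {
  NETM: 'Pulse Policy Secure',
  VPN: 'Pulse Connect Secure',
};

// Event-specific parsers for the free-text msg, keyed by message id, in the
// spirit of the collector's Record.prototype["parse-XXXNNNNN"] hook. The id
// AUT00001, its message layout and the extracted fields are constructed here.
const msgParsers = {
  AUT00001: function (msg) {
    const m = /^Primary authentication successful for (\S+)\/(\S+) from (\S+)/.exec(msg);
    if (!m) throw new Error('AUT00001: msg does not match the expected layout');
    return { TargetUserName: m[1], TargetRealm: m[2] };
  },
};

function toEvent(line) {
  const f = parseCustomFormat(line);
  if (f === null) return null;
  const evt = {
    MessageId: f.PulseSecure_id,
    ObserverCategory: f.type,
    ProductName: PRODUCT_BY_TYPE[f.type] || 'Pulse Secure',
    VendorOutcomeCode: f.result,                     // result variable
    InitiatorUserName: f.user,
    InitiatorIP: f.sourceip,
    InitiatorRoles: f.role ? f.role.split(',') : [],  // initiator's roles, not the target's
    BytesSent: f.sent ? Number(f.sent) : null,        // %sbytes%
    BytesReceived: f.rcvd ? Number(f.rcvd) : null,    // %rbytes%
    Message: f.msg,
  };
  // Header fields are already set; a failing msg parser only adds a warning.
  const parseMsg = msgParsers[f.PulseSecure_id];
  if (parseMsg) {
    try {
      Object.assign(evt, parseMsg(f.msg));
    } catch (e) {
      evt.ParseWarning = e.message;
    }
  }
  return evt;
}

// Constructed sample lines (not captured from a device). The first msg carries
// both a single and a double quote, which the ¦ quoting tolerates unescaped.
const SAMPLE_LINES = [
  `PulseSecure_id=¦AUT00001¦ date=¦2017/06/05¦ time=¦14:11:02¦ severity=¦INFO¦ node=¦pcs01¦ sourceip=¦203.0.113.10¦ user=¦jdoe¦ realm=¦Users¦ role=¦Employees,Remote¦ locIp=¦¦ protocol=¦¦ remport=¦¦ result=¦¦ method=¦¦ remip=¦¦ remHost=¦¦ srcport=¦¦ type=VPN arg=¦¦ sent=¦¦ rcvd=¦¦ agent=¦¦ duration=¦¦ msg=¦Primary authentication successful for jdoe/Users from 203.0.113.10 using "Bob's Laptop"¦`,
  `PulseSecure_id=¦AUT00001¦ date=¦2017/06/05¦ time=¦14:12:30¦ severity=¦INFO¦ node=¦pcs01¦ sourceip=¦203.0.113.11¦ user=¦asmith¦ realm=¦Users¦ role=¦¦ locIp=¦¦ protocol=¦¦ remport=¦¦ result=¦¦ method=¦¦ remip=¦¦ remHost=¦¦ srcport=¦¦ type=VPN arg=¦¦ sent=¦¦ rcvd=¦¦ agent=¦¦ duration=¦¦ msg=¦Unexpected wording the AUT00001 parser does not recognise¦`,
  `PulseSecure_id=¦WEB00002¦ date=¦2017/06/05¦ time=¦14:15:00¦ severity=¦INFO¦ node=¦pps01¦ sourceip=¦203.0.113.12¦ user=¦jdoe¦ realm=¦Users¦ role=¦Employees¦ locIp=¦192.0.2.1¦ protocol=¦tcp¦ remport=¦443¦ result=¦200¦ method=¦GET¦ remip=¦192.0.2.20¦ remHost=¦intranet¦ srcport=¦51234¦ type=NETM arg=¦/index.html¦ sent=¦1024¦ rcvd=¦2048¦ agent=¦Mozilla/5.0¦ duration=¦3¦ msg=¦WebRequest ok¦`,
];

// Print the mapped events when run directly: node parse_pulse.js
SAMPLE_LINES.forEach((l) => console.log(JSON.stringify(toEvent(l))));
```

The regex alternation is the heart of it: a value is either everything between two Broken Bars (so quotes, spaces and even key=value text inside msg are consumed as one token) or, for the unquoted type field, a run of non-whitespace. The second sample line deliberately carries a msg the AUT00001 parser does not understand; the event still has its node, user and source IP, and only a ParseWarning records the body failure.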

Configure Pulse Secure to send event data to Sentinel

  1. Go to System > Log/Monitoring > Events > Settings.
  2. In the Syslog Servers section, enter the server name or IP address.
  3. Choose any Facility; the syslog facility is not interpreted by this collector.
  4. Choose a transport protocol under Type.
  5. Choose the Sentinel filter created earlier.
  6. Click the Add button.
  7. Click the Save Changes button.
  8. Repeat steps 1 to 7 for the User Access, Admin Access and Sensors logs; in step 1, after System > Log/Monitoring, click the respective log (User Access, Admin Access or Sensors) instead of Events.

Release Notes


2011.1r2

  • Added support for Guest Administration events. Set the new Guest Realm parameter accordingly.
  • Changed the custom log format. Since the msg variable can contain both single and double quote characters that are not properly escaped when formatting log messages, they can't be used as quote characters. This collector now uses ¦ (U+00A6, Broken Bar) as the quote character in a custom format. You must therefore update your custom log format as described under Configuring Syslog.
  • The collector was updated to handle the duration, rbytes, sbytes, uri, and useragent variables.
  • The result code of the transaction (result variable) is now stored in VendorOutcomeCode.
  • The collector keeps fields that were parsed from headers if parsing the message body or certain details fails later.
  • The roles variable holds a comma-separated list of the initiator's roles, not the target's. Assigning its first value to TargetTrustName has therefore been removed.
  • The collector no longer blindly tries to parse anything that looks remotely like an IP address or DNS name from the msg variable. Data can be parsed from the msg variable by supplying an event-specific Record.prototype["parse-XXXNNNNN"] function.
  • The collector was updated to use the native DataTime and NVPParser parsers.
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

Norbert Klasen
Jun 5, 2017
2:11 pm