Juniper JSA Series Virtual Appliance User guide

Category
Software
Type
User guide

This manual is also suitable for

Juniper Secure Analytics WinCollect User Guide
Published
2021-05-30
RELEASE
7.4.2
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc.
in the United States and other countries. All other trademarks, service marks, registered marks, or registered service
marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right
to change, modify, transfer, or otherwise revise this publication without notice.
Juniper Secure Analytics WinCollect User Guide
7.4.2
Copyright © 2021 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related
limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use
with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License
Agreement ("EULA") posted at https://support.juniper.net/support/eula/. By downloading, installing or using such
software, you agree to the terms and conditions of that EULA.
Table of Contents
About This Guide | vii
1
What's New in WinCollect
What's New in WinCollect | 2
2
WinCollect Overview
WinCollect Overview | 5
MSEVEN6 Protocol | 11
3
Installation Prerequisites for WinCollect
Installation Prerequisites for WinCollect | 13
Communication Between WinCollect Agents and JSA | 15
Hardware and Software Requirements for the WinCollect Host | 18
Prerequisites for Upgrading WinCollect Agents | 22
4
WinCollect Installations
WinCollect Installations | 25
Installing and Upgrading the WinCollect Application on JSA Appliances | 26
Creating an Authentication Token for WinCollect Agents | 29
Adding Multiple Destinations to WinCollect Agents | 30
Migrating WinCollect Agents After a JSA Hardware Upgrade | 31
Stand-alone Deployments and WinCollect Configuration Console | 32
WinCollect Configuration Console Overview | 32
Installing the Configuration Console | 34
Silently Installing, Upgrading, and Uninstalling WinCollect Software | 36
Setting an XPath Parameter During Automated Installation | 36
Migrating from Adaptive Log Exporter to WinCollect | 38
Installing the WinCollect Agent on a Windows Host | 39
Installing a WinCollect Agent from the Command Prompt | 45
Uninstalling a WinCollect Agent from the Command Prompt | 53
Uninstalling a WinCollect Agent from the Control Panel | 53
5
Configuring WinCollect Agents After Installation
Configuring WinCollect Agents After Installation | 57
Manually Adding a WinCollect Agent | 58
Deleting a WinCollect Agent | 60
WinCollect Destinations | 60
Adding Custom Entries to WinCollect Status Messages | 64
Forwarding Events Identifier | 65
Configuring Stand-alone WinCollect Agents with the Configuration Console | 65
Creating a WinCollect Credential | 66
Adding a Destination to the WinCollect Configuration Console | 66
Configuring a Destination with TLS in the WinCollect Configuration Console | 68
Adding a Device to the WinCollect Configuration Console | 69
Sending Encrypted Events to JSA | 69
Increasing UDP Payload Size | 70
Include Milliseconds in Event Log Timestamp | 71
Collecting Local Windows Logs | 71
Collecting Remote Windows Logs | 72
Changing Configuration with Templates in a Stand-alone Deployment | 73
Configuration Options for Systems with Restricted Policies for Domain Controller Credentials | 78
6
Log Sources for WinCollect Agents
Log Sources for WinCollect Agents | 86
Windows Event Logs | 86
Microsoft DHCP Log Source Configuration Options | 99
Microsoft Exchange Server Log Source Configuration Options | 100
DNS Debug Log Source Configuration Options | 103
Collecting DNS Analytic Logs by Using XPath | 106
File Forwarder Log Source Configuration Options | 107
Microsoft IAS Log Source Configuration Options | 110
WinCollect Microsoft IIS Log Source Configuration Options | 112
Microsoft ISA Log Configuration Options | 115
Juniper Steel-Belted Radius Log Source Configuration Options | 120
Microsoft SQL Server Log Source Configuration Options | 121
NetApp Data ONTAP Configuration Options | 126
Configuring a TLS Log Source | 128
Adding a Log Source to a WinCollect Agent | 129
Bulk Log Sources for Remote Event Collection | 130
7
Troubleshooting
Troubleshooting | 134
Common Problems | 135
Replacing the Default Certificate in JSA Generates Invalid PEM Errors | 135
The Statistics Subsystem | 137
Event ID 1003 Splits the Message in JSA | 137
WinCollect Files are Not Restored During a Configuration Restore | 139
Windows 10 (1803) Cannot Read the Security Bookmark File | 139
Resolving Log Source Error After WinCollect Update | 140
WinCollect Log File | 141
About This Guide
Use this guide to understand how you can use JSA to manage and collect Windows-based events.
1
CHAPTER
What's New in WinCollect
What's New in WinCollect | 2
What's New in WinCollect
IN THIS SECTION
What's new in 7.3.0 | 2
What's new in 7.2.9 | 3
WinCollect
WinCollect is a Syslog event forwarder that administrators can use to forward events from Windows
logs to JSA. WinCollect can collect events from systems locally or be configured to remotely poll other
Windows systems for events.
Learn about the new features in each WinCollect release.
What's new in 7.3.0
NOTE: WinCollect 7.3.0 can only be installed on JSA 7.3.3 or later.
WinCollect 7.3.0 includes the following capabilities:
• You can set the Status Server setting to Disabled to send only a heartbeat without status messages,
or set the value to None if you don't want to send a heartbeat or status messages.
• You can add a secondary destination to receive events from your WinCollect agents if the primary
destination fails.
NOTE: This feature is available for stand-alone deployments. This will be available for
Managed agents in a future release of JSA.
What's new in 7.2.9
WinCollect 7.2.9 includes the following capabilities:
• Event Forwarding Filtering.
• Event Forwarding Sending to one log source support.
• Digitally signed installers.
• Millisecond Time format for Event Log collection.
• DHCP support for Spanish and Polish.
• CP Support for Status Messages.
• File Forwarder multi-line log support.
• Removed MMC requirement from patch installer install.
RELATED DOCUMENTATION
WinCollect Overview | 5
2
CHAPTER
WinCollect Overview
WinCollect Overview | 5
MSEVEN6 Protocol | 11
WinCollect Overview
IN THIS SECTION
How Does WinCollect Work? | 5
WinCollect Managed Deployment | 5
WinCollect Stand-alone Deployment | 7
Seng Up a Managed WinCollect Deployment | 9
Seng Up a Stand-alone WinCollect Deployment | 10
WinCollect is a Syslog event forwarder that administrators can use to forward events from Windows
logs to JSA. WinCollect can collect events from systems locally or be configured to remotely poll other
Windows systems for events.
WinCollect is one of many solutions for Windows event collection. For more information about
alternatives to WinCollect, see the Configuring DSMs Guide.
How Does WinCollect Work?
WinCollect uses the Windows Event Log API to gather events, and then WinCollect sends the events to
JSA.
WinCollect Managed Deployment
A managed WinCollect deployment has a JSA appliance that shares information with the WinCollect
agent installed on the Windows hosts that you want to monitor. The Windows host can gather
information from itself (the local host), from remote Windows hosts, or from both. Remote hosts don't
have the WinCollect software installed. The Windows host with WinCollect software installed polls the
remote hosts, and then sends event information to JSA.
Figure 1: WinCollect Managed Deployment Example
NOTE: In a managed deployment, the WinCollect agents that are installed on Windows hosts can
be managed by any JSA console, Event Collector, or Event Processor.
In a managed deployment, WinCollect is designed to work with up to 500 Windows agents per Console
and managed host. For example, if you have a deployment with a Console, an Event Processor, and an
Event Collector, each can support up to 500 Windows agents, for a total of 1,500. If you want to
monitor more than 500 Windows agents per Console or managed host, use the stand-alone WinCollect
deployment.
For more information, see "Stand-alone Deployments and WinCollect Configuration Console" on page 32.
The managed WinCollect deployment has the following capabilities:
• Central management from the JSA Console or managed host.
• Automatic local log source creation at the time of installation.
• Event storage to ensure that no events are dropped.
• Collects forwarded events from Microsoft Subscriptions.
• Filters events by using XPath queries or exclusion filters.
• Supports virtual machine installations.
• Console can send software updates to remote WinCollect agents without you reinstalling agents in
your network.
• Forwards events on a set schedule (Store and Forward).
WinCollect Stand-alone Deployment
If you need to collect Windows events from more than 500 hosts, use the stand-alone WinCollect
deployment. A stand-alone deployment is a Windows host in unmanaged mode with WinCollect
software installed. The Windows host can gather information from itself (the local host), from remote
Windows hosts, or from both. Remote hosts don't have the WinCollect software installed. The Windows
host with WinCollect software installed polls the remote hosts, and then sends event information to JSA.
To save time when you configure more than 500 Windows hosts, you can use a solution such as Juniper
Networks Endpoint Manager. Automation can help you manage stand-alone instances.
Figure 2: WinCollect Stand-alone Deployment Example
You can also deploy stand-alone WinCollect to consolidate event data on one Windows host, where
WinCollect collects events to send to JSA.
Stand-alone WinCollect mode has the following capabilities:
• You can configure each WinCollect agent by using the WinCollect Configuration Console.
• You can update WinCollect software with the software update installer.
• Event storage to ensure that no events are dropped.
• Collects forwarded events from Microsoft Subscriptions.
• Filters events by using XPath queries or exclusion filters.
• Supports virtual machine installations.
• Sends events to JSA using TLS Syslog.
• Automatically creates a local log source at the time of agent installation.
Capabilies of managed and stand-alone WinCollect deployments
Review the following table to understand which capabilies are available when using managed or
standalone WinCollect agents.
Table 1: Capabilies of managed WinCollect vs. stand-alone WinCollect
Capability Managed WinCollect Stand-alone WinCollect
Central management from
the JSA Console or managed
host.
Yes No
Automac local log source
creaon at the me of
installaon.
Yes Yes
Event storage to ensure that
no events are dropped.
Yes Yes
Collects forwarded events
from Microso
Subscripons.
Yes Yes
Filters events by using
XPath queries or exclusion
lters.
Yes Yes
Supports virtual machine
installaons
Yes Yes
8
Table 1: Capabilies of managed WinCollect vs. stand-alone WinCollect
(Connued)
Capability Managed WinCollect Stand-alone WinCollect
JSA Console can send
soware updates to
WinCollect agents.
Yes No
Forwards events on a set
schedule (Store and
Forward).
Yes No
You can congure each
WinCollect agent by using
the WinCollect
Conguraon Console.
No Yes
You can update WinCollect
soware with the soware
update installer
No Yes
Available with on-prem JSA Yes Yes
Seng Up a Managed WinCollect Deployment
For a managed deployment, follow these steps:
1. Understand the prerequisites for managed WinCollect, which ports to use, what hardware is
required, how to upgrade. For more informaon, see "Installaon Prerequisites for WinCollect" on
page 13.
2. Install the WinCollect applicaon on the JSA console that is used to monitor your Windows hosts.
For more informaon, see "Installing and Upgrading the WinCollect Applicaon on JSA Appliances"
on page 26.
3. Create an authencaon token so that the managed WinCollect agents can exchange data with JSA
appliances. For more informaon, see "Creang an Authencaon Token for WinCollect Agents" on
page 29.
9
4. Congure a forwarding desnaon host for the log source data.
5. Install managed WinCollect agents on the Windows hosts. For more informaon, see one of the
following opons:
"Installing the WinCollect Agent on a Windows Host" on page 39
"Installing a WinCollect Agent from the Command Prompt" on page 45, or
"Manually Adding a WinCollect Agent " on page 58
6. If you want to congure forwarded event or event subscripons, see Windows Event Subscripons
for WinCollect Agents..
7. If you want to use the legacy Log Source UI to bulk add log sources that will be remotely polled by a
single WinCollect agent, see "Bulk Log Sources for Remote Event Collecon" on page 130.
8. Tune your WinCollect log sources. For more informaon, see the Event Rate Tuning Prole parameter
in Windows Log Source Parameters.
9. If you want a managed WinCollect agent to send events to mulple JSA desnaons in case one
fails, see "Adding Mulple Desnaons to WinCollect Agents" on page 30.
Seng Up a Stand-alone WinCollect Deployment
For a stand-alone deployment, follow these steps:
1. Understand the prerequisites for stand-alone WinCollect, which ports to use, what hardware is
required, how to upgrade. For more informaon, see "Installaon Prerequisites for WinCollect" on
page 13.
2. Install stand-alone WinCollect agents on the Windows hosts. For more informaon, see "Installing
the WinCollect Agent on a Windows Host" on page 39.
3. If you want to add new log sources to your agent or modify exisng log sources, install the
WinCollect stand-alone conguraon console. For more informaon, see "Installing the
Conguraon Console" on page 34 or "Silently Installing, Upgrading, and Uninstalling WinCollect
Soware" on page 36.
4. Congure the desnaon where the Windows hosts send Windows events. For more informaon,
see "Creang an Authencaon Token for WinCollect Agents" on page 29.
5. If you want to use the stand-alone WinCollect agent to collect events from other devices using
remote polling, create a credenal in the WinCollect stand-alone conguraon console, so that
WinCollect can log in to the remote devices. See "Creang a WinCollect Credenal" on page 66.
10
6. If you want to add addional log sources to the stand-alone WinCollect agent, do so using the
WinCollect stand-alone conguraon console. For more informaon, see "Adding a Device to the
WinCollect Conguraon Console" on page 69.
MSEVEN6 Protocol
MSEVEN6 is a Microsoft event protocol that collects more information from an event log, such as the
task, keyword, and opcode. It also provides better message formatting than other event protocols do.
The MSEVEN protocol uses port 445. The NETBIOS ports (137 - 139) can be used for hostname
resolution. When the WinCollect agent polls a remote event log by using MSEVEN6, the initial
communication with the remote computer occurs on port 135 (dynamic port mapper), which assigns the
connection to a dynamic port. The default port range for dynamic ports is between port 49152 and port
65535, but might be different depending on the server type. For example, the default port range for
Microsoft Exchange servers is 6005 – 58321.
XPath queries always use the MSEVEN6 event protocol.
In managed mode, you can change the protocol by editing the Event Log Poll Protocol field and selecting
the desired protocol. For upgrades, depending on which version of WinCollect you are upgrading from,
the log source continues to use MSEVEN. Use the Log Source Management app to configure multiple
log sources to the desired protocol.
In a stand-alone WinCollect deployment, you can set a global Default Event Log Poll Protocol. The
default value is MSEVEN6. To configure a single Microsoft Windows Event Log device to use the global
Default Event Log Poll Protocol, select Default from the Basic Configurations page of the device.
Otherwise, select MSEVEN6 or MSEVEN to override the global Default Event Log Poll Protocol.
In a stand-alone WinCollect deployment, you can include milliseconds in the time stamp for Event Logs.
This option is only compatible with a stand-alone WinCollect deployment that uses the MSEVEN6
protocol. It is not supported by the MSEVEN protocol.
3
CHAPTER
Installaon Prerequisites for
WinCollect
Installaon Prerequisites for WinCollect | 13
Communicaon Between WinCollect Agents and JSA | 15
Hardware and Soware Requirements for the WinCollect Host | 18
Prerequisites for Upgrading WinCollect Agents | 22
Installaon Prerequisites for WinCollect
IN THIS SECTION
Supported Versions | 13
Distribuon Opons for WinCollect Agents | 13
Before you can install WinCollect agents, you must verify that your deployment meets the installaon
requirements.
Supported Versions
Administrators should be aware that supported soware versions for WinCollect is the Latest version (n)
and latest minus one (n-1). This means that the two newest versions of WinCollect are the versions for
which JSA Support will provide full support with any support ckets (cases) that are opened. Customers
using older versions of WinCollect will receive minimal, best eort, support.. To prevent issues, it is
important that administrators keep WinCollect deployments updated when new versions are posted to
hps://support.juniper.net/support/.
NOTE: WinCollectdoes not support agents installed on Windows servers that use Network
Address Translaon (NAT). If you place an Event Collector in the same NAT environment as the
managed agents, the agents can use the Event Collector as a conguraon server, status server,
and to send events. However, the Event Collector must be congured to use NAT.
Distribuon Opons for WinCollect Agents
WinCollect agents can be distributed in a remote collecon conguraon or installed on the local host.
Local collecon--The WinCollect agent collects events only for the host on which it is installed. You
can use this collecon method on a Windows host that is busy or has limited resources, for example,
domain controllers.
13