Hello Sentinel gurus!

I've been having this long-running problem whereby records coming into
Sentinel 7.1 from a standard Juniper IDP Series 6.1r1 collector are not
parsing. For example, some of these records have a severity listed as
Major, but within Sentinel every event is listed as having severity of

[image: http://i58.tinypic.com/mr2vra.png]

If the above picture does not show, try http://tinypic.com/r/mr2vra/8

According to the 'Collector plugin documentation'
(http://tinyurl.com/n2k56e4) (with which I'm now very familiar), the
collector should be parsing the data for the IDP Series 3.x, 4.x and 5.x
log, like:

> 20090521-678 2009/05/21 12:50:58
> devlab-start:1 IDS 9 0 0
> 0 UDP ATTACK-IDP_ATTACK_MATCH NONE 1242910258,49662 no no no HIGH no no
> no no

OR via NSM output (we are not using this method):
> 20091126, 440, 2009/11/26 06:31:27, 2009/11/26 06:29:38, global, 0,
> juniper-idp,
>, predefined, WORM:SLAMMER:INFECT-ATTEMPT, (NULL), eth1,
>, 2822,
>, 0, (NULL), (NULL),, 1434,, 0, udp,
> SYSTEM, 0, Recommended,
> idp, 9, 0, dismiss, major, no, 'interface=eth1', (NULL), (NULL), (NULL),
> 0, 0, 0, 0, 0, 0, 0,
> 0, no, 31, Not Set

The raw log files as stored within Sentinel all look like this:
> {"s_AppId":"Jnpr","i_syslog_priority":"26","CONNECTION_METHOD":"SYSLOG","i_Hour":"15","i_RXBufferLength":"821","CONNECTION_MODE":"map","s_Process":null,"s_RV25":"7A12A0F0-0659-1032-94DF-005056A87CFA","s_RV24":"3237CDB0-0649-1032-9AA7-1BC602F73627","i_Type":"2","i_Second":"15","s_RV23":"3237CDB0-0649-1032-9873-1BC602F73627","s_RV22":"3237CDB0-0649-1032-984E-1BC602F73627","s_Version":"2011.1r3","s_RXBufferString":"Aug
> 15 15:58:15 Jnpr Syslog 10365 1 [syslog@juniper.net
> dayId=\"20140815\" recordId=\"6\" timeRecv=\"2014\/08\/15 15:58:15\"
> timeGen=\"2014\/08\/15 15:58:14\" domain=\"\" devDomVer2=\"0\"
> device_ip=\"\" cat=\"Predefined\"
> attack=\"DB:MYSQL:MAXDB-GET-OF\" srcZn=\"NULL\" srcIntf=\"\u0005eth3\"
> srcAddr=\"[-removed-]\" srcPort=\"51952\" natSrcAddr=\"NULL\"
> natSrcPort=\"0\" dstZn=\"NULL\" dstIntf=\"NULL\" dstAddr=\"[-removed-]\"
> dstPort=\"80\" natDstAddr=\"NULL\" natDstPort=\"0\" protocol=\"TCP\"
> ruleDomain=\"\" ruleVer=\"501\" policy=\"[-removed-]\" rulebase=\"IDS\"
> ruleNo=\"10\" action=\"NONE\" severity=\"MAJOR\" alert=\"no\"
> elaspedTime=\"0\" inbytes=\"0\" outbytes=\"0\" totBytes=\"0\"
> inPak=\"0\" outPak=\"0\" totPak=\"0\" repCount=\"0\" packetData=\"yes\"
> varEnum=\"31\" misc=\"'interface=eth3','vlan-id=3' [Simulation Mode]\"
> user=\"NULL\" app=\"NULL\" uri=\"NULL\"]

The 'Juniper IDP Series 5.1 Admin Guide' (http://tinyurl.com/mzf95do)
shows an example syslog output record which matches up with what the
s_RXBufferString data looks like, so I feel that the records coming from
the IDP syslog and into the collector are correct.

Does anyone have any experience with this? We've tried all sorts of
things short of downloading Eclipse and the Collector SDK (we are not
developers) but nothing seems to make any difference to how this data
looks once it's presented in Sentinel.

Thanks in advance.

jasonpwalker's Profile: https://forums.netiq.com/member.php?userid=7988
View this thread: https://forums.netiq.com/showthread.php?t=51703