Custom parsing rules for Juniper MAG (partial) 7.4.X
We are running some Juniper MAG (MAG-SM360, 7.4RXX) for SSL VPN, sending SYSLOG events to the SIEM using WELF format (not the standard one).
We selected WELF as it's easier to write regex.
Although this product is listed as fully supported, I discovered the default ASP rules are not parsing these events correctly, or are just discarding some useful information (like the assigned internal address or hostname, for example). I tried to "fix" them but realized it would take too much time.
Instead, I have created custom rules from scratch for the most common events:
Juniper - NWC30993: Closed connection.
Juniper - NWC30477: VPN Tunneling: User connected with SSL transport mode.
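As an added illustration of the kind of parsing the post describes (this is example code, not the author's ASP rules and not Juniper's log format documentation), the block below tokenizes WELF-style `key=value` syslog lines, pulls the NWC message ID out of the `msg` field, and pairs the NWC30477 connect event with the matching NWC30993 close event per user so that the assigned internal address and hostname from the connect event are kept with the session. The two sample lines are constructed, and the field names (`assigned_ip`, `host`, `user`, `src`, `time`) are assumptions about what the appliance emits, not values taken from a real MAG.

```python
import re

# Constructed WELF-style sample lines; field names are assumed, not real Juniper output.
SAMPLE_LINES = [
    'id=sslvpn time="2024-01-01 10:00:00" fw=vpn-gw pri=6 '
    'msg="NWC30477: VPN Tunneling: User connected with SSL transport mode" '
    'user=jdoe src=203.0.113.5 assigned_ip=10.8.0.23 host=LAPTOP-01',
    'id=sslvpn time="2024-01-01 11:30:00" fw=vpn-gw pri=6 '
    'msg="NWC30993: Closed connection" user=jdoe src=203.0.113.5 duration=5400',
]

# WELF token: key=value, where a value containing spaces is double-quoted.
WELF_TOKEN = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Leading "NWCnnnnn:" message identifier inside the msg field.
MSG_ID = re.compile(r'^(NWC\d+):\s*(.*)$')

# Message IDs mentioned in the post, mapped to an event kind used for correlation.
KNOWN_EVENTS = {
    "NWC30477": "vpn_connect",
    "NWC30993": "connection_closed",
}


def parse_welf(line):
    """Return a dict of key -> value for one WELF line (quotes stripped)."""
    fields = {}
    for m in WELF_TOKEN.finditer(line):
        key = m.group(1)
        value = m.group(3) if m.group(3) is not None else m.group(2)
        fields[key] = value
    return fields


def parse_event(line):
    """Parse one line and split the NWC message ID from the message text."""
    event = parse_welf(line)
    m = MSG_ID.match(event.get("msg", ""))
    event["event_id"] = m.group(1) if m else None
    event["event_text"] = m.group(2) if m else event.get("msg")
    return event


def parse_events(lines):
    return [parse_event(line) for line in lines]


def correlate_sessions(events):
    """Pair connect/close events per user; the close line alone lacks the assigned
    address, so the session record carries it over from the connect line."""
    open_sessions = {}
    sessions = []
    for ev in events:
        kind = KNOWN_EVENTS.get(ev.get("event_id"))
        user = ev.get("user")
        if kind == "vpn_connect":
            open_sessions[user] = ev
        elif kind == "connection_closed" and user in open_sessions:
            start = open_sessions.pop(user)
            sessions.append({
                "user": user,
                "src": start.get("src"),
                "assigned_ip": start.get("assigned_ip"),
                "host": start.get("host"),
                "start": start.get("time"),
                "end": ev.get("time"),
            })
    return sessions


if __name__ == "__main__":
    for s in correlate_sessions(parse_events(SAMPLE_LINES)):
        print(s)
```

The correlation step is the part a SIEM rule set tends to need: the close event on its own has no assigned address, so an alert built only on NWC30993 cannot say which internal IP the user held unless the connect event's fields were kept.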