Custom parsing rules for Juniper MAG (partial) 7.4.X
We are running some Juniper MAG (MAG-SM360, 7.4RXX) for SSL VPN, sending SYSLOG events to the SIEM using WELF format (not the standard one).
We selected WELF as it's easier to write regex.
Although this product is listed as fully supported, I discovered the default ASP rules are not parsing these events correctly, or are just discarding some useful information (like the assigned internal address or the hostname, for example). I tried to "fix" them but realized it would take too much time.
Instead, I have created custom rules from scratch for the most common events:
Juniper - NWC30993: Closed connection.
Juniper - NWC30477: VPN Tunneling: User connected with SSL transport mode.
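To show what a from-scratch rule for these WELF events has to do, here is an added Python example (not the poster's rules and not anything shipped by the SIEM vendor): it splits a WELF line into key=value fields and then applies a per-event-ID regex to the msg= text to recover the assigned internal address that the default rules drop. The sample syslog lines are constructed, and the exact wording of the NWC30477 and NWC30993 messages, as well as the field list (id, time, pri, fw, vpn, user, realm, roles, src, dst, dstname, type, op, arg, result, sent, rcvd, agent, duration, msg), are assumptions about the Juniper WELF layout, not verified appliance output.

```python
"""Parse Juniper MAG (IVE) WELF-formatted syslog lines and pull per-event fields.

Added example, not the original poster's custom rules. Sample lines are
constructed; the message texts and field names are assumptions.
"""
import re
from typing import Dict, Optional, Union

# One WELF token: key=value where value is either double-quoted (may contain
# spaces and backslash-escaped quotes) or a bare run of non-space characters
# (possibly empty, e.g. "proto=" with no value).
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s]*)')

# WELF payload starts at the first "id=" token; anything before it is the
# syslog header (PRI, timestamp, host) and is ignored.
_WELF_START_RE = re.compile(r'\bid=')

# msg= values on the IVE start with the event identifier, e.g. "NWC30477: ..."
_MSG_ID_RE = re.compile(r'^(?P<event_id>[A-Z]{3}\d{5}):\s*(?P<text>.*)$')

_IPV4 = r'\d{1,3}(?:\.\d{1,3}){3}'

# Per-event regexes run against the text after the event ID. The wording is an
# assumption about the appliance's message format (constructed for this example).
_EVENT_RES = {
    "NWC30477": re.compile(
        r'User with IP (?P<assigned_ip>' + _IPV4 + r') connected with '
        r'(?P<transport>\w+) transport mode'),
    "NWC30993": re.compile(
        r'Closed connection to (?P<assigned_ip>' + _IPV4 + r') after '
        r'(?P<duration>\d+) seconds, with (?P<bytes_read>\d+) bytes read and '
        r'(?P<bytes_written>\d+) bytes written'),
}

# Constructed sample syslog lines (not captured from a real MAG-SM360).
SAMPLE_LINES = [
    '<134>Feb 12 10:22:31 mag-sm360 id=firewall time="2013-02-12 10:22:31" pri=6 '
    'fw=192.0.2.10 vpn=ive user=jdoe realm="Users" roles="Users" proto= '
    'src=203.0.113.45 dst= dstname= type=vpn op= arg="" result= sent= rcvd= '
    'agent="" duration= msg="NWC30477: VPN Tunneling: User with IP 10.200.1.17 '
    'connected with SSL transport mode."',
    '<134>Feb 12 11:22:31 mag-sm360 id=firewall time="2013-02-12 11:22:31" pri=6 '
    'fw=192.0.2.10 vpn=ive user=jdoe realm="Users" roles="Users" proto= '
    'src=203.0.113.45 dst= dstname= type=vpn op= arg="" result= sent= rcvd= '
    'agent="" duration= msg="NWC30993: Closed connection to 10.200.1.17 after '
    '3600 seconds, with 12345 bytes read and 67890 bytes written."',
]


def parse_welf(line: str) -> Dict[str, str]:
    """Return the WELF key=value pairs of a syslog line as a dict (quotes stripped)."""
    m = _WELF_START_RE.search(line)
    if m is None:
        raise ValueError("not a WELF line: no id= field")
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line[m.start():]):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def parse_event(line: str) -> Optional[Dict[str, Union[str, int]]]:
    """Parse one line into a normalized event; None if msg= carries no event ID.

    Common WELF fields are copied through; the per-event regex adds the
    assigned internal address and the other values embedded in the message.
    """
    fields = parse_welf(line)
    m = _MSG_ID_RE.match(fields.get("msg", ""))
    if m is None:
        return None
    event_id = m.group("event_id")
    event: Dict[str, Union[str, int]] = {
        "event_id": event_id,
        "time": fields.get("time", ""),
        "fw": fields.get("fw", ""),
        "user": fields.get("user", ""),
        "realm": fields.get("realm", ""),
        "src": fields.get("src", ""),
    }
    rx = _EVENT_RES.get(event_id)
    if rx is not None:
        mm = rx.search(m.group("text"))
        if mm is not None:
            for key, val in mm.groupdict().items():
                event[key] = int(val) if val.isdigit() else val
    return event


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_event(sample))
```

Unknown event IDs still come back with the common fields (time, fw, user, realm, src) so nothing is dropped; only the msg-specific extraction is skipped. Empty bare values such as proto= parse to empty strings rather than breaking the tokenizer, which is the case that trips up naive split-on-space approaches.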