Juniper SA (ive)

fisk12 — Sun, 16 Jan 2011 21:28:48 GMT

Is anyone having splunk monitoring their juniper secure access machines? And if so, can can you tell me some about how you have done it?

Re: Juniper SA (ive)

jaoui — Mon, 17 Oct 2011 22:43:43 GMT

have you had any luck? I'm just starting to try to pull information out of our IVE's logs

Re: Juniper SA (ive)

jaoui — Mon, 28 Sep 2020 09:59:46 GMT

Hey, I started working through this one and so far I have this for one of my searches:

("Login succeeded" OR "Logout from" OR "Session timed out" OR "Max session timeout" OR "Remote address for user") | rex field=_raw "[(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})]\s+(?\w+)((?[^)]+))[(?[^]]*)" | rex field=_raw "(session:(?[^)]+))" | transaction user src keepevicted=true startswith="Login succeeded" endswith=("Session timed out" OR "Logout from" OR "Max session timeout" OR "Remote address for user") | search NOT ("Logout from" OR "Session timed out" OR "Max session timeout" OR "Remote address for user") | eval user = lower(user) | table _time user realm src sessionid host | sort user

this is starting to give me a printout of the currently logged in users. I have to tweak it a bit cuz i think it's not catching some logout/login conditions but here it is if it helps anyone else

topic Re: Juniper SA (ive) in Getting Data In

Juniper SA (ive)

Re: Juniper SA (ive)

Re: Juniper SA (ive)