Juniper STRM 500 , 2009.1.iso  , problem " events are working and showing up, but no OFFENCES and no SURVIELLANCE Graph is generated"

GameOver123
GameOver123 used Ask the Experts™
on
Hi Team :

I 've got  a project in hand of juniper. ISG was gr8 experience but stuck with STRM 500 Appliance. It is licensed and GUI is up and running , even devices are added from admin section and log sources are defined with success also.

 But there are 2 problems.

 I am having EVENTS but no OFFENSES and NETWORK SURVEILLANCE is not making any graph.

 
Attached are 3 reference screenshots.

 

 I have done soft reset and hard reset of sim model also,  any other suggestions...

 [ i want to know how to add sentry , i beileve there is a default sentry already present for all rules and packages] isnt it ?

 telll me .... this is going to a great experience and i want to prove it against MARS .... !

 waiting...for suggestions, advice and solutions ? ???

 
STRM-frontpage.jpg
STRM-Look-EVENTS.jpg
STRM-more-events-view.jpg
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Couple of things to explain here.

STRM can deal with 2 main types of information sent to it, namely, logs and flow records.

You already have logs being sent to the device, which is good.  However, there are no flows being sent.

With the default installation, there are several rules and sentries already added and enabled on the system.  If you do have any offenses created, then there have no anomalous or undesired traffic sent to the device that have triggered any offenses.

To rectify this, we can either amend the default rules or create new rules that will trigger once we see the undesired traffic

We can access the rules from 2 areas, under the event viewer and rules or at the offense manager and then rules.

Also, note that sentries are applied to flow traffic being sent to the device and also flows will populate the network surveillance window.  If you are not sending flows to the device, then we will not see any activity under network surveillance and also no sentries will be looked.

Please note that the STRM is NOT a plug and play device, like, most SEIM devices, we must train teh device to learn what is normal and abnormal in our network and then fine tune the rules and sentries to only "fire" when we want them to.  This process can be longwinded but is definitely worthwhile to get the most from your deveice.

STRM is NOT the best (or the cheapest) log management server but it does do logging and flow/network monitoring very well, which seems to set it aside from the competitors.

HTH
TolomirAdministrator
Top Expert 2005

Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial