Versa Networks

Versa Networks combines a full-featured SD-WAN (software-defined wide area network), integrated security, scalable routing, multi-tenancy, and analytics to meet WAN Edge requirements. The Versa Analytics Node is responsible for receiving logs from Versa FlexVNF devices, storing logs locally, and streaming logs to third-party collectors.

InsightIDR generates:

  • accessLog for firewall events
  • idpLog and dosThreatLog for third party alert events
  • urlfLog for web proxy events

To learn more about Versa Networks, refer to their documentation.

To set up Versa Networks:

  1. Read the requirements and complete any prerequisite steps.
  2. Configure Versa Networks to send data to InsightIDR.
  3. Configure InsightIDR to collect data from the event source.
  4. Test the configuration.

You can also:

Visit the third-party vendor's documentation

For the most accurate information about preparing your event source product for integration with InsightIDR, we recommend that you visit the Versa Networks product documentation.

Requirements

Ensure that your system meets the following requirements:

  • You must indicate the instance of the log collector exporter or driver.
  • You must set up a local collector to be an analytics log collector node.
  • You must configure the log collector exporter to send logs to a remote system.
  • You must install the Notification Agent to receive email alerts and notifications from your analytics log collector node.

Configure Versa Networks to send data to InsightIDR

To enable communication between Versa Networks and InsightIDR, you must configure remote logging in Versa Networks.

Set up a local log collector

Configure log collectors on each of the Versa Analytics Nodes. The log collector is a TCP (Transmission Control Protocol) server responsible for terminating the TCP connections that carry the logs in IPFIX (Internet Protocol Flow Information Export) format from the Versa Networks FlexVNF solution.

To set up a local collector:

  1. Specify a collector address and collector port for the analytics node in the clustersetup.conf file.
  2. Run the van_cluster_installer.py script to configure the local collector.

Set up and configure a remote log collector

To send logs to third-party collectors, such as InsightIDR, configure the remote collectors on each of the Versa Analytics Nodes.

1. Configure the remote collector
  1. Ensure that the IP address listed is a local IP address.
  2. Ensure that TCP is configured as the transport and port 514 as the destination port.
  3. Configure the types of logs that you want to export to the log collector.
  4. If you want to send email alerts and notifications to users, make sure to install the notification agent and allow the remote collector to send logs to the notification agent.
2. Configure a remote template
  1. Define the types of logs that a remote collector exports and configure the format of the logs.
  2. Enter the following information:
    • Name - Enter a name for the remote collector template.
    • Description - Enter a text description for the remote collector template.
    • Type - Select Syslog as the type of logs to send to the remote collector.
    • Format - Select KVP, key-value pair data, for the format in which to send the logs to the remote collector.
    • Include Priority - Click to include priorities.
    • Exclude Host Name - Click to exclude the host name from logs.
    • Exclude Timestamp - Click to exclude the timestamp from logs.
  3. Click Save.
  4. Verify that the template has been configured correctly.
3. Configure a log collector profile

Configure a remote profile to assign a name to an individual remote collector, a remote collector group, or a remote collector group list. Reference the profile you create when configuring a log exporter policy.

4. Configure log exporter policies
  1. Configure log exporter rules that match log types and tenants. You must select dos-log, idp-log, firewall-log, and urlf-log as your log types.
  2. Export the rules to the remote collector defined in one of your remote profiles.
  3. Ensure that each rule's match criteria are unique in the local collector. Otherwise, rules may be ignored.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. Go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Versa Networks in the event sources search bar.
    • In the Product Type filter, select Firewall.
  3. Select Versa Networks.
  4. Name the event source. The name you enter will be used for the log that the event data streams into in Log Search.
  5. Select a collector.
  6. Optionally, choose to send unparsed data.
  7. Set the Collection Method to Listen on network port.
  8. Click Save.

Test the configuration

The event types that InsightIDR parses are:

  • Firewall
  • Third Party Alerts
  • Web Proxy

To test that event data is flowing into InsightIDR:

  1. From the Data Collection Management page, open the Event Sources tab.
  2. Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to the Collector.
  3. Wait approximately 7 minutes, then open Log Search.

Next, verify that log entries are appearing in Log Search:

  1. From the left menu, go to Log Search.
  2. In the Log Search filter panel, search for the event source you named in step 4 of Configure InsightIDR to collect data from the event source. Versa Networks logs should flow into these log sets:
    • Firewall
    • Third Party Alerts
    • Web Proxy
  3. Select the log sets and the logs within them.
  4. Set the time range to Last 10 minutes and click Run.

The Results table displays all events that flowed into InsightIDR in the last 10 minutes. Pay attention to the keys and values that are displayed, which are helpful when you want to build a query and search your logs.

Sample logs

In Log Search, the log that is generated uses the name of your event source by default. The log appears under the log sets: Firewall, Third Party Alerts, and Web Proxy. Here is a typical raw log entry that is created by each event source:

Firewall

accessLog

2024-05-28T13:30:11+0000 accessLog, applianceName=PHLJPAMT2BW, tenantName=Customer1, flowId=33556176, flowCookie=1716902906, flowStartMilliseconds=3664948, flowEndMilliseconds=3751042, sentOctets=2484, sentPackets=23, recvdOctets=0, recvdPackets=0, appId=476, eventType=end, tenantId=3, urlCategory=, action=allow, vsnId=0, applianceId=1, appRisk=1, appProductivity=3, appIdStr=rtcp, appFamily=media, appSubFamily=audio_video, rule=Allow_From_Trust_To_SDWAN, forwardForwardingClass=fc_be, reverseForwardingClass=fc_be, host=, deviceKey=Unknown, deviceName=Unknown, sourceIPv4Address=172.16.110.11, destinationIPv4Address=172.17.2.11, sourceTransportPort=24331, destinationTransportPort=24107, protocolId=6

Third party alert

idpLog

2017-11-26T22:37:11+0000 idpLog, applianceName=Branch1, tenantName=Customer1, flowId=33655871, flowCookie=1511734794, signatureId=1000000530, groupId=1, signatureRev=0, vsnId=0, applianceId=1, tenantId=1, moduleId=12, signaturePriority=2, idpAction=alert, signatureMsg=\"Microsoft DNS Server Denial of Service\", classMsg=\"Attempted Denial of Service\", threatType=attempted-dos, packetTime=11/26/2017-14:37:11.000000, HitCount=1, ipsProfile=Vulnerablity_Profile, ipsProfileRule=Rule1, ipsDirection=ToClient, ipsProtocol=UDP, ipsApplication=dns

dosThreatLog

2017-11-28T23:09:29+0000 dosThreatLog, applianceName=Site1Branch1, tenantName=Customer1, observationTimeMilliseconds=1511911030085, threatType=Flood, dosAttackName=UDP, tenantId=1, fromZone=(null), toZone=, dosAttacker=, dosVictim=, dosScanList=(null), dosScanPortsCount=0, dosAction=Drop, severityLevel=1, vsnId=0

Web proxy

urlfLog

2024-05-28T13:30:04+0000 urlfLog, applianceName=PNSKNJAB07W, tenantName=Customer1, flowId=35762909, flowCookie=1716903295, vsnId=0, applianceId=1, tenantId=2, urlReputation=trustworthy, urlCategory=proxy_avoid_and_anonymizers, httpUrl=google.com, urlfProfile=Enterprise_NSA_Web, urlfAction=reject, urlfActionMessage=, sourceIPv4Address=192.168.110.70, destinationIPv4Address=172.16.103.5, sourceTransportPort=53522, destinationTransportPort=443
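
To check a capture of exported lines against the KVP format shown in the samples above, and to confirm that all four required log types are being exported, you can parse the lines offline. The following Python is an added example, not part of the Versa Networks or InsightIDR products; the function names parse_versa_kvp and missing_log_types are hypothetical, and the sample lines are abbreviated copies of the entries on this page.

```python
import re

# Log type -> InsightIDR log set, as listed on this page.
LOG_SETS = {
    "accessLog": "Firewall",
    "idpLog": "Third Party Alerts",
    "dosThreatLog": "Third Party Alerts",
    "urlfLog": "Web Proxy",
}
HEADER_RE = re.compile(r"^(\S+)\s+(\w+),\s*(.*)$")
# A value is either a quoted string (the idpLog sample wraps it in \"...\")
# or everything up to the next comma; empty values are allowed.
PAIR_RE = re.compile(r'(\w+)=(\\?".*?\\?"|[^,]*)(?:,\s*|$)')

def parse_versa_kvp(line):
    """Parse one KVP syslog line into timestamp, log type, log set and fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("line does not start with '<timestamp> <logType>,'")
    timestamp, log_type, body = m.groups()
    fields = {}
    for key, raw in PAIR_RE.findall(body):
        value = re.sub(r'^\\?"|\\?"$', "", raw.strip())
        # Treat empty and "(null)" values as missing rather than as strings.
        fields[key] = None if value in ("", "(null)") else value
    return {"timestamp": timestamp, "log_type": log_type,
            "log_set": LOG_SETS.get(log_type), "fields": fields}

def missing_log_types(lines):
    """Return the expected log types that never appear in the capture."""
    seen = set()
    for line in lines:
        try:
            seen.add(parse_versa_kvp(line)["log_type"])
        except ValueError:
            continue  # skip lines that are not in the KVP format
    return set(LOG_SETS) - seen

# Abbreviated copies of the sample entries on this page.
SAMPLES = [
    "2024-05-28T13:30:11+0000 accessLog, applianceName=PHLJPAMT2BW, urlCategory=, action=allow, rule=Allow_From_Trust_To_SDWAN, protocolId=6",
    r'2017-11-26T22:37:11+0000 idpLog, applianceName=Branch1, idpAction=alert, signatureMsg=\"Microsoft DNS Server Denial of Service\", threatType=attempted-dos',
    "2017-11-28T23:09:29+0000 dosThreatLog, applianceName=Site1Branch1, threatType=Flood, fromZone=(null), toZone=, dosAction=Drop",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        event = parse_versa_kvp(sample)
        print(event["log_type"], "->", event["log_set"], event["fields"])
    print("missing:", missing_log_types(SAMPLES))
```

A non-empty result from missing_log_types means that at least one of the required log types is not reaching the collector, which usually points back to the log exporter rules.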