Skip to content

Vendor - Pulse

Product - Secure Connect

Ref Link
Splunk Add-on https://splunkbase.splunk.com/app/3852/
JunOS TechLibrary https://docs.pulsesecure.net/WebHelp/Content/PCS/PCS_AdminGuide_8.2/Configuring%20Syslog.htm

Sourcetypes

sourcetype notes
pulse:connectsecure None
pulse:connectsecure:web None

Sourcetype and Index Configuration

key sourcetype index notes
pulse_connect_secure pulse:connectsecure netfw none
pulse_connect_secure_web pulse:connectsecure:web netproxy none

Filter type

  • MSG Parse: This filter parses message content

Setup and Configuration

  • Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is exclusively used the addon is not required on the indexer.
  • Review and update the splunk_metadata.csv file and set the index as required.
  • Follow vendor configuration steps per referenced Product Manual

Options

Note RFC6587 framing is not supported over TLS at this time

Variable default description
SC4S_LISTEN_PULSE_CONNECT_SECURE_UDP_PORT empty string Enable a UDP port for this specific vendor product using a comma-separated list of port numbers using legacy 3164 format
SC4S_LISTEN_PULSE_CONNECT_SECURE_RFC6587_PORT empty string Enable a TCP using IETF Framing (RFC6587) port for this specific vendor product using a comma-separated list of port numbers
SC4S_ARCHIVE_PULSE_CONNECT_SECURE no Enable archive to disk for this specific source
SC4S_DEST_PULSE_CONNECT_SECURE_HEC no When Splunk HEC is disabled globally set to yes to enable this specific source

Verification

Use the following search to validate events are present

index=<asconfigured> sourcetype=pulse:connectsecure* | stats count by host

Verify the timestamp and host values match as expected