Collect Juniper Junos logs

Supported in:

Google SecOps SIEM

This document describes how you can collect Juniper Junos logs by using a Google Security Operations forwarder.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the JUNIPER_JUNOS ingestion label.

Configure structured logging for a Juniper Networks SRX device

Structured log format extracts information from log messages. The log format complies with the Syslog protocol.

Sign in to Juniper SRX CLI using SSH to its management IP address.
Type CLI at the shell prompt and press enter.
Type configure and press enter to get into the configuration mode of the device.
Enter the contact details or customer reference point.
To map the fields to the user account, run the following commands:
```
   set system syslog host FORWARDER_IP_ADDRESS any info

   set system syslog host FORWARDER_IP_ADDRESS structured-data
```
Replace FORWARDER_IP_ADDRESS with the IP address of the Google Security Operations forwarder.
To enable the structured logging for security logs, use the following commands:
```
   set security log mode stream

   set security log source-address SRC_IP_ADDRESS

   set security log stream SYSLOG_STREAM_NAME host FORWARDER_IP_ADDRESS

   set security log stream SYSLOG_STREAM_NAME format sd-syslog
```
Replace the following:
- SRC_IP_ADDRESS: the IP address of the Juniper SRX device.
- SYSLOG_STREAM_NAME: the name which is assigned to the syslog server.
- FORWARDER_IP_ADDRESS: the IP address of the Google Security Operations forwarder.

Make sure that logging is enabled on all the security policies. To enable logging, run the following commands:

   set security policies from-zone <zone-name1> to-zone <zone-name2> policy <policy-name> then log session-close

   set security policies from-zone <zone-name1> to-zone <zone-name2> policy <policy-name> then log session-init

Configure the hostname on the device using the following command:
```
   set system host-name HOSTNAME
```
Replace HOSTNAME with the assigned Juniper Networks SRX device.
Enter commit to save the executed commands in the configuration.

Configure Google Security Operations forwarder and syslog to ingest Juniper Junos logs

Select SIEM Settings > Forwarders.
Click Add new forwarder.
Enter a unique name in the Forwarder name field.
Click Submit and then click Confirm. The forwarder is added and the Add collector configuration window appears.
In the Collector name field, enter a unique name for the collector.
Select Juniper Junos as the Log type.
Select Syslog as the Collector type.
Configure the following input parameters:
- Protocol: specify the protocol as UDP.
- Address: specify the target IP address or hostname where the collector resides and listens for syslog data.
- Port: specify the target port where the collector resides and listens for syslog data.
Click Submit.

For more information about Google Security Operations forwarders, see Google Security Operations forwarders documentation. For information about requirements for each forwarder type, see Forwarder configuration by type. If you encounter issues when you create forwarders, contact Google Security Operations support.

Field mapping reference

This parser extracts fields from Juniper JUNOS syslog messages, handling both key-value and non-key-value formats. It uses grok patterns to match various message structures, including firewall logs, SSH activity, and command executions, then maps the extracted fields to the UDM. The parser also handles CEF formatted logs using an include file and performs specific actions based on the message content, such as merging IP addresses and usernames into appropriate UDM fields.

UDM mapping table

Log Field	UDM Mapping	Logic
`DPT`	`target.port`	The destination port of the network connection, converted to an integer.
`DST`	`target.ip`	The destination IP address of the network connection.
`FLAG`	`additional.fields{}.key`: "FLAG", `additional.fields{}.value.string_value`: Value of `FLAG`	The TCP flag associated with the network connection.
`ID`	`additional.fields{}.key`: "ID", `additional.fields{}.value.string_value`: Value of `ID`	The IP identification field.
`IN`	`additional.fields{}.key`: "IN", `additional.fields{}.value.string_value`: Value of `IN`	The incoming network interface.
`LEN`	`additional.fields{}.key`: "LEN", `additional.fields{}.value.string_value`: Value of `LEN`	The length of the IP packet.
`MAC`	`principal.mac`	The MAC address extracted from the `MAC` field.
`OUT`	`additional.fields{}.key`: "OUT", `additional.fields{}.value.string_value`: Value of `OUT`	The outgoing network interface.
`PREC`	`additional.fields{}.key`: "PREC", `additional.fields{}.value.string_value`: Value of `PREC`	The Precedence field in the IP header.
`PROTO`	`network.ip_protocol`	The IP protocol used in the network connection.
`RES`	`additional.fields{}.key`: "RES", `additional.fields{}.value.string_value`: Value of `RES`	Reserved field in the TCP header.
`SPT`	`principal.port`	The source port of the network connection, converted to an integer.
`SRC`	`principal.ip`	The source IP address of the network connection.
`TOS`	`additional.fields{}.key`: "TOS", `additional.fields{}.value.string_value`: Value of `TOS`	The Type of Service field in the IP header.
`TTL`	`network.dns.additional.ttl`	Time To Live value, converted to an unsigned integer.
`URGP`	`additional.fields{}.key`: "URGP", `additional.fields{}.value.string_value`: Value of `URGP`	Urgent pointer field in the TCP header.
`WINDOW`	`additional.fields{}.key`: "WINDOW_SIZE", `additional.fields{}.value.string_value`: Value of `WINDOW`	The TCP window size.
`action`	`security_result.action`	The action taken by the firewall, extracted from the CEF message.
`agt`	`observer.ip`	The IP address of the agent.
`amac`	`target.mac`	The MAC address of the target, converted to lowercase and with hyphens replaced by colons.
`app`	`target.application`	The application involved in the event.
`artz`	`observer.zone`	The observer time zone.
`atz`	`target.location.country_or_region`	The target time zone.
`categoryBehavior`	`additional.fields{}.key`: "Category Behavior", `additional.fields{}.value.string_value`: Value of `categoryBehavior` with slashes removed	The category behavior.
`categoryDeviceGroup`	`additional.fields{}.key`: "Category Device Group", `additional.fields{}.value.string_value`: Value of `categoryDeviceGroup` with slashes removed	The category device group.
`categoryObject`	`additional.fields{}.key`: "Category Object", `additional.fields{}.value.string_value`: Value of `categoryObject` with slashes removed	The category object.
`categoryOutcome`	`additional.fields{}.key`: "Category Outcome", `additional.fields{}.value.string_value`: Value of `categoryOutcome` with slashes removed	The category outcome.
`categorySignificance`	`additional.fields{}.key`: "category Significance", `additional.fields{}.value.string_value`: Value of `categorySignificance`	The category significance.
`command`	`target.process.command_line`	The command executed.
`cs1Label`	`additional.fields{}.key`: `cs1Label`, `additional.fields{}.value.string_value`: Value of corresponding CEF field	Custom string field 1 label and value from the CEF message.
`cs2Label`	`additional.fields{}.key`: `cs2Label`, `additional.fields{}.value.string_value`: Value of corresponding CEF field	Custom string field 2 label and value from the CEF message.
`cs3Label`	`additional.fields{}.key`: `cs3Label`, `additional.fields{}.value.string_value`: Value of corresponding CEF field	Custom string field 3 label and value from the CEF message.
`cs4Label`	`additional.fields{}.key`: `cs4Label`, `additional.fields{}.value.string_value`: Value of corresponding CEF field	Custom string field 4 label and value from the CEF message.
`cs5Label`	`additional.fields{}.key`: `cs5Label`, `additional.fields{}.value.string_value`: Value of corresponding CEF field	Custom string field 5 label and value from the CEF message.
`cs6Label`	`additional.fields{}.key`: `cs6Label`, `additional.fields{}.value.string_value`: Value of corresponding CEF field	Custom string field 6 label and value from the CEF message.
`dhost`	`target.hostname`	Destination hostname.
`deviceCustomString1`	`additional.fields{}.key`: `cs1Label`, `additional.fields{}.value.string_value`: Value of `deviceCustomString1`	Device custom string 1.
`deviceCustomString2`	`additional.fields{}.key`: `cs2Label`, `additional.fields{}.value.string_value`: Value of `deviceCustomString2`	Device custom string 2.
`deviceCustomString3`	`additional.fields{}.key`: `cs3Label`, `additional.fields{}.value.string_value`: Value of `deviceCustomString3`	Device custom string 3.
`deviceCustomString4`	`additional.fields{}.key`: `cs4Label`, `additional.fields{}.value.string_value`: Value of `deviceCustomString4`	Device custom string 4.
`deviceCustomString5`	`additional.fields{}.key`: `cs5Label`, `additional.fields{}.value.string_value`: Value of `deviceCustomString5`	Device custom string 5.
`deviceCustomString6`	`additional.fields{}.key`: `cs6Label`, `additional.fields{}.value.string_value`: Value of `deviceCustomString6`	Device custom string 6.
`deviceDirection`	`network.direction`	The direction of the network traffic.
`deviceEventClassId`	`additional.fields{}.key`: "eventId", `additional.fields{}.value.string_value`: Value of `deviceEventClassId`	The device event class ID.
`deviceFacility`	`observer.product.subproduct`	The device facility.
`deviceProcessName`	`about.process.command_line`	The device process name.
`deviceSeverity`	`security_result.severity`	The device severity.
`deviceTimeZone`	`observer.zone`	The device time zone.
`deviceVendor`	`metadata.vendor_name`	The device vendor.
`deviceVersion`	`metadata.product_version`	The device version.
`dpt`	`target.port`	The destination port.
`dst`	`target.ip`	The destination IP address.
`duser`	`target.user.user_display_name`	The destination user.
`eventId`	`additional.fields{}.key`: "eventId", `additional.fields{}.value.string_value`: Value of `eventId`	Event ID.
`event_time`	`metadata.event_timestamp`	The time the event occurred, parsed from the message.
`firewall_action`	`security_result.action_details`	The firewall action taken.
`host`	`principal.hostname`, `intermediary.hostname`	The hostname of the device generating the log. Used for both principal and intermediary in different cases.
`msg`	`security_result.summary`	The message associated with the event, used as a summary for the security result.
`name`	`metadata.product_event_type`	The name of the event.
`process_name`	`additional.fields{}.key`: "process_name", `additional.fields{}.value.string_value`: Value of `process_name`	The name of the process.
`p_id`	`target.process.pid`	The process ID, converted to a string.
`sha256`	`principal.process.file.sha256`	The SHA256 hash of a file, extracted from the SSH2 key information.
`shost`	`principal.hostname`	Source hostname.
`source_address`	`principal.ip`	The source IP address.
`source_port`	`principal.port`	The source port, converted to an integer.
`src`	`principal.ip`	The source IP address.
`src_ip`	`principal.ip`	The source IP address.
`src_port`	`principal.port`	The source port, converted to an integer.
`ssh2`	`security_result.detection_fields{}.key`: "ssh2", `security_result.detection_fields{}.value`: Value of `ssh2`	SSH2 key information.
`subtype`	`metadata.product_event_type`	The subtype of the event.
`task_summary`	`security_result.description`	The task summary, used as the description for the security result.
`timestamp`	`metadata.event_timestamp`	The timestamp of the event.
`user`	`target.user.userid`	The user associated with the event.
`username`	`principal.user.userid`	The username associated with the event.
`user_name`	`principal.user.userid`	The username.
	`metadata.vendor_name`	Hardcoded to "Juniper Firewall". Hardcoded to "Juniper Firewall". Hardcoded to "JUNIPER_JUNOS". Determined by parser logic based on log content. Defaults to "STATUS_UPDATE" if not a CEF message and no other specific event type is identified. Set to "NETWORK_HTTP" for CEF messages. If no `desc` field is present, this field is populated with the `message_description` extracted from the raw log message.

Changes

2024-05-02

Enhancement-
Added Grok patterns to support new SYSLOG + KV format logs.

2023-10-25

Enhancement-
Added Grok patterns to parse unparsed logs.
Mapped "source_port" to "principal.port".
Mapped "source_address" to "principal.ip".
Mapped "user_name" to "target.user.userid".
Mapped "application_name" to "target.application".
Mapped "p_id" to "target.process.pid".
Added "invalid_pattern" check before KV mapping.
Added a Grok pattern to map "security_result.description" when "description_present" is false.

2023-08-17

Enhancement-
Added Grok pattern to parsed unparsed logs.
Mapped "msg" to "security_result.summary".
Mapped "src_ip" to "principal.ip".
Mapped "user" to "target.user.userid".
Mapped "username" to "principal.user.userid".
Mapped "command" to "target.process.command_line".
Mapped "src_port" to "principal.port".
Mapped "ssh2" to "security_result.detection_fields".
Mapped "sha256" to "principal.process.file.sha256".
Mapped "desc" to "sec_result.summary".
Mapped "mac-address" to "principal.mac".
Mapped "host" to "principal.hostname" if event_type is "STATUS_UPDATE".

2023-01-15

Enhancement-
Modified Grok pattern to support unparsed logs containing type "UI_CMDLINE_READ_LINE", "UI_COMMIT_PROGRESS", "UI_CHILD_START",
"UI_CFG_AUDIT_OTHER", "UI_LOGIN_EVENT", "UI_CHILD_STATUS", "UI_LOGOUT_EVENT", "UI_LOAD_EVENT",
"JTASK_IO_CONNECT_FAILED", "UI_AUTH_EVENT", "UI_NETCONF_CMD", "UI_COMMIT_NO_MASTER_PASSWORD", "UI_CFG_AUDIT_SET", "UI_JUNOSCRIPT_CMD",
"SNMPD_AUTH_FAILURE", "UI_CFG_AUDIT_NEW", "UI_COMMIT" , "LIBJNX_LOGIN_ACCOUNT_LOCKED", "UI_COMMIT_COMPLETED",
"PAM_USER_LOCK_LOGIN_REQUESTS_DENIED", "RTPERF_CPU_USAGE_OK", "RTPERF_CPU_THRESHOLD_EXCEEDED", "LIBJNX_LOGIN_ACCOUNT_UNLOCKED",
"JSRPD_SET_OTHER_INTF_MON_FAIL", "JSRPD_SET_SCHED_MON_FAILURE", "UI_CHILD_WAITPID", "UI_DBASE_LOGIN_EVENT".

2022-05-02

New default parser.