Collect Juniper Junos logs
Supported in:
This document describes how you can collect Juniper Junos logs by using a Google Security Operations forwarder.
For more information, see Data ingestion to Google Security Operations.
An ingestion label identifies the parser which normalizes raw log data
to structured UDM format. The information in this document applies to the parser
with the JUNIPER_JUNOS ingestion label.
Configure structured logging for a Juniper Networks SRX device
Structured log format extracts information from log messages. The log format complies with the Syslog protocol.
- Sign in to Juniper SRX CLI using SSH to its management IP address.
- Type
CLIat the shell prompt and press enter. - Type
configureand press enter to get into the configuration mode of the device. - Enter the contact details or customer reference point.
To map the fields to the user account, run the following commands:
set system syslog host FORWARDER_IP_ADDRESS any info set system syslog host FORWARDER_IP_ADDRESS structured-dataReplace
FORWARDER_IP_ADDRESSwith the IP address of the Google Security Operations forwarder.To enable the structured logging for security logs, use the following commands:
set security log mode stream set security log source-address SRC_IP_ADDRESS set security log stream SYSLOG_STREAM_NAME host FORWARDER_IP_ADDRESS set security log stream SYSLOG_STREAM_NAME format sd-syslogReplace the following:
SRC_IP_ADDRESS: the IP address of the Juniper SRX device.SYSLOG_STREAM_NAME: the name which is assigned to the syslog server.FORWARDER_IP_ADDRESS: the IP address of the Google Security Operations forwarder.
Make sure that logging is enabled on all the security policies. To enable logging, run the following commands:
set security policies from-zone <zone-name1> to-zone <zone-name2> policy <policy-name> then log session-close set security policies from-zone <zone-name1> to-zone <zone-name2> policy <policy-name> then log session-initConfigure the hostname on the device using the following command:
set system host-name HOSTNAMEReplace
HOSTNAMEwith the assigned Juniper Networks SRX device.Enter
committo save the executed commands in the configuration.
Configure Google Security Operations forwarder and syslog to ingest Juniper Junos logs
- From the Google Security Operations menu, select Settings.
- Click Forwarders.
- Click Add new forwarder.
- In the Forwarder name field, type a name.
- Click Submit. The forwarder is added and the Add collector configuration window appears.
- In the Collector name field, type a name.
- Select Juniper Junos as the Log type.
- Select Syslog as the Collector type.
- Configure the following input parameters:
- Protocol: specify the protocol as UDP.
- Address: specify the target IP address or hostname where the collector resides and listens for syslog data.
- Port: specify the target port where the collector resides and listens for syslog data.
- Click Submit.
For more information about Google Security Operations forwarders, see Google Security Operations forwarders documentation. For information about requirements for each forwarder type, see Forwarder configuration by type. If you encounter issues when you create forwarders, contact Google Security Operations support.
Field mapping reference
This parser extracts fields from Juniper JUNOS syslog messages, handling both key-value and non-key-value formats. It uses grok patterns to match various message structures, including firewall logs, SSH activity, and command executions, then maps the extracted fields to the UDM. The parser also handles CEF formatted logs using an include file and performs specific actions based on the message content, such as merging IP addresses and usernames into appropriate UDM fields.
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
DPT |
target.port |
The destination port of the network connection, converted to an integer. |
DST |
target.ip |
The destination IP address of the network connection. |
FLAG |
additional.fields{}.key: "FLAG", additional.fields{}.value.string_value: Value of FLAG |
The TCP flag associated with the network connection. |
ID |
additional.fields{}.key: "ID", additional.fields{}.value.string_value: Value of ID |
The IP identification field. |
IN |
additional.fields{}.key: "IN", additional.fields{}.value.string_value: Value of IN |
The incoming network interface. |
LEN |
additional.fields{}.key: "LEN", additional.fields{}.value.string_value: Value of LEN |
The length of the IP packet. |
MAC |
principal.mac |
The MAC address extracted from the MAC field. |
OUT |
additional.fields{}.key: "OUT", additional.fields{}.value.string_value: Value of OUT |
The outgoing network interface. |
PREC |
additional.fields{}.key: "PREC", additional.fields{}.value.string_value: Value of PREC |
The Precedence field in the IP header. |
PROTO |
network.ip_protocol |
The IP protocol used in the network connection. |
RES |
additional.fields{}.key: "RES", additional.fields{}.value.string_value: Value of RES |
Reserved field in the TCP header. |
SPT |
principal.port |
The source port of the network connection, converted to an integer. |
SRC |
principal.ip |
The source IP address of the network connection. |
TOS |
additional.fields{}.key: "TOS", additional.fields{}.value.string_value: Value of TOS |
The Type of Service field in the IP header. |
TTL |
network.dns.additional.ttl |
Time To Live value, converted to an unsigned integer. |
URGP |
additional.fields{}.key: "URGP", additional.fields{}.value.string_value: Value of URGP |
Urgent pointer field in the TCP header. |
WINDOW |
additional.fields{}.key: "WINDOW_SIZE", additional.fields{}.value.string_value: Value of WINDOW |
The TCP window size. |
action |
security_result.action |
The action taken by the firewall, extracted from the CEF message. |
agt |
observer.ip |
The IP address of the agent. |
amac |
target.mac |
The MAC address of the target, converted to lowercase and with hyphens replaced by colons. |
app |
target.application |
The application involved in the event. |
artz |
observer.zone |
The observer time zone. |
atz |
target.location.country_or_region |
The target time zone. |
categoryBehavior |
additional.fields{}.key: "Category Behavior", additional.fields{}.value.string_value: Value of categoryBehavior with slashes removed |
The category behavior. |
categoryDeviceGroup |
additional.fields{}.key: "Category Device Group", additional.fields{}.value.string_value: Value of categoryDeviceGroup with slashes removed |
The category device group. |
categoryObject |
additional.fields{}.key: "Category Object", additional.fields{}.value.string_value: Value of categoryObject with slashes removed |
The category object. |
categoryOutcome |
additional.fields{}.key: "Category Outcome", additional.fields{}.value.string_value: Value of categoryOutcome with slashes removed |
The category outcome. |
categorySignificance |
additional.fields{}.key: "category Significance", additional.fields{}.value.string_value: Value of categorySignificance |
The category significance. |
command |
target.process.command_line |
The command executed. |
cs1Label |
additional.fields{}.key: cs1Label, additional.fields{}.value.string_value: Value of corresponding CEF field |
Custom string field 1 label and value from the CEF message. |
cs2Label |
additional.fields{}.key: cs2Label, additional.fields{}.value.string_value: Value of corresponding CEF field |
Custom string field 2 label and value from the CEF message. |
cs3Label |
additional.fields{}.key: cs3Label, additional.fields{}.value.string_value: Value of corresponding CEF field |
Custom string field 3 label and value from the CEF message. |
cs4Label |
additional.fields{}.key: cs4Label, additional.fields{}.value.string_value: Value of corresponding CEF field |
Custom string field 4 label and value from the CEF message. |
cs5Label |
additional.fields{}.key: cs5Label, additional.fields{}.value.string_value: Value of corresponding CEF field |
Custom string field 5 label and value from the CEF message. |
cs6Label |
additional.fields{}.key: cs6Label, additional.fields{}.value.string_value: Value of corresponding CEF field |
Custom string field 6 label and value from the CEF message. |
dhost |
target.hostname |
Destination hostname. |
deviceCustomString1 |
additional.fields{}.key: cs1Label, additional.fields{}.value.string_value: Value of deviceCustomString1 |
Device custom string 1. |
deviceCustomString2 |
additional.fields{}.key: cs2Label, additional.fields{}.value.string_value: Value of deviceCustomString2 |
Device custom string 2. |
deviceCustomString3 |
additional.fields{}.key: cs3Label, additional.fields{}.value.string_value: Value of deviceCustomString3 |
Device custom string 3. |
deviceCustomString4 |
additional.fields{}.key: cs4Label, additional.fields{}.value.string_value: Value of deviceCustomString4 |
Device custom string 4. |
deviceCustomString5 |
additional.fields{}.key: cs5Label, additional.fields{}.value.string_value: Value of deviceCustomString5 |
Device custom string 5. |
deviceCustomString6 |
additional.fields{}.key: cs6Label, additional.fields{}.value.string_value: Value of deviceCustomString6 |
Device custom string 6. |
deviceDirection |
network.direction |
The direction of the network traffic. |
deviceEventClassId |
additional.fields{}.key: "eventId", additional.fields{}.value.string_value: Value of deviceEventClassId |
The device event class ID. |
deviceFacility |
observer.product.subproduct |
The device facility. |
deviceProcessName |
about.process.command_line |
The device process name. |
deviceSeverity |
security_result.severity |
The device severity. |
deviceTimeZone |
observer.zone |
The device time zone. |
deviceVendor |
metadata.vendor_name |
The device vendor. |
deviceVersion |
metadata.product_version |
The device version. |
dpt |
target.port |
The destination port. |
dst |
target.ip |
The destination IP address. |
duser |
target.user.user_display_name |
The destination user. |
eventId |
additional.fields{}.key: "eventId", additional.fields{}.value.string_value: Value of eventId |
Event ID. |
event_time |
metadata.event_timestamp |
The time the event occurred, parsed from the message. |
firewall_action |
security_result.action_details |
The firewall action taken. |
host |
principal.hostname, intermediary.hostname |
The hostname of the device generating the log. Used for both principal and intermediary in different cases. |
msg |
security_result.summary |
The message associated with the event, used as a summary for the security result. |
name |
metadata.product_event_type |
The name of the event. |
process_name |
additional.fields{}.key: "process_name", additional.fields{}.value.string_value: Value of process_name |
The name of the process. |
p_id |
target.process.pid |
The process ID, converted to a string. |
sha256 |
principal.process.file.sha256 |
The SHA256 hash of a file, extracted from the SSH2 key information. |
shost |
principal.hostname |
Source hostname. |
source_address |
principal.ip |
The source IP address. |
source_port |
principal.port |
The source port, converted to an integer. |
src |
principal.ip |
The source IP address. |
src_ip |
principal.ip |
The source IP address. |
src_port |
principal.port |
The source port, converted to an integer. |
ssh2 |
security_result.detection_fields{}.key: "ssh2", security_result.detection_fields{}.value: Value of ssh2 |
SSH2 key information. |
subtype |
metadata.product_event_type |
The subtype of the event. |
task_summary |
security_result.description |
The task summary, used as the description for the security result. |
timestamp |
metadata.event_timestamp |
The timestamp of the event. |
user |
target.user.userid |
The user associated with the event. |
username |
principal.user.userid |
The username associated with the event. |
user_name |
principal.user.userid |
The username. |
metadata.vendor_name |
Hardcoded to "Juniper Firewall". Hardcoded to "Juniper Firewall". Hardcoded to "JUNIPER_JUNOS". Determined by parser logic based on log content. Defaults to "STATUS_UPDATE" if not a CEF message and no other specific event type is identified. Set to "NETWORK_HTTP" for CEF messages. If no desc field is present, this field is populated with the message_description extracted from the raw log message. |
Changes
2024-05-02
- Enhancement-
- Added Grok patterns to support new SYSLOG + KV format logs.
2023-10-25
- Enhancement-
- Added Grok patterns to parse unparsed logs.
- Mapped "source_port" to "principal.port".
- Mapped "source_address" to "principal.ip".
- Mapped "user_name" to "target.user.userid".
- Mapped "application_name" to "target.application".
- Mapped "p_id" to "target.process.pid".
- Added "invalid_pattern" check before KV mapping.
- Added a Grok pattern to map "security_result.description" when "description_present" is false.
2023-08-17
- Enhancement-
- Added Grok pattern to parsed unparsed logs.
- Mapped "msg" to "security_result.summary".
- Mapped "src_ip" to "principal.ip".
- Mapped "user" to "target.user.userid".
- Mapped "username" to "principal.user.userid".
- Mapped "command" to "target.process.command_line".
- Mapped "src_port" to "principal.port".
- Mapped "ssh2" to "security_result.detection_fields".
- Mapped "sha256" to "principal.process.file.sha256".
- Mapped "desc" to "sec_result.summary".
- Mapped "mac-address" to "principal.mac".
- Mapped "host" to "principal.hostname" if event_type is "STATUS_UPDATE".
2023-01-15
- Enhancement-
- Modified Grok pattern to support unparsed logs containing type "UI_CMDLINE_READ_LINE", "UI_COMMIT_PROGRESS", "UI_CHILD_START",
- "UI_CFG_AUDIT_OTHER", "UI_LOGIN_EVENT", "UI_CHILD_STATUS", "UI_LOGOUT_EVENT", "UI_LOAD_EVENT",
- "JTASK_IO_CONNECT_FAILED", "UI_AUTH_EVENT", "UI_NETCONF_CMD", "UI_COMMIT_NO_MASTER_PASSWORD", "UI_CFG_AUDIT_SET", "UI_JUNOSCRIPT_CMD",
- "SNMPD_AUTH_FAILURE", "UI_CFG_AUDIT_NEW", "UI_COMMIT" , "LIBJNX_LOGIN_ACCOUNT_LOCKED", "UI_COMMIT_COMPLETED",
- "PAM_USER_LOCK_LOGIN_REQUESTS_DENIED", "RTPERF_CPU_USAGE_OK", "RTPERF_CPU_THRESHOLD_EXCEEDED", "LIBJNX_LOGIN_ACCOUNT_UNLOCKED",
- "JSRPD_SET_OTHER_INTF_MON_FAIL", "JSRPD_SET_SCHED_MON_FAILURE", "UI_CHILD_WAITPID", "UI_DBASE_LOGIN_EVENT".
2022-05-02
- New default parser.