Collect Juniper Junos logs

Supported in:

This document describes how you can collect Juniper Junos logs by using a Google Security Operations forwarder.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the JUNIPER_JUNOS ingestion label.

Configure structured logging for a Juniper Networks SRX device

Structured log format extracts information from log messages. The log format complies with the Syslog protocol.

  1. Sign in to Juniper SRX CLI using SSH to its management IP address.
  2. Type CLI at the shell prompt and press enter.
  3. Type configure and press enter to get into the configuration mode of the device.
  4. Enter the contact details or customer reference point.
  5. To map the fields to the user account, run the following commands:

       set system syslog host FORWARDER_IP_ADDRESS any info
    
       set system syslog host FORWARDER_IP_ADDRESS structured-data
    
    

    Replace FORWARDER_IP_ADDRESS with the IP address of the Google Security Operations forwarder.

  6. To enable the structured logging for security logs, use the following commands:

       set security log mode stream
    
       set security log source-address SRC_IP_ADDRESS
    
       set security log stream SYSLOG_STREAM_NAME host FORWARDER_IP_ADDRESS
    
       set security log stream SYSLOG_STREAM_NAME format sd-syslog
    
    

    Replace the following:

    • SRC_IP_ADDRESS: the IP address of the Juniper SRX device.

    • SYSLOG_STREAM_NAME: the name which is assigned to the syslog server.

    • FORWARDER_IP_ADDRESS: the IP address of the Google Security Operations forwarder.

  7. Make sure that logging is enabled on all the security policies. To enable logging, run the following commands:

       set security policies from-zone <zone-name1> to-zone <zone-name2> policy <policy-name> then log session-close
    
       set security policies from-zone <zone-name1> to-zone <zone-name2> policy <policy-name> then log session-init
    
    
  8. Configure the hostname on the device using the following command:

       set system host-name HOSTNAME
    
    

    Replace HOSTNAME with the assigned Juniper Networks SRX device.

  9. Enter commit to save the executed commands in the configuration.

Configure Google Security Operations forwarder and syslog to ingest Juniper Junos logs

  1. Select SIEM Settings > Forwarders.
  2. Click Add new forwarder.
  3. Enter a unique name in the Forwarder name field.
  4. Click Submit and then click Confirm. The forwarder is added and the Add collector configuration window appears.
  5. In the Collector name field, enter a unique name for the collector.
  6. Select Juniper Junos as the Log type.
  7. Select Syslog as the Collector type.
  8. Configure the following input parameters:
    • Protocol: specify the protocol as UDP.
    • Address: specify the target IP address or hostname where the collector resides and listens for syslog data.
    • Port: specify the target port where the collector resides and listens for syslog data.
  9. Click Submit.

For more information about Google Security Operations forwarders, see Google Security Operations forwarders documentation. For information about requirements for each forwarder type, see Forwarder configuration by type. If you encounter issues when you create forwarders, contact Google Security Operations support.

Field mapping reference

This parser extracts fields from Juniper JUNOS syslog messages, handling both key-value and non-key-value formats. It uses grok patterns to match various message structures, including firewall logs, SSH activity, and command executions, then maps the extracted fields to the UDM. The parser also handles CEF formatted logs using an include file and performs specific actions based on the message content, such as merging IP addresses and usernames into appropriate UDM fields.

UDM mapping table

Log Field UDM Mapping Logic
DPT target.port The destination port of the network connection, converted to an integer.
DST target.ip The destination IP address of the network connection.
FLAG additional.fields{}.key: "FLAG", additional.fields{}.value.string_value: Value of FLAG The TCP flag associated with the network connection.
ID additional.fields{}.key: "ID", additional.fields{}.value.string_value: Value of ID The IP identification field.
IN additional.fields{}.key: "IN", additional.fields{}.value.string_value: Value of IN The incoming network interface.
LEN additional.fields{}.key: "LEN", additional.fields{}.value.string_value: Value of LEN The length of the IP packet.
MAC principal.mac The MAC address extracted from the MAC field.
OUT additional.fields{}.key: "OUT", additional.fields{}.value.string_value: Value of OUT The outgoing network interface.
PREC additional.fields{}.key: "PREC", additional.fields{}.value.string_value: Value of PREC The Precedence field in the IP header.
PROTO network.ip_protocol The IP protocol used in the network connection.
RES additional.fields{}.key: "RES", additional.fields{}.value.string_value: Value of RES Reserved field in the TCP header.
SPT principal.port The source port of the network connection, converted to an integer.
SRC principal.ip The source IP address of the network connection.
TOS additional.fields{}.key: "TOS", additional.fields{}.value.string_value: Value of TOS The Type of Service field in the IP header.
TTL network.dns.additional.ttl Time To Live value, converted to an unsigned integer.
URGP additional.fields{}.key: "URGP", additional.fields{}.value.string_value: Value of URGP Urgent pointer field in the TCP header.
WINDOW additional.fields{}.key: "WINDOW_SIZE", additional.fields{}.value.string_value: Value of WINDOW The TCP window size.
action security_result.action The action taken by the firewall, extracted from the CEF message.
agt observer.ip The IP address of the agent.
amac target.mac The MAC address of the target, converted to lowercase and with hyphens replaced by colons.
app target.application The application involved in the event.
artz observer.zone The observer time zone.
atz target.location.country_or_region The target time zone.
categoryBehavior additional.fields{}.key: "Category Behavior", additional.fields{}.value.string_value: Value of categoryBehavior with slashes removed The category behavior.
categoryDeviceGroup additional.fields{}.key: "Category Device Group", additional.fields{}.value.string_value: Value of categoryDeviceGroup with slashes removed The category device group.
categoryObject additional.fields{}.key: "Category Object", additional.fields{}.value.string_value: Value of categoryObject with slashes removed The category object.
categoryOutcome additional.fields{}.key: "Category Outcome", additional.fields{}.value.string_value: Value of categoryOutcome with slashes removed The category outcome.
categorySignificance additional.fields{}.key: "category Significance", additional.fields{}.value.string_value: Value of categorySignificance The category significance.
command target.process.command_line The command executed.
cs1Label additional.fields{}.key: cs1Label, additional.fields{}.value.string_value: Value of corresponding CEF field Custom string field 1 label and value from the CEF message.
cs2Label additional.fields{}.key: cs2Label, additional.fields{}.value.string_value: Value of corresponding CEF field Custom string field 2 label and value from the CEF message.
cs3Label additional.fields{}.key: cs3Label, additional.fields{}.value.string_value: Value of corresponding CEF field Custom string field 3 label and value from the CEF message.
cs4Label additional.fields{}.key: cs4Label, additional.fields{}.value.string_value: Value of corresponding CEF field Custom string field 4 label and value from the CEF message.
cs5Label additional.fields{}.key: cs5Label, additional.fields{}.value.string_value: Value of corresponding CEF field Custom string field 5 label and value from the CEF message.
cs6Label additional.fields{}.key: cs6Label, additional.fields{}.value.string_value: Value of corresponding CEF field Custom string field 6 label and value from the CEF message.
dhost target.hostname Destination hostname.
deviceCustomString1 additional.fields{}.key: cs1Label, additional.fields{}.value.string_value: Value of deviceCustomString1 Device custom string 1.
deviceCustomString2 additional.fields{}.key: cs2Label, additional.fields{}.value.string_value: Value of deviceCustomString2 Device custom string 2.
deviceCustomString3 additional.fields{}.key: cs3Label, additional.fields{}.value.string_value: Value of deviceCustomString3 Device custom string 3.
deviceCustomString4 additional.fields{}.key: cs4Label, additional.fields{}.value.string_value: Value of deviceCustomString4 Device custom string 4.
deviceCustomString5 additional.fields{}.key: cs5Label, additional.fields{}.value.string_value: Value of deviceCustomString5 Device custom string 5.
deviceCustomString6 additional.fields{}.key: cs6Label, additional.fields{}.value.string_value: Value of deviceCustomString6 Device custom string 6.
deviceDirection network.direction The direction of the network traffic.
deviceEventClassId additional.fields{}.key: "eventId", additional.fields{}.value.string_value: Value of deviceEventClassId The device event class ID.
deviceFacility observer.product.subproduct The device facility.
deviceProcessName about.process.command_line The device process name.
deviceSeverity security_result.severity The device severity.
deviceTimeZone observer.zone The device time zone.
deviceVendor metadata.vendor_name The device vendor.
deviceVersion metadata.product_version The device version.
dpt target.port The destination port.
dst target.ip The destination IP address.
duser target.user.user_display_name The destination user.
eventId additional.fields{}.key: "eventId", additional.fields{}.value.string_value: Value of eventId Event ID.
event_time metadata.event_timestamp The time the event occurred, parsed from the message.
firewall_action security_result.action_details The firewall action taken.
host principal.hostname, intermediary.hostname The hostname of the device generating the log. Used for both principal and intermediary in different cases.
msg security_result.summary The message associated with the event, used as a summary for the security result.
name metadata.product_event_type The name of the event.
process_name additional.fields{}.key: "process_name", additional.fields{}.value.string_value: Value of process_name The name of the process.
p_id target.process.pid The process ID, converted to a string.
sha256 principal.process.file.sha256 The SHA256 hash of a file, extracted from the SSH2 key information.
shost principal.hostname Source hostname.
source_address principal.ip The source IP address.
source_port principal.port The source port, converted to an integer.
src principal.ip The source IP address.
src_ip principal.ip The source IP address.
src_port principal.port The source port, converted to an integer.
ssh2 security_result.detection_fields{}.key: "ssh2", security_result.detection_fields{}.value: Value of ssh2 SSH2 key information.
subtype metadata.product_event_type The subtype of the event.
task_summary security_result.description The task summary, used as the description for the security result.
timestamp metadata.event_timestamp The timestamp of the event.
user target.user.userid The user associated with the event.
username principal.user.userid The username associated with the event.
user_name principal.user.userid The username.
metadata.vendor_name Hardcoded to "Juniper Firewall". Hardcoded to "Juniper Firewall". Hardcoded to "JUNIPER_JUNOS". Determined by parser logic based on log content. Defaults to "STATUS_UPDATE" if not a CEF message and no other specific event type is identified. Set to "NETWORK_HTTP" for CEF messages. If no desc field is present, this field is populated with the message_description extracted from the raw log message.

Changes

2024-05-02

  • Enhancement-
  • Added Grok patterns to support new SYSLOG + KV format logs.

2023-10-25

  • Enhancement-
  • Added Grok patterns to parse unparsed logs.
  • Mapped "source_port" to "principal.port".
  • Mapped "source_address" to "principal.ip".
  • Mapped "user_name" to "target.user.userid".
  • Mapped "application_name" to "target.application".
  • Mapped "p_id" to "target.process.pid".
  • Added "invalid_pattern" check before KV mapping.
  • Added a Grok pattern to map "security_result.description" when "description_present" is false.

2023-08-17

  • Enhancement-
  • Added Grok pattern to parsed unparsed logs.
  • Mapped "msg" to "security_result.summary".
  • Mapped "src_ip" to "principal.ip".
  • Mapped "user" to "target.user.userid".
  • Mapped "username" to "principal.user.userid".
  • Mapped "command" to "target.process.command_line".
  • Mapped "src_port" to "principal.port".
  • Mapped "ssh2" to "security_result.detection_fields".
  • Mapped "sha256" to "principal.process.file.sha256".
  • Mapped "desc" to "sec_result.summary".
  • Mapped "mac-address" to "principal.mac".
  • Mapped "host" to "principal.hostname" if event_type is "STATUS_UPDATE".

2023-01-15

  • Enhancement-
  • Modified Grok pattern to support unparsed logs containing type "UI_CMDLINE_READ_LINE", "UI_COMMIT_PROGRESS", "UI_CHILD_START",
  • "UI_CFG_AUDIT_OTHER", "UI_LOGIN_EVENT", "UI_CHILD_STATUS", "UI_LOGOUT_EVENT", "UI_LOAD_EVENT",
  • "JTASK_IO_CONNECT_FAILED", "UI_AUTH_EVENT", "UI_NETCONF_CMD", "UI_COMMIT_NO_MASTER_PASSWORD", "UI_CFG_AUDIT_SET", "UI_JUNOSCRIPT_CMD",
  • "SNMPD_AUTH_FAILURE", "UI_CFG_AUDIT_NEW", "UI_COMMIT" , "LIBJNX_LOGIN_ACCOUNT_LOCKED", "UI_COMMIT_COMPLETED",
  • "PAM_USER_LOCK_LOGIN_REQUESTS_DENIED", "RTPERF_CPU_USAGE_OK", "RTPERF_CPU_THRESHOLD_EXCEEDED", "LIBJNX_LOGIN_ACCOUNT_UNLOCKED",
  • "JSRPD_SET_OTHER_INTF_MON_FAIL", "JSRPD_SET_SCHED_MON_FAILURE", "UI_CHILD_WAITPID", "UI_DBASE_LOGIN_EVENT".

2022-05-02

  • New default parser.