Collect Juniper NetScreen Firewall logs

This document explains how to set up Juniper NetScreen Firewall logs to be sent to Google Security Operations. The parser extracts fields using grok patterns, handling various syslog formats and JSON payloads. It then maps these extracted fields to the UDM, categorizing events as network connections, user logins, status updates, or generic events based on the presence of specific fields like IP addresses, usernames, and ports.

Before you begin

  • Ensure that you have administrative access to your Juniper NetScreen Firewall.
  • Ensure that you have a Google Security Operations instance.

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Windows installation

  1. Open the Command Prompt or PowerShell as an administrator.
  2. Run the following command:

    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
    

Linux installation

  1. Open a terminal with root or sudo privileges.
  2. Run the following command:

    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
    

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

  1. Access the configuration file:

    1. Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
    2. Open the file using a text editor (for example, nano, vi, or Notepad).
  2. Edit the config.yaml file as follows:

    receivers:
        tcplog:
            # Replace the port and IP address as required
            listen_address: "0.0.0.0:54525"

    exporters:
        chronicle/chronicle_w_labels:
            compression: gzip
            # Adjust the path to the credentials file you downloaded in Step 1
            creds: '/path/to/ingestion-authentication-file.json'
            # Replace with your actual customer ID from Step 2
            customer_id: <customer_id>
            endpoint: malachiteingestion-pa.googleapis.com
            # log_type selects the Google SecOps parser. Use JUNIPER_FIREWALL so the
            # logs are routed to the parser described in this document (its UDM
            # table shows metadata.log_type hardcoded to JUNIPER_FIREWALL).
            log_type: JUNIPER_FIREWALL
            # Send the original syslog line as the raw log
            raw_log_field: body
            # Optional: a namespace and ingestion labels for better organization.
            # log_type, raw_log_field and namespace are exporter settings at this
            # level; only custom labels go under ingestion_labels.
            namespace: juniper_firewall
            ingestion_labels:
                <label_key>: <label_value>

    service:
        pipelines:
            logs/source0__chronicle_w_labels-0:
                receivers:
                    - tcplog
                exporters:
                    - chronicle/chronicle_w_labels

    
  3. Replace the port and IP address as required in your infrastructure. The tcplog receiver accepts TCP only; if the firewall will send syslog over UDP (the ScreenOS default), declare a udplog receiver with the same listen_address and reference it in the pipeline instead of tcplog.

  4. Replace <customer_id> with the actual customer ID.

  5. Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section. The file is a credential for your Google SecOps tenant: make it readable only by the account the agent runs as (for example, chmod 600 on Linux).

Restart the Bindplane agent to apply the changes

  • To restart the Bindplane agent in Linux, run the following command:

    sudo systemctl restart bindplane-agent
    
  • To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

    net stop BindPlaneAgent && net start BindPlaneAgent
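
Before changing the firewall, it is worth confirming that the Bindplane listener accepts syslog and that events appear in Google SecOps. The following Python script is an added example, not part of this document and not Bindplane or Google code: it frames constructed ScreenOS-style messages as RFC 3164 syslog with facility Local0 (the facility selected on the NetScreen in the next section), sends them over TCP to the tcplog listener, and returns the byte count. The hostname ns5gt, the sample messages and the helper names are assumptions.

```python
import socket
from datetime import datetime

# RFC 3164 codes; "Local0", the facility selected on the NetScreen, is 16.
FACILITIES = {f"local{i}": 16 + i for i in range(8)}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed ScreenOS-style messages; they are not captured from a real device.
SAMPLE_EVENTS = [
    'ns5gt: NetScreen device_id=ns5gt [Root]system-notification-00257(traffic): '
    'start_time="2025-03-05 10:14:48" duration=12 policy_id=3 service=http proto=6 '
    'src zone=Trust dst zone=Untrust action=Permit sent=1024 rcvd=4096 '
    'src=10.1.1.25 dst=198.51.100.10 src_port=51234 dst_port=80 session_id=12345',
    'ns5gt: NetScreen device_id=ns5gt [Root]system-warning-00515: Admin user "netscreen" '
    'logged in for Web(http) management (port 80) from 10.1.1.8:40122',
]


def pri(facility="local0", severity="notice"):
    """PRI = facility * 8 + severity, the number inside the leading angle brackets."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def frame(message, hostname, facility="local0", severity="notice", when=None):
    """Build one newline-terminated RFC 3164 line. The tcplog receiver splits records
    on newline, so whitespace runs and embedded newlines in the message are collapsed."""
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # day is space-padded in RFC 3164
    body = " ".join(message.split())
    return f"<{pri(facility, severity)}>{stamp} {hostname} {body}\n".encode()


def decode_pri(line):
    """Recover (facility, severity) from a framed line, to check the framing."""
    value = int(line.split(b">", 1)[0][1:])
    return value >> 3, value & 7


def send(lines, host, port, timeout=5.0):
    """Push framed lines to the Bindplane tcplog listener; returns the byte count."""
    payload = b"".join(lines)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
    return len(payload)


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])  # e.g. 10.0.0.20 54525
    print(send([frame(e, "ns5gt") for e in SAMPLE_EVENTS], host, port), "bytes sent")
```

Run it as python3 send_test_syslog.py <bindplane-ip> 54525 from a host that can reach the collector, then search Google SecOps for the hostname ns5gt. A refused connection points at listen_address or a host firewall on the collector; events that arrive but parse as generic events point at the log_type setting in the exporter.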
    

Configure Juniper Networks NetScreen firewall

  1. Sign in to the Juniper NetScreen web interface.
  2. Select Configuration > Report settings > Log settings.
  3. Select all the Event severity checkboxes.
  4. Click Apply.
  5. Select Configuration > Report settings > Syslog.
  6. Select the Enable syslog messages checkbox.
  7. In the Source interface list, select the NetScreen interface from which the syslog packets need to be sent.
  8. In the Syslog servers section, select the Enable checkbox and provide the following:
    1. IP/Hostname: enter the Bindplane IP address.
    2. Port: enter the Bindplane port number (54525 in the example configuration).
    3. MDR facility: select Local0 facility level.
    4. Facility: select Local0 facility level.
    5. Transport: the tcplog receiver in the example configuration accepts TCP only. If your ScreenOS release offers a TCP option for the syslog server, select it; otherwise the firewall sends syslog over UDP and the Bindplane receiver must be udplog instead.
  9. Click Apply.

UDM Mapping Table

| Log Field | UDM Mapping | Logic |
| --- | --- | --- |
| ACTION | security_result.action_details | Directly mapped from the ACTION field extracted via GROK and KV filters. |
| APPLICATION | principal.application | Directly mapped from the APPLICATION field extracted via GROK and KV filters. |
| application | target.application | Directly mapped from the application field extracted via GROK. |
| attack-name | security_result.threat_name | Directly mapped from the attack-name field extracted via GROK. |
| bytes-from-client | network.sent_bytes | Directly mapped from the bytes-from-client field extracted via GROK. |
| bytes-from-server | network.received_bytes | Directly mapped from the bytes-from-server field extracted via GROK. |
| command | target.process.command_line | Directly mapped from the command field extracted via GROK. |
| destination-address | target.ip | Directly mapped from the destination-address field extracted via GROK. |
| destination-port | target.port | Directly mapped from the destination-port field extracted via GROK. |
| destination-zone | additional.fields[].value.string_value | Directly mapped from the destination-zone field extracted via GROK and KV filters. The key is set to destination-zone. |
| destination_zone-name | security_result.detection_fields[].value | Directly mapped from the destination_zone-name field extracted via GROK. The key is set to dstzone. |
| dst-nat-rule-name | security_result.detection_fields[].value | Directly mapped from the dst-nat-rule-name field extracted via GROK. The key is set to dst-nat-rule-name. |
| dst-nat-rule-type | security_result.detection_fields[].value | Directly mapped from the dst-nat-rule-type field extracted via GROK. The key is set to dst-nat-rule-type. |
| elapsed-time | network.session_duration.seconds | Directly mapped from the elapsed-time field extracted via GROK. |
| encrypted | security_result.detection_fields[].value | Directly mapped from the encrypted field extracted via GROK. The key is set to encrypted. |
| event_time | metadata.event_timestamp | The timestamp is extracted from the raw log using various GROK patterns, prioritizing event_time, then TIMESTAMP_ISO8601, and finally SYSLOGTIMESTAMP. It is then converted to a timestamp object. |
| host | principal.hostname, intermediary.hostname | If type is NetScreen, mapped to intermediary.hostname. Otherwise, mapped to principal.hostname. |
| host_ip | intermediary.ip | Directly mapped from the host_ip field extracted via GROK. |
| icmp-type | network.icmp_type | Directly mapped from the icmp-type field extracted via GROK. |
| ident | target.application | Directly mapped from the ident field extracted via GROK and JSON filters. |
| inbound-bytes | network.received_bytes | Directly mapped from the inbound-bytes field extracted via GROK. |
| inbound-packets | network.received_packets | Directly mapped from the inbound-packets field extracted via GROK. |
| ip | principal.ip, intermediary.ip | If type is NetScreen, mapped to intermediary.ip. Otherwise, mapped to principal.ip. |
| message | security_result.description | If the message is JSON and the log_message_data field is not present, the message field is used as the description. |
| msg_data | security_result.summary | Directly mapped from the msg_data field extracted via GROK. |
| nat-destination-address | target.nat_ip | Directly mapped from the nat-destination-address field extracted via GROK. |
| nat-destination-port | target.nat_port | Directly mapped from the nat-destination-port field extracted via GROK. |
| nat-source-address | principal.nat_ip | Directly mapped from the nat-source-address field extracted via GROK. |
| nat-source-port | principal.nat_port | Directly mapped from the nat-source-port field extracted via GROK. |
| outbound-bytes | network.sent_bytes | Directly mapped from the outbound-bytes field extracted via GROK. |
| outbound-packets | network.sent_packets | Directly mapped from the outbound-packets field extracted via GROK. |
| packets-from-client | network.sent_packets | Directly mapped from the packets-from-client field extracted via GROK. |
| packets-from-server | network.received_packets | Directly mapped from the packets-from-server field extracted via GROK. |
| packet-incoming-interface | security_result.detection_fields[].value | Directly mapped from the packet-incoming-interface field extracted via GROK. The key is set to packet-incoming-interface. |
| pid | target.process.pid | Directly mapped from the pid field extracted via GROK and JSON filters. |
| policy-name | security_result.rule_name | Directly mapped from the policy-name field extracted via GROK. |
| PROFILE | additional.fields[].value.string_value | Directly mapped from the PROFILE field extracted via GROK and KV filters. The key is set to PROFILE. |
| protocol-id, protocol-name | network.ip_protocol | Mapped from the protocol-id or protocol-name field extracted via GROK. The value is converted to the corresponding IP protocol enum. |
| REASON | additional.fields[].value.string_value | Directly mapped from the REASON field extracted via GROK and KV filters. The key is set to REASON. |
| reason | security_result.description | Directly mapped from the reason field extracted via GROK. |
| rule-name | security_result.rule_name | Directly mapped from the rule-name field extracted via GROK. |
| SESSION_ID | network.session_id | Directly mapped from the SESSION_ID field extracted via GROK and KV filters. |
| service-name | security_result.detection_fields[].value | Directly mapped from the service-name field extracted via GROK. The key is set to srvname. |
| source-address | principal.ip | Directly mapped from the source-address field extracted via GROK. |
| source-port | principal.port | Directly mapped from the source-port field extracted via GROK. |
| source-zone | additional.fields[].value.string_value | Directly mapped from the source-zone field extracted via GROK and KV filters. The key is set to source-zone. |
| source_zone-name | security_result.detection_fields[].value | Directly mapped from the source_zone-name field extracted via GROK. The key is set to srczone. |
| src-nat-rule-name | security_result.detection_fields[].value | Directly mapped from the src-nat-rule-name field extracted via GROK. The key is set to src-nat-rule-name. |
| src-nat-rule-type | security_result.detection_fields[].value | Directly mapped from the src-nat-rule-type field extracted via GROK. The key is set to src-nat-rule-type. |
| subtype | metadata.product_event_type | Directly mapped from the subtype field extracted via GROK. |
| threat-severity | security_result.severity_details | Directly mapped from the threat-severity field extracted via GROK. |
| time | metadata.event_timestamp | Directly mapped from the time field extracted via GROK and JSON filters. Converted to timestamp object. |
| username | target.user.userid | Directly mapped from the username field extracted via GROK. |
| (none) | metadata.log_type | Hardcoded to JUNIPER_FIREWALL. |
| (none) | metadata.product_name | Hardcoded to JUNIPER_FIREWALL or NetScreen based on the type field. |
| (none) | metadata.vendor_name | Hardcoded to JUNIPER_FIREWALL. |
| (none) | security_result.action | Set to ALLOW or BLOCK based on logic in the parser. |
| (none) | security_result.severity | Set to LOW, MEDIUM, HIGH, INFORMATIONAL, or CRITICAL based on the subtype and severity_details fields. |
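To make the table concrete, the following Python script is an added example and not the Google SecOps parser itself (the parser is grok/KV configuration that this document does not reproduce). It runs the two stages the overview describes on two constructed Junos RT_FLOW lines in structured-syslog form: a grok-like split of the header and the key="value" body, then a mapping pass that applies a subset of the rows above, the case-insensitive drop-to-BLOCK rule and the RT_FLOW_SESSION_DENY rule from the change log, and classifies the event by which fields are present. The sample lines, the regular expressions, the function names and the simplified classification (the status-update branch is omitted) are assumptions; the real parser's internal logic may differ in detail.

```python
import re

# Constructed Junos RT_FLOW lines in structured-syslog form (not captured device
# output); the field names follow the UDM mapping table above.
SAMPLE_CLOSE = (
    '<14>1 2025-03-05T10:15:42.000Z srx300 RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.1.1.25" '
    'source-port="51234" destination-address="198.51.100.10" destination-port="443" '
    'service-name="junos-https" nat-source-address="203.0.113.7" nat-source-port="20001" '
    'nat-destination-address="198.51.100.10" nat-destination-port="443" protocol-id="6" '
    'policy-name="allow-web" source-zone-name="trust" destination-zone-name="untrust" '
    'session-id-32="41223" packets-from-client="18" bytes-from-client="2210" '
    'packets-from-server="15" bytes-from-server="9876" elapsed-time="37" '
    'application="HTTPS" packet-incoming-interface="ge-0/0/1.0" encrypted="UNKNOWN"]'
)
SAMPLE_DENY = (
    '<14>1 2025-03-05T10:16:03.000Z srx300 RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@2636.1.1.1.2.129 source-address="10.1.1.99" source-port="3355" '
    'destination-address="192.0.2.5" destination-port="23" service-name="junos-telnet" '
    'protocol-id="6" policy-name="deny-all" source-zone-name="trust" '
    'destination-zone-name="untrust" application="UNKNOWN" '
    'packet-incoming-interface="ge-0/0/1.0" encrypted="No" reason="policy deny"]'
)

HEADER_RE = re.compile(r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) \S+ '
                       r'(?P<subtype>\S+) \[(?P<sd>.*)\]\s*$')
KV_RE = re.compile(r'([\w.-]+)="([^"]*)"')  # the KV filter: key="value" pairs

# Table rows that copy a value straight into a UDM path.
FIELD_MAP = {
    "source-address": "principal.ip", "source-port": "principal.port",
    "destination-address": "target.ip", "destination-port": "target.port",
    "nat-source-address": "principal.nat_ip", "nat-source-port": "principal.nat_port",
    "nat-destination-address": "target.nat_ip", "nat-destination-port": "target.nat_port",
    "policy-name": "security_result.rule_name", "application": "target.application",
    "bytes-from-client": "network.sent_bytes", "bytes-from-server": "network.received_bytes",
    "packets-from-client": "network.sent_packets", "packets-from-server": "network.received_packets",
    "elapsed-time": "network.session_duration.seconds", "session-id-32": "network.session_id",
    "username": "target.user.userid",
}
INT_FIELDS = {"source-port", "destination-port", "nat-source-port", "nat-destination-port",
              "bytes-from-client", "bytes-from-server", "packets-from-client",
              "packets-from-server", "elapsed-time"}
# Rows that land in security_result.detection_fields under a renamed key.
DETECTION_KEYS = {"service-name": "srvname", "source-zone-name": "srczone",
                  "destination-zone-name": "dstzone", "encrypted": "encrypted",
                  "packet-incoming-interface": "packet-incoming-interface"}
IP_PROTOCOLS = {"1": "ICMP", "6": "TCP", "17": "UDP", "47": "GRE", "50": "ESP"}


def parse_rt_flow(line):
    m = HEADER_RE.match(line)  # grok stage: header fields plus the key="value" body
    if not m:
        raise ValueError("not a Junos structured-syslog RT_FLOW line")
    fields = dict(KV_RE.findall(m.group("sd")))
    fields.update(host=m.group("host"), subtype=m.group("subtype"), event_time=m.group("ts"))
    return fields


def _set(udm, path, value):
    *parents, leaf = path.split(".")  # assign at a dotted UDM path, creating parents
    node = udm
    for p in parents:
        node = node.setdefault(p, {})
    node[leaf] = value


def to_udm(fields):
    """Mapping stage: table rows, the drop/deny action rule and event classification."""
    udm = {"metadata": {"log_type": "JUNIPER_FIREWALL", "vendor_name": "JUNIPER_FIREWALL",
                        "product_name": "JUNIPER_FIREWALL", "event_timestamp": fields["event_time"],
                        "product_event_type": fields["subtype"]},
           "principal": {"hostname": fields["host"]}, "security_result": {}}
    for key, path in FIELD_MAP.items():
        if fields.get(key):
            _set(udm, path, int(fields[key]) if key in INT_FIELDS else fields[key])
    sr = udm["security_result"]
    sr["detection_fields"] = [{"key": label, "value": fields[key]}
                              for key, label in DETECTION_KEYS.items() if key in fields]
    proto = fields.get("protocol-id") or fields.get("protocol-name")
    if proto:
        _set(udm, "network.ip_protocol", IP_PROTOCOLS.get(proto, proto.upper()))
    # drop (any case) or an RT_FLOW_SESSION_DENY* subtype is BLOCK; any other explicit action is ALLOW
    action = fields.get("action", "")
    if action.lower() == "drop" or fields["subtype"].startswith("RT_FLOW_SESSION_DENY"):
        sr["action"] = ["BLOCK"]
    elif action:
        sr["action"] = ["ALLOW"]
    if "reason" in fields:
        sr["description"] = fields["reason"]
    # classify by field presence, as the overview describes (status-update branch omitted)
    target = udm.get("target", {})
    if "ip" in udm["principal"] and "ip" in target:
        udm["metadata"]["event_type"] = "NETWORK_CONNECTION"
    elif "user" in target:
        udm["metadata"]["event_type"] = "USER_LOGIN"
    else:
        udm["metadata"]["event_type"] = "GENERIC_EVENT"
    return udm
```

Feeding a DENY line through produces security_result.action BLOCK even though the line carries no action field, which is the change-log behaviour; a CLOSE line with action="DROP" is also BLOCK because the comparison is case-insensitive. Numeric fields such as ports and byte counts are cast to integers, so a UDM search on target.port can use numeric comparison.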

Changes

2025-02-20

Enhancement:

  • Modified the mapping of target.user.userid to additional.fields when user_value starts with RT_FLOW.

2025-02-06

Enhancement:

  • If user_value is UI_LOGIN_EVENT, map it to additional.fields.

2025-01-15

Enhancement:

  • If user_name has RT_FLOW_SESSION_DENY, map it to security_result.action as BLOCK, otherwise change the mapping of user_name from target.user.userid to security_result.summary.
  • Mapped sec_desc to security_result.description.

2024-10-31

Enhancement:

  • Added a new Grok pattern to parse unparsed logs.
  • Mapped processid to target.process.id
  • Mapped TSr and TSi to additional.fields.
  • Added gsub function to map Remote-IP to target.ip.
  • Added gsub function to map TSi and Local_IKE_ID to additional.fields.
  • Added KV filter to kv_data1 to parse unparsed fields.

2024-10-30

Enhancement:

  • Added a new Grok pattern to parse new log pattern.
  • Mapped fw to intermediary.ip.
  • Mapped msg1 to security_result.summary.
  • Mapped desc to metadata.description.

2024-10-24

Enhancement:

  • Added a new Grok pattern to parse logs in the new SYSLOG+KV format.
  • Mapped local_ip to principal.ip and principal.asset.ip.
  • Mapped remote_ip to target.ip and target.asset.ip.

2024-10-11

Enhancement:

  • Mapped hostn to principal.hostname.
  • Mapped app to principal.application.
  • Mapped pid to principal.process.pid.
  • Mapped event_title to metadata.product_event_type.
  • Mapped event_message to metadata.description.
  • Mapped Local-ip to principal.ip and principal.asset.ip.
  • Mapped Gateway_Name, vpn, tunnel_id, tunnel_if, Local_IKE_ID, Remote_IKE_ID, AAA_username, VR_id, Traffic_selector, Traffic_selector_Remote_ID, Traffic_selector_local_ID, SA_Type, Reason, threshold, time-period, and error-message_data to observer.resource.attribute.labels.
  • Mapped target_ip to target.ip and target.asset.ip.
  • Mapped data to target.ip and target.asset.ip.

2024-06-28

Enhancement:

  • Modified the Grok patterns to parse unparsed logs.
  • Added Grok patterns over the field msg_data to extract the fields user_id, principal_host, file_path, pid_2, and server_ip.
  • Mapped principal_host to principal.hostname.
  • Mapped user_id to target.user.userid.
  • Mapped file_path to target.file.full_path.
  • Mapped pid_2 to target.process.pid.
  • Mapped server_ip to target.ip.
  • Mapped event_time to metadata.event_timestamp correctly by removing rebase if year is present.

2024-01-22

Bug fix:

  • Added new Grok patterns to parse message field with key-value data.
  • Mapped ACTION to security_result.action_details.
  • Mapped SESSION_ID to network.session_id.
  • Mapped APPLICATION to principal.application.
  • Mapped pingCtlOwnerIndex, pingCtlTestName, usp_lsys_max_num_rpd, usp_lsys_max_num, urlcategory_risk, application_sub_category, source-zone, destination-zone, NESTED-APPLICATION, CATEGORY, REASON, PROFILE, source_rule, retrans_timer and arp_unicast_mode to additional.fields.
  • Mapped time to metadata.event_timestamp.

2023-12-31

Bug fix:

  • Added support for a new pattern of JSON logs.
  • Mapped time to metadata.event_timestamp.
  • Mapped host to principal.hostname.
  • Mapped ident to target.application.
  • Mapped pid to target.process.pid.
  • Added Grok patterns to parse message field.

2023-12-15

Enhancement:

  • Mapped internal-protocol to network.ip_protocol.
  • Mapped state to security_result.detection_fields.
  • Mapped internal-ip to principal.ip.
  • Mapped reflexive-ip to target.ip.
  • Mapped internal-port to principal.port.
  • Mapped reflexive-port to target.port.
  • Mapped local-address to principal.ip.
  • Mapped remote-address to target.ip.
  • Added KV filter with source as task_summary.
  • Mapped dns-server-address to principal.ip.
  • Mapped domain-name to principal.administrative_domain.
  • Mapped argument1 to network.direction.
  • Mapped state to security_result.detection_fields.
  • Mapped test-owner to additional.fields.
  • Mapped local-initiator to additional.fields.
  • Mapped test-name to additional.fields.
  • Mapped SPI to additional.fields.
  • Mapped AUX-SPI to additional.fields.
  • Mapped Type to additional.fields.
  • Mapped error-message to security_result.summary.

2023-11-02

Enhancement:

  • Added a new Grok pattern to parse logs of new SYSLOG+KV format.

2023-08-24

Enhancement:

  • Added gsub function to remove special characters.

2023-08-02

Enhancement:

  • Modified Grok pattern to support new log formats for NetScreen type.
  • Added support for type RT_FLOW_SESSION_CREATE_LS, RT_FLOW_SESSION_CLOSE_LS and RT_FLOW_SESSION_DENY_LS.
  • Mapped sent to network.sent_bytes.
  • Mapped rcvd to network.received_bytes.

2023-05-05

Enhancement:

  • Mapped rule-name to security_result.rule_id.
  • Mapped rulebase-name to security_result.detection_fields.
  • Mapped export-id to security_result.detection_fields.
  • Mapped repeat-count to security_result.detection_fields.
  • Mapped packet-log-id to security_result.detection_fields.
  • Mapped alert to is_alert when the value is yes.
  • Mapped outbound-packets to network.sent_packets.
  • Mapped inbound-packets to network.received_packets.
  • Mapped outbound-bytes to network.sent_bytes.
  • Mapped inbound-bytes to network.received_bytes.

2023-03-08

Enhancement:

  • Mapped application to target.application.
  • Mapped reason to security_result.description.
  • Mapped application-characteristics to security_result.summary.
  • Mapped application-risk to security_result.severity_details.
  • Mapped application-category to security_result.detection_fields.
  • Mapped application-sub-category to security_result.detection_fields.
  • Mapped dst-nat-rule-name to security_result.detection_fields.
  • Mapped dst-nat-rule-type to security_result.detection_fields.
  • Mapped src-nat-rule-name to security_result.detection_fields.
  • Mapped src-nat-rule-type to security_result.detection_fields.
  • Mapped encrypted to security_result.detection_fields.
  • Mapped nested-application to security_result.detection_fields.
  • Mapped packet-incoming-interface to security_result.detection_fields.
  • Mapped session-id-32 to network.session_id.
  • Mapped packets-from-client to network.sent_packets.
  • Mapped packets-from-server to network.received_packets.
  • Mapped bytes-from-client to network.sent_bytes.
  • Mapped bytes-from-server to network.received_bytes.
  • Mapped elapsed-time to network.session_duration.seconds.
  • Mapped nat-destination-address to target.nat_ip.
  • Mapped nat-destination-port to target.nat_port.
  • Mapped source-destination-address to principal.nat_ip.
  • Mapped source-destination-port to principal.nat_port.

2023-01-18

Bug fix:

  • Made the condition case insensitive to map BLOCK to security_result.action, when action is drop/DROP.
  • Mapped msg_data to security_result.description when no_app_name is false.
  • Mapped threat-severity to security_result.severity.
  • Mapped the field message to metadata.description.
  • Mapped app_name to target.application.
  • Mapped pid to target.process.pid.
  • Mapped desc to metadata.description.
  • Mapped username to principal.user.userid.
  • Mapped command to target.process.command_line.
  • Mapped action to security_result.action_details.
  • Mapped sec_description to security_result.description.
  • Mapped application-name to network.application_protocol.

2023-01-15

Enhancement:

  • Modified Grok pattern to support unparsed logs containing type UI_CMDLINE_READ_LINE, UI_COMMIT_PROGRESS, UI_CHILD_START, UI_CFG_AUDIT_OTHER, UI_LOGIN_EVENT, UI_CHILD_STATUS, UI_LOGOUT_EVENT, UI_LOAD_EVENT, JTASK_IO_CONNECT_FAILED, UI_AUTH_EVENT, UI_NETCONF_CMD, UI_COMMIT_NO_MASTER_PASSWORD, UI_CFG_AUDIT_SET, UI_JUNOSCRIPT_CMD, SNMPD_AUTH_FAILURE, UI_CFG_AUDIT_NEW, UI_COMMIT, LIBJNX_LOGIN_ACCOUNT_LOCKED, UI_COMMIT_COMPLETED, PAM_USER_LOCK_LOGIN_REQUESTS_DENIED, RTPERF_CPU_USAGE_OK, RTPERF_CPU_THRESHOLD_EXCEEDED, LIBJNX_LOGIN_ACCOUNT_UNLOCKED, JSRPD_SET_OTHER_INTF_MON_FAIL, JSRPD_SET_SCHED_MON_FAILURE, UI_CHILD_WAITPID, UI_DBASE_LOGIN_EVENT.

2022-11-07

Enhancement:

  • Mapped subtype to metadata.product_event_type.
  • Mapped attack-name to security_result.threat_name.
  • Mapped policy-name to security_result.rule_name.
  • Mapped action to security_result.action, where value drop is mapped to BLOCK others to ALLOW.
  • Mapped source-interface-name to security_result.detection_fields.
  • Mapped destination-interface-name to security_result.detection_fields.
  • Mapped source-zone-name to security_result.detection_fields.
  • Mapped destination-zone-name to security_result.detection_fields.
  • Mapped service-name to security_result.detection_fields.
  • Mapped application-name to security_result.detection_fields.
  • Mapped metadata.product_name.
  • Mapped metadata.vendor_name.

2022-10-04

Enhancement:

  • Mapped attack-name to security_result.rule_name.
  • Converted SDM mappings to the following UDM fields:
  • Mapped source-address to principal.ip.
  • Mapped destination-address to target.ip.
  • Mapped source-port to principal.port.
  • Mapped host to principal.hostname.
  • Mapped bytes-from-server to network.received_bytes.
  • Mapped policy-name to security_result.rule_name.
  • Mapped protocol-id to network.ip_protocol.
