Collect Juniper NetScreen Firewall logs
This document explains how to set up Juniper NetScreen Firewall logs to be sent to Google Security Operations. The parser extracts fields using grok patterns, handling various syslog formats and JSON payloads. It then maps these extracted fields to the UDM, categorizing events as network connections, user logins, status updates, or generic events based on the presence of specific fields like IP addresses, usernames, and ports.
Before you begin
- Ensure that you have administrative access to your Juniper NetScreen Firewall.
- Ensure that you have a Google Security Operations instance.
Get Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
- Copy and save the Customer ID from the Organization Details section.
Install the Bindplane agent
Windows installation
- Open the Command Prompt or PowerShell as an administrator.
- Run the following command:
```shell
msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
```
Linux installation
- Open a terminal with root or sudo privileges.
- Run the following command:
```shell
sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
```
Additional installation resources
- For additional installation options, consult this installation guide.
Configure the Bindplane agent to ingest Syslog and send to Google SecOps
Access the configuration file:
- Locate the `config.yaml` file. Typically, it's in the `/etc/bindplane-agent/` directory on Linux or in the installation directory on Windows.
- Open the file using a text editor (for example, `nano`, `vi`, or Notepad).
Edit the `config.yaml` file as follows:
```yaml
receivers:
  tcplog:
    # Replace the port and IP address as required
    listen_address: "0.0.0.0:54525"

exporters:
  chronicle/chronicle_w_labels:
    compression: gzip
    # Adjust the path to the credentials file you downloaded in Step 1
    creds: '/path/to/ingestion-authentication-file.json'
    # Replace with your actual customer ID from Step 2
    customer_id: <customer_id>
    endpoint: malachiteingestion-pa.googleapis.com
    # Add optional ingestion labels for better organization
    ingestion_labels:
      log_type: SYSLOG
      namespace: juniper_firewall
    raw_log_field: body

service:
  pipelines:
    logs/source0__chronicle_w_labels-0:
      receivers:
        - tcplog
      exporters:
        - chronicle/chronicle_w_labels
```
- Replace the port and IP address as required in your infrastructure. The sample `listen_address` of `0.0.0.0:54525` accepts connections on every interface of the collector host, so bind it to the interface facing the firewall or restrict the port with a host firewall rule to the NetScreen source address.
- Replace `<customer_id>` with the actual customer ID.
- Update `/path/to/ingestion-authentication-file.json` to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.
Restart the Bindplane agent to apply the changes
To restart the Bindplane agent in Linux, run the following command:
```shell
sudo systemctl restart bindplane-agent
```
To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:
```shell
net stop BindPlaneAgent && net start BindPlaneAgent
```
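Before pointing the firewall at the collector, it is worth confirming that the `tcplog` listener above accepts a NetScreen-style line. The following check is an added example, not Bindplane or Google SecOps tooling; the device name `ns-fw01`, the sample message and the collector address are assumptions, and the PRI value uses the Local0 facility the NetScreen steps below select.

```python
"""Send a constructed NetScreen-style syslog line to the Bindplane tcplog
listener from the config above. Added example, not Bindplane or Google SecOps
code; the device name, message and the 54525 default port are assumptions."""
import socket

LOCAL0 = 16      # facility selected on the NetScreen syslog server entry
SEV_INFO = 6     # syslog severity "informational"

def syslog_pri(facility: int, severity: int) -> int:
    """PRI value as defined by RFC 3164/5424: facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity

def build_test_line(hostname: str, msg: str,
                    facility: int = LOCAL0, severity: int = SEV_INFO) -> bytes:
    """BSD-style syslog line. tcplog splits incoming data on newlines, so the
    trailing newline is what makes this arrive as one log record."""
    pri = syslog_pri(facility, severity)
    return f"<{pri}>May  1 12:00:00 {hostname} {msg}\n".encode()

def send_test_line(host: str, port: int, line: bytes, timeout: float = 5.0) -> int:
    """Open a TCP connection to the listener and send the line; returns bytes sent.
    A refused connection means the agent is not running or the port is filtered."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(line)
    return len(line)

# Constructed NetScreen traffic-log message in the device's native format.
SAMPLE_MSG = ('ns-fw01: NetScreen device_id=ns-fw01 [Root]system-notification-00257'
              '(traffic): start_time="2024-05-01 12:00:00" duration=3 policy_id=7 '
              'service=https proto=6 src zone=Trust dst zone=Untrust action=Deny '
              'sent=0 rcvd=0 src=10.1.1.5 dst=203.0.113.9 src_port=51234 dst_port=443')

if __name__ == "__main__":
    # Replace with the Bindplane host and the port from listen_address.
    sent = send_test_line("127.0.0.1", 54525, build_test_line("ns-fw01", SAMPLE_MSG))
    print(f"sent {sent} bytes; the record should appear in the Google SecOps raw log search")
```

If the line arrives in raw log search under the `juniper_firewall` namespace, the collector side is working and any later gap lies between the firewall and the collector.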
Configure Juniper Networks NetScreen firewall
- Sign in to the Juniper NetScreen web interface.
- Select Configuration > Report settings > Log settings.
- Select all the Event severity checkboxes.
- Click Apply.
- Select Configuration > Report settings > Syslog.
- Select the Enable syslog messages checkbox.
- In the Source interface list, select the NetScreen interface from which the syslog packets need to be sent.
- In the Syslog servers section, select the Enable checkbox and provide the following:
  - IP/Hostname: enter the Bindplane IP address.
  - Port: enter the Bindplane port number.
  - MDR facility: select Local0 facility level.
  - Facility: select Local0 facility level.
- Click Apply.
Note: the `tcplog` receiver in the Bindplane configuration accepts syslog over TCP only. If the NetScreen device is set to send syslog over UDP, select TCP as the transport on the device or add a `udplog` receiver to the Bindplane pipeline.
UDM Mapping Table
Log Field | UDM Mapping | Logic |
---|---|---|
ACTION | security_result.action_details | Directly mapped from the ACTION field extracted via GROK and KV filters. |
APPLICATION | principal.application | Directly mapped from the APPLICATION field extracted via GROK and KV filters. |
application | target.application | Directly mapped from the application field extracted via GROK. |
attack-name | security_result.threat_name | Directly mapped from the attack-name field extracted via GROK. |
bytes-from-client | network.sent_bytes | Directly mapped from the bytes-from-client field extracted via GROK. |
bytes-from-server | network.received_bytes | Directly mapped from the bytes-from-server field extracted via GROK. |
command | target.process.command_line | Directly mapped from the command field extracted via GROK. |
destination-address | target.ip | Directly mapped from the destination-address field extracted via GROK. |
destination-port | target.port | Directly mapped from the destination-port field extracted via GROK. |
destination-zone | additional.fields[].value.string_value | Directly mapped from the destination-zone field extracted via GROK and KV filters. The key is set to destination-zone. |
destination_zone-name | security_result.detection_fields[].value | Directly mapped from the destination_zone-name field extracted via GROK. The key is set to dstzone. |
dst-nat-rule-name | security_result.detection_fields[].value | Directly mapped from the dst-nat-rule-name field extracted via GROK. The key is set to dst-nat-rule-name. |
dst-nat-rule-type | security_result.detection_fields[].value | Directly mapped from the dst-nat-rule-type field extracted via GROK. The key is set to dst-nat-rule-type. |
elapsed-time | network.session_duration.seconds | Directly mapped from the elapsed-time field extracted via GROK. |
encrypted | security_result.detection_fields[].value | Directly mapped from the encrypted field extracted via GROK. The key is set to encrypted. |
event_time | metadata.event_timestamp | The timestamp is extracted from the raw log using various GROK patterns, prioritizing event_time, then TIMESTAMP_ISO8601, and finally SYSLOGTIMESTAMP. It is then converted to a timestamp object. |
host | principal.hostname, intermediary.hostname | If type is NetScreen, mapped to intermediary.hostname. Otherwise, mapped to principal.hostname. |
host_ip | intermediary.ip | Directly mapped from the host_ip field extracted via GROK. |
icmp-type | network.icmp_type | Directly mapped from the icmp-type field extracted via GROK. |
ident | target.application | Directly mapped from the ident field extracted via GROK and JSON filters. |
inbound-bytes | network.received_bytes | Directly mapped from the inbound-bytes field extracted via GROK. |
inbound-packets | network.received_packets | Directly mapped from the inbound-packets field extracted via GROK. |
ip | principal.ip, intermediary.ip | If type is NetScreen, mapped to intermediary.ip. Otherwise, mapped to principal.ip. |
message | security_result.description | If the message is JSON and the log_message_data field is not present, the message field is used as the description. |
msg_data | security_result.summary | Directly mapped from the msg_data field extracted via GROK. |
nat-destination-address | target.nat_ip | Directly mapped from the nat-destination-address field extracted via GROK. |
nat-destination-port | target.nat_port | Directly mapped from the nat-destination-port field extracted via GROK. |
nat-source-address | principal.nat_ip | Directly mapped from the nat-source-address field extracted via GROK. |
nat-source-port | principal.nat_port | Directly mapped from the nat-source-port field extracted via GROK. |
outbound-bytes | network.sent_bytes | Directly mapped from the outbound-bytes field extracted via GROK. |
outbound-packets | network.sent_packets | Directly mapped from the outbound-packets field extracted via GROK. |
packets-from-client | network.sent_packets | Directly mapped from the packets-from-client field extracted via GROK. |
packets-from-server | network.received_packets | Directly mapped from the packets-from-server field extracted via GROK. |
packet-incoming-interface | security_result.detection_fields[].value | Directly mapped from the packet-incoming-interface field extracted via GROK. The key is set to packet-incoming-interface. |
pid | target.process.pid | Directly mapped from the pid field extracted via GROK and JSON filters. |
policy-name | security_result.rule_name | Directly mapped from the policy-name field extracted via GROK. |
PROFILE | additional.fields[].value.string_value | Directly mapped from the PROFILE field extracted via GROK and KV filters. The key is set to PROFILE. |
protocol-id, protocol-name | network.ip_protocol | Mapped from the protocol-id or protocol-name field extracted via GROK. The value is converted to the corresponding IP protocol enum. |
REASON | additional.fields[].value.string_value | Directly mapped from the REASON field extracted via GROK and KV filters. The key is set to REASON. |
reason | security_result.description | Directly mapped from the reason field extracted via GROK. |
rule-name | security_result.rule_name | Directly mapped from the rule-name field extracted via GROK. |
SESSION_ID | network.session_id | Directly mapped from the SESSION_ID field extracted via GROK and KV filters. |
service-name | security_result.detection_fields[].value | Directly mapped from the service-name field extracted via GROK. The key is set to srvname. |
source-address | principal.ip | Directly mapped from the source-address field extracted via GROK. |
source-port | principal.port | Directly mapped from the source-port field extracted via GROK. |
source-zone | additional.fields[].value.string_value | Directly mapped from the source-zone field extracted via GROK and KV filters. The key is set to source-zone. |
source_zone-name | security_result.detection_fields[].value | Directly mapped from the source_zone-name field extracted via GROK. The key is set to srczone. |
src-nat-rule-name | security_result.detection_fields[].value | Directly mapped from the src-nat-rule-name field extracted via GROK. The key is set to src-nat-rule-name. |
src-nat-rule-type | security_result.detection_fields[].value | Directly mapped from the src-nat-rule-type field extracted via GROK. The key is set to src-nat-rule-type. |
subtype | metadata.product_event_type | Directly mapped from the subtype field extracted via GROK. |
threat-severity | security_result.severity_details | Directly mapped from the threat-severity field extracted via GROK. |
time | metadata.event_timestamp | Directly mapped from the time field extracted via GROK and JSON filters. Converted to timestamp object. |
username | target.user.userid | Directly mapped from the username field extracted via GROK. |
 | metadata.log_type | Hardcoded to JUNIPER_FIREWALL. |
 | metadata.product_name | Hardcoded to JUNIPER_FIREWALL or NetScreen based on the type field. |
 | metadata.vendor_name | Hardcoded to JUNIPER_FIREWALL. |
 | security_result.action | Set to ALLOW or BLOCK based on logic in the parser. |
 | security_result.severity | Set to LOW, MEDIUM, HIGH, INFORMATIONAL, or CRITICAL based on the subtype and severity_details fields. |
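To make the table concrete, the following added example (an illustration of the mapping rules, not the Google SecOps parser itself) walks a constructed Junos RT_FLOW structured-syslog line through the direct mappings, the protocol-id enum conversion, the renamed detection_fields keys and the drop/BLOCK action rule described in the changelog. The firewall name `fw01` and the event values are assumptions.

```python
"""Apply the UDM mapping table above to a Junos RT_FLOW structured-syslog
line. Added illustration of the table's rules, not the Google SecOps parser;
the sample line is constructed and the firewall name is an assumption."""
import re
from typing import Any

# Log field -> UDM path, straight from the table.
DIRECT = {
    "source-address": "principal.ip", "source-port": "principal.port",
    "destination-address": "target.ip", "destination-port": "target.port",
    "policy-name": "security_result.rule_name",
    "bytes-from-client": "network.sent_bytes", "bytes-from-server": "network.received_bytes",
    "packets-from-client": "network.sent_packets", "packets-from-server": "network.received_packets",
    "elapsed-time": "network.session_duration.seconds",
}
INT_FIELDS = {"source-port", "destination-port", "bytes-from-client", "bytes-from-server",
              "packets-from-client", "packets-from-server", "elapsed-time"}
# Fields stored in security_result.detection_fields under the key the table gives.
DETECTION_KEYS = {"service-name": "srvname", "source-zone-name": "srczone",
                  "destination-zone-name": "dstzone", "encrypted": "encrypted"}
IP_PROTOCOL = {"1": "ICMP", "6": "TCP", "17": "UDP"}
# RFC 5424 header: <PRI>VERSION TIMESTAMP HOST RT_FLOW PROCID MSGID [junos@... k="v" ...]
HEADER_RE = re.compile(r"^(?:<\d+>\d* )?(\S+) (\S+) RT_FLOW \S+ (RT_FLOW_\w+) \[")
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')

def to_udm(line: str) -> dict[str, Any]:
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RT_FLOW structured-syslog line")
    timestamp, host, subtype = m.groups()
    kv = dict(KV_RE.findall(line))
    udm: dict[str, Any] = {
        "metadata.log_type": "JUNIPER_FIREWALL",
        "metadata.event_timestamp": timestamp,
        "metadata.product_event_type": subtype,   # subtype row
        "principal.hostname": host,               # host row, non-NetScreen type
        "security_result.detection_fields": [],
    }
    for field, path in DIRECT.items():
        if field in kv:
            udm[path] = int(kv[field]) if field in INT_FIELDS else kv[field]
    if "protocol-id" in kv:   # numeric protocol -> IP protocol enum
        udm["network.ip_protocol"] = IP_PROTOCOL.get(kv["protocol-id"], "UNKNOWN_IP_PROTOCOL")
    for field, key in DETECTION_KEYS.items():
        if field in kv:
            udm["security_result.detection_fields"].append({"key": key, "value": kv[field]})
    # action "drop" (case-insensitive) -> BLOCK, anything else -> ALLOW; a
    # RT_FLOW_SESSION_DENY event without an explicit action is still a BLOCK.
    if "action" in kv:
        udm["security_result.action"] = "BLOCK" if kv["action"].lower() == "drop" else "ALLOW"
    elif subtype.startswith("RT_FLOW_SESSION_DENY"):
        udm["security_result.action"] = "BLOCK"
    return udm

# Constructed RT_FLOW_SESSION_DENY event from a hypothetical firewall "fw01".
SAMPLE = ('<14>1 2024-05-01T12:00:00.000Z fw01 RT_FLOW - RT_FLOW_SESSION_DENY '
          '[junos@2636.1.1.1.2.36 source-address="10.1.1.5" source-port="51234" '
          'destination-address="203.0.113.9" destination-port="443" service-name="junos-https" '
          'protocol-id="6" policy-name="deny-outbound" source-zone-name="trust" '
          'destination-zone-name="untrust"]')
```

Running `to_udm(SAMPLE)` yields `principal.ip` 10.1.1.5, `target.port` 443, `network.ip_protocol` TCP, a `srvname` detection field and `security_result.action` BLOCK, which is what a detection rule keyed on those UDM paths would see.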
Changes
2025-02-20
Enhancement:
- Modified the mapping of `target.user.userid` to `additional.fields` when `user_value` starts with `RT_FLOW`.
2025-02-06
Enhancement:
- If `user_value` is `UI_LOGIN_EVENT`, map it to `additional.fields`.
2025-01-15
Enhancement:
- If `user_name` has `RT_FLOW_SESSION_DENY`, map it to `security_result.action` as `BLOCK`; otherwise change the mapping of `user_name` from `target.user.userid` to `security_result.summary`.
- Mapped `sec_desc` to `security_result.description`.
2024-10-31
Enhancement:
- Added a new Grok pattern to parse unparsed logs.
- Mapped `processid` to `target.process.id`.
- Mapped `TSr` and `TSi` to `additional.fields`.
- Added `gsub` function to map `Remote-IP` to `target.ip`.
- Added `gsub` function to map `TSi` and `Local_IKE_ID` to `additional.fields`.
- Added KV filter to `kv_data1` to parse unparsed fields.
2024-10-30
Enhancement:
- Added a new Grok pattern to parse a new log pattern.
- Mapped `fw` to `intermediary.ip`.
- Mapped `msg1` to `security_result.summary`.
- Mapped `desc` to `metadata.description`.
2024-10-24
Enhancement:
- Added a new Grok pattern to parse logs in the new SYSLOG+KV format.
- Mapped `local_ip` to `principal.ip` and `principal.asset.ip`.
- Mapped `remote_ip` to `target.ip` and `target.asset.ip`.
2024-10-11
Enhancement:
- Mapped `hostn` to `principal.hostname`.
- Mapped `app` to `principal.application`.
- Mapped `pid` to `principal.process.pid`.
- Mapped `event_title` to `metadata.product_event_type`.
- Mapped `event_message` to `metadata.description`.
- Mapped `Local-ip` to `principal.ip` and `principal.asset.ip`.
- Mapped `Gateway_Name`, `vpn`, `tunnel_id`, `tunnel_if`, `Local_IKE_ID`, `Remote_IKE_ID`, `AAA_username`, `VR_id`, `Traffic_selector`, `Traffic_selector_Remote_ID`, `Traffic_selector_local_ID`, `SA_Type`, `Reason`, `threshold`, `time-period`, and `error-message_data` to `observer.resource.attribute.labels`.
- Mapped `target_ip` to `target.ip` and `target.asset.ip`.
- Mapped `data` to `target.ip` and `target.asset.ip`.
2024-06-28
Enhancement:
- Modified the Grok patterns to parse unparsed logs.
- Added Grok patterns over the field `msg_data` to extract the fields `user_id`, `principal_host`, `file_path`, `pid_2`, and `server_ip`.
- Mapped `principal_host` to `principal.hostname`.
- Mapped `user_id` to `target.user.userid`.
- Mapped `file_path` to `target.file.full_path`.
- Mapped `pid_2` to `target.process.pid`.
- Mapped `server_ip` to `target.ip`.
- Mapped `event_time` to `metadata.event_timestamp` correctly by removing `rebase` if the year is present.
2024-01-22
Bug fix:
- Added new Grok patterns to parse the `message` field with key-value data.
- Mapped `ACTION` to `security_result.action_details`.
- Mapped `SESSION_ID` to `network.session_id`.
- Mapped `APPLICATION` to `principal.application`.
- Mapped `pingCtlOwnerIndex`, `pingCtlTestName`, `usp_lsys_max_num_rpd`, `usp_lsys_max_num`, `urlcategory_risk`, `application_sub_category`, `source-zone`, `destination-zone`, `NESTED-APPLICATION`, `CATEGORY`, `REASON`, `PROFILE`, `source_rule`, `retrans_timer`, and `arp_unicast_mode` to `additional.fields`.
- Mapped `time` to `metadata.event_timestamp`.
2023-12-31
Bug fix:
- Added support for a new pattern of JSON logs.
- Mapped `time` to `metadata.event_timestamp`.
- Mapped `host` to `principal.hostname`.
- Mapped `ident` to `target.application`.
- Mapped `pid` to `target.process.pid`.
- Added Grok patterns to parse the `message` field.
2023-12-15
Enhancement:
- Mapped `internal-protocol` to `network.ip_protocol`.
- Mapped `state` to `security_result.detection_fields`.
- Mapped `internal-ip` to `principal.ip`.
- Mapped `reflexive-ip` to `target.ip`.
- Mapped `internal-port` to `principal.port`.
- Mapped `reflexive-port` to `target.port`.
- Mapped `local-address` to `principal.ip`.
- Mapped `remote-address` to `target.ip`.
- Added KV filter with source as `task_summary`.
- Mapped `dns-server-address` to `principal.ip`.
- Mapped `domain-name` to `principal.administrative_domain`.
- Mapped `argument1` to `network.direction`.
- Mapped `state` to `security_result.detection_fields`.
- Mapped `test-owner` to `additional.fields`.
- Mapped `local-initiator` to `additional.fields`.
- Mapped `test-name` to `additional.fields`.
- Mapped `SPI` to `additional.fields`.
- Mapped `AUX-SPI` to `additional.fields`.
- Mapped `Type` to `additional.fields`.
- Mapped `error-message` to `security_result.summary`.
2023-11-02
Enhancement:
- Added a new Grok pattern to parse logs of the new `SYSLOG+KV` format.
2023-08-24
Enhancement:
- Added gsub function to remove special characters.
2023-08-02
Enhancement:
- Modified Grok pattern to support new log formats for NetScreen type.
- Added support for type `RT_FLOW_SESSION_CREATE_LS`, `RT_FLOW_SESSION_CLOSE_LS`, and `RT_FLOW_SESSION_DENY_LS`.
- Mapped `sent` to `network.sent_bytes`.
- Mapped `rcvd` to `network.received_bytes`.
2023-05-05
Enhancement:
- Mapped `rule-name` to `security_result.rule_id`.
- Mapped `rulebase-name` to `security_result.detection_fields`.
- Mapped `export-id` to `security_result.detection_fields`.
- Mapped `repeat-count` to `security_result.detection_fields`.
- Mapped `packet-log-id` to `security_result.detection_fields`.
- Mapped `alert` to `is_alert` when the value is `yes`.
- Mapped `outbound-packets` to `network.sent_packets`.
- Mapped `inbound-packets` to `network.received_packets`.
- Mapped `outbound-bytes` to `network.sent_bytes`.
- Mapped `inbound-bytes` to `network.received_bytes`.
2023-03-08
Enhancement:
- Mapped `application` to `target.application`.
- Mapped `reason` to `security_result.description`.
- Mapped `application-characteristics` to `security_result.summary`.
- Mapped `application-risk` to `security_result.severity_details`.
- Mapped `application-category` to `security_result.detection_fields`.
- Mapped `application-sub-category` to `security_result.detection_fields`.
- Mapped `dst-nat-rule-name` to `security_result.detection_fields`.
- Mapped `dst-nat-rule-type` to `security_result.detection_fields`.
- Mapped `src-nat-rule-name` to `security_result.detection_fields`.
- Mapped `src-nat-rule-type` to `security_result.detection_fields`.
- Mapped `encrypted` to `security_result.detection_fields`.
- Mapped `nested-application` to `security_result.detection_fields`.
- Mapped `packet-incoming-interface` to `security_result.detection_fields`.
- Mapped `session-id-32` to `network.session_id`.
- Mapped `packets-from-client` to `network.sent_packets`.
- Mapped `packets-from-server` to `network.received_packets`.
- Mapped `bytes-from-client` to `network.sent_bytes`.
- Mapped `bytes-from-server` to `network.received_bytes`.
- Mapped `elapsed-time` to `network.session_duration.seconds`.
- Mapped `nat-destination-address` to `target.nat_ip`.
- Mapped `nat-destination-port` to `target.nat_port`.
- Mapped `source-destination-address` to `principal.nat_ip`.
- Mapped `source-destination-port` to `principal.nat_port`.
2023-01-18
Bug fix:
- Made the condition case insensitive to map `BLOCK` to `security_result.action` when `action` is `drop/DROP`.
- Mapped `msg_data` to `security_result.description` when `no_app_name` is false.
- Mapped `threat-severity` to `security_result.severity`.
- Mapped the field `message` to `metadata.description`.
- Mapped `app_name` to `target.application`.
- Mapped `pid` to `target.process.pid`.
- Mapped `desc` to `metadata.description`.
- Mapped `username` to `principal.user.userid`.
- Mapped `command` to `target.process.command_line`.
- Mapped `action` to `security_result.action_details`.
- Mapped `sec_description` to `security_result.description`.
- Mapped `application-name` to `network.application_protocol`.
2023-01-15
Enhancement:
- Modified Grok pattern to support unparsed logs containing type `UI_CMDLINE_READ_LINE`, `UI_COMMIT_PROGRESS`, `UI_CHILD_START`, `UI_CFG_AUDIT_OTHER`, `UI_LOGIN_EVENT`, `UI_CHILD_STATUS`, `UI_LOGOUT_EVENT`, `UI_LOAD_EVENT`, `JTASK_IO_CONNECT_FAILED`, `UI_AUTH_EVENT`, `UI_NETCONF_CMD`, `UI_COMMIT_NO_MASTER_PASSWORD`, `UI_CFG_AUDIT_SET`, `UI_JUNOSCRIPT_CMD`, `SNMPD_AUTH_FAILURE`, `UI_CFG_AUDIT_NEW`, `UI_COMMIT`, `LIBJNX_LOGIN_ACCOUNT_LOCKED`, `UI_COMMIT_COMPLETED`, `PAM_USER_LOCK_LOGIN_REQUESTS_DENIED`, `RTPERF_CPU_USAGE_OK`, `RTPERF_CPU_THRESHOLD_EXCEEDED`, `LIBJNX_LOGIN_ACCOUNT_UNLOCKED`, `JSRPD_SET_OTHER_INTF_MON_FAIL`, `JSRPD_SET_SCHED_MON_FAILURE`, `UI_CHILD_WAITPID`, and `UI_DBASE_LOGIN_EVENT`.
2022-11-07
Enhancement:
- Mapped `subtype` to `metadata.product_event_type`.
- Mapped `attack-name` to `security_result.threat_name`.
- Mapped `policy-name` to `security_result.rule_name`.
- Mapped `action` to `security_result.action`, where the value `drop` is mapped to BLOCK and others to ALLOW.
- Mapped `source-interface-name` to `security_result.detection_fields`.
- Mapped `destination-interface-name` to `security_result.detection_fields`.
- Mapped `source-zone-name` to `security_result.detection_fields`.
- Mapped `destination-zone-name` to `security_result.detection_fields`.
- Mapped `service-name` to `security_result.detection_fields`.
- Mapped `application-name` to `security_result.detection_fields`.
- Mapped `metadata.product_name`.
- Mapped `metadata.vendor_name`.
2022-10-04
Enhancement:
- Mapped `attack-name` to `security_result.rule_name`.
- Converted SDM mappings to the following UDM fields:
  - Mapped `source-address` to `principal.ip`.
  - Mapped `destination-address` to `target.ip`.
  - Mapped `source-port` to `principal.port`.
  - Mapped `host` to `principal.hostname`.
  - Mapped `bytes-from-server` to `network.received_bytes`.
  - Mapped `policy-name` to `security_result.rule_name`.
  - Mapped `protocol-id` to `network.ip_protocol`.