Page Comparison

Table of Contents

maxLevel	2
minLevel	2
type	flat

...

It is important that the first rule come before the second rule in the order of rule processing on the relay.

Rule 1: Identify "traffic" type events

Source Port → 514
Source Message → "\\[Root]system-[^][0-9](traffic):"
Target Tag → firewall.juniper.isg.traffic
Check the Stop Processing checkbox

...

Rule 2: Tag all other events received from the Juniper IP as "system"

IP → <Juniper IP address>
Source Port → 514
Target Tag → all the rest as firewall.juniper.isg.system

...

Firewall Juniper SRX Series

...

Info
It is possible to change the port where the SRX log events are sent, but our examples below use the standard syslog UDP port 514.

Rule 1: Tag events containing the syslog tag RT_FLOW as "traffic"

Source Port → 514
Source Tag → RT_FLOW
Target Tag → firewall.juniper.srx.traffic (or firewall.juniper.srx.traffic.vXX)
Check the Stop Processing checkbox
Image Removed

Rule 2: Tag events containing the syslog tag RT_UTM as "utm"

Source Port → 514
Source Tag → RT_UTM
Target Tag → firewall.juniper.srx.utm
Check the Stop Processing checkbox

Image Removed

Rule 3: Tag events containing the syslog tag RT_IDP as "idp"

Source Port → 514
Source Tag → RT_IDP
Target Tag → firewall.juniper.srx.idp
Check the Stop Processing checkbox

...

Rule 4: Tag all other events received on port 514 as "system"

Source Port → 514
Target Tag → firewall.juniper.srx.system
Check the Sent without syslog tag checkbox

...

Note
The system log will show events from the *nix system.

...

If SRX is logging in structured-data format, the Devo Relay rules need to be defined in a different way.

Rule 1: Tag events containing the syslog tag RT_FLOW as "traffic"

Source Port → 13003
Source Data → ^.*? RT_FLOW - .*$
Target Tag → firewall.juniper.srx.traffic
Check the Stop Processing and Sent without syslog tag checkboxes

...

Rule 2: Tag events containing the syslog tag RT_UTM as "utm"

Source Port → 13003
Source Data → ^.*? RT_UTM - .*$
Target Tag → firewall.juniper.srx.utm
Check the Stop Processing and Sent without syslog tag checkboxes

...

Rule 3: Tag events containing the syslog tag RT_IDP as "idp"

Source Port → 13003
Source Data → ^.*? RT_IDP - .*$
Target Tag → firewall.juniper.srx.idp
Check the Stop Processing and Sent without syslog tag checkboxes

Image Removed

Rule 4: Tag all other events received on the same port as "system"

IP → <Juniper IP>
Source Port → 13003
Target Tag → firewall.juniper.srx.system
Check the Sent without syslog tag checkbox

...

SRX Rule Base - Add rule to log dropped packets

...

Versions Compared

Old Version 8

New Version 9

Key

Rule 1: Identify "traffic" type events

Rule 2: Tag all other events received from the Juniper IP as "system"

Firewall Juniper SRX Series

Rule 1: Tag events containing the syslog tag RT_FLOW as "traffic"

Rule 2: Tag events containing the syslog tag RT_UTM as "utm"

Rule 3: Tag events containing the syslog tag RT_IDP as "idp"

Rule 4: Tag all other events received on port 514 as "system"

Rule 1: Tag events containing the syslog tag RT_FLOW as "traffic"

Rule 2: Tag events containing the syslog tag RT_UTM as "utm"

Rule 3: Tag events containing the syslog tag RT_IDP as "idp"

Rule 4: Tag all other events received on the same port as "system"

SRX Rule Base - Add rule to log dropped packets