...
It is important that the first rule come before the second rule in the order of rule processing on the relay.
Rule 1: Identify "traffic" type events
Source Port → 514
Source Message → "\\[Root]system-[^][0-9](traffic):"
Target Tag → firewall.juniper.isg.traffic
Check the Stop Processing checkbox
...
Rule 2: Tag all other events received from the Juniper IP as "system"
IP → <Juniper IP address>
Source Port → 514
Target Tag → all the rest as firewall.juniper.isg.system
...
Firewall Juniper SRX Series
...
Info: It is possible to change the port where the SRX log events are sent, but the examples below use the standard syslog UDP port 514.
Rule 1: Tag events containing the syslog tag RT_FLOW as "traffic"
Source Port → 514
Source Tag → RT_FLOW
Target Tag → firewall.juniper.srx.traffic (or firewall.juniper.srx.traffic.vXX)
Check the Stop Processing checkbox
Rule 2: Tag events containing the syslog tag RT_UTM as "utm"
Source Port → 514
Source Tag → RT_UTM
Target Tag → firewall.juniper.srx.utm
Check the Stop Processing checkbox
Rule 3: Tag events containing the syslog tag RT_IDP as "idp"
Source Port → 514
Source Tag → RT_IDP
Target Tag → firewall.juniper.srx.idp
Check the Stop Processing checkbox
...
Rule 4: Tag all other events received on port 514 as "system"
Source Port → 514
Target Tag → firewall.juniper.srx.system
Check the Sent without syslog tag checkbox
...
Note: The system log will show events from the *nix system.
...
If SRX is logging in structured-data format, the Devo Relay rules need to be defined in a different way.
Rule 1: Tag events containing the syslog tag RT_FLOW as "traffic"
Source Port → 13003
Source Data → ^.*? RT_FLOW - .*$
Target Tag → firewall.juniper.srx.traffic
Check the Stop Processing and Sent without syslog tag checkboxes
...
Rule 2: Tag events containing the syslog tag RT_UTM as "utm"
Source Port → 13003
Source Data → ^.*? RT_UTM - .*$
Target Tag → firewall.juniper.srx.utm
Check the Stop Processing and Sent without syslog tag checkboxes
...
Rule 3: Tag events containing the syslog tag RT_IDP as "idp"
Source Port → 13003
Source Data → ^.*? RT_IDP - .*$
Target Tag → firewall.juniper.srx.idp
Check the Stop Processing and Sent without syslog tag checkboxes
Rule 4: Tag all other events received on the same port as "system"
IP → <Juniper IP>
Source Port → 13003
Target Tag → firewall.juniper.srx.system
Check the Sent without syslog tag checkbox
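To see why the catch-all "system" rule must come last and why the specific rules carry Stop Processing, here is an added example (not from the Devo documentation) that models the ordered rule walk for the structured-data SRX rules above; the sample syslog lines are constructed, and the matching semantics (top-to-bottom, stop on match when flagged, otherwise keep matching) are an assumption about the relay, not documented behaviour.

```python
import re

# Rules mirror the structured-data SRX rules on the page:
# (source port, Source Data regex or None, Target Tag, Stop Processing)
SRX_STRUCTURED_RULES = [
    (13003, r"^.*? RT_FLOW - .*$", "firewall.juniper.srx.traffic", True),
    (13003, r"^.*? RT_UTM - .*$",  "firewall.juniper.srx.utm",     True),
    (13003, r"^.*? RT_IDP - .*$",  "firewall.juniper.srx.idp",     True),
    (13003, None,                  "firewall.juniper.srx.system",  False),
]

# Same rules with the catch-all moved to the top (the mistake to avoid).
MISORDERED_RULES = [SRX_STRUCTURED_RULES[-1]] + SRX_STRUCTURED_RULES[:-1]


def tag_event(port, line, rules=SRX_STRUCTURED_RULES):
    """Return the target tags an event is routed to, in rule order.

    Assumed relay semantics: rules are evaluated top to bottom; a rule
    without Source Data matches every event on its port; a match with
    Stop Processing ends the walk, otherwise later rules may add tags.
    """
    tags = []
    for rule_port, pattern, tag, stop in rules:
        if port != rule_port:
            continue
        if pattern is not None and not re.match(pattern, line):
            continue
        tags.append(tag)
        if stop:
            break
    return tags


# Constructed RFC 5424 style sample lines, not real firewall captures.
FLOW_LINE = ('<14>1 2024-05-01T12:00:00.000Z srx-fw RT_FLOW - RT_FLOW_SESSION_DENY '
             '[junos@2636.1.1.1.2.129 source-address="10.0.0.5" '
             'destination-address="192.0.2.10" protocol-id="6"] session denied')
UTM_LINE = ('<14>1 2024-05-01T12:00:01.000Z srx-fw RT_UTM - WEBFILTER_URL_BLOCKED '
            '[junos@2636.1.1.1.2.129 url="example.test"] url blocked')
SYS_LINE = ('<14>1 2024-05-01T12:00:02.000Z srx-fw sshd 4242 - - '
            'Accepted password for admin from 10.0.0.9')

if __name__ == "__main__":
    for line in (FLOW_LINE, UTM_LINE, SYS_LINE):
        print(tag_event(13003, line), "<-", line[:60])
    # With the catch-all first, a traffic event is delivered twice.
    print(tag_event(13003, FLOW_LINE, MISORDERED_RULES))
```

With the correct order each event lands in exactly one table; with the catch-all first, a traffic event is tagged both system and traffic because the catch-all does not stop processing.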
...
SRX Rule Base - Add rule to log dropped packets
...