The tags beginning with firewall.juniper identify log events generated by the following Juniper technologies:
- Juniper Integrated Services Gateway (ISG) / Secure Services Gateway (SSG)
- Juniper SRX-series firewalls
- Juniper Network & Security Manager (NSM)
...
The full tag must have at least three levels. The first two are fixed as firewall.juniper. The third level identifies the technology type and must be one of isg, nsm, srx, ssg, system or traffic. The fourth level is usually required and is fixed depending on the type (see the table below). Only firewall.juniper.srx.traffic accepts an optional fifth level that identifies the Junos release.
technology | brand | type | subtype | junos release |
---|
firewall | juniper | isg, nsm, srx, ssg, system or traffic | usually required and fixed depending on type | appended to the firewall.juniper.srx.traffic tag and must be one of: v12 (Junos releases between 12.3 and 14), v14 (Junos 14.x), v15 (Junos releases between 14 and 15.1X49), v16 (Junos 15.1X49-D80 and later) |
Therefore, the valid tags include:
Tags | Data tables |
---|
firewall.juniper.isg.system | firewall.juniper.isg.system |
firewall.juniper.isg.traffic | firewall.juniper.isg.traffic |
firewall.juniper.nsm.traffic | firewall.juniper.nsm.traffic |
firewall.juniper.srx.idp | firewall.juniper.srx.idp |
firewall.juniper.srx.probe | firewall.juniper.srx.probe |
firewall.juniper.srx.system | firewall.juniper.srx.system |
firewall.juniper.srx.traffic | firewall.juniper.srx.traffic |
firewall.juniper.srx.utm | firewall.juniper.srx.utm |
firewall.juniper.ssg.system | firewall.juniper.ssg.system |
firewall.juniper.ssg.traffic | firewall.juniper.ssg.traffic |
firewall.juniper.system | firewall.juniper.system |
firewall.juniper.traffic | firewall.juniper.traffic |
For more information, read more about Devo tags.
Firewall Juniper ISG / SSG
ISG and SSG firewalls cannot send system and traffic events to different ports on the same remote machine (here, the Devo Relay), so two relay rules are needed to tell apart and tag the events received on the same port:
- The first rule uses a regex in the Source message field to identify the events to be tagged firewall.juniper.isg.traffic. Mark Stop processing in this rule, so that an event that meets its conditions is tagged, skips all further relay rules and is forwarded directly to the Devo Cloud.
- The second rule applies the firewall.juniper.isg.system tag to all other events received on the same port.
The first rule must come before the second in the relay's rule processing order; otherwise the catch-all rule tags every event, traffic events included, as system.
Rule 1: Identify "traffic" type events
- Source port → 514
- Source message → "\\[Root]system-[^][0-9](traffic):"
- Target tag → firewall.juniper.isg.traffic
- Check the Stop processing checkbox
Rule 2: Tag all other events received from the Juniper IP as "system"
- IP → <Juniper IP address>
- Source port → 514
- Target tag → firewall.juniper.isg.system
Firewall Juniper SRX Series
Below are the Devo Relay rules needed to process SRX events correctly, followed by a note on logging dropped packets on the SRX.
Devo Relay rules - SRX logging in syslog format
Set up new relay rules to handle the SRX events received on port 514 and tag them as firewall.juniper.srx.<subtype>.
These rules match on the syslog tag contained in the inbound event; on a match the corresponding Devo tag is applied and the event is forwarded to the Devo Cloud without further processing on the relay.
Info |
---|
It is possible to change the port where the SRX log events are sent, but our examples below use the standard syslog UDP port 514. |
Rule 1: Tag events containing the syslog tag RT_FLOW as "traffic"
- Source port → 514
- Source tag → RT_FLOW
- Target tag → firewall.juniper.srx.traffic (or firewall.juniper.srx.traffic.vXX, where vXX is the Junos release level from the tag structure table above)
- Check the Stop processing checkbox
Rule 2: Tag events containing the syslog tag RT_UTM as "utm"
- Source port → 514
- Source tag → RT_UTM
- Target tag → firewall.juniper.srx.utm
- Check the Stop processing checkbox
Rule 3: Tag events containing the syslog tag RT_IDP as "idp"
- Source port → 514
- Source tag → RT_IDP
- Target tag → firewall.juniper.srx.idp
- Check the Stop processing checkbox
Rule 4: Tag all other events received on port 514 as "system"
- Source port → 514
- Target tag → firewall.juniper.srx.system
- Check the Sent without syslog tag checkbox
Rule 4 must be the last rule: it matches on the port alone, so placed earlier it would tag RT_FLOW, RT_UTM and RT_IDP events as system as well.
Note |
---|
Because Rule 4 is a catch-all, the firewall.juniper.srx.system table also receives the events of the SRX's underlying *nix operating system, not only firewall events. |
Devo Relay rules - SRX logging in structured-data format
If the SRX logs in structured-data format, the syslog tag is not in the position the rules above expect, so the Devo Relay rules are defined on the message content instead.
Rule 1: Tag events containing the syslog tag RT_FLOW as "traffic"
- Source port → 13003
- Source data → ^.*? RT_FLOW - .*$
- Target tag → firewall.juniper.srx.traffic
- Check the Stop processing and Sent without syslog tag checkboxes
Rule 2: Tag events containing the syslog tag RT_UTM as "utm"
- Source port → 13003
- Source data → ^.*? RT_UTM - .*$
- Target tag → firewall.juniper.srx.utm
- Check the Stop processing and Sent without syslog tag checkboxes
Rule 3: Tag events containing the syslog tag RT_IDP as "idp"
- Source port → 13003
- Source data → ^.*? RT_IDP - .*$
- Target tag → firewall.juniper.srx.idp
- Check the Stop processing and Sent without syslog tag checkboxes
Rule 4: Tag all other events received on the same port as "system"
- IP → <Juniper IP>
- Source port → 13003
- Target tag → firewall.juniper.srx.system
- Check the Sent without syslog tag checkbox
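To check rule order and the effect of Stop processing before committing rules to a relay, the following Python simulation (an added example, not Devo relay code) evaluates an ordered rule list the way the ISG/SSG and SRX sections describe it: a rule matches on port, optional source IP, optional syslog tag (the program name of a BSD-style syslog line) or a regex over the message, and every matching rule applies its tag until a matching rule with Stop processing ends the walk. The sample log lines, the 192.0.2.10 firewall address and the ISG regex are constructed for the example; that regex is the example's own pattern for the ScreenOS message-ID suffix "(traffic):", not the Source message value given above. The Sent without syslog tag checkbox is not modelled.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Program name before the colon of a BSD-style syslog line, which is what the
# relay's "Source tag" field matches: "... srx-fw RT_FLOW: RT_FLOW_SESSION_DENY: ..." -> "RT_FLOW".
_BSD_TAG = re.compile(
    r"^(?:<\d+>)?[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ (?P<tag>[^:\s\[]+)(?:\[\d+\])?: "
)


def syslog_tag(line: str) -> Optional[str]:
    m = _BSD_TAG.match(line)
    return m.group("tag") if m else None


@dataclass
class RelayRule:
    target_tag: str
    source_port: int
    source_ip: Optional[str] = None      # "IP" field
    source_tag: Optional[str] = None     # "Source tag" field (syslog program name)
    source_regex: Optional[str] = None   # "Source message" / "Source data" field
    stop_processing: bool = False        # "Stop processing" checkbox

    def matches(self, ip: str, port: int, line: str) -> bool:
        if port != self.source_port:
            return False
        if self.source_ip is not None and ip != self.source_ip:
            return False
        if self.source_tag is not None and syslog_tag(line) != self.source_tag:
            return False
        if self.source_regex is not None and re.search(self.source_regex, line) is None:
            return False
        return True


def tag_event(rules: List[RelayRule], ip: str, port: int, line: str) -> List[str]:
    """Tags applied to one event, in rule order. Every matching rule applies its tag
    (the event is forwarded once per tag) until a matching rule with Stop processing
    ends the walk; an empty list means no rule claimed the event."""
    tags: List[str] = []
    for rule in rules:
        if rule.matches(ip, port, line):
            tags.append(rule.target_tag)
            if rule.stop_processing:
                break
    return tags


JUNIPER_IP = "192.0.2.10"  # assumed firewall address, standing in for <Juniper IP>

ISG_RULES = [  # Firewall Juniper ISG / SSG: regex rule first, catch-all second
    RelayRule("firewall.juniper.isg.traffic", 514,
              source_regex=r"\[Root\]system-\S*\(traffic\):", stop_processing=True),
    RelayRule("firewall.juniper.isg.system", 514, source_ip=JUNIPER_IP),
]
SRX_SYSLOG_RULES = [  # SRX logging in syslog format, port 514
    RelayRule("firewall.juniper.srx.traffic", 514, source_tag="RT_FLOW", stop_processing=True),
    RelayRule("firewall.juniper.srx.utm", 514, source_tag="RT_UTM", stop_processing=True),
    RelayRule("firewall.juniper.srx.idp", 514, source_tag="RT_IDP", stop_processing=True),
    RelayRule("firewall.juniper.srx.system", 514),
]
SRX_SD_RULES = [  # SRX logging in structured-data format, port 13003
    RelayRule("firewall.juniper.srx.traffic", 13003, source_regex=r"^.*? RT_FLOW - .*$", stop_processing=True),
    RelayRule("firewall.juniper.srx.utm", 13003, source_regex=r"^.*? RT_UTM - .*$", stop_processing=True),
    RelayRule("firewall.juniper.srx.idp", 13003, source_regex=r"^.*? RT_IDP - .*$", stop_processing=True),
    RelayRule("firewall.juniper.srx.system", 13003, source_ip=JUNIPER_IP),
]

# Constructed sample lines (not captured from real devices).
ISG_TRAFFIC = ('<134>Jan  1 10:00:00 ns5gt ns5gt: NetScreen device_id=ns5gt '
               '[Root]system-notification-00257(traffic): start_time="2024-01-01 10:00:00" '
               'duration=0 policy_id=1 service=dns proto=17 src zone=Trust dst zone=Untrust '
               'action=Permit sent=60 rcvd=120 src=10.0.0.5 dst=198.51.100.53 src_port=53412 dst_port=53')
ISG_SYSTEM = ('<134>Jan  1 10:00:01 ns5gt ns5gt: NetScreen device_id=ns5gt '
              '[Root]system-warning-00515: Admin user "admin" logged in via Telnet from 10.0.0.9:40212')
SRX_FLOW_BSD = ('<14>Jan  1 10:00:02 srx-fw RT_FLOW: RT_FLOW_SESSION_DENY: session denied '
                '10.0.0.5/53412->198.51.100.53/53 junos-dns-udp 17(0) default-deny trust untrust')
SRX_UTM_BSD = '<14>Jan  1 10:00:03 srx-fw RT_UTM: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked"'
SRX_SSHD_BSD = '<38>Jan  1 10:00:04 srx-fw sshd[1234]: Accepted password for admin from 10.0.0.9 port 40213 ssh2'
SRX_FLOW_SD = ('<14>1 2024-01-01T10:00:05.000Z srx-fw RT_FLOW - RT_FLOW_SESSION_DENY '
               '[junos@2636.1.1.1.2.134 source-address="10.0.0.5" destination-address="198.51.100.53" '
               'protocol-id="17" policy-name="default-deny" reason="policy deny"]')

if __name__ == "__main__":
    for name, rules, port, line in [
        ("isg traffic", ISG_RULES, 514, ISG_TRAFFIC),
        ("isg rules reversed", list(reversed(ISG_RULES)), 514, ISG_TRAFFIC),
        ("srx structured-data line on the syslog port", SRX_SYSLOG_RULES, 514, SRX_FLOW_SD),
    ]:
        print(f"{name}: {tag_event(rules, JUNIPER_IP, port, line)}")
```

Two failure modes are worth running: with the ISG rules reversed, a traffic event is tagged system by the catch-all and then traffic by the regex rule, so it is forwarded twice; and a structured-data SRX line arriving on the syslog-format port carries no BSD syslog tag, so it falls through the RT_FLOW/RT_UTM/RT_IDP rules into the system table without any error.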
SRX Rule Base - Add rule to log dropped packets
By default, the SRX does not log the packets it drops. To log them, define an explicit deny-all policy at the end of the rule base with logging enabled.
Configuration for Junos releases earlier than 11.4
Create a template group. Note that <*> is a wildcard that matches any security zone.
Code Block |
---|
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny match source-address any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny match destination-address any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny match application any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny then deny
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny then log session-init |
Apply the group. The following configuration statement applies the template group to every from-zone/to-zone pair that already has a policy context; zone pairs without any policy are not covered, so traffic between them is still dropped silently:
Code Block |
---|
set apply-groups default-deny-template |
Configuration for Junos release 11.4 and later
Code Block |
---|
set security policies global policy default-deny match source-address any
set security policies global policy default-deny match destination-address any
set security policies global policy default-deny match application any
set security policies global policy default-deny then deny
set security policies global policy default-deny then log session-init |
Global policies are evaluated after the zone-pair policies, so this rule only sees traffic that no zone-pair policy has matched, which is exactly the traffic the implicit default deny would otherwise drop without a log entry.
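Once the default-deny policy logs session-init, every dropped session reaches Devo as an RT_FLOW_SESSION_DENY event. The following Python parser is an added example (not Devo or Juniper code) that maps one such event, in structured-data format, onto the column names of the firewall.juniper.srx.traffic table described under Table structure, reusing that table's protoStr mapping. The sample event, the header layout and the derivation of action from the message-ID suffix are assumptions of the example.

```python
import ipaddress
import re
from typing import Dict, Optional

# Constructed sample event (not from the page): the kind of line the default-deny
# policy emits for a blocked DNS lookup when the SRX logs in structured-data format.
SAMPLE_DENY = (
    '<14>1 2024-01-01T10:00:05.000Z srx-fw RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@2636.1.1.1.2.134 source-address="10.0.0.5" source-port="53412" '
    'destination-address="198.51.100.53" destination-port="53" '
    'service-name="junos-dns-udp" protocol-id="17" icmp-type="0" '
    'policy-name="default-deny" source-zone-name="trust" '
    'destination-zone-name="untrust" application="UNKNOWN" '
    'nested-application="UNKNOWN" username="N/A" roles="N/A" '
    'packet-incoming-interface="ge-0/0/0.0" encrypted="UNKNOWN" '
    'reason="policy deny"]'
)

# Assumed RFC 5424 layout: VERSION TIMESTAMP HOST APP-NAME(RT_FLOW) "-" MSGID [structured data]
_HEADER = re.compile(
    r"^(?:<\d+>)?1 (?P<ts>\S+) (?P<host>\S+) RT_FLOW - (?P<msgid>RT_FLOW_\S+) \[(?P<sd>.*)\]$"
)
_PARAM = re.compile(r'(?P<k>[\w-]+)="(?P<v>[^"]*)"')

# Same mapping as the protoStr transformation in the srx.traffic table; any other
# protocol number yields None, as the transformation's final null("") branch does.
_PROTO_STR = {6: "TCP", 17: "UDP", 1: "ICMP"}


def proto_str(proto: Optional[int]) -> Optional[str]:
    return _PROTO_STR.get(proto) if proto is not None else None


def _int(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None and value.isdigit() else None


def _ip4(value: Optional[str]) -> Optional[str]:
    # The table keeps an ip4 column beside the raw *_str column; a value that is
    # not an IPv4 address (an IPv6 address, "N/A") leaves the ip4 column empty.
    try:
        return str(ipaddress.IPv4Address(value)) if value is not None else None
    except ipaddress.AddressValueError:
        return None


def parse_rt_flow(line: str) -> Dict[str, object]:
    """Map one structured-data RT_FLOW event onto srx.traffic column names."""
    m = _HEADER.match(line)
    if m is None:
        raise ValueError("not an RT_FLOW structured-data event")
    p = dict(_PARAM.findall(m.group("sd")))
    proto = _int(p.get("protocol-id"))
    return {
        "machine": m.group("host"),
        "server_date": m.group("ts"),
        "message_source": m.group("msgid"),
        # Assumption of this example: the action is the MSGID suffix (CREATE, CLOSE, DENY).
        "action": m.group("msgid").split("RT_FLOW_SESSION_", 1)[-1],
        "srcIp": _ip4(p.get("source-address")),
        "srcIp_str": p.get("source-address"),
        "srcPort": _int(p.get("source-port")),
        "dstIp": _ip4(p.get("destination-address")),
        "dstIp_str": p.get("destination-address"),
        "dstPort": _int(p.get("destination-port")),
        "service": p.get("service-name"),
        "proto": proto,
        "protoStr": proto_str(proto),
        "icmpType": _int(p.get("icmp-type")),
        "policy": p.get("policy-name"),
        "srcZone": p.get("source-zone-name"),
        "dstZone": p.get("destination-zone-name"),
        "app": p.get("application"),
        "app2": p.get("nested-application"),
        "user": p.get("username"),
        "roles": p.get("roles"),
        "iface": p.get("packet-incoming-interface"),
        "encrypted": p.get("encrypted"),
        "reason": p.get("reason"),
        "structuredData": m.group("sd"),
    }


def is_default_deny_hit(row: Dict[str, object]) -> bool:
    """True when the event came from the logging default-deny rule configured above."""
    return row["action"] == "DENY" and row["policy"] == "default-deny"


if __name__ == "__main__":
    row = parse_rt_flow(SAMPLE_DENY)
    print(f'{row["srcIp"]}:{row["srcPort"]} -> {row["dstIp"]}:{row["dstPort"]} '
          f'{row["protoStr"]} {row["action"]} by {row["policy"]} ({row["reason"]})')
```

The parser refuses BSD-format lines rather than guessing, which is the same mismatch the relay rules above depend on: a structured-data parser fed syslog-format events, or the reverse, produces empty columns rather than an obvious error, so the format configured on the SRX and the rule set on the relay must agree.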
Table structure
These are the fields of each data table. In the traffic tables, a field transformation of the form isnotnull(x_tmp) ? x_tmp : x_aux takes the value from whichever of the two listed source fields the parser populated, and protoStr translates the IP protocol number into TCP, UDP or ICMP (null("") for any other number).
firewall.juniper.isg.system
Field | Type | Source field name | Extra fields |
---|
eventdate | timestamp | | |
machine | str | | |
product | str | vproduct | |
devId0 | str | | |
severity | str | | |
type | int4 | | |
message | str | | |
hostchain | str | | ✓ |
tag | str | | ✓ |
rawMessage | str | message | ✓ |
firewall.juniper.isg.traffic
Field | Type | Field transformation | Source field name | Extra fields |
---|
eventdate | timestamp | | | |
machine | str | | | |
product | str | | vproduct | |
devId | str | | | |
severity | str | | | |
type | int4 | | | |
startTime | timestamp | | | |
duration | int4 | isnotnull(duration_tmp) ? duration_tmp : duration_aux | duration_aux duration_tmp | |
policyId | int8 | | | |
service | str | isnotnull(service_tmp) ? service_tmp : service_aux | service_aux service_tmp | |
protocol | int4 | isnotnull(proto_tmp) ? proto_tmp : proto_aux | proto_aux proto_tmp | |
protoStr | str | (protocol = 6) ? "TCP" : (protocol = 17) ? "UDP" : (protocol = 1) ? "ICMP" : null("") | protocol | |
srcZone | str | isnotnull(srcZone_tmp) ? srcZone_tmp : srcZone_aux | srcZone_tmp srcZone_aux | |
dstZone | str | isnotnull(dstZone_tmp) ? dstZone_tmp : dstZone_aux | dstZone_aux dstZone_tmp | |
action | str | | | |
bytesSend | int8 | isnotnull(cliBytes_tmp) ? cliBytes_tmp : cliBytes_aux | cliBytes_aux cliBytes_tmp | |
bytesRecv | int8 | isnotnull(srvBytes_tmp) ? srvBytes_tmp : srvBytes_aux | srvBytes_tmp srvBytes_aux | |
srcIp | ip4 | isnotnull(srcIp_tmp) ? srcIp_tmp : srcIp_aux | srcIp_aux srcIp_tmp | |
srcIp_str | str | isnotnull(srcIp_tmp_str) ? srcIp_tmp_str : srcIp_aux_str | srcIp_tmp_str srcIp_aux_str | |
dstIp | ip4 | isnotnull(dstIp_tmp) ? dstIp_tmp : dstIp_aux | dstIp_aux dstIp_tmp | |
dstIp_str | str | isnotnull(dstIp_tmp_str) ? dstIp_tmp_str : dstIp_aux_str | dstIp_aux_str dstIp_tmp_str | |
srcPort | int4 | isnotnull(srcPort_tmp) ? srcPort_tmp : srcPort_aux | srcPort_tmp srcPort_aux | |
dstPort | int4 | isnotnull(dstPort_tmp) ? dstPort_tmp : dstPort_aux | dstPort_tmp dstPort_aux | |
icmpType | int4 | isnotnull(icmpType_tmp) ? icmpType_tmp : icmpType_aux | icmpType_tmp icmpType_aux | |
icmpCode | int4 | | | |
sessionId | int8 | isnotnull(session_tmp) ? session_tmp : session_aux | session_tmp session_aux | |
srcXIp | ip4 | | | |
srcXPort | int4 | | | |
dstXIp | ip4 | | | |
dstXPort | int4 | | | |
reason | str | isnotnull(reason_tmp) ? reason_tmp : reason_aux | reason_aux reason_tmp | |
unknown | str | | | |
hostchain | str | | | ✓ |
tag | str | | | ✓ |
rawMessage | str | | rawSource | ✓ |
firewall.juniper.nsm.traffic
Field | Type | Source field name | Extra fields |
---|
eventdate | timestamp | | |
machine | str | | |
logDayId | str | | |
logRecordId | str | | |
timeReceived | timestamp | | |
timeGenerated | timestamp | | |
deviceDomain | str | | |
deviceDomainVer | str | | |
deviceName | str | | |
deviceIp | ip4 | | |
category | str | | |
subCategory | str | | |
srcZone | str | | |
srcIface | str | | |
srcIp | ip4 | | |
srcIp_str | str | | |
srcPort | int4 | | |
srcXIp | ip4 | | |
srcXPort | int4 | | |
dstZone | str | | |
dstIface | str | | |
dstIp | ip4 | | |
dstIp_str | str | | |
dstPort | int4 | | |
dstXIp | ip4 | | |
dstXPort | int4 | | |
proto | str | | |
policyDomain | str | | |
policyDomainVer | str | | |
policyName | str | | |
rulebase | str | | |
ruleNumber | str | | |
ruleNumber2 | str | | |
action | str | | |
severity | str | | |
isAlert | str | | |
details | str | | |
user | str | | |
app | str | | |
uri | str | | |
elapsedSecs | int4 | | |
bytesIn | int8 | | |
bytesOut | int8 | | |
bytesTotal | int8 | | |
pktsIn | int4 | | |
pktsOut | int4 | | |
pktsTotal | int4 | | |
repeatCount | int4 | | |
hasData | str | | |
data | str | | |
appliService | str | | |
deviceFamily | str | | |
hostchain | str | | ✓ |
tag | str | | ✓ |
rawMessage | str | rawSource | ✓ |
firewall.juniper.srx.idp
Field | Type | Source field name | Extra fields |
---|
eventdate | timestamp | | |
machine | str | | |
type | str | | |
attack_name | str | | |
source_address | ip4 | | |
source_port | int4 | | |
destination_address | ip4 | | |
destination_port | int4 | | |
protocol_id | str | | |
source_zone_name | str | | |
interface_name | str | | |
action | str | | |
hostchain | str | | ✓ |
tag | str | | ✓ |
rawMessage | str | rawSource | ✓ |
firewall.juniper.srx.probe
Field | Type | Source field name | Extra fields |
---|
eventdate | timestamp | | |
machine | str | | |
type | str | | |
interfaceName | str | | |
snmpInterfaceIndex | str | | |
adminStatus | str | | |
operationalStatus | str | | |
testName | str | | |
testOwner | str | | |
name | str | | |
message | str | | |
rawMessage | str | rawSource | ✓ |
hostchain | str | | ✓ |
tag | str | | ✓ |
firewall.juniper.srx.system
Field | Type | Source field name | Extra fields |
---|
eventdate | timestamp | | |
machine | str | rawHostName | |
serverdate | str | | |
hostname | str | | |
process_name | str | | |
pid | str | | |
log_type | str | | |
platform | str | | |
username | str | | |
authentication_level | str | | |
client_ip | ip4 | | |
client_port | str | | |
destination_ip | ip4 | | |
destination_port | str | | |
message | str | | |
hostchain | str | | ✓ |
tag | str | | ✓ |
rawMessage | str | | ✓ |
firewall.juniper.srx.traffic
Field | Type | Field transformation | Source field name | Extra fields |
---|
eventdate | timestamp | | | |
machine | str | | | |
tag | str | | | |
version | str | | | |
server_date | str | | | |
message_source | str | | | |
action_name | str | action_prefix + action | action_prefix action | |
action | str | | | |
srcIp | ip4 | isnotnull(srcIp_tmp) ? srcIp_tmp : srcIp_aux | srcIp_aux srcIp_tmp | |
srcIp_str | str | isnotnull(srcIp_tmp_str) ? srcIp_tmp_str : srcIp_aux_str | srcIp_tmp_str srcIp_aux_str | |
srcPort | int4 | isnotnull(srcPort_tmp) ? srcPort_tmp : srcPort_aux | srcPort_tmp srcPort_aux | |
dstIp | ip4 | isnotnull(dstIp_tmp) ? dstIp_tmp : dstIp_aux | dstIp_aux dstIp_tmp | |
dstIp_str | str | isnotnull(dstIp_tmp_str) ? dstIp_tmp_str : dstIp_aux_str | dstIp_aux_str dstIp_tmp_str | |
dstPort | int4 | isnotnull(dstPort_tmp) ? dstPort_tmp : dstPort_aux | dstPort_tmp dstPort_aux | |
service | str | isnotnull(service_tmp) ? service_tmp : service_aux | service_aux service_tmp | |
srcXIp | ip4 | | | |
srcXPort | int4 | | | |
dstXIp | ip4 | | | |
dstXPort | int4 | | | |
natConnetionTag | str | | | |
srcNatRuleType | str | isnotnull(srcNatRuleType_tmp) ? srcNatRuleType_tmp : srcNatRuleType_aux | srcNatRuleType_aux srcNatRuleType_tmp | |
srcNatRule | str | isnotnull(srcNatRule_tmp) ? srcNatRule_tmp : srcNatRule_aux | srcNatRule_aux srcNatRule_tmp | |
dstNatRuleType | str | isnotnull(dstNatRuleType_tmp) ? dstNatRuleType_tmp : dstNatRuleType_aux | dstNatRuleType_tmp dstNatRuleType_aux | |
dstNatRule | str | isnotnull(dstNatRule_tmp) ? dstNatRule_tmp : dstNatRule_aux | dstNatRule_tmp dstNatRule_aux | |
srcNatIp | ip4 | | | |
dstNatIp | ip4 | | | |
proto | int4 | isnotnull(proto_tmp) ? proto_tmp : proto_aux | proto_aux proto_tmp | |
protoStr | str | (proto = 6) ? "TCP" : (proto = 17) ? "UDP" : (proto = 1) ? "ICMP" : null("") | proto | |
policy | str | isnotnull(policy_tmp) ? policy_tmp : policy_aux | policy_aux policy_tmp | |
srcZone | str | isnotnull(srcZone_tmp) ? srcZone_tmp : srcZone_aux | srcZone_tmp srcZone_aux | |
dstZone | str | isnotnull(dstZone_tmp) ? dstZone_tmp : dstZone_aux | dstZone_aux dstZone_tmp | |
session | int4 | isnotnull(session_tmp) ? session_tmp : session_aux | session_tmp session_aux | |
reason | str | isnotnull(reason_tmp) ? reason_tmp : reason_aux | reason_aux reason_tmp | |
cliPkts | int4 | isnotnull(cliPkts_tmp) ? cliPkts_tmp : cliPkts_aux | cliPkts_tmp cliPkts_aux | |
cliBytes | int8 | isnotnull(cliBytes_tmp) ? cliBytes_tmp : cliBytes_aux | cliBytes_aux cliBytes_tmp | |
srvPkts | int4 | isnotnull(srvPkts_tmp) ? srvPkts_tmp : srvPkts_aux | srvPkts_tmp srvPkts_aux | |
srvBytes | int8 | isnotnull(srvBytes_tmp) ? srvBytes_tmp : srvBytes_aux | srvBytes_tmp srvBytes_aux | |
duration | int4 | isnotnull(duration_tmp) ? duration_tmp : duration_aux | duration_aux duration_tmp | |
app | str | isnotnull(app_tmp) ? app_tmp : app_aux | app_aux app_tmp | |
app2 | str | isnotnull(app2_tmp) ? app2_tmp : app2_aux | app2_aux app2_tmp | |
user | str | isnotnull(user_tmp) ? user_tmp : user_aux | user_tmp user_aux | |
roles | str | isnotnull(roles_tmp) ? roles_tmp : roles_aux | roles_aux roles_tmp | |
iface | str | isnotnull(iface_tmp) ? iface_tmp : iface_aux | iface_aux iface_tmp | |
icmpType | int4 | isnotnull(icmpType_tmp) ? icmpType_tmp : icmpType_aux | icmpType_tmp icmpType_aux | |
structuredData | str | | | |
encrypted | str | isnotnull(encrypted_tmp) ? encrypted_tmp : encrypted_aux | encrypted_tmp encrypted_aux | |
connectionTag | str | | | |
unknown | str | | | ✓ |
rawMessage | str | | | ✓ |
hostchain | str | | | ✓ |
firewall.juniper.srx.utm
Field | Type | Source field name | Extra fields |
---|
eventdate | timestamp | | |
machine | str | | |
server_date | str | | |
message_source | str | | |
event_category | str | | |
srcIp | ip4 | | |
srcIp_str | str | | |
srcPort | int4 | | |
dstIp | ip4 | | |
dstIp_str | str | | |
dstPort | int4 | | |
srcZone | str | | |
dstZone | str | | |
application | str | | |
nested_application | str | | |
application_sub_category | str | | |
urlcategory_risk | str | | |
name | str | | |
error_message | str | | |
profile_name | str | | |
object_name | str | | |
pathname | str | | |
username | str | | |
roles | str | | |
session_id | str | | |
category | str | | |
reason | str | | |
profile | str | | |
url | str | | |
obj | str | | |
hostchain | str | | ✓ |
tag | str | | ✓ |
rawMessage | str | rawSource | ✓ |
firewall.juniper.ssg.system
Field | Type | Source field name | Extra fields |
---|
eventdate | timestamp | | |
machine | str | | |
product | str | vproduct | |
devModel | str | | |
devId0 | str | | |
severity | str | | |
type | int4 | | |
message | str | | |
hostchain | str | | ✓ |
tag | str | | ✓ |
rawMessage | str | message | ✓ |
firewall.juniper.ssg.traffic
Field | Type | Field transformation | Source field name | Extra fields |
---|
eventdate | timestamp | | | |
machine | str | | | |
product | str | | | |
devModel | str | | | |
devId | str | | | |
severity | str | | | |
type | int4 | | | |
startTime | timestamp | | | |
duration | int4 | isnotnull(duration_tmp) ? duration_tmp : duration_aux | duration_aux duration_tmp | |
policyId | int8 | | | |
service | str | isnotnull(service_tmp) ? service_tmp : service_aux | service_aux service_tmp | |
protocol | int4 | isnotnull(proto_tmp) ? proto_tmp : proto_aux | proto_aux proto_tmp | |
protoStr | str | (protocol = 6) ? "TCP" : (protocol = 17) ? "UDP" : (protocol = 1) ? "ICMP" : null("") | protocol | |
srcZone | str | isnotnull(srcZone_tmp) ? srcZone_tmp : srcZone_aux | srcZone_tmp srcZone_aux | |
dstZone | str | isnotnull(dstZone_tmp) ? dstZone_tmp : dstZone_aux | dstZone_aux dstZone_tmp | |
action | str | | | |
bytesSend | int8 | isnotnull(cliBytes_tmp) ? cliBytes_tmp : cliBytes_aux | cliBytes_aux cliBytes_tmp | |
bytesRecv | int8 | isnotnull(srvBytes_tmp) ? srvBytes_tmp : srvBytes_aux | srvBytes_tmp srvBytes_aux | |
srcIp | ip4 | isnotnull(srcIp_tmp) ? srcIp_tmp : srcIp_aux | srcIp_aux srcIp_tmp | |
srcIp_str | str | isnotnull(srcIp_tmp_str) ? srcIp_tmp_str : srcIp_aux_str | srcIp_tmp_str srcIp_aux_str | |
dstIp | ip4 | isnotnull(dstIp_tmp) ? dstIp_tmp : dstIp_aux | dstIp_aux dstIp_tmp | |
dstIp_str | str | isnotnull(dstIp_tmp_str) ? dstIp_tmp_str : dstIp_aux_str | dstIp_aux_str dstIp_tmp_str | |
srcPort | int4 | isnotnull(srcPort_tmp) ? srcPort_tmp : srcPort_aux | srcPort_tmp srcPort_aux | |
dstPort | int4 | isnotnull(dstPort_tmp) ? dstPort_tmp : dstPort_aux | dstPort_tmp dstPort_aux | |
icmpType | int4 | isnotnull(icmpType_tmp) ? icmpType_tmp : icmpType_aux | icmpType_tmp icmpType_aux | |
icmpCode | int4 | | | |
sessionId | int8 | isnotnull(session_tmp) ? session_tmp : session_aux | session_tmp session_aux | |
srcXIp | ip4 | | | |
srcXPort | int4 | | | |
dstXIp | ip4 | | | |
dstXPort | int4 | | | |
reason | str | isnotnull(reason_tmp) ? reason_tmp : reason_aux | reason_aux reason_tmp | |
unknown | str | | | |
rawMessage | str | | rawSource | ✓ |
hostchain | str | | | ✓ |
tag | str | | | ✓ |
firewall.juniper.system
Field | Type | Source field name | Extra fields |
---|
eventdate | timestamp | | |
machine | str | | |
product | str | vproduct | |
devModel | str | | |
devId0 | str | | |
severity | str | | |
type | int4 | | |
message | str | | |
hostchain | str | | ✓ |
tag | str | | ✓ |
rawMessage | str | message | ✓ |
firewall.juniper.traffic
Field | Type | Field transformation | Source field name | Extra fields |
---|
eventdate | timestamp | | | |
machine | str | | | |
product | str | | vproduct | |
devModel | str | | | |
devId | str | | | |
severity | str | | | |
type | int4 | | | |
startTime | timestamp | | | |
duration | int4 | isnotnull(duration_tmp) ? duration_tmp : duration_aux | duration_aux duration_tmp | |
policyId | int8 | | | |
service | str | isnotnull(service_tmp) ? service_tmp : service_aux | service_aux service_tmp | |
protocol | int4 | isnotnull(proto_tmp) ? proto_tmp : proto_aux | proto_aux proto_tmp | |
protoStr | str | isnotnull(proto) ? proto : ((protocol = 6) ? "TCP" : (protocol = 17) ? "UDP" : (protocol = 1) ? "ICMP" : null("")) | proto protocol | |
srcZone | str | isnotnull(srcZone_tmp) ? srcZone_tmp : srcZone_aux | srcZone_tmp srcZone_aux | |
dstZone | str | isnotnull(dstZone_tmp) ? dstZone_tmp : dstZone_aux | dstZone_aux dstZone_tmp | |
action | str | | | |
cliPkts | int4 | isnotnull(cliPkts_tmp) ? cliPkts_tmp : cliPkts_aux | cliPkts_tmp cliPkts_aux | |
bytesSend | int8 | isnotnull(cliBytes_tmp) ? cliBytes_tmp : cliBytes_aux | cliBytes_aux cliBytes_tmp | |
srvPkts | int4 | isnotnull(srvPkts_tmp) ? srvPkts_tmp : srvPkts_aux | srvPkts_tmp srvPkts_aux | |
bytesRecv | int8 | isnotnull(srvBytes_tmp) ? srvBytes_tmp : srvBytes_aux | srvBytes_tmp srvBytes_aux | |
srcIp | ip4 | isnotnull(srcIp_tmp) ? srcIp_tmp : srcIp_aux | srcIp_aux srcIp_tmp | |
srcIp_str | str | isnotnull(srcIp_tmp_str) ? srcIp_tmp_str : srcIp_aux_str | srcIp_tmp_str srcIp_aux_str | |
dstIp | ip4 | isnotnull(dstIp_tmp) ? dstIp_tmp : dstIp_aux | dstIp_aux dstIp_tmp | |
dstIp_str | str | isnotnull(dstIp_tmp_str) ? dstIp_tmp_str : dstIp_aux_str | dstIp_aux_str dstIp_tmp_str | |
srcPort | int4 | isnotnull(srcPort_tmp) ? srcPort_tmp : srcPort_aux | srcPort_tmp srcPort_aux | |
dstPort | int4 | isnotnull(dstPort_tmp) ? dstPort_tmp : dstPort_aux | dstPort_tmp dstPort_aux | |
icmpType | int4 | isnotnull(icmpType_tmp) ? icmpType_tmp : icmpType_aux | icmpType_tmp icmpType_aux | |
icmpCode | int4 | | | |
sessionId | int8 | isnotnull(session_tmp) ? session_tmp : session_aux | session_tmp session_aux | |
srcXIp | ip4 | | | |
srcXPort | int4 | | | |
dstXIp | ip4 | | | |
dstXPort | int4 | | | |
reason | str | isnotnull(reason_tmp) ? reason_tmp : reason_aux | reason_aux reason_tmp | |
version | str | | | |
pid | str | | | |
natConnetionTag | str | | | |
srcNatRuleType | str | isnotnull(srcNatRuleType_tmp) ? srcNatRuleType_tmp : srcNatRuleType_aux | srcNatRuleType_aux srcNatRuleType_tmp | |
srcNatRule | str | isnotnull(srcNatRule_tmp) ? srcNatRule_tmp : srcNatRule_aux | srcNatRule_aux srcNatRule_tmp | |
dstNatRuleType | str | isnotnull(dstNatRuleType_tmp) ? dstNatRuleType_tmp : dstNatRuleType_aux | dstNatRuleType_tmp dstNatRuleType_aux | |
dstNatRule | str | isnotnull(dstNatRule_tmp) ? dstNatRule_tmp : dstNatRule_aux | dstNatRule_tmp dstNatRule_aux | |
srcNatIp | ip4 | | | |
dstNatIp | ip4 | | | |
policy | str | isnotnull(policy_tmp) ? policy_tmp : policy_aux | policy_aux policy_tmp | |
user | str | isnotnull(user_tmp) ? user_tmp : user_aux | user_tmp user_aux | |
roles | str | isnotnull(roles_tmp) ? roles_tmp : roles_aux | roles_aux roles_tmp | |
iface | str | isnotnull(iface_tmp) ? iface_tmp : iface_aux | iface_aux iface_tmp | |
app | str | isnotnull(app_tmp) ? app_tmp : app_aux | app_aux app_tmp | |
app2 | str | isnotnull(app2_tmp) ? app2_tmp : app2_aux | app2_aux app2_tmp | |
encrypted | str | isnotnull(encrypted_tmp) ? encrypted_tmp : encrypted_aux | encrypted_tmp encrypted_aux | |
structuredData | str | | | |
unknown | str | | | |
rawMessage | str | | rawSource | ✓ |
hostchain | str | | | ✓ |
tag | str | | | ✓ |
Related articles