The tags beginning with firewall.juniper identify log events generated by the following Juniper technologies:
...
The full tag must have at least three levels. The first two are fixed as firewall.juniper. The third level identifies the technology type and must be one of isg, nsm, srx, ssg, system or traffic. The fourth element is usually required and you are free to define it as you like.
technology | brand | type | subtype | junos release
---|---|---|---|---
firewall | juniper | isg, nsm, srx, ssg, system or traffic | usually required and fixed depending on type | appended to
Therefore, the valid tags include:
...
For more information, read more about Devo tags.
...
Firewall Juniper ISG / SSG
It is not possible to send system and traffic events to different ports on the same remote machine (in this case, the Devo Relay). Therefore, two relay rules are needed to identify and tag the different event types received on the same port.
...
Rule 1: Identify "traffic" type events
Source Port → 514
Source Message → "\\[Root]system-[^][0-9](traffic):"
Target Tag → firewall.juniper.isg.traffic
Check the Stop Processing checkbox
Rule 2: Tag all other events received from the Juniper IP as "system"
IP → <Juniper IP address>
Source Port → 514
Target Tag → firewall.juniper.isg.system (all the rest)
Firewall Juniper SRX Series
...
You need to set up new relay rules to handle the SRX events received on port 514 and tag them correctly as firewall.juniper.srx.<subtype>.
Essentially, these rules identify the syslog tag contained in the inbound event so that when there's a match, the correct tag is applied to the event and the event is forwarded to the Devo Cloud without further processing on the relay.
...
Rule 1: Tag events containing the syslog tag RT_FLOW as "traffic"
Source Port → 514
Source Tag → RT_FLOW
Target Tag → firewall.juniper.srx.traffic (or firewall.juniper.srx.traffic.vXX)
Check the Stop Processing checkbox
Rule 2: Tag events containing the syslog tag RT_UTM as "utm"
Source Port → 514
Source Tag → RT_UTM
Target Tag → firewall.juniper.srx.utm
Check the Stop Processing checkbox
Rule 3: Tag events containing the syslog tag RT_IDP as "idp"
Source Port → 514
Source Tag → RT_IDP
Target Tag → firewall.juniper.srx.idp
Check the Stop Processing checkbox
Rule 4: Tag all other events received on port 514 as "system"
Source Port → 514
Target Tag → firewall.juniper.srx.system
Check the Sent without syslog tag checkbox
...
Rule 1: Tag events containing the syslog tag RT_FLOW as "traffic"
Source Port → 13003
Source Data → ^.*? RT_FLOW - .*$
Target Tag → firewall.juniper.srx.traffic
Check the Stop Processing and Sent without syslog tag checkboxes
Rule 2: Tag events containing the syslog tag RT_UTM as "utm"
Source Port → 13003
Source Data → ^.*? RT_UTM - .*$
Target Tag → firewall.juniper.srx.utm
Check the Stop Processing and Sent without syslog tag checkboxes
Rule 3: Tag events containing the syslog tag RT_IDP as "idp"
Source Port → 13003
Source Data → ^.*? RT_IDP - .*$
Target Tag → firewall.juniper.srx.idp
Check the Stop Processing and Sent without syslog tag checkboxes
Rule 4: Tag all other events received on the same port as "system"
IP → <Juniper IP>
Source Port → 13003
Target Tag → firewall.juniper.srx.system
Check the Sent without syslog tag checkbox
...
```
set security policies global policy default-deny match source-address any
set security policies global policy default-deny match destination-address any
set security policies global policy default-deny match application any
set security policies global policy default-deny then deny
set security policies global policy default-deny then log session-init
```
Table structure
These are the fields displayed in these tables:
firewall.juniper.srx.probe

Field | Type | Extra Label
---|---|---
eventdate | | -
machine | | -
type | | -
interfaceName | | -
name | | -
testOwner | | -
snmpInterfaceIndex | | -
testName | | -
message | | -
adminStatus | | -
operationalStatus | | -
hostchain | | ✓
tag | | ✓
rawMessage | | ✓
firewall.juniper.srx.traffic

Field | Type | Extra Label
---|---|---
eventdate | timestamp | -
machine | str | -
serverdate | str | -
hostname | str | -
process_name | str | -
pid | str | -
log_type | str | -
platform | str | -
username | str | -
authentication_level | str | -
client_ip | ip4 | -
client_port | str | -
destination_ip | ip4 | -
destination_port | str | -
message | str | -
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓
firewall.juniper.srx.utm

Field | Type | Extra Label
---|---|---
eventdate | timestamp | -
machine | str | -
srcIp | ip4 | -
srcIp_str | str | -
srcPort | int4 | -
dstIp | ip4 | -
dstPort | int4 | -
name | str | -
error_message | str | -
profile_name | str | -
object_name | str | -
pathname | str | -
username | str | -
roles | str | -
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓
firewall.juniper.system

Field | Type | Extra Label
---|---|---
eventdate | timestamp | -
machine | str | -
product | str | -
devModel | str | -
devId0 | str | -
severity | str | -
type | int4 | -
message | str | -
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓
firewall.juniper.traffic

Field | Type | Extra Label
---|---|---
eventdate | timestamp | -
machine | str | -
product | str | -
devModel | str | -
devId | str | -
severity | str | -
type | int4 | -
startTime | timestamp | -
duration | int4 | -
policyId | int8 | -
service | str | -
protocol | int4 | -
protoStr | str | -
srcZone | str | -
dstZone | str | -
action | str | -
cliPkts | int4 | -
bytesSend | int8 | -
srvPkts | int4 | -
bytesRecv | int8 | -
srcIp | ip4 | -
srcIp_str | str | -
dstIp | ip4 | -
srcPort | int4 | -
dstPort | int4 | -
icmpType | int4 | -
icmpCode | int4 | -
sessionId | int8 | -
srcXIp | ip4 | -
srcXPort | int4 | -
dstXIp | ip4 | -
dstXPort | int4 | -
reason | str | -
version | str | -
pid | str | -
natConnetionTag | str | -
srcNatRuleType | str | -
srcNatRule | str | -
dstNatRuleType | str | -
dstNatRule | str | -
srcNatIp | ip4 | -
dstNatIp | ip4 | -
policy | str | -
user | str | -
roles | str | -
iface | str | -
app | str | -
app2 | str | -
encrypted | str | -
structuredData | str | -
unknown | str | -
rawMessage | str |
Remaining rows of a further table whose tag name and leading rows are not on the page:

Field | Type | Extra Label
---|---|---
srcZone | str | -
srcIface | str | -
srcIp | ip4 | -
srcIp_str | str | -
srcPort | int4 | -
srcXIp | ip4 | -
srcXPort | int4 | -
dstZone | str | -
dstIface | str | -
dstIp | ip4 | -
dstPort | int4 | -
dstXIp | ip4 | -
dstXPort | int4 | -
proto | str | -
policyDomain | str | -
policyDomainVer | str | -
policyName | str | -
rulebase | str | -
ruleNumber | str | -
ruleNumber2 | str | -
action | str | -
severity | str | -
isAlert | str | -
details | str | -
user | str | -
app | str | -
uri | str | -
elapsedSecs | int4 | -
bytesIn | int8 | -
bytesOut | int8 | -
bytesTotal | int8 | -
pktsIn | int4 | -
pktsOut | int4 | -
pktsTotal | int4 | -
repeatCount | int4 | -
hasData | str | -
data | str | -
appliService | str | -
deviceFamily | str | -
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓
firewall.juniper.srx.idp

Field | Type | Extra Label
---|---|---
eventdate | timestamp | -
machine | str | -
type | str | -
attack_name | str | -
source_address | ip4 | -
source_port | int4 | -
destination_address | ip4 | -
destination_port | int4 | -
protocol_id | str | -
source_zone_name | str | -
interface_name | str | -
action | str | -
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓
Field | Type | Field transformation | Source field name | Extra fields
---|---|---|---|---
eventdate | | | |
machine | | | |
product | | | vproduct |
devId | | | |
severity | | | |
type | | | |
startTime | | | |
duration | | | duration_aux duration_tmp |
policyId | | | |
service | | | service_aux service_tmp |
protocol | | | proto_aux proto_tmp |
protoStr | | | protocol |
srcZone | | | srcZone_tmp srcZone_aux |
dstZone | | | dstZone_aux dstZone_tmp |
action | | | |
bytesSend | | | cliBytes_aux cliBytes_tmp |
bytesRecv | | | srvBytes_tmp srvBytes_aux |
srcIp | | | srcIp_aux srcIp_tmp |
srcIp_str | | | srcIp_tmp_str srcIp_aux_str |
dstIp | | | dstIp_aux dstIp_tmp |
dstIp_str | | | dstIp_aux_str dstIp_tmp_str |
srcPort | | | srcPort_tmp srcPort_aux |
dstPort | | | dstPort_tmp dstPort_aux |
icmpType | | | icmpType_tmp icmpType_aux |
icmpCode | | | |
sessionId | | | session_tmp session_aux |
srcXIp | | | |
srcXPort | | | |
dstXIp | | | |
dstXPort | | | |
reason | | | reason_aux reason_tmp |
unknown | | | |
hostchain | | | | ✓
tag | | | | ✓
rawMessage | | | rawSource | ✓
Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | | |
machine | | |
logDayId | | |
logRecordId | | |
timeReceived | | |
timeGenerated | | |
deviceDomain | | |
deviceDomainVer | | |
deviceName | | |
deviceIp | | |
category | | |
subCategory | | |
srcZone | | |
srcIface | | |
srcIp | | |
srcIp_str | | |
srcPort | | |
srcXIp | | |
srcXPort | | |
dstZone | | |
dstIface | | |
dstIp | | |
dstIp_str | | |
dstPort | | |
dstXIp | | |
dstXPort | | |
proto | | |
policyDomain | | |
policyDomainVer | | |
policyName | | |
rulebase | | |
ruleNumber | | |
ruleNumber2 | | |
action | | |
severity | | |
isAlert | | |
details | | |
user | | |
app | | |
uri | | |
elapsedSecs | | |
bytesIn | | |
bytesOut | | |
bytesTotal | | |
pktsIn | | |
pktsOut | | |
pktsTotal | | |
repeatCount | | |
hasData | | |
data | | |
appliService | | |
deviceFamily | | |
hostchain | | | ✓
tag | | | ✓
rawMessage | | rawSource | ✓
Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | | |
machine | | |
type | | |
attack_name | | |
source_address | | |
source_port | | |
destination_address | | |
destination_port | | |
protocol_id | | |
source_zone_name | | |
interface_name | | |
action | | |
hostchain | | | ✓
tag | | | ✓
rawMessage | | rawSource | ✓
Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | | |
machine | | |
type | | |
interfaceName | | |
snmpInterfaceIndex | | |
adminStatus | | |
operationalStatus | | |
testName | | |
testOwner | | |
name | | |
message | | |
rawMessage | | rawSource | ✓
hostchain | | | ✓
tag | | | ✓
Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | | |
machine | | rawHostName |
serverdate | | |
hostname | | |
process_name | | |
pid | | |
log_type | | |
platform | | |
username | | |
authentication_level | | |
client_ip | | |
client_port | | |
destination_ip | | |
destination_port | | |
message | | |
hostchain | | | ✓
tag | | | ✓
rawMessage | | | ✓
Field | Type | Field transformation | Source field name | Extra fields
---|---|---|---|---
eventdate | | | |
machine | | | |
tag | | | |
version | | | |
server_date | | | |
message_source | | | |
action_name | | | action_prefix action |
action | | | |
srcIp | | | srcIp_aux srcIp_tmp |
srcIp_str | | | srcIp_tmp_str srcIp_aux_str |
srcPort | | | srcPort_tmp srcPort_aux |
dstIp | | | dstIp_aux dstIp_tmp |
dstIp_str | | | dstIp_aux_str dstIp_tmp_str |
dstPort | | | dstPort_tmp dstPort_aux |
service | | | service_aux service_tmp |
srcXIp | | | |
srcXPort | | | |
dstXIp | | | |
dstXPort | | | |
natConnetionTag | | | |
srcNatRuleType | | | srcNatRuleType_aux srcNatRuleType_tmp |
srcNatRule | | | srcNatRule_aux srcNatRule_tmp |
dstNatRuleType | | | dstNatRuleType_tmp dstNatRuleType_aux |
dstNatRule | | | dstNatRule_tmp dstNatRule_aux |
srcNatIp | | | |
dstNatIp | | | |
proto | | | proto_aux proto_tmp |
protoStr | | | proto |
policy | | | policy_aux policy_tmp |
srcZone | | | srcZone_tmp srcZone_aux |
dstZone | | | dstZone_aux dstZone_tmp |
session | | | session_tmp session_aux |
reason | | | reason_aux reason_tmp |
cliPkts | | | cliPkts_tmp cliPkts_aux |
cliBytes | | | cliBytes_aux cliBytes_tmp |
srvPkts | | | srvPkts_tmp srvPkts_aux |
srvBytes | | | srvBytes_tmp srvBytes_aux |
duration | | | duration_aux duration_tmp |
app | | | app_aux app_tmp |
app2 | | | app2_aux app2_tmp |
user | | | user_tmp user_aux |
roles | | | roles_aux roles_tmp |
iface | | | iface_aux iface_tmp |
icmpType | | | icmpType_tmp icmpType_aux |
structuredData | | | |
encrypted | | | encrypted_tmp encrypted_aux |
connectionTag | | | |
unknown | | | | ✓
rawMessage | | | | ✓
hostchain | | | | ✓
Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | | |
machine | | |
server_date | | |
message_source | | |
event_category | | |
srcIp | | |
srcIp_str | | |
srcPort | | |
dstIp | | |
dstIp_str | | |
dstPort | | |
srcZone | | |
dstZone | | |
application | | |
nested_application | | |
application_sub_category | | |
urlcategory_risk | | |
name | | |
error_message | | |
profile_name | | |
object_name | | |
pathname | | |
username | | |
roles | | |
session_id | | |
category | | |
reason | | |
profile | | |
url | | |
obj | | |
hostchain | | | ✓
tag | | | ✓
rawMessage | | rawSource | ✓
Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | | |
machine | | |
product | | vproduct |
devModel | | |
devId0 | | |
severity | | |
type | | |
message | | |
hostchain | | | ✓
tag | | | ✓
rawMessage | | message | ✓
Field | Type | Field transformation | Source field name | Extra fields
---|---|---|---|---
eventdate | | | |
machine | | | |
product | | | |
devModel | | | |
devId | | | |
severity | | | |
type | | | |
startTime | | | |
duration | | | duration_aux duration_tmp |
policyId | | | |
service | | | service_aux service_tmp |
protocol | | | proto_aux proto_tmp |
protoStr | | | protocol |
srcZone | | | srcZone_tmp srcZone_aux |
dstZone | | | dstZone_aux dstZone_tmp |
action | | | |
bytesSend | | | cliBytes_aux cliBytes_tmp |
bytesRecv | | | srvBytes_tmp srvBytes_aux |
srcIp | | | srcIp_aux srcIp_tmp |
srcIp_str | | | srcIp_tmp_str srcIp_aux_str |
dstIp | | | dstIp_aux dstIp_tmp |
dstIp_str | | | dstIp_aux_str dstIp_tmp_str |
srcPort | | | srcPort_tmp srcPort_aux |
dstPort | | | dstPort_tmp dstPort_aux |
icmpType | | | icmpType_tmp icmpType_aux |
icmpCode | | | |
sessionId | | | session_tmp session_aux |
srcXIp | | | |
srcXPort | | | |
dstXIp | | | |
dstXPort | | | |
reason | | | reason_aux reason_tmp |
unknown | | | |
rawMessage | | | rawSource | ✓
hostchain | | | | ✓
tag | | | | ✓
Field | Type | Source field name | Extra fields
---|---|---|---
eventdate | | |
machine | | |
product | | vproduct |
devModel | | |
devId0 | | |
severity | | |
type | | |
message | | |
hostchain | | | ✓
tag | | | ✓
rawMessage | | message | ✓
Field | Type | Field transformation | Source field name | Extra fields
---|---|---|---|---
eventdate | | | |
machine | | | |
product | | | vproduct |
devModel | | | |
devId | | | |
severity | | | |
type | | | |
startTime | | | |
duration | | | duration_aux duration_tmp |
policyId | | | |
service | | | service_aux service_tmp |
protocol | | | proto_aux proto_tmp |
protoStr | | | proto protocol |
srcZone | | | srcZone_tmp srcZone_aux |
dstZone | | | dstZone_aux dstZone_tmp |
action | | | |
cliPkts | | | cliPkts_tmp cliPkts_aux |
bytesSend | | | cliBytes_aux cliBytes_tmp |
srvPkts | | | srvPkts_tmp srvPkts_aux |
bytesRecv | | | srvBytes_tmp srvBytes_aux |
srcIp | | | srcIp_aux srcIp_tmp |
srcIp_str | | | srcIp_tmp_str srcIp_aux_str |
dstIp | | | dstIp_aux dstIp_tmp |
dstIp_str | | | dstIp_aux_str dstIp_tmp_str |
srcPort | | | srcPort_tmp srcPort_aux |
dstPort | | | dstPort_tmp dstPort_aux |
icmpType | | | icmpType_tmp icmpType_aux |
icmpCode | | | |
sessionId | | | session_tmp session_aux |
srcXIp | | | |
srcXPort | | | |
dstXIp | | | |
dstXPort | | | |
reason | | | reason_aux reason_tmp |
version | | | |
pid | | | |
natConnetionTag | | | |
srcNatRuleType | | | srcNatRuleType_aux srcNatRuleType_tmp |
srcNatRule | | | srcNatRule_aux srcNatRule_tmp |
dstNatRuleType | | | dstNatRuleType_tmp dstNatRuleType_aux |
dstNatRule | | | dstNatRule_tmp dstNatRule_aux |
srcNatIp | | | |
dstNatIp | | | |
policy | | | policy_aux policy_tmp |
user | | | user_tmp user_aux |
roles | | | roles_aux roles_tmp |
iface | | | iface_aux iface_tmp |
app | | | app_aux app_tmp |
app2 | | | app2_aux app2_tmp |
encrypted | | | encrypted_tmp encrypted_aux |
structuredData | | | |
unknown | | | |
rawMessage | | | rawSource | ✓
hostchain | | | | ✓
tag | | | | ✓