Juniper
LogZilla App Store application: Juniper
Overview
Juniper Networks develops and markets networking products, including routers, switches, network management software, network security products, and software-defined networking technology. JunOS is Juniper's network operating system that runs on their hardware platforms.
The Juniper app processes JunOS log messages from various Juniper Networks hardware units, extracting security and network flow information for analysis.
App Function
The Juniper app processes two types of JunOS log messages:
Structured Messages
- Recognizes a wide range of JunOS message types (see supported log types below)
- Sets appropriate user tags for fields contained in each message type
- Supports extensible message recognition for new event types
Unstructured Messages
- Focuses on session-related events (RT_FLOW_SESSION_CREATE, RT_FLOW_SESSION_CLOSE, RT_FLOW_SESSION_DENY)
- Reformats log messages into key/value pairs
- Creates user tags for easier analysis and filtering
Vendor Documentation
Log Source Details
| Item | Value |
|---|---|
| Vendor | Juniper Networks |
| Device Type | Routers, switches, and security devices running JunOS |
| Supported Software Version(s) | JunOS 11.x and newer (tested on SRX-series firewalls) |
| Collection Method | Syslog |
| Configurable Log Output? | Partially – JunOS supports both structured and unstructured syslog formats |
| Log Source Type | JunOS syslog |
| Exceptions | N/A |
Incoming Log Format
Juniper JunOS devices generate syslog messages in two distinct formats:
Structured Format: key="value" pairs carried inside a bracketed structured-data element, following the RFC 5424 structured-data format.
Unstructured Format: space-separated fields in a fixed order, used primarily for session flow events.
Both formats are processed by the Juniper app to extract relevant security and network flow information.
Supported Log Types
Supported Structured Message Types
Any event whose message type (MSGID) is listed in the RECOGNIZED_MESSAGE_IDS section of the config file. Supported message types include:
- SECINTEL_SERVICE_MANAGEMENT
- AAMWD_NETWORK_CONNECT_FAILED
- APPTRACK_SESSION_CREATE
- APPTRACK_SESSION_CLOSE
- LIBJSNMP_NS_LOG_WARNING
- RTLOG_CONN_ERROR
- LICENSE_EXPIRED_KEY_DELETED
- UI_NETCONF_CMD
- UI_CHILD_START
- UI_CHILD_STATUS
- RT_FLOW_SESSION_CREATE
- RT_FLOW_SESSION_CLOSE
- RT_FLOW_SESSION_DENY
Supported Unstructured Message Types
Session-related events (RT_FLOW_SESSION_CREATE, RT_FLOW_SESSION_CLOSE,
RT_FLOW_SESSION_DENY) output as space-separated fields (see log examples
below).
Parsed Metadata Fields
The Juniper app extracts the following fields from both structured and unstructured messages and converts them into user tags:
| Tagged | Field Name | Tag Name | Example | Description |
|---|---|---|---|---|
| ☑ | MSGID | msgid | AAMWD_NETWORK_CONNECT_FAILED | JunOS message identifier (event type) |
| ☑ | hostname | hostname | host1.us-west-1.company.net | Host that generated the log |
| ☑ | category-name | category-name | security | JunOS category of the event |
| ☑ | ip-address | SrcIP | 11.22.33.44 | Source IP address |
| ☑ | source-port | SrcPort | dynamic | Source port service |
| ☑ | destination-port | DstPort | https | Destination port service |
| ☑ | destination-address | DstIP | 55.66.77.88 | Destination IP address |
| ☑ | ingress-interface | ingress-interface | reth8.1122 | Physical / logical ingress interface |
| ☑ | service-name | service-name | None | JunOS service name associated with the flow |
| ☑ | policy-name | policy-name | PolicyEnforcer-Rule1-1 | Security policy that matched the flow |
| ☑ | reason | reason | ICMP error | Reason for session close / deny |
| ☑ | application | application | UNKNOWN | Detected application name |
| ☑ | nested-application | nested-application | UNKNOWN | Nested-application name (if any) |
| ☑ | nat-source-address | nat-source-address | 11.22.33.44 | Post-NAT source IP |
| ☑ | nat-destination-address | nat-destination-address | 55.66.77.88 | Post-NAT destination IP |
| ☑ | nat-source-port | nat-source-port | dynamic | Post-NAT source port service |
| ☑ | nat-destination-port | nat-destination-port | dynamic | Post-NAT destination service |
| ☑ | username | username | N/A | Username associated with the event |
| ☑ | src-nat-rule-name | src-nat-rule-name | source-nat-rule | Name of source-NAT rule |
| ☑ | src-nat-rule-type | src-nat-rule-type | source rule | Type of source-NAT rule |
| ☑ | dst-nat-rule-name | dst-nat-rule-name | N/A | Name of destination-NAT rule |
| ☑ | dst-nat-rule-type | dst-nat-rule-type | N/A | Type of destination-NAT rule |
| ☑ | protocol-id | protocol-id | 6 | IP protocol number (TCP=6, UDP=17, …) |
| ☑ | proxy-address | proxy-address | 1.2.3.4 | Proxy server IP (if used) |
| ☑ | proxy-port | proxy-port | 8080 | Proxy server port |
| ☑ | source-zone-name | source-zone-name | trust | Source security zone |
| ☑ | destination-zone-name | destination-zone-name | untrust | Destination security zone |
| ☑ | roles | roles | admin | User roles involved in the event |
| ☑ | encrypted | encrypted | UNKNOWN | Indicates if the session is encrypted |
| ☑ | packet-incoming-interface | packet-incoming-interface | ge-0/0/1.0 | Interface that received the first packet |
| ☑ | stream-name | stream-name | spam | Name of log/event stream |
| ☑ | filename | filename | JUNOS966182 | Filename or key referenced in the log |
| ☑ | error-message | error-message | Unauthorized | Error text returned by the system |
Unstructured Message Key/Value Pairs
For unstructured messages, the app reformats the event message text into key/value pairs. The following fields are extracted:
| Field Key | Example |
|---|---|
| reason | TCP SERVER RST |
| src | 11.22.33.44 |
| dst | 55.66.77.88 |
| src-port | 50488 |
| dst-port | 48001 |
| service | None |
| policy | 13101705 |
| nat-src | 11.22.33.44 |
| nat-src-port | 50488 |
| nat-dst | 55.66.77.88 |
| nat-dst-port | 48001 |
| src-nat-rule | N/A |
| dst-nat-rule | N/A |
| protocol | 6 |
| src-zone | DMZ_One |
| dst-zone | DMZ_Two |
| session-id | 120095417 |
| ingress-interface | reth8.1122 |
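A parser for both formats described above, added here as an example and not the LogZilla app's own code: it turns the page's unstructured RT_FLOW_SESSION_CLOSE example into the key names of the table above and pulls the key="value" pairs out of a structured message, including one with trailing free text after the bracketed element. The unstructured field order is assumed to match the field order of the page's structured session-close example, and the SD-ID after `junos@` is a labelled placeholder.

```python
import re
# Constructed samples modelled on the page's log examples (not LogZilla app code).
CLOSE_LINE = ("RT_FLOW_SESSION_CLOSE: session closed TCP SERVER RST: "
              "11.22.33.44/50488->55.66.77.88/48001 None "
              "11.22.33.44/50488->55.66.77.88/48001 N/A N/A N/A N/A 6 13101705 "
              "DMZ_One DMZ_Two 120095417 16(8769) 15(1262) 2 UNKNOWN UNKNOWN "
              "N/A(N/A) reth8.1122 UNKNOWN")
# "SD-ID-PLACEHOLDER" stands in for the numeric SD-ID a real device sends after junos@.
STRUCT_LINE = ('2018-07-13T09:49:21.734Z TESTER RT_FLOW - RT_FLOW_SESSION_CLOSE '
               '[junos@SD-ID-PLACEHOLDER reason="ICMP error" source-address="11.22.33.44" '
               'source-port="1298" destination-address="55.66.77.88" destination-port="53" '
               'protocol-id="6" policy-name="PolicyEnforcer-Rule1-1"] trailing free text')

FLOW_RE = re.compile(r"^([^/\s]+)/(\d+)->([^/\s]+)/(\d+)$")  # ip/port->ip/port
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')                     # key="value", value may hold spaces

def parse_structured(line):
    """Return (MSGID, {key: value}) for an RFC 5424 structured-data JunOS message."""
    m = re.search(r"(\S+)\s+\[(\S+@\S+)\s+(.*?)\]", line)  # MSGID precedes [SD-ID ...]
    if not m:
        return None
    msgid, _sd_id, body = m.groups()
    return msgid, dict(KV_RE.findall(body))

def _flow(token, src_key, dst_key):
    """Split 'a.b.c.d/port->e.f.g.h/port' into four keys named after the table."""
    m = FLOW_RE.match(token)
    if not m:
        raise ValueError(f"bad flow tuple: {token!r}")
    src, sport, dst, dport = m.groups()
    return {src_key: src, src_key + "-port": sport, dst_key: dst, dst_key + "-port": dport}

def parse_session_close(line):
    """Map the fixed-order unstructured RT_FLOW_SESSION_CLOSE fields to the app's keys."""
    head, sep, rest = line.partition(": session closed ")
    if head != "RT_FLOW_SESSION_CLOSE" or not sep:
        return None                           # not a CLOSE message; CREATE/DENY differ in layout
    reason, _, fields = rest.partition(": ")  # the reason text ends at the first ": "
    t = fields.split()
    if len(t) != 20:                          # fixed-order format: reject what does not fit
        raise ValueError(f"expected 20 fields, got {len(t)}")
    kv = {"reason": reason, "service": t[1],
          **_flow(t[0], "src", "dst"), **_flow(t[2], "nat-src", "nat-dst")}
    # Assumed order (as in the structured example): t[3..6] are src-nat-rule-type,
    # src-nat-rule-name, dst-nat-rule-type, dst-nat-rule-name; the table keeps the names.
    kv.update({"src-nat-rule": t[4], "dst-nat-rule": t[6], "protocol": t[7],
               "policy": t[8], "src-zone": t[9], "dst-zone": t[10],
               "session-id": t[11], "ingress-interface": t[18]})
    return kv
```

A line with a different token count is rejected rather than guessed at, so a parser change on the device side surfaces as an error instead of silently shifted fields.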
High-Cardinality (HC) Tags
- SrcIP
- DstIP
Log Examples
Structured Message - Session Close
```text
2018-07-13T09:49:21.734Z TESTER RT_FLOW - RT_FLOW_SESSION_CLOSE [[email protected] reason="ICMP error" source-address="11.22.33.44" source-port="1298" destination-address="55.66.77.88" destination-port="53" service-name="None" nat-source-address="11.22.33.44" nat-source-port="8325" nat-destination-address="55.66.77.88" nat-destination-port="53" src-nat-rule-type="source rule" src-nat-rule-name="source-nat-rule" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="PolicyEnforcer-Rule1-1" source-zone-name="trust" destination-zone-name="untrust" session-id-32="20267666" packets-from-client="1" bytes-from-client="64" packets-from-server="0" bytes-from-server="0" elapsed-time="1" application="INCONCLUSIVE" nested-application="INCONCLUSIVE" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/1.0" encrypted="UNKNOWN"]
```
Structured Message - Network Connect Failed
```text
2024-06-01T12:34:56.789Z TESTER AAMWD - AAMWD_NETWORK_CONNECT_FAILED [[email protected] severity="2" proxy-port="None" proxy-address="None" ip-address="11.22.33.44" hostname="host1.us-west-1.company.net" error-message="Unauthorized" destination-port="443"] <2> Access host srxapi.eu-west-1.sky.junipersecurity.net on ip 52.210.70.159 port 443 proxy None port None Unauthorized.
```
Unstructured Message - Session Close
```text
RT_FLOW_SESSION_CLOSE: session closed TCP SERVER RST: 11.22.33.44/50488->55.66.77.88/48001 None 11.22.33.44/50488->55.66.77.88/48001 N/A N/A N/A N/A 6 13101705 DMZ_One DMZ_Two 120095417 16(8769) 15(1262) 2 UNKNOWN UNKNOWN N/A(N/A) reth8.1122 UNKNOWN
```
Unstructured Message - Session Denied
```text
RT_FLOW_SESSION_DENY: session denied 11.22.33.44/36619->55.66.77.88/23 junos-telnet 6(0) default-deny-log untrust DMZ_TESTONE UNKNOWN UNKNOWN N/A(N/A) reth8.88 UNKNOWN policy deny
```