Juniper
LogZilla App Store application: Juniper
JunOS
Juniper Networks develops and markets networking products, including routers, switches, network management software, network security products, and software-defined networking technology.
This app is focused on Juniper JunOS messages produced by various Juniper Networks hardware units.
App Function
This app handles two different types of JunOS log messages: structured and unstructured. These two message types are explained below.
For structured messages, the app recognizes a wide range of JunOS message
types, not just RT_FLOW (see below under Currently Supported LogTypes).
For each recognized type, the app sets appropriate user tags for fields
contained in that type of log message. More messages will be added over time,
and the user has the option of updating the messages and associated user tags
themselves, if needed (contact LogZilla support for assistance).
For unstructured messages, the app focuses on session-related events (such as
RT_FLOW_SESSION_CREATE, RT_FLOW_SESSION_CLOSE, RT_FLOW_SESSION_DENY),
reformats the log message into key/value pairs, and sets user tags for easier
comprehension.
Vendor Documentation
Log Source Details
| Item | Value |
|---|---|
| Vendor | Juniper Networks |
| Device Type | Routers, switches, and security devices running JunOS |
| Supported Software Version(s) | JunOS 11.x and newer (tested on SRX-series firewalls) |
| Collection Method | Syslog |
| Configurable Log Output? | Partially – JunOS supports both structured and unstructured syslog formats |
| Log Source Type | JunOS syslog |
| Exceptions | N/A |
Currently Supported Log Types
- Structured messages: Any event whose message type (MSGID) is listed in the
RECOGNIZED_MESSAGE_IDSsection of the config file. This includes, but is not limited to:SECINTEL_SERVICE_MANAGEMENTAAMWD_NETWORK_CONNECT_FAILEDAPPTRACK_SESSION_CREATEAPPTRACK_SESSION_CLOSELIBJSNMP_NS_LOG_WARNINGRTLOG_CONN_ERRORLICENSE_EXPIRED_KEY_DELETEDUI_NETCONF_CMDUI_CHILD_STARTUI_CHILD_STATUSRT_FLOW_SESSION_CREATERT_FLOW_SESSION_CLOSERT_FLOW_SESSION_DENY
- Unstructured messages: Session-related events such as
RT_FLOW_SESSION_CREATE,RT_FLOW_SESSION_CLOSE, andRT_FLOW_SESSION_DENYoutput as space-separated fields (see log samples below).
Parsed Metadata Fields
For both structured and unstructured messages the following fields are parsed and (where a Tag Name is given) converted into user tags:
| Tagged | Field Name | Tag Name | Example | Description |
|---|---|---|---|---|
| ☑ | MSGID | msgid | AAMWD_NETWORK_CONNECT_FAILED | JunOS message identifier (event type) |
| ☑ | hostname | hostname | host1.us-west-1.company.net | Host that generated the log |
| ☑ | category-name | category-name | security | JunOS category of the event |
| ☑ | ip-address | SrcIP | 11.22.33.44 | Source IP address |
| ☑ | source-port | SrcPort | dynamic | Source port service |
| ☑ | destination-port | DstPort | https | Destination port service |
| ☑ | destination-address | DstIP | 55.66.77.88 | Destination IP address |
| ☑ | ingress-interface | ingress-interface | reth8.1122 | Physical / logical ingress interface |
| ☑ | service-name | service-name | None | JunOS service name associated with the flow |
| ☑ | policy-name | policy-name | PolicyEnforcer-Rule1-1 | Security policy that matched the flow |
| ☑ | reason | reason | ICMP error | Reason for session close / deny |
| ☑ | application | application | UNKNOWN | Detected application name |
| ☑ | nested-application | nested-application | UNKNOWN | Nested-application name (if any) |
| ☑ | nat-source-address | nat-source-address | 11.22.33.44 | Post-NAT source IP |
| ☑ | nat-destination-address | nat-destination-address | 55.66.77.88 | Post-NAT destination IP |
| ☑ | nat-source-port | nat-source-port | dynamic | Post-NAT source port service |
| ☑ | nat-destination-port | nat-destination-port | dynamic | Post-NAT destination service |
| ☑ | username | username | N/A | Username associated with the event |
| ☑ | src-nat-rule-name | src-nat-rule-name | source-nat-rule | Name of source-NAT rule |
| ☑ | src-nat-rule-type | src-nat-rule-type | source rule | Type of source-NAT rule |
| ☑ | dst-nat-rule-name | dst-nat-rule-name | N/A | Name of destination-NAT rule |
| ☑ | dst-nat-rule-type | dst-nat-rule-type | N/A | Type of destination-NAT rule |
| ☑ | protocol-id | protocol-id | 6 | IP protocol number (TCP=6, UDP=17, …) |
| ☑ | proxy-address | proxy-address | 1.2.3.4 | Proxy server IP (if used) |
| ☑ | proxy-port | proxy-port | 8080 | Proxy server port |
| ☑ | source-zone-name | source-zone-name | trust | Source security zone |
| ☑ | destination-zone-name | destination-zone-name | untrust | Destination security zone |
| ☑ | roles | roles | admin | User roles involved in the event |
| ☑ | encrypted | encrypted | UNKNOWN | Indicates if the session is encrypted |
| ☑ | packet-incoming-interface | packet-incoming-interface | ge-0/0/1.0 | Interface that received the first packet |
| ☑ | stream-name | stream-name | spam | Name of log/event stream |
| ☑ | filename | filename | JUNOS966182 | Filename or key referenced in the log |
| ☑ | error-message | error-message | Unauthorized | Error text returned by the system |
For unstructured messages the event message text is additionally reformatted to consist of key/value pairs. The specific fields that are emitted as keys are as follows:
| Field Key | Example |
|---|---|
reason | TCP SERVER RST |
src | 11.22.33.44 |
dst | 55.66.77.88 |
src-port | 50488 |
dst-port | 48001 |
service | None |
policy | 13101705 |
nat-src | 11.22.33.44 |
nat-src-port | 50488 |
nat-dst | 55.66.77.88 |
nat-dst-port | 48001 |
src-nat-rule | N/A |
dst-nat-rule | N/A |
protocol | 6 |
src-zone | DMZ_One |
dst-zone | DMZ_Two |
session-id | 120095417 |
ingress-interface | reth8.1122 |
High-Cardinality (HC) Tags
SrcIP, DstIP
Log Samples
Structured Message - Session Close
2018-07-13T09:49:21.734Z TESTER RT_FLOW - RT_FLOW_SESSION_CLOSE [[email protected] reason="ICMP error" source-address="11.22.33.44" source-port="1298" destination-address="55.66.77.88" destination-port="53" service-name="None" nat-source-address="11.22.33.44" nat-source-port="8325" nat-destination-address="55.66.77.88" nat-destination-port="53" src-nat-rule-type="source rule" src-nat-rule-name="source-nat-rule" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="PolicyEnforcer-Rule1-1" source-zone-name="trust" destination-zone-name="untrust" session-id-32="20267666" packets-from-client="1" bytes-from-client="64" packets-from-server="0" bytes-from-server="0" elapsed-time="1" application="INCONCLUSIVE" nested-application="INCONCLUSIVE" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/1.0" encrypted="UNKNOWN"]
Structured Message - Network Connect Failed
2024-06-01T12:34:56.789Z TESTER AAMWD - AAMWD_NETWORK_CONNECT_FAILED [[email protected] severity="2" proxy-port="None" proxy-address="None" ip-address="11.22.33.44" hostname="host1.us-west-1.company.net" error-message="Unauthorized" destination-port="443"] <2> Access host srxapi.eu-west-1.sky.junipersecurity.net on ip 52.210.70.159 port 443 proxy None port None Unauthorized.
Unstructured Message - Session Close
RT_FLOW_SESSION_CLOSE: session closed TCP SERVER RST: 11.22.33.44/50488->55.66.77.88/48001 None 11.22.33.44/50488->55.66.77.88/48001 N/A N/A N/A N/A 6 13101705 DMZ_One DMZ_Two 120095417 16(8769) 15(1262) 2 UNKNOWN UNKNOWN N/A(N/A) reth8.1122 UNKNOWN
Unstructured Message - Session Denied
RT_FLOW_SESSION_DENY: session denied 11.22.33.44/36619->55.66.77.88/23 junos-telnet 6(0) default-deny-log untrust DMZ_TESTONE UNKNOWN UNKNOWN N/A(N/A) reth8.88 UNKNOWN policy deny