The Juniper SRX collector 5.0 collects Juniper syslog messages and sends them to the SSIM; however, the following fields are not mapped correctly even though the values are present in the raw event:
- source IP
- source port
- destination IP
- destination port
Samples of Juniper SRX syslog formats:
This is an unstructured (traditional syslog) message:
Apr 24 12:30:05 cs-loki3 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1303673404, ANOMALY Attack log <64.1.2.1/48397->198.87.233.110/80> for TCP protocol and service HTTP application NONE by rule 3 of rulebase IPS in policy Recommended. attack: repeat=0, action=DROP, threat-severity=HIGH, name=HTTP:INVALID:MSNG-HTTP-VER, NAT <46.0.3.254:55870->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:trust:fe-0/0/2.0->untrust:fe-0/0/3.0, packet-log-id: 0 and misc-message -
This is an example of a structured syslog message:
<28>1 2011-07-19T21:51:03.624Z elza utmd 33838 WEBFILTER_URL_BLOCKED [[email protected] source-address="192.168.1.109" source-port="39945" destination-address="192.168.2.3" destination-port="80" name="N/A" error-message="by other category" profile-name="UTM-WFCPA" object-name="192.168.2.3" pathname="/ss-eicar.com"] WebFilter: ACTION="URL Blocked" 192.168.1.109(39945)->192.168.2.3(80) CATEGORY="N/A" REASON="by other category" PROFILE="UTM-WFCPA"URL=192.168.2.3 OBJ=/ss-eicar.com
The syslog messages forwarded from the Juniper SRX are sent in the "structured" format, while the collector only supports messages in the "unstructured" (traditional syslog) format, so the address and port fields are never extracted.
Configure the Juniper SRX to forward syslog events in the "unstructured" format.
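The following script is an added example, not part of this article or of the collector's own parsing code. It shows how to tell the two formats apart and how the four affected fields can be recovered from each, so that a feed can be checked before and after the SRX configuration change. It assumes that a structured message can be recognised by its RFC 5424 header (`<PRI>1 ...`) and that the unstructured IDP message carries the endpoints in the `<SRC/PORT->DST/PORT>` notation seen above; the two sample lines are copied from this article, with the SD-ID (garbled in the article text) replaced by a placeholder.

```python
import re
from typing import Dict, Optional, Union

# Sample lines constructed from the two message formats quoted in the article.
# The structured-data ID is a placeholder; the real Junos SD-ID is not reproduced here.
UNSTRUCTURED_SAMPLE = (
    "Apr 24 12:30:05 cs-loki3 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1303673404, "
    "ANOMALY Attack log <64.1.2.1/48397->198.87.233.110/80> for TCP protocol and service HTTP "
    "application NONE by rule 3 of rulebase IPS in policy Recommended. attack: repeat=0, "
    "action=DROP, threat-severity=HIGH, name=HTTP:INVALID:MSNG-HTTP-VER, "
    "NAT <46.0.3.254:55870->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, "
    "outpackets=0, intf:trust:fe-0/0/2.0->untrust:fe-0/0/3.0, packet-log-id: 0 and misc-message -"
)
STRUCTURED_SAMPLE = (
    "<28>1 2011-07-19T21:51:03.624Z elza utmd 33838 WEBFILTER_URL_BLOCKED "
    '[junos@SDID-PLACEHOLDER source-address="192.168.1.109" source-port="39945" '
    'destination-address="192.168.2.3" destination-port="80" name="N/A" '
    'error-message="by other category" profile-name="UTM-WFCPA" object-name="192.168.2.3" '
    'pathname="/ss-eicar.com"] WebFilter: ACTION="URL Blocked" '
    '192.168.1.109(39945)->192.168.2.3(80) CATEGORY="N/A" REASON="by other category" '
    'PROFILE="UTM-WFCPA"URL=192.168.2.3 OBJ=/ss-eicar.com'
)

# RFC 5424 header: "<PRI>1 TIMESTAMP HOST APP PROCID MSGID [SD-ELEMENT ...] MSG".
_RFC5424_HDR = re.compile(r"^<\d{1,3}>1 ")
# One structured-data element "[SD-ID PARAM="VALUE" ...]"; "\]" inside a value does not end it.
_SD_ELEMENT = re.compile(r"\[([^\s\]]+)((?:[^\]\\]|\\.)*)\]")
# One PARAM="VALUE" pair; values may contain spaces and the escapes \" \] \\ from RFC 5424.
_SD_PARAM = re.compile(r'([\w.-]+)="((?:[^"\\]|\\.)*)"')
# Traditional Junos IDP endpoint notation "<SRC_IP/SRC_PORT->DST_IP/DST_PORT>".
# The NAT tuple in the same message uses "IP:PORT", so it is deliberately not matched.
_IDP_TUPLE = re.compile(
    r"<(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,5})->(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,5})>"
)

Endpoints = Dict[str, Union[str, int]]


def classify(line: str) -> str:
    """Return "structured" for an RFC 5424 message, otherwise "unstructured"."""
    return "structured" if _RFC5424_HDR.match(line) else "unstructured"


def parse_structured(line: str) -> Dict[str, str]:
    """Flatten every SD-PARAM of every SD element in the line into one dict."""
    params: Dict[str, str] = {}
    for _sd_id, body in _SD_ELEMENT.findall(line):
        for name, value in _SD_PARAM.findall(body):
            # Undo the RFC 5424 escapes permitted inside PARAM-VALUE.
            params[name] = re.sub(r'\\(["\]\\])', r"\1", value)
    return params


def endpoints_from_structured(line: str) -> Optional[Endpoints]:
    """Map the Junos SD-PARAMs onto the four collector fields, or None if any is absent."""
    p = parse_structured(line)
    try:
        return {
            "source_ip": p["source-address"],
            "source_port": int(p["source-port"]),
            "destination_ip": p["destination-address"],
            "destination_port": int(p["destination-port"]),
        }
    except (KeyError, ValueError):
        return None


def endpoints_from_unstructured(line: str) -> Optional[Endpoints]:
    """Pull the endpoints out of the traditional "<SRC/PORT->DST/PORT>" notation."""
    m = _IDP_TUPLE.search(line)
    if not m:
        return None
    return {
        "source_ip": m.group(1),
        "source_port": int(m.group(2)),
        "destination_ip": m.group(3),
        "destination_port": int(m.group(4)),
    }


def extract_endpoints(line: str) -> Optional[Endpoints]:
    """Dispatch on the detected format and return the four fields, or None."""
    if classify(line) == "structured":
        return endpoints_from_structured(line)
    return endpoints_from_unstructured(line)


if __name__ == "__main__":
    for sample in (UNSTRUCTURED_SAMPLE, STRUCTURED_SAMPLE):
        print(classify(sample), extract_endpoints(sample))
```

Running `classify` over a few minutes of the live feed is a quick way to confirm which format the SRX is actually emitting; every line reporting "structured" confirms the cause above, and after the configuration change the same check should report only "unstructured". On Junos the structured format is, to my knowledge, enabled per destination with the `structured-data` statement under `system syslog host`; removing that statement reverts that destination to the traditional format, but verify the exact statement against the Junos documentation for the installed release.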