Juniper SRX collector 5.0 not mapping certain fields correctly


Article ID: 158263


Updated On:


Security Information Manager


The Juniper SRX collector 5.0 collects Juniper syslogs and sends them to the SSIM; however, the following fields are not mapped correctly even though the details are present in the raw event:
- source IP
- source port
- destination IP
- destination port

Samples of Juniper SRX syslog formats:

This is an unstructured (traditional syslog) message:

Apr 24 12:30:05  cs-loki3 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1303673404, ANOMALY Attack log <>> for TCP protocol and service HTTP application NONE by rule 3 of rulebase IPS in policy Recommended. attack: repeat=0, action=DROP, threat-severity=HIGH, name=HTTP:INVALID:MSNG-HTTP-VER, NAT <>>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:trust:fe-0/0/2.0->untrust:fe-0/0/3.0, packet-log-id: 0 and misc-message -

This is an example of a structured syslog message:

<28>1 2011-07-19T21:51:03.624Z elza utmd 33838 WEBFILTER_URL_BLOCKED [[email protected] source-address="" source-port="39945" destination-address="" destination-port="80" name="N/A" error-message="by other category" profile-name="UTM-WFCPA" object-name="" pathname="/"] WebFilter: ACTION="URL Blocked"> CATEGORY="N/A" REASON="by other category" PROFILE="UTM-WFCPA"URL= OBJ=/


Syslogs forwarded from the Juniper SRX are being sent in "structured" format, while the collector only supports syslogs in "unstructured" (traditional) format. In a structured message the source/destination address and port values are carried as key="value" parameters inside the bracketed structured-data element (see the second sample above), and the collector does not parse that element, so those fields are left unmapped.


Configure the Juniper SRX to forward syslog events in "unstructured" format.
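To confirm which format the SRX is actually emitting before and after the change, the following added example (not part of this article or of the collector) classifies a syslog line as structured (RFC 5424 header with a structured-data element) or traditional, and shows where the four unmapped fields live in a structured message. The sample lines are constructed after the two formats above, with RFC 5737 addresses and a placeholder SD-ID.

```python
import re

# RFC 5424 header as Junos emits it in "structured" mode:
#   <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID [SD-ELEMENT] MSG
# A traditional line (with or without a <PRI>) has no VERSION field, so it fails here.
RFC5424_RE = re.compile(
    r'^<\d{1,3}>\d+ \S+ \S+ \S+ \S+ (?P<msgid>\S+) '
    r'(?P<sd>\[(?:[^\]\\]|\\.)*\]|-)(?: (?P<msg>.*))?$'
)
# PARAM-NAME="PARAM-VALUE" pairs inside the SD-ELEMENT (values may escape " \ and ])
SD_PARAM_RE = re.compile(r'(?P<key>[^\s=\]"]+)="(?P<val>(?:[^"\\]|\\.)*)"')

# The four fields the article reports as unmapped, keyed by their SD param names.
ENDPOINT_PARAMS = {
    "source-address": "source_ip",
    "source-port": "source_port",
    "destination-address": "destination_ip",
    "destination-port": "destination_port",
}

# Constructed samples modelled on the article's two formats (RFC 5737 addresses;
# the SD-ID "junos@0.0.0" is a placeholder, not the real Junos enterprise id).
SAMPLE_STRUCTURED = (
    '<28>1 2011-07-19T21:51:03.624Z elza utmd 33838 WEBFILTER_URL_BLOCKED '
    '[junos@0.0.0 source-address="192.0.2.10" source-port="39945" '
    'destination-address="198.51.100.7" destination-port="80" name="N/A" '
    'pathname="/"] WebFilter: ACTION="URL Blocked" CATEGORY="N/A"'
)
SAMPLE_UNSTRUCTURED = (
    'Apr 24 12:30:05 cs-loki3 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1303673404, '
    'ANOMALY Attack log for TCP protocol and service HTTP by rule 3 of rulebase IPS'
)

def parse_srx_line(line):
    """Classify one line; for a structured line also pull the endpoint fields
    out of the SD-ELEMENT (None when a param is missing or empty)."""
    result = {"format": "unstructured", "msgid": None}
    result.update({v: None for v in ENDPOINT_PARAMS.values()})
    m = RFC5424_RE.match(line)
    if not m:
        return result  # traditional syslog: the collector parses this itself
    result["format"] = "structured"
    result["msgid"] = m.group("msgid")
    for p in SD_PARAM_RE.finditer(m.group("sd")):
        field = ENDPOINT_PARAMS.get(p.group("key"))
        if field:
            val = re.sub(r'\\(["\\\]])', r'\1', p.group("val"))  # undo RFC 5424 escapes
            result[field] = val or None
    return result
```

Run it over a capture of the collector's inbound feed: any line it reports as "structured" is one the collector will not map, and after reconfiguring the SRX every line should come back "unstructured".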