Juniper SRX collector 5.0 not mapping certain fields correctly

Article ID: 158263

Products

Security Information Manager

Issue/Introduction

Juniper SRX collector 5.0 is collecting Juniper syslogs and sending them to the SSIM; however, the following fields are not mapped correctly even though the details are present in the raw event:
- source IP
- source port
- destination IP
- destination port

Samples of Juniper SRX syslog formats:

This is an unstructured (traditional syslog) message:

Apr 24 12:30:05  cs-loki3 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1303673404, ANOMALY Attack log <64.1.2.1/48397->198.87.233.110/80> for TCP protocol and service HTTP application NONE by rule 3 of rulebase IPS in policy Recommended. attack: repeat=0, action=DROP, threat-severity=HIGH, name=HTTP:INVALID:MSNG-HTTP-VER, NAT <46.0.3.254:55870->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:trust:fe-0/0/2.0->untrust:fe-0/0/3.0, packet-log-id: 0 and misc-message -

This is an example of a structured syslog message:

<28>1 2011-07-19T21:51:03.624Z elza utmd 33838 WEBFILTER_URL_BLOCKED [[email protected] source-address="192.168.1.109" source-port="39945" destination-address="192.168.2.3" destination-port="80" name="N/A" error-message="by other category" profile-name="UTM-WFCPA" object-name="192.168.2.3" pathname="/ss-eicar.com"] WebFilter: ACTION="URL Blocked" 192.168.1.109(39945)->192.168.2.3(80) CATEGORY="N/A" REASON="by other category" PROFILE="UTM-WFCPA"URL=192.168.2.3 OBJ=/ss-eicar.com
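The two samples above differ in where the endpoint fields live: the structured message carries them as name="value" pairs inside the RFC 5424 structured-data block, while the traditional message embeds them in a <src/port->dst/port> tuple. The following script is an added example (not part of this article or of the SSIM collector) that tells the two formats apart and pulls source/destination IP and port out of both, which lets an administrator confirm which format the SRX is actually emitting before and after the reconfiguration described below. The sample lines are constructed from the article's examples; the SD-ID "junos@EXAMPLE-SDID" is a placeholder, not a real Junos identifier.

```python
import re

# Constructed samples modelled on the two formats shown in the article.
UNSTRUCTURED = ('Apr 24 12:30:05  cs-loki3 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1303673404, '
                'ANOMALY Attack log <64.1.2.1/48397->198.87.233.110/80> for TCP protocol and '
                'service HTTP application NONE by rule 3 of rulebase IPS in policy Recommended. '
                'attack: repeat=0, action=DROP, NAT <46.0.3.254:55870->0.0.0.0:0>')
# SD-ID below is a placeholder; a real SRX emits its own junos@... identifier.
STRUCTURED = ('<28>1 2011-07-19T21:51:03.624Z elza utmd 33838 WEBFILTER_URL_BLOCKED '
              '[junos@EXAMPLE-SDID source-address="192.168.1.109" source-port="39945" '
              'destination-address="192.168.2.3" destination-port="80" name="N/A" '
              'error-message="by other category"] WebFilter: ACTION="URL Blocked"')

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ELEMENT ...]
RFC5424_HDR = re.compile(r'^<\d{1,3}>1 \S+ \S+ \S+ \S+ \S+ \[(?P<sd>[^\]]*)\]')
# name="value" pairs inside the structured-data element (values may contain spaces).
SD_PARAM = re.compile(r'(\S+?)="([^"]*)"')
# Traditional RT_IDP / RT_FLOW endpoint tuple: <srcip/srcport->dstip/dstport>
UNSTRUCT_TUPLE = re.compile(r'<(\d+\.\d+\.\d+\.\d+)/(\d+)->(\d+\.\d+\.\d+\.\d+)/(\d+)>')


def detect_format(line):
    """Return 'structured' for an RFC 5424 line with an SD block, else 'unstructured'."""
    return 'structured' if RFC5424_HDR.match(line) else 'unstructured'


def extract_endpoints(line):
    """Return {src_ip, src_port, dst_ip, dst_port} from either format, or None."""
    m = RFC5424_HDR.match(line)
    if m:
        params = dict(SD_PARAM.findall(m.group('sd')))
        try:
            return {'src_ip': params['source-address'], 'src_port': int(params['source-port']),
                    'dst_ip': params['destination-address'],
                    'dst_port': int(params['destination-port'])}
        except KeyError:
            return None  # structured, but this event type carries no endpoint fields
    m = UNSTRUCT_TUPLE.search(line)
    if m:
        return {'src_ip': m.group(1), 'src_port': int(m.group(2)),
                'dst_ip': m.group(3), 'dst_port': int(m.group(4))}
    return None


if __name__ == '__main__':
    for line in (UNSTRUCTURED, STRUCTURED):
        print(detect_format(line), extract_endpoints(line))
```

Feeding captured lines from the SRX into detect_format is a quick way to verify the device is really emitting the traditional format the collector expects; a mix of both results usually means only some log streams were reconfigured.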

Cause

Syslogs forwarded from the Juniper SRX are sent in "structured" format.
The collector only supports syslogs in "unstructured" format.

Resolution

Configure the Juniper SRX to forward syslog events in "unstructured" format.