Collect Juniper NetScreen Firewall logs

Supported in:

Google secops SIEM

This document explains how to set up Juniper NetScreen Firewall logs to be sent to Google Security Operations. The parser extracts fields using grok patterns, handling various syslog formats and JSON payloads. It then maps these extracted fields to the UDM, categorizing events as network connections, user logins, status updates, or generic events based on the presence of specific fields like IP addresses, usernames, and ports.

Before you begin

Ensure that you have administrative access to your Juniper NetScreen Firewall.
Ensure that you have a Google Security Operations instance.

Get Google SecOps ingestion authentication file

Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer IDfrom the Organization Detailssection.

Install the Bindplane agent

Windows installation

Open the Command Promptor PowerShellas an administrator.

Run the following command:

  msiexec 
  
 / 
 i 
  
 "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" 
  
 / 
 quiet

Linux installation

Open a terminal with root or sudo privileges.

Run the following command:

 sudo  
sh  
-c  
 " 
 $( 
curl  
-fsSlL  
https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) 
 " 
  
install_unix.sh

Additional installation resources

For additional installation options, consult this installation guide .

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

Access the configuration file:
1. Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
2. Open the file using a text editor (for example, nano , vi , or Notepad).

Edit the config.yaml file as follows:

  receivers 
 : 
  
 tcplog 
 : 
  
 # Replace the port and IP address as required 
  
 listen_address 
 : 
  
 "0.0.0.0:54525" 
 exporters 
 : 
  
 chronicle/chronicle_w_labels 
 : 
  
 compression 
 : 
  
 gzip 
  
 # Adjust the path to the credentials file you downloaded in Step 1 
  
 creds 
 : 
  
 '/path/to/ingestion-authentication-file.json' 
  
 # Replace with your actual customer ID from Step 2 
  
 customer_id 
 : 
  
< customer_id 
>  
 endpoint 
 : 
  
 malachiteingestion-pa.googleapis.com 
  
 # Add optional ingestion labels for better organization 
  
 ingestion_labels 
 : 
  
 log_type 
 : 
  
 SYSLOG 
  
 namespace 
 : 
  
 juniper_firewall 
  
 raw_log_field 
 : 
  
 body 
 service 
 : 
  
 pipelines 
 : 
  
 logs/source0__chronicle_w_labels-0 
 : 
  
 receivers 
 : 
  
 - 
  
 tcplog 
  
 exporters 
 : 
  
 - 
  
 chronicle/chronicle_w_labels

Replace the port and IP address as required in your infrastructure.
Replace <customer_id> with the actual customer ID.
Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Linux, run the following command:
```
 sudo  
systemctl  
restart  
bindplane-agent 
```
To restart the Bindplane agent in Windows, you can either use the Servicesconsole or enter the following command:
```
 net stop BindPlaneAgent && net start BindPlaneAgent 
```

Configure Juniper Networks NetScreen firewall

Sign in to the Juniper NetScreenweb interface.
Select Configuration > Report settings > Log settings.
Select all the Event severitycheckboxes.
Click Apply.
Select Configuration > Report settings > Syslog.
Select the Enable syslog messagescheckbox.
In the Source interfacelist, select the NetScreeninterface from which the syslog packets need to be sent.
In the Syslog serverssection, select the Enablecheckbox and provide the following:
1. IP/Hostname: enter the Bindplane IP address.
2. Port: enter the Bindplane port number.
3. MDR facility: select Local0facility level.
4. Facility: select Local0facility level.
Click Apply.

UDM Mapping Table

Log Field	UDM Mapping	Logic
`ACTION`	`security_result.action_details`	Directly mapped from the `ACTION` field extracted via GROK and KV filters.
`APPLICATION`	`principal.application`	Directly mapped from the `APPLICATION` field extracted via GROK and KV filters.
`application`	`target.application`	Directly mapped from the `application` field extracted via GROK.
`attack-name`	`security_result.threat_name`	Directly mapped from the `attack-name` field extracted via GROK.
`bytes-from-client`	`network.sent_bytes`	Directly mapped from the `bytes-from-client` field extracted via GROK.
`bytes-from-server`	`network.received_bytes`	Directly mapped from the `bytes-from-server` field extracted via GROK.
`command`	`target.process.command_line`	Directly mapped from the `command` field extracted via GROK.
`destination-address`	`target.ip`	Directly mapped from the `destination-address` field extracted via GROK.
`destination-port`	`target.port`	Directly mapped from the `destination-port` field extracted via GROK.
`destination-zone`	`additional.fields[].value.string_value`	Directly mapped from the `destination-zone` field extracted via GROK and KV filters. The `key` is set to `destination-zone` .
`destination_zone-name`	`security_result.detection_fields[].value`	Directly mapped from the `destination_zone-name` field extracted via GROK. The `key` is set to `dstzone` .
`dst-nat-rule-name`	`security_result.detection_fields[].value`	Directly mapped from the `dst-nat-rule-name` field extracted via GROK. The `key` is set to `dst-nat-rule-name` .
`dst-nat-rule-type`	`security_result.detection_fields[].value`	Directly mapped from the `dst-nat-rule-type` field extracted via GROK. The `key` is set to `dst-nat-rule-type` .
`elapsed-time`	`network.session_duration.seconds`	Directly mapped from the `elapsed-time` field extracted via GROK.
`encrypted`	`security_result.detection_fields[].value`	Directly mapped from the `encrypted` field extracted via GROK. The `key` is set to `encrypted` .
`event_time`	`metadata.event_timestamp`	The timestamp is extracted from the raw log using various GROK patterns, prioritizing `event_time` , then `TIMESTAMP_ISO8601` , and finally `SYSLOGTIMESTAMP` . It is then converted to a timestamp object.
`host`	`principal.hostname` , `intermediary.hostname`	If `type` is `NetScreen` , mapped to `intermediary.hostname` . Otherwise, mapped to `principal.hostname` .
`host_ip`	`intermediary.ip`	Directly mapped from the `host_ip` field extracted via GROK.
`icmp-type`	`network.icmp_type`	Directly mapped from the `icmp-type` field extracted via GROK.
`ident`	`target.application`	Directly mapped from the `ident` field extracted via GROK and JSON filters.
`inbound-bytes`	`network.received_bytes`	Directly mapped from the `inbound-bytes` field extracted via GROK.
`inbound-packets`	`network.received_packets`	Directly mapped from the `inbound-packets` field extracted via GROK.
`ip`	`principal.ip` , `intermediary.ip`	If `type` is `NetScreen` , mapped to `intermediary.ip` . Otherwise, mapped to `principal.hostname` .
`message`	`security_result.description`	If the message is JSON and the `log_message_data` field is not present, the `message` field is used as the description.
`msg_data`	`security_result.summary`	Directly mapped from the `msg_data` field extracted via GROK.
`nat-destination-address`	`target.nat_ip`	Directly mapped from the `nat-destination-address` field extracted via GROK.
`nat-destination-port`	`target.nat_port`	Directly mapped from the `nat-destination-port` field extracted via GROK.
`nat-source-address`	`principal.nat_ip`	Directly mapped from the `nat-source-address` field extracted via GROK.
`nat-source-port`	`principal.nat_port`	Directly mapped from the `nat-source-port` field extracted via GROK.
`outbound-bytes`	`network.sent_bytes`	Directly mapped from the `outbound-bytes` field extracted via GROK.
`outbound-packets`	`network.sent_packets`	Directly mapped from the `outbound-packets` field extracted via GROK.
`packets-from-client`	`network.sent_packets`	Directly mapped from the `packets-from-client` field extracted via GROK.
`packets-from-server`	`network.received_packets`	Directly mapped from the `packets-from-server` field extracted via GROK.
`packet-incoming-interface`	`security_result.detection_fields[].value`	Directly mapped from the `packet-incoming-interface` field extracted via GROK. The `key` is set to `packet-incoming-interface` .
`pid`	`target.process.pid`	Directly mapped from the `pid` field extracted via GROK and JSON filters.
`policy-name`	`security_result.rule_name`	Directly mapped from the `policy-name` field extracted via GROK.
`PROFILE`	`additional.fields[].value.string_value`	Directly mapped from the `PROFILE` field extracted via GROK and KV filters. The `key` is set to `PROFILE` .
`protocol-id` , `protocol-name`	`network.ip_protocol`	Mapped from the `protocol-id` or `protocol-name` field extracted via GROK. The value is converted to the corresponding IP protocol enum.
`REASON`	`additional.fields[].value.string_value`	Directly mapped from the `REASON` field extracted via GROK and KV filters. The `key` is set to `REASON` .
`reason`	`security_result.description`	Directly mapped from the `reason` field extracted via GROK.
`rule-name`	`security_result.rule_name`	Directly mapped from the `rule-name` field extracted via GROK.
`SESSION_ID`	`network.session_id`	Directly mapped from the `SESSION_ID` field extracted via GROK and KV filters.
`service-name`	`security_result.detection_fields[].value`	Directly mapped from the `service-name` field extracted via GROK. The `key` is set to `srvname` .
`source-address`	`principal.ip`	Directly mapped from the `source-address` field extracted via GROK.
`source-port`	`principal.port`	Directly mapped from the `source-port` field extracted via GROK.
`source-zone`	`additional.fields[].value.string_value`	Directly mapped from the `source-zone` field extracted via GROK and KV filters. The `key` is set to `source-zone` .
`source_zone-name`	`security_result.detection_fields[].value`	Directly mapped from the `source_zone-name` field extracted via GROK. The `key` is set to `srczone` .
`src-nat-rule-name`	`security_result.detection_fields[].value`	Directly mapped from the `src-nat-rule-name` field extracted via GROK. The `key` is set to `src-nat-rule-name` .
`src-nat-rule-type`	`security_result.detection_fields[].value`	Directly mapped from the `src-nat-rule-type` field extracted via GROK. The `key` is set to `src-nat-rule-type` .
`subtype`	`metadata.product_event_type`	Directly mapped from the `subtype` field extracted via GROK.
`threat-severity`	`security_result.severity_details`	Directly mapped from the `threat-severity` field extracted via GROK.
`time`	`metadata.event_timestamp`	Directly mapped from the `time` field extracted via GROK and JSON filters. Converted to timestamp object.
`username`	`target.user.userid`	Directly mapped from the `username` field extracted via GROK.
	`metadata.log_type`	Hardcoded to `JUNIPER_FIREWALL` . Hardcoded to `JUNIPER_FIREWALL` or `NetScreen` based on the `type` field. Hardcoded to `JUNIPER_FIREWALL` . Set to ALLOW or BLOCK based on logic in the parser. Set to LOW, MEDIUM, HIGH, INFORMATIONAL, or CRITICAL based on the `subtype` and `severity_details` fields.

Need more help? Get answers from Community members and Google SecOps professionals.