Console
    Contact Us Start free

    Collect Juniper Junos logs

    Supported in:

    This document describes how you can collect Juniper Junos logs by using a Google Security Operations forwarder.

    For more information, see Data ingestion to Google Security Operations .

    An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the JUNIPER_JUNOS ingestion label.

    Configure structured logging for a Juniper Networks SRX device

    Structured log format extracts information from log messages. The log format complies with the Syslog protocol .

    1. Sign in to Juniper SRX CLIusing SSH to its management IP address.
    2. Type CLI at the shell prompt and press enter .
    3. Type configure and press enter to get into the configuration mode of the device.
    4. Enter the contact details or customer reference point.

    5. To map the fields to the user account, run the following commands:

       set system syslog host FORWARDER_IP_ADDRESS 
any info

   set system syslog host FORWARDER_IP_ADDRESS 
structured-data

      Replace FORWARDER_IP_ADDRESS with the IP address of the Google Security Operations forwarder.

    6. To enable the structured logging for security logs, use the following commands:

         
 set 
  
 security 
  
 log 
  
 mode 
  
 stream 
  
 set 
  
 security 
  
 log 
  
 source 
 - 
 address 
  
  SRC_IP_ADDRESS 
 
  
 set 
  
 security 
  
 log 
  
 stream 
  
  SYSLOG_STREAM_NAME 
 
  
 host 
  
  FORWARDER_IP_ADDRESS 
 
  
 set 
  
 security 
  
 log 
  
 stream 
  
  SYSLOG_STREAM_NAME 
 
  
 format 
  
 sd 
 - 
 syslog

      Replace the following:

      • SRC_IP_ADDRESS : the IP address of the Juniper SRX device.

      • SYSLOG_STREAM_NAME : the name which is assigned to the syslog server.

      • FORWARDER_IP_ADDRESS : the IP address of the Google Security Operations forwarder.

    7. Make sure that logging is enabled on all the security policies. To enable logging, run the following commands:

       set security policies from-zone <zone-name1> to-zone <zone-name2> policy <policy-name> then log session-close

   set security policies from-zone <zone-name1> to-zone <zone-name2> policy <policy-name> then log session-init

    8. Configure the hostname on the device using the following command:

       set system host-name HOSTNAME

      Replace HOSTNAME with the assigned Juniper Networks SRX device.

    9. Enter commit to save the executed commands in the configuration.

    Configure Google Security Operations forwarder and syslog to ingest Juniper Junos logs

    1. Select SIEM Settings > Forwarders.
    2. Click Add new forwarder.
    3. Enter a unique name in the Forwarder namefield.
    4. Click Submitand then click Confirm. The forwarder is added and the Add collector configurationwindow appears.
    5. In the Collector namefield, enter a unique name for the collector.
    6. Select Juniper Junosas the Log type.
    7. Select Syslogas the Collector type.
    8. Configure the following input parameters:
      • Protocol: specify the protocol as UDP.
      • Address: specify the target IP address or hostname where the collector resides and listens for syslog data.
      • Port: specify the target port where the collector resides and listens for syslog data.
    9. Click Submit.

    For more information about Google Security Operations forwarders, see Google Security Operations forwarders documentation . For information about requirements for each forwarder type, see Forwarder configuration by type . If you encounter issues when you create forwarders, contact Google Security Operations support .

    Field mapping reference

    This parser extracts fields from Juniper JUNOS syslog messages, handling both key-value and non-key-value formats. It uses grok patterns to match various message structures, including firewall logs, SSH activity, and command executions, then maps the extracted fields to the UDM. The parser also handles CEF formatted logs using an include file and performs specific actions based on the message content, such as merging IP addresses and usernames into appropriate UDM fields.

    UDM mapping table

    Log Field UDM Mapping Logic
    DPT
    		target.port The destination port of the network connection, converted to an integer.
    DST
    		target.ip The destination IP address of the network connection.
    FLAG
    		additional.fields{}.key : "FLAG", additional.fields{}.value.string_value : Value of FLAG The TCP flag associated with the network connection.
    ID
    		additional.fields{}.key : "ID", additional.fields{}.value.string_value : Value of ID The IP identification field.
    IN
    		additional.fields{}.key : "IN", additional.fields{}.value.string_value : Value of IN The incoming network interface.
    LEN
    		additional.fields{}.key : "LEN", additional.fields{}.value.string_value : Value of LEN The length of the IP packet.
    MAC
    		principal.mac The MAC address extracted from the MAC field.
    OUT
    		additional.fields{}.key : "OUT", additional.fields{}.value.string_value : Value of OUT The outgoing network interface.
    PREC
    		additional.fields{}.key : "PREC", additional.fields{}.value.string_value : Value of PREC The Precedence field in the IP header.
    PROTO
    		network.ip_protocol The IP protocol used in the network connection.
    RES
    		additional.fields{}.key : "RES", additional.fields{}.value.string_value : Value of RES Reserved field in the TCP header.
    SPT
    		principal.port The source port of the network connection, converted to an integer.
    SRC
    		principal.ip The source IP address of the network connection.
    TOS
    		additional.fields{}.key : "TOS", additional.fields{}.value.string_value : Value of TOS The Type of Service field in the IP header.
    TTL
    		network.dns.additional.ttl Time To Live value, converted to an unsigned integer.
    URGP
    		additional.fields{}.key : "URGP", additional.fields{}.value.string_value : Value of URGP Urgent pointer field in the TCP header.
    WINDOW
    		additional.fields{}.key : "WINDOW_SIZE", additional.fields{}.value.string_value : Value of WINDOW The TCP window size.
    action
    		security_result.action The action taken by the firewall, extracted from the CEF message.
    agt
    		observer.ip The IP address of the agent.
    amac
    		target.mac The MAC address of the target, converted to lowercase and with hyphens replaced by colons.
    app
    		target.application The application involved in the event.
    artz
    		observer.zone The observer time zone.
    atz
    		target.location.country_or_region The target time zone.
    categoryBehavior
    		additional.fields{}.key : "Category Behavior", additional.fields{}.value.string_value : Value of categoryBehavior with slashes removed The category behavior.
    categoryDeviceGroup
    		additional.fields{}.key : "Category Device Group", additional.fields{}.value.string_value : Value of categoryDeviceGroup with slashes removed The category device group.
    categoryObject
    		additional.fields{}.key : "Category Object", additional.fields{}.value.string_value : Value of categoryObject with slashes removed The category object.
    categoryOutcome
    		additional.fields{}.key : "Category Outcome", additional.fields{}.value.string_value : Value of categoryOutcome with slashes removed The category outcome.
    categorySignificance
    		additional.fields{}.key : "category Significance", additional.fields{}.value.string_value : Value of categorySignificance The category significance.
    command
    		target.process.command_line The command executed.
    cs1Label
    		additional.fields{}.key : cs1Label , additional.fields{}.value.string_value : Value of corresponding CEF field Custom string field 1 label and value from the CEF message.
    cs2Label
    		additional.fields{}.key : cs2Label , additional.fields{}.value.string_value : Value of corresponding CEF field Custom string field 2 label and value from the CEF message.
    cs3Label
    		additional.fields{}.key : cs3Label , additional.fields{}.value.string_value : Value of corresponding CEF field Custom string field 3 label and value from the CEF message.
    cs4Label
    		additional.fields{}.key : cs4Label , additional.fields{}.value.string_value : Value of corresponding CEF field Custom string field 4 label and value from the CEF message.
    cs5Label
    		additional.fields{}.key : cs5Label , additional.fields{}.value.string_value : Value of corresponding CEF field Custom string field 5 label and value from the CEF message.
    cs6Label
    		additional.fields{}.key : cs6Label , additional.fields{}.value.string_value : Value of corresponding CEF field Custom string field 6 label and value from the CEF message.
    dhost
    		target.hostname Destination hostname.
    deviceCustomString1
    		additional.fields{}.key : cs1Label , additional.fields{}.value.string_value : Value of deviceCustomString1 Device custom string 1.
    deviceCustomString2
    		additional.fields{}.key : cs2Label , additional.fields{}.value.string_value : Value of deviceCustomString2 Device custom string 2.
    deviceCustomString3
    		additional.fields{}.key : cs3Label , additional.fields{}.value.string_value : Value of deviceCustomString3 Device custom string 3.
    deviceCustomString4
    		additional.fields{}.key : cs4Label , additional.fields{}.value.string_value : Value of deviceCustomString4 Device custom string 4.
    deviceCustomString5
    		additional.fields{}.key : cs5Label , additional.fields{}.value.string_value : Value of deviceCustomString5 Device custom string 5.
    deviceCustomString6
    		additional.fields{}.key : cs6Label , additional.fields{}.value.string_value : Value of deviceCustomString6 Device custom string 6.
    deviceDirection
    		network.direction The direction of the network traffic.
    deviceEventClassId
    		additional.fields{}.key : "eventId", additional.fields{}.value.string_value : Value of deviceEventClassId The device event class ID.
    deviceFacility
    		observer.product.subproduct The device facility.
    deviceProcessName
    		about.process.command_line The device process name.
    deviceSeverity
    		security_result.severity The device severity.
    deviceTimeZone
    		observer.zone The device time zone.
    deviceVendor
    		metadata.vendor_name The device vendor.
    deviceVersion
    		metadata.product_version The device version.
    dpt
    		target.port The destination port.
    dst
    		target.ip The destination IP address.
    duser
    		target.user.user_display_name The destination user.
    eventId
    		additional.fields{}.key : "eventId", additional.fields{}.value.string_value : Value of eventId Event ID.
    event_time
    		metadata.event_timestamp The time the event occurred, parsed from the message.
    firewall_action
    		security_result.action_details The firewall action taken.
    host
    		principal.hostname , intermediary.hostname The hostname of the device generating the log. Used for both principal and intermediary in different cases.
    msg
    		security_result.summary The message associated with the event, used as a summary for the security result.
    name
    		metadata.product_event_type The name of the event.
    process_name
    		additional.fields{}.key : "process_name", additional.fields{}.value.string_value : Value of process_name The name of the process.
    p_id
    		target.process.pid The process ID, converted to a string.
    sha256
    		principal.process.file.sha256 The SHA256 hash of a file, extracted from the SSH2 key information.
    shost
    		principal.hostname Source hostname.
    source_address
    		principal.ip The source IP address.
    source_port
    		principal.port The source port, converted to an integer.
    src
    		principal.ip The source IP address.
    src_ip
    		principal.ip The source IP address.
    src_port
    		principal.port The source port, converted to an integer.
    ssh2
    		security_result.detection_fields{}.key : "ssh2", security_result.detection_fields{}.value : Value of ssh2 SSH2 key information.
    subtype
    		metadata.product_event_type The subtype of the event.
    task_summary
    		security_result.description The task summary, used as the description for the security result.
    timestamp
    		metadata.event_timestamp The timestamp of the event.
    user
    		target.user.userid The user associated with the event.
    username
    		principal.user.userid The username associated with the event.
    user_name
    		principal.user.userid The username.
    		metadata.vendor_name Hardcoded to "Juniper Firewall". Hardcoded to "Juniper Firewall". Hardcoded to "JUNIPER_JUNOS". Determined by parser logic based on log content. Defaults to "STATUS_UPDATE" if not a CEF message and no other specific event type is identified. Set to "NETWORK_HTTP" for CEF messages. If no desc field is present, this field is populated with the message_description extracted from the raw log message.

    Need more help? Get answers from Community members and Google SecOps professionals.

    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: