An app for monitoring Juniper logs (SRX, SA, etc.) would be cool.

asked 05 Dec '10, 22:26

fisk12
469
accept rate: 0%


3 Answers:

I already have some field extractions that I made for SRX.

Created Session Logs

RT_FLOW_SESSION_CREATE:\ssession\screated\s(?P<srx_src_ip>\d+\.\d+\.\d+\.\d+)\/(?P<srx_src_port>\d+)\D+(?P<srx_dst_ip>\d+\.\d+\.\d+\.\d+)\/(?P<srx_dst_port>\d+)\s(?P<srx_svc_name>\S+)\s(?P<srx_nat_src_ip>\d+\.\d+\.\d+\.\d+)\/(?P<srx_nat_src_port>\d+)\D+(?P<srx_nat_dst_ip>\d+\.\d+\.\d+\.\d+)\/(?P<srx_nat_dst_port>\d+)\s(?P<srx_src_nat_rule_name>\S+)\s(?P<srx_dst_nat_rule_name>\S+)\s(?P<srx_protocol_id>\d+)\s(?P<srx_policy_name>\S+)\s(?P<srx_src_zone>\S+)\s(?P<srx_dst_zone>\S+)\s(?P<srx_sess_id>\d+)

Closed Session Logs

RT_FLOW_SESSION_CLOSE:\ssession\sclosed\s(?P<srx_closed_reason>[^:]+)\D+(?P<srx_src_ip>\d+\.\d+\.\d+\.\d+)\/(?P<srx_src_port>\d+)\D+(?P<srx_dst_ip>\d+\.\d+\.\d+\.\d+)\/(?P<srx_dst_port>\d+)\s(?P<srx_svc_name>\S+)\s(?P<srx_nat_src_ip>\d+\.\d+\.\d+\.\d+)\/(?P<srx_nat_src_port>\d+)\D+(?P<srx_nat_dst_ip>\d+\.\d+\.\d+\.\d+)\/(?P<srx_nat_dst_port>\d+)\s(?P<srx_src_nat_rule_name>\S+)\s(?P<srx_dst_nat_rule_name>\S+)\s(?P<srx_protocol_id>\d+)\s(?P<srx_policy_name>\S+)\s(?P<srx_src_zone>\S+)\s(?P<srx_dst_zone>\S+)\s(?P<srx_sess_id>\d+)\s(?P<srx_pkts_from_client>\d+)\((?P<srx_bytes_from_client>\d+)\)\s(?P<srx_pkts_from_server>\d+)\((?P<srx_bytes_from_server>\d+)\)\s(?P<srx_sess_elapsed_time>\d+)
answered 06 Dec '10, 00:42

jerrad
1353
accept rate: 40%

Jerrad,

Any chance you have a field extraction for the IDS reporting on the SRX?

Here's a sample of the security log output:

Mar 14 09:43:50 Mar 14 09:43:50 RT_IDS: %USER-3-RT_SCREEN_TCP: Port scan! source: :80, destination: :27743, zone name: untrust, interface name: ae1.0

answered 14 Mar '11, 18:08

williamturner
111
accept rate: 0%

Never mind :)

I've been able to create these extractions myself.

EXTRACT-RT_SCREEN_ICMP

(?i)-RT_SCREEN_ICMP: (?P<ids_detection>.+?)\s+\w+:\D+(?P<ids_src_ip>\d+\.\d+\.\d+\.\d+),\sdestination:\D+(?P<ids_dest_ip>\d+\.\d+\.\d+\.\d+),\szone\sname:\s(?P<ids_zone>\S+),\sinterface\sname:\s(?P<ids_interface>\S+)

EXTRACT-RT_SCREEN_TCP

(?i)-RT_SCREEN_TCP: (?P<ids_detection>.+?)\s+\w+:\D+(?P<ids_src_ip>\d+\.\d+\.\d+\.\d+):(?P<ids_src_port>\d+),\sdestination:\D+(?P<ids_dest_ip>\d+\.\d+\.\d+\.\d+):(?P<ids_dest_port>\d+),\szone\sname:\s(?P<ids_zone>\S+),\sinterface\sname:\s(?P<ids_interface>\S+)

EXTRACT-RT_SCREEN_IP

(?i)-RT_SCREEN_IP: (?P<ids_detection>.+?)\s+\w+:\D+(?P<ids_src_ip>\d+\.\d+\.\d+\.\d+),\sdestination:\D+(?P<ids_dest_ip>\d+\.\d+\.\d+\.\d+),\sprotocol-id:\s(?P<ids_protocol>\d+),\szone\sname:\s(?P<ids_zone>\S+),\sinterface\sname:\s(?P<ids_interface>\S+)

Hope this helps others.

answered 23 Mar '11, 23:24

williamturner
111
accept rate: 0%

edited 24 May '11, 09:21
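As an added example (not code from this thread), the script below applies jerrad's RT_FLOW_SESSION_CREATE extraction and williamturner's RT_SCREEN_TCP extraction (backslashes restored) to constructed SRX syslog lines and counts screen alerts per source address, the kind of pivot a detection rule would start from. The sample lines, the hostname srx1, the policy and rule names and all addresses are constructed.

```python
import re

# Extraction regexes taken from the answers above; Splunk uses the same
# (?P<name>...) named-group syntax, so they compile unchanged in Python.
SESSION_CREATE = re.compile(
    r"RT_FLOW_SESSION_CREATE:\ssession\screated\s(?P<srx_src_ip>\d+\.\d+\.\d+\.\d+)\/(?P<srx_src_port>\d+)\D+"
    r"(?P<srx_dst_ip>\d+\.\d+\.\d+\.\d+)\/(?P<srx_dst_port>\d+)\s(?P<srx_svc_name>\S+)\s"
    r"(?P<srx_nat_src_ip>\d+\.\d+\.\d+\.\d+)\/(?P<srx_nat_src_port>\d+)\D+"
    r"(?P<srx_nat_dst_ip>\d+\.\d+\.\d+\.\d+)\/(?P<srx_nat_dst_port>\d+)\s"
    r"(?P<srx_src_nat_rule_name>\S+)\s(?P<srx_dst_nat_rule_name>\S+)\s(?P<srx_protocol_id>\d+)\s"
    r"(?P<srx_policy_name>\S+)\s(?P<srx_src_zone>\S+)\s(?P<srx_dst_zone>\S+)\s(?P<srx_sess_id>\d+)"
)
SCREEN_TCP = re.compile(
    r"(?i)-RT_SCREEN_TCP: (?P<ids_detection>.+?)\s+\w+:\D+(?P<ids_src_ip>\d+\.\d+\.\d+\.\d+):(?P<ids_src_port>\d+),"
    r"\sdestination:\D+(?P<ids_dest_ip>\d+\.\d+\.\d+\.\d+):(?P<ids_dest_port>\d+),"
    r"\szone\sname:\s(?P<ids_zone>\S+),\sinterface\sname:\s(?P<ids_interface>\S+)"
)

# Constructed sample lines (not real device output): one session-create event,
# two TCP screen alerts from the same source, and one line neither regex covers.
SAMPLE_LOGS = [
    "Dec  5 22:26:01 srx1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.0.2.10/51234->198.51.100.20/443 "
    "junos-https 203.0.113.5/51234->198.51.100.20/443 source-nat-rule None 6 allow-web trust untrust 4711",
    "Mar 14 09:43:50 srx1 RT_IDS: %USER-3-RT_SCREEN_TCP: Port scan! source: 192.0.2.77:80, "
    "destination: 198.51.100.20:27743, zone name: untrust, interface name: ae1.0",
    "Mar 14 09:43:51 srx1 RT_IDS: %USER-3-RT_SCREEN_TCP: SYN flood! source: 192.0.2.77:4433, "
    "destination: 198.51.100.21:443, zone name: untrust, interface name: ae1.0",
    "Mar 14 09:44:00 srx1 UI_COMMIT: User 'admin' requested 'commit' operation",
]


def extract(line):
    """Return (event_type, fields) for a recognised SRX line, or None otherwise."""
    for event_type, pattern in (("session_create", SESSION_CREATE), ("screen_tcp", SCREEN_TCP)):
        match = pattern.search(line)
        if match:
            return event_type, match.groupdict()
    return None


def screen_alerts_by_source(lines):
    """Count RT_SCREEN_TCP alerts per source IP; a spike from one address is the signal to alert on."""
    counts = {}
    for line in lines:
        hit = extract(line)
        if hit and hit[0] == "screen_tcp":
            src = hit[1]["ids_src_ip"]
            counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(extract(line))
    print(screen_alerts_by_source(SAMPLE_LOGS))
```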

Copyright © 2005-2012 Splunk, Inc. All rights reserved.