
Juniper Junos (Operating System)

Juniper Junos

About

Junos® OS automates network operations with streamlined precision, furthers operational efficiency, and frees up valuable time and resources for top-line growth opportunities. Built for reliability, security, and flexibility, Junos OS runs many of the world’s most sophisticated network deployments, giving operators an advantage over those who run competing network operating systems.

Product Details

Vendor URL: Juniper Junos

Product Type: Network Operating System

Product Tier: Tier III

Integration Method: Syslog

Integration URL: N/A

Log Guide: Junos OS - Overview of System Logging

Parser Details

Log Format: Syslog CEF

Expected Normalization Rate: 100%

Data Label: JUNIPER_JUNOS

UDM Fields (all UDM fields the parser populates):

Log file field                                        UDM field
msg                                                   metadata.description
hard-coded: GENERIC_EVENT or NETWORK_UNCATEGORIZED    metadata.event_type
at                                                    metadata.product_deployment_id
product_event                                         metadata.product_event_type
eventId                                               metadata.product_log_id
product                                               metadata.product_name
version, av                                           metadata.product_version
vendor                                                metadata.vendor_name
proto                                                 network.ip_protocol
deviceZoneURI, agentZoneURI                           observer.asset.network_domain
aid                                                   observer.asset.product_object_id
ahost, dvchost                                        observer.hostname
agt                                                   observer.ip
amac                                                  observer.mac
aid                                                   principal.asset.product_object_id
dvchost                                               principal.hostname
dvc                                                   principal.ip
hard-coded: ALERTING (only when severity is High)     security_result.alert_state
cn1, cs1-cs6 and their matching *Label fields         security_result.detection_fields
severity                                              security_result.severity
summary, or hard-coded: CEF CS Fields Found           security_result.summary
sourceZoneURI                                         src.asset.network_domain
src, shost                                            src.hostname
src, shost                                            src.ip
spt                                                   src.port
suser                                                 src.user.userid
destinationZoneURI                                    target.asset.network_domain
dst, dhost                                            target.hostname
dst, dhost                                            target.ip
dpt                                                   target.port
request                                               target.url

Product Event Types

type,subtype                       severity    UDM event classification    alerting enabled
Default                                        GENERIC_EVENT               TRUE
If the log is a supported type                 NETWORK_UNCATEGORIZED       TRUE

Log Sample

Apr 29 15:30:12 10.10.10.10 CEF: 0|Juniper|JUNOS||FLOW_SESSION_DENY|Session denied|High| eventId=123456789 msg=No Denied by policy 987654321 N/A N/A -1 app=None proto=UDP categorySignificance=/Informational/Warning categoryBehavior=/Access categoryDeviceGroup=/Firewall catdt=Firewall categoryOutcome=/Failure categoryObject=/Host/Application/Service art=123123123123 deviceSeverity=info rt=234234234234 shost=hostname1.domain.com src=10.20.20.20 sourceZoneURI=/All Zones/Private Zones/RFC1918: 10.0.0.0-10.255.255.255 spt=53210 dhost=10.2.3.4.publicdomain.com dst=192.168.2.2 destinationZoneURI=/All Zones/Address Space Zones/10.0.0.0-10.255.255.255 (IANA) dpt=443 duser=N/A cs5=default-deny cs1Label=Rule Name cs2Label=Function Name cs3Label=Routing Instance cs4Label=Reason cs5Label=Policy Name cs6Label=Group name cn1Label=Current count ahost=hostname2.domain.local agt=10.10.10.10 agentZoneURI=/All Zones/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 amac=00-11-22-A3-BC-DE av=7.65.4.321.0 atz=US/Central at=syslog dvchost=hostname3 dvc=10.30.30.30 deviceZoneURI=/All Zones/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 dtz=EST deviceFacility=user deviceProcessName=FLOW geid=0 _cefVer=0.1 ad.source-zone-name=SOURCE-ZONE ad.destination-zone-name=DEST-ZONE ad.application=UNKNOWN ad.icmp-type=0 ad.packet-incoming-interface=interface.1234 ad.roles=N/A ad.nested-application=UNKNOWN aid=123123456456678678 smb_host=smbhost-0011223 smb_stage1=123863482364 smb_uid=239r7whufbwg90uho4nt2 smb_timezone=EDT

Sample Parsing

metadata.product_log_id = "123456789"
metadata.event_timestamp.seconds = 1652473382
metadata.event_timestamp.nanos = 150413497
metadata.event_type = "NETWORK_UNCATEGORIZED"
metadata.vendor_name = "Juniper"
metadata.product_name = "JUNOS"
metadata.product_version = "7.65.4.321.0"
metadata.product_event_type = "Session denied"
metadata.product_deployment_id = "syslog"
metadata.description = "No Denied by policy 987654321 N/A N/A -1"
principal.hostname = "hostname3"
principal.asset.product_object_id = "123123456456678678"
principal.ip = "10.30.30.30"
src.hostname = "hostname1.domain.com"
src.asset.network_domain = "/All Zones/Private Zones/RFC1918: 10.0.0.0-10.255.255.255"
src.ip = "10.20.20.20"
src.port = "53210"
target.asset.network_domain = "/All Zones/Address Space Zones/10.0.0.0-10.255.255.255 (IANA)"
target.ip = "192.168.2.2"
target.ip = "10.2.3.4"
target.port = "443"
observer.hostname = "hostname2.domain.local"
observer.asset.product_object_id = "123123456456678678"
observer.asset.network_domain = "/All Zones/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255"
observer.ip = "10.10.10.10"
observer.mac = "00:11:22:a3:bc:de"
security_result.detection_fields.key = "Current count"
security_result.detection_fields.key = "Rule Name"
security_result.detection_fields.key = "Function Name"
security_result.detection_fields.key = "Routing Instance"
security_result.detection_fields.key = "Reason"
security_result.detection_fields.key = "Policy Name"
security_result.detection_fields.value = "default-deny"
security_result.detection_fields.key = "Group name"
security_result.summary = "CEF CS Fields Found"
security_result.severity = "LOW"
network.ip_protocol = "UDP"

Parser Alerting

Alerting is enabled only when the CEF severity field is High; the parser then sets security_result.alert_state to ALERTING. Note that the sample parsing above reports security_result.severity = "LOW" for a line whose CEF header severity is High, so do not assume alert_state and security_result.severity always agree; check which severity the parser version you run actually uses before building detections on either field.
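As an added example, not code from this page or from Juniper or Google, the following Python applies the field table above to a CEF line: it splits the CEF header on unescaped pipes, tokenises the space-delimited extension (values such as msg and the *ZoneURI fields contain spaces, so each value runs to the start of the next key= token), pairs cn1 and cs1 to cs6 with their *Label keys into security_result.detection_fields, normalises amac to the colon form the sample parsing shows, and sets alert_state only when the header severity is High. Both input lines are constructed: the first is this page's Log Sample shortened to the mapped keys, the second a low-severity line with no src/dst. The event_type rule (NETWORK_UNCATEGORIZED when src or dst is present), the severity keyword mapping, and pulling a leading dotted quad out of dhost are assumptions about the production parser, which this page does not spell out; the page's own sample output reports security_result.severity = "LOW" where this example yields "HIGH" from the header.

```python
import re

# Constructed sample: this page's Log Sample, shortened to the keys the field
# table maps (the category*, ad.* and smb_* extension keys are dropped).
SAMPLE_DENY = (
    "Apr 29 15:30:12 10.10.10.10 CEF: 0|Juniper|JUNOS||FLOW_SESSION_DENY|Session denied|High| "
    "eventId=123456789 msg=No Denied by policy 987654321 N/A N/A -1 app=None proto=UDP "
    "shost=hostname1.domain.com src=10.20.20.20 spt=53210 "
    "sourceZoneURI=/All Zones/Private Zones/RFC1918: 10.0.0.0-10.255.255.255 "
    "dhost=10.2.3.4.publicdomain.com dst=192.168.2.2 dpt=443 "
    "destinationZoneURI=/All Zones/Address Space Zones/10.0.0.0-10.255.255.255 (IANA) "
    "cs5=default-deny cs1Label=Rule Name cs2Label=Function Name cs3Label=Routing Instance "
    "cs4Label=Reason cs5Label=Policy Name cs6Label=Group name cn1Label=Current count "
    "ahost=hostname2.domain.local agt=10.10.10.10 amac=00-11-22-A3-BC-DE av=7.65.4.321.0 "
    "at=syslog dvchost=hostname3 dvc=10.30.30.30 aid=123123456456678678 "
    "deviceZoneURI=/All Zones/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255"
)
# Constructed low-severity line: version in the CEF header, no src/dst, no cs/cn fields.
SAMPLE_SYSTEM = "CEF:0|Juniper|JUNOS|21.4R1|SYSTEM|System event|Low|msg=Commit completed suser=admin at=syslog"

HEADER_FIELDS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
_PIPE = re.compile(r"(?<!\\)\|")                    # header separator, skipping the CEF '\|' escape
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")   # extension key: whitespace, token, '='
_LEADING_IP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:\.|$)")
SEVERITY = {"low": "LOW", "medium": "MEDIUM", "high": "HIGH", "very-high": "CRITICAL"}  # assumed mapping

def parse_cef(line):
    """Split a syslog-wrapped CEF line into (header dict, extension dict)."""
    m = re.search(r"CEF:\s*", line)
    if m is None:
        raise ValueError("no CEF header in line")
    parts = _PIPE.split(line[m.end():], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 '|'-separated fields")
    header = dict(zip(HEADER_FIELDS, (p.replace("\\|", "|") for p in parts[:7])))
    ext, text = {}, parts[7]
    keys = list(_KEY.finditer(text))  # values may contain spaces: cut at the next 'key=' token
    for i, km in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        ext[km.group(1)] = text[km.end():end].strip().replace("\\=", "=")
    return header, ext

def _endpoint(ext, ip_key, host_key, port_key=None, zone_key=None):
    """Build a UDM noun (src, target, principal, observer) from an address key and a host key."""
    ips, hostname = [], None
    for value in filter(None, (ext.get(ip_key), ext.get(host_key))):
        m = _LEADING_IP.match(value)          # assumption: dhost may read '10.2.3.4.publicdomain.com'
        ip = m.group(1) if m and all(int(o) < 256 for o in m.group(1).split(".")) else None
        if ip and ip not in ips:
            ips.append(ip)
        if hostname is None and ip != value:  # a bare IP literal is not a hostname
            hostname = value
    port = ext.get(port_key) if port_key else None
    return {"hostname": hostname, "ip": ips, "port": int(port) if port and port.isdigit() else None,
            "asset": {"network_domain": ext.get(zone_key) if zone_key else None}}

def _detection_fields(ext):
    """Pair cn1 and cs1..cs6 with their *Label keys, in the order the sample parsing lists them."""
    fields = []
    for key in ["cn1"] + ["cs%d" % i for i in range(1, 7)]:
        label, value = ext.get(key + "Label"), ext.get(key)
        if label is None and value is None:
            continue
        fields.append({"key": label or key, **({"value": value} if value is not None else {})})
    return fields

def _prune(obj):
    """Drop empty values so the event only carries fields the log populated."""
    if isinstance(obj, dict):
        obj = {k: _prune(v) for k, v in obj.items()}
        return {k: v for k, v in obj.items() if v not in (None, "", [], {})}
    return obj

def to_udm(line):
    """Apply the page's field table to one line; extension keys not in the table are ignored."""
    header, ext = parse_cef(line)
    g, fields, sev = ext.get, _detection_fields(ext), header["severity"].lower()
    observer = _endpoint(ext, "agt", "ahost")
    observer["mac"] = g("amac", "").replace("-", ":").lower()   # 00-11-22-A3-BC-DE -> 00:11:22:a3:bc:de
    observer["asset"] = {"product_object_id": g("aid"), "network_domain": g("deviceZoneURI") or g("agentZoneURI")}
    principal = dict(_endpoint(ext, "dvc", "dvchost"), asset={"product_object_id": g("aid")})
    src = dict(_endpoint(ext, "src", "shost", "spt", "sourceZoneURI"), user={"userid": g("suser")})
    target = dict(_endpoint(ext, "dst", "dhost", "dpt", "destinationZoneURI"), url=g("request"))
    return _prune({
        # Assumption: a line carrying src or dst is treated as a "supported" network event.
        "metadata": {"event_type": "NETWORK_UNCATEGORIZED" if g("src") or g("dst") else "GENERIC_EVENT",
                     "vendor_name": header["vendor"], "product_name": header["product"],
                     "product_version": header["version"] or g("av"),   # header version first, else av
                     "product_event_type": header["name"], "product_log_id": g("eventId"),
                     "product_deployment_id": g("at"), "description": g("msg")},
        "principal": principal, "observer": observer, "src": src, "target": target,
        "network": {"ip_protocol": g("proto")},
        "security_result": {"severity": SEVERITY.get(sev, header["severity"]),
                            "summary": g("summary") or ("CEF CS Fields Found" if fields else None),
                            "detection_fields": fields,
                            "alert_state": "ALERTING" if sev == "high" else None},  # page: alert only on High
    })
```

Run `to_udm(SAMPLE_DENY)` and compare the result with the Sample Parsing section: the target.ip list carries both 192.168.2.2 from dst and 10.2.3.4 lifted out of dhost, the seven detection_fields entries appear with only Policy Name carrying a value, and product_version falls back to av because the header version slot is empty. The second sample shows the other branch: no src/dst gives GENERIC_EVENT, and a Low header severity produces no alert_state. A line without a parsable CEF header raises ValueError rather than producing a half-filled event.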