Juniper Junos (Operating System)¶
About¶
Junos® OS automates network operations with streamlined precision, furthers operational efficiency, and frees up valuable time and resources for top-line growth opportunities. Built for reliability, security, and flexibility, Junos OS runs many of the world’s most sophisticated network deployments, giving operators an advantage over those who run competing network operating systems.
Product Details¶
Vendor URL: Juniper Junos
Product Type: Network Operating System
Product Tier: Tier III
Integration Method: Syslog
Integration URL: N/A
Log Guide: Junos OS - Overview of System Logging
Parser Details¶
Log Format: Syslog CEF
Expected Normalization Rate: 100%
Data Label: JUNIPER_JUNOS
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
msg | metadata.description |
hard-coded: GENERIC_EVENT or NETWORK_UNCATEGORIZED | metadata.event_type |
at | metadata.product_deployment_id |
product_event | metadata.product_event_type |
eventId | metadata.product_log_id |
product | metadata.product_name |
version, av | metadata.product_version |
vendor | metadata.vendor_name |
proto | network.ip_protocol |
deviceZoneURI, agentZoneURI | observer.asset.network_domain |
aid | observer.asset.product_object_id |
ahost, dvchost, ahost | observer.hostname |
agt | observer.ip |
amac | observer.mac |
aid | principal.asset.product_object_id |
dvchost | principal.hostname |
dvc | principal.ip |
if severity is High, hard-coded: ALERTING | security_result.alert_state |
cn1 or cs1-cs6 and label fields | security_result.detection_fields |
severity | security_result.severity |
summary or hard-coded: CEF CS Fields Found | security_result.summary |
sourceZoneURI | src.asset.network_domain |
src, shost | src.hostname |
src, shost | src.ip |
spt | src.port |
suser | src.user.userid |
destinationZoneURI | target.asset.network_domain |
dst, dhost | target.hostname |
dst, dhost | target.ip |
dpt | target.port |
request | target.url |
Product Event Types¶
type,subtype | severity | UDM Event Classification | alerting enabled |
---|---|---|---|
Default | GENERIC_EVENT | TRUE | |
If log is supported type | NETWORK_UNCATEGORIZED | TRUE |
Log Sample¶
Apr 29 15:30:12 10.10.10.10 CEF: 0|Juniper|JUNOS||FLOW_SESSION_DENY|Session denied|High| eventId=123456789 msg=No Denied by policy 987654321 N/A N/A -1 app=None proto=UDP categorySignificance=/Informational/Warning categoryBehavior=/Access categoryDeviceGroup=/Firewall catdt=Firewall categoryOutcome=/Failure categoryObject=/Host/Application/Service art=123123123123 deviceSeverity=info rt=234234234234 shost=hostname1.domain.com src=10.20.20.20 sourceZoneURI=/All Zones/Private Zones/RFC1918: 10.0.0.0-10.255.255.255 spt=53210 dhost=10.2.3.4.publicdomain.com dst=192.168.2.2 destinationZoneURI=/All Zones/Address Space Zones/10.0.0.0-10.255.255.255 (IANA) dpt=443 duser=N/A cs5=default-deny cs1Label=Rule Name cs2Label=Function Name cs3Label=Routing Instance cs4Label=Reason cs5Label=Policy Name cs6Label=Group name cn1Label=Current count ahost=hostname2.domain.local agt=10.10.10.10 agentZoneURI=/All Zones/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 amac=00-11-22-A3-BC-DE av=7.65.4.321.0 atz=US/Central at=syslog dvchost=hostname3 dvc=10.30.30.30 deviceZoneURI=/All Zones/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 dtz=EST deviceFacility=user deviceProcessName=FLOW geid=0 _cefVer=0.1 ad.source-zone-name=SOURCE-ZONE ad.destination-zone-name=DEST-ZONE ad.application=UNKNOWN ad.icmp-type=0 ad.packet-incoming-interface=interface.1234 ad.roles=N/A ad.nested-application=UNKNOWN aid=123123456456678678 smb_host=smbhost-0011223 smb_stage1=123863482364 smb_uid=239r7whufbwg90uho4nt2 smb_timezone=EDT
Sample Parsing¶
metadata.product_log_id = "123456789"
metadata.event_timestamp.seconds = 1652473382
metadata.event_timestamp.nanos = 150413497
metadata.event_type = "NETWORK_UNCATEGORIZED"
metadata.vendor_name = "Juniper"
metadata.product_name = "JUNOS"
metadata.product_version = "7.65.4.321.0"
metadata.product_event_type = "Session denied"
metadata.product_deployment_id = "syslog"
metadata.description = "No Denied by policy 987654321 N/A N/A -1"
principal.hostname = "hostname3"
principal.asset.product_object_id = "123123456456678678"
principal.ip = "10.30.30.30"
src.hostname = "hostname1.domain.com"
src.asset.network_domain = "/All Zones/Private Zones/RFC1918: 10.0.0.0-10.255.255.255"
src.ip = "10.20.20.20"
src.port = "53210"
target.asset.network_domain = "/All Zones/Address Space Zones/10.0.0.0-10.255.255.255 (IANA)"
target.ip = "192.168.2.2"
target.ip = "10.2.3.4"
target.port = "443"
observer.hostname = "hostname2.domain.local"
observer.asset.product_object_id = "123123456456678678"
observer.asset.network_domain = "/All Zones/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255"
observer.ip = "10.10.10.10"
observer.mac = "00:11:22:a3:bc:de"
security_result.detection_fields.key = "Current count"
security_result.detection_fields.key = "Rule Name"
security_result.detection_fields.key = "Function Name"
security_result.detection_fields.key = "Routing Instance"
security_result.detection_fields.key = "Reason"
security_result.detection_fields.key = "Policy Name"
security_result.detection_fields.value = "default-deny"
security_result.detection_fields.key = "Group name"
security_result.summary = "CEF CS Fields Found"
security_result.severity = "LOW"
network.ip_protocol = "UDP"
Parser Alerting¶
Alerting is dependent on if the severity level is set to High.