
JunOS

Juniper Networks develops and markets networking products, including routers, switches, network management software, network security products, and software-defined networking technology.

This app is focused on Juniper JunOS messages produced by various Juniper Networks hardware units.

App Function

This app handles two different types of JunOS log messages: structured and unstructured. These two message types are explained below.

For structured messages, the app recognizes a wide range of JunOS message types, not just RT_FLOW (see Currently Supported Log Types below). For each recognized type, the app sets appropriate user tags for the fields contained in that type of log message. More message types will be added over time, and users can update the recognized messages and their associated user tags themselves if needed (contact LogZilla support for assistance).

For unstructured messages, the app focuses on session-related events (such as RT_FLOW_SESSION_CREATE, RT_FLOW_SESSION_CLOSE, RT_FLOW_SESSION_DENY), reformats the log message into key/value pairs, and sets user tags for easier comprehension.

Vendor Documentation

Log Source Details

| Item | Value |
| --- | --- |
| Vendor | Juniper Networks |
| Device Type | Routers, switches, and security devices running JunOS |
| Supported Software Version(s) | JunOS 11.x and newer (tested on SRX-series firewalls) |
| Collection Method | Syslog |
| Configurable Log Output? | Partially – JunOS supports both structured and unstructured syslog formats |
| Log Source Type | JunOS syslog |
| Exceptions | N/A |

Currently Supported Log Types

  • Structured messages: Any event whose message type (MSGID) is listed in the RECOGNIZED_MESSAGE_IDS section of the config file. This includes, but is not limited to:
      ◦ SECINTEL_SERVICE_MANAGEMENT
      ◦ AAMWD_NETWORK_CONNECT_FAILED
      ◦ APPTRACK_SESSION_CREATE
      ◦ APPTRACK_SESSION_CLOSE
      ◦ LIBJSNMP_NS_LOG_WARNING
      ◦ RTLOG_CONN_ERROR
      ◦ LICENSE_EXPIRED_KEY_DELETED
      ◦ UI_NETCONF_CMD
      ◦ UI_CHILD_START
      ◦ UI_CHILD_STATUS
      ◦ RT_FLOW_SESSION_CREATE
      ◦ RT_FLOW_SESSION_CLOSE
      ◦ RT_FLOW_SESSION_DENY
  • Unstructured messages: Session-related events such as RT_FLOW_SESSION_CREATE, RT_FLOW_SESSION_CLOSE, and RT_FLOW_SESSION_DENY output as space-separated fields (see the log samples below).

Parsed Metadata Fields

For both structured and unstructured messages the following fields are parsed and (where a Tag Name is given) converted into user tags:

| Tagged Field Name | Tag Name | Example | Description |
| --- | --- | --- | --- |
| MSGID | msgid | AAMWD_NETWORK_CONNECT_FAILED | JunOS message identifier (event type) |
| hostname | hostname | host1.us-west-1.company.net | Host that generated the log |
| category-name | category-name | security | JunOS category of the event |
| ip-address | SrcIP | 11.22.33.44 | Source IP address |
| source-port | SrcPort | dynamic | Source port service |
| destination-port | DstPort | https | Destination port service |
| destination-address | DstIP | 55.66.77.88 | Destination IP address |
| ingress-interface | ingress-interface | reth8.1122 | Physical / logical ingress interface |
| service-name | service-name | None | JunOS service name associated with the flow |
| policy-name | policy-name | PolicyEnforcer-Rule1-1 | Security policy that matched the flow |
| reason | reason | ICMP error | Reason for session close / deny |
| application | application | UNKNOWN | Detected application name |
| nested-application | nested-application | UNKNOWN | Nested-application name (if any) |
| nat-source-address | nat-source-address | 11.22.33.44 | Post-NAT source IP |
| nat-destination-address | nat-destination-address | 55.66.77.88 | Post-NAT destination IP |
| nat-source-port | nat-source-port | dynamic | Post-NAT source port service |
| nat-destination-port | nat-destination-port | dynamic | Post-NAT destination service |
| username | username | N/A | Username associated with the event |
| src-nat-rule-name | src-nat-rule-name | source-nat-rule | Name of source-NAT rule |
| src-nat-rule-type | src-nat-rule-type | source rule | Type of source-NAT rule |
| dst-nat-rule-name | dst-nat-rule-name | N/A | Name of destination-NAT rule |
| dst-nat-rule-type | dst-nat-rule-type | N/A | Type of destination-NAT rule |
| protocol-id | protocol-id | 6 | IP protocol number (TCP=6, UDP=17, …) |
| proxy-address | proxy-address | 1.2.3.4 | Proxy server IP (if used) |
| proxy-port | proxy-port | 8080 | Proxy server port |
| source-zone-name | source-zone-name | trust | Source security zone |
| destination-zone-name | destination-zone-name | untrust | Destination security zone |
| roles | roles | admin | User roles involved in the event |
| encrypted | encrypted | UNKNOWN | Indicates if the session is encrypted |
| packet-incoming-interface | packet-incoming-interface | ge-0/0/1.0 | Interface that received the first packet |
| stream-name | stream-name | spam | Name of log/event stream |
| filename | filename | JUNOS966182 | Filename or key referenced in the log |
| error-message | error-message | Unauthorized | Error text returned by the system |
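The following is an added example (not the LogZilla app's own code) of how the structured-data element of a JunOS message is split into key/value pairs and the field names are mapped to the tag names in the table above. The sample line is constructed from the Network Connect Failed log sample, and the SD-ID `junos@EXAMPLE-SDID` is a placeholder, not a real Juniper enterprise ID.

```python
import re

# Structured-data field names whose user tag differs from the field name
# (from the Parsed Metadata Fields table); all other fields keep their name.
TAG_NAMES = {
    "ip-address": "SrcIP",
    "source-port": "SrcPort",
    "destination-port": "DstPort",
    "destination-address": "DstIP",
}

# Syslog header up to and including the bracketed structured-data element:
# TIMESTAMP HOST PROCESS - MSGID [SD-ID key="value" ...] optional free text
HEADER_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) - (?P<msgid>\S+) "
    r"\[(?P<sdid>\S+) (?P<body>[^\]]*)\]"
)
PAIR_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_structured(line):
    """Return {tag: value} for a structured JunOS message, or None if the
    line is not in the structured format (e.g. an unstructured RT_FLOW line)."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    tags = {"msgid": m["msgid"]}
    for key, value in PAIR_RE.findall(m["body"]):
        tags[TAG_NAMES.get(key, key)] = value
    return tags


# Constructed sample based on the Network Connect Failed log sample; the
# SD-ID "junos@EXAMPLE-SDID" is a placeholder for the real enterprise ID.
SAMPLE_AAMWD = (
    "2024-06-01T12:34:56.789Z TESTER AAMWD - AAMWD_NETWORK_CONNECT_FAILED "
    '[junos@EXAMPLE-SDID severity="2" proxy-port="None" proxy-address="None" '
    'ip-address="11.22.33.44" hostname="host1.us-west-1.company.net" '
    'error-message="Unauthorized" destination-port="443"] <2> Access host '
    "srxapi.eu-west-1.sky.junipersecurity.net on ip 52.210.70.159 port 443 "
    "proxy None port None Unauthorized."
)

if __name__ == "__main__":
    for tag, value in sorted(parse_structured(SAMPLE_AAMWD).items()):
        print("%s=%s" % (tag, value))
```

Free text after the closing bracket (as in the AAMWD sample) is ignored; a line that does not start with the syslog header and a bracketed element returns None so it can fall through to the unstructured handling.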

For unstructured messages the event message text is additionally reformatted to consist of key/value pairs. The specific fields that are emitted as keys are as follows:

| Field Key | Example |
| --- | --- |
| reason | TCP SERVER RST |
| src | 11.22.33.44 |
| dst | 55.66.77.88 |
| src-port | 50488 |
| dst-port | 48001 |
| service | None |
| policy | 13101705 |
| nat-src | 11.22.33.44 |
| nat-src-port | 50488 |
| nat-dst | 55.66.77.88 |
| nat-dst-port | 48001 |
| src-nat-rule | N/A |
| dst-nat-rule | N/A |
| protocol | 6 |
| src-zone | DMZ_One |
| dst-zone | DMZ_Two |
| session-id | 120095417 |
| ingress-interface | reth8.1122 |
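As an added illustration (not the app's own implementation), the positional parser below turns the unstructured RT_FLOW_SESSION_CLOSE and RT_FLOW_SESSION_DENY samples shown under Log Samples into the keys listed in the table above. It assumes the JunOS field order of the unstructured format (flow tuple, service, NAT tuple, NAT rule type/name pairs, protocol, policy, zones, session ID, counters, application fields, interface) and treats the trailing "policy deny" text of a DENY message as its reason.

```python
import re

FLOW_RE = re.compile(r"^(?P<sip>[^/]+)/(?P<sport>\d+)->(?P<dip>[^/]+)/(?P<dport>\d+)$")
CLOSE_RE = re.compile(
    r"^RT_FLOW_SESSION_CLOSE: session closed (?P<reason>.+?): (?P<rest>\S+/\d+->\S+/\d+ .*)$"
)
DENY_RE = re.compile(r"^RT_FLOW_SESSION_DENY: session denied (?P<rest>\S+/\d+->\S+/\d+ .*)$")


def _flow(token, prefix=""):
    """Split 'srcip/sport->dstip/dport' into src/src-port/dst/dst-port keys."""
    m = FLOW_RE.match(token)
    if not m:
        raise ValueError("bad flow tuple: %r" % token)
    return {prefix + "src": m["sip"], prefix + "src-port": m["sport"],
            prefix + "dst": m["dip"], prefix + "dst-port": m["dport"]}


def parse_unstructured(msg):
    """Return the key/value pairs listed above for a CLOSE or DENY message, else None."""
    m = CLOSE_RE.match(msg)
    if m:
        f = m["rest"].split()
        if len(f) < 20:
            raise ValueError("truncated RT_FLOW_SESSION_CLOSE message")
        kv = {"reason": m["reason"]}
        kv.update(_flow(f[0]))              # pre-NAT tuple
        kv["service"] = f[1]
        kv.update(_flow(f[2], "nat-"))      # post-NAT tuple
        # f[3:7] hold src-NAT rule type/name and dst-NAT rule type/name
        # (assumed slot order); only the rule names are emitted as keys.
        kv["src-nat-rule"], kv["dst-nat-rule"] = f[4], f[6]
        (kv["protocol"], kv["policy"], kv["src-zone"],
         kv["dst-zone"], kv["session-id"]) = f[7:12]
        kv["ingress-interface"] = f[18]     # after counters, app fields, user(roles)
        return kv
    m = DENY_RE.match(msg)
    if m:
        f = m["rest"].split()
        if len(f) < 12:
            raise ValueError("truncated RT_FLOW_SESSION_DENY message")
        kv = _flow(f[0])
        kv["service"] = f[1]
        kv["protocol"] = f[2].split("(")[0]  # "6(0)" is protocol(icmp-type)
        kv["policy"], kv["src-zone"], kv["dst-zone"] = f[3:6]
        kv["ingress-interface"] = f[9]
        kv["reason"] = " ".join(f[11:])      # trailing "policy deny" (assumed)
        return kv
    return None
```

Messages that are wrapped across several lines in the samples must be joined into one line before parsing, and a message with fewer positional fields than expected raises rather than silently mislabelling values.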

High-Cardinality (HC) Tags

SrcIP, DstIP

Log Samples

Structured Message - Session Close

2018-07-13T09:49:21.734Z TESTER RT_FLOW - RT_FLOW_SESSION_CLOSE
[[email protected] reason="ICMP error" source-address="11.22.33.44"
source-port="1298" destination-address="55.66.77.88"
destination-port="53" service-name="None"
nat-source-address="11.22.33.44" nat-source-port="8325"
nat-destination-address="55.66.77.88" nat-destination-port="53"
src-nat-rule-type="source rule" src-nat-rule-name="source-nat-rule"
dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6"
policy-name="PolicyEnforcer-Rule1-1" source-zone-name="trust"
destination-zone-name="untrust" session-id-32="20267666"
packets-from-client="1" bytes-from-client="64" packets-from-server="0"
bytes-from-server="0" elapsed-time="1" application="INCONCLUSIVE"
nested-application="INCONCLUSIVE" username="N/A" roles="N/A"
packet-incoming-interface="ge-0/0/1.0" encrypted="UNKNOWN"]

Structured Message - Network Connect Failed

2024-06-01T12:34:56.789Z TESTER AAMWD - AAMWD_NETWORK_CONNECT_FAILED
[[email protected] severity="2" proxy-port="None" proxy-address="None"
ip-address="11.22.33.44" hostname="host1.us-west-1.company.net"
error-message="Unauthorized" destination-port="443"] <2> Access host
srxapi.eu-west-1.sky.junipersecurity.net on ip 52.210.70.159 port 443 proxy
None port None Unauthorized.

Unstructured Message - Session Close

RT_FLOW_SESSION_CLOSE: session closed TCP SERVER
RST: 11.22.33.44/50488->55.66.77.88/48001 None
11.22.33.44/50488->55.66.77.88/48001 N/A N/A N/A N/A 6
13101705 DMZ_One DMZ_Two 120095417 16(8769) 15(1262) 2
UNKNOWN UNKNOWN N/A(N/A) reth8.1122 UNKNOWN

Unstructured Message - Session Denied

RT_FLOW_SESSION_DENY: session denied
11.22.33.44/36619->55.66.77.88/23 junos-telnet 6(0)
default-deny-log untrust DMZ_TESTONE UNKNOWN UNKNOWN N/A(N/A)
reth8.88 UNKNOWN policy deny