JunOS
Juniper Networks develops and markets networking products, including routers, switches, network management software, network security products, and software-defined networking technology.
This app is focused on Juniper JunOS messages produced by various Juniper Networks hardware units.
App Function
This app handles two different types of JunOS log messages: structured and unstructured. These two message types are explained below.
For either message type the app recognizes messages of type RT_FLOW.
For structured messages the app merely sets appropriate user tags for some fields contained in the log message. For unstructured messages the app likewise sets appropriate user tags, and in addition reformats the log message into key/value pairs for easier comprehension.
Vendor Documentation
Incoming Log Message Format
As previously indicated, this app handles two different JunOS log message formats. The first format is "structured": it consists of a few message header fields such as date-timestamp, host name, and event type, followed by many key/value pairs that are particular to the JunOS message type. The second format is "unstructured": it consists first of the JunOS message type indicator, followed by many space-separated fields placed in a specific order that is particular to the individual event type in the log message. See the log examples below.
The specific message event types handled are: for structured messages, any RT_FLOW event; for unstructured messages, specifically RT_FLOW_SESSION_ events.
Parsed Metadata Fields
For both structured and unstructured messages the following fields are parsed and added as user tags:
Tagged | Field Name | Tag Name | Example |
---|---|---|---|
☑ | reason | Reason | ICMP error |
☑ | source-address | SrcIP | 11.22.33.44 |
☑ | source-port | SrcPort | dynamic |
☑ | destination-address | DstIP | 55.66.77.88 |
☑ | destination-port | DstPort | https |
☑ | policy-name | Policy | PolicyEnforcer-Rule1-1 |
As previously mentioned, for unstructured messages the event message text is reformatted into key/value pairs. The specific fields emitted as keys are as follows:
Field Key | Example |
---|---|
reason | TCP SERVER RST |
src | 11.22.33.44 |
dst | 55.66.77.88 |
src-port | 50488 |
dst-port | 48001 |
service | None |
policy | 13101705 |
nat-src | 11.22.33.44 |
nat-src-port | 50488 |
nat-dst | 55.66.77.88 |
nat-dst-port | 48001 |
src-nat-rule | N/A |
dst-nat-rule | N/A |
protocol | 6 |
src-zone | DMZ_One |
dst-zone | DMZ_Two |
session-id | 120095417 |
ingress-interface | reth8.1122 |
Log Samples
Structured Message - Session Close
```
2018-07-13T09:49:21.734Z TESTER RT_FLOW - RT_FLOW_SESSION_CLOSE
[[email protected] reason="ICMP error" source-address="11.22.33.44"
source-port="1298" destination-address="55.66.77.88"
destination-port="53" service-name="None"
nat-source-address="11.22.33.44" nat-source-port="8325"
nat-destination-address="55.66.77.88" nat-destination-port="53"
src-nat-rule-type="source rule" src-nat-rule-name="source-nat-rule"
dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6"
policy-name="PolicyEnforcer-Rule1-1" source-zone-name="trust"
destination-zone-name="untrust" session-id-32="20267666"
packets-from-client="1" bytes-from-client="64" packets-from-server="0"
bytes-from-server="0" elapsed-time="1" application="INCONCLUSIVE"
nested-application="INCONCLUSIVE" username="N/A" roles="N/A"
packet-incoming-interface="ge-0/0/1.0" encrypted="UNKNOWN"]
```
Unstructured Message - Session Close
```
RT_FLOW_SESSION_CLOSE: session closed TCP SERVER
RST: 11.22.33.44/50488->55.66.77.88/48001 None
11.22.33.44/50488->55.66.77.88/48001 N/A N/A N/A N/A 6
13101705 DMZ_One DMZ_Two 120095417 16(8769) 15(1262) 2
UNKNOWN UNKNOWN N/A(N/A) reth8.1122 UNKNOWN
```
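The following is an added worked example, not the app's own code, showing how the two samples above are turned into the user tags and key/value pairs listed in the tables. It assumes that the positional order of the unstructured RT_FLOW_SESSION_CLOSE body follows the field order of the structured sample (NAT rule type/name pairs, counters, application, username(roles), ingress interface, encrypted), which is how the sample lines up; only the fields the page emits are kept.

```python
import re

# Tag names the page lists for each message type, keyed by field/key name.
TAG_MAP = {"reason": "Reason", "source-address": "SrcIP", "source-port": "SrcPort",
           "destination-address": "DstIP", "destination-port": "DstPort",
           "policy-name": "Policy"}
UNSTRUCT_TAG_MAP = {"reason": "Reason", "src": "SrcIP", "src-port": "SrcPort",
                    "dst": "DstIP", "dst-port": "DstPort", "policy": "Policy"}

KV_RE = re.compile(r'([\w-]+)="([^"]*)"')
# Assumed positional layout of the unstructured body (mirrors the structured
# sample's field order); NAT rule types, counters, application, username(roles)
# and the trailing encrypted flag are skipped with \S+ / .*? and not emitted.
UNSTRUCT_RE = re.compile(
    r'^RT_FLOW_SESSION_CLOSE: session closed (?P<reason>.+?): '
    r'(?P<src>\S+)/(?P<src_port>\d+)->(?P<dst>\S+)/(?P<dst_port>\d+) (?P<service>\S+) '
    r'(?P<nat_src>\S+)/(?P<nat_src_port>\d+)->(?P<nat_dst>\S+)/(?P<nat_dst_port>\d+) '
    r'\S+ (?P<src_nat_rule>\S+) \S+ (?P<dst_nat_rule>\S+) (?P<protocol>\d+) '
    r'(?P<policy>\S+) (?P<src_zone>\S+) (?P<dst_zone>\S+) (?P<session_id>\d+) '
    r'.*? (?P<ingress_interface>\S+) \S+$')

# Unstructured sample from the Log Samples section (line-wrapped on the page).
UNSTRUCTURED_SAMPLE = ("RT_FLOW_SESSION_CLOSE: session closed TCP SERVER RST: "
    "11.22.33.44/50488->55.66.77.88/48001 None 11.22.33.44/50488->55.66.77.88/48001 "
    "N/A N/A N/A N/A 6 13101705 DMZ_One DMZ_Two 120095417 16(8769) 15(1262) 2 "
    "UNKNOWN UNKNOWN N/A(N/A) reth8.1122 UNKNOWN")

def parse_structured(msg):
    """Return every key="value" pair of a structured message as a dict."""
    return dict(KV_RE.findall(msg))

def parse_unstructured(msg):
    """Return the page's key/value fields for an RT_FLOW_SESSION_CLOSE line,
    or None when the line does not fit the expected layout."""
    m = UNSTRUCT_RE.match(" ".join(msg.split()))  # collapse wrapped whitespace
    return {k.replace("_", "-"): v for k, v in m.groupdict().items()} if m else None

def reformat_unstructured(msg):
    """Rewrite the unstructured body as key="value" pairs, the app's output form."""
    fields = parse_unstructured(msg)
    return None if fields is None else " ".join(f'{k}="{v}"' for k, v in fields.items())

def user_tags(msg):
    """Produce the user tags for either message type (empty if unparseable)."""
    if msg.lstrip().startswith("RT_FLOW_SESSION_CLOSE: session closed"):
        fields, tag_map = parse_unstructured(msg) or {}, UNSTRUCT_TAG_MAP
    else:
        fields, tag_map = parse_structured(msg), TAG_MAP
    return {tag: fields[f] for f, tag in tag_map.items() if f in fields}
```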
Unstructured Message - Session Denied