JunOS

Juniper Networks develops and markets networking products, including routers, switches, network management software, network security products, and software-defined networking technology.

This app is focused on Juniper JunOS messages produced by various Juniper Networks hardware units.

App Function

This app handles two different types of JunOS log messages: structured and unstructured. These two message types are explained below.

For either message type the app recognizes messages of type RT_FLOW. For structured messages the app only sets the appropriate user tags for some of the fields contained in the log message. For unstructured messages the app sets the same user tags and, in addition, reformats the log message into key/value pairs for easier comprehension.

Vendor Documentation

Incoming Log Message Format

As previously indicated, this app handles two different JunOS log message formats. The first, "structured", consists of a few message header fields such as date-timestamp, host name, and event type, followed by many key/value pairs particular to the JunOS message type. The second, "unstructured", consists of the JunOS message type indicator followed by many space-separated fields placed in a fixed order particular to the individual event type of the log message. See the log examples below.

The specific message event types handled are: for structured messages, any RT_FLOW event; for unstructured messages, only RT_FLOW_SESSION_ events.

Parsed Metadata Fields

For both structured and unstructured messages the following fields are parsed and added as user tags:

Tagged Field Name      Tag Name   Example
reason                 Reason     ICMP error
source-address         SrcIP      11.22.33.44
source-port            SrcPort    dynamic
destination-address    DstIP      55.66.77.88
destination-port       DstPort    https
policy-name            Policy     PolicyEnforcer-Rule1-1

As previously mentioned, for unstructured messages the event message text is reformatted into key/value pairs. The fields emitted as keys, in the order they appear in the message, are as follows:

Field Key            Example
reason               TCP SERVER RST
src                  11.22.33.44
dst                  55.66.77.88
src-port             50488
dst-port             48001
service              None
policy               13101705
nat-src              11.22.33.44
nat-src-port         50488
nat-dst              55.66.77.88
nat-dst-port         48001
src-nat-rule         N/A
dst-nat-rule         N/A
protocol             6
src-zone             DMZ_One
dst-zone             DMZ_Two
session-id           120095417
ingress-interface    reth8.1122

Log Samples

Structured Message - Session Close

2018-07-13T09:49:21.734Z TESTER RT_FLOW - RT_FLOW_SESSION_CLOSE
[[email protected] reason="ICMP error" source-address="11.22.33.44"
source-port="1298" destination-address="55.66.77.88"
destination-port="53" service-name="None"
nat-source-address="11.22.33.44" nat-source-port="8325"
nat-destination-address="55.66.77.88" nat-destination-port="53"
src-nat-rule-type="source rule" src-nat-rule-name="source-nat-rule"
dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6"
policy-name="PolicyEnforcer-Rule1-1" source-zone-name="trust"
destination-zone-name="untrust" session-id-32="20267666"
packets-from-client="1" bytes-from-client="64" packets-from-server="0"
bytes-from-server="0" elapsed-time="1" application="INCONCLUSIVE"
nested-application="INCONCLUSIVE" username="N/A" roles="N/A"
packet-incoming-interface="ge-0/0/1.0" encrypted="UNKNOWN"]

Unstructured Message - Session Close

RT_FLOW_SESSION_CLOSE: session closed TCP SERVER
RST: 11.22.33.44/50488->55.66.77.88/48001 None
11.22.33.44/50488->55.66.77.88/48001 N/A N/A N/A N/A 6
13101705 DMZ_One DMZ_Two 120095417 16(8769) 15(1262) 2
UNKNOWN UNKNOWN N/A(N/A) reth8.1122 UNKNOWN

Unstructured Message - Session Denied

RT_FLOW_SESSION_DENY: session denied
11.22.33.44/36619->55.66.77.88/23 junos-telnet 6(0)
default-deny-log untrust DMZ_TESTONE UNKNOWN UNKNOWN N/A(N/A)
reth8.88 UNKNOWN policy deny
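The two parsing paths described above, as an added example in Python (not the app's own code): the structured path pulls the key="value" pairs out of the message and applies the tag names from the first table, and the unstructured path splits the RT_FLOW_SESSION_CLOSE positional layout into the keys of the second table. Assumptions: the samples are the ones above joined onto one line, "sdid@placeholder" stands in for the structured-data identifier the structured sample does not preserve, and the four rule tokens of the unstructured message are taken to follow the structured type/name order.

```python
import re

# Structured key -> user tag, from the "Parsed Metadata Fields" table above.
STRUCTURED_TAGS = {"reason": "Reason", "source-address": "SrcIP", "source-port": "SrcPort",
                   "destination-address": "DstIP", "destination-port": "DstPort",
                   "policy-name": "Policy"}
# Reformatted unstructured key -> the same user tags.
UNSTRUCTURED_TAGS = {"reason": "Reason", "src": "SrcIP", "src-port": "SrcPort",
                     "dst": "DstIP", "dst-port": "DstPort", "policy": "Policy"}
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')                 # key="value", value may hold spaces
FLOW_RE = re.compile(r"^([^/]+)/(\d+)->([^/]+)/(\d+)$")   # src/port->dst/port

def parse_structured(msg):
    """Return {tag: value} for the tagged fields of a structured RT_FLOW message."""
    fields = dict(KV_RE.findall(msg))
    return {tag: fields[key] for key, tag in STRUCTURED_TAGS.items() if key in fields}

def parse_unstructured_close(msg):
    """Reformat an unstructured RT_FLOW_SESSION_CLOSE message into key/value pairs."""
    head, _, rest = msg.partition(": session closed ")
    if head != "RT_FLOW_SESSION_CLOSE":
        return None
    reason, _, tail = rest.partition(": ")        # free-text reason ends at the first ": "
    t = tail.split()
    flow = FLOW_RE.match(t[0]) if t else None
    nat = FLOW_RE.match(t[2]) if len(t) > 18 else None
    if not flow or not nat:
        return None                               # not the expected positional layout
    kv = {"reason": reason, "src": flow[1], "dst": flow[3], "src-port": flow[2],
          "dst-port": flow[4], "service": t[1], "nat-src": nat[1], "nat-src-port": nat[2],
          "nat-dst": nat[3], "nat-dst-port": nat[4], "protocol": t[7], "policy": t[8],
          "src-zone": t[9], "dst-zone": t[10], "session-id": t[11], "ingress-interface": t[18]}
    # t[3..6] are assumed to be src-rule-type, src-rule-name, dst-rule-type, dst-rule-name
    # (the structured order); the key list above keeps one token per rule, so take the names.
    kv.update({"src-nat-rule": t[4], "dst-nat-rule": t[6]})
    return kv

def user_tags(kv, tag_map=UNSTRUCTURED_TAGS):
    """Apply the user tag names to a parsed key/value dict."""
    return {tag: kv[key] for key, tag in tag_map.items() if key in kv}

# Constructed samples, copied from the log samples above and joined onto one line;
# "sdid@placeholder" stands in for the structured-data identifier the page does not preserve.
STRUCTURED_SAMPLE = ('2018-07-13T09:49:21.734Z TESTER RT_FLOW - RT_FLOW_SESSION_CLOSE '
                     '[sdid@placeholder reason="ICMP error" source-address="11.22.33.44" '
                     'source-port="1298" destination-address="55.66.77.88" destination-port="53" '
                     'policy-name="PolicyEnforcer-Rule1-1" packet-incoming-interface="ge-0/0/1.0"]')
UNSTRUCTURED_SAMPLE = ("RT_FLOW_SESSION_CLOSE: session closed TCP SERVER RST: "
                       "11.22.33.44/50488->55.66.77.88/48001 None 11.22.33.44/50488->55.66.77.88/48001 "
                       "N/A N/A N/A N/A 6 13101705 DMZ_One DMZ_Two 120095417 16(8769) 15(1262) 2 "
                       "UNKNOWN UNKNOWN N/A(N/A) reth8.1122 UNKNOWN")
```

Messages of other unstructured event types (for example the RT_FLOW_SESSION_DENY sample) have a different field order and return None from parse_unstructured_close rather than a mis-aligned dict.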