After adjusting the SYSLOG_PREFIX to "<%{POSINT:syslog_pri}>(?:\d{0,3}\s*)", the original issue with Processor "grok" with tag "" in pipeline "logs-juniper_srx.log-1.21.3" was resolved.
However, new anomalies have emerged after the adjustment:
Timestamp Issue:
The event.ingested field shows Dec 25, 2024 @ 09:30:29.000, but the @timestamp field automatically adds 8 hours, resulting in Dec 25, 2024 @ 17:30:28.000.
The number of fields in Juniper SRX is relatively small:
The set of fields parsed under juniper.srx by the Juniper SRX integration seems insufficient, which does not look right.
I have confirmed that the logs are in structured-data format, but according to the Elastic Juniper SRX Integration Guide, the syslog format should be structured-data + brief.
Currently, I am unsure whether my event.original fully complies with the brief format or if the issue is unrelated to the format itself.
JSON:
{
"_index": ".ds-logs-juniper_srx.log-tp_juniper_srx_1500-2024.12.25-000001",
"_id": "Wdpv-5MB1yD2fok60J9H",
"_version": 1,
"_score": 0,
"_source": {
"message_01": " RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.83.25.11/17175->192.83.187.1/53 0x0 junos-dns-udp 192.83.25.11/17175->192.83.187.1/53 0x0 N/A N/A N/A N/A 17 pre-id-default-policy-logical-system-11 fw-ext fw-int 1186800 N/A(N/A) ge-0/0/6.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A",
"agent": {
"name": "tp-Logstash",
"id": "c3d89c74-6c6b-4e44-992a-f2d7d834b000",
"ephemeral_id": "21dbd7a4-8abb-407d-863f-c4719b64a4c2",
"type": "filebeat",
"version": "8.15.0"
},
"syslogIndex": "14",
"log": {
"level": "informational",
"source": {
"address": "210.71.60.158:514"
}
},
"elastic_agent": {
"id": "c3d89c74-6c6b-4e44-992a-f2d7d834b060",
"version": "8.15.0",
"snapshot": false
},
"message": "RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.83.25.11/17175->192.83.187.1/53 0x0 junos-dns-udp 192.83.25.11/17175->192.83.187.1/53 0x0 N/A N/A N/A N/A 17 pre-id-default-policy-logical-system-11 fw-ext fw-int 1186800 N/A(N/A) ge-0/0/6.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A",
"juniper": {
"srx": {
"log_type": "system",
"system": {
"rt_flow": "RT_FLOW_SESSION_CREATE: session created 192.83.25.11/17175->192.83.187.1/53 0x0 junos-dns-udp 192.83.25.11/17175->192.83.187.1/53 0x0 N/A N/A N/A N/A 17 pre-id-default-policy-logical-system-11 fw-ext fw-int 1186800 N/A(N/A) ge-0/0/6.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A"
}
}
},
"tags": [
"preserve_original_event",
"juniper-srx",
"forwarded",
"beats_input_codec_plain_applied"
],
"input": {
"type": "udp"
},
"observer": {
"product": "SRX",
"vendor": "Juniper",
"name": "SRX1500",
"type": "firewall"
},
"hostname": "SRX1500",
"@timestamp": "2024-12-25T09:30:28.000Z",
"ecs": {
"version": "8.11.0"
},
"data_stream": {
"namespace": "tp_juniper_srx_1500",
"type": "logs",
"dataset": "juniper_srx.log"
},
"@version": "1",
"host": {
"name": "SRX1500"
},
"event": {
"severity": 14,
"agent_id_status": "auth_metadata_missing",
"ingested": "2024-12-25T01:30:29Z",
"original": "<14>Dec 25 09:30:28 SRX1500 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.83.25.11/17175->192.83.187.1/53 0x0 junos-dns-udp 192.83.25.11/17175->192.83.187.1/53 0x0 N/A N/A N/A N/A 17 pre-id-default-policy-logical-system-11 fw-ext fw-int 1186800 N/A(N/A) ge-0/0/6.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A",
"timezone": "+00:00",
"kind": "event",
"category": [
"network"
],
"dataset": "juniper_srx.log"
},
"timestamp": "Dec 25 09:30:28"
},
"fields": {
"message_01": [
" RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.83.25.11/17175->192.83.187.1/53 0x0 junos-dns-udp 192.83.25.11/17175->192.83.187.1/53 0x0 N/A N/A N/A N/A 17 pre-id-default-policy-logical-system-11 fw-ext fw-int 1186800 N/A(N/A) ge-0/0/6.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A"
],
"elastic_agent.version": [
"8.15.0"
],
"event.category": [
"network"
],
"syslogIndex": [
"14"
],
"observer.name": [
"SRX1500"
],
"observer.vendor": [
"Juniper"
],
"agent.type": [
"filebeat"
],
"hostname": [
"SRX1500"
],
"juniper.srx.system.rt_flow": [
"RT_FLOW_SESSION_CREATE: session created 192.83.25.11/17175->192.83.187.1/53 0x0 junos-dns-udp 192.83.25.11/17175->192.83.187.1/53 0x0 N/A N/A N/A N/A 17 pre-id-default-policy-logical-system-11 fw-ext fw-int 1186800 N/A(N/A) ge-0/0/6.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A"
],
"event.module": [
"juniper_srx"
],
"@version": [
"1"
],
"log.level": [
"informational"
],
"agent.name": [
"tp-Logstash"
],
"observer.product": [
"SRX"
],
"elastic_agent.snapshot": [
false
],
"host.name": [
"SRX1500"
],
"event.agent_id_status": [
"auth_metadata_missing"
],
"event.kind": [
"event"
],
"event.timezone": [
"+00:00"
],
"timestamp": [
"Dec 25 09:30:28"
],
"event.severity": [
14
],
"event.original": [
"<14>Dec 25 09:30:28 SRX1500 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.83.25.11/17175->192.83.187.1/53 0x0 junos-dns-udp 192.83.25.11/17175->192.83.187.1/53 0x0 N/A N/A N/A N/A 17 pre-id-default-policy-logical-system-11 fw-ext fw-int 1186800 N/A(N/A) ge-0/0/6.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A"
],
"elastic_agent.id": [
"c3d89c74-6c6b-4e44-992a-f2d7d834b060"
],
"data_stream.namespace": [
"tp_juniper_srx_1500"
],
"input.type": [
"udp"
],
"message": [
"RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.83.25.11/17175->192.83.187.1/53 0x0 junos-dns-udp 192.83.25.11/17175->192.83.187.1/53 0x0 N/A N/A N/A N/A 17 pre-id-default-policy-logical-system-11 fw-ext fw-int 1186800 N/A(N/A) ge-0/0/6.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A"
],
"data_stream.type": [
"logs"
],
"tags": [
"preserve_original_event",
"juniper-srx",
"forwarded",
"beats_input_codec_plain_applied"
],
"event.ingested": [
"2024-12-25T01:30:29.000Z"
],
"@timestamp": [
"2024-12-25T09:30:28.000Z"
],
"juniper.srx.log_type": [
"system"
],
"agent.id": [
"c3d89c74-6c6b-4e44-992a-f2d7d834b060"
],
"ecs.version": [
"8.11.0"
],
"observer.type": [
"firewall"
],
"log.source.address": [
"210.71.60.158:514"
],
"data_stream.dataset": [
"juniper_srx.log"
],
"agent.ephemeral_id": [
"21dbd7a4-8abb-407d-863f-c4719b64a4c2"
],
"agent.version": [
"8.15.0"
],
"event.dataset": [
"juniper_srx.log"
]
}
}