Grok Parsing Error When Integrating Elastic Agent with Juniper SRX

Hello everyone,

I encountered an issue while integrating Elastic Agent with Juniper SRX and would like to seek some help or suggestions.
I have configured Juniper to send structured-data logs via syslog to Elastic Agent.

The following error occurred:
Processor "grok" with tag "" in pipeline "logs-juniper_srx.log-1.21.3" failed with message "Provided Grok expressions do not match field value

event.original:
<14>Dec 24 11:39:04 SRX1500 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.3.17.1/32768->9.9.9.9/53 0x0 junos-dns-udp 192.3.17.1/32768->9.9.9.9/53 0x0 N/A N/A N/A N/A 17 pre-id-default-policy-logical-system-01 zone-x zone-y 52332 N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A

Questions:

  1. Does the default pipeline require modifications? If so, how should I adjust the Grok patterns?
  2. Are there any recommended debugging methods to identify and resolve this issue more efficiently?

Hi @wangsubo

Can you please provide the entire JSON object / sample document with the event.original etc. that is failing the grok. Then perhaps we can help

Hi @wangsubo

I found the issue: your logs / standard format should look like

Your logs...

<14>Dec 24 11:39:04 SRX1500 RT_FLOW: 

Should look like

<14>1 Dec 24 11:39:04 SRX1500 RT_FLOW: 
....^^

You are missing what appears to be the version number and a space in your raw syslog message

You can fix this by

A) Either fixing your source; it looks like the expected pattern is <14>1 (space after the version)
B) Editing the GET _ingest/pipeline/logs-juniper_srx.log-1.21.3 pipeline, which will break when you update...

I think this will work... this makes the version number and the space optional

            "SYSLOG_PREFIX": "<%{POSINT:syslog_pri}>(?:\\d{0,3}\\s*)",

To debug these things you should learn about the ingest _simulate API

Example ...

get the pipeline in question

GET _ingest/pipeline/logs-juniper_srx.log-1.21.3

Then set up a small sample using _simulate

POST _ingest/pipeline/_simulate
{
  "pipeline": {
    "processors": [
            {
        "grok": {
          "field": "message",
          "patterns": [
            "^%{SYSLOG_PREFIX}?%{TIMESTAMP_ISO8601:_temp_.raw_date}\\s%{SYSLOGHOST:syslog_hostname}\\s%{JUNIPER_TRAFFIC_PROCESS:syslog_program}\\s(?:%{POSINT:syslog_pid}|-)?\\s%{WORD:tag}\\s\\[([^=]+?\\s)?%{GREEDYDATA:_temp_.traffic_structured}\\]\\s?$",
            "^%{SYSLOG_PREFIX}?%{CUSTOM_DATE:_temp_.raw_date}\\s%{SYSLOGHOST:syslog_hostname}\\s%{PROG:syslog_program}\\s(?:%{POSINT:syslog_pid}|-)?\\s%{WORD:tag}\\s\\[([^=]+?\\s)?%{GREEDYDATA:_temp_.system_structured}\\](?!=)\\s?%{DATA:_temp_.unparsed.message}\\s?$",
            "^%{SYSLOG_PREFIX}?%{CUSTOM_DATE:_temp_.raw_date}\\s%{SYSLOGHOST:syslog_hostname}\\s%{GREEDYDATA:_temp_.unparsed.message}$"
          ],
          "pattern_definitions": {
            "SYSLOG_PREFIX": "<%{POSINT:syslog_pri}>(?:\\d{0,3}\\s*)",
            "CUSTOM_DATE": "%{TIMESTAMP_ISO8601}|(%{MONTH}%{SPACE}%{MONTHDAY}%{SPACE}%{TIME})",
            "JUNIPER_TRAFFIC_PROCESS": "RT_FLOW|RT_UTM|RT_IDP|RT_IDS|RT_AAMW|RT_SECINTEL"
          }
        }
      }
    ]
  }, 
  "docs": [
    {
      "_source": {
        "tags": [
          "preserve_original_event",
          "preserve_duplicate_custom_fields",
          "forwarded",
          "trend_micro_vision_one-detection"
        ],
        "@timestamp": "2024-12-11T17:09:59.000Z",
        "message": "<14>Dec 24 11:39:04 SRX1500 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.3.17.1/32768->9.9.9.9/53 0x0 junos-dns-udp 192.3.17.1/32768->9.9.9.9/53 0x0 N/A N/A N/A N/A 17 pre-id-default-policy-logical-system-01 zone-x zone-y 52332 N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A"
      }
    },
     {
      "_source": {
        "tags": [
          "preserve_original_event",
          "preserve_duplicate_custom_fields",
          "forwarded",
          "trend_micro_vision_one-detection"
        ],
        "@timestamp": "2024-12-11T17:09:59.000Z",
        "message": """<14>1 2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@67.43.156.15 source-address="10.0.0.1" source-port="594" destination-address="67.43.156.13" destination-port="10400" connection-tag="0" service-name="icmp" nat-source-address="10.0.0.1" nat-source-port="594" nat-destination-address="67.43.156.13" nat-destination-port="10400" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="vpn_trust_permit-all" source-zone-name="vpn" destination-zone-name="trust" session-id-32="6093" username="N/A" roles="N/A" packet-incoming-interface="st0.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A"]"""
      }
    }
  ]
}

If you think you are posting a "legitimate" default pattern you can write a bug against the integrations at
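As an added illustration (my code, not code from the thread or from the Elastic integration), the following Python script expands the three grok patterns and the pattern_definitions from the _simulate request above into regular expressions and applies them the way the grok processor does (first matching pattern wins). It contrasts the relaxed SYSLOG_PREFIX posted in the reply with an assumed strict form that demands the version digit and a space; the thread never shows the integration's real default definition, so the strict form is only a stand-in for contrast. The base grok entries (POSINT, MONTH, SYSLOGHOST and so on) are my own approximations of the stock library, and the two sample messages are the ones quoted in the thread.

```python
import re

# Approximations of the stock grok library entries the pipeline patterns use
# (constructed for this example, not copied from Elasticsearch).
BASE_PATTERNS = {
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "WORD": r"\b\w+\b",
    "SPACE": r"\s*",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "PROG": r"[\w._/%-]+",
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:0?[1-9]|[12][0-9]|3[01])",
    "TIME": r"(?:2[0-3]|[01]?[0-9]):[0-5][0-9]:[0-5][0-9]",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?",
    "SYSLOGHOST": r"[A-Za-z0-9._-]+",
}

# RELAXED_PREFIX is the definition posted in the reply above. STRICT_PREFIX is an
# ASSUMED stand-in that requires "<pri>1 " (version digit plus space); the thread
# does not show the integration's actual default definition.
RELAXED_PREFIX = r"<%{POSINT:syslog_pri}>(?:\d{0,3}\s*)"
STRICT_PREFIX = r"<%{POSINT:syslog_pri}>(?:\d{1,3}\s)"

# pattern_definitions and patterns from the _simulate request, JSON escaping removed.
PIPELINE_DEFS = {
    "CUSTOM_DATE": r"%{TIMESTAMP_ISO8601}|(%{MONTH}%{SPACE}%{MONTHDAY}%{SPACE}%{TIME})",
    "JUNIPER_TRAFFIC_PROCESS": r"RT_FLOW|RT_UTM|RT_IDP|RT_IDS|RT_AAMW|RT_SECINTEL",
}
PATTERNS = [
    r"^%{SYSLOG_PREFIX}?%{TIMESTAMP_ISO8601:_temp_.raw_date}\s%{SYSLOGHOST:syslog_hostname}\s%{JUNIPER_TRAFFIC_PROCESS:syslog_program}\s(?:%{POSINT:syslog_pid}|-)?\s%{WORD:tag}\s\[([^=]+?\s)?%{GREEDYDATA:_temp_.traffic_structured}\]\s?$",
    r"^%{SYSLOG_PREFIX}?%{CUSTOM_DATE:_temp_.raw_date}\s%{SYSLOGHOST:syslog_hostname}\s%{PROG:syslog_program}\s(?:%{POSINT:syslog_pid}|-)?\s%{WORD:tag}\s\[([^=]+?\s)?%{GREEDYDATA:_temp_.system_structured}\](?!=)\s?%{DATA:_temp_.unparsed.message}\s?$",
    r"^%{SYSLOG_PREFIX}?%{CUSTOM_DATE:_temp_.raw_date}\s%{SYSLOGHOST:syslog_hostname}\s%{GREEDYDATA:_temp_.unparsed.message}$",
]

# Sample messages quoted in the thread: the poster's BSD-style line and the
# RFC 5424 structured-data line from the second _simulate document.
OLD_FORMAT_MESSAGE = (
    "<14>Dec 24 11:39:04 SRX1500 RT_FLOW: RT_FLOW_SESSION_CREATE: session created "
    "192.3.17.1/32768->9.9.9.9/53 0x0 junos-dns-udp 192.3.17.1/32768->9.9.9.9/53 0x0 "
    "N/A N/A N/A N/A 17 pre-id-default-policy-logical-system-01 zone-x zone-y 52332 "
    "N/A(N/A) ge-0/0/1.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A"
)
RFC5424_MESSAGE = (
    '<14>1 2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@67.43.156.15 source-address="10.0.0.1" source-port="594" '
    'destination-address="67.43.156.13" destination-port="10400" connection-tag="0" '
    'service-name="icmp" nat-source-address="10.0.0.1" nat-source-port="594" '
    'nat-destination-address="67.43.156.13" nat-destination-port="10400" '
    'nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" '
    'dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" '
    'policy-name="vpn_trust_permit-all" source-zone-name="vpn" '
    'destination-zone-name="trust" session-id-32="6093" username="N/A" roles="N/A" '
    'packet-incoming-interface="st0.0" application="UNKNOWN" '
    'nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" '
    'application-sub-category="N/A" application-risk="1" '
    'application-characteristics="N/A"]'
)

GROK_REF = re.compile(r"%\{(\w+)(?::([\w.]+))?\}")


def grok_to_regex(pattern, defs, names):
    """Expand %{NAME} / %{NAME:field} references recursively into a Python
    regex. Named references become numbered groups f0, f1, ... because Python
    group names cannot contain '.'; `names` maps them back to the grok field."""
    def sub(m):
        name, field = m.group(1), m.group(2)
        inner = grok_to_regex(defs[name], defs, names)
        if field:
            group = "f%d" % len(names)
            names[group] = field
            return "(?P<%s>%s)" % (group, inner)
        return "(?:%s)" % inner
    return GROK_REF.sub(sub, pattern)


def grok_first_match(message, prefix_def):
    """Mimic the grok processor: try the patterns in order and return the
    captures of the first one that matches (with grok field names restored)
    plus its index, or None when every pattern fails."""
    defs = dict(BASE_PATTERNS, SYSLOG_PREFIX=prefix_def, **PIPELINE_DEFS)
    for index, pat in enumerate(PATTERNS):
        names = {}
        m = re.match(grok_to_regex(pat, defs, names), message)
        if m:
            out = {names[g]: v for g, v in m.groupdict().items() if v is not None}
            out["_pattern_index"] = index
            return out
    return None


if __name__ == "__main__":
    for label, msg in (("old format", OLD_FORMAT_MESSAGE), ("RFC 5424", RFC5424_MESSAGE)):
        for name, prefix in (("strict", STRICT_PREFIX), ("relaxed", RELAXED_PREFIX)):
            print(label, "/", name, "->", grok_first_match(msg, prefix))
```

With the strict prefix the old-format line matches none of the three patterns, which is the "Provided Grok expressions do not match field value" failure; with the relaxed prefix it falls through to the third (catch-all) pattern, so only syslog_pri, the raw date, the hostname and an unparsed message are extracted, while the RFC 5424 line is caught by the first (traffic) pattern and yields the structured key="value" payload. That fall-through to the catch-all is also why the relaxed prefix fixes the error but not the field coverage.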

After adjusting the SYSLOG_PREFIX to "<%{POSINT:syslog_pri}>(?:\d{0,3}\s*)", the original issue with Processor "grok" with tag "" in pipeline "logs-juniper_srx.log-1.21.3" was resolved.

However, new anomalies have emerged after the adjustment:

Timestamp Issue:
The event.ingested field shows Dec 25, 2024 @ 09:30:29.000, but the @timestamp field automatically adds 8 hours, resulting in Dec 25, 2024 @ 17:30:28.000.

The number of fields in Juniper SRX is relatively small:
The number of fields parsed under juniper.srx in the Juniper SRX integration seems insufficient and appears unreasonable.

I have confirmed that the logs are in structured-data format, but according to the Elastic Juniper SRX Integration Guide, the syslog format should be structured-data + brief.

Currently, I am unsure whether my event.original fully complies with the brief format or if the issue is unrelated to the format itself.

Json:

{
  "_index": ".ds-logs-juniper_srx.log-tp_juniper_srx_1500-2024.12.25-000001",
  "_id": "Wdpv-5MB1yD2fok60J9H",
  "_version": 1,
  "_score": 0,
  "_source": {
    "message_01": " RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.83.25.11/17175->192.83.187.1/53 0x0 junos-dns-udp 192.83.25.11/17175->192.83.187.1/53 0x0 N/A N/A N/A N/A 17 pre-id-default-policy-logical-system-11 fw-ext fw-int 1186800 N/A(N/A) ge-0/0/6.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A",
    "agent": {
      "name": "tp-Logstash",
      "id": "c3d89c74-6c6b-4e44-992a-f2d7d834b000",
      "ephemeral_id": "21dbd7a4-8abb-407d-863f-c4719b64a4c2",
      "type": "filebeat",
      "version": "8.15.0"
    },
    "syslogIndex": "14",
    "log": {
      "level": "informational",
      "source": {
        "address": "210.71.60.158:514"
      }
    },
    "elastic_agent": {
      "id": "c3d89c74-6c6b-4e44-992a-f2d7d834b060",
      "version": "8.15.0",
      "snapshot": false
    },
    "message": "RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.83.25.11/17175->192.83.187.1/53 0x0 junos-dns-udp 192.83.25.11/17175->192.83.187.1/53 0x0 N/A N/A N/A N/A 17 pre-id-default-policy-logical-system-11 fw-ext fw-int 1186800 N/A(N/A) ge-0/0/6.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A",
    "juniper": {
      "srx": {
        "log_type": "system",
        "system": {
          "rt_flow": "RT_FLOW_SESSION_CREATE: session created 192.83.25.11/17175->192.83.187.1/53 0x0 junos-dns-udp 192.83.25.11/17175->192.83.187.1/53 0x0 N/A N/A N/A N/A 17 pre-id-default-policy-logical-system-11 fw-ext fw-int 1186800 N/A(N/A) ge-0/0/6.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A"
        }
      }
    },
    "tags": [
      "preserve_original_event",
      "juniper-srx",
      "forwarded",
      "beats_input_codec_plain_applied"
    ],
    "input": {
      "type": "udp"
    },
    "observer": {
      "product": "SRX",
      "vendor": "Juniper",
      "name": "SRX1500",
      "type": "firewall"
    },
    "hostname": "SRX1500",
    "@timestamp": "2024-12-25T09:30:28.000Z",
    "ecs": {
      "version": "8.11.0"
    },
    "data_stream": {
      "namespace": "tp_juniper_srx_1500",
      "type": "logs",
      "dataset": "juniper_srx.log"
    },
    "@version": "1",
    "host": {
      "name": "SRX1500"
    },
    "event": {
      "severity": 14,
      "agent_id_status": "auth_metadata_missing",
      "ingested": "2024-12-25T01:30:29Z",
      "original": "<14>Dec 25 09:30:28 SRX1500 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.83.25.11/17175->192.83.187.1/53 0x0 junos-dns-udp 192.83.25.11/17175->192.83.187.1/53 0x0 N/A N/A N/A N/A 17 pre-id-default-policy-logical-system-11 fw-ext fw-int 1186800 N/A(N/A) ge-0/0/6.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A",
      "timezone": "+00:00",
      "kind": "event",
      "category": [
        "network"
      ],
      "dataset": "juniper_srx.log"
    },
    "timestamp": "Dec 25 09:30:28"
  },
  "fields": {
    "message_01": [
      " RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.83.25.11/17175->192.83.187.1/53 0x0 junos-dns-udp 192.83.25.11/17175->192.83.187.1/53 0x0 N/A N/A N/A N/A 17 pre-id-default-policy-logical-system-11 fw-ext fw-int 1186800 N/A(N/A) ge-0/0/6.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A"
    ],
    "elastic_agent.version": [
      "8.15.0"
    ],
    "event.category": [
      "network"
    ],
    "syslogIndex": [
      "14"
    ],
    "observer.name": [
      "SRX1500"
    ],
    "observer.vendor": [
      "Juniper"
    ],
    "agent.type": [
      "filebeat"
    ],
    "hostname": [
      "SRX1500"
    ],
    "juniper.srx.system.rt_flow": [
      "RT_FLOW_SESSION_CREATE: session created 192.83.25.11/17175->192.83.187.1/53 0x0 junos-dns-udp 192.83.25.11/17175->192.83.187.1/53 0x0 N/A N/A N/A N/A 17 pre-id-default-policy-logical-system-11 fw-ext fw-int 1186800 N/A(N/A) ge-0/0/6.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A"
    ],
    "event.module": [
      "juniper_srx"
    ],
    "@version": [
      "1"
    ],
    "log.level": [
      "informational"
    ],
    "agent.name": [
      "tp-Logstash"
    ],
    "observer.product": [
      "SRX"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "host.name": [
      "SRX1500"
    ],
    "event.agent_id_status": [
      "auth_metadata_missing"
    ],
    "event.kind": [
      "event"
    ],
    "event.timezone": [
      "+00:00"
    ],
    "timestamp": [
      "Dec 25 09:30:28"
    ],
    "event.severity": [
      14
    ],
    "event.original": [
      "<14>Dec 25 09:30:28 SRX1500 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.83.25.11/17175->192.83.187.1/53 0x0 junos-dns-udp 192.83.25.11/17175->192.83.187.1/53 0x0 N/A N/A N/A N/A 17 pre-id-default-policy-logical-system-11 fw-ext fw-int 1186800 N/A(N/A) ge-0/0/6.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A"
    ],
    "elastic_agent.id": [
      "c3d89c74-6c6b-4e44-992a-f2d7d834b060"
    ],
    "data_stream.namespace": [
      "tp_juniper_srx_1500"
    ],
    "input.type": [
      "udp"
    ],
    "message": [
      "RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.83.25.11/17175->192.83.187.1/53 0x0 junos-dns-udp 192.83.25.11/17175->192.83.187.1/53 0x0 N/A N/A N/A N/A 17 pre-id-default-policy-logical-system-11 fw-ext fw-int 1186800 N/A(N/A) ge-0/0/6.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A"
    ],
    "data_stream.type": [
      "logs"
    ],
    "tags": [
      "preserve_original_event",
      "juniper-srx",
      "forwarded",
      "beats_input_codec_plain_applied"
    ],
    "event.ingested": [
      "2024-12-25T01:30:29.000Z"
    ],
    "@timestamp": [
      "2024-12-25T09:30:28.000Z"
    ],
    "juniper.srx.log_type": [
      "system"
    ],
    "agent.id": [
      "c3d89c74-6c6b-4e44-992a-f2d7d834b060"
    ],
    "ecs.version": [
      "8.11.0"
    ],
    "observer.type": [
      "firewall"
    ],
    "log.source.address": [
      "210.71.60.158:514"
    ],
    "data_stream.dataset": [
      "juniper_srx.log"
    ],
    "agent.ephemeral_id": [
      "21dbd7a4-8abb-407d-863f-c4719b64a4c2"
    ],
    "agent.version": [
      "8.15.0"
    ],
    "event.dataset": [
      "juniper_srx.log"
    ]
  }
}

Hi @wangsubo

The time issue is a time zone issue.

All dates are stored in Elastic in UTC.
If a date comes in without a timezone or offset, the UTC timezone is used.
Your dates do not have a timezone, so UTC is assumed.
Kibana displays timestamps in your local time zone by default.
This is how Elastic and Kibana work.

Your Options

  1. Configure your source to provide the Date field with the timestamp
  2. Add a custom ingest pipeline to adjust the Timestamp for the locale. We can discuss when you choose your approach.
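As an added worked example (mine, not part of the reply above), here is the arithmetic behind that explanation in Python: the device's zone-less "Dec 25 09:30:28" stamp read as UTC versus read in the device's own zone, checked against the event.ingested value from the posted document, followed by the date processor that option 2 would use. The +08:00 offset is inferred from the 8-hour gap reported earlier, and the pipeline name logs-juniper_srx.log@custom is assumed to be the custom hook the integration pipeline calls; both are assumptions, not facts stated in the thread.

```python
from datetime import datetime, timedelta, timezone

# Values taken from the document posted above: a zone-less device stamp and
# the ingest time Elasticsearch recorded for the same event.
DEVICE_TIMESTAMP = "Dec 25 09:30:28"
EVENT_INGESTED = "2024-12-25T01:30:29Z"
# Assumed from the 8-hour gap the poster describes; a real deployment would use
# the device's configured zone rather than a fixed offset.
DEVICE_OFFSET = timezone(timedelta(hours=8))


def parse_syslog_timestamp(value, year, tz=timezone.utc):
    """Parse a BSD-syslog 'MMM d HH:mm:ss' stamp (no year, no zone) and return
    it as an aware UTC datetime. tz=UTC reproduces the default reading the
    integration applies; passing the device's zone is what a date processor
    with 'timezone' set does."""
    naive = datetime.strptime("%d %s" % (year, value), "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def ingest_lag_seconds(device_stamp, ingested_iso, year, tz):
    """Seconds between event.ingested and the event time under a given zone
    assumption. A large negative value means events appear to arrive from the
    future, which is the symptom reported in the thread and which breaks any
    time-ordered investigation of these logs."""
    ingested = datetime.fromisoformat(ingested_iso.replace("Z", "+00:00"))
    return (ingested - parse_syslog_timestamp(device_stamp, year, tz)).total_seconds()


# The corrected setting as an ingest pipeline body. The pipeline name is the
# assumed custom hook; 'timestamp' is the raw field present in the posted
# document, and the date processor's field/target_field/formats/timezone
# options are the standard ones.
CUSTOM_PIPELINE_NAME = "logs-juniper_srx.log@custom"
CUSTOM_PIPELINE = {
    "description": "Read Juniper SRX BSD-syslog timestamps in the device zone",
    "processors": [
        {
            "date": {
                "field": "timestamp",
                "target_field": "@timestamp",
                "formats": ["MMM d HH:mm:ss", "MMM dd HH:mm:ss"],
                "timezone": "+08:00",
            }
        }
    ],
}


if __name__ == "__main__":
    print("read as UTC    :", parse_syslog_timestamp(DEVICE_TIMESTAMP, 2024))
    print("read as +08:00 :", parse_syslog_timestamp(DEVICE_TIMESTAMP, 2024, DEVICE_OFFSET))
    print("lag (UTC)      :", ingest_lag_seconds(DEVICE_TIMESTAMP, EVENT_INGESTED, 2024, timezone.utc))
    print("lag (+08:00)   :", ingest_lag_seconds(DEVICE_TIMESTAMP, EVENT_INGESTED, 2024, DEVICE_OFFSET))
```

Read as UTC the event sits 8 hours ahead of its own ingest time; read with the device offset it lands one second before ingest, which is the plausible value. The processor body is what you would PUT to `_ingest/pipeline/<name>` if you take option 2; option 1 (an RFC 5424 timestamp with an offset, as in the structured-data sample earlier in the thread) makes the processor unnecessary.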

Apologies I am not clear if you are talking about your sample or the integration in general.

Your sample seems pretty short and brief, as you say, and the format seems different with different delimiters, etc., so I am not surprised that it is not parsing completely / correctly.

Here are the sample default Juniper logs as assumed by the Integration; these are used to test the integration.

I encourage you to open an Issue if you have a repeatable issue and are sure you are shipping default messages. If you are not shipping default messages, you will need to provide/update the ingest pipelines to match your message.

You can also open an issue to request the documentation to be more clear on the supported versions of SRX and formats (it seems a little lacking there to me)

I suspect you are perhaps not shipping the required format.

I also see from this ... that your current logs are in the old syslog format, whereas the integration appears to require the newer syslog format, as I showed above.

https://supportportal.juniper.net/s/article/Syslog-output-from-SRX-appears-in-different-format-for-system-logs-and-traffic-logs-Are-these-both-RFC-compliant?language=en_US