I am trying to ingest Juniper logs via Filebeat using the juniper module,
but it does not give me systemname and RT_FLOW anywhere in my ELK data. How do I get that?
source = dc-fw1
Can I modify this module and add my own process to retrieve/delete fields?
<14>1 2021-04-16T08:00:39.489-05:00 dc-fw1 RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.140 reason="ICMP error" source-address="10.10.94.62" source-port="36931" destination-address="10.25.63.18" destination-port="161" service-name="None" application="SNMP" nested-application="UNKNOWN" nat-source-address="10.10.94.62" nat-source-port="36931" nat-destination-address="10.25.63.18" nat-destination-port="161" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="20201029" source-zone-name="trusted-ent" destination-zone-name="trusted-prod" session-id-32="62595271" packets-from-client="2" bytes-from-client="142" packets-from-server="0" bytes-from-server="0" elapsed-time="3" username="N/A" roles="N/A" encrypted="No" profile-name="N/A" rule-name="N/A" routing-instance="default" destination-interface-name="et-1/0/0.207" uplink-incoming-interface-name="N/A" uplink-tx-bytes="0" uplink-rx-bytes="0" category="Infrastructure" sub-category="Monitoring" apbr-policy-name="N/A" amr-rule-name="N/A"]
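The line above is RFC 5424 syslog: the "system name" the question is after is the HOSTNAME field (dc-fw1) and RT_FLOW is the APP-NAME field, with the Junos key/value pairs carried as structured data under the SD-ID junos@2636.1.1.1.2.140. The parser below is an added example written for this page, not code from the thread or from the Filebeat juniper module; it walks the header and the structured-data block so you can see exactly which token each field comes from. The sample line is a shortened copy of the one posted (constructed inline), and the to_ecs() mapping at the end is an illustrative ECS-style flattening of my own, not what the Filebeat module emits.

```python
import re
from typing import Any, Dict

# Constructed sample: a shortened copy of the APPTRACK_SESSION_CLOSE line from the post.
SAMPLE = (
    '<14>1 2021-04-16T08:00:39.489-05:00 dc-fw1 RT_FLOW - APPTRACK_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.140 reason="ICMP error" source-address="10.10.94.62" '
    'source-port="36931" destination-address="10.25.63.18" destination-port="161" '
    'service-name="None" application="SNMP" protocol-id="17" policy-name="20201029" '
    'source-zone-name="trusted-ent" destination-zone-name="trusted-prod" '
    'session-id-32="62595271" packets-from-client="2" bytes-from-client="142" '
    'elapsed-time="3" routing-instance="default" destination-interface-name="et-1/0/0.207"]'
)

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD + MSG.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d)\s+'
    r'(?P<timestamp>\S+)\s+(?P<hostname>\S+)\s+(?P<appname>\S+)\s+'
    r'(?P<procid>\S+)\s+(?P<msgid>\S+)\s*(?P<rest>.*)$',
    re.DOTALL,
)

# PARAM-NAME="PARAM-VALUE"; inside a value the characters " \ and ] are backslash-escaped.
PARAM_RE = re.compile(r'(?P<name>[^\s=\]"]+)="(?P<value>(?:\\.|[^"\\])*)"')


def _unescape(value: str) -> str:
    """Undo the RFC 5424 PARAM-VALUE escapes (\\" \\\\ and \\])."""
    return re.sub(r'\\([\\"\]])', r'\1', value)


def _split_sd_element(rest: str):
    """Return (element_body, remainder) for text starting at an SD-ELEMENT '['."""
    in_quotes = False
    i = 1
    while i < len(rest):
        c = rest[i]
        if c == '\\' and in_quotes:      # skip escaped char inside a quoted value
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c == ']' and not in_quotes:  # first unquoted ']' closes the element
            return rest[1:i], rest[i + 1:]
        i += 1
    raise ValueError('unterminated SD-ELEMENT')


def parse_rfc5424(line: str) -> Dict[str, Any]:
    """Parse one RFC 5424 line into header fields plus a dict of SD-ID -> params."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not an RFC 5424 syslog line')
    pri = int(m['pri'])
    event: Dict[str, Any] = {
        'facility': pri >> 3,
        'severity': pri & 7,
        'timestamp': m['timestamp'],
        'hostname': m['hostname'],   # the Junos system name, e.g. dc-fw1
        'appname': m['appname'],     # the process tag, e.g. RT_FLOW
        'procid': m['procid'],
        'msgid': m['msgid'],         # the event name, e.g. APPTRACK_SESSION_CLOSE
        'sd': {},
        'message': '',
    }
    rest = m['rest'].lstrip()
    if rest.startswith('-'):         # NILVALUE: no structured data, rest is MSG
        event['message'] = rest[1:].strip()
        return event
    while rest.startswith('['):
        body, rest = _split_sd_element(rest)
        sd_id, _, params = body.partition(' ')
        event['sd'][sd_id] = {
            p['name']: _unescape(p['value']) for p in PARAM_RE.finditer(params)
        }
        rest = rest.lstrip()
    event['message'] = rest.strip()
    return event


def to_ecs(event: Dict[str, Any]) -> Dict[str, str]:
    """Illustrative ECS-style flattening (assumption: not the Filebeat module's own mapping)."""
    junos = next((p for sd_id, p in event['sd'].items() if sd_id.startswith('junos@')), {})
    return {
        'host.name': event['hostname'],
        'process.name': event['appname'],
        'event.action': event['msgid'],
        'event.reason': junos.get('reason', ''),
        'source.ip': junos.get('source-address', ''),
        'source.port': junos.get('source-port', ''),
        'destination.ip': junos.get('destination-address', ''),
        'destination.port': junos.get('destination-port', ''),
        'network.iana_number': junos.get('protocol-id', ''),
    }


if __name__ == '__main__':
    print(to_ecs(parse_rfc5424(SAMPLE)))
```

A real collector must still cope with the Junos "structured-data" knob being off (the message then arrives as plain text, not in brackets), and with escaped quotes and brackets inside values, which the element splitter above handles.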
Is this from an SRX? Are you using the juniper module with the SRX fileset or the Junos fileset enabled?
Looking at the logs, they look quite like SRX logs, and I just wanted to check whether you might not be using the correct fileset.
I asked the network team and they said:
"SRX is the Firewall and Junos is the operating system that it is running. So yes to both."
@elasticforme, can they configure only the SRX fileset? It does Junos parsing as well, but it's extended to support SRX-specific fields and information too.
What would be a different fileset?
OK. This is only the SRX log.
I have the following enabled on my Filebeat:
- module: juniper
  junos:
    enabled: true
    var.input: udp
    var.syslog_host: elkdev01
    var.syslog_port: 1514
  srx:
    enabled: true
    var.input: udp
    var.syslog_host: elkdev01
    var.syslog_port: 1514
Does this seem correct?
@elasticforme, yeah, so they set junos to enabled: false.
They don't need both; the SRX one is more mature and includes Junos logs (from SRX devices). See if that makes a difference first. Otherwise you are pretty much creating the same logs twice, and they can't really be listening on the same port either; that would not work.
Perfect. I got it.
I had junos first, and hence it was doing that.
I turned on SRX first and disabled junos, and I started getting logs tagged juniper.srx.
Thank you.
(system) Closed May 25, 2021, 9:15pm
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.