Juniper log ingestion

I am trying to ingest juniper log via filebeat using juniper module

but it does not give me systemname and RT_FLOW anywhere in my ELK data. how do I get that?
source = dc-fw1

Can I modify this module and add my own process to retrieve/delete fields?

<14>1 2021-04-16T08:00:39.489-05:00 dc-fw1 RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636. reason=\"ICMP error\" source-address=\"\" source-port=\"36931\" destination-address=\"\" destination-port=\"161\" service-name=\"None\" application=\"SNMP\" nested-application=\"UNKNOWN\" nat-source-address=\"\" nat-source-port=\"36931\" nat-destination-address=\"\" nat-destination-port=\"161\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"20201029\" source-zone-name=\"trusted-ent\" destination-zone-name=\"trusted-prod\" session-id-32=\"62595271\" packets-from-client=\"2\" bytes-from-client=\"142\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"3\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" profile-name=\"N/A\" rule-name=\"N/A\" routing-instance=\"default\" destination-interface-name=\"et-1/0/0.207\" uplink-incoming-interface-name=\"N/A\" uplink-tx-bytes=\"0\" uplink-rx-bytes=\"0\" category=\"Infrastructure\" sub-category=\"Monitoring\" apbr-policy-name=\"N/A\" amr-rule-name=\"N/A\"]"

Is this from an SRX? Are you using the juniper module with the SRX fileset or the Junos fileset enabled?

Looking at the logs they look quite like srx logs, and just wanted to see if you maybe are not using the correct fileset?

Asked network team and they said
"SRX is the Firewall and Junos is the operating system that it is running. So yes to both."

@elasticforme , Can they configure only the SRX fileset? It does Junos parsing as well, but its extended to support srx specific fields and information as well.

what would be different fileset

ok. this is only SRX log

I have following enable on my filebeat

- module: juniper
    enabled: true
    var.input: udp
    var.syslog_host: elkdev01
    var.syslog_port: 1514

    enabled: true
    var.input: udp
    var.syslog_host: elkdev01
    var.syslog_port: 1514

is this seems correct?

@elasticforme , yeah so they set junos to enabled: false.

They don't need both, the SRX one is more mature and includes Junos logs (from SRX devices). See if that causes some difference first, else you are pretty much creating the same logs twice, and they cant really be listening on the same port either, that would not work.

1 Like

Perefect. I got it.

I had junos first and hence it was doing that.

I turn on SRX first disable junos and I started getting log saying juniper.srx.

Thank you

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.