Juniper log ingestion

elasticforme · April 22, 2021, 1:28pm

I am trying to ingest juniper log via filebeat using juniper module

but it does not give me systemname and RT_FLOW anywhere in my ELK data. how do I get that?
source = dc-fw1

Can I modify this module and add my own process to retrieve/delete fields?

<14>1 2021-04-16T08:00:39.489-05:00 dc-fw1 RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.140 reason=\"ICMP error\" source-address=\"10.10.94.62\" source-port=\"36931\" destination-address=\"10.25.63.18\" destination-port=\"161\" service-name=\"None\" application=\"SNMP\" nested-application=\"UNKNOWN\" nat-source-address=\"10.10.94.62\" nat-source-port=\"36931\" nat-destination-address=\"10.25.63.18\" nat-destination-port=\"161\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"20201029\" source-zone-name=\"trusted-ent\" destination-zone-name=\"trusted-prod\" session-id-32=\"62595271\" packets-from-client=\"2\" bytes-from-client=\"142\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"3\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" profile-name=\"N/A\" rule-name=\"N/A\" routing-instance=\"default\" destination-interface-name=\"et-1/0/0.207\" uplink-incoming-interface-name=\"N/A\" uplink-tx-bytes=\"0\" uplink-rx-bytes=\"0\" category=\"Infrastructure\" sub-category=\"Monitoring\" apbr-policy-name=\"N/A\" amr-rule-name=\"N/A\"]"

Marius_Iversen · April 24, 2021, 10:06am

Is this from an SRX? Are you using the juniper module with the SRX fileset or the Junos fileset enabled?

Looking at the logs they look quite like srx logs, and just wanted to see if you maybe are not using the correct fileset?

elasticforme · April 26, 2021, 1:05pm

Asked network team and they said
"SRX is the Firewall and Junos is the operating system that it is running. So yes to both."

Marius_Iversen · April 26, 2021, 1:27pm

@elasticforme , Can they configure only the SRX fileset? It does Junos parsing as well, but its extended to support srx specific fields and information as well.

elasticforme · April 27, 2021, 1:09pm

what would be different fileset

elasticforme · April 27, 2021, 6:23pm

ok. this is only SRX log

I have following enable on my filebeat

- module: juniper
  junos:
    enabled: true
    var.input: udp
    var.syslog_host: elkdev01
    var.syslog_port: 1514

  srx:
    enabled: true
    var.input: udp
    var.syslog_host: elkdev01
    var.syslog_port: 1514

is this seems correct?

Marius_Iversen · April 27, 2021, 7:04pm

@elasticforme , yeah so they set junos to enabled: false.

They don't need both, the SRX one is more mature and includes Junos logs (from SRX devices). See if that causes some difference first, else you are pretty much creating the same logs twice, and they cant really be listening on the same port either, that would not work.

elasticforme · April 27, 2021, 7:15pm

Perefect. I got it.

I had junos first and hence it was doing that.

I turn on SRX first disable junos and I started getting log saying juniper.srx.

Thank you

system · May 25, 2021, 9:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.