
JuniperSRX parser is not parsing logs correctly

Open jjbhavsar opened this issue 11 months ago • 3 comments

JuniperSRX parser is not parsing logs. I don't see important fields like source IP, destination IP in Sentinel.

The Juniper logs we receive are in a different format than the one provided in the parser 1.1 example. Can someone please help me fix the parser?

2024-03-12T17:51:51.755Z FW01 RT_FLOW - RT_FLOW_SESSION_CLOSE [xxxxxx reason="TCP FIN" source-address="xx.xx.xx.xx" source-port="xxxxx" destination-address="xx.xx.xx.xx" destination-port="xxxx" connection-tag="0" service-name="https" nat-source-address="xx.xx.xx.xx" nat-source-port="xxxx" nat-destination-address="xx.xx.xx.xx" nat-destination-port="xxx" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="xx-xxx-xxx" source-zone-name="xxxx" destination-zone-name="xxx" session-id="xxxx" packets-from-client="xx" bytes-from-client="xxx" packets-from-server="xx" bytes-from-server="xx" elapsed-time="1" application="xx" nested-application="xx" username="N/A" roles="N/A" packet-incoming-interface="xx" encrypted="No" application-category="Web" application-sub-category="miscellaneous" application-risk="2" application-characteristics="N/A" secure-web-proxy-session-type="NA" peer-session-id="0" peer-source-address="xxxxx" peer-source-port="0" peer-destination-address="xxxxx" peer-destination-port="0" hostname="NA" src-vrf-grp="N/A" dst-vrf-grp="N/A" tunnel-inspection="Off" tunnel-inspection-policy-set="root" session-flag="0" source-tenant="N/A" destination-service="N/A"]


jjbhavsar avatar Mar 13 '24 15:03 jjbhavsar

Hi @jjbhavsar, could you please share more details about the parser with a link, and also sample data, to the email ids [email protected] and [email protected]. Thanks!

v-muuppugund avatar Mar 14 '24 04:03 v-muuppugund

Hi @jjbhavsar, we have responded to your mail and are waiting for your response. Thanks!

v-sudkharat avatar Mar 21 '24 06:03 v-sudkharat

Hi @jjbhavsar, we have also checked your shared syslog message - 2024-03-12T17:51:51.755Z FW01 RT_FLOW - RT_FLOW_SESSION_CLOSE [xxxxxx reason="TCP FIN" source-address="xx.xx.xx.xx" source-port="xxxxx" destination-address="xx.xx.xx.xx" destination-port="xxxx" connection-tag="0" service-name="https" nat-source-address="xx.xx.xx.xx" nat-source-port="xxxx" nat-destination-address="xx.xx.xx.xx" nat-destination-port="xxx" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="xx-xxx-xxx" source-zone-name="xxxx" destination-zone-name="xxx" session-id="xxxx" packets-from-client="xx" bytes-from-client="xxx" packets-from-server="xx" bytes-from-server="xx" elapsed-time="1" application="xx" nested-application="xx" username="N/A" roles="N/A" packet-incoming-interface="xx" encrypted="No" application-category="Web" application-sub-category="miscellaneous" application-risk="2" application-characteristics="N/A" secure-web-proxy-session-type="NA" peer-session-id="0" peer-source-address="xxxxx" peer-source-port="0" peer-destination-address="xxxxx" peer-destination-port="0" hostname="NA" src-vrf-grp="N/A" dst-vrf-grp="N/A" tunnel-inspection="Off" tunnel-inspection-policy-set="root" session-flag="0" source-tenant="N/A" destination-service="N/A"]

The syslog message which you received is in key-value pair format and does not have the default comma-separated format which the parser supports. Ex. - //58afdc1d-32c7-497b-926f-94c1d1e9e192,Linux,10/7/2022 18:16,10.151.254.59,10/7/2022 19:27,user,10.151.254.59,info,RT_FLOW_SESSION_CLOSE: session closed TCP //FIN: 10.255.50.101/34494->10.151.254.59/22 junos-ssh 10.255.50.101/34494->10.151.254.59/22 N/A N/A N/A N/A 6 Allow-Intra MGMNT MGMNT 52380767 165(13032) //266(46477) 286 SSH UNKNOWN N/A(N/A) ae1.255 UNKNOWN,,Unknown IP,RT_FLOW,00000000-0000-0000-0000-000000000002,Syslog,>

So, you need to validate the current configuration which you have done on the JuniperSRX side. Please let us know if it is done correctly and you are still facing the issue. Thanks!

v-sudkharat avatar Mar 22 '24 09:03 v-sudkharat
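The two Junos RT_FLOW_SESSION_CLOSE formats discussed in this thread (the bracketed key-value structured-data form the reporter receives, and the older space-separated "session closed" form the Sentinel parser expects) can be normalized into one schema before any detection logic runs. The following is an added example written for this thread, not code from the Azure-Sentinel repository or the JuniperSRX parser; the sample lines are constructed (RFC 5737 addresses, placeholder SD-ID `junos@EXAMPLE`) and the legacy field order is assumed from the example quoted above.

```python
import re
from typing import Dict, Optional

# Constructed sample lines (not the reporter's data). Addresses come from the
# RFC 5737 documentation ranges; "junos@EXAMPLE" is a placeholder SD-ID.
STRUCTURED_LINE = (
    '2024-03-12T17:51:51.755Z FW01 RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@EXAMPLE reason="TCP FIN" source-address="192.0.2.10" source-port="51234" '
    'destination-address="198.51.100.20" destination-port="443" service-name="https" '
    'protocol-id="6" policy-name="allow-web" source-zone-name="trust" '
    'destination-zone-name="untrust" session-id="4711" packets-from-client="12" '
    'bytes-from-client="1500" packets-from-server="10" bytes-from-server="9000" '
    'elapsed-time="1" username="N/A"]'
)
# Legacy space-separated form; field order assumed from the example in the thread.
LEGACY_LINE = (
    'RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.0.2.10/51234->198.51.100.20/443 '
    'junos-https 192.0.2.10/51234->198.51.100.20/443 N/A N/A N/A N/A 6 allow-web '
    'trust untrust 4711 12(1500) 10(9000) 1 HTTP UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN'
)

# RFC 5424-style header: TIMESTAMP HOST APP PROCID MSGID [SD-ID params...]
_HEADER_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) '
    r'\[(?P<sdid>[^ \]]+)(?P<params>.*)\]\s*$'
)
# PARAM-NAME="value"; RFC 5424 escapes ", \ and ] inside values with a backslash.
_PARAM_RE = re.compile(r'([\w.-]+)="((?:[^"\\]|\\.)*)"')
# Legacy: src/sport->dst/dport service nat-tuple 4x nat-rule-fields proto policy zones session-id
_LEGACY_RE = re.compile(
    r'RT_FLOW_SESSION_CLOSE: session closed (?P<reason>.+?): '
    r'(?P<src>[^/ ]+)/(?P<sport>\d+)->(?P<dst>[^/ ]+)/(?P<dport>\d+) (?P<svc>\S+) '
    r'\S+ \S+ \S+ \S+ \S+ (?P<proto>\d+) (?P<policy>\S+) (?P<szone>\S+) '
    r'(?P<dzone>\S+) (?P<sid>\d+)'
)


def _unescape(value: str) -> str:
    """Undo RFC 5424 PARAM-VALUE escaping (\\" \\\\ \\])."""
    return re.sub(r'\\(.)', r'\1', value)


def parse_structured(line: str) -> Optional[Dict[str, str]]:
    """Parse the bracketed key-value form; None if the line is not in that form."""
    m = _HEADER_RE.match(line)
    if not m or m.group('app') != 'RT_FLOW':
        return None
    fields = {k: m.group(k) for k in ('ts', 'host', 'msgid', 'sdid')}
    for key, value in _PARAM_RE.findall(m.group('params')):
        fields[key] = _unescape(value)
    return fields


def parse_legacy(line: str) -> Optional[Dict[str, str]]:
    """Parse the space-separated 'session closed' form into the same key names."""
    m = _LEGACY_RE.search(line)
    if not m:
        return None
    return {
        'reason': m.group('reason'),
        'source-address': m.group('src'), 'source-port': m.group('sport'),
        'destination-address': m.group('dst'), 'destination-port': m.group('dport'),
        'service-name': m.group('svc'), 'protocol-id': m.group('proto'),
        'policy-name': m.group('policy'), 'source-zone-name': m.group('szone'),
        'destination-zone-name': m.group('dzone'), 'session-id': m.group('sid'),
    }


# Fields a Sentinel analytic would expect regardless of which format the SRX emits.
COMMON_FIELDS = ('reason', 'source-address', 'source-port', 'destination-address',
                 'destination-port', 'protocol-id', 'policy-name', 'session-id')


def normalize(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Try the structured form first, then legacy; return the common schema or None."""
    fields = parse_structured(line) or parse_legacy(line)
    if fields is None:
        return None
    return {k: fields.get(k) for k in COMMON_FIELDS}


if __name__ == '__main__':
    for sample in (STRUCTURED_LINE, LEGACY_LINE):
        print(normalize(sample))
```

Both sample lines normalize to the same record, which is the property a parser fix needs: whichever syslog format the SRX is configured to send, downstream detections see the same source/destination fields. A real Sentinel parser would express the same two branches in KQL; the point here is that the key-value form needs a key-value extractor, not the positional split the legacy form relies on.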

Hi @jjbhavsar, gentle reminder: we are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 29-03-2024, we will be closing this issue. Thanks!

v-sudkharat avatar Mar 27 '24 05:03 v-sudkharat

Hi @jjbhavsar, since we have not received a response in the last 5 days, we are closing your issue as per our standard operating procedures. If you still need support for this issue, feel free to re-open at any time. Thank you for your co-operation.

v-sudkharat avatar Mar 29 '24 06:03 v-sudkharat

@v-sudkharat

Sorry, I was away for a few days. I am checking the config on the Juniper side and will update here. Thanks for your help.

jjbhavsar avatar Apr 02 '24 13:04 jjbhavsar