Juniper Junos Firewalls vs Junos Routers
I'm looking into getting Juniper SRX Firewalls as event sources. Telling the system they're of type "junos routers" successfully parses most of the system messages, but fails to parse traffic flow (RT_FLOW) messages. I've looked into the EDI xml and it looks like these messages are catered for, but it's looking like Juniper has changed their log format either for new versions of JunOS, or for SRXs vs their router/switch gear.
Is RSA aware of this situation, and if so, are there any plans to do something about it, and if not, please be aware of it.
I've modified a few of the messages to suit. An example for the DENY message (arguably one of the more important messages) is below: my changed version vs the original.
Note, I changed the table from "Firewall" to "Firewall Accounting" as the accounting table has fields for things like source and destination zones and so on.
content="session <action> <faddr>/<fport>-><laddr>/<lport> <lportname> <fld1>(<fld2> <policy_id> <src_zone> <dst_zone>"/>
content="<@:*SYSVAL($MSGID,$ID1)><@event_time:*EVNTTIME($HDR,'%W-%G-%FT%N:%U:%O',hfld32)><@msg:*PARMVAL($MSG)><@obj_typeysObjectID> [junos@<obj_name> source-address="<saddr>" source-port="<sport>" destination-address="<daddr>" destination-port="<dport>" protocol-id="<fld31>" icmp-type="<icmptype>" policy-name="<policyname>"]" />
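The difference the post is describing is that the SRX emits RT_FLOW as RFC 5424 structured-data syslog (the `[junos@... key="value" ...]` block), not the plain "session <action> <faddr>/<fport>-><laddr>/<lport>" text the stock Junos router message expects. The following is an added example, not RSA's or the enVision parser's own code: a small Python parser that pulls the structured-data fields out of an RT_FLOW_SESSION_DENY line and maps them onto the enVision field names used in the modified content= line above (the sample log line, the hostname and the mapping for the zone fields are constructed for this example).

```python
import re
from typing import Dict, Optional

# Constructed sample of a structured-syslog RT_FLOW_SESSION_DENY message in
# the shape an SRX emits (hostname, timestamp and addresses are made up).
SAMPLE_DENY = (
    '<14>1 2011-06-15T10:33:12.123Z srx-edge RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@2636.1.1.1.2.36 source-address="10.1.1.5" source-port="52341" '
    'destination-address="192.0.2.10" destination-port="443" protocol-id="6" '
    'icmp-type="0" policy-name="deny-all" source-zone-name="trust" '
    'destination-zone-name="untrust"] session denied 10.1.1.5/52341->192.0.2.10/443'
)

# SRX structured-data keys -> enVision field names as used in the post's
# modified content= line; src_zone/dst_zone mappings are an assumption here.
FIELD_MAP = {
    "source-address": "saddr",
    "source-port": "sport",
    "destination-address": "daddr",
    "destination-port": "dport",
    "protocol-id": "protocol",
    "icmp-type": "icmptype",
    "policy-name": "policyname",
    "source-zone-name": "src_zone",
    "destination-zone-name": "dst_zone",
}

# MSGID sits between the "-" PROCID and the structured-data block.
MSGID_RE = re.compile(r"\s(RT_FLOW_SESSION_\w+)\s")
# Structured-data element: "[junos@<enterprise-oid> key="v" key="v" ...]"
SD_RE = re.compile(r"\[junos@[^\s\]]+\s([^\]]*)\]")
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_rt_flow(line: str) -> Optional[Dict[str, str]]:
    """Return enVision-style fields for an RT_FLOW session message, or None
    if the line is not one (so it can fall through to the stock parser)."""
    msgid = MSGID_RE.search(line)
    sd = SD_RE.search(line)
    if not msgid or not sd:
        return None
    # RT_FLOW_SESSION_DENY -> action "deny", RT_FLOW_SESSION_CLOSE -> "close"
    event = {"msgid": msgid.group(1),
             "action": msgid.group(1).rsplit("_", 1)[1].lower()}
    for key, value in KV_RE.findall(sd.group(1)):
        event[FIELD_MAP.get(key, key.replace("-", "_"))] = value
    return event
```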
Actually the Content 1 vs 2 was incidental and not noticed. 😄 I was just messing about getting syslog messages parsed, and the content version must have switched while I wasn't looking.
The reason for doing this is that as written, enVision with updated device support doesn't seem to parse the RT_FLOW messages from SRX firewalls.
I only picked the Firewall.Accounting table because that was where the equivalent data goes (or appears to from my quick reading of the xml) for Netscreen firewalls.
The summary of your comments is that I seem to be a bit of a n00b with event integration, to which I have to agree. Very, very new. My experience with enVision started two weeks ago. But that's beside the point I was trying to make, that being that the provided syslog integration for Junos Routers doesn't seem to fully include Junos Firewalls. Before I look into doing a working ESI xml (lots of fun), I'd just like to know if RSA will be updating the Junos pack with support for SRXs.