Introducing the Juniper Networks App for Splunk - Now Available in Splunkbase

By cdods posted 10-23-2017 06:15


Juniper Networks is excited to announce the availability of our App in Splunk's marketplace, Splunkbase. You can find it here.


Leveraging the rich reporting capabilities of SRX Series Next-Generation Firewalls, Splunk users can now monitor, analyze, and evaluate threats in real-time through a unified dashboard.


Diving In


The Overview Dashboard aims to be a holistic review of your environment, presenting you with details on threat events, network-based exploits, prolific malware, infected hosts, and which applications are consuming the most bandwidth. 


[Screenshot: Overview Dashboard]


The Application Dashboard provides information on:

  • Top Applications by Session Count
  • Top Applications by Volume
  • Top Nested-Applications
  • Top Sources utilizing Unknown or Unspecified-Encrypted Applications


[Screenshot: Application Dashboard]


The Firewall Policies Dashboard provides information on:


  • Top Firewall Policies by hit-count
  • Top Denied Firewall Policies by hit-count
  • Top Firewall Policies by Bandwidth consumed


[Screenshot: Firewall Policies Dashboard]


The IDP Dashboard provides information on:


  • Top Sources triggering IDP events
  • Top Users triggering IDP events
  • Top Signatures being triggered
  • Threat Severity trends (Critical, High, Medium, Low, Informational)
  • Top Applications by Threat Severity for Critical, High, and Medium severity attacks


[Screenshot: IDP Dashboard]


The Web Filtering Dashboard provides information on:


  • Top URL Categories
  • Top URLs being accessed
  • Top Users attempting to access URLs which are being denied
  • Top URLs being permitted by policy
  • Top URLs being denied by policy


[Screenshot: Web Filtering Dashboard]


The Sky ATP Dashboard provides information on:


  • Top Users and Client IP Addresses generating Malware events
  • Top Users and Client IP Addresses communicating with Command-and-Control infrastructure (C&C)
  • The most prevalent Malware
  • Top hosts flagged as being "Infected" by Sky ATP


[Screenshot: Sky ATP Dashboard]


The Event Information Dashboard provides system-level information, such as account auditing, process status, command-line activity, and more.


[Screenshot: Event Information Dashboard]


Configuring an SRX Series Next-Generation Firewall to forward events to Splunk:

Through Security Director:

  1.  Go to Devices
  2.  Right click your device
  3.  Modify Configuration
  4.  Security Logging
  5.  Stream Configuration
  6.  Add Splunk's details

[Screenshot: Adding Splunk via Security Director]


Through J-Web:

  1. Device Settings
  2. Basic Setup
  3. Logging
  4. Set Logging-Type to 'Stream' and enable 'Traffic Logs'
  5. Add Splunk's details
  6. Commit

[Screenshot: Adding Splunk via J-Web]




Through the CLI:

  1.  Enter configuration mode via 'edit' or 'configure'
  2.  Add the correct information for your Splunk instance (IP address, port, SRX source interface if required, etc.)


set security log mode stream
set security log source-interface <srx.interface>
set security log stream Splunk format sd-syslog
# The port is optional and defaults to 514; set it if your Splunk input listens elsewhere
set security log stream Splunk host <ip.address.of.splunk> port <splunk.port>

# Commit the changes
commit and-quit



06-19-2018 10:22

I have a problem with the app: it only shows event information. Can you explain how to configure the app?



syslog : EXTRACT-attack_name_full Inline attack_name.(?<attack_name>.*?)[\r\n]
syslog : EXTRACT-event_severity Inline ^[^>\n]*>(?P<event_severity>\d+)

06-12-2018 11:21

I just downloaded the app, and found that only the "event information" view populates with data.


After some digging I found that the props.conf only has 2 extractions in it:

EXTRACT-attack_name_full = attack_name.(?<attack_name>.*?)[\r\n]
EXTRACT-event_severity = ^[^>\n]*>(?P<event_severity>\d+)

Based on the xml content, I'm showing that the searches are looking for other fields, like policy_name.

Did I get a bad version? (Mine is version 121)


If not, does anyone have a "full" props.conf with all the extractions, or perhaps just a list of the extractions required for this app? At a bare minimum, I need the policy_name extraction for firewall policies.
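The two comments above report that only the Event Information dashboard fills while props.conf carries just two extractions, and a later comment notes that the Application dashboard searches for APPTRACK_SESSION_CLOSE. Below is an added example, not part of the original post and not code from Juniper's app, that parses constructed sd-syslog lines of the kind the stream configuration produces into fields (policy-name among them), reports which message types are present for each dashboard, computes policy hit-counts, and runs the event_severity extraction quoted above against the same line so the captured value can be compared with the severity decoded from the syslog PRI. All sample log values are made up, and the dashboard-to-message-type mapping other than the APPTRACK_SESSION_CLOSE entry is this example's own assumption.

```python
import re
from collections import Counter

# Constructed sd-syslog lines (RFC 5424 structured data) in the shape an SRX
# emits with "format sd-syslog". Hosts, addresses, policy names and session
# ids are placeholders made up for this example, not real captures.
SAMPLE_LOGS = [
    '<14>1 2018-03-30T08:01:00.000-05:00 srx1500 RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.0.0.5" '
    'source-port="51234" destination-address="198.51.100.10" '
    'destination-port="443" service-name="junos-https" '
    'policy-name="trust-to-untrust" source-zone-name="trust" '
    'destination-zone-name="untrust" session-id-32="1001" '
    'bytes-from-client="1500" bytes-from-server="9000" elapsed-time="5"]',
    '<14>1 2018-03-30T08:01:02.000-05:00 srx1500 RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@2636.1.1.1.2.129 source-address="10.0.0.9" source-port="40000" '
    'destination-address="203.0.113.7" destination-port="23" '
    'service-name="junos-telnet" protocol-id="6" policy-name="default-deny" '
    'source-zone-name="trust" destination-zone-name="untrust"]',
    '<14>1 2018-03-30T08:01:03.000-05:00 srx1500 RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.0.0.6" '
    'source-port="51300" destination-address="198.51.100.10" '
    'destination-port="443" service-name="junos-https" '
    'policy-name="trust-to-untrust" source-zone-name="trust" '
    'destination-zone-name="untrust" session-id-32="1002" '
    'bytes-from-client="800" bytes-from-server="4000" elapsed-time="2"]',
    '<12>1 2018-03-30T08:01:05.000-05:00 srx1500 RT_IDP - IDP_ATTACK_LOG_EVENT '
    '[junos@2636.1.1.1.2.129 message-type="SIG" source-address="203.0.113.50" '
    'source-port="3333" destination-address="10.0.0.5" destination-port="80" '
    'protocol-name="TCP" service-name="HTTP" policy-name="idp-policy" '
    'attack-name="HTTP:DIR:TRAVERSAL-UNIX" action="DROP" threat-severity="HIGH"]',
]

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOST APP-NAME PROCID MSGID [SD-ID params]
HEADER_RE = re.compile(
    r'^<(?P<pri>\d+)>(?P<version>\d+) (?P<timestamp>\S+) (?P<host>\S+) '
    r'(?P<process>\S+) (?P<procid>\S+) (?P<msg_type>\S+) '
    r'\[(?P<sd_id>\S+) (?P<params>.*)\]$'
)
# One key="value" pair inside the structured-data element
PARAM_RE = re.compile(r'(?P<key>[\w.-]+)="(?P<value>[^"]*)"')

# The event_severity extraction quoted in the comments above, unchanged
PAGE_EVENT_SEVERITY_RE = re.compile(r'^[^>\n]*>(?P<event_severity>\d+)')

# Message types each dashboard draws on. The APPTRACK entry is what the
# discussion reports; the other two rows are this example's assumption.
DASHBOARD_SOURCES = {
    'Firewall Policies': {'RT_FLOW_SESSION_CLOSE', 'RT_FLOW_SESSION_DENY'},
    'Application': {'APPTRACK_SESSION_CLOSE'},
    'IDP': {'IDP_ATTACK_LOG_EVENT'},
}


def parse_sd_syslog(line):
    """Split one sd-syslog line into header fields plus every key="value" param."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    pri = int(m.group('pri'))
    record = {
        'facility': pri >> 3,   # PRI = facility * 8 + severity
        'severity': pri & 7,
        'host': m.group('host'),
        'process': m.group('process'),
        'msg_type': m.group('msg_type'),
    }
    record.update(dict(PARAM_RE.findall(m.group('params'))))
    return record


def page_event_severity(line):
    """Return what the quoted event_severity extraction captures on a line, or None."""
    m = PAGE_EVENT_SEVERITY_RE.search(line)
    return m.group('event_severity') if m else None


def dashboard_coverage(lines):
    """For each dashboard, whether at least one of its message types is present."""
    seen = Counter(r['msg_type'] for r in map(parse_sd_syslog, lines) if r)
    return {name: any(seen[t] for t in types)
            for name, types in DASHBOARD_SOURCES.items()}


def top_policies(lines, n=5):
    """Firewall policy hit-counts from RT_FLOW events, highest first."""
    hits = Counter()
    for r in map(parse_sd_syslog, lines):
        if r and r['process'] == 'RT_FLOW' and 'policy-name' in r:
            hits[r['policy-name']] += 1
    return hits.most_common(n)


if __name__ == '__main__':
    for name, present in dashboard_coverage(SAMPLE_LOGS).items():
        print(f'{name:18} {"has data" if present else "Waiting for data..."}')
    print('policy hit-counts:', top_policies(SAMPLE_LOGS))
    first = parse_sd_syslog(SAMPLE_LOGS[0])
    print('PRI severity:', first['severity'],
          '| quoted extraction captures:', page_event_severity(SAMPLE_LOGS[0]))
```

Run against the constructed sample, the Application row stays empty because no APPTRACK_SESSION_CLOSE message exists in the input, which is the symptom the 04-03-2018 comment traced to APPTRACK not being enabled; on an sd-syslog line the quoted extraction captures the digit that follows the PRI, while the severity decoded from the PRI itself is a separate value.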




04-03-2018 10:49

@cdods, thank you for the reply. I think my problem was that we don't have APPTRACK turned on. I edited the search and noticed it was searching for "APPTRACK_SESSION_CLOSE". When I switched to the Firewall section I was seeing data as expected.


Thank you for the help!

04-03-2018 10:04

Hi tcw135,


You can change the port it's listening on by going to:

Settings -> Data Inputs -> UDP (assuming you're using UDP syslog instead of tcp/tls) 


Create new Port


Set source name override to jnpr-syslog and add the correct port (1514)



Select app context (Juniper Networks App for Splunk)


Set other settings as needed

03-30-2018 08:01

Hello.  I installed the Juniper app for Splunk this morning and am excited to get it working.  I am running into an issue with the app populating data.  All the windows say "Waiting for data...".  Our main firewall, a Juniper SRX 1500, is set to send sd-syslogs over port 1514 since 514 is used by other devices to send regular syslogs.  When I search for jnpr-syslog I receive the logs that I expect but I don't see any of that information in the Juniper app.


I'm not sure where to look to troubleshoot this. Any help would be appreciated!

03-20-2018 10:37

@RRiley - It's certified now, you should be able to use it where it's convenient for you.


@Miles - As long as the messages themselves retain the same semantic structure, yes (Tested this with JSA/QRadar forwarding to Splunk and it worked just fine).

03-14-2018 16:11

Can this app still work with Juniper data that is not streamed directly from Juniper devices? What if your Juniper data is sent to syslog receivers and then written to a file which a Splunk forwarder can pick up?

01-03-2018 08:26

It isn't certified by Splunk for Splunk Cloud so you can't install it. Anyone know if the new app will be certified for Splunk Cloud anytime soon?

11-28-2017 14:34

Hi dwolcot1,


I was checking this new app, and it looks like:

1. It does not interact with Space or SD

2. It does not interact with PE. Even without the new Junos app you can search for PE events by looking for SECINTEL_ACTION_LOG type syslogs

3. Not sure about Cloud, but it works fine with on-prem Linux

4. It takes clean syslog (in the same structured format as the Space Log Collector)


I also checked with JTAC and they promised to update official documentation for the app shortly.


Please post here if you have had any luck with the app. I'm mostly confused about this new Juniper App clashing with the old Splunk-supported Juniper app. It is also not clear if the new app is CIM compatible and can be used by Splunk ESS.

11-08-2017 07:30

I have a few questions.


- So how does this interact with Junos Space/SD once configured?

- How does this affect Policy Enforcer?

- Does this work with Splunk Cloud? 

- Can you transport the security logs via TLS to Splunk? TLS is a transport option but I wanted to know if it was compatible with Splunk. Currently TLS does not work with Juniper's own Log Collector.