
SRX IDP Traffic Logging Format Explanation

  • 1.  SRX IDP Traffic Logging Format Explanation

    Posted 07-22-2019 23:46

    With a Juniper SRX firewall configured for traffic event logging that outputs "RT_IDP|RT_FLOW_SESSION" to a file on the SRX, there are pieces of log information appended to the end of each log/event entry.

    For example, in the two log events below, the last three words of the first event are "HTTP UNKNOWN UNKNOWN" and the last three words of the second are "UNKNOWN UNKNOWN UNKNOWN".


    Does anyone know what the last three words in SRX traffic log files refer to?

     RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.25.255.2/33355->10.10.5.5/80 0x0 junos-http 10.25.255.2/33355->192.168.2.5/80 0x0 N/A N/A destination rule ENT 6 ENT Internet ENT 9719 N/A(N/A) ge-0/0/0.0 HTTP UNKNOWN UNKNOWN
    RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.25.255.2/5432->10.18.5.5/80 0x0 junos-http 10.25.255.2/5432->192.168.2.5/80 0x0 N/A N/A destination rule ENT 6 ENT Internet ENT 10378 N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN

    Thanks.


    #logging
    #SRX


  • 2.  RE: SRX IDP Traffic Logging Format Explanation
    Best Answer

    Posted 07-22-2019 23:55

    Hello,


    Those three fields are application, nested application and encryption respectively. Please see the description added in the log below:


    RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.25.255.2/5432->10.18.5.5/80 0x0 junos-http 10.25.255.2/5432->192.168.2.5/80 0x0 N/A N/A destination rule ENT 6 ENT Internet ENT 10378 N/A(N/A) ge-0/0/0.0 UNKNOWN(application) UNKNOWN(nested-application) UNKNOWN(encryption)


    Examples for each term:

    Application: HTTP

    Nested-Application: Facebook Messenger (protocols that work over the parent application)

    Encryption: If traffic is encrypted (HTTPS).


    Regards,

    Prakash
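A small parser for the field layout described in this answer, added here as an example; it is not code from the thread or from Juniper. It assumes only what the thread states: the event begins with "RT_FLOW_SESSION_CREATE: session created <src>/<sport>-><dst>/<dport>" and the last three whitespace-separated fields are application, nested-application and encryption. The two sample lines are the events quoted in the question. The summary function counts how many sessions per destination port the SRX left as UNKNOWN, which is the first thing an analyst usually wants from these fields.

```python
import re
from collections import Counter

# Constructed sample input: the two events quoted in the question above.
SAMPLE_LOGS = [
    "RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.25.255.2/33355->10.10.5.5/80 0x0 junos-http "
    "10.25.255.2/33355->192.168.2.5/80 0x0 N/A N/A destination rule ENT 6 ENT Internet ENT 9719 "
    "N/A(N/A) ge-0/0/0.0 HTTP UNKNOWN UNKNOWN",
    "RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.25.255.2/5432->10.18.5.5/80 0x0 junos-http "
    "10.25.255.2/5432->192.168.2.5/80 0x0 N/A N/A destination rule ENT 6 ENT Internet ENT 10378 "
    "N/A(N/A) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN",
]

# Matches the "session created <src>/<sport>-><dst>/<dport>" part that follows the
# message name. re.search is used so a syslog timestamp/hostname prefix does not matter.
_SESSION_RE = re.compile(
    r"RT_FLOW_SESSION_CREATE: session created "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_session_create(line):
    """Return the address tuple plus the trailing three AppID fields of an
    RT_FLOW_SESSION_CREATE event, or None if the line is some other event."""
    m = _SESSION_RE.search(line)
    if m is None:
        return None
    tokens = line.split()
    if len(tokens) < 3:
        return None
    # Per the answer above: last three fields are application,
    # nested-application and encryption, in that order.
    application, nested_application, encryption = tokens[-3:]
    return {
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "application": application,
        "nested_application": nested_application,
        "encryption": encryption,
    }


def count_applications_by_port(lines):
    """Count (destination port, application) pairs across a batch of log lines.
    A large UNKNOWN share on a port the policy expects to be one service
    (e.g. junos-http on 80) is worth a closer look."""
    counts = Counter()
    for line in lines:
        rec = parse_session_create(line)
        if rec is not None:
            counts[(rec["dport"], rec["application"])] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(parse_session_create(line))
    print(count_applications_by_port(SAMPLE_LOGS))
```

Feed it the raw lines from the log file on the SRX (or the syslog collector); lines that are not session-create events are skipped rather than mis-parsed.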






  • 3.  RE: SRX IDP Traffic Logging Format Explanation

    Posted 07-23-2019 00:56

    Hello,


    Syslog Explorer is THE tool to find out. It is available for free on the Juniper public website:

    https://apps.juniper.net/syslog-explorer/


    And your message is explained at

    https://apps.juniper.net/syslog-explorer/#msg=RT_FLOW_SESSION_CREATE&sw=Junos%20OS&rel=19.2R1


    HTH

    Thx

    Alex