Junos OS

Expand all | Collapse all

What is the log format for deny hosts ACL?

Jump to Best Answer
  • 1.  What is the log format for deny hosts ACL?

    Posted 02-08-2018 07:24

    We are running JunOS 14.1R8.6  and we have the following config that logs denied hosts for an ACL:

     

    file DENY-HOSTS.log {

        firewall any;

     

    I have that log being forwared via syslog to a Splunk sever where I have the Splunk Add-in for Juniper installed. I set the sourcetype to juniper:junos:firewall, but the events are not being parsed. A log event is as follows:

     

    Feb 8 10:07:12 1 <host IP> Feb 8 10:07:12 <hostname> fpc0 PFE_FW_SYSLOG_IP: FW: xe-0/0/0.447 D tcp x.x.x.x y.y.y.y 47619 12472 (1 packets)

     

    I tried looking for documentation that details the log format, and the closest I came was the information at this link:

    https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-firewall-log.html

     

    However, it's not matching up perfectly. Is there any other document that details the log format?

     

    My best guess re: field names for the log is as follows (after hostname):

    fpc0 ===> ?

    PFE_FW_SYSLOG_IP: FW: ===> Filter 

    xe-0/0/0.447 ===> Interface

    D ===> Filter Action

    tcp ===> Protocol

    x.x.x.x ===> Source IP

    y.y.y.y ===> Destination IP

    47619 ===> I assume this is port, but not sure if it's Source or Destination

    12472 ===>  packet length?

     

    Would apprecaite any help,

    Thx


    #log
    #JUNOS
    #fields
    #splunk
    #syslog
    #format


  • 2.  RE: What is the log format for deny hosts ACL?
    Best Answer

     
    Posted 02-08-2018 09:18

    HI

    Hope this helps:

     

    fpc0 ===> This is Forwarding Module Slot Number. For instance, the interface here in this log is xe-0/0/0 that relates to FPC0.  The first octet is Slot number, second is PIC, third is the port number. that is FPC-0, PIC-0, Port-0.


    FPC0 just means that log was from slot-0 (FPC0) in chassis. there can be other FPC as well in the chassis

    PFE_FW_SYSLOG_IP: FW: ===> Filter.  Yes, as per the doc

    xe-0/0/0.447 ===> Interface.  Yes, indeed, its interface xe-0/0/0 with unit 447.

    D ===> Filter Action.  Yep, D as in Discard

    tcp ===> Protocol - Right!

    x.x.x.x ===> Source IP

    y.y.y.y ===> Destination IP

    47619 ===> I assume this is port, but not sure if it's Source or Destination -> I believe its dest port - was there : next to dest? or src?


    12472 ===>  packet length? 

     

    I assume you picked this log from syslog server? Could you check on device (show firewall log detail), may give details to corelate with.

     

     

     

     



  • 3.  RE: What is the log format for deny hosts ACL?

    Posted 02-08-2018 10:19

    Karan,

    Actually 47619 is the source port and 12472 is the destinatioin port.

     

    Thx for the info on Forwarding Module Slot Number and verifying the other fields. I believe I'm good to go!