
  • 1.  What is the log format for deny hosts ACL?

    Posted 02-08-2018 07:24

    We are running JunOS 14.1R8.6 and we have the following config that logs denied hosts for an ACL:

    file DENY-HOSTS.log {
        firewall any;
    }

    I have that log being forwarded via syslog to a Splunk server where I have the Splunk Add-in for Juniper installed. I set the sourcetype to juniper:junos:firewall, but the events are not being parsed. A log event is as follows:

     

    Feb 8 10:07:12 1 <host IP> Feb 8 10:07:12 <hostname> fpc0 PFE_FW_SYSLOG_IP: FW: xe-0/0/0.447 D tcp x.x.x.x y.y.y.y 47619 12472 (1 packets)

     

    I tried looking for documentation that details the log format, and the closest I came was the information at this link:

    https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-firewall-log.html

     

    However, it's not matching up perfectly. Is there any other document that details the log format?

     

    My best guess re: field names for the log is as follows (after hostname):

    fpc0 ===> ?

    PFE_FW_SYSLOG_IP: FW: ===> Filter 

    xe-0/0/0.447 ===> Interface

    D ===> Filter Action

    tcp ===> Protocol

    x.x.x.x ===> Source IP

    y.y.y.y ===> Destination IP

    47619 ===> I assume this is port, but not sure if it's Source or Destination

    12472 ===> packet length?

     

    Would appreciate any help,

    Thx


    #log
    #JUNOS
    #fields
    #splunk
    #syslog
    #format


  • 2.  RE: What is the log format for deny hosts ACL?
    Best Answer

     
    Posted 02-08-2018 09:18

    Hi

    Hope this helps:

     

    fpc0 ===> This is the Forwarding Module Slot Number. For instance, the interface here in this log is xe-0/0/0, which relates to FPC0. The first octet is the slot number, the second is the PIC, the third is the port number. That is FPC-0, PIC-0, Port-0.

    FPC0 just means that the log was from slot-0 (FPC0) in the chassis. There can be other FPCs as well in the chassis.

    PFE_FW_SYSLOG_IP: FW: ===> Filter. Yes, as per the doc

    xe-0/0/0.447 ===> Interface. Yes, indeed, it's interface xe-0/0/0 with unit 447.

    D ===> Filter Action.  Yep, D as in Discard

    tcp ===> Protocol - Right!

    x.x.x.x ===> Source IP

    y.y.y.y ===> Destination IP

    47619 ===> I assume this is port, but not sure if it's Source or Destination -> I believe it's the dest port - was there a : next to dest? or src?


    12472 ===> packet length?

     

    I assume you picked this log from the syslog server? Could you check on the device (show firewall log detail)? It may give details to correlate with.



  • 3.  RE: What is the log format for deny hosts ACL?

    Posted 02-08-2018 10:19

    Karan,

    Actually 47619 is the source port and 12472 is the destination port.

     

    Thx for the info on Forwarding Module Slot Number and verifying the other fields. I believe I'm good to go!
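    As an added example (not code from the thread or from Juniper/Splunk), here is a small parser for the PFE_FW_SYSLOG_IP line using the field order the thread settles on (interface, action, protocol, source IP, destination IP, source port, destination port, packet count). It also splits the interface name into FPC/PIC/port/unit and checks it against the fpcN token, as the second post explains. Only the "D" action code quoted in the thread is mapped; the sample line, hostname and addresses are constructed.

```python
import re
from typing import Optional

# Matches the PFE_FW_SYSLOG_IP message body regardless of the syslog header the
# relay prepends. Field order per the thread: interface, action, protocol,
# source IP, destination IP, source port, destination port, packet count.
PFE_FW_RE = re.compile(
    r"(?P<fpc>fpc\d+)\s+PFE_FW_SYSLOG_IP:\s+FW:\s+"
    r"(?P<interface>\S+)\s+(?P<action>[A-Z])\s+(?P<proto>\S+)\s+"
    r"(?P<src_ip>\S+)\s+(?P<dst_ip>\S+)\s+(?P<src_port>\d+)\s+(?P<dst_port>\d+)\s+"
    r"\((?P<packets>\d+)\s+packets?\)"
)
# xe-0/0/0.447 -> media xe, FPC 0, PIC 0, port 0, unit 447 (unit is optional).
IFACE_RE = re.compile(r"^(?P<media>[a-z]+)-(?P<fpc>\d+)/(?P<pic>\d+)/(?P<port>\d+)(?:\.(?P<unit>\d+))?$")
ACTIONS = {"D": "discard"}  # only the code quoted in the thread is mapped; others pass through raw

def parse_interface(name: str) -> Optional[dict]:
    """Split an interface name into media, FPC slot, PIC, port and unit."""
    m = IFACE_RE.match(name)
    if not m:
        return None
    parts = {k: int(v) for k, v in m.groupdict().items() if k != "media" and v is not None}
    parts["media"] = m.group("media")
    return parts

def parse_pfe_fw_log(line: str) -> Optional[dict]:
    """Parse one firewall-filter syslog line into typed fields; None if it is not one."""
    m = PFE_FW_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    rec = {
        "fpc_slot": int(f["fpc"][3:]), "interface": f["interface"],
        "action": ACTIONS.get(f["action"], f["action"]), "proto": f["proto"],
        "src_ip": f["src_ip"], "dst_ip": f["dst_ip"],
        "src_port": int(f["src_port"]), "dst_port": int(f["dst_port"]),
        "packets": int(f["packets"]),
    }
    iface = parse_interface(f["interface"])
    # Consistency check from the thread: the fpcN token should name the slot the interface lives on.
    rec["fpc_matches_interface"] = iface is not None and iface["fpc"] == rec["fpc_slot"]
    return rec

# Constructed sample in the shape quoted in the thread (documentation address ranges, fake hostname).
SAMPLE = ("Feb 8 10:07:12 1 192.0.2.1 Feb 8 10:07:12 edge-rtr fpc0 PFE_FW_SYSLOG_IP: FW: "
          "xe-0/0/0.447 D tcp 198.51.100.7 192.0.2.10 47619 12472 (1 packets)")
```

    Because the pattern is searched rather than anchored, the same parser works whether the collector keeps the doubled syslog header shown in the thread or strips it.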