I'm trying to use event-options to handle the PFE_FW_SYSLOG_IP event generated by the access list that blocks access attempts to the host with IP 10.1.1.23 on port 55555.
In accordance with the information provided by issuing "help syslog PFE_FW_SYSLOG_IP", I configured the event options as below:
/* policy body: react to PFE_FW_SYSLOG_IP only when both attributes match */
events pfe_fw_syslog_ip;
attributes-match {
    pfe_fw_syslog_ip.destination-address matches "10.1.1.23";
    pfe_fw_syslog_ip.destination-port-or-code matches "^55555$";
}
then {
    execute-commands {
        commands {
            "show interface ge-0/0/13.0";
        }
        user-name OUR_ADMIN;
        output-filename showintge13;
        destination local-directory;
        output-format text;
    }
}
/* destination referenced by execute-commands above */
destinations {
    local-directory {
        archive-sites {
            /var/tmp;
        }
    }
}
(I also configured structured-data in the syslog message)
But execute-commands is not working because the event is not detected: the log file shows the event not in verbose format (attribute name and attribute value) but as follows:
Output of log message
<158>1 2024-08-08T13:48:10.135+02:00 J-SRX340-LAB-1 - - - - PFE_FW_SYSLOG_IP: FW: ge-0/0/13.0 D tcp 10.2.2.47 10.1.1.23 16509 55555
So I did a test with logger as follows to emulate the verbose mode:
#logger -e PFE_FW_SYSLOG_IP -a destination-address=10.1.1.23 -a destination-port-or-code=55555
This logger command generates the syslog message below, which lets event-options detect the event and successfully run execute-commands.
Output of log message
<13>1 2024-08-08T13:50:29.348+02:00 J-SRX340-LAB-1 logger - PFE_FW_SYSLOG_IP [junos@2636.1.1.1.2.135 destination-address="10.1.1.23" destination-port-or-code="55555"]
My question is:
How can I instruct syslog so that, when it logs the PFE_FW_SYSLOG_IP event, it does so in verbose mode, containing the attribute name and its value, so that the event is detected by event-options?
------------------------------
SALVATORE COLIMORO
------------------------------
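Added example (not part of the post, and not Junos code): a Python emulation of what an attributes-match policy can see in each of the two log lines quoted above. It parses the RFC 5424 header and structured-data element, extracts the attribute name/value pairs, and applies the posted match clauses as regular expressions. The plain-text line has a NILVALUE where the structured data would be, so it yields no attributes and can never satisfy the policy; the logger-generated line does. The header layout, the rule that a plain-text message is named by the text before its first colon, and the regex-search semantics of "matches" are assumptions of this emulation, as are the two extra sample lines marked constructed.

```python
"""Emulation of event-options attributes-match over RFC 5424 syslog lines.

Added example, not Junos code. It shows why a plain-text PFE_FW_SYSLOG_IP
line carries nothing an attribute match can use, while the structured-data
form does. Header parsing, event naming for the plain form and the regex
semantics of "matches" are this example's assumptions.
"""
import re
from dataclasses import dataclass, field

# One RFC 5424 SD-ELEMENT: [SD-ID PARAM-NAME="PARAM-VALUE" ...]
SD_ELEMENT_RE = re.compile(
    r'\[(?P<sdid>[^\s\]=]+)(?P<params>(?:\s+[^\s=\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'(?P<name>[^\s=\]]+)="(?P<value>(?:[^"\\]|\\.)*)"')


@dataclass
class SyslogMessage:
    msgid: str
    attrs: dict = field(default_factory=dict)
    msg: str = ''

    @property
    def event(self) -> str:
        # Structured form: the MSGID field names the event.
        # Plain form (assumption): MSGID is '-' and MSG begins "EVENT: ...".
        if self.msgid != '-':
            return self.msgid
        head, sep, _ = self.msg.partition(':')
        return head if sep else ''


def parse_rfc5424(line: str) -> SyslogMessage:
    """Split <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]."""
    parts = line.split(' ', 6)
    if len(parts) < 7:
        raise ValueError(f'not an RFC 5424 line: {line!r}')
    msgid, rest = parts[5], parts[6]
    attrs = {}
    if rest.startswith('-'):
        # NILVALUE: no structured data at all, only free text follows
        msg = rest[1:].lstrip()
    else:
        pos = 0
        while (m := SD_ELEMENT_RE.match(rest, pos)):
            for p in SD_PARAM_RE.finditer(m.group('params')):
                # undo the RFC 5424 escapes \" \\ \]
                attrs[p.group('name')] = re.sub(r'\\([\\"\]])', r'\1', p.group('value'))
            pos = m.end()
        msg = rest[pos:].lstrip()
    return SyslogMessage(msgid=msgid, attrs=attrs, msg=msg)


# The posted policy as data: event names plus (attribute, regex) pairs.
EVENTS = {'pfe_fw_syslog_ip'}
ATTRIBUTES_MATCH = [
    ('destination-address', '10.1.1.23'),     # unanchored, and '.' is a regex wildcard
    ('destination-port-or-code', '^55555$'),  # anchored: exactly this port
]


def policy_matches(line: str, events=EVENTS, attributes_match=ATTRIBUTES_MATCH) -> bool:
    """True when the event name matches and every attribute clause is satisfied."""
    m = parse_rfc5424(line)
    if m.event.lower() not in events:   # event names compared case-insensitively (assumption)
        return False
    for name, pattern in attributes_match:
        value = m.attrs.get(name)
        # A missing attribute can never satisfy a match clause.
        if value is None or not re.search(pattern, value):
            return False
    return True


# Two lines quoted from the post, plus two constructed variants.
PLAIN_LINE = ('<158>1 2024-08-08T13:48:10.135+02:00 J-SRX340-LAB-1 - - - - '
              'PFE_FW_SYSLOG_IP: FW: ge-0/0/13.0 D tcp 10.2.2.47 10.1.1.23 16509 55555')
STRUCTURED_LINE = ('<13>1 2024-08-08T13:50:29.348+02:00 J-SRX340-LAB-1 logger - PFE_FW_SYSLOG_IP '
                   '[junos@2636.1.1.1.2.135 destination-address="10.1.1.23" '
                   'destination-port-or-code="55555"]')
# Constructed: a different host that the unanchored address regex still accepts.
LOOSE_ADDRESS_LINE = STRUCTURED_LINE.replace(
    'destination-address="10.1.1.23"', 'destination-address="210.1.1.230"')
# Constructed: right host, wrong port; the anchored port regex rejects it.
WRONG_PORT_LINE = STRUCTURED_LINE.replace(
    'destination-port-or-code="55555"', 'destination-port-or-code="55556"')

if __name__ == '__main__':
    for label, line in [('plain', PLAIN_LINE), ('structured', STRUCTURED_LINE),
                        ('loose-address', LOOSE_ADDRESS_LINE), ('wrong-port', WRONG_PORT_LINE)]:
        m = parse_rfc5424(line)
        print(f'{label:14} event={m.event} attrs={m.attrs} matches={policy_matches(line)}')
```

The loose-address case is the caveat worth checking in the posted config: "matches" takes a regular expression, so "10.1.1.23" without anchors and without escaped dots also accepts values such as 210.1.1.230; "^10\.1\.1\.23$" restricts the clause to that one host, the way "^55555$" already does for the port.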