We are running JunOS 14.1R8.6 and we have the following config that logs denied hosts for an ACL:
file DENY-HOSTS.log {
    firewall any;
}
I have that log being forwarded via syslog to a Splunk server where I have the Splunk Add-in for Juniper installed. I set the sourcetype to juniper:junos:firewall, but the events are not being parsed. A log event is as follows:
Feb 8 10:07:12 1 <host IP> Feb 8 10:07:12 <hostname> fpc0 PFE_FW_SYSLOG_IP: FW: xe-0/0/0.447 D tcp x.x.x.x y.y.y.y 47619 12472 (1 packets)
I tried looking for documentation that details the log format, and the closest I came was the information at this link:
https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/show-firewall-log.html
However, it's not matching up perfectly. Is there any other document that details the log format?
My best guess re: field names for the log is as follows (after hostname):
fpc0 ===> ?
PFE_FW_SYSLOG_IP: FW: ===> Filter
xe-0/0/0.447 ===> Interface
D ===> Filter Action
tcp ===> Protocol
x.x.x.x ===> Source IP
y.y.y.y ===> Destination IP
47619 ===> I assume this is port, but not sure if it's Source or Destination
12472 ===> packet length?
Would appreciate any help,
Thx
Tags: log, JUNOS, fields, splunk, syslog, format
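As an added example (not part of the original post or of the Splunk add-on), here is a small Python parser for the PFE_FW_SYSLOG_IP message body shown above, which pulls out the fields in the order the poster lists them. The action letters follow the Action column of the `show firewall log` documentation linked in the post; naming the two numeric fields as source and destination port is an assumption, and the sample lines use constructed RFC 5737 addresses and a made-up hostname.

```python
import re
from typing import Optional

# Regex for the message body after "PFE_FW_SYSLOG_IP: FW:" as seen in the post.
# Field order (interface, action, protocol, src, dst, port, port, count)
# follows the posted line; "src_port"/"dst_port" naming is an ASSUMPTION.
FW_LOG_RE = re.compile(
    r"PFE_FW_SYSLOG_IP:\s+FW:\s+"
    r"(?P<interface>\S+)\s+"
    r"(?P<action>[ADR])\s+"
    r"(?P<protocol>\S+)\s+"
    r"(?P<src_ip>\S+)\s+"
    r"(?P<dst_ip>\S+)\s+"
    r"(?P<src_port>\d+)\s+"
    r"(?P<dst_port>\d+)\s+"
    r"\((?P<packets>\d+) packets?\)"
)

# Action letters as documented for "show firewall log": A=accept, D=discard, R=reject.
ACTION_NAMES = {"A": "accept", "D": "discard", "R": "reject"}


def parse_fw_log(line: str) -> Optional[dict]:
    """Return a dict of firewall-log fields, or None if the line is not a FW event."""
    m = FW_LOG_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("src_port", "dst_port", "packets"):
        fields[key] = int(fields[key])
    fields["action_name"] = ACTION_NAMES.get(fields["action"], "unknown")
    return fields


def count_denied(lines) -> int:
    """Count events whose filter action was discard (the DENY-HOSTS case)."""
    parsed = (parse_fw_log(line) for line in lines)
    return sum(1 for f in parsed if f is not None and f["action"] == "D")


# Constructed sample lines: the first mirrors the posted event, the third is an
# unrelated Junos message to show that non-FW lines are skipped.
SAMPLE_LINES = [
    "Feb 8 10:07:12 1 192.0.2.1 Feb 8 10:07:12 edge-rtr fpc0 PFE_FW_SYSLOG_IP: FW: xe-0/0/0.447 D tcp 198.51.100.7 192.0.2.10 47619 12472 (1 packets)",
    "Feb 8 10:07:13 1 192.0.2.1 Feb 8 10:07:13 edge-rtr fpc0 PFE_FW_SYSLOG_IP: FW: xe-0/0/0.447 A udp 198.51.100.8 192.0.2.10 53 5353 (3 packets)",
    "Feb 8 10:07:14 edge-rtr mgd[1234]: UI_COMMIT: User 'admin' requested 'commit'",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_fw_log(line))
    print("denied events:", count_denied(SAMPLE_LINES))
```

The same named-group regex can be dropped into a Splunk `props.conf` EXTRACT stanza for the sourcetype if the add-on's own extractions keep failing.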