|
|
##
|
|
|
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
|
|
|
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
|
|
|
##
|
|
|
##
|
|
|
|
|
|
## LOOKUP
|
|
|
[juniper_transport_protocols_lookup]
|
|
|
filename = juniper_transport_protocols.csv
|
|
|
|
|
|
[juniper_netscreen_firewall_ids_info_lookup]
|
|
|
filename = juniper_netscreen_firewall_ids_info.csv
|
|
|
|
|
|
###### Juniper Firewall (Netscreen Firewall) ######
|
|
|
|
|
|
## TRANSFORMS
|
|
|
[force_host_for_netscreen_firewall]
|
|
|
DEST_KEY = MetaData:Host
|
|
|
REGEX = \s+([^\s]+)\:\s+NetScreen\s+device_id\=
|
|
|
FORMAT = host::$1
|
|
|
|
|
|
[force_sourcetype_for_netscreen_firewall]
|
|
|
DEST_KEY = MetaData:Sourcetype
|
|
|
REGEX = \s+NetScreen\s+device_id\=
|
|
|
FORMAT = sourcetype::netscreen:firewall
|
|
|
|
|
|
## LOOKUP
|
|
|
[juniper_netscreen_firewall_action_lookup]
|
|
|
filename = juniper_netscreen_firewall_actions.csv
|
|
|
|
|
|
## REPORT
|
|
|
[dest_translated_for_netscreen_firewall]
|
|
|
REGEX = dst-xlated\s+ip\s*=\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+port\s*=\s*(\d+)
|
|
|
FORMAT = dest_translated_ip::$1 dest_translated_port::$2
|
|
|
|
|
|
[src_translated_for_netscreen_firewall]
|
|
|
REGEX = src-xlated\s+ip\s*=\s*(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+port\s*=\s*(\d+)
|
|
|
FORMAT = src_translated_ip::$1 src_translated_port::$2
|
|
|
|
|
|
[zone_for_netscreen_firewall]
|
|
|
REGEX = src\s+zone\=(\S+)*\s+dst\s+zone\=(\S+)*
|
|
|
FORMAT = src_zone::$1 dest_zone::$2
|
|
|
|
|
|
[app_for_netscreen_firewall]
|
|
|
REGEX = (?<app>[Nn]et[Ss]creen).*(?:Password\s+authentication|Login\s+attempt|attempt\s+by\s+admin|admin\s+authentication|for\s+admin\s+user|system-alert-)
|
|
|
|
|
|
[dvc_for_netscreen_firewall]
|
|
|
REGEX = (?<dvc>[\w\d\-\.]+)\s+[\w\d\-\.]+\s*:\s*[Nn]et[Ss]creen
|
|
|
|
|
|
## Netscreen Authentication Extractions
|
|
|
|
|
|
[local_admin_auth_for_netscreen_firewall]
|
|
|
REGEX = (?:([\w\d\-\.]+)\s+[\w\d\-\.]+\s*)?:\s*(NetScreen).*?Local\s+admin\s+authentication\s+(failed|successful)\s+for\s+login\s+name\s+([^\s:]+)
|
|
|
FORMAT = dest::$1 vendor_app::$2 vendor_action::$3 netscreen_user::$4
|
|
|
|
|
|
[login_refused_for_netscreen_firewall]
|
|
|
REGEX = (?:([\w\d\-\.]+)\s+[\w\d\-\.]+\s*)?:\s*(NetScreen).*Login\s+attempt\s+by\s+admin\s+(\S+)\s+from\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+is\s+(refused)
|
|
|
FORMAT = dest::$1 vendor_app::$2 netscreen_user::$3 src_ip::$4 vendor_action::$5
|
|
|
|
|
|
[password_auth_for_netscreen_firewall]
|
|
|
REGEX = (?:([\w\d\-\.]+)\s+[\w\d\-\.]+\s*)?:\s*(NetScreen).*?Password\s+authentication\s+(failed|successful)\s+for\s+admin\s+user\s+[\'\"]\s*([^\'\"\s]+)\s*[\'\"]\s+at\s+host\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|.+?)[\s\.]*\s
|
|
|
FORMAT = dest::$1 vendor_app::$2 vendor_action::$3 netscreen_user::$4 dest::$5
|
|
|
|
|
|
## Netscreen Network Change Extractions
|
|
|
[change_src_dest_for_netscreen_firewall]
|
|
|
REGEX = system\-notification\-00018\:.*from\s+host\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+to\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\:
|
|
|
FORMAT = src_ip::$1 dest_ip::$2
|
|
|
|
|
|
## Modify firewall messages for ScreenOS 6.0.0 Rev2 and later
|
|
|
[firewall_change_for_netscreen_firewall]
|
|
|
REGEX = system\-notification\-00018\:\s.*\swas\s(\w+).*\sby\s([^\s]*)\svia\s([^\s]*)\s
|
|
|
FORMAT = vendor_action::$1 netscreen_user::$2 command::$3
|
|
|
|
|
|
[policy_id_for_netscreen_firewall]
|
|
|
REGEX = system\-notification\-00018\:.*?[Pp]olicy\s*(?:ID\s*|\()(\d+)
|
|
|
FORMAT = policy_id::$1
|
|
|
|
|
|
[translation_log_for_netscreen_firewall]
|
|
|
REGEX = \s+([^\s]+)\:\s+(NetScreen) device_id\=([^\s]+)\s+.*?system\-information.*?\:\s+IP\s+address\s+(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\s+.*?assigned\s+to\s+(\w+)\.
|
|
|
FORMAT = dest::$1 vendor_app::$2 device_id::$3 ip::$4 mac::$5
|
|
|
|
|
|
[user_for_netscreen_firewall_restart]
|
|
|
REGEX = system\-information\-\w+\:.*System\s+halt\-reboot\s+by\s+\'([^\']+)\'
|
|
|
FORMAT = netscreen_user::$1
|
|
|
|
|
|
[login_failed_for_netscreen_firewall]
|
|
|
REGEX = (?:([\w\d\-\.]+)\s+[\w\d\-\.]+\s*)?:\s*(NetScreen).*Login\s+attempt\s+to\s+system\s+by\s+admin\s+(\S+)\s+via\s+Telnet\s+from\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*:\s*(\d+)\s+has\s+(failed)
|
|
|
FORMAT = dest::$1 vendor_app::$2 netscreen_user::$3 src_ip::$4 src_port::$5 vendor_action::$6
|
|
|
|
|
|
## Alert messages for ScreenOS 6.3.0 Rev5, Published: 2014-12-17
|
|
|
[alert_first_part_for_netscreen_firewall]
|
|
|
REGEX = \s+(NetScreen)\s+.*system\-alert\-(\w+):\s+(.*)
|
|
|
FORMAT = vendor_app::$1 alert_id::$2 body::$3
|
|
|
|
|
|
[alert_rest_part_for_netscreen_firewall]
|
|
|
REGEX = system\-alert\-\w+:\s+\w[^!]+!\s+From\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\:?(\d+)?\s+to\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\:?(\d+)?,\s+proto\s+(\w+)\s+\(zone\s+(\w+),?\s+int\s+([^\s)]+)\)\.\s+Occurred\s+(\d+)\s+times
|
|
|
FORMAT = src_ip::$1 src_port::$2 dest_ip::$3 dest_port::$4 protocol::$5 zone::$6 interface_name::$7 frequency::$8
|
|
|
|
|
|
###### Juniper Restarts ######
|
|
|
|
|
|
## REPORT
|
|
|
[juniper_restart_field]
|
|
|
REGEX = device_id=([\w\-]+).*System\shalt-(reboot)\sby\s'\w+'
|
|
|
FORMAT = dest::$1 vendor_action::$2
|
|
|
|
|
|
###### Juniper JunOS IDP ######
|
|
|
|
|
|
## TRANSFORMS
|
|
|
[force_sourcetype_for_junos_idp_structured]
|
|
|
DEST_KEY = MetaData:Sourcetype
|
|
|
REGEX = \s+RT_IDP\s+\-\s+\w+\s+\[junos@2636
|
|
|
FORMAT = sourcetype::juniper:junos:idp:structured
|
|
|
|
|
|
[force_sourcetype_for_junos_idp]
|
|
|
DEST_KEY = MetaData:Sourcetype
|
|
|
REGEX = \s+RT_IDP:\s+
|
|
|
FORMAT = sourcetype::juniper:junos:idp
|
|
|
|
|
|
## REPORT
|
|
|
[message_tag_for_junos_idp]
|
|
|
REGEX = RT_IDP\s*(?:\:|\-)\s+(?<message_tag>[\w]+)
|
|
|
|
|
|
[dvc_for_junos_idp]
|
|
|
REGEX = (?<dvc>\S+)\s+RT_IDP
|
|
|
|
|
|
[auto_kv_for_junos_idp]
|
|
|
## FIELDS: IDP: at epoch-time, message-type Attack log <source-address/source-port->destination-address/destination-port> for protocol-name protocol and service service-name application application-name by rule rule-name of rulebase rulebase-name in policy policy-name. attack: id=export-id, repeat=repeat-count, action=action, threat-severity=threat-severity, name=attack-name, NAT <nat-source-address:nat-source-port->nat-destination-address:nat-destination-port>, time-elapsed=elapsed-time, inbytes=inbound-bytes, outbytes=outbound-bytes, inpackets=inbound-packets, outpackets=outbound-packets, intf:source-zone-name:source-interface-name->destination-zone-name:destination-interface-name, packet-log-id: packet-log-id, alert=alert, username=username, roles=roles, xff-header=xff-header and misc-message message
|
|
|
|
|
|
REGEX = (?<message_type>\S+)\s+Attack\s+log\s+<(?<src_ip>\d+\.\d+\.\d+\.\d+)(?:\/|\:)(?<src_port>\d+)->(?<dest_ip>\d+\.\d+\.\d+\.\d+)(?:\/|\:)(?<dest_port>\d+)>\s+for\s+(?<protocol>\S+)\s+protocol\s+and\s+service\s+(?<service>\S+)\s+application\s+(?<vendor_app>\S+)\s+by\s+rule\s+(?<rule>\S+)\s+of\s+rulebase\s+(?<rulebase_name>\S+)\s+in\s+policy\s+(?<policy_name>\S+)\..*NAT\s+<(?<src_translated_ip>\d+\.\d+\.\d+\.\d+)(?:\/|\:)(?<src_translated_port>\d+)->(?<dest_translated_ip>\d+\.\d+\.\d+\.\d+)(?:\/|\:)(?<dest_translated_port>\d+)>.*intf:(?<src_zone>[^:]+):(?<src_interface>[^>]+)->(?<dest_zone>[^:]+):(?<dest_interface>[^,]+),\s*packet-log-id:\s*(?<packet_log_id>\w+).*and\s+misc-message\s+(?<misc_message>\S+)
|
|
|
|
|
|
|
|
|
###### Juniper JunOS FW ######
|
|
|
|
|
|
## TRANSFORMS
|
|
|
[force_sourcetype_for_junos_firewall]
|
|
|
DEST_KEY = MetaData:Sourcetype
|
|
|
REGEX = \s+(?:RT_FLOW|RT_IDS|ESWD_STP_STATE_CHANGE_INFO|ESWD_DAI_FAILED|PFE_FW_SYSLOG_ETH_IP|RT_UTM):\s+
|
|
|
FORMAT = sourcetype::juniper:junos:firewall
|
|
|
|
|
|
[force_sourcetype_for_junos_firewall_structured]
|
|
|
DEST_KEY = MetaData:Sourcetype
|
|
|
REGEX = \s+(?:RT_FLOW|RT_IDS|RT_UTM)\s+\-\s+\w+\s+\[junos@2636
|
|
|
FORMAT = sourcetype::juniper:junos:firewall:structured
|
|
|
|
|
|
[force_sourcetype_for_junos_firewall_rpd]
|
|
|
DEST_KEY = MetaData:Sourcetype
|
|
|
REGEX = rpd\[\d+\]\s*:
|
|
|
FORMAT = sourcetype::juniper:junos:firewall
|
|
|
|
|
|
## REPORT
|
|
|
[message_tag_for_junos_fw]
|
|
|
REGEX = (?:RT_FLOW|RT_IDS|RT_UTM|junos-alg)\s*(?:\:|\-)\s+(?<message_tag>\w+)
|
|
|
|
|
|
[dvc_for_junos_fw]
|
|
|
REGEX = (?<dvc>\S+)\s+(?:RT_FLOW[:-]|RT_IDS|RT_UTM|junos-alg)
|
|
|
|
|
|
[file_name_for_junos_fw]
|
|
|
REGEX = \sfilename\s*=\s*['\"]?(?:\S+[\\\/])*(?<file_name>.+?)['\"]*(?:\s|\])
|
|
|
|
|
|
[auto_kv_for_rt_screen]
|
|
|
## FIELDS: signature source: source-address:source-port, destination: destination-address:destination-port, zone name: source-zone-name, interface name: dest-interface, action: action
|
|
|
|
|
|
REGEX = (?:RT_SCREEN_UDP|RT_SCREEN_TCP|RT_SCREEN_ICMP)\s*\:\s*(?<signature>.+)\s+source\s*:\s*(?<src_ip>\d+\.\d+\.\d+\.\d+):?(?<src_port>\d+)?,\s*destination\s*:\s*(?<dest_ip>\d+\.\d+\.\d+\.\d+):?(?<dest_port>\d+)?,\s*zone\sname\s*:\s*(?<zone_name>[^,]+),\s*interface\sname\s*:\s*(?<dest_interface>[^,]+),\s*action\s*:\s*(?<action>\S+)
|
|
|
|
|
|
[auto_kv_for_rt_flow_session_create]
|
|
|
## FIELDS: session created source-address/source-port->destination-address/destination-port 0xconnection-tag service-name nat-source-address/nat-source-port->nat-destination-address/nat-destination-port 0xnat-connection-tag src-nat-rule-type src-nat-rule-name dst-nat-rule-type dst-nat-rule-name protocol-id policy-name source-zone-name destination-zone-name session-id-32 username(roles) packet-incoming-interface application nested-application encrypted application-category application-sub-category application-risk application-characteristics src-vrf-grp dst-vrf-grp
|
|
|
|
|
|
REGEX = session\s+created\s+(?<src_ip>\d+\.\d+\.\d+\.\d+)\/(?<src_port>\d+)->(?<dest_ip>\d+\.\d+\.\d+\.\d+)\/(?<dest_port>\d+)\s+(?<connection_tag>(?:0x|0X)[0-9A-Fa-f]{0,16})\s+(?<service_name>\S+)\s+(?<src_translated_ip>\d+\.\d+\.\d+\.\d+)\/(?<src_translated_port>\d+)->(?<dest_translated_ip>\d+\.\d+\.\d+\.\d+)\/(?<dest_translated_port>\d+)\s+(?<translated_connection_tag>(?:0x|0X)[0-9A-Fa-f]{0,16})\s+(?<src_translated_rule_type>(?:\S+|(?:static|source)\s\S+))\s+(?<src_translated_rule_name>\S+)\s+(?<dest_translated_rule_type>(?:\S+|(?:static|destination)\s\S+))\s+(?<dest_translated_rule_name>\S+)\s+(?<protocol_id>\d+)\s+(?<policy_name>\S+)\s+(?<src_zone>\S+)\s+(?<dest_zone>\S+)\s+(?<session_id_32>\d+)\s+(?<user>\S+)\((?<user_roles>\S+)\)\s+(?<inbound_interface>\S+)\s+(?<vendor_app>\S+)\s+(?<nested_vendor_app>\S+)\s+(?<encrypted>\S+)\s*(?<vendor_app_category>\S+)?\s*(?<vendor_app_sub_category>\S+)?\s*(?<vendor_app_risk>\S+)?\s*(?<vendor_app_characteristics>(?:N\/A)|(?:.*;)|\S+)?\s*(?<src_vrf_grp>\S+)?\s*(?<dest_vrf_grp>\S+)?
|
|
|
|
|
|
[auto_kv_for_rt_flow_session_close]
|
|
|
## FIELDS: session closed reason: source-address/source-port->destination-address/destination-port 0xconnection-tag service-name nat-source-address/nat-source-port->nat-destination-address/nat-destination-port 0xnat-connection-tag src-nat-rule-type src-nat-rule-name dst-nat-rule-type dst-nat-rule-name protocol-id policy-name source-zone-name destination-zone-name session-id-32 packets-from-client(bytes-from-client) packets-from-server(bytes-from-server) elapsed-time application nested-application username(roles) packet-incoming-interface encrypted application-category application-sub-category application-risk application-characteristics secure-web-proxy-session-type peer-session-id peer-source-address/peer-source-port->peer-destination-address/peer-destination-port hostname src-vrf-grp dst-vrf-grp
|
|
|
|
|
|
REGEX = session\s+closed\s+(?<reason>[^:]+): (?<src_ip>\d+\.\d+\.\d+\.\d+)\/(?<src_port>\d+)->(?<dest_ip>\d+\.\d+\.\d+\.\d+)\/(?<dest_port>\d+)\s+(?<connection_tag>(?:0x|0X)[0-9A-Fa-f]{0,16})\s+(?<service_name>\S+)\s+(?<src_translated_ip>\d+\.\d+\.\d+\.\d+)\/(?<src_translated_port>\d+)->(?<dest_translated_ip>\d+\.\d+\.\d+\.\d+)\/(?<dest_translated_port>\d+)\s+(?<translated_connection_tag>(?:0x|0X)[0-9A-Fa-f]{0,16})\s+(?<src_translated_rule_type>(?:\S+|(?:static|source)\s\S+))\s+(?<src_translated_rule_name>\S+)\s+(?<dest_translated_rule_type>(?:\S+|(?:static|destination)\s\S+))\s+(?<dest_translated_rule_name>\S+)\s+(?<protocol_id>\d+)\s+(?<policy_name>\S+)\s+(?<src_zone>\S+)\s+(?<dest_zone>\S+)\s+(?<session_id_32>\d+)\s+(?<packets_from_client>\d+)\((?<bytes_from_client>\d+)\)\s+(?<packets_from_server>\d+)\((?<bytes_from_server>\d+)\)\s+(?<elapsed_time>\d+)\s+(?<vendor_app>\S+)\s+(?<nested_vendor_app>\S+)\s+(?<user>\S+)\((?<user_roles>\S+)\)\s+(?<inbound_interface>\S+)\s+(?<encrypted>\S+)\s*(?<vendor_app_category>\S+)?\s*(?<vendor_app_sub_category>\S+)?\s*(?<vendor_app_risk>\S+)?\s*(?<vendor_app_characteristics>(?:N\/A)|(?:.*;)|\S+)?(?:\s+(?<secure_web_proxy_session_type>\S+)\s+(?<peer_session_id>\S+)\s+(?<peer_src_ip>\d+\.\d+\.\d+\.\d+)\/(?<peer_src_port>\d+)->(?<peer_dest_ip>\d+\.\d+\.\d+\.\d+)\/(?<peer_dest_port>\d+)\s+(?<hostname>\S+)\s+(?<src_vrf_grp>\S+)\s+(?<dest_vrf_grp>\S+))?
|
|
|
|
|
|
[auto_kv_for_rt_flow_session_deny]
|
|
|
### Assumption taken that reason field will not have digits in it because reason field may contain spaces and there is no other way to extract it.
|
|
|
## FIELDS: session denied source-address/source-port->destination-address/destination-port 0xconnection-tag service-name protocol-id(icmp-type) policy-name source-zone-name destination-zone-name application nested-application username(roles) packet-incoming-interface encrypted reason session-id-32 application-category application-sub-category application-risk application-characteristics src-vrf-grp dst-vrf-grp
|
|
|
|
|
|
REGEX = session\s+denied\s+(?<src_ip>\d+\.\d+\.\d+\.\d+)\/(?<src_port>\d+)->(?<dest_ip>\d+\.\d+\.\d+\.\d+)\/(?<dest_port>\d+)\s+(?<connection_tag>(?:0x|0X)[0-9A-Fa-f]{0,16})\s+(?<service_name>\S+)\s+(?<protocol_id>\d+)\((?<icmp_type>\d+)\)\s+(?<policy_name>\S+)\s+(?<src_zone>\S+)\s+(?<dest_zone>\S+)\s+(?<vendor_app>\S+)\s+(?<nested_vendor_app>\S+)\s+(?<user>\S+)\((?<user_roles>\S+)\)\s+(?<inbound_interface>\S+)\s+(?<encrypted>\S+)\s+(?<reason>[\s^\D]+)\s*(?<session_id_32>\d+)?\s*(?<vendor_app_category>\S+)?\s*(?<vendor_app_sub_category>\S+)?\s*(?<vendor_app_risk>\S+)?\s*(?<vendor_app_characteristics>(?:N\/A)|(?:.*;)|\S+)?\s*(?<src_vrf_grp>\S+)?\s*(?<dest_vrf_grp>\S+)?
|
|
|
|
|
|
[auto_kv_for_apptrack_session_create]
|
|
|
## FIELDS: AppTrack session created source-address/source-port->destination-address/destination-port service-name application nested-application nat-source-address/nat-source-port->nat-destination-address/nat-destination-port src-nat-rule-name dst-nat-rule-name protocol-id policy-name source-zone-name destination-zone-name session-id-32 username roles encrypted destination-interface-name category sub-category src-vrf-grp dst-vrf-grp
|
|
|
|
|
|
REGEX = AppTrack\s+session\s+created\s+(?<src_ip>\d+\.\d+\.\d+\.\d+)\/(?<src_port>\d+)->(?<dest_ip>\d+\.\d+\.\d+\.\d+)\/(?<dest_port>\d+)\s+(?<service_name>\S+)\s+(?<vendor_app>\S+)\s+(?<nested_vendor_app>\S+)\s+(?<src_translated_ip>\d+\.\d+\.\d+\.\d+)\/(?<src_translated_port>\d+)->(?<dest_translated_ip>\d+\.\d+\.\d+\.\d+)\/(?<dest_translated_port>\d+)\s+(?<src_translated_rule_name>\S+)\s+(?<dest_translated_rule_name>\S+)\s+(?<protocol_id>\d+)\s+(?<policy_name>\S+)\s+(?<src_zone>\S+)\s+(?<dest_zone>\S+)\s+(?<session_id_32>\d+)\s+(?<user>\S+)\s+(?<user_roles>\S+)\s+(?<encrypted>\S+)\s*(?<dest_interface>\S+)?\s*(?<vendor_app_category>\S+)?\s*(?<vendor_app_sub_category>\S+)?\s*(?<src_vrf_grp>\S+)?\s*(?<dest_vrf_grp>\S+)?
|
|
|
|
|
|
[auto_kv_for_apptrack_session_vol_update]
|
|
|
## FIELDS: AppTrack volume update: source-address/source-port->destination-address/destination-port service-name application nested-application nat-source-address/nat-source-port->nat-destination-address/nat-destination-port src-nat-rule-name dst-nat-rule-name protocol-id policy-name source-zone-name destination-zone-name session-id-32 packets-from-client(bytes-from-client) packets-from-server(bytes-from-server) elapsed-time username roles encrypted destination-interface-name category sub-category src-vrf-grp dst-vrf-grp dscp-value apbr-rule-type
|
|
|
|
|
|
REGEX = AppTrack\s+volume\s+update:\s+(?<src_ip>\d+\.\d+\.\d+\.\d+)\/(?<src_port>\d+)->(?<dest_ip>\d+\.\d+\.\d+\.\d+)\/(?<dest_port>\d+)\s+(?<service_name>\S+)\s+(?<vendor_app>\S+)\s+(?<nested_vendor_app>\S+)\s+(?<src_translated_ip>\d+\.\d+\.\d+\.\d+)\/(?<src_translated_port>\d+)->(?<dest_translated_ip>\d+\.\d+\.\d+\.\d+)\/(?<dest_translated_port>\d+)\s+(?<src_translated_rule_name>\S+)\s+(?<dest_translated_rule_name>\S+)\s+(?<protocol_id>\d+)\s+(?<policy_name>\S+)\s+(?<src_zone>\S+)\s+(?<dest_zone>\S+)\s+(?<session_id_32>\d+)\s+(?<packets_from_client>\d+)\((?<bytes_from_client>\d+)\)\s+(?<packets_from_server>\d+)\((?<bytes_from_server>\d+)\)\s+(?<elapsed_time>\d+)\s+(?<user>\S+)\s+(?<user_roles>\S+)\s+(?<encrypted>\S+)\s*(?<dest_interface>\S+)?\s*(?<vendor_app_category>\S+)?\s*(?<vendor_app_sub_category>\S+)?\s*(?<src_vrf_grp>\S+)?\s*(?<dest_vrf_grp>\S+)?\s*(?<dscp_value>\S+)?\s*(?<apbr_rule_type>\S+)?
|
|
|
|
|
|
[auto_kv_for_apptrack_session_close]
|
|
|
## FIELDS: AppTrack session closed reason: source-address/source-port->destination-address/destination-port service-name application nested-application nat-source-address/nat-source-port->nat-destination-address/nat-destination-port src-nat-rule-name dst-nat-rule-name protocol-id policy-name source-zone-name destination-zone-name session-id-32 packets-from-client(bytes-from-client) packets-from-server(bytes-from-server) elapsed-time username roles encrypted profile-name rule-name routing-instance destination-interface-name uplink-incoming-interface-name uplink-tx-bytes uplink-rx-bytes category sub-category apbr-policy-name multipath-rule-name src-vrf-grp dst-vrf-grp dscp-value apbr-rule-type
|
|
|
|
|
|
REGEX = AppTrack\s+session\s+closed\s+(?<reason>[^:]+):\s+(?<src_ip>\d+\.\d+\.\d+\.\d+)\/(?<src_port>\d+)->(?<dest_ip>\d+\.\d+\.\d+\.\d+)\/(?<dest_port>\d+)\s+(?<service_name>\S+)\s+(?<vendor_app>\S+)\s+(?<nested_vendor_app>\S+)\s+(?<src_translated_ip>\d+\.\d+\.\d+\.\d+)\/(?<src_translated_port>\d+)->(?<dest_translated_ip>\d+\.\d+\.\d+\.\d+)\/(?<dest_translated_port>\d+)\s+(?<src_translated_rule_name>\S+)\s+(?<dest_translated_rule_name>\S+)\s+(?<protocol_id>\d+)\s+(?<policy_name>\S+)\s+(?<src_zone>\S+)\s+(?<dest_zone>\S+)\s+(?<session_id_32>\d+)\s+(?<packets_from_client>\d+)\((?<bytes_from_client>\d+)\)\s+(?<packets_from_server>\d+)\((?<bytes_from_server>\d+)\)\s+(?<elapsed_time>\d+)\s+(?<user>\S+)\s+(?<user_roles>\S+)\s+(?<encrypted>\S+)\s*(?<profile_name>\S+)?\s*(?<rule_name>\S+)?\s*(?<routing_instance>\S+)?\s*(?<dest_interface>\S+)?(?:\s*(?<uplink_incoming_interface>\S+)\s+(?<uplink_tx_bytes>\d+)\s+(?<uplink_rx_bytes>\d+))?\s*(?<vendor_app_category>\S+)?\s*(?<vendor_app_sub_category>\S+)?\s*(?<apbr_policy_name>\S+)?\s*(?<amr_or_multipath_rule_name>\S+)?\s*(?<src_vrf_grp>\S+)?\s*(?<dest_vrf_grp>\S+)?\s*(?<dscp_value>\S+)?\s*(?<apbr_rule_type>\S+)?
|
|
|
|
|
|
[auto_kv_for_rt_alg_wrn_cfg_need_ls]
|
|
|
## FIELDS: Logical-system logical-system-name: name ALG message
|
|
|
REGEX = Logical-system\s+(?<logical_system_name>[^:]+):\s+(?<name>\S+)\s+ALG\s+(?<message>.*)
|
|
|
|
|
|
[auto_kv_for_rt_utm_webfilter]
|
|
|
## FIELDS: source-address(source-port)->destination-address(destination-port) [ username roles [ application-sub-category [ urlcategory-risk ] ] ]
|
|
|
|
|
|
REGEX = RT_UTM\s*:\s*(?:WEBFILTER_URL_PERMITTED|WEBFILTER_URL_BLOCKED).*\s+(?<src_ip>\d+\.\d+\.\d+\.\d+)\s*\(\s*(?<src_port>\d{1,5})\s*\)\s*->\s*(?<dest_ip>\d+\.\d+\.\d+\.\d+)\s*\(\s*(?<dest_port>\d{1,5})(?:.*username\s+(?<user>\S+)\s+roles\s+(?<user_roles>\S+))?(?:\s+application\-sub\-category\s+(?<vendor_app_sub_category>\S+))?(?:\s+urlcategory\-risk\s+(?<urlcategory_risk>\S+))?
|
|
|
|
|
|
[auto_kv_for_eswd_dai_failed]
|
|
|
##FIELDS: count type received, interface interface-name[index interface-device-index], vlan vlan-name[index vlan-id], sender ip/mac sender-address/mac1, receiver ip/mac destination-address/mac2
|
|
|
REGEX = (ESWD_DAI_FAILED):\s*(\d+)\s*(.*)\s*received,\s*interface\s*(.*)\s*\[index\s*(\d+)\],\s*vlan\s*(.*)\s*\[index\s*(\d+)\],\s*sender\s*ip\/mac\s*([^\/]+)\s*\/([^,]+)\s*,\s*receiver\s*ip\/mac\s*([^\/]+)\s*\/([^,]+)\s*
|
|
|
FORMAT = message_tag::$1 count::$2 type::$3 interface_name::$4 interface_device_index::$5 vlan::$6 vlan_id::$7 src_ip::$8 src_mac::$9 dest_ip::$10 dest_mac::$11 protocol::"ARP"
|
|
|
|
|
|
[auto_kv_for_fw_eth_ip]
|
|
|
##FIELDS: count type received, interface interface-name[index interface-device-index], vlan vlan-name[index vlan-id], sender ip/mac sender-address/mac1, receiver ip/mac destination-address/mac2
|
|
|
REGEX = (PFE_FW_SYSLOG_ETH_IP)\s*:\s*FW\s*:\s*([^\s]+)\s*([^\s]+)\s*([^\s]+)\s*([^->]+)\s*->\s*([^\s]+)\s*(\w+)\s*([^\s]+)\s*([^\s]+)\s*(\d+)\s*(\d+)\s*\((\d+)\s*packets\)
|
|
|
FORMAT = message_tag::$1 interface_name::$2 action_name::$3 vlan::$4 src_mac::$5 dest_mac::$6 transport::$7 src_ip::$8 dest_ip::$9 src_port::$10 dest_port::$11 packets::$12 protocol_version::"ipv4" protocol::"ip"
|
|
|
|
|
|
[auto_kv_for_eswd_stp_state_change_info]
|
|
|
## FIELDS: context-name state for interface interface-name context id instance-id changed from old-state to new-state
|
|
|
REGEX = (ESWD_STP_STATE_CHANGE_INFO)\s*:\s*(.*)state\s*for\s*interface\s*(.*)\s*context\s*id\s*(\d+)\s+changed\s*from\s*(.*)\s*to\s*(.*)
|
|
|
FORMAT = message_tag::$1 context_name::$2 interface_name::$3 instance_id::$4 old_state::$5 new_state::$6 result::"state changed" object_category::"interface" status::"success" object_attrs::"state" change_type::"network"
|
|
|
|
|
|
[auto_kv_for_up_down]
|
|
|
REGEX = rpd\[\d+\]\s*:\s* EVENT\s*<[^>]+>\s*(\S+)\s*index\s*\d+\s*<[^>]+>\s*address\s*\S+\s*.*
|
|
|
FORMAT = interface_name::$1 service_name::"rpd" status::"success" result::"state changed" object_attrs::"state" change_type::"network" object_category::"interface" action::"modified"
|
|
|
|
|
|
###### Juniper JunOS AAMW ######
|
|
|
|
|
|
## TRANSFORMS
|
|
|
[force_sourcetype_for_junos_aamw]
|
|
|
DEST_KEY = MetaData:Sourcetype
|
|
|
REGEX = \s+RT_AAMW\s+\-\s+\w+\s+\[junos@2636
|
|
|
FORMAT = sourcetype::juniper:junos:aamw:structured
|
|
|
|
|
|
## REPORT
|
|
|
[message_tag_for_junos_aamw]
|
|
|
REGEX = RT_AAMW\s*[:-]\s*(?<message_tag>\w+)
|
|
|
|
|
|
[dvc_for_junos_aamw]
|
|
|
REGEX = (?<dvc>\S+)\s+RT_AAMW
|
|
|
|
|
|
[score_for_severity_junos_aamw]
|
|
|
REGEX = \(\s*score\s+(?<score>\d+)\s*\)
|
|
|
|
|
|
|
|
|
###### Juniper JunOS SECINTEL ######
|
|
|
|
|
|
## TRANSFORMS
|
|
|
[force_sourcetype_for_junos_secintel]
|
|
|
DEST_KEY = MetaData:Sourcetype
|
|
|
REGEX = \s+RT_SECINTEL\s+\-\s+\w+\s+\[junos@2636
|
|
|
FORMAT = sourcetype::juniper:junos:secintel:structured
|
|
|
|
|
|
## REPORT
|
|
|
[message_tag_for_junos_secintel]
|
|
|
REGEX = RT_SECINTEL\s*[:-]\s*(?<message_tag>\w+)
|
|
|
|
|
|
[dvc_for_junos_secintel]
|
|
|
REGEX = (?<dvc>\S+)\s+RT_SECINTEL
|
|
|
|
|
|
## TRANSFORMS
|
|
|
[force_sourcetype_for_junos_snmp]
|
|
|
DEST_KEY = MetaData:Sourcetype
|
|
|
REGEX = (?:SNMP_TRAP_LINK_UP|SNMP_TRAP_LINK_DOWN)\s*:
|
|
|
FORMAT = sourcetype::juniper:junos:snmp
|
|
|
|
|
|
## REPORT
|
|
|
[auto_kv_for_snmp_link_up_down_fields]
|
|
|
## FIELDS: ifIndex snmp-interface-index, ifAdminStatus admin-status, ifOperStatus operational-status, ifName interface-name
|
|
|
REGEX = (SNMP_TRAP_LINK_(?:UP|DOWN))\s*:\s*ifIndex\s*(\d+),\s*ifAdminStatus\s*(.*),\s*ifOperStatus\s*(.*),\s*ifName\s*(.*)
|
|
|
FORMAT = message_tag::$1 snmp_interface_index::$2 admin_status::$3 operational_status::$4 interface_name::$5 status::"success" result::"state changed" object_attrs::"state" change_type::"network" object_category::"interface" action::"modified" vendor_product::"Juniper JunOS"
|
