Tuesday, February 10, 2015

Juniper Source Type

The documentation below is a combination of the online docs.splunk.com material and some of the answers found on answers.splunk.com.  In this situation, we need to make an entry in the props.conf located at $SPLUNK_HOME/etc/apps/homemonitor/local/props.conf.  The plan is to create ‘field aliases’ that map the field names Juniper uses when it logs events onto the CIM (Common Information Model) names. Here’s how I would make the changes:

[juniper]
FIELDALIAS-source-address = source-address as src_ip
FIELDALIAS-source-port = source-port as src_port
FIELDALIAS-destination-address = destination-address as dest_ip
FIELDALIAS-destination-port = destination-port as dest_port

Then you’ll need to make an entry in the transforms.conf located at $SPLUNK_HOME/etc/apps/homemonitor/local/transforms.conf that rewrites the sourcetype of the firewall’s events from syslog to juniper.  (Splunk only applies a transforms.conf stanza when a props.conf stanza references it with a TRANSFORMS-<class> = juniper setting, here under the stanza for the incoming syslog sourcetype.)

[juniper]
REGEX = juniper
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::juniper
DEST_KEY = MetaData:Sourcetype

Once you’ve added this entry, just make sure that the hostname of your firewall matches the “REGEX = juniper” entry.  I’m assuming that the hostname of the firewall is juniper.  Note that the regex is unanchored, so any host whose name contains “juniper” will be matched.

Lastly, we’ll need to build some lookups to help this along.  I’ll need a little more data to see how the Juniper firewall categorizes blocks and accepts, and whether it uses trust / untrust zones.  I’ll also need to determine what the protocol-id translates to (does 6 = TCP?); we’ll need another lookup for that. All this can be done rather easily; we just need to better understand the data coming from the Juniper firewall.  
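To make it concrete what the props.conf aliases, the host-based sourcetype transform and the protocol-id lookup above actually do to an event, here is a small Python model of that pipeline run over a constructed Juniper-style syslog line. This is an added illustration, not code from the original post and not Splunk’s own implementation; the sample log line, the host name “juniper” and the protocol-id table are assumptions for the demo, while the field names follow the aliases in the post.

```python
"""
Added illustration (not part of the original post, and not Splunk's own code):
a Python model of what the props.conf / transforms.conf entries above do,
run over a constructed Juniper-style syslog line.  The log line, the host
name and the protocol-id table are assumptions for the demo; the field names
(source-address, destination-address, ...) follow the post's aliases.
"""
import re

# transforms.conf [juniper]: REGEX applied to SOURCE_KEY = MetaData:Host.
# The pattern is unanchored, so any host name containing "juniper" matches
# (assumption: the firewall's syslog host name is literally "juniper").
HOST_REGEX = re.compile(r"juniper")

# props.conf [juniper] FIELDALIAS entries: Juniper field name -> CIM name.
FIELD_ALIASES = {
    "source-address": "src_ip",
    "source-port": "src_port",
    "destination-address": "dest_ip",
    "destination-port": "dest_port",
}

# The lookup the post says is still needed: protocol-id -> transport name.
# Values are IANA protocol numbers (6 = TCP, as the post guesses).
PROTOCOL_LOOKUP = {"1": "icmp", "6": "tcp", "17": "udp"}

# Juniper structured syslog carries key="value" pairs inside [...].
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')


def assign_sourcetype(host, default="syslog"):
    """Model the transforms.conf stanza: rewrite sourcetype when host matches."""
    return "juniper" if HOST_REGEX.search(host) else default


def extract_fields(raw):
    """Pull the key="value" pairs out of the raw message."""
    return dict(KV_RE.findall(raw))


def apply_aliases(fields):
    """Model FIELDALIAS: the CIM name is added, the original field is kept."""
    out = dict(fields)
    for juniper_name, cim_name in FIELD_ALIASES.items():
        if juniper_name in fields:
            out[cim_name] = fields[juniper_name]
    return out


def apply_protocol_lookup(fields):
    """Model the protocol-id lookup, adding a CIM-style transport field."""
    out = dict(fields)
    if "protocol-id" in fields:
        out["transport"] = PROTOCOL_LOOKUP.get(fields["protocol-id"], "unknown")
    return out


def process_event(host, raw):
    """Run one event through sourcetype assignment, aliases and lookup."""
    event = {"host": host, "sourcetype": assign_sourcetype(host)}
    if event["sourcetype"] != "juniper":
        return event  # the aliases are scoped to [juniper] in props.conf
    fields = apply_protocol_lookup(apply_aliases(extract_fields(raw)))
    event.update(fields)
    return event


# Constructed sample, modeled on a Juniper SRX RT_FLOW session-create message.
SAMPLE_HOST = "juniper"
SAMPLE_RAW = (
    'RT_FLOW: RT_FLOW_SESSION_CREATE: session created '
    '[junos@2636.1.1.1.2.36 source-address="192.168.1.20" source-port="51234" '
    'destination-address="203.0.113.10" destination-port="443" '
    'protocol-id="6" source-zone-name="trust" destination-zone-name="untrust"]'
)

if __name__ == "__main__":
    for key, value in process_event(SAMPLE_HOST, SAMPLE_RAW).items():
        print(f"{key}={value}")
```

Running the script prints the CIM fields (src_ip, dest_port, transport, …) alongside the original Juniper names, which is what a search over sourcetype=juniper would see once the real config is in place; an event from a host that does not match the regex stays in the syslog sourcetype and gets no aliases.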
