diff --git a/index.md b/index.md
index c9cde9b..8c4ed2b 100644
--- a/index.md
+++ b/index.md
@@ -86,6 +86,10 @@ Have a NodeJS app? Get your logs into logstash efficiently with this cookbook.
 Sample configuration for parsing syslog messages from a Cisco ASA firewall
+## [ JunOS ](recipes/junos/)
+
+Sample configuration for parsing syslog messages from a JunOS device
+
 ## [The LogStash Book](http://www.logstashbook.com)
 An introductory LogStash book.
diff --git a/recipes/junos/index.md b/recipes/junos/index.md
new file mode 100644
index 0000000..df68cc3
--- /dev/null
+++ b/recipes/junos/index.md
@@ -0,0 +1,29 @@
+---
+layout: article
+title: Juniper JunOS
+tags: juniper junos utm
+---
+
+* Goal: Demonstrate how to use Grok patterns to index JunOS specific syslog messages from JunOS device.
+* Audience: Anyone who has a JunOS device
+
+
+ # UTM Webfilter
+
+JunOS webfilter messages look like this;
+

+Oct  5 06:01:35   RT_UTM: WEBFILTER_URL_PERMITTED: WebFilter: ACTION="URL Permitted" 10.0.0.100(56660)->103.31.7.184(80) CATEGORY="N/A" REASON="BY_OTHER" PROFILE="blockadult" URL=i.imgur.com OBJ=/xxy5xcl.png USERNAME=demo ROLES=NoAdultMaterial
+
+Oct  5 11:19:54   RT_UTM: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" 10.0.0.100(56958)->64.210.140.16(80) CATEGORY="Adult_Sexually_Explicit" REASON="BY_PRE_DEFINED" PROFILE="blockadult" URL=www.porn.com OBJ=/ USERNAME=demo ROLES=NoAdultMaterial
+
+
+
+The following logstash configuration shows how you would accept this syslog messages from the firewall and parse the messages into something useful.
+
+{% include_code logstash.conf %}
+
+Below is what the JunOS firewall has configured for syslog. Im matching on "webfilter_url" just to keep the syslog stream cleaner while developing the logstash code.
+
+{% include_code srx.conf %}
diff --git a/recipes/junos/logstash.conf b/recipes/junos/logstash.conf
new file mode 100644
index 0000000..d093ac2
--- /dev/null
+++ b/recipes/junos/logstash.conf
@@ -0,0 +1,35 @@
+input {
+
+tcp {
+ port => 5000
+ type => utm_webfilter
+ }
+ udp {
+ port => 5000
+ type => utm_webfilter
+ }
+
+
+}
+
+filter {
+if [type] == "utm_webfilter" {
+ grok {
+ match => [ "message", "%{SYSLOGTIMESTAMP:syslog_timestamp}\s+RT_UTM:\s%{WORD:result}:\sWebFilter:\sACTION=\"%{DATA:action}\"\s%{IP:source_address}\(%{NUMBER:source_port}\)->%{IP:dest_address}\(%{NUMBER:dest_port}\)\sCATEGORY=\"%{DATA:category}\"\sREASON=\"%{DATA:reason}\"\sPROFILE=\"%{DATA:profile}\"\sURL=%{HOSTNAME:url}\sOBJ=%{DATA:obj}\sUSERNAME=%{DATA:username}\sROLES=%{DATA:roles}$" ]
+ add_field => [ "received_at", "%{@timestamp}" ]
+ }
+ date {
+ match => { "syslog_timestamp" => [ "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ] }
+ }
+}
+}
+
+
+
+output {
+if [type] == "utm_webfilter" {
+ elasticsearch {
+ cluster => "elasticsearch"
+ }
+}
+}
\ No newline at end of file
diff --git a/recipes/junos/srx.conf b/recipes/junos/srx.conf
new file mode 100644
index 0000000..38a484d
--- /dev/null
+++ b/recipes/junos/srx.conf
@@ -0,0 +1,3 @@
+set system syslog host 192.168.0.50 any any
+set system syslog host 192.168.0.50 match webfilter_url
+set system syslog host 192.168.0.50 port 5000
\ No newline at end of file
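Review bot: The date filter's first format, `"MMM d HH:mm:ss"`, has a single space between month and day, but the sample messages on this page (`Oct  5 06:01:35`) carry the two-space padding syslog uses for single-digit days, so timestamps from the 1st to the 9th will most likely fail to parse and the event keeps its ingest time instead; the usual syslog form is `match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]`, which also uses the array form the grok `match` above already uses — the hash form written here may not be accepted by this Logstash version, so it is worth checking on a running instance. Events that do not match the grok pattern are still indexed with `type => utm_webfilter`, only tagged `_grokparsefailure` and without `received_at`, so a reader copying the recipe should either drop or route those separately (`if "_grokparsefailure" in [tags] { ... }`). The tcp and udp inputs listen on every interface by default and syslog over UDP carries no sender authentication, so any host that can reach port 5000 can inject events that end up typed as firewall webfilter records; pinning `host =>` to the collector's address on both inputs and restricting the port at the network edge would narrow that. `cluster => "elasticsearch"` is the Elasticsearch default cluster name, so if the Elasticsearch release in use still discovers peers by multicast, this output will attach to whichever cluster of that name it happens to find; naming the cluster explicitly avoids that.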
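Review bot: The three `set system syslog host 192.168.0.50` statements leave the transport at the platform default, which as far as I know is plain UDP, so the webfilter records — which in the sample messages carry the client address, user name and visited URL — cross the network in cleartext with no sender authentication, and nothing here ties the stream to the tcp listener the Logstash side also opens. If the JunOS release in use supports it, `set system syslog host 192.168.0.50 transport tcp` (or `tls`) would make the choice explicit and match the input the recipe means to exercise; otherwise a line on the page saying UDP is intended would help. The page already says the `match webfilter_url` line is a development-time filter; noting in the recipe that removing it turns `any any` into the device's full log stream to this collector would save the next reader a surprise.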