topic getting syslog from juniper firwall in Getting Data In

getting syslog from juniper firwall

sarah89 — Tue, 03 Apr 2012 09:54:52 GMT

hello

i want to get data from my juniper firwall , i set a configuration of juniper and i mention the port and the ip adresse of the server
than i choose in splunk, add data from tcp port ,and i set the port and the ip adress of juniper
but it does'nt work ,i don't see the syslog in th summary of search
please tell if this procedure is correct , or if i miss something

thk's

Re: getting syslog from juniper firwall

MarioM — Tue, 03 Apr 2012 11:32:06 GMT

Do you see anything with this:

index=_internal sourcetype="splunkd" component="Metrics" "your juniper fw ip address"

if there is nothing then your juniper is not sending data (logging profile or firewall rule to be created)

if there is something then try :

index="*" NOT index="_*" "your juniper fw ip address"

index="*" sourcetype="jun*"

to see if you have any data and what sourcetype it has and which index it's in.

Re: getting syslog from juniper firwall

sarah89 — Tue, 03 Apr 2012 13:15:06 GMT

that's what i got when i put the first expression
6 events like this one

1 » 4/3/12
11:40:58.727 AM  04-03-2012 11:40:58.727 +0200 INFO  Metrics - group=udpin_connections, 192.168.0.111:5410, sourcePort=5410, _udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00host=lab2008   Options|  sourcetype=splunkd   Options|  source=C:\Program Files\Splunk\var\log\splunk\metrics.log   Options

and when i put the second expression , it doesn't give me anything

what i should do ??

Re: getting syslog from juniper firwall

MarioM — Mon, 28 Sep 2020 11:36:54 GMT

your juniper isnot sending anything :

_udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00

then you have to check your juniper

Re: getting syslog from juniper firwall

sarah89 — Tue, 03 Apr 2012 13:42:41 GMT

that how i configure my firewall, can you take a look on this please
http://kb.juniper.net/InfoCenter/index?page=content&id=KB4759

Re: getting syslog from juniper firwall

MarioM — Tue, 03 Apr 2012 14:10:15 GMT

which juniper firewall products you have? is it juniper SRX?

if it is then to get SRX logs see Juniper KB16634 and KB16224.

Re: getting syslog from juniper firwall

sarah89 — Tue, 03 Apr 2012 14:40:22 GMT

it's an ssg 20

Re: getting syslog from juniper firwall

MarioM — Tue, 03 Apr 2012 14:54:21 GMT

could you please comment on previous answer rather than creating new answer everytime...

are you sure you sending via UDP and haven't tick TCP?

I would create a Manager >> Data inputs >> TCP >> New on the same port as udp(5410) to be sure.

Re: getting syslog from juniper firwall

sarah89 — Tue, 03 Apr 2012 15:21:07 GMT

i'm sending via tcp port not udp

Re: getting syslog from juniper firwall

kristian_kolb — Tue, 03 Apr 2012 15:43:05 GMT

Does not the Metrics data indicate that you have set your splunk to listen to UDP (and you yourself say that your firewall is sending TCP)?

Make sure that you are listening for the type of traffic you are sending.

Re: getting syslog from juniper firwall

MarioM — Mon, 28 Sep 2020 11:36:56 GMT

well it seems in log extract you paste earlier your ssg is sending in UDP or splunk is listening in udp:
_udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00

then to be sure you get the data i would create in splunk 2 data inputs: one tcp one udp...on the port number you specified in your ssg