All Apps and Add-ons

Juniper SSG (screenos)Traffic report

tmichiels
Explorer

Being a newbie with splunk, I don't get much further than installing splunk and having a listener set up to which the SSG sends it syslog data.

I need to make traffic reports out of the traffic logs from certain firewall policies.

The output should be a table with following colums:

Source IP | total recv'd data | total sent data | total of recv'd+sent

192.168.1.x | 400 MB | 100 MB | 500 MB

192.168.1.y | 150 MB | 1 GB | 1,15 GB

...

The input is, as said, ScreenOS syslog data in the form of:

Aug 9 19:39:56 192.168.163.2 gw0-NLA: NetScreen device_id=gw0-NLA [Root]system-notification-00257(traffic): start_time="2011-08-09 19:39:51" duration=5 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=134 rcvd=70 src=192.168.163.26 dst=193.203.32.20 src_port=4090 dst_port=80 src-xlated ip=81.83.5.18 port=3303 dst-xlated ip=193.203.32.20 port=80 session_id=15683 reason=Close - TCP RST
Aug 9 19:39:56 192.168.163.2 gw0-NLA: NetScreen device_id=gw0-NLA [Root]system-notification-00257(traffic): start_time="2011-08-09 19:39:52" duration=4 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=198 rcvd=70 src=192.168.163.26 dst=193.203.32.20 src_port=3789 dst_port=80 src-xlated ip=81.83.5.18 port=4243 dst-xlated ip=193.203.32.20 port=80 session_id=15984 reason=Close - TCP RST
Aug 9 19:39:56 192.168.163.2 gw0-NLA: NetScreen device_id=gw0-NLA [Root]system-notification-00257(traffic): start_time="2011-08-09 19:39:25" duration=31 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=11610 rcvd=318968 src=192.168.163.26 dst=193.203.32.39 src_port=3293 dst_port=80 src-xlated ip=81.83.5.18 port=2988 dst-xlated ip=193.203.32.39 port=80 session_id=15342 reason=Close - TCP RST
gw0-NLA

Does somebody has experience with this and could give me some hints?

thanks!

0 Karma

dikaye
Path Finder

not work, error occur as below:

Error in 'stats' command: Repeated group-by field 'src'.
0 Karma

MarioM
Motivator

I dont think you can have table with MB and GB as per your example...But you can have another column for GB,here is an example :

sourcetype=<sourcetype assigned to your netscreen syslog data> | stats sum(sent) AS TotalSent by src, sum(rcvd) AS TotalRcvd by src | eval TotalSentMB=round(TotalSent/1024/1024,2) | eval TotalRcvdMB=round(TotalRcvd/1024/1024,2) | eval TotalMB=round((TotalSent+TotalRcvd)/1024/1024,2) | eval TotalGB=round((TotalSent+TotalRcvd)/1024/1024/1024,2) | table src TotalSentMB TotalRcvdMB TotalMB TotalGB
0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...