
Juniper SSG (ScreenOS) traffic report

Explorer

Being a newbie with Splunk, I don't get much further than installing Splunk and having a listener set up to which the SSG sends its syslog data.

I need to make traffic reports out of the traffic logs from certain firewall policies.

The output should be a table with the following columns:

Source IP | total recv'd data | total sent data | total of recv'd+sent

192.168.1.x | 400 MB | 100 MB | 500 MB

192.168.1.y | 150 MB | 1 GB | 1,15 GB

...

The input is, as said, ScreenOS syslog data in the form of:

Aug 9 19:39:56 192.168.163.2 gw0-NLA: NetScreen deviceid=gw0-NLA [Root]system-notification-00257(traffic): starttime="2011-08-09 19:39:51" duration=5 policyid=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=134 rcvd=70 src=192.168.163.26 dst=193.203.32.20 srcport=4090 dstport=80 src-xlated ip=81.83.5.18 port=3303 dst-xlated ip=193.203.32.20 port=80 sessionid=15683 reason=Close - TCP RST
Aug 9 19:39:56 192.168.163.2 gw0-NLA: NetScreen deviceid=gw0-NLA [Root]system-notification-00257(traffic): starttime="2011-08-09 19:39:52" duration=4 policyid=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=198 rcvd=70 src=192.168.163.26 dst=193.203.32.20 srcport=3789 dstport=80 src-xlated ip=81.83.5.18 port=4243 dst-xlated ip=193.203.32.20 port=80 sessionid=15984 reason=Close - TCP RST
Aug 9 19:39:56 192.168.163.2 gw0-NLA: NetScreen deviceid=gw0-NLA [Root]system-notification-00257(traffic): starttime="2011-08-09 19:39:25" duration=31 policyid=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=11610 rcvd=318968 src=192.168.163.26 dst=193.203.32.39 srcport=3293 dstport=80 src-xlated ip=81.83.5.18 port=2988 dst-xlated ip=193.203.32.39 port=80 sessionid=15342 reason=Close - TCP RST

Does somebody have experience with this and could give me some hints?

thanks!

0 Karma

Path Finder

Doesn't work, an error occurs as below:

Error in 'stats' command: Repeated group-by field 'src'.
0 Karma

Motivator

I don't think you can have a table with MB and GB as per your example... But you can have another column for GB. Here is an example:

sourcetype=<sourcetype assigned to your netscreen syslog data> | stats sum(sent) AS TotalSent by src, sum(rcvd) AS TotalRcvd by src | eval TotalSentMB=round(TotalSent/1024/1024,2) | eval TotalRcvdMB=round(TotalRcvd/1024/1024,2) | eval TotalMB=round((TotalSent+TotalRcvd)/1024/1024,2) | eval TotalGB=round((TotalSent+TotalRcvd)/1024/1024/1024,2) | table src TotalSentMB TotalRcvdMB TotalMB TotalGB
0 Karma
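As an added example that is not from the original thread: a stand-alone Python script that parses the ScreenOS traffic records quoted in the question, sums sent and rcvd bytes per source IP for a chosen set of policy IDs, and returns the requested table with human-readable sizes. SAMPLE_LOG mixes the three lines from the question with two constructed lines (a second source, and a hit on another policy that must be filtered out).

```python
import re
from collections import defaultdict

# key=value tokens of the ScreenOS traffic message (quoted values allowed).
# Multi-word keys such as "src zone" collapse to "zone"; only policyid, src,
# sent and rcvd are used here, so that is harmless.
KV_RE = re.compile(r'(\w[\w-]*)=("[^"]*"|\S+)')

# Three lines from the question plus two constructed lines: a second source
# on policy 1 and one session on policy 2, which the report must leave out.
SAMPLE_LOG = [
    'Aug 9 19:39:56 192.168.163.2 gw0-NLA: NetScreen deviceid=gw0-NLA [Root]system-notification-00257(traffic): starttime="2011-08-09 19:39:51" duration=5 policyid=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=134 rcvd=70 src=192.168.163.26 dst=193.203.32.20 srcport=4090 dstport=80 src-xlated ip=81.83.5.18 port=3303 dst-xlated ip=193.203.32.20 port=80 sessionid=15683 reason=Close - TCP RST',
    'Aug 9 19:39:56 192.168.163.2 gw0-NLA: NetScreen deviceid=gw0-NLA [Root]system-notification-00257(traffic): starttime="2011-08-09 19:39:52" duration=4 policyid=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=198 rcvd=70 src=192.168.163.26 dst=193.203.32.20 srcport=3789 dstport=80 src-xlated ip=81.83.5.18 port=4243 dst-xlated ip=193.203.32.20 port=80 sessionid=15984 reason=Close - TCP RST',
    'Aug 9 19:39:56 192.168.163.2 gw0-NLA: NetScreen deviceid=gw0-NLA [Root]system-notification-00257(traffic): starttime="2011-08-09 19:39:25" duration=31 policyid=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=11610 rcvd=318968 src=192.168.163.26 dst=193.203.32.39 srcport=3293 dstport=80 src-xlated ip=81.83.5.18 port=2988 dst-xlated ip=193.203.32.39 port=80 sessionid=15342 reason=Close - TCP RST',
    'Aug 9 19:40:02 192.168.163.2 gw0-NLA: NetScreen deviceid=gw0-NLA [Root]system-notification-00257(traffic): starttime="2011-08-09 19:39:30" duration=32 policyid=1 service=https proto=6 src zone=Trust dst zone=Untrust action=Permit sent=2048 rcvd=1048576 src=192.168.163.31 dst=198.51.100.10 srcport=50000 dstport=443 sessionid=15990 reason=Close - TCP FIN',  # constructed
    'Aug 9 19:40:03 192.168.163.2 gw0-NLA: NetScreen deviceid=gw0-NLA [Root]system-notification-00257(traffic): starttime="2011-08-09 19:40:01" duration=2 policyid=2 service=dns proto=17 src zone=Trust dst zone=Untrust action=Permit sent=64 rcvd=128 src=192.168.163.26 dst=198.51.100.53 srcport=5353 dstport=53 sessionid=16001 reason=Close - AGE OUT',  # constructed
]

def parse_traffic_line(line):
    """Fields of a system-notification-00257(traffic) record, or None."""
    if "(traffic)" not in line:
        return None
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def aggregate_by_source(lines, policy_ids):
    """Sum sent/rcvd bytes per src for sessions matched by the given policy IDs."""
    totals = defaultdict(lambda: {"sent": 0, "rcvd": 0})
    for line in lines:
        f = parse_traffic_line(line)
        if f is None or f.get("policyid") not in policy_ids:
            continue
        try:
            src, sent, rcvd = f["src"], int(f["sent"]), int(f["rcvd"])
        except (KeyError, ValueError):
            continue  # truncated or malformed record: skip, do not miscount
        totals[src]["sent"] += sent
        totals[src]["rcvd"] += rcvd
    return dict(totals)

def human_bytes(n):
    """Binary units with two decimals, e.g. 1048576 -> '1.00 MB'."""
    for unit in ("B", "KB", "MB", "GB", "TB"):
        if n < 1024 or unit == "TB":
            return f"{n} B" if unit == "B" else f"{n:.2f} {unit}"
        n /= 1024

def traffic_report(lines, policy_ids):
    """Rows of (src, rcvd, sent, total) as display strings, largest total first."""
    agg = aggregate_by_source(lines, policy_ids)
    order = sorted(agg, key=lambda s: agg[s]["sent"] + agg[s]["rcvd"], reverse=True)
    return [(s, human_bytes(agg[s]["rcvd"]), human_bytes(agg[s]["sent"]),
             human_bytes(agg[s]["rcvd"] + agg[s]["sent"])) for s in order]
```

The SPL equivalent is a single group-by after all aggregates, stats sum(sent) AS TotalSent, sum(rcvd) AS TotalRcvd by src; the search above repeats "by src" inside stats, which is what produces the repeated-group-by error quoted earlier.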