splunk for juniper srx

New Member

Hi,
I have installed the Splunk for SRX application. I can see the SRX logs from the Search application, but I can't see them in the Juniper SRX application.
How can I solve this issue?

Explorer

First you need to fix all of the queries that were imported as part of the application install. It is possible I am doing this the hard way, so maybe someone can give us ideas on how to clean up.

While in the SRX application (web browser), select Settings\All Configurations.
For each SRX Traffic savedsearch in the list, edit the query by replacing 'srx_traffic' with sourcetype=srx_traffic.
For each SRX Threat savedsearch in the list, edit the query by replacing 'srx_threat' with sourcetype=srx_threat.

The next step needs to be completed on the Splunk server (console session for Linux systems).

Locate the Splunk directory. For us it was /opt/splunk/
Navigate to the following subfolder: etc/apps/SplunkforJuniperSRX/default
Edit macros.conf:
Replace every instance of 'srx_traffic' with sourcetype=srx_traffic
Replace every instance of 'srx_threat' with sourcetype=srx_threat
Replace every instance of action!=CREATE with NOT (action=CREATE)

After completing these changes you should have a working traffic dashboard, but your threat dashboard may remain blank. I will address that issue in a follow-on message.

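
The macros.conf rewrite described in this answer, as an added Python example that is not from the thread or from the Splunk for Juniper SRX app: it applies the three substitutions to a constructed macros.conf fragment, reports which macro definitions changed, and leaves terms that already carry sourcetype= untouched so it can be re-run safely.

```python
import re

# Rewrite rules from the answer above: bare 'srx_traffic' / 'srx_threat'
# become explicit sourcetype= terms, and action!=CREATE becomes NOT (action=CREATE).
# The negative lookbehind skips tokens already preceded by '=' (e.g. sourcetype=srx_traffic).
RULES = [
    (re.compile(r"(?<![=\w])srx_traffic\b"), "sourcetype=srx_traffic"),
    (re.compile(r"(?<![=\w])srx_threat\b"), "sourcetype=srx_threat"),
    (re.compile(r"\baction!=CREATE\b"), "NOT (action=CREATE)"),
]


def fix_definition(definition):
    """Apply every rule to one macro definition string (idempotent)."""
    for pattern, repl in RULES:
        definition = pattern.sub(repl, definition)
    return definition


def fix_macros_conf(text):
    """Rewrite each 'definition = ...' line of a macros.conf body.

    Returns (new_text, changed) where changed maps stanza name -> new definition
    for every stanza whose definition was actually modified.
    """
    changed, stanza, out = {}, None, []
    for line in text.splitlines():
        head = re.match(r"\s*\[(.+?)\]\s*$", line)
        if head:
            stanza = head.group(1)
        key = re.match(r"(\s*definition\s*=\s*)(.*)$", line)
        if key:
            new_def = fix_definition(key.group(2))
            if new_def != key.group(2):
                changed[stanza] = new_def
                line = key.group(1) + new_def
        out.append(line)
    return "\n".join(out) + "\n", changed


# Constructed sample in the shape of the app's macros.conf (not the real file).
SAMPLE = """[srx_traffic_base]
definition = srx_traffic action!=CREATE
iseval = 0

[srx_threat_base]
definition = srx_threat
iseval = 0

[already_fixed]
definition = sourcetype=srx_traffic
"""

if __name__ == "__main__":
    _, changes = fix_macros_conf(SAMPLE)
    for name, definition in changes.items():
        print(f"[{name}] definition = {definition}")
```

Splunk layers etc/apps/<app>/local/ over default/, so writing the rewritten stanzas to local/macros.conf keeps the fix from being overwritten when the app is upgraded.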
Explorer

The last issue we saw on this was that our threat messages did not match what was being looked for by the transforms-extract. In reviewing our threat messages we noticed that the threat messages contained the following text:

  • RTIDS - RTSCREEN_IP

This is different from the default, and I am not sure if this excludes anything we might need. You should review your own threat messages to ensure that you are getting all of the threats properly tagged. You can update your srxthreat transformation by going to Settings\Fields\Field transformations and selecting srxthreat. The Regular Expression field should match what you see in your threat messages. For us it turned out to be (RTIDS - RTSCREEN_IP).

New Member

Hi,
The srx_traffic in the Splunk for SRX app does not show events.
I have done all the steps in the readme file.
Can you help me solve this issue?

New Member

Hi,
I have resolved this issue.
I want to tell you that I'm new to Splunk; I want to know how I can generate a report from the application for SRX, because when I try to make a report, for example for the top destination addresses, the app finds 100 events but shows nothing.

Thanks for your help

Builder

Just thinking. You seem to have covered or checked the right areas. I don't know your experience level, but is the inputs.conf data correct? If you want to check that, then post it here. Did you restart Splunk? 😉
If all of the above are ok, then take a look at the event data coming through from the native Search end.

New Member

Do you have any other idea that can help me?

New Member

I have done all the steps given in the readme file:

- change the source type in the inputs.conf file (etc/system/local) to srx_log
- edit the source type in the macros base of the application

But I still have the same issue.

Thanks for your help

New Member

When I check Search/Report on SRX data --> SRX Traffic, the app puts 'srxtraffic' in the search field but it finds 0 matching events, and when I delete 'srxtraffic' and search for 'close' it shows the results from the logs.

Builder

Is it throwing you an error (and what is that), or are you seeing 'no results found'?
