Hi all, asking for a friend.
I have a Juniper SRX380 for my firewall, and I am trying to bring data into Splunk on-prem. On the Juniper side, I configured it to send to Splunk using the CLI with the commands below, then committed the configuration:
set security log mode stream
set security log source-address <SRXip>
set security log stream Splunk format sd-syslog
set security log stream Splunk host <splunkhostIP>
set system syslog host <splunkhostIP> port 1514
On the Splunk side, I configured a UDP listener on port 1514, and gave it the optional "Select from connection", and plopped the SRXip there. I set the source type to be "juniper" from the Juniper-TA.
I used Wireshark to do a pcap analysis, and noticed that the SRX wasn't communicating with Splunk. I have a hunch that it's a Juniper issue, but I'm not a Juniper expert.
The problem is that still no data is coming in. Is there something wrong that I did on either the Juniper side or the Splunk side? Also, I made sure UDP port 1514 was opened. Any troubleshooting tips would be appreciated.
Hi abeaulieu,
If the traffic isn't even reaching Splunk, the only thing I can think to check is the routing table on your Juniper firewall. It's possible a static route isn't configured for the Splunk server, so it's sending syslog data down the wrong path.
You could also try opening TCP 1514 as well and attempting to telnet from the firewall to your Splunk system on that port. If the telnet succeeds, you know the network is OK and the problem is with the Juniper firewall sending the syslog data (do you have to commit the changes?).
Hope this helps!
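
An added example, not part of either post above: a stand-alone Python listener that checks the UDP path directly by binding port 1514 on the Splunk host and reporting, per datagram, the sender's IP and whether the payload parses as the structured-data (RFC 5424) syslog that `format sd-syslog` selects. The names `parse_sd_syslog` and `listen` and the `SAMPLE` message are constructed for this illustration.

```python
import re
import socket
import sys

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD...] MSG
HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$', re.S)
SD_ELEMENT = re.compile(
    r'\[(?P<sd_id>[^\s\]="]+)(?P<params>(?: [^\s=\]"]+="(?:\\.|[^"\\])*")*)\]')
SD_PARAM = re.compile(r' ([^\s=\]"]+)="((?:\\.|[^"\\])*)"')

# Constructed sample datagram (not captured from a real device).
SAMPLE = (b'<14>1 2024-01-01T00:00:00.000Z srx380 RT_FLOW - RT_FLOW_SESSION_CREATE '
          b'[junos@2636.1.1.1.2.135 source-address="192.0.2.10" destination-port="443"] '
          b'session created')

def parse_sd_syslog(datagram: bytes):
    """Return a dict for an RFC 5424 message, or None if it is not one."""
    text = datagram.decode("utf-8", errors="replace").strip()
    m = HEADER.match(text)
    if not m or not 0 <= int(m["pri"]) <= 191:
        return None
    event = {k: m[k] for k in ("host", "app", "msgid", "ts")}
    event["facility"], event["severity"] = divmod(int(m["pri"]), 8)
    event["sd"] = {el["sd_id"]: dict(SD_PARAM.findall(el["params"]))
                   for el in SD_ELEMENT.finditer(m["rest"])}
    return event

def listen(port=1514, expected_src=None, bind="0.0.0.0"):
    """Print one line per datagram; flag senders other than expected_src."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))  # fails if Splunk's UDP input still holds the port
    print(f"listening on udp/{port}")
    while True:
        data, (src, _) = sock.recvfrom(65535)
        event = parse_sd_syslog(data)
        note = "" if expected_src in (None, src) else "  (unexpected source)"
        if event is None:
            print(f"{src}: {len(data)} bytes, not sd-syslog{note}")
        else:
            print(f"{src}: {event['app']} {event['msgid']}, "
                  f"{len(event['sd'])} SD element(s){note}")

if __name__ == "__main__":
    listen(expected_src=sys.argv[1] if len(sys.argv) > 1 else None)
```

Disable the Splunk UDP input on 1514 while this runs, and pass the SRX address as the first argument to flag datagrams from any other sender.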