Reporting

Juniper SSG (ScreenOS) Traffic report

tmichiels
Explorer

Being a newbie with splunk, I don't get much further than installing splunk and having a listener set up to which the SSG sends it syslog data.

I need to make traffic reports out of the traffic logs from certain firewall policies.

The output should be a table with the following columns:

Source IP | total recv'd data | total sent data | total of recv'd+sent

192.168.1.x | 400 MB | 100 MB | 500 MB

192.168.1.y | 150 MB | 1 GB | 1,15 GB

...

The input is, as said, ScreenOS syslog data in the form of:

Aug 9 19:39:56 192.168.163.2 gw0-NLA: NetScreen device_id=gw0-NLA [Root]system-notification-00257(traffic): start_time="2011-08-09 19:39:51" duration=5 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=134 rcvd=70 src=192.168.163.26 dst=193.203.32.20 src_port=4090 dst_port=80 src-xlated ip=81.83.5.18 port=3303 dst-xlated ip=193.203.32.20 port=80 session_id=15683 reason=Close - TCP RST
Aug 9 19:39:56 192.168.163.2 gw0-NLA: NetScreen device_id=gw0-NLA [Root]system-notification-00257(traffic): start_time="2011-08-09 19:39:52" duration=4 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=198 rcvd=70 src=192.168.163.26 dst=193.203.32.20 src_port=3789 dst_port=80 src-xlated ip=81.83.5.18 port=4243 dst-xlated ip=193.203.32.20 port=80 session_id=15984 reason=Close - TCP RST
Aug 9 19:39:56 192.168.163.2 gw0-NLA: NetScreen device_id=gw0-NLA [Root]system-notification-00257(traffic): start_time="2011-08-09 19:39:25" duration=31 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=11610 rcvd=318968 src=192.168.163.26 dst=193.203.32.39 src_port=3293 dst_port=80 src-xlated ip=81.83.5.18 port=2988 dst-xlated ip=193.203.32.39 port=80 session_id=15342 reason=Close - TCP RST
gw0-NLA

Does somebody have experience with this and could give me some hints?

thanks!

0 Karma

cmeinco
Path Finder

Note the issue with your raw data, "src-xlated ip" and "dst-xlated ip" are being extracted as "ip" because of the space. I used rex to pull them together. It would be better to change the log format. The next step would be to take this regex and add it to an extract and transform.

Assuming sent/received is in bytes, here is a good start for you:

NetScreen | rex field=_raw "src-xlated ip=(?<src_ip>[\d.]+)" | rename src_ip AS "Source IP" | stats sum(sent) AS sentBytes sum(rcvd) AS rcvdBytes sum(eval(sent+rcvd)) AS total by "Source IP"
0 Karma
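A worked version of the same report in Python, added here as an example and not taken from either post: it parses the ScreenOS traffic notifications with a regex that keeps "src-xlated ip" and "dst-xlated ip" as whole keys (the space problem cmeinco points out), shows what a plain whitespace split does to those fields, filters on policy_id, and sums sent/rcvd per source address in the table layout the question asks for. It assumes sent/rcvd are byte counts, as the answer does. The first three sample lines are the questioner's; the fourth line (policy_id=2, a second source host) and the non-traffic line are constructed for the example, as are the function names.

```python
import re
from collections import defaultdict

# Constructed sample input. The first three lines are the questioner's own
# examples; the fourth (policy_id=2, src .40) and the fifth (a non-traffic
# notification) are made up here to exercise the policy filter and the
# message-type filter.
SAMPLE_LOGS = """\
Aug 9 19:39:56 192.168.163.2 gw0-NLA: NetScreen device_id=gw0-NLA [Root]system-notification-00257(traffic): start_time="2011-08-09 19:39:51" duration=5 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=134 rcvd=70 src=192.168.163.26 dst=193.203.32.20 src_port=4090 dst_port=80 src-xlated ip=81.83.5.18 port=3303 dst-xlated ip=193.203.32.20 port=80 session_id=15683 reason=Close - TCP RST
Aug 9 19:39:56 192.168.163.2 gw0-NLA: NetScreen device_id=gw0-NLA [Root]system-notification-00257(traffic): start_time="2011-08-09 19:39:52" duration=4 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=198 rcvd=70 src=192.168.163.26 dst=193.203.32.20 src_port=3789 dst_port=80 src-xlated ip=81.83.5.18 port=4243 dst-xlated ip=193.203.32.20 port=80 session_id=15984 reason=Close - TCP RST
Aug 9 19:39:56 192.168.163.2 gw0-NLA: NetScreen device_id=gw0-NLA [Root]system-notification-00257(traffic): start_time="2011-08-09 19:39:25" duration=31 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=11610 rcvd=318968 src=192.168.163.26 dst=193.203.32.39 src_port=3293 dst_port=80 src-xlated ip=81.83.5.18 port=2988 dst-xlated ip=193.203.32.39 port=80 session_id=15342 reason=Close - TCP RST
Aug 9 19:40:10 192.168.163.2 gw0-NLA: NetScreen device_id=gw0-NLA [Root]system-notification-00257(traffic): start_time="2011-08-09 19:39:58" duration=12 policy_id=2 service=https proto=6 src zone=Trust dst zone=Untrust action=Permit sent=5000 rcvd=20000 src=192.168.163.40 dst=198.51.100.7 src_port=50123 dst_port=443 src-xlated ip=81.83.5.18 port=50123 dst-xlated ip=198.51.100.7 port=443 session_id=16001 reason=Close - AGE OUT
Aug 9 19:40:11 192.168.163.2 gw0-NLA: NetScreen device_id=gw0-NLA [Root]system-notification-00999: constructed non-traffic event, ignored by the parser
"""

# Only the part after "(traffic): " carries the key=value fields.
TRAFFIC_MSG = re.compile(r"\(traffic\):\s*(?P<msg>.*)$")

# A key is a word that may contain ONE internal space ("src zone",
# "src-xlated ip"); a value is either double-quoted or runs up to the next
# " key=" or the end of the line (so "reason=Close - TCP RST" stays whole).
FIELD = re.compile(
    r'(?P<key>[\w-]+(?: [a-z]+)?)='
    r'(?P<val>"[^"]*"|.+?(?=\s+[\w-]+(?: [a-z]+)?=|\s*$))'
)


def naive_fields(line):
    """Whitespace split, as a plain KV extraction does it: both xlated
    addresses collapse into one 'ip' key and 'reason' is truncated."""
    m = TRAFFIC_MSG.search(line)
    if not m:
        return None
    return dict(tok.split("=", 1) for tok in m.group("msg").split() if "=" in tok)


def parse_traffic_line(line):
    """Return a dict of fields for a traffic notification, None otherwise."""
    m = TRAFFIC_MSG.search(line.rstrip())
    if not m:
        return None
    fields, last_key = {}, None
    for f in FIELD.finditer(m.group("msg")):
        key, val = f.group("key"), f.group("val").strip('"')
        # "port" follows each xlated ip and would otherwise overwrite itself;
        # give it the qualifier of the address it belongs to.
        if key == "port" and last_key and last_key.endswith("xlated ip"):
            key = last_key.replace(" ip", " port")
        fields[key] = val
        last_key = key
    return fields


def traffic_report(lines, policy_ids=None, group_by="src"):
    """Sum rcvd/sent bytes per address (the real src by default, or
    'src-xlated ip' to match the SPL answer), optionally limited to the
    given policy_id values. Rows are (ip, rcvd, sent, total), largest first."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        f = parse_traffic_line(line)
        if f is None or group_by not in f:
            continue
        if policy_ids is not None and f.get("policy_id") not in policy_ids:
            continue
        totals[f[group_by]][0] += int(f["rcvd"])
        totals[f[group_by]][1] += int(f["sent"])
    rows = [(ip, r, s, r + s) for ip, (r, s) in totals.items()]
    return sorted(rows, key=lambda row: row[3], reverse=True)


def human_bytes(n):
    """1024-based rendering, e.g. 331050 -> '323.29 KB'."""
    value = float(n)
    for unit in ("B", "KB", "MB", "GB", "TB"):
        if unit == "B" and value < 1024:
            return f"{int(value)} B"
        if value < 1024 or unit == "TB":
            return f"{value:.2f} {unit}"
        value /= 1024


def format_report(rows):
    """Render rows in the table layout the question asks for."""
    out = ["Source IP | total recv'd data | total sent data | total of recv'd+sent"]
    for ip, r, s, t in rows:
        out.append(f"{ip} | {human_bytes(r)} | {human_bytes(s)} | {human_bytes(t)}")
    return out


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    print("\n".join(format_report(traffic_report(lines, policy_ids={"1"}))))
    print("\n".join(format_report(traffic_report(lines, group_by="src-xlated ip"))))
```

Grouping by `src` gives the per-host view the question describes; grouping by `src-xlated ip` reproduces the SPL answer, which in this sample collapses every host onto the single NAT address 81.83.5.18, so check which of the two the report is actually meant to show before building the Splunk extraction around it.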