Syslog Reports
I have pointed our Juniper firewall to our Splunk installation for logging. My goal is to develop a dashboard that we can pull up at any time that tells us the top 20 source addresses and the top 20 destinations in use over a given period of time. I am afraid that I have been striking out so far when it comes to figuring out the search strings needed to produce this dashboard. I am including one syslog event to show what variables there are:
2014-02-21 23:59:58 User.Info 172.16.1.1 1 2014-02-21T23:59:52.189 Hostname RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.58 reason="TCP RST" source-address="192.168.2.164" source-port="53232" destination-address="172.16.1.19" destination-port="445" service-name="junos-smb" nat-source-address="192.168.2.164" nat-source-port="53232" nat-destination-address="172.16.1.19" nat-destination-port="445" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="6" policy-name="35" source-zone-name="Trust" destination-zone-name="Trust" session-id-32="206" packets-from-client="13" bytes-from-client="4274" packets-from-server="9" bytes-from-server="1575" elapsed-time="16" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/2.0"]
Mus,
Thank you for the pointers. This did get me started.
What ended up helping a great deal was to switch to verbose logs (upper left-hand side of the search window) and then to click on the headings along the left side. I now have really great dashboards for my Juniper syslogs. Thank you for your help!
Hi wilbuchanan,
This should be pretty easy according to your provided log example. Splunk will create the fields for source-address and destination-address on its own, so you just have to use these fields in your search like this:
PutYourBaseSearchHere | top limit=20 source-address destination-address
This will give you a table-like report of each top 20 IPs.
Hope this helps to get you started ...
cheers, MuS
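To make concrete what the `top` command is counting over these RT_FLOW events, here is an added, stand-alone Python illustration (not code from this thread, from Splunk or from Juniper). It parses the bracketed structured-data element of a Juniper RT_FLOW syslog line into key/value fields, the same fields Splunk auto-extracts, and then builds the two separate top-N lists the question asks for (sources counted on their own, destinations counted on their own). The parser, the `constructed_event` helper and every sample line except the one quoted in the question are assumptions made up for this example.

```python
"""Parse Juniper RT_FLOW syslog events and compute top-N source and destination addresses.

Offline illustration of what `... | top limit=20 source-address` and
`... | top limit=20 destination-address` count; all input is embedded below.
"""
import re
from collections import Counter

# The event quoted in the question, verbatim.
QUESTION_EVENT = (
    '2014-02-21 23:59:58 User.Info 172.16.1.1 1 2014-02-21T23:59:52.189 Hostname RT_FLOW - '
    'RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.58 reason="TCP RST" source-address="192.168.2.164" '
    'source-port="53232" destination-address="172.16.1.19" destination-port="445" '
    'service-name="junos-smb" nat-source-address="192.168.2.164" nat-source-port="53232" '
    'nat-destination-address="172.16.1.19" nat-destination-port="445" src-nat-rule-name="None" '
    'dst-nat-rule-name="None" protocol-id="6" policy-name="35" source-zone-name="Trust" '
    'destination-zone-name="Trust" session-id-32="206" packets-from-client="13" '
    'bytes-from-client="4274" packets-from-server="9" bytes-from-server="1575" elapsed-time="16" '
    'application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" '
    'packet-incoming-interface="ge-0/0/2.0"]'
)


def constructed_event(src, dst, dport, session_id):
    """Build a constructed RT_FLOW_SESSION_CLOSE line in the same format (sample data only)."""
    return (
        '2014-02-21 23:59:59 User.Info 172.16.1.1 1 2014-02-21T23:59:53.000 Hostname RT_FLOW - '
        f'RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.58 reason="TCP FIN" source-address="{src}" '
        f'source-port="50000" destination-address="{dst}" destination-port="{dport}" '
        f'service-name="None" protocol-id="6" policy-name="35" session-id-32="{session_id}" '
        'packets-from-client="5" bytes-from-client="400" packets-from-server="4" '
        'bytes-from-server="300" elapsed-time="2" packet-incoming-interface="ge-0/0/2.0"]'
    )


# Constructed sample set: the question's event plus a few variations and one
# unrelated syslog line that a correct parser must skip.
SAMPLE_EVENTS = [
    QUESTION_EVENT,
    constructed_event("192.168.2.164", "172.16.1.19", "445", 300),
    constructed_event("192.168.2.164", "172.16.1.20", "80", 301),
    constructed_event("192.168.2.10", "172.16.1.19", "445", 302),
    constructed_event("192.168.2.10", "172.16.1.21", "443", 303),
    constructed_event("192.168.2.77", "172.16.1.19", "445", 304),
    '2014-02-21 23:59:59 Auth.Info 172.16.1.1 1 2014-02-21T23:59:54.000 Hostname sshd - - '
    'Accepted password for admin',
]

# key="value" pairs inside the structured-data element; values may contain spaces ("TCP RST").
SD_PARAM_RE = re.compile(r'([A-Za-z0-9_-]+)="([^"]*)"')
# Message type, e.g. RT_FLOW_SESSION_CLOSE (the bare "RT_FLOW" app-name does not match).
EVENT_ID_RE = re.compile(r'\b(RT_FLOW_[A-Z_]+)\b')


def parse_rt_flow(line):
    """Return the fields of an RT_FLOW event as a dict, or None if the line is not one.

    The [junos@... ...] element is RFC 5424 structured data. Simplification: a literal
    escaped "\\]" inside a value (allowed by the RFC) is not handled here.
    """
    m = EVENT_ID_RE.search(line)
    if not m:
        return None
    start = line.find('[junos@', m.end())
    end = line.find(']', start) if start != -1 else -1
    if start == -1 or end == -1:
        return None
    fields = dict(SD_PARAM_RE.findall(line[start:end]))
    fields['event'] = m.group(1)
    return fields


def top_n(lines, field, n=20):
    """Count distinct values of `field` over parseable RT_FLOW events (like `| top limit=n field`)."""
    counter = Counter()
    for line in lines:
        fields = parse_rt_flow(line)
        if fields and field in fields:
            counter[fields[field]] += 1
    return counter.most_common(n)


def top_talkers_report(lines, n=20):
    """Two independent top-N lists, one per field, as the question's dashboard wants."""
    return {
        'source-address': top_n(lines, 'source-address', n),
        'destination-address': top_n(lines, 'destination-address', n),
    }


if __name__ == '__main__':
    for field, rows in top_talkers_report(SAMPLE_EVENTS).items():
        print(f'Top {field}:')
        for value, count in rows:
            print(f'  {value:<16} {count}')
```

Counting each field separately matters for the dashboard described in the question: a single `top` over both fields ranks source/destination pairs, whereas two panels (one `top` per field) give the top sources and the top destinations on their own.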
You're welcome, please accept this answer if it was of help - thanks