SC4S, Properly Indexing Juniper Netscreen

jorob · ‎04-21-2021

I recently installed SC4S. For most logs it works as expected; however, it is improperly indexing Juniper Netscreen as osnix with sourctype: nix:syslog. I've tried adding a filter to identify specific IPs as netscreen but it did not work. Any assistance is appreciated

Example Raw Log:
<133>Apr 19 20:06:42 172.#.#.2/172.#.#.2 SC-NS1-SSG140: NetScreen device_id=SC-NS1-SSG140 [Root]system-notification-00257(traffic): start_time="2021-04-21 17:13:42" duration=0 policy_id=320001 service=tcp/port:8013 proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=52 src=10.#.#.133 dst=10.#.#.1 src_port=53563 dst_port=8013 session_id=0 reason=Traffic Denied

Splunk Results
SC-NS1-SSG140: NetScreen device_id=SC-NS1-SSG140 [Root]system-notification-00257(traffic): start_time="2021-04-21 17:13:42" duration=0 policy_id=320001 service=tcp/port:8013 proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=52 src=10.#.#.1 dst=10.#.#.133 src_port=53563 dst_port=8013 session_id=0 reason=Traffic Denied

host = 172.#.#.2/172..#.#.2
index = osnix
sc4s_fromhostip = 172.#.#.150
sc4s_syslog_facility = user
sc4s_syslog_format = rfc3164
sc4s_vendor_product = nix_syslog
source = program:SC-NS1-SSG140
sourcetype = nix:syslog

SC4S, Properly Indexing Juniper Netscreen

troubleshooting

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

SC4S, Properly Indexing Juniper Netscreen

troubleshooting

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?