Splunk Enterprise

SC4S, Properly Indexing Juniper Netscreen

jorob
Explorer

I recently installed SC4S. For most logs it works as expected; however, it is improperly indexing Juniper Netscreen as osnix with sourcetype: nix:syslog. I've tried adding a filter to identify specific IPs as netscreen but it did not work. Any assistance is appreciated.


Example Raw Log:
<133>Apr 19 20:06:42 172.#.#.2/172.#.#.2 SC-NS1-SSG140: NetScreen device_id=SC-NS1-SSG140 [Root]system-notification-00257(traffic): start_time="2021-04-21 17:13:42" duration=0 policy_id=320001 service=tcp/port:8013 proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=52 src=10.#.#.133 dst=10.#.#.1 src_port=53563 dst_port=8013 session_id=0 reason=Traffic Denied


Splunk Results
SC-NS1-SSG140: NetScreen device_id=SC-NS1-SSG140 [Root]system-notification-00257(traffic): start_time="2021-04-21 17:13:42" duration=0 policy_id=320001 service=tcp/port:8013 proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=52 src=10.#.#.1 dst=10.#.#.133 src_port=53563 dst_port=8013 session_id=0 reason=Traffic Denied

host = 172.#.#.2/172..#.#.2
index = osnix
sc4s_fromhostip = 172.#.#.150
sc4s_syslog_facility = user
sc4s_syslog_format = rfc3164
sc4s_vendor_product = nix_syslog
source = program:SC-NS1-SSG140
sourcetype = nix:syslog
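As an added illustration (not from the post and not SC4S's own code, which is not assumed here), the parser below splits the raw event the way a plain RFC3164 header parse would and then flattens the Netscreen key=value body. The sample event and the vendor_product labels are constructed; what it shows is that the program field carries the device name while the "NetScreen" marker only appears inside the message body.

```python
import re

# Constructed sample: the raw event from the post, masked "#" octets kept as-is.
RAW_EVENT = (
    '<133>Apr 19 20:06:42 172.#.#.2/172.#.#.2 SC-NS1-SSG140: NetScreen device_id=SC-NS1-SSG140 '
    '[Root]system-notification-00257(traffic): start_time="2021-04-21 17:13:42" duration=0 '
    'policy_id=320001 service=tcp/port:8013 proto=6 src zone=Null dst zone=self action=Deny '
    'sent=0 rcvd=52 src=10.#.#.133 dst=10.#.#.1 src_port=53563 dst_port=8013 session_id=0 '
    'reason=Traffic Denied'
)
# RFC3164-style header: <PRI>MMM dd HH:MM:SS host program: message (host runs to the first
# space, so the "ip/ip" form survives as one token; program is what the post shows as source).
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<program>[^:\s]+): (?P<msg>.*)$"
)
# Netscreen body: NetScreen device_id=<id> [<vsys>]<event>(<category>): key=value ...
NETSCREEN_RE = re.compile(
    r"^NetScreen device_id=(?P<device_id>\S+) \[(?P<vsys>[^\]]+)\]"
    r"(?P<event>[^(]+)\((?P<category>[^)]+)\): (?P<kv>.*)$"
)
# key=value pairs: quoted values and the last value ("reason=Traffic Denied") may hold spaces,
# a key may hold one space ("src zone"); an unquoted value runs until the next " key=" or EOL.
KV_RE = re.compile(
    r'(?P<key>[a-z_]+(?: zone)?)=(?:"(?P<quoted>[^"]*)"|(?P<bare>.+?))(?= [a-z_]+(?: zone)?=|$)'
)

def parse_syslog_header(raw):
    # pri/ts/host/program/msg, or None when the line is not RFC3164-shaped
    m = HEADER_RE.match(raw)
    return m.groupdict() if m else None

def parse_netscreen(msg):
    # Flattens the Netscreen body into a dict; None means "not a Netscreen event".
    m = NETSCREEN_RE.match(msg)
    if not m:
        return None
    out = {k: v for k, v in m.groupdict().items() if k != "kv"}
    for kv in KV_RE.finditer(m.group("kv")):
        value = kv.group("quoted") if kv.group("quoted") is not None else kv.group("bare")
        out[kv.group("key").replace(" ", "_")] = value
    return out

def classify(raw):
    # Constructed labels: the vendor is only recognisable from the message body, since the
    # program field holds the device name (SC-NS1-SSG140) rather than the word "NetScreen".
    hdr = parse_syslog_header(raw)
    body = parse_netscreen(hdr["msg"]) if hdr else None
    if body is None:
        return {"vendor_product": "nix_syslog", "program": hdr["program"] if hdr else None}
    return {"vendor_product": "juniper_netscreen", "program": hdr["program"],
            "device_id": body["device_id"], "action": body["action"], "reason": body["reason"]}
```

Running classify(RAW_EVENT) yields vendor_product juniper_netscreen with program SC-NS1-SSG140, whereas a generic sshd line falls through to nix_syslog.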
