[JSA] Junos and SRX events appear as UNKNOWN

Article ID: KB15216 KB Last Updated: 21 Jun 2019 Version: 3.0
Summary:
JSA only supports structured syslog format from Junos and SRX devices.
Symptoms:
If syslog is configured in a non-structured format, the events appear as unknown in JSA.
Solution:
Configure the syslog to be sent in structured format.

Control Plane:

[edit system syslog file filename]
facility severity;
structured-data {
    brief;
}


Data Plane:
[edit security log]
mode stream;
format sd-syslog;

If the problem persists, refer to KB15214 JSA events appear as unknown or incorrectly parsed.


Troubleshooting tip:
To see the log format, open the specific event in JSA Log Activity, then copy and paste the whole content of Payload into Notepad.

Example of Junos structured syslog format:
Feb 10 17:06:40 juniper.junos.test.com 2009-02-10T13:26:15.183 SRX210 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address="192.168.1.10" source-port="16683" destination-address="10.0.1.27" destination-port="80" protocol-id="6" policy-name="HTTP-Authentication"]
Feb 10 17:06:41 juniper.junos.test.com 2009-02-10T13:26:15.982 SRX210 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address="192.168.1.11" source-port="19969" destination-address="10.0.1.27" destination-port="80" protocol-id="6" policy-name="HTTP-Authentication"]


Example of Junos non-structured syslog format:
<70>Mar 23 17:51:45 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.254.152.70/138->10.254.152.255/138,17: default-permit
<70>Mar 23 17:47:52 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed unset: 192.168.200.51/137->192.168.200.255/137,17: default-permit, 12(936) 0(0) 75
<70>Mar 23 17:46:44 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed unset: 10.254.152.70/138->10.254.152.255/138,17: default-permit, 1(240) 0(0) 60
<70>Mar 23 17:46:45 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.254.152.70/138->10.254.152.255/138,17: default-permit
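
The payload check from the troubleshooting tip can be scripted. The following Python sketch is an added example, not part of the Juniper article or of JSA: it classifies a payload copied from Log Activity as structured or non-structured and, for structured payloads, extracts the key/value fields. The function names and regular expressions are assumptions derived only from the two sample formats shown above.

```python
import re
from collections import Counter

# SD-ELEMENT as in the article's structured sample: [junos@<id> key="value" ...]
SD_ELEMENT = re.compile(r'\[(junos@[\d.]+)((?:\s+[\w.-]+="(?:[^"\\]|\\.)*")*)\s*\]')
SD_PARAM = re.compile(r'([\w.-]+)="((?:[^"\\]|\\.)*)"')
# Event tag in front of the SD-ELEMENT: "RT_FLOW - RT_FLOW_SESSION_CREATE [junos@"
EVENT_TAG = re.compile(r'(\w+) - (\w+) \[junos@')
# Non-structured form from the article: "RT_FLOW: RT_FLOW_SESSION_CREATE: free text"
PLAIN_TAG = re.compile(r'\b(\w+): (\w+): ')

# One sample line of each kind, copied from the article's examples.
STRUCTURED_SAMPLE = (
    'Feb 10 17:06:40 juniper.junos.test.com 2009-02-10T13:26:15.183 SRX210 '
    'RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 '
    'source-address="192.168.1.10" source-port="16683" '
    'destination-address="10.0.1.27" destination-port="80" '
    'protocol-id="6" policy-name="HTTP-Authentication"]'
)
PLAIN_SAMPLE = (
    '<70>Mar 23 17:51:45 RT_FLOW: RT_FLOW_SESSION_CREATE: session created '
    '10.254.152.70/138->10.254.152.255/138,17: default-permit'
)


def classify_payload(payload):
    """Return (format, event_id, fields) for one payload line."""
    sd = SD_ELEMENT.search(payload)
    if sd:
        tag = EVENT_TAG.search(payload)
        fields = dict(SD_PARAM.findall(sd.group(2)))
        return "structured", tag.group(2) if tag else None, fields
    # No junos@ SD-ELEMENT: this is the format that shows up as unknown in JSA.
    plain = PLAIN_TAG.search(payload)
    return "non-structured", plain.group(2) if plain else None, {}


def summarize(payloads):
    """Count payloads per format so a misconfigured log source stands out."""
    return Counter(classify_payload(p)[0] for p in payloads)


if __name__ == "__main__":
    for line in (STRUCTURED_SAMPLE, PLAIN_SAMPLE):
        print(classify_payload(line))
```

A device whose payloads all classify as non-structured still needs the structured-data or sd-syslog configuration from the Solution section.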
Modification History:
2019-05-20: Updated STRM references to JSA.