
[JSA] How the source IP address and destination IP address is determined from events


Article ID: KB33560    KB Last Updated: 24 Jul 2019    Version: 2.0
Summary:

How is the source IP address or destination IP address determined if it is not available in the payload information of an event?

Cause:

The source sends an event to JSA that does not contain both a source and a destination IP address, such as an SSH login event. This event type usually contains only a source IP address and no destination IP address:
<83>Jul 8 16:10:08 10.10.10.10 sshd[1004]: error: PAM: Authentication failure for user1 from 10.10.10.20

Solution:

When JSA receives and processes event data, it must assign an IP address to the source IP and destination IP fields. JSA checks the following locations to determine the IP address to use; they are listed from highest to lowest precedence, so a value found in an earlier location overrides one set from a later location:

  1. IP address fields in the payload information

    The availability of more detailed IP address information depends on each log source type, as well as on the events themselves, as not all events contain IP address fields. If a source IP address is available in the payload, the source IP field is updated with this value. If it is not available, the source IP field keeps the value set from the next location below. The same is true of destination IP information: if no destination address is available in the payload, the destination IP field remains set to the syslog hostname field, if that contained an IP address, or otherwise to the source IP of the packet.

  2. The hostname field in the syslog header

    JSA will look for an IP address in the hostname field of the syslog header, if available.

    Note: Not all syslog sources use proper headers.

    If an IP address is found, the source IP and destination IP fields are both set to this IP address. If the hostname field contains a textual hostname, it is not used. JSA does not perform a DNS lookup on a hostname, as doing so for every event would take too much time and reduce pipeline throughput.

  3. The source IP address of the packet the event came from, when received by JSA

    The source IP and destination IP fields are set to the source IP address of the packet itself. This would be the device that sent the data to JSA.

    If a centralized syslog server is used to forward events to JSA, you will often see the IP address of the syslog server in the source IP and destination IP fields. The best way to avoid this is to do one of the following:

    • Set the log source device to send syslog directly to JSA.
    • Preserve the initial syslog headers, and have the originating devices configured to send an IP address in the hostname field of the syslog header.
    • Reconfigure your syslog server to prepend a new syslog header to the events it forwards to JSA, with the originating device's IP address in the hostname header field.

    Example:

    The following Cisco PIX firewall event is reported:

    <182>Dec 15 10:56:58 10.10.10.2 - Aug 15 2015 10:56:57: %PIX-5-304001: 10.10.10.113 Accessed URL <PUBLIC IP ADDRESS>:/rss20.xml

    Not shown here is that the source IP of this packet is that of a central syslog server, which has the IP address 10.10.10.5. JSA first uses the source IP of the packet to set both the source IP and destination IP fields to 10.10.10.5.

    Cisco PIX firewall messages do not normally include standard syslog headers; however, the administrator of the syslog server configured the server to prepend a new syslog header to the event. The administrator of the centralized syslog server set the hostname field of the prepended syslog header as the IP address of the Cisco PIX firewall. This is seen in the above example as 10.10.10.2. As the syslog header is available and does contain an IP address in the hostname field, JSA now sets the source IP and destination IP fields to this IP address.

    JSA then parses any IP address fields from the payload information of the event, if present. In the above example, the source IP is 10.10.10.113, and the destination address is <PUBLIC IP ADDRESS>, most likely a remote web server in this case.

    Note: It is recommended to configure log sources to include a complete, properly formatted syslog header that carries an IP address rather than a text-based hostname.
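    The following Python script is an added illustration of the three-location precedence described above, applied to the two events shown in this article; it is not JSA's own code. It assumes a simplified BSD syslog header layout, constructed payload patterns for the sshd and PIX 304001 messages, and the constructed address 203.0.113.10 in place of the redacted public IP.

```python
import re

# Assumed, simplified BSD syslog header: "<PRI>Mon DD HH:MM:SS HOSTNAME ..."
SYSLOG_HEADER = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+)\s")
IPV4_LITERAL = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# Constructed payload rules for the two event types in this article; a real
# log source type would carry its own per-event parsing rules.
PAYLOAD_RULES = [
    re.compile(r"Authentication failure for \S+ from (?P<src>\S+)$"),  # sshd: src only
    re.compile(r"%PIX-5-304001: (?P<src>\S+) Accessed URL (?P<dst>[^:/\s]+)"),
]


def resolve_ips(raw_event, packet_src_ip):
    """Return the source/destination IP JSA would assign and which location
    each field was last set from, applying the three locations in precedence order."""
    # Lowest precedence: the source IP of the packet that delivered the event.
    src = dst = packet_src_ip
    src_from = dst_from = "packet"
    # Next: an IP literal in the syslog header hostname field. A textual
    # hostname is ignored outright; no DNS lookup is attempted.
    m = SYSLOG_HEADER.match(raw_event)
    if m and IPV4_LITERAL.match(m.group("host")):
        src = dst = m.group("host")
        src_from = dst_from = "header"
    # Highest precedence: IP fields parsed from the payload, if present.
    for rule in PAYLOAD_RULES:
        pm = rule.search(raw_event)
        if pm:
            fields = pm.groupdict()
            if fields.get("src"):
                src, src_from = fields["src"], "payload"
            if fields.get("dst"):
                dst, dst_from = fields["dst"], "payload"
            break
    return {"src": src, "src_from": src_from, "dst": dst, "dst_from": dst_from}


# Constructed samples: the article's SSH event sent directly by 10.10.10.10; the PIX
# event relayed by a syslog server at 10.10.10.5, with 203.0.113.10 standing in for
# the redacted public address; and a header carrying a textual hostname.
SSH_DIRECT = ("<83>Jul 8 16:10:08 10.10.10.10 sshd[1004]: error: PAM: "
              "Authentication failure for user1 from 10.10.10.20", "10.10.10.10")
PIX_RELAYED = ("<182>Dec 15 10:56:58 10.10.10.2 - Aug 15 2015 10:56:57: %PIX-5-304001: "
               "10.10.10.113 Accessed URL 203.0.113.10:/rss20.xml", "10.10.10.5")
SSH_TEXT_HOST = ("<83>Jul 8 16:10:08 fw01 sshd[1004]: error: PAM: "
                 "Authentication failure for user1 from 10.10.10.20", "10.10.10.5")
```

    Calling resolve_ips(*PIX_RELAYED) shows both fields ending up on payload values, while resolve_ips(*SSH_TEXT_HOST) shows the destination falling back to the relay's packet address because the textual hostname is skipped.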

Modification History:
2019-07-08: Article reviewed for accuracy