Collect Juniper NetScreen Firewall logs
This document explains how to set up Juniper NetScreen Firewall logs to be sent to Google Security Operations. The parser extracts fields using grok patterns, handling various syslog formats and JSON payloads. It then maps these extracted fields to the UDM, categorizing events as network connections, user logins, status updates, or generic events based on the presence of specific fields like IP addresses, usernames, and ports.
Before you begin
- Ensure that you have administrative access to your Juniper NetScreen Firewall.
- Ensure that you have a Google Security Operations instance.
Get Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
- Copy and save the Customer ID from the Organization Details section.
Install the Bindplane agent
Windows installation
- Open the Command Prompt or PowerShell as an administrator.
- Run the following command: `msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet`
Linux installation
- Open a terminal with root or sudo privileges.
- Run the following command: `sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh`
Additional installation resources
- For additional installation options, consult this installation guide.
Configure the Bindplane agent to ingest Syslog and send to Google SecOps
- Access the configuration file:
  - Locate the `config.yaml` file. Typically, it's in the `/etc/bindplane-agent/` directory on Linux or in the installation directory on Windows.
  - Open the file using a text editor (for example, `nano`, `vi`, or Notepad).
- Edit the `config.yaml` file as follows:

```yaml
receivers:
  tcplog:
    # Replace the port and IP address as required
    listen_address: "0.0.0.0:54525"

exporters:
  chronicle/chronicle_w_labels:
    compression: gzip
    # Adjust the path to the credentials file you downloaded in Step 1
    creds: '/path/to/ingestion-authentication-file.json'
    # Replace with your actual customer ID from Step 2
    customer_id: <customer_id>
    endpoint: malachiteingestion-pa.googleapis.com
    # Add optional ingestion labels for better organization
    ingestion_labels:
      log_type: SYSLOG
    namespace: juniper_firewall
    raw_log_field: body

service:
  pipelines:
    logs/source0__chronicle_w_labels-0:
      receivers:
        - tcplog
      exporters:
        - chronicle/chronicle_w_labels
```

- Replace the port and IP address as required in your infrastructure.
- Replace `<customer_id>` with the actual customer ID.
- Update `/path/to/ingestion-authentication-file.json` to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.
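A pre-restart check for the edited file. This is an added example and not part of Bindplane or Google SecOps; it pattern-matches the YAML text rather than parsing it, and the config text it checks is a constructed copy of the sample above with its placeholders still in place. Forgetting to replace `<customer_id>` or the credentials path is the usual reason the exporter starts but nothing reaches Google SecOps, so these are the first things it looks for.

```python
import re

# Placeholders from the sample config.yaml that must be replaced before restart.
PLACEHOLDERS = ("<customer_id>", "/path/to/ingestion-authentication-file.json")
LISTEN_RE = re.compile(r'listen_address:\s*"?(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})"?')
CREDS_RE = re.compile(r"creds:\s*'?\"?([^'\"\n]+)")

# Constructed config text (not a real deployment) mirroring the sample above.
UNEDITED_CONFIG = """\
receivers:
  tcplog:
    listen_address: "0.0.0.0:54525"
exporters:
  chronicle/chronicle_w_labels:
    compression: gzip
    creds: '/path/to/ingestion-authentication-file.json'
    customer_id: <customer_id>
    endpoint: malachiteingestion-pa.googleapis.com
service:
  pipelines:
    logs/source0__chronicle_w_labels-0:
      receivers:
        - tcplog
      exporters:
        - chronicle/chronicle_w_labels
"""


def check_bindplane_config(text):
    """Return a list of problems found in the config text; empty means it looks ready."""
    problems = []
    for marker in PLACEHOLDERS:
        if marker in text:
            problems.append(f"placeholder not replaced: {marker}")
    listen = LISTEN_RE.search(text)
    if listen is None:
        problems.append("tcplog listen_address is missing or not an IPv4:port pair")
    elif not 1 <= int(listen.group(2)) <= 65535:
        problems.append(f"listen_address port out of range: {listen.group(2)}")
    creds = CREDS_RE.search(text)
    if creds is None or not creds.group(1).strip().endswith(".json"):
        problems.append("creds must point at the downloaded ingestion authentication .json file")
    if "- tcplog" not in text or "- chronicle/chronicle_w_labels" not in text:
        problems.append("pipeline does not wire the tcplog receiver to the chronicle exporter")
    return problems


def check_file(path):
    """Convenience wrapper: run the check against a config.yaml on disk."""
    with open(path, encoding="utf-8") as fh:
        return check_bindplane_config(fh.read())


if __name__ == "__main__":
    for problem in check_bindplane_config(UNEDITED_CONFIG):
        print("config.yaml:", problem)
```

Run it with `check_file("/etc/bindplane-agent/config.yaml")` on the host before `systemctl restart bindplane-agent`; the unedited sample reports both placeholders, and a port outside 1-65535 in `listen_address` is reported as well.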
Restart the Bindplane agent to apply the changes
- To restart the Bindplane agent in Linux, run the following command: `sudo systemctl restart bindplane-agent`
- To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command: `net stop BindPlaneAgent && net start BindPlaneAgent`
Configure Juniper Networks NetScreen firewall
- Sign in to the Juniper NetScreen web interface.
- Select Configuration > Report settings > Log settings.
- Select all the Event severity checkboxes.
- Click Apply.
- Select Configuration > Report settings > Syslog.
- Select the Enable syslog messages checkbox.
- In the Source interface list, select the NetScreen interface from which the syslog packets need to be sent.
- In the Syslog servers section, select the Enable checkbox and provide the following:
  - IP/Hostname: enter the Bindplane IP address.
  - Port: enter the Bindplane port number.
  - MDR facility: select Local0 facility level.
  - Facility: select Local0 facility level.
- Click Apply.
UDM Mapping Table
| Log Field | UDM Mapping | Logic | 
|---|---|---|
| ACTION | security_result.action_details | Directly mapped from the `ACTION` field extracted via GROK and KV filters. |
| APPLICATION | principal.application | Directly mapped from the `APPLICATION` field extracted via GROK and KV filters. |
| application | target.application | Directly mapped from the `application` field extracted via GROK. |
| attack-name | security_result.threat_name | Directly mapped from the `attack-name` field extracted via GROK. |
| bytes-from-client | network.sent_bytes | Directly mapped from the `bytes-from-client` field extracted via GROK. |
| bytes-from-server | network.received_bytes | Directly mapped from the `bytes-from-server` field extracted via GROK. |
| command | target.process.command_line | Directly mapped from the `command` field extracted via GROK. |
| destination-address | target.ip | Directly mapped from the `destination-address` field extracted via GROK. |
| destination-port | target.port | Directly mapped from the `destination-port` field extracted via GROK. |
| destination-zone | additional.fields[].value.string_value | Directly mapped from the `destination-zone` field extracted via GROK and KV filters. The `key` is set to `destination-zone`. |
| destination_zone-name | security_result.detection_fields[].value | Directly mapped from the `destination_zone-name` field extracted via GROK. The `key` is set to `dstzone`. |
| dst-nat-rule-name | security_result.detection_fields[].value | Directly mapped from the `dst-nat-rule-name` field extracted via GROK. The `key` is set to `dst-nat-rule-name`. |
| dst-nat-rule-type | security_result.detection_fields[].value | Directly mapped from the `dst-nat-rule-type` field extracted via GROK. The `key` is set to `dst-nat-rule-type`. |
| elapsed-time | network.session_duration.seconds | Directly mapped from the `elapsed-time` field extracted via GROK. |
| encrypted | security_result.detection_fields[].value | Directly mapped from the `encrypted` field extracted via GROK. The `key` is set to `encrypted`. |
| event_time | metadata.event_timestamp | The timestamp is extracted from the raw log using various GROK patterns, prioritizing `event_time`, then `TIMESTAMP_ISO8601`, and finally `SYSLOGTIMESTAMP`. It is then converted to a timestamp object. |
| host | principal.hostname, intermediary.hostname | If `type` is `NetScreen`, mapped to `intermediary.hostname`. Otherwise, mapped to `principal.hostname`. |
| host_ip | intermediary.ip | Directly mapped from the `host_ip` field extracted via GROK. |
| icmp-type | network.icmp_type | Directly mapped from the `icmp-type` field extracted via GROK. |
| ident | target.application | Directly mapped from the `ident` field extracted via GROK and JSON filters. |
| inbound-bytes | network.received_bytes | Directly mapped from the `inbound-bytes` field extracted via GROK. |
| inbound-packets | network.received_packets | Directly mapped from the `inbound-packets` field extracted via GROK. |
| ip | principal.ip, intermediary.ip | If `type` is `NetScreen`, mapped to `intermediary.ip`. Otherwise, mapped to `principal.ip`. |
| message | security_result.description | If the message is JSON and the `log_message_data` field is not present, the `message` field is used as the description. |
| msg_data | security_result.summary | Directly mapped from the `msg_data` field extracted via GROK. |
| nat-destination-address | target.nat_ip | Directly mapped from the `nat-destination-address` field extracted via GROK. |
| nat-destination-port | target.nat_port | Directly mapped from the `nat-destination-port` field extracted via GROK. |
| nat-source-address | principal.nat_ip | Directly mapped from the `nat-source-address` field extracted via GROK. |
| nat-source-port | principal.nat_port | Directly mapped from the `nat-source-port` field extracted via GROK. |
| outbound-bytes | network.sent_bytes | Directly mapped from the `outbound-bytes` field extracted via GROK. |
| outbound-packets | network.sent_packets | Directly mapped from the `outbound-packets` field extracted via GROK. |
| packets-from-client | network.sent_packets | Directly mapped from the `packets-from-client` field extracted via GROK. |
| packets-from-server | network.received_packets | Directly mapped from the `packets-from-server` field extracted via GROK. |
| packet-incoming-interface | security_result.detection_fields[].value | Directly mapped from the `packet-incoming-interface` field extracted via GROK. The `key` is set to `packet-incoming-interface`. |
| pid | target.process.pid | Directly mapped from the `pid` field extracted via GROK and JSON filters. |
| policy-name | security_result.rule_name | Directly mapped from the `policy-name` field extracted via GROK. |
| PROFILE | additional.fields[].value.string_value | Directly mapped from the `PROFILE` field extracted via GROK and KV filters. The `key` is set to `PROFILE`. |
| protocol-id, protocol-name | network.ip_protocol | Mapped from the `protocol-id` or `protocol-name` field extracted via GROK. The value is converted to the corresponding IP protocol enum. |
| REASON | additional.fields[].value.string_value | Directly mapped from the `REASON` field extracted via GROK and KV filters. The `key` is set to `REASON`. |
| reason | security_result.description | Directly mapped from the `reason` field extracted via GROK. |
| rule-name | security_result.rule_name | Directly mapped from the `rule-name` field extracted via GROK. |
| SESSION_ID | network.session_id | Directly mapped from the `SESSION_ID` field extracted via GROK and KV filters. |
| service-name | security_result.detection_fields[].value | Directly mapped from the `service-name` field extracted via GROK. The `key` is set to `srvname`. |
| source-address | principal.ip | Directly mapped from the `source-address` field extracted via GROK. |
| source-port | principal.port | Directly mapped from the `source-port` field extracted via GROK. |
| source-zone | additional.fields[].value.string_value | Directly mapped from the `source-zone` field extracted via GROK and KV filters. The `key` is set to `source-zone`. |
| source_zone-name | security_result.detection_fields[].value | Directly mapped from the `source_zone-name` field extracted via GROK. The `key` is set to `srczone`. |
| src-nat-rule-name | security_result.detection_fields[].value | Directly mapped from the `src-nat-rule-name` field extracted via GROK. The `key` is set to `src-nat-rule-name`. |
| src-nat-rule-type | security_result.detection_fields[].value | Directly mapped from the `src-nat-rule-type` field extracted via GROK. The `key` is set to `src-nat-rule-type`. |
| subtype | metadata.product_event_type | Directly mapped from the `subtype` field extracted via GROK. |
| threat-severity | security_result.severity_details | Directly mapped from the `threat-severity` field extracted via GROK. |
| time | metadata.event_timestamp | Directly mapped from the `time` field extracted via GROK and JSON filters. Converted to a timestamp object. |
| username | target.user.userid | Directly mapped from the `username` field extracted via GROK. |
| | metadata.log_type | Hardcoded to `JUNIPER_FIREWALL`. |
| | | Hardcoded to `JUNIPER_FIREWALL` or `NetScreen` based on the `type` field. |
| | | Hardcoded to `JUNIPER_FIREWALL`. |
| | security_result.action | Set to `ALLOW` or `BLOCK` based on logic in the parser. |
| | security_result.severity | Set to `LOW`, `MEDIUM`, `HIGH`, `INFORMATIONAL`, or `CRITICAL` based on the `subtype` and `severity_details` fields. |
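A reference implementation of the mapping in the table, useful for checking what a given raw line should turn into before comparing it with what appears in Google SecOps. This is an added example and not the Google SecOps parser itself. The sample lines are constructed and use a `timestamp host key="value"` layout built from the field names in the table, not a captured NetScreen format; the event-type precedence and the verb list behind `ALLOW`/`BLOCK` are this example's assumptions, since the page only says those are decided "based on logic in the parser".

```python
import json
import re

# Constructed sample events (not from the page or a real device). Adapt HEADER_RE
# and KV_RE if your NetScreen feed lays its fields out differently.
SAMPLE_LOGS = [
    '2024-03-01T10:15:30Z fw01 RT_FLOW: source-address="10.1.2.3" source-port="51234" '
    'destination-address="203.0.113.10" destination-port="443" protocol-id="6" '
    'policy-name="allow-web" ACTION="permit" elapsed-time="42" '
    'bytes-from-client="1200" bytes-from-server="8800" service-name="junos-https"',
    '2024-03-01T10:16:01Z fw01 type="NetScreen" username="admin" reason="login ok"',
    '2024-03-01T10:17:45Z fw01 host_ip="192.0.2.1" msg_data="interface ethernet0/1 up"',
]

HEADER_RE = re.compile(r"^(?P<event_time>\S+)\s+(?P<host>\S+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r'([\w.-]+)="([^"]*)"')

# One-to-one rows from the mapping table.
DIRECT = {
    "source-address": "principal.ip",
    "source-port": "principal.port",
    "destination-address": "target.ip",
    "destination-port": "target.port",
    "nat-source-address": "principal.nat_ip",
    "nat-destination-address": "target.nat_ip",
    "bytes-from-client": "network.sent_bytes",
    "bytes-from-server": "network.received_bytes",
    "elapsed-time": "network.session_duration.seconds",
    "policy-name": "security_result.rule_name",
    "rule-name": "security_result.rule_name",
    "attack-name": "security_result.threat_name",
    "threat-severity": "security_result.severity_details",
    "username": "target.user.userid",
    "reason": "security_result.description",
    "msg_data": "security_result.summary",
    "subtype": "metadata.product_event_type",
    "host_ip": "intermediary.ip",
    "event_time": "metadata.event_timestamp",
}
# Rows that land in security_result.detection_fields with a fixed key.
DETECTION_KEYS = {
    "destination_zone-name": "dstzone",
    "source_zone-name": "srczone",
    "service-name": "srvname",
    "dst-nat-rule-name": "dst-nat-rule-name",
    "src-nat-rule-name": "src-nat-rule-name",
}
INT_FIELDS = {"source-port", "destination-port", "bytes-from-client", "bytes-from-server", "elapsed-time"}
IP_PROTOCOL = {"1": "ICMP", "6": "TCP", "17": "UDP", "icmp": "ICMP", "tcp": "TCP", "udp": "UDP"}


def set_path(udm, path, value):
    """Store value at a dotted UDM path, creating nested dicts as needed."""
    node = udm
    keys = path.split(".")
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = value


def extract_fields(line):
    """Grok-style header split followed by key="value" extraction; {} if no header."""
    match = HEADER_RE.match(line)
    if not match:
        return {}
    fields = {"event_time": match.group("event_time"), "host": match.group("host")}
    fields.update(KV_RE.findall(match.group("rest")))
    return fields


def classify(fields):
    """Event type chosen by field presence; this precedence is an assumption of the example."""
    if {"source-address", "destination-address", "destination-port"}.issubset(fields):
        return "NETWORK_CONNECTION"
    if "username" in fields:
        return "USER_LOGIN"
    if "host_ip" in fields or "msg_data" in fields:
        return "STATUS_UPDATE"
    return "GENERIC_EVENT"


def to_udm(fields):
    """Apply the mapping table to extracted fields and return a UDM-shaped dict."""
    udm = {"metadata": {"log_type": "JUNIPER_FIREWALL", "event_type": classify(fields)}}
    for name, value in fields.items():
        if name in DIRECT:
            set_path(udm, DIRECT[name], int(value) if name in INT_FIELDS else value)
        elif name in DETECTION_KEYS:
            udm.setdefault("security_result", {}).setdefault("detection_fields", []).append(
                {"key": DETECTION_KEYS[name], "value": value})
    proto = (fields.get("protocol-id") or fields.get("protocol-name") or "").lower()
    if proto in IP_PROTOCOL:
        set_path(udm, "network.ip_protocol", IP_PROTOCOL[proto])
    # host and ip go to the intermediary when the device reports type=NetScreen.
    side = "intermediary" if fields.get("type") == "NetScreen" else "principal"
    if "host" in fields:
        set_path(udm, side + ".hostname", fields["host"])
    if "ip" in fields:
        set_path(udm, side + ".ip", fields["ip"])
    if "ACTION" in fields:
        # Verb list is this example's assumption, not the parser's documented rule.
        allow = fields["ACTION"].lower() in ("permit", "allow", "accept")
        set_path(udm, "security_result.action", "ALLOW" if allow else "BLOCK")
        set_path(udm, "security_result.action_details", fields["ACTION"])
    return udm


def parse_samples():
    """Run the constructed samples through extraction and mapping."""
    return [to_udm(extract_fields(line)) for line in SAMPLE_LOGS]


if __name__ == "__main__":
    for event in parse_samples():
        print(json.dumps(event, indent=2))
```

Feed a line from your own device into `to_udm(extract_fields(line))` and compare the output with the UDM event Google SecOps produced; a line that fails the header pattern comes back as a `GENERIC_EVENT` with nothing but `metadata`, which is the same symptom you would see in the console when a format the parser does not recognise is sent.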