# Ingest: raw syslog over UDP/514, tagged with type "syslog" so the
# filter and output sections below can key off it.
input {
  udp {
    # Port and event type; the filter section matches on [type] == "syslog".
    type => "syslog"
    port => 514
    # Incoming bytes are decoded as Latin-1 before any grok runs.
    # NOTE(review): RFC 5424 structured-data messages (the "<14>1 ..." form
    # the grok patterns expect) are normally UTF-8 — confirm against the device.
    codec => plain {
      charset => "ISO-8859-1"
    }
    # Throughput tuning: parallel readers, per-datagram buffer, socket
    # receive buffer and in-memory queue depth. Datagrams larger than
    # buffer_size are truncated by the input, so keep it above the longest
    # RT_FLOW line the devices emit.
    workers => 8
    queue_size => 16384
    buffer_size => 262144
    receive_buffer_bytes => 33554432
    # UDP syslog carries no sender authentication; restrict which hosts can
    # reach 514/udp at the host or network firewall.
  }
}
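# Parse Juniper SRX RT_FLOW session logs (RFC 5424 structured-data form)
# into discrete fields, one branch per source device.
#
# NOTE(review): the rendered page shows "[email protected]" in all three
# branch conditions; that is an e-mail-obfuscation artifact of the web view,
# not the real value. Each condition originally named the device-specific
# structured-data ID that the grok below captures as junos-version
# (placeholder: <DEVICE-SD-ID>). Restore the real IDs before deploying — as
# rendered, all three branches test the same string.
#
# Every grok is anchored on "<14>1", i.e. PRI 14 (facility user, severity
# info). Events the device sends with another facility/severity will not
# match and will be tagged _grokparsefailure; widen the anchor to
# "<%{POSINT:syslog-pri}>1" if that is the case.
filter {
  # Branch 1: full pattern including connection tags, NAT rule names,
  # application metadata and VRF groups.
  if [type] == "syslog" and "[email protected]" in [message] {
    if "RT_FLOW_SESSION_CREATE" in [message] {
      grok {
        # %{DATA:...} captures are bounded by the literal \" that follows them;
        # %{NOTSPACE:...} stops at the first whitespace.
        match => { "message" => "<14>1 %{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:router} %{NOTSPACE} - %{NOTSPACE:action} \[%{NOTSPACE:junos-version} source-address=\"%{IP:src-address}\" source-port=\"%{NUMBER:src-port}\" destination-address=\"%{IP:dst-address}\" destination-port=\"%{NUMBER:dst-port}\" connection-tag=\"%{NUMBER:conn-tag}\" service-name=\"%{NOTSPACE:service-name}\" nat-source-address=\"%{IP:nat-src-address}\" nat-source-port=\"%{NUMBER:nat-src-port}\" nat-destination-address=\"%{IP:nat-dst-address}\" nat-destination-port=\"%{NUMBER:nat-dst-port}\" nat-connection-tag=\"%{NUMBER:nat-conn-tag}\" src-nat-rule-type=\"%{DATA:src-nat-rule-type}\" src-nat-rule-name=\"%{DATA:src-nat-rule-name}\" dst-nat-rule-type=\"%{DATA:dst-nat-rule-type}\" dst-nat-rule-name=\"%{DATA:dst-nat-rule-name}\" protocol-id=\"%{NUMBER:protocol-id}\" policy-name=\"%{NOTSPACE:policy-name}\" source-zone-name=\"%{NOTSPACE:src-zone-name}\" destination-zone-name=\"%{DATA:dst-zone-name}\" session-id-32=\"%{NUMBER:session-id-32}\" username=\"%{DATA:username}\" roles=\"%{DATA:roles}\" packet-incoming-interface=\"%{DATA:packet-incoming-interface}\" application=\"%{DATA:application}\" nested-application=\"%{DATA:nested-application}\" encrypted=\"%{DATA:encrypted}\" application-category=\"%{DATA:application-category}\" application-sub-category=\"%{DATA:application-sub-category}\" application-risk=\"%{DATA:application-risk}\" application-characteristics=\"%{DATA:application-characteristics}\" src-vrf-grp=\"%{DATA:src-vrf-grp}\" dst-vrf-grp=\"%{DATA:dst-vrf-grp}\"\]" }
      }
    }
    if "RT_FLOW_SESSION_DENY" in [message] {
      grok {
        match => { "message" => "<14>1 %{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:router} %{NOTSPACE} - %{NOTSPACE:action} \[%{NOTSPACE:junos-version} source-address=\"%{IP:src-address}\" source-port=\"%{NUMBER:src-port}\" destination-address=\"%{IP:dst-address}\" destination-port=\"%{NUMBER:dst-port}\" connection-tag=\"%{NUMBER:conn-tag}\" service-name=\"%{NOTSPACE:service-name}\" protocol-id=\"%{NUMBER:protocol-id}\" icmp-type=\"%{NUMBER:icmp-type}\" policy-name=\"%{NOTSPACE:policy-name}\" source-zone-name=\"%{NOTSPACE:src-zone-name}\" destination-zone-name=\"%{NOTSPACE:dst-zone-name}\" application=\"%{NOTSPACE:application}\" nested-application=\"%{NOTSPACE:nested-application}\" username=\"%{NOTSPACE:username}\" roles=\"%{NOTSPACE:roles}\" packet-incoming-interface=\"%{NOTSPACE:packet-incoming-interface}\" encrypted=\"%{NOTSPACE:encrypted}\" reason=\"%{DATA:reason}\" session-id-32=\"%{DATA:session-id-32}\" application-category=\"%{DATA:application-category}\" application-sub-category=\"%{DATA:application-sub-category}\" application-risk=\"%{DATA:application-risk}\" application-characteristics=\"%{DATA:application-characteristics}\" src-vrf-grp=\"%{NOTSPACE:src-vrf-grp}\" dst-vrf-grp=\"%{NOTSPACE:dst-vrf-grp}\"\]" }
      }
    }
    date {
      # Promote the device timestamp to @timestamp. remove_field only runs
      # when the parse succeeds, so an event whose grok failed (no
      # "timestamp" field) keeps its raw "message" for troubleshooting.
      # The two single-element remove_field settings were merged into one
      # list: the same option twice in one plugin block is at best
      # ambiguous to the config parser.
      match => [ "timestamp","ISO8601" ]
      target => "@timestamp"
      remove_field => [ "timestamp", "message" ]
    }
  }
  # Branch 2: same patterns as branch 1 for a second device.
  if [type] == "syslog" and "[email protected]" in [message] {
    if "RT_FLOW_SESSION_CREATE" in [message] {
      grok {
        match => { "message" => "<14>1 %{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:router} %{NOTSPACE} - %{NOTSPACE:action} \[%{NOTSPACE:junos-version} source-address=\"%{IP:src-address}\" source-port=\"%{NUMBER:src-port}\" destination-address=\"%{IP:dst-address}\" destination-port=\"%{NUMBER:dst-port}\" connection-tag=\"%{NUMBER:conn-tag}\" service-name=\"%{NOTSPACE:service-name}\" nat-source-address=\"%{IP:nat-src-address}\" nat-source-port=\"%{NUMBER:nat-src-port}\" nat-destination-address=\"%{IP:nat-dst-address}\" nat-destination-port=\"%{NUMBER:nat-dst-port}\" nat-connection-tag=\"%{NUMBER:nat-conn-tag}\" src-nat-rule-type=\"%{DATA:src-nat-rule-type}\" src-nat-rule-name=\"%{DATA:src-nat-rule-name}\" dst-nat-rule-type=\"%{DATA:dst-nat-rule-type}\" dst-nat-rule-name=\"%{DATA:dst-nat-rule-name}\" protocol-id=\"%{NUMBER:protocol-id}\" policy-name=\"%{NOTSPACE:policy-name}\" source-zone-name=\"%{NOTSPACE:src-zone-name}\" destination-zone-name=\"%{DATA:dst-zone-name}\" session-id-32=\"%{NUMBER:session-id-32}\" username=\"%{DATA:username}\" roles=\"%{DATA:roles}\" packet-incoming-interface=\"%{DATA:packet-incoming-interface}\" application=\"%{DATA:application}\" nested-application=\"%{DATA:nested-application}\" encrypted=\"%{DATA:encrypted}\" application-category=\"%{DATA:application-category}\" application-sub-category=\"%{DATA:application-sub-category}\" application-risk=\"%{DATA:application-risk}\" application-characteristics=\"%{DATA:application-characteristics}\" src-vrf-grp=\"%{DATA:src-vrf-grp}\" dst-vrf-grp=\"%{DATA:dst-vrf-grp}\"\]" }
      }
    }
    if "RT_FLOW_SESSION_DENY" in [message] {
      grok {
        match => { "message" => "<14>1 %{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:router} %{NOTSPACE} - %{NOTSPACE:action} \[%{NOTSPACE:junos-version} source-address=\"%{IP:src-address}\" source-port=\"%{NUMBER:src-port}\" destination-address=\"%{IP:dst-address}\" destination-port=\"%{NUMBER:dst-port}\" connection-tag=\"%{NUMBER:conn-tag}\" service-name=\"%{NOTSPACE:service-name}\" protocol-id=\"%{NUMBER:protocol-id}\" icmp-type=\"%{NUMBER:icmp-type}\" policy-name=\"%{NOTSPACE:policy-name}\" source-zone-name=\"%{NOTSPACE:src-zone-name}\" destination-zone-name=\"%{NOTSPACE:dst-zone-name}\" application=\"%{NOTSPACE:application}\" nested-application=\"%{NOTSPACE:nested-application}\" username=\"%{NOTSPACE:username}\" roles=\"%{NOTSPACE:roles}\" packet-incoming-interface=\"%{NOTSPACE:packet-incoming-interface}\" encrypted=\"%{NOTSPACE:encrypted}\" reason=\"%{DATA:reason}\" session-id-32=\"%{DATA:session-id-32}\" application-category=\"%{DATA:application-category}\" application-sub-category=\"%{DATA:application-sub-category}\" application-risk=\"%{DATA:application-risk}\" application-characteristics=\"%{DATA:application-characteristics}\" src-vrf-grp=\"%{NOTSPACE:src-vrf-grp}\" dst-vrf-grp=\"%{NOTSPACE:dst-vrf-grp}\"\]" }
      }
    }
    date {
      match => [ "timestamp","ISO8601" ]
      target => "@timestamp"
      remove_field => [ "timestamp", "message" ]
    }
  }
  # Branch 3: older log format — no connection-tag / nat-connection-tag,
  # no application-category/-risk/-characteristics and no VRF groups.
  if [type] == "syslog" and "[email protected]" in [message] {
    if "RT_FLOW_SESSION_CREATE" in [message] {
      grok {
        match => { "message" => "<14>1 %{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:router} %{NOTSPACE} - %{NOTSPACE:action} \[%{NOTSPACE:junos-version} source-address=\"%{IP:src-address}\" source-port=\"%{NUMBER:src-port}\" destination-address=\"%{IP:dst-address}\" destination-port=\"%{NUMBER:dst-port}\" service-name=\"%{NOTSPACE:service-name}\" nat-source-address=\"%{IP:nat-src-address}\" nat-source-port=\"%{NUMBER:nat-src-port}\" nat-destination-address=\"%{IP:nat-dst-address}\" nat-destination-port=\"%{NUMBER:nat-dst-port}\" src-nat-rule-type=\"%{DATA:src-nat-rule-type}\" src-nat-rule-name=\"%{DATA:src-nat-rule-name}\" dst-nat-rule-type=\"%{DATA:dst-nat-rule-type}\" dst-nat-rule-name=\"%{DATA:dst-nat-rule-name}\" protocol-id=\"%{NUMBER:protocol-id}\" policy-name=\"%{NOTSPACE:policy-name}\" source-zone-name=\"%{NOTSPACE:src-zone-name}\" destination-zone-name=\"%{DATA:dst-zone-name}\" session-id-32=\"%{NUMBER:session-id-32}\" username=\"%{DATA:username}\" roles=\"%{DATA:roles}\" packet-incoming-interface=\"%{DATA:packet-incoming-interface}\" application=\"%{DATA:application}\" nested-application=\"%{DATA:nested-application}\" encrypted=\"%{DATA:encrypted}\"\]" }
      }
    }
    if "RT_FLOW_SESSION_DENY" in [message] {
      grok {
        # The trailing "]" here is unescaped, unlike the other patterns; a
        # lone "]" outside a character class is treated as a literal, so it
        # matches the same text.
        match => { "message" => "<14>1 %{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:router} %{NOTSPACE} - %{NOTSPACE:action} \[%{NOTSPACE:junos-version} source-address=\"%{IP:src-address}\" source-port=\"%{NUMBER:src-port}\" destination-address=\"%{IP:dst-address}\" destination-port=\"%{NUMBER:dst-port}\" service-name=\"%{NOTSPACE:service-name}\" protocol-id=\"%{NUMBER:protocol-id}\" icmp-type=\"%{NUMBER:icmp-type}\" policy-name=\"%{NOTSPACE:policy-name}\" source-zone-name=\"%{NOTSPACE:src-zone-name}\" destination-zone-name=\"%{NOTSPACE:dst-zone-name}\" application=\"%{NOTSPACE:application}\" nested-application=\"%{NOTSPACE:nested-application}\" username=\"%{NOTSPACE:username}\" roles=\"%{NOTSPACE:roles}\" packet-incoming-interface=\"%{NOTSPACE:packet-incoming-interface}\" encrypted=\"%{NOTSPACE:encrypted}\" reason=\"%{DATA:reason}\"]" }
      }
    }
    date {
      match => [ "timestamp","ISO8601" ]
      target => "@timestamp"
      remove_field => [ "timestamp", "message" ]
    }
  }
}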
# Ship parsed events to Elasticsearch, one daily index.
output {
  # Only events whose grok populated junos-version with a "junos..." ID are
  # indexed. Anything else — including syslog events the filter could not
  # parse (tagged _grokparsefailure, junos-version absent) — matches no
  # output and is silently dropped. NOTE(review): consider an else branch
  # that indexes unparsed events separately so parse failures stay visible.
  if [type] == "syslog" and "junos" in [junos-version] {
    elasticsearch {
      index => "juniper-%{+YYYY.MM.dd}"
      hosts => ["localhost:9200"]
    }
  }
}