Thank you for your post!
To hopefully help point you in the right direction, I was able to look into some similar issues, and based on your Syslog message, it seems that your log might not be formatted correctly per the sample messages. Sample Data - JuniperSRX JSON.
- For more info - Juniper SRX Issue with parser #2428
This parser assumes the raw logs are formatted as follows:
//
// <14>Nov 14 06:13:55 JuniperSRX_FW4 RT_FLOW session created 172.20.22.237/161->134.207.87.33/162 0x0 None 155.117.69.171/52344->134.207.87.33/162 0x0 source rule source-nat-rule N/A N/A 17 trust_to_Untrust_Internet trust untrust 25620 N/A(N/A) reth4.0 UNKNOWN UNKNOWN UNKNOWN
// <37>Nov 14 06:14:33 JuniperSRX_FW1 sshd Login failed for user 'root' from host '123.45.67.89'
// <38>Nov 14 06:13:47 JuniperSRX_FW2 sshd[42227] Disconnected from 183.13.25.46 [preauth]
// <14>Nov 14 06:21:12 JuniperSRX_FW1 RT_FLOW session closed TCP FIN: 172.20.21.51/49266->172.20.22.254/80 0x0 junos-http 172.20.21.51/49266->172.20.22.254/80 0x0 N/A N/A N/A N
//
Additional Links:
- Juniper SRX parser doesnt work. #3268
- Juniper SRX Parser update for perf improvement #3847
- SRX Getting Started - Configure Traffic Logging (Security Policy Logs) for SRX Branch Devices
- Security Policies User Guide for Security Devices
I hope this helps!
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
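As an added illustration (not part of the original reply or the Sentinel parser itself), the following Python checks whether incoming lines actually match the syslog layout the parser header above assumes, and pulls out the RT_FLOW session fields when they do. The sample input reuses the reply's own sample messages plus one constructed JSON-formatted line of the kind that the parser would not recognise; the regexes are my own approximation of the layout, not the parser's code.

```python
import re
from typing import Optional

# Sample input: the first three lines are the reply's sample messages; the JSON
# line is constructed to show a structured-syslog format the parser does not expect.
SAMPLE_LINES = [
    "<14>Nov 14 06:13:55 JuniperSRX_FW4 RT_FLOW session created 172.20.22.237/161->134.207.87.33/162 0x0 None 155.117.69.171/52344->134.207.87.33/162 0x0 source rule source-nat-rule N/A N/A 17 trust_to_Untrust_Internet trust untrust 25620 N/A(N/A) reth4.0 UNKNOWN UNKNOWN UNKNOWN",
    "<14>Nov 14 06:21:12 JuniperSRX_FW1 RT_FLOW session closed TCP FIN: 172.20.21.51/49266->172.20.22.254/80 0x0 junos-http 172.20.21.51/49266->172.20.22.254/80 0x0 N/A N/A N/A N",
    "<37>Nov 14 06:14:33 JuniperSRX_FW1 sshd Login failed for user 'root' from host '123.45.67.89'",
    '{"hostname":"JuniperSRX_FW1","event":"RT_FLOW_SESSION_CREATE"}',  # constructed, wrong format
]

# BSD-style syslog header: <PRI>Mon DD HH:MM:SS host process message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<proc>\S+) "
    r"(?P<msg>.*)$"
)

# RT_FLOW body: "session created|closed [reason:] src/port->dst/port flag service natsrc/port->natdst/port"
FLOW_RE = re.compile(
    r"^session (?P<action>created|closed)(?: (?P<reason>[^:]+):)? "
    r"(?P<src_ip>[\d.]+)/(?P<src_port>\d+)->(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"(?P<service_flag>\S+) (?P<service>\S+) "
    r"(?P<nat_src_ip>[\d.]+)/(?P<nat_src_port>\d+)->(?P<nat_dst_ip>[\d.]+)/(?P<nat_dst_port>\d+)"
)


def parse_srx_syslog(line: str) -> Optional[dict]:
    """Return the parsed fields, or None when the line does not fit the assumed layout."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pri"] = int(rec["pri"])
    rec["facility"], rec["severity"] = divmod(rec["pri"], 8)  # RFC 3164 PRI decoding
    if rec["proc"] == "RT_FLOW":
        f = FLOW_RE.match(rec["msg"])
        if not f:
            return None  # RT_FLOW line whose body deviates from the expected field order
        rec.update(f.groupdict())
    return rec


def check_lines(lines):
    """Split lines into those the layout accepts and those a parser built on it would drop."""
    ok, bad = [], []
    for ln in lines:
        (ok if parse_srx_syslog(ln) else bad).append(ln)
    return ok, bad
```

Running `check_lines` over a sample of your exported syslog before onboarding shows at a glance which records would be dropped, which is usually the quickest way to confirm a format mismatch like the one suspected above.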