How to parse a timestamp appended to a raw syslog message

Jay Bhavsar 0 Reputation points
2024-03-12T18:38:54.86+00:00

How do I parse the timestamp appended to a raw syslog message? Please see the example below.

2024-03-12T17:51:51.755Z FW01 RT_FLOW - RT_FLOW_SESSION_CLOSE [xxxxxx reason="TCP FIN" source-address="xx.xx.xx.xx" source-port="xxxxx" destination-address="xx.xx.xx.xx" destination-port="xxxx" connection-tag="0" service-name="https" nat-source-address="xx.xx.xx.xx" nat-source-port="xxxx" nat-destination-address="xx.xx.xx.xx" nat-destination-port="xxx" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="xx-xxx-xxx" source-zone-name="xxxx" destination-zone-name="xxx" session-id="xxxx" packets-from-client="xx" bytes-from-client="xxx" packets-from-server="xx" bytes-from-server="xx" elapsed-time="1" application="xx" nested-application="xx" username="N/A" roles="N/A" packet-incoming-interface="xx" encrypted="No" application-category="Web" application-sub-category="miscellaneous" application-risk="2" application-characteristics="N/A" secure-web-proxy-session-type="NA" peer-session-id="0" peer-source-address="xxxxx" peer-source-port="0" peer-destination-address="xxxxx" peer-destination-port="0" hostname="NA" src-vrf-grp="N/A" dst-vrf-grp="N/A" tunnel-inspection="Off" tunnel-inspection-policy-set="root" session-flag="0" source-tenant="N/A" destination-service="N/A"]

The JuniperSRX parser is not parsing the event below. Can someone please help me with modifying the JuniperSRX parser in Sentinel?


1 answer

  1. JamesTran-MSFT 36,371 Reputation points Microsoft Employee
    2024-03-12T21:51:26.6266667+00:00

    @Jay Bhavsar

    Thank you for your post!

    To hopefully help point you in the right direction, I was able to look into some similar issues, and based on your Syslog message it seems that your log might not be formatted correctly per the sample messages (Sample Data - JuniperSRX JSON).


    This parser assumes the raw logs are formatted as follows:

    //
    // <14>Nov 14 06:13:55 JuniperSRX_FW4 RT_FLOW session created 172.20.22.237/161->134.207.87.33/162 0x0 None 155.117.69.171/52344->134.207.87.33/162 0x0 source rule source-nat-rule N/A N/A 17 trust_to_Untrust_Internet trust untrust 25620 N/A(N/A) reth4.0 UNKNOWN UNKNOWN UNKNOWN
    // <37>Nov 14 06:14:33 JuniperSRX_FW1 sshd Login failed for user 'root' from host '123.45.67.89'
    // <38>Nov 14 06:13:47 JuniperSRX_FW2 sshd[42227] Disconnected from 183.13.25.46 [preauth]
    // <14>Nov 14 06:21:12 JuniperSRX_FW1 RT_FLOW session closed TCP FIN: 172.20.21.51/49266->172.20.22.254/80 0x0 junos-http 172.20.21.51/49266->172.20.22.254/80 0x0 N/A N/A N/A N
    //
    

    Additional Links:

    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

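As an added illustration (not code from the original post or from the Sentinel JuniperSRX parser), the Python below shows why the two formats differ: it parses the RFC 5424-style line the asker has (ISO-8601 timestamp, host, process, event name and a bracketed key="value" block) into a timestamp plus a field dictionary, and returns None for the legacy BSD-style lines quoted from the parser's comments. The sample line, its addresses and its SD-ID are constructed placeholders, not real data.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the asker's message; every value is a placeholder.
STRUCTURED_LINE = (
    '2024-03-12T17:51:51.755Z FW01 RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@example-sdid reason="TCP FIN" source-address="10.0.0.5" '
    'source-port="51000" destination-address="10.0.1.9" destination-port="443" '
    'protocol-id="6" policy-name="allow-web" elapsed-time="1" encrypted="No"]'
)
# Legacy line in the shape the parser's comments describe (from the answer above).
LEGACY_LINE = (
    '<14>Nov 14 06:13:55 JuniperSRX_FW4 RT_FLOW session created '
    '172.20.22.237/161->134.207.87.33/162 0x0 None'
)

HEADER_RE = re.compile(
    r'^(?:<(?P<pri>\d{1,3})>\d*\s*)?'                                  # optional <PRI>VERSION
    r'(?P<ts>\d{4}-\d{2}-\d{2}T[\d:.]+(?:Z|[+-]\d{2}:\d{2}))\s+'       # ISO-8601 timestamp
    r'(?P<host>\S+)\s+(?P<app>\S+)\s+(?P<procid>\S+)\s+(?P<msgid>\S+)\s+'
    r'\[(?P<sdid>\S+)\s+(?P<sd>.*)\]\s*$'                             # [SD-ID k="v" ...]
)
# One key="value" pair; the value may contain escaped quotes (\").
KV_RE = re.compile(r'(?P<k>[\w-]+)="(?P<v>(?:[^"\\]|\\.)*)"')


def parse_srx_structured(line: str):
    """Return {'timestamp', 'host', 'app', 'event', 'fields'} or None if the
    line is not in the structured (RFC 5424-style) format."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    # datetime.fromisoformat() on older Pythons does not accept a trailing 'Z'.
    ts = datetime.fromisoformat(m.group('ts').replace('Z', '+00:00'))
    fields = {k: v.replace('\\"', '"') for k, v in KV_RE.findall(m.group('sd'))}
    return {
        'timestamp': ts.astimezone(timezone.utc),
        'host': m.group('host'),
        'app': m.group('app'),
        'event': m.group('msgid'),
        'fields': fields,
    }


if __name__ == '__main__':
    print(parse_srx_structured(STRUCTURED_LINE))
    print(parse_srx_structured(LEGACY_LINE))  # None: BSD timestamp, no [SD] block
```

The same two regular expressions can be carried over to `extract()` / `extract_all()` calls in a custom KQL parser that handles the structured format before falling back to the legacy one.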