Juniper Logs

Connecting Juniper logs to your Panther Console
Overview
Panther supports ingesting Juniper logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.
How to onboard Juniper logs to Panther
To connect these logs into Panther:
1.Log in to the Panther Console.
2.In the left sidebar, click Configure > Log Sources.
3.Click Create New.
4.Search for the log type you want to onboard, then click its tile.
5.Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:
​AWS SQS​
​AWS S3 bucket​
6.Configure Juniper to push logs to the Data Transport source.
See Juniper's documentation for instructions on pushing logs to your selected Data Transport source.
Supported log types
Juniper.Access
Juniper.Access logs for all traffic coming to and from the box. 
Reference: Juniper Documentation on Access Log Format.​
schema: Juniper.Access
description: Juniper.Access logs for all traffic coming to and from the box.
referenceURL: https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-access-log.html
fields:
 - name: timestamp
 required: true
 description: Log entry timestamp
 type: timestamp
 timeFormats:
 - '%b %d %H:%M:%S'
 isEventTime: true
 - name: hostname
 description: The hostname of the appliance
 type: string
 indicators:
 - hostname
 - name: log_level
 description: The importance level of a log entry. Can be TRACE, DEBUG, INFO, WARN, or ERROR.
 type: string
 - name: thread
 description: The specific thread that is handling the request or response.
 type: string
 - name: unique_request_key
 description: The key used to uniquely identify requests.
 type: string
 - name: type
 description: Whether the HTTP packet is a client request, or a server response (REQUEST,RESPONSE).
 type: string
 - name: stage
 description: Whether the HTTP packet is being logged before or after Security Engine processes it (and potentially manipulates it).
 type: string
 - name: proxy_client_ip
 description: The incoming client IP. Since WebApp Secure works around a Nginx proxy, the client IP will most-likely be '127.0.0.1'.
 type: string
 indicators:
 - ip
 - name: url
 description: The full request or response URL.
 type: string
 indicators:
 - domain
Juniper.Audit
The audit log contains log entries that indicate non-idempotent (state changing) actions performed on WebApp Secure. 
Reference: Juniper Documentation on Audit Log Format.​
schema: Juniper.Audit
description: Juniper.Audit The audit log contains log entries that indicate non-idempotent (state changing) actions performed on WebApp Secure.
referenceURL: https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-incident-log-format.html
fields:
 - name: timestamp
 required: true
 description: Log entry timestamp
 type: timestamp
 timeFormats:
 - '%b %d %H:%M:%S'
 isEventTime: true
 - name: hostname
 description: The hostname of the appliance
 type: string
 indicators:
 - hostname
 - name: log_level
 description: The importance level of a log entry. Can be TRACE, DEBUG, INFO, WARN, or ERROR.
 type: string
 - name: message
 description: The message. Can indicate any of the previously mentioned actions.
 type: string
 - name: api_key
 description: The key used to perform the action described in the message.
 type: string
 - name: login_ip
 description: The IP address the user performed logged in from
 type: string
 indicators:
 - ip
 - name: username
 description: The user that performed the login
 type: string
 indicators:
 - username
Juniper.Firewall
Juniper.Firewall stores information about dropped packets from the iptables firewall. 
Reference: Juniper Documentation on Firewall Log Format.​
schema: Juniper.Firewall
description: Juniper.Firewall stores information about dropped packets from the iptables firewall.
referenceURL: https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-incident-log-format.html
fields:
 - name: timestamp
 required: true
 description: Log timestamp
 type: timestamp
 timeFormats:
 - '%b %d %H:%M:%S'
 isEventTime: true
 - name: hostname
 description: Hostname
 type: string
 indicators:
 - hostname
 - name: event
 description: Event name
 type: string
 - name: DST
 description: Destination IP address
 type: string
 indicators:
 - ip
 - name: DPT
 description: Destination port
 type: int
 - name: SRC
 description: Source IP address
 type: string
 indicators:
 - ip
 - name: SPT
 description: Source port
 type: int
 - name: TTL
 description: IP TTL in milliseconds
 type: bigint
 - name: ID
 description: Packet id
 type: bigint
 - name: MAC
 description: MAC address
 type: string
 indicators:
 - mac
 - name: LEN
 description: Packet length
 type: int
 - name: TOS
 description: Packet Type of Service field
 type: string
 - name: PREC
 description: Packet precedence bits
 type: string
 - name: RES
 description: Reserved bits
 type: string
 - name: RST
 description: Packet is RST
 type: boolean
 - name: SYN
 description: Packet is SYN
 type: boolean
 - name: DF
 description: Packet has do not fragment flag
 type: boolean
 - name: IN
 description: Input interface
 type: string
 - name: OUT
 description: Output interface
 type: string
 - name: PROTO
 description: Protocol
 type: string
 - name: WINDOW
 description: Transmit window
 type: int
Juniper.MWS
Juniper.MWS is the main log file for most WebApp Secure logging needs. All messages that don't have a specific log location are sent, by default, to mws.log. 
Reference: Juniper Documentation on MWS Log Format. 
schema: Juniper.MWS
description: Juniper.MWS is the main log file for most WebApp Secure logging needs. All messages that don't have a specific log location are sent, by default, to mws.log.
referenceURL: https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-mws-log.html
fields:
 - name: timestamp
 description: The date of the log entry, in UTC.
 type: timestamp
 timeFormats:
 - '%b %d %H:%M:%S'
 isEventTime: true
 - name: hostname
 description: The appliance hostname.
 type: string
 indicators:
 - hostname
 - name: log_level
 description: The importance level of a log entry. Can be TRACE, DEBUG, INFO, WARN, or ERROR.
 type: string
 - name: service_name
 description: The WebApp Secure service that generated the log entry.
 type: string
 - name: service_component
 description: The specific component that is issuing the log message.
 type: string
 - name: log_message
 description: The message. This can be anything, but usually contains information to help you narrow down problems or confirm certain events have occurred as they should.
 type: string
Juniper.Postgres
Juniper.Postgres contains logs of manipulations on the schema of the database that WebApp Secure uses, as well as any errors that occurred during database operations. 
Reference: Juniper Documentation on Postgres Log Format.​
schema: Juniper.Postgres
description: Juniper.Postgres contains logs of manipulations on the schema of the database that WebApp Secure uses, as well as any errors that occurred during database operations.
referenceURL: https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-postgres-log.html
fields:
 - name: timestamp
 required: true
 description: Log entry timestamp
 type: timestamp
 timeFormats:
 - '%b %d %H:%M:%S'
 isEventTime: true
 - name: hostname
 description: The hostname of the machine
 type: string
 - name: pid
 description: The process ID of the postgres instance.
 type: int
 - name: group_id_major
 description: Group id major number
 type: int
 - name: group_id_minor
 description: Group id minor number
 type: int
 - name: sql_error_code
 description: The SQL error code.
 type: string
 - name: session_id
 description: A somewhat unique session identifier that can be used to search for specific lines in the log.
 type: string
 indicators:
 - trace_id
 - name: message_type
 description: The type of the message. Can be LOG, WARNING, ERROR, or STATEMENT.
 type: string
 - name: message
 description: The message.
 type: string
Juniper.Security
Juniper.Security Webapp Secure is configured to log security incidents to mws-security.log. All security alerts should be sent to security.log (previously named security-alert.log). There are different types of security incidents that will be a part of this log: new profiles, security incidents, new counter responses.
Reference: Juniper Documentation on Security Log Format.​
schema: Juniper.Security
description: |-
 Juniper.Security Webapp Secure is configured to log security incidents to mws-security.log.
 All security alerts should be sent to security.log (previously named security-alert.log).
 There are different types of security incidents that will be a part of this log: new profiles, security incidents, new counter responses.
referenceURL: https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-log-format.html
fields:
 - name: timestamp
 required: true
 description: Log entry timestamp
 type: timestamp
 timeFormats:
 - '%b %d %H:%M:%S'
 isEventTime: true
 - name: hostname
 description: The hostname of the appliance
 type: string
 indicators:
 - hostname
 - name: log_level
 description: The importance level of a log entry. Can be TRACE, DEBUG, INFO, WARN, or ERROR.
 type: string
 - name: service
 description: The WebApp Secure service that triggered the security log entry.
 type: string
 - name: category
 description: Log entry category
 type: string
 - name: profile_id
 description: The numerical ID assigned to the Profile that caused the security alert, or the profile ID that received a Response.
 type: string
 - name: profile_name
 description: The friendly name assigned to the Profile that caused the security alert, or the Profile that received a Response.
 type: string
 - name: pubkey
 description: The Public ID that can be used in conjunction with the Support_Processor to unblock Profiles.
 type: string
 - name: incident
 description: The name of the incident that triggered this security alert.
 type: string
 - name: severity
 description: The numerical severity of the incident that triggered this security alert. This can be a number from 0 to 4, inclusive.
 type: smallint
 - name: source_ip
 description: The IP the request that generated this alert originated from.
 type: string
 indicators:
 - ip
 - name: user_agent
 description: The client's user agent string that generated this alert.
 type: string
 - name: url
 description: The request URL that generated this alert.
 type: string
 indicators:
 - url
 - name: count
 description: The number of times the profile triggered this incident. This is used for certain incidents to decide whether or not to elevate the profile or increase the responses on the profile.
 type: int
 - name: fake_response
 description: Whether or not (true or false) the response sent back to the client was a fake one created by WebApp Secure.
 type: boolean
 - name: response_code
 description: The numerical code for the response issued.
 type: string
 - name: response_name
 description: The friendly name for the response issued on the profile indicated in the alert.
 type: string
 - name: created_date
 description: The date and time the response was created.
 type: timestamp
 timeFormats:
 - '%Y-%m-%d %H:%M:%S.%f'
 - name: delay_date
 description: The date and time the response is set to be delayed until.
 type: timestamp
 timeFormats:
 - '%Y-%m-%d %H:%M:%S.%f'
 - name: expiration_date
 description: The date and time the response is set to expire.
 type: timestamp
 timeFormats:
 - '%Y-%m-%d %H:%M:%S.%f'
 - name: response_config
 description: The configuration used in this response. Displayed as an XML-like node.
 type: string
 - name: silent_running
 description: Whether or not this Counter Response was set to be silent with the Silent Running service at the time of activation.
 type: boolean
Jamf Pro Logs
Lacework Logs
Last modified 2mo ago