Juniper Logs
Connecting Juniper logs to your Panther Console
Panther supports ingesting Juniper logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.
To connect these logs into Panther:
- 1.Log in to the Panther Console.
- 2.In the left sidebar, click Configure > Log Sources.
- 3.Click Create New.
- 4.Search for the log type you want to onboard, then click its tile.
- 5.Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:
- 6.Configure Juniper to push logs to the Data Transport source.
- See Juniper's documentation for instructions on pushing logs to your selected Data Transport source.
Required fields in all the tables are in bold.
Juniper.Access logs for all traffic coming to and from the box.
Column | Type | Description |
timestamp | timestamp | Log entry timestamp |
hostname | string | The hostname of the appliance |
log_level | string | The importance level of a log entry. Can be TRACE, DEBUG, INFO, WARN, or ERROR. |
thread | string | The specific thread that is handling the request or response. |
unique_request_key | string | This is a key used to uniquely identify requests. |
type | string | Whether the HTTP packet is a client request, or a server response (REQUEST,RESPONSE). |
stage | string | Whether the HTTP packet is being logged before or after Security Engine processes it (and potentially manipulates it). |
proxy_client_ip | string | The incoming client IP. Since WebApp Secure works around a Nginx proxy, the client IP will most-likely be '127.0.0.1'. |
url | string | The full request or response URL. |
p_log_type | string | Panther added field with type of log |
p_row_id | string | Panther added field with unique id (within table) |
p_event_time | timestamp | Panther added standardize event time (UTC) |
p_parse_time | timestamp | Panther added standardize log parse time (UTC) |
p_source_id | string | Panther added field with the source id |
p_source_label | string | Panther added field with the source label |
p_any_ip_addresses | [string] | Panther added field with collection of ip addresses associated with the row |
p_any_domain_names | [string] | Panther added field with collection of domain names associated with the row |
p_any_sha1_hashes | [string] | Panther added field with collection of SHA1 hashes associated with the row |
p_any_md5_hashes | [string] | Panther added field with collection of MD5 hashes associated with the row |
p_any_sha256_hashes | [string] | Panther added field with collection of SHA256 hashes of any algorithm associated with the row |
The audit log contains log entries that indicate non-idempotent (state changing) actions performed on WebApp Secure.
Column | Type | Description |
timestamp | timestamp | Log entry timestamp |
hostname | string | The hostname of the appliance |
log_level | string | The importance level of a log entry. Can be TRACE, DEBUG, INFO, WARN, or ERROR. |
message | string | The message. Can indicate any of the previously mentioned actions. |
api_key | string | The key used to perform the action described in the message. |
login_ip | string | The IP address the user performed logged in from |
username | string | The user that performed the login |
p_log_type | string | Panther added field with type of log |
p_row_id | string | Panther added field with unique id (within table) |
p_event_time | timestamp | Panther added standardize event time (UTC) |
p_parse_time | timestamp | Panther added standardize log parse time (UTC) |
p_source_id | string | Panther added field with the source id |
p_source_label | string | Panther added field with the source label |
p_any_ip_addresses | [string] | Panther added field with collection of ip addresses associated with the row |
p_any_domain_names | [string] | Panther added field with collection of domain names associated with the row |
p_any_sha1_hashes | [string] | Panther added field with collection of SHA1 hashes associated with the row |
p_any_md5_hashes | [string] | Panther added field with collection of MD5 hashes associated with the row |
p_any_sha256_hashes | [string] | Panther added field with collection of SHA256 hashes of any algorithm associated with the row |
Juniper.Firewall stores information about dropped packets from the iptables firewall.
Column | Type | Description |
timestamp | timestamp | Log timestamp |
hostname | string | Hostname |
event | string | Event name |
DST | string | Destination IP address |
DPT | int | Destination port |
SRC | string | Source IP address |
SPT | int | Source port |
TTL | bigint | IP TTL in milliseconds |
ID | bigint | Packet id |
MAC | string | MAC address |
LEN | int | Packet length |
TOS | string | Packet Type of Service field |
PREC | string | Packet precedence bits |
RST | boolean | Packet is RST |
SYN | boolean | Packet is SYN |
DF | boolean | Packet has do not fragment flag |
IN | string | Input interface |
OUT | string | Output interface |
PROTO | string | Protocol |
WINDOW | int | Transmit window |
p_log_type | string | Panther added field with type of log |
p_row_id | string | Panther added field with unique id (within table) |
p_event_time | timestamp | Panther added standardize event time (UTC) |
p_parse_time | timestamp | Panther added standardize log parse time (UTC) |
p_source_id | string | Panther added field with the source id |
p_source_label | string | Panther added field with the source label |
p_any_ip_addresses | [string] | Panther added field with collection of ip addresses associated with the row |
p_any_domain_names | [string] | Panther added field with collection of domain names associated with the row |
p_any_sha1_hashes | [string] | Panther added field with collection of SHA1 hashes associated with the row |
p_any_md5_hashes | [string] | Panther added field with collection of MD5 hashes associated with the row |
p_any_sha256_hashes | [string] | Panther added field with collection of SHA256 hashes of any algorithm associated with the row |
Juniper.MWS is the main log file for most WebApp Secure logging needs. All messages that don't have a specific log location are sent, by default, to mws.log.
Column | Type | Description |
timestamp | timestamp | The date of the log entry, in UTC. |
hostname | string | The appliance hostname. |
log_level | string | The importance level of a log entry. Can be TRACE, DEBUG, INFO, WARN, or ERROR. |
service_name | string | The WebApp Secure service that generated the log entry. |
service_component | string | The specific component that is issuing the log message. |
log_message | string | The message. This can be anything, but usually contains information to help you narrow down problems or confirm certain events have occurred as they should. |
p_log_type | string | Panther added field with type of log |
p_row_id | string | Panther added field with unique id (within table) |
p_event_time | timestamp | Panther added standardize event time (UTC) |
p_parse_time | timestamp | Panther added standardize log parse time (UTC) |
p_source_id | string | Panther added field with the source id |
p_source_label | string | Panther added field with the source label |
p_any_ip_addresses | [string] | Panther added field with collection of ip addresses associated with the row |
p_any_domain_names | [string] | Panther added field with collection of domain names associated with the row |
p_any_sha1_hashes | [string] | Panther added field with collection of SHA1 hashes associated with the row |
p_any_md5_hashes | [string] | Panther added field with collection of MD5 hashes associated with the row |
p_any_sha256_hashes | [string] | Panther added field with collection of SHA256 hashes of any algorithm associated with the row |
Juniper.Postgres contains logs of manipulations on the schema of the database that WebApp Secure uses, as well as any errors that occurred during database operations.
Column | Type | Description |
timestamp | timestamp | Log entry timestamp |
hostname | string | The hostname of the appliance |
pid | int | The process ID of the Postgres instance. |
group_id_major | int | Group id major number |
group_id_minor | int | Group id minor number |
sql_error_code | string | The SQL error code. |
session_id | string | A somewhat unique session identifier that can be used to search for specific lines in the log. |
message_type | string | The type of the message. Can be LOG, WARNING, ERROR, or STATEMENT. |
message | string | The message. |
p_log_type | string | Panther added field with type of log |
p_row_id | string | Panther added field with unique id (within table) |
p_event_time | timestamp | Panther added standardize event time (UTC) |
p_parse_time | timestamp | Panther added standardize log parse time (UTC) |
p_source_id | string | Panther added field with the source id |
p_source_label | string | Panther added field with the source label |
p_any_ip_addresses | [string] | Panther added field with collection of ip addresses associated with the row |
p_any_domain_names | [string] | Panther added field with collection of domain names associated with the row |
p_any_sha1_hashes | [string] | Panther added field with collection of SHA1 hashes associated with the row |
p_any_md5_hashes | [string] | Panther added field with collection of MD5 hashes associated with the row |
p_any_sha256_hashes | [string] | Panther added field with collection of SHA256 hashes of any algorithm associated with the row |
Juniper.Security Webapp Secure is configured to log security incidents to mws-security.log. All security alerts should be sent to security.log (previously named security-alert.log). There are different types of security incidents that will be a part of this log: new profiles, security incidents, new counter responses.
Column | Type | Description |
timestamp | timestamp | Log entry timestamp |
hostname | string | The hostname of the appliance |
log_level | string | The importance level of a log entry. Can be TRACE, DEBUG, INFO, WARN, or ERROR. |
service | string | The WebApp Secure service that triggered the security log entry. |
category | string | Log entry category |
profile_id | string | The numerical ID assigned to the Profile that caused the security alert, or the profile ID that received a Response. |
profile_name | string | The friendly name assigned to the Profile that caused the security alert, or the Profile that received a Response. |
pubkey | string | The Public ID that can be used in conjunction with the Support_Processor to unblock Profiles. |
incident | string | The name of the incident that triggered this security alert. |
severity | smallint | The numerical severity of the incident that triggered this security alert. This can be a number from 0 to 4, inclusive. |
source_ip | string | The IP the request that generated this alert originated from. |
user_agent | string | The client's user agent string that generated this alert. |
url | string | The request URL that generated this alert. |
count | int | The number of times the profile triggered this incident. This is used for certain incidents to decide whether or not to elevate the profile or increase the responses on the profile. |
fake_response | boolean | Whether or not (true or false) the response sent back to the client was a fake one created by WebApp Secure. |
response_code | string | The numerical code for the response issued. |
response_name | string | The friendly name for the response issued on the profile indicated in the alert. |
created_date | timestamp | The date and time the response was created. |
delay_date | timestamp | The date and time the response is set to be delayed until. |
expiration_date | timestamp | The date and time the response is set to expire. |
response_config | string | The configuration used in this response. Displayed as an XML-like node. |
silent_running | boolean | Whether or not this Counter Response was set to be silent with the Silent Running service at the time of activation. |
p_log_type | string | Panther added field with type of log |
p_row_id | string | Panther added field with unique id (within table) |
p_event_time | timestamp | Panther added standardize event time (UTC) |
p_parse_time | timestamp | Panther added standardize log parse time (UTC) |
p_source_id | string | Panther added field with the source id |
p_source_label | string | Panther added field with the source label |
p_any_ip_addresses | [string] | Panther added field with collection of ip addresses associated with the row |
p_any_domain_names | [string] | Panther added field with collection of domain names associated with the row |
p_any_sha1_hashes | [string] | Panther added field with collection of SHA1 hashes associated with the row |
p_any_md5_hashes | [string] | Panther added field with collection of MD5 hashes associated with the row |
p_any_sha256_hashes | [string] | Panther added field with collection of SHA256 hashes of any algorithm associated with the row |
Last modified 28d ago