Juniper Logs

Connecting Juniper logs to your Panther Console

Overview

Panther supports ingesting Juniper logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.

How to onboard Juniper logs to Panther

To connect these logs into Panther:

  1. Log in to the Panther Console.

  2. In the left sidebar, click Configure > Log Sources.

  3. Click Create New.

  4. Search for the log type you want to onboard, then click its tile.

  5. Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:

  6. Configure Juniper to push logs to the Data Transport source.

    • See Juniper's documentation for instructions on pushing logs to your selected Data Transport source.

Supported log types

Juniper.Access

Juniper.Access logs for all traffic coming to and from the box.

Reference: Juniper Documentation on Access Log Format.

schema: Juniper.Access
description: Juniper.Access logs for all traffic coming to and from the box.
referenceURL: https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-access-log.html
fields:
    - name: timestamp
      required: true
      description: Log entry timestamp
      type: timestamp
      timeFormats:
        - '%b %d %H:%M:%S'
      isEventTime: true
    - name: hostname
      description: The hostname of the appliance
      type: string
      indicators:
        - hostname
    - name: log_level
      description: The importance level of a log entry. Can be TRACE, DEBUG, INFO, WARN, or ERROR.
      type: string
    - name: thread
      description: The specific thread that is handling the request or response.
      type: string
    - name: unique_request_key
      description: The key used to uniquely identify requests.
      type: string
    - name: type
      description: Whether the HTTP packet is a client request, or a server response (REQUEST,RESPONSE).
      type: string
    - name: stage
      description: Whether the HTTP packet is being logged before or after Security Engine processes it (and potentially manipulates it).
      type: string
    - name: proxy_client_ip
      description: The incoming client IP. Since WebApp Secure sits behind an Nginx proxy, the client IP will most likely be '127.0.0.1'.
      type: string
      indicators:
        - ip
    - name: url
      description: The full request or response URL.
      type: string
      indicators:
        - domain

Juniper.Audit

The audit log contains log entries that indicate non-idempotent (state changing) actions performed on WebApp Secure.

Reference: Juniper Documentation on Audit Log Format.

schema: Juniper.Audit
description: Juniper.Audit contains log entries that indicate non-idempotent (state changing) actions performed on WebApp Secure.
referenceURL: https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-incident-log-format.html
fields:
    - name: timestamp
      required: true
      description: Log entry timestamp
      type: timestamp
      timeFormats:
        - '%b %d %H:%M:%S'
      isEventTime: true
    - name: hostname
      description: The hostname of the appliance
      type: string
      indicators:
        - hostname
    - name: log_level
      description: The importance level of a log entry. Can be TRACE, DEBUG, INFO, WARN, or ERROR.
      type: string
    - name: message
      description: The message. Can indicate any of the previously mentioned actions.
      type: string
    - name: api_key
      description: The key used to perform the action described in the message.
      type: string
    - name: login_ip
      description: The IP address the user logged in from
      type: string
      indicators:
        - ip
    - name: username
      description: The user that performed the login
      type: string
      indicators:
        - username

Juniper.Firewall

Juniper.Firewall stores information about dropped packets from the iptables firewall.

Reference: Juniper Documentation on Firewall Log Format.

schema: Juniper.Firewall
description: Juniper.Firewall stores information about dropped packets from the iptables firewall.
referenceURL: https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-incident-log-format.html
fields:
    - name: timestamp
      required: true
      description: Log timestamp
      type: timestamp
      timeFormats:
        - '%b %d %H:%M:%S'
      isEventTime: true
    - name: hostname
      description: Hostname
      type: string
      indicators:
        - hostname
    - name: event
      description: Event name
      type: string
    - name: DST
      description: Destination IP address
      type: string
      indicators:
        - ip
    - name: DPT
      description: Destination port
      type: int
    - name: SRC
      description: Source IP address
      type: string
      indicators:
        - ip
    - name: SPT
      description: Source port
      type: int
    - name: TTL
      description: IP TTL in milliseconds
      type: bigint
    - name: ID
      description: Packet id
      type: bigint
    - name: MAC
      description: MAC address
      type: string
      indicators:
        - mac
    - name: LEN
      description: Packet length
      type: int
    - name: TOS
      description: Packet Type of Service field
      type: string
    - name: PREC
      description: Packet precedence bits
      type: string
    - name: RES
      description: Reserved bits
      type: string
    - name: RST
      description: Packet is RST
      type: boolean
    - name: SYN
      description: Packet is SYN
      type: boolean
    - name: DF
      description: Packet has do not fragment flag
      type: boolean
    - name: IN
      description: Input interface
      type: string
    - name: OUT
      description: Output interface
      type: string
    - name: PROTO
      description: Protocol
      type: string
    - name: WINDOW
      description: Transmit window
      type: int
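The Juniper.Firewall fields above are the classic iptables key=value log keys, with the TCP flags (SYN, RST, DF) appearing as bare tokens. The parser below is an added example, not Panther's or Juniper's own code; it assumes a line laid out as "Mon dd HH:MM:SS hostname event key=value ... FLAG ..." and shows the one practical caveat of the schema's '%b %d %H:%M:%S' time format: it carries no year, so the caller must supply one.

```python
import re
from datetime import datetime

# Constructed sample line (not taken from Juniper's documentation).
SAMPLE_LINE = (
    "Jun 14 09:12:03 mws-fw1 DROP IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=54321 DF PROTO=TCP "
    "SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN"
)

INT_FIELDS = {"DPT", "SPT", "TTL", "ID", "LEN", "WINDOW"}  # int / bigint in the schema
BOOL_FIELDS = {"RST", "SYN", "DF"}                        # bare flag tokens -> boolean

# Assumed header layout: syslog-style timestamp, hostname, event name, then the iptables tokens.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<event>\S+) (?P<rest>.*)$"
)


def parse_firewall_line(line, year):
    """Map one firewall log line onto the Juniper.Firewall field names."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a firewall log line")
    # '%b %d %H:%M:%S' has no year, so the year is taken from the caller (e.g. file or ingest date).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    event = {"timestamp": ts, "hostname": m["host"], "event": m["event"]}
    for flag in BOOL_FIELDS:
        event[flag] = False  # flags are absent from the line when not set
    for token in m["rest"].split():
        key, sep, value = token.partition("=")
        if not sep:
            if key in BOOL_FIELDS:
                event[key] = True
            continue
        if value == "":
            continue  # e.g. "OUT=" on an inbound drop: leave the field unset
        event[key] = int(value) if key in INT_FIELDS else value
    return event


if __name__ == "__main__":
    print(parse_firewall_line(SAMPLE_LINE, 2024))
```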

Juniper.MWS

Juniper.MWS is the main log file for most WebApp Secure logging needs. All messages that don't have a specific log location are sent, by default, to mws.log.

Reference: Juniper Documentation on MWS Log Format.

schema: Juniper.MWS
description: Juniper.MWS is the main log file for most WebApp Secure logging needs. All messages that don't have a specific log location are sent, by default, to mws.log.
referenceURL: https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-mws-log.html
fields:
    - name: timestamp
      description: The date of the log entry, in UTC.
      type: timestamp
      timeFormats:
        - '%b %d %H:%M:%S'
      isEventTime: true
    - name: hostname
      description: The appliance hostname.
      type: string
      indicators:
        - hostname
    - name: log_level
      description: The importance level of a log entry. Can be TRACE, DEBUG, INFO, WARN, or ERROR.
      type: string
    - name: service_name
      description: The WebApp Secure service that generated the log entry.
      type: string
    - name: service_component
      description: The specific component that is issuing the log message.
      type: string
    - name: log_message
      description: The message. This can be anything, but usually contains information to help you narrow down problems or confirm certain events have occurred as they should.
      type: string

Juniper.Postgres

Juniper.Postgres contains logs of manipulations on the schema of the database that WebApp Secure uses, as well as any errors that occurred during database operations.

Reference: Juniper Documentation on Postgres Log Format.

schema: Juniper.Postgres
description: Juniper.Postgres contains logs of manipulations on the schema of the database that WebApp Secure uses, as well as any errors that occurred during database operations.
referenceURL: https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-postgres-log.html
fields:
    - name: timestamp
      required: true
      description: Log entry timestamp
      type: timestamp
      timeFormats:
        - '%b %d %H:%M:%S'
      isEventTime: true
    - name: hostname
      description: The hostname of the machine
      type: string
    - name: pid
      description: The process ID of the postgres instance.
      type: int
    - name: group_id_major
      description: Group id major number
      type: int
    - name: group_id_minor
      description: Group id minor number
      type: int
    - name: sql_error_code
      description: The SQL error code.
      type: string
    - name: session_id
      description: A somewhat unique session identifier that can be used to search for specific lines in the log.
      type: string
      indicators:
        - trace_id
    - name: message_type
      description: The type of the message. Can be LOG, WARNING, ERROR, or STATEMENT.
      type: string
    - name: message
      description: The message.
      type: string

Juniper.Security

Juniper.Security: WebApp Secure is configured to log security incidents to mws-security.log. All security alerts should be sent to security.log (previously named security-alert.log). There are different types of security incidents that will be a part of this log: new profiles, security incidents, new counter responses.

Reference: Juniper Documentation on Security Log Format.

schema: Juniper.Security
description: |-
    Juniper.Security: WebApp Secure is configured to log security incidents to mws-security.log.
    All security alerts should be sent to security.log (previously named security-alert.log).
    There are different types of security incidents that will be a part of this log: new profiles, security incidents, new counter responses.
referenceURL: https://www.juniper.net/documentation/en_US/webapp5.6/topics/reference/w-a-s-log-format.html
fields:
    - name: timestamp
      required: true
      description: Log entry timestamp
      type: timestamp
      timeFormats:
        - '%b %d %H:%M:%S'
      isEventTime: true
    - name: hostname
      description: The hostname of the appliance
      type: string
      indicators:
        - hostname
    - name: log_level
      description: The importance level of a log entry. Can be TRACE, DEBUG, INFO, WARN, or ERROR.
      type: string
    - name: service
      description: The WebApp Secure service that triggered the security log entry.
      type: string
    - name: category
      description: Log entry category
      type: string
    - name: profile_id
      description: The numerical ID assigned to the Profile that caused the security alert, or the profile ID that received a Response.
      type: string
    - name: profile_name
      description: The friendly name assigned to the Profile that caused the security alert, or the Profile that received a Response.
      type: string
    - name: pubkey
      description: The Public ID that can be used in conjunction with the Support_Processor to unblock Profiles.
      type: string
    - name: incident
      description: The name of the incident that triggered this security alert.
      type: string
    - name: severity
      description: The numerical severity of the incident that triggered this security alert. This can be a number from 0 to 4, inclusive.
      type: smallint
    - name: source_ip
      description: The IP the request that generated this alert originated from.
      type: string
      indicators:
        - ip
    - name: user_agent
      description: The client's user agent string that generated this alert.
      type: string
    - name: url
      description: The request URL that generated this alert.
      type: string
      indicators:
        - url
    - name: count
      description: The number of times the profile triggered this incident. This is used for certain incidents to decide whether or not to elevate the profile or increase the responses on the profile.
      type: int
    - name: fake_response
      description: Whether or not (true or false) the response sent back to the client was a fake one created by WebApp Secure.
      type: boolean
    - name: response_code
      description: The numerical code for the response issued.
      type: string
    - name: response_name
      description: The friendly name for the response issued on the profile indicated in the alert.
      type: string
    - name: created_date
      description: The date and time the response was created.
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S.%f'
    - name: delay_date
      description: The date and time the response is set to be delayed until.
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S.%f'
    - name: expiration_date
      description: The date and time the response is set to expire.
      type: timestamp
      timeFormats:
        - '%Y-%m-%d %H:%M:%S.%f'
    - name: response_config
      description: The configuration used in this response. Displayed as an XML-like node.
      type: string
    - name: silent_running
      description: Whether or not this Counter Response was set to be silent with the Silent Running service at the time of activation.
      type: boolean
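Once Juniper.Security events are in Panther, the numeric severity (0 to 4) and the per-profile count field are the natural inputs for a detection. The rule below is an added example, not Panther's or Juniper's own code; it assumes Panther's standard Python rule entry points (rule, title, severity, dedup) and a dict-like event carrying the schema fields above, and the thresholds and sample events are constructed for illustration.

```python
# Assumed: Panther calls rule()/title()/severity()/dedup() with a dict-like event.
HIGH_SEVERITY = 3      # schema severity is 0..4 inclusive; treat 3 and 4 as alert-worthy
REPEAT_THRESHOLD = 5   # 'count' is how many times the profile triggered this incident

# Map the schema's numeric severity onto Panther's alert severity labels (illustrative mapping).
SEVERITY_MAP = {0: "INFO", 1: "LOW", 2: "MEDIUM", 3: "HIGH", 4: "CRITICAL"}


def rule(event):
    """Fire on a high-severity incident, or on a low-severity incident that keeps
    recurring for the same profile (repeat hits are what drives response escalation)."""
    sev = event.get("severity")
    if sev is None:
        return False
    if sev >= HIGH_SEVERITY:
        return True
    return (event.get("count") or 0) >= REPEAT_THRESHOLD


def title(event):
    profile = event.get("profile_name") or event.get("profile_id") or "<unknown profile>"
    return (
        f"Juniper WebApp Secure incident [{event.get('incident', '<unknown>')}] "
        f"from {event.get('source_ip', '<no ip>')} ({profile})"
    )


def severity(event):
    return SEVERITY_MAP.get(event.get("severity"), "MEDIUM")


def dedup(event):
    # One alert per profile + incident pair, so a burst of repeated hits collapses into one alert.
    return f"{event.get('profile_id')}:{event.get('incident')}"


# Constructed sample events (not from Juniper's documentation) for a local check.
SAMPLE_HIGH = {"incident": "Header Tampering", "severity": 4, "count": 1,
               "source_ip": "198.51.100.7", "profile_id": "1042",
               "profile_name": "curious-badger", "fake_response": False}
SAMPLE_REPEAT = {"incident": "Directory Probe", "severity": 1, "count": 6,
                 "source_ip": "198.51.100.8", "profile_id": "1043"}
SAMPLE_QUIET = {"incident": "Directory Probe", "severity": 1, "count": 1,
                "source_ip": "198.51.100.9", "profile_id": "1044"}

if __name__ == "__main__":
    for ev in (SAMPLE_HIGH, SAMPLE_REPEAT, SAMPLE_QUIET):
        print(rule(ev), severity(ev), title(ev))
```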
