Juniper Netscreen extractions
Overview
Details
NOTE:
THERE SEEMS TO BE AN ERROR WHEN UPGRADING THROUGH THE GUI. EVERYTHING IS SET PROPERLY IN THE BUNDLE, SO I'VE OPENED A TICKET WITH SPLUNK SUPPORT TO HELP GET THIS RESOLVED. IN THE MEANTIME, YOU CAN UPDATE THE APP BY MANUALLY INSTALLING/EXTRACTING IT. WILL LET YOU KNOW ONCE THIS IS RESOLVED. THANKS.
This adds the tag "fw" and globally exports it. If you have anything existing named "fw", please either rename your existing "fw" to something else, or disable the tag in this addon by creating and then editing the file "SPLUNK_HOME/etc/apps/netscreen/local/tags.conf" once it's installed. Add the following:
[sourcetype=netscreen]
fw = disabled
then save the file and restart Splunk to pick up this change.
This is a simple package that has much more robust and detailed extractions for Juniper Netscreen style firewall logs than I was able to find anywhere else. The main difference that I was never seeing in anything else available was that the timestamps being keyed off of were not those embedded in the FW messages themselves. This keys off of the "start_time" field for regular traffic; for other traffic it uses the timestamps embedded in the message text (usually near the very end of the line). All the fields extracted are based (where possible) on the documented Splunk CIM available online.
Note that these are written expressly for the log format that I was able to observe from our firewalls in testing. It's POSSIBLE that it may not conform exactly to your format, but as far as I'm aware, it should.
Also note that this adds an explicit sourcetype of "netscreen" for the data, so you may want to alias that if you use something else.
Release Notes
Version 1.6
- Bumped the version to make sure that the newest file is being served up. For any further GUI based upgrade issues, note that I now have a ticket open. Manual download and extraction should still work fine.
From 1.5:
- Hopefully this will clear up any installation issues. Modified the metadata file to be default.meta instead of local.meta, per the FAQ.
- Also removed some extraneous config stanzas in the meta file that might have been causing the GUI errors.
- Finally, repackaged the file as ".spl" instead of the old ".tar.gz", again, per the FAQ.
Version 1.5
- Hopefully this will clear up any installation issues. Modified the metadata file to be default.meta instead of local.meta, per the FAQ.
- Also removed some extraneous config stanzas in the meta file that might have been causing the GUI errors.
- Finally, repackaged the file as ".spl" instead of the old ".tar.gz", again, per the FAQ.
If there's STILL any install errors, please let me know.