Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Events and Logs Overview

Use the Events and Logs page to get an overall, high‐level view of your network environment. You can view abnormal events, attacks, viruses, or worms when log data is correlated and analyzed.

This page provides administrators with an advanced filtering mechanism and provides visibility into actual events collected by the Log Collector. Using the time-frame slider, you can instantly focus on areas of unusual activity by dragging the time slider to the area of interest to you. The slider and the Custom button under Time Range remain at the top of each tab. Users select the time range, and then they can decide how to view the data, using the summary view or detail view tabs.

By default, you can view data for all the devices. To view data for a specific device, click on the link beside Devices and select a device.

Note:

Starting in Junos Space Security Director Release 21.2R1, Tenant Systems (TSYS) devices are also supported.

To access the Event Viewer page select Monitor > Events & Logs > All Events.

Events & Logs—Summary View

Click Summary View for a brief summary of all the events in your network. At the center of the page is critical information, including total number of events, viruses found, total number of interfaces that are down, number of attacks, CPU spikes, and system reboots. This data is refreshed automatically based on the selected time range. At the bottom of the page is a swim-lane view of different events that are happening at a specific time. The events include firewall, Web filtering, VPN, content filtering, antispam, antivirus, IPS, ATP Cloud, Screen, and Apptrack. Each event is color‐coded, with darker shades representing a higher level of activity. Each tabs provide deep information like type, and number of events occurring at that specific time.

See Table 1 the descriptions of the widgets in this view.

Table 1: Events and Logs Summary View Widgets

Widget

Description

Total Events

Total number of all the events that includes firewall, webfiltering, IPS, IPSec, content filtering, antispam, and antivirus events.

Virus Instances

Total number of virus instances running in the system.

Attacks

Total number of attacks on the firewall.

Interface Down

Total number of interfaces that are down.

CPU Spikes

Total number of times a CPU utilization spike has occurred.

Reboots

Total number of system reboots.

Sessions

Total number of sessions established through firewall.

Events & Logs—Detail View

Click Detail View for comprehensive details of events in a tabular format that includes sortable columns. You can sort the events using the Group by option. For example, you can sort the events based on severity. The table includes information such as the rule that caused the event, severity for the event, event ID, traffic information, and how and when the event was detected.

Select the Export to CSV option from the grid settings pane to export and download the log data in CSV file.

The Legacy Node option is displayed in the event viewer after the legacy log collector node is added on the Logging Nodes page. We’ve added the legacy log collector support for read-only purpose to view existing log collector data. New logs should point to Security Director Insights VM as the log collector. Select the Legacy Node checkbox to view the existing log collector data. When you clear the Legacy Node checkbox, Security Director Insights log collector data is displayed.

See Table 2 for field descriptions.

Table 2: Events and Logs Detail Columns

Field

Description

Log Generated Time

The time when the log was generated on the SRX Series device.

Log Received Time

The time when the log was received on the log collector.

Event Name

The event name of the log

Source Country

The source country name.

Source IP

The source IP address from where the event occurred.

Destination Country

Destination country name from where the event occurred.

Destination IP

The destination IP address of the event.

Source Port

The source port of the event.

Destination Port

The destination port of the event.

Description

The description of the log.

Attack name

Attack name of the log: Trojan, worm, virus, and so on.

Threat Severity

The severity level of the threat.

Policy Name

The policy name in the log.

Content Security category or Virus Name

The Content Security category of the log.

URL

Accessed URL name that triggered the event.

Event category

The event category of the log.

User Name

The username of the log.

Action

Action taken for the event: warning, allow, and block.

Log Source

The IP address of the log source.

Application

The application name from which the events or logs are generated

Hostname

The host name in the log.

Service Name

The name of the application service. For example, FTP, HTTP, SSH, and so on.

Nested Application

The nested application in the log.

Source Zone

The source zone of the log.

Destination Zone

The destination zone of the log.

Protocol ID

The protocol ID in the log.

Roles

The role name associated with the log.

Reason

The reason for the log generation. For example, a connection tear down may have an associated reason such as authentication failed.

NAT Source Port

The translated source port.

NAT Destination Port

The translated destination port.

NAT Source Rule Name

The NAT source rule name.

NAT Destination Rule Name

The NAT destination rule name.

NAT Source IP

The translated (or natted) source IP address. It can contain IPv4 or IPv6 addresses.

NAT Destination IP

The translated (also called natted) destination IP address.

Traffic Session ID

The traffic session ID of the log.

Path Name

The path name of the log.

Logical system Name

The name of the logical system.

Rule Name

The name of the rule.

Profile Name

The name of the All events profile that triggered the event.

Client Hostname

Hostname of the client.

Malware Info

Information of the malware.

Logical Subsystem Name

The name of the logical system in JSA logs.

Advanced Search

You can perform advanced search of all events using the search text box present above the grid. It includes the logical operators as part of the filter string. Enter the search string in the text box and based on your input, a list of items from the filter context menu is displayed. You can select a value from the list and then select a valid operator based on which you want to perform the advanced search operation. Press Spacebar to provide AND operator and OR operator. After you have entered the search string, press Enter to display the search result in the grid.

In the search text box, when you hover over the icon, it displays an example filter condition. When you start entering the search string, the icon indicates whether the filter string is valid or not. While entering a search criteria, when you press backspace at any point of time, only one character is deleted.

Starting in Junos Space Security Director Release 19.2R1, in addition to the manual search using keywords, you can drag and drop the values from non-empty cells in the grid into the event viewer search bar. The value is added as the search criterion and the search results are displayed. You can drag and drop only searchable cells. When you hover over the rows in event viewer, searchable cells are displayed with blue background. If a cell is not searchable, there is no change in the background color. If you drag a searchable cell without any value or if the value = ’–’, you cannot drop the contents of such cells. If the search bar already has a search criterion, all the subsequent drag and drop search criteria are prepended by ‘AND’. After dropping the value in the search bar, the search condition is refreshed in the grid. This applies to both simple and complex search filters.

You can perform complex filtering using AND and OR logical operators, and brackets to group the search tokens.

For example: (Name = one and id = 11) or (Name = two and id = 12)

The precedence level of the AND logical operator is higher than OR. In the following filter query, Condition2 AND Condition3 is evaluated before the OR operator.

For example: Condition1 OR Condition2 AND Condition3

To override this, use parentheses explicitly. In the below filter query, expression inside the parentheses is evaluated first.

For example: ( Condition1 OR Condition2 ) AND Condition3

Table 3: Filter Rules

Filter Rule

Example

Enter a comma for an OR filter.

Name=test,site is the same as Name=test OR Name=site

Enter parentheses to combine AND and OR functionality.

Source Country = France AND (Event Name = RT_Flowsession_Close OR Event Category = Firewall)

Enter double quotes for terms with spaces.

"San Jose"

Following are some of the examples for event log filters:

  • Specific events originating from or landing within United States

    Source Country = United States OR Destination Country = United States AND Event Name = IDP_ATTACK_LOG_EVENT, IDP_ATTACK_LOG_EVENT_LS, IDP_APPDDOS_APP_ATTACK_EVENT_LS, IDP_APPDDOS_APP_STATE_EVENT, IDP_APPDDOS_APP_STATE_EVENT_LS, AV_VIRUS_DETECTED_MT, AV_VIRUS_DETECTED, ANTISPAM_SPAM_DETECTED_MT, ANTISPAM_SPAM_DETECTED_MT_LS, FWAUTH_FTP_USER_AUTH_FAIL, FWAUTH_FTP_USER_AUTH_FAIL_LS, FWAUTH_HTTP_USER_AUTH_FAIL, FWAUTH_HTTP_USER_AUTH_FAIL_LS, FWAUTH_TELNET_USER_AUTH_FAIL, FWAUTH_TELNET_USER_AUTH_FAIL_LS, FWAUTH_WEBAUTH_FAIL,FWAUTH_WEBAUTH_FAIL_LS

  • Traffic between zone pairs for policy – IDP2

    Source Zone = trust AND Destination Zone = untrust,internal AND Policy Name = IDP2

  • Events with specific sources IPs or events hitting htp, tftp, http, and unknown applications coming from host DC-SRX1400-1 or vSRX Virtual Firewall-75.

    Application = tftp,ftp,http,unknown OR Source IP = 192.168.34.10,192.168.1.26 AND Hostname = dc-srx1400-1,vSRX Virtual Firewall-75

Role-Based Access Control for Event Viewer

Role-Based Access Control (RBAC) has the following impact on the Event Viewer:

  • You must have Security Analyst or Security Architect or have permissions equivalent to that role to access the event viewer.

  • You cannot view event logs created in other domains. However, a super user or any user with an appropriate role who can access a global domain can view logs in a subdomain, if a subdomain is created with visibility to the parent domain.

  • You can only view logs from the devices that you can access and that belong to your domain.

  • You can only view, not edit, a policy if you do not have edit permissions.

  • The user role under Administration > Users & Roles must have Event Viewer > View Device Logs option is enabled to view or read logs.

Release History Table
Release
Description
16.1
You can perform advanced search of all events using the search text box present above the grid.