LogLogic Juniper Networks JunOS Log Configuration Guide


Document Release: September 2011
Part Number: LL EL

This manual supports LogLogic's Juniper Networks JunOS Release 1.0 and above, and LogLogic Software Release 5.1 and above until replaced by a new edition.

© 2011 LogLogic, Inc.

Proprietary Information

This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.

Trademarks

LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.

Notice

The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

LogLogic, Inc. 110 Rose Orchard Way, Suite 200 San Jose, CA Tel: Fax: U.S. Toll Free:

Contents

Preface
    About This Guide
    Technical Support
    Documentation Support
    Conventions
Chapter 1 Configuring Juniper Networks JunOS Appliances and the LogLogic Appliance
    Introduction to Juniper Networks JunOS
    Prerequisites
    Configuring Juniper Networks JunOS
        Configuring a Juniper Appliance
    Enabling the LogLogic Appliance to Capture Log Data
        Adding a Juniper Networks JunOS Device
    Verifying the Configuration
Chapter 2 How LogLogic Captures Juniper Networks JunOS Data
    LogLogic Real-Time Reports
Chapter 3 Troubleshooting
    Troubleshooting
        Is your version of Juniper Networks JunOS supported?
        Is your LogLogic Appliance running Release 5.1 or above?
        If Juniper Networks JunOS or RT_FLOW events are not appearing on the LogLogic Appliance
        If events are not displaying on the LogLogic Appliance even after configuring Juniper Networks JunOS correctly
Appendix A Event Reference
    LogLogic Support for Juniper Networks JunOS Events
    Component of the Structured Data Log


Preface

About This Guide

LogLogic support for Juniper Networks JUNOS operating system enables LogLogic Appliances to capture logs from machines running Juniper Networks JunOS. Once the logs are captured and parsed, you can generate reports and create alerts on Juniper Networks JunOS operations. For more information on creating reports and alerts, see the LogLogic Guide and LogLogic Online Help.

Technical Support

LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances.

To reach LogLogic Customer Support:

Telephone: Toll Free LOGS Local EMEA or APAC: + 44 (0) or +44 (0)
support@loglogic.com

You can also visit the LogLogic Support website at:

When contacting Customer Support, be prepared to provide:

- Your name, address, phone number, and fax number
- Your company name and company address
- Your machine type and release version
- A description of the problem and the content of pertinent error messages (if any)

Documentation Support

Your feedback on LogLogic documentation is important to us. Send to DocComments@loglogic.com if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team. In your message, please indicate the software name and version you are using, as well as the title and document date of your documentation.

Conventions

LogLogic documentation uses the following conventions to highlight code and command-line elements:

- A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as file names, directories, paths, and URLs).
- A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:

    username: system
    home directory: home\app

- A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example:

    LogLogic_home_directory\upgrade\

- Straight brackets signal options in command-line syntax. For example:

    ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path...]

Chapter 1 Configuring Juniper Networks JunOS Appliances and the LogLogic Appliance

This chapter describes the configuration steps that enable a LogLogic Appliance to capture Juniper Networks JunOS appliance logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Juniper Networks JunOS log data.

- Introduction to Juniper Networks JunOS
- Prerequisites
- Configuring Juniper Networks JunOS
- Enabling the LogLogic Appliance to Capture Log Data
- Verifying the Configuration

Introduction to Juniper Networks JunOS

Juniper Networks JunOS software is Juniper's single network operating system spanning routing, switching and security platforms. Delivering the power of one operating system, Juniper Networks JunOS software simplifies network operations and drives operational excellence to reduce the cost of innovation. Unlike other network operating systems, Juniper Networks JunOS software offers one operating system, enhanced through one release train, and developed based on one modular architecture: the "power of one" differences. These differences allow Juniper Networks JunOS to provide carrier-class continuous systems availability, automated network operations, and the open innovation to quickly respond to rapid growth and change, while reducing complexity, cost, and risk.

The logs produced by Juniper Networks JunOS include events from all of its application functions (i.e., firewall, VPN, switching, etc.) as well as local auditing of the Juniper Networks JunOS itself (e.g., appliance configuration changes, logins, daemon errors, etc.).

Juniper Networks JunOS appliances can generate audit log messages via Syslog using a variety of log formats. The LogLogic Appliance supports Syslog events using the Juniper Networks JunOS Structured Data Format. The LogLogic Appliance acts as the Syslog Server for Juniper Networks JunOS appliances, and Juniper Networks JunOS sends Structured Data Formatted Syslog messages to the Appliance's Syslog Listener.

The configuration procedures for Juniper Networks JunOS and the LogLogic Appliance depend upon your environment.

Prerequisites

Prior to configuring Juniper Networks JunOS appliances and the LogLogic Appliance, ensure that you meet the following prerequisites:

- Juniper Networks JunOS appliance running version 9.3 or
- Proper access permissions to make configuration changes.
- LogLogic Appliance running Release 5.1 or above installed with a Log Source Package that includes Juniper Networks JunOS support.
- Administrative access on the LogLogic Appliance.

Configuring Juniper Networks JunOS

This section describes how to enable a Juniper Networks JunOS appliance to send events to a syslog server (e.g., a LogLogic Appliance). You must enable and configure event logging and syslog on Juniper Networks JunOS-based appliances prior to configuring the LogLogic Appliance.

IMPORTANT! The procedures in this section describe an installation for a single Juniper appliance. The steps must be repeated for each appliance where syslog alerting is needed.

Configuring a Juniper Appliance

When configuring Juniper Networks JunOS version 9.3, be sure the following tasks have been performed on the Juniper Networks JunOS appliance:

1. Configure the Juniper Networks JunOS appliance to send logs to the LogLogic Appliance (see Step 1 below)
2. Enable Logging Messages in Structured-Data Format (see Step 2 below)
3. Add the JuniperJunOS log-prefix Text String to System Log Messages (see Step 3 below)

Note: This document does not describe all features and functionality within Juniper Networks JunOS regarding configuration and Syslog. For more information on these areas, see Juniper's Support Knowledge Base and the Juniper Product Documentation.

1. Directing Messages to a Remote Machine or the Other Routing Engine

To direct system log messages to a remote machine or to the other Routing Engine on the routing platform, include the host statement at the [edit system syslog] hierarchy level:

    [edit system syslog]
    host (hostname | other-routing-engine) {
        facility severity;
        explicit-priority;
        facility-override facility;
        log-prefix string;
        match "regular-expression";
    }
    source-address source-address;

To direct system log messages to a remote machine, include the host hostname statement to specify the remote machine's IP version 4 (IPv4) address, IP version 6 (IPv6) address, or fully qualified hostname. The remote machine must be running the standard syslogd utility.

Ref: pg 118, System Basics Configuration Guide or Juniper online guides.

2. Logging Messages in Structured-Data Format

In Juniper Networks JunOS Release 8.3 and above, you can log messages to a file in structured-data format instead of the standard Juniper Networks JunOS format. Structured-data format provides more information without adding significant length, and makes it easier for automated applications to extract information from a message.

The structured-data format complies with Internet draft draft-ietf-syslog-protocol-21.txt, The syslog Protocol, which at the time of this writing is accessible at all-ids/draft-ietf-syslog-protocol-21.txt. The draft establishes a standard message format regardless of the source or transport protocol for logged messages.

To output messages to a file in structured-data format, include the structured-data statement at the [edit system syslog file filename] hierarchy level:

    [edit system syslog file filename]
    facility severity;
    structured-data {
        brief;
    }

The optional brief statement suppresses the English-language text that appears by default at the end of a message to describe the error or event. For information about the fields in a structured-data format message, see the Juniper Networks JunOS System Log Messages Reference.

Ref: pg 117, System Basics Configuration Guide or Juniper online guides.

3. Adding a Text String to System Log Messages

To add a text string to every system log message directed to a remote machine or to the other Routing Engine, include the log-prefix statement at the [edit system syslog host] hierarchy level:

    [edit system syslog host (hostname | other-routing-engine)]
    facility severity;
    log-prefix string;

The string can contain any alphanumeric or special character except the equal sign (=) and the colon (:). It also cannot include the space character; do not enclose the string in quotation marks (" ") in an attempt to include spaces in it. A colon and a space are appended to the string when the system log messages are written to the log. The string is inserted after the identifier for the Routing Engine that generated the message.

Example: Adding a String

Add the string JuniperJunOS to all messages to indicate that the router is a Juniper Networks JunOS router, and direct the messages to the remote machine hardware-logger.mycompany.com:

    [edit system syslog]
    host hardware-logger.mycompany.com {
        any info;
        log-prefix JuniperJunOS;
    }

When these configuration statements are included on a Juniper Networks JunOS router called origin1, a message in the system logging file on hardware-logger looks like the following:

    Mar 9 17:33:23 origin1 JuniperJunOS: mgd[477]: UI_CMDLINE_READ_LINE: user 'root', command 'run show version'

Ref: pg 122, System Basics Configuration Guide or Juniper online guides.

Enabling the LogLogic Appliance to Capture Log Data

The following sections describe how to configure the LogLogic Appliance to capture Juniper Networks JunOS Syslog messages.

Adding a Juniper Networks JunOS Device

If you do not want to utilize the auto-identification feature, you can manually add a Juniper Networks JunOS device to the LogLogic Appliance before you redirect the logs.

To add Juniper Networks JunOS as a new device:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Management > Devices. The Devices tab appears.
3. Click Add New. The Add Device tab appears.
4. Type in the following information for the device:
   - Name: Name for the Juniper Networks JunOS device
   - Description (optional): Description of the Juniper Networks JunOS device
   - Device Type: Select Juniper Networks JunOS from the drop-down menu
   - Host IP: IP address of the Juniper Networks JunOS appliance
   - Enable Data Collection: Select the Yes radio button
   - Refresh Device Name through DNS Lookups (optional): Select this checkbox to enable the Name field to be automatically updated. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign.

Figure 1 Adding a Device to the LogLogic Appliance

5. Click Add.
6. Verify that your new device appears in the Devices tab and that Enabled is set to Yes.

When the logs arrive from the specified Juniper Networks JunOS appliance, the LogLogic Appliance uses the device you just added if the hostname or IP match.

Note: The Juniper RT_FLOW device is for JUNOS Real Time Flow events such as firewall events. If you would like to report only on Juniper RT_FLOW, then you will need to uncomment NO_SOURCE_SHARING:juniperRtFlow in the /loglogic/conf/non-ipsharing.txt file and restart the Appliance.

Verifying the Configuration

This section describes how to verify that the configuration changes made to Juniper Networks JunOS or Juniper RT_FLOW and the LogLogic Appliance are applied correctly.

To verify the configuration:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Dashboards > Log Source Status.
3. Locate the IP address for each Juniper Networks JunOS device.

If the device name (Juniper JunOS or Juniper RT_FLOW) appears in the list of devices, then the configuration is correct.

Figure 2 Verification of the Juniper Networks JunOS Configuration

If the device does not appear in the Log Source Status tab, check the Juniper Networks JunOS logs for events that should have been sent. If events were detected and are still not appearing on the LogLogic Appliance, verify the Juniper Networks JunOS configuration and the LogLogic Appliance configuration.

You can also verify that the LogLogic Appliance is properly capturing log data from Juniper Networks JunOS by trying to view the data in the reports. LogLogic recommends checking the reports to make sure that the data obtained is valid and matches expectations. For more information, see LogLogic Real-Time Reports on page 11.

If the device name appears in the list of devices but event data for the device is not appearing within your reports, see Chapter 3 Troubleshooting for more information.

Chapter 2 How LogLogic Captures Juniper Networks JunOS Data

This chapter describes LogLogic's support for Juniper Networks JunOS appliance logs. LogLogic enables you to capture Juniper Networks JunOS log data to monitor syslog events.

Juniper Networks JunOS versions 9.3 and 10.4 support two streamed event formats through Syslog (e.g., Standard Syslog Format and Structured-Data Format). Regardless of the Juniper Networks JunOS version, the LogLogic Appliance supports only Juniper Networks JunOS firewall events in Structured-Data Format.

Juniper Networks JunOS generates Syslog messages in Structured-Data Format, then the messages are sent via syslog to the Syslog Listener on the LogLogic Appliance.

Once the data is captured you can generate reports. In addition, you can create alerts to notify you of issues on your Juniper Networks JunOS appliance. For more information on creating reports and alerts, see the LogLogic Guide and LogLogic Online Help.

Note: The LogLogic Appliance captures all messages from the Juniper Networks JunOS appliance, but includes only specific messages for report/alert generation. For more information, see Component of the Structured Data Log on page 29 for sample log messages for each event and event to category mapping.

LogLogic Real-Time Reports

LogLogic provides pre-configured Real-Time Reports for Juniper JunOS data. The following Real-Time Reports are available:

- All Unparsed Events: Displays data for all events retrieved from the Microsoft Windows log for a specified time interval
- Accepted: Displays summary of IP connections that were accepted by the device
- Denied: Displays summary of IP connections that were denied by the device
- Application Distribution: Displays summarization of accepted traffic by application ports through selected firewall device
- Displays Attack type events
- Access: Displays data access and changes done to data during a specified time interval
- Authentication: Displays identity and access related events during a specified time interval
- Displays last activity by specific users

To access LMI 5 Real-Time Reports:

1. In the top navigation pane, click Reports.
2. Click Network. The following Real-Time Reports are available:
   - Accepted
   - Application Distribution
   - Denied

3. Click Threat Management. The following Real-Time Report is available:
4. Click Access Control. The following Real-Time Reports are available:
   - Access
   - Authentication
5. Click Operational. The following Real-Time Report is available:
   - All Unparsed Events

Chapter 3 Troubleshooting

This chapter contains troubleshooting information regarding the configuration and/or use of log collection for Juniper Networks JunOS appliance logs.

Troubleshooting

Is your version of Juniper Networks JunOS supported?

For more information, see Prerequisites on page 6.

Is your LogLogic Appliance running Release 5.1 or above?

If you are running a release prior to 5.1, you might require an upgrade. Contact LogLogic Support for more information.

If Juniper Networks JunOS or RT_FLOW events are not appearing on the LogLogic Appliance...

Juniper Networks JunOS might not be configured correctly. Make sure that logging is configured using the Structured-Data Format, Syslog is configured, and that a Syslog Server (i.e., the LogLogic Appliance) has been defined. Also be sure that for Juniper Networks JunOS events, the log-prefix 'JuniperJunOS' is being used.

If events are not displaying on the LogLogic Appliance even after configuring Juniper Networks JunOS correctly...

Juniper Networks JunOS sends the logs, via Syslog, to the LogLogic Appliance. Make sure that the syslog port is enabled on Juniper Networks JunOS. For more information on supported protocols and ports, see the LogLogic Administration Guide.
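The format and log-prefix checks above can be run against lines captured on the syslog server before they are blamed on the appliance. The following Python script is an added example, not LogLogic or Juniper code: the function names, the constructed sample lines, the placeholder SD-ID junos@0.0.0, and the rule that a standard-format line needs the JuniperJunOS prefix are assumptions drawn from the sample messages in this guide.

```python
import re

EXPECTED_PREFIX = "JuniperJunOS"  # log-prefix string the guide configures

# One structured-data parameter: name="value"; \" \\ and \] are escaped in the value.
PARAM = r'[^\s=\]"]+="(?:[^"\\]|\\.)*"'
PAIR = re.compile(r'([^\s=\]"]+)="((?:[^"\\]|\\.)*)"')

# Shape of the guide's RT_FLOW samples (assumed layout):
#   <PRI>[VER ]TIMESTAMP HOST APP PROCID TAG [junos@ID name="value" ...]
STRUCTURED = re.compile(
    r'^<(?P<pri>\d{1,3})>(?:\d{1,2} )?(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<procid>\S+) (?P<tag>[A-Z][A-Z0-9_]+) '
    r'\[(?P<sdid>junos@[^\s\]]*)(?P<params>(?: ' + PARAM + r')*)\]'
)

# Shape of the guide's JuniperJunOS samples (assumed layout):
#   [<PRI>]Mon DD HH:MM:SS [HOST ][PREFIX: ]daemon[pid]: TAG: text
STANDARD = re.compile(
    r'^(?:<(?P<pri>\d{1,3})>)?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) '
    r'(?:(?P<host>[^\s:]+) )?(?:(?P<prefix>[^\s:=]+): )?'
    r'(?P<daemon>[\w-]+)(?:\[(?P<pid>\d+)\])?: (?P<tag>[A-Z][A-Z0-9_]+): (?P<text>.*)$'
)


def diagnose(line):
    """Classify one received line and list reasons it may go unreported."""
    line = line.strip()
    m = STRUCTURED.match(line)
    if m:
        # Undo the backslash escaping used inside parameter values.
        fields = {k: re.sub(r'\\(["\\\]])', r'\1', v)
                  for k, v in PAIR.findall(m["params"])}
        problems = [] if fields else ["structured-data element has no parameters"]
        return {"format": "structured", "tag": m["tag"], "prefix": None,
                "fields": fields, "problems": problems}
    m = STANDARD.match(line)
    if m:
        prefix, problems = m["prefix"], []
        if prefix is None:
            problems.append("no log-prefix, expected " + EXPECTED_PREFIX)
        elif prefix != EXPECTED_PREFIX:
            problems.append("log-prefix is %s, expected %s" % (prefix, EXPECTED_PREFIX))
        return {"format": "standard", "tag": m["tag"], "prefix": prefix,
                "fields": {}, "problems": problems}
    return {"format": "unknown", "tag": None, "prefix": None, "fields": {},
            "problems": ["not a JunOS syslog shape shown in the guide"]}


def triage(lines):
    """Return {line_number: problems} for every line that fails a check."""
    findings = {}
    for number, line in enumerate(lines, 1):
        problems = diagnose(line)["problems"]
        if problems:
            findings[number] = problems
    return findings


# Constructed sample lines (documentation addresses, hypothetical host srx-lab).
SAMPLES = [
    r'<14>1 2011-09-01T18:28:05.000Z srx-lab RT_FLOW - RT_FLOW_SESSION_DENY '
    r'[junos@0.0.0 source-address="192.0.2.10" source-port="52743" '
    r'destination-address="198.51.100.7" destination-port="80" protocol-id="6" '
    r'policy-name="lab \"dmz\" [v2\]"]',
    '<190>Jul 15 10:47:39 JuniperJunOS: asp[8265]: ASP_SFW_RULE_ACCEPT: '
    'proto 6 (TCP) application: TELNET, 192.0.2.10:1453 -> 198.51.100.7:23',
    '<190>Jul 15 10:47:40 srx-lab asp[8265]: ASP_SFW_RULE_DISCARD: '
    'proto 6 (TCP) application: TELNET, 192.0.2.10:1453 -> 198.51.100.7:23',
    '<190>Jul 15 10:47:41 Juniper: asp[8265]: ASP_SFW_RULE_REJECT: '
    'proto 6 (TCP) application: TELNET, 192.0.2.10:1453 -> 198.51.100.7:23',
    'Jul 15 10:47:42 srx-lab last message repeated 3 times',
]

if __name__ == "__main__":
    for number, problems in triage(SAMPLES).items():
        print("line %d: %s" % (number, "; ".join(problems)))
```

Lines that pass both checks but still do not show up in reports point to the LogLogic side (device entry, Log Source Package, listener port) rather than to the JunOS configuration.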


Appendix A Event Reference

This appendix lists the LogLogic-supported Juniper Networks JunOS appliance log formats and provides sample log messages for each format. It also provides a list of identifiers for the type of hardware platform that generated the message in Table 2 on page 29.

LogLogic Support for Juniper Networks JunOS Events

The following list describes the contents of each of the columns in the table below.

- Event ID: Not Applicable (N/A)
- Agile Reports/Search: Defines if the Juniper JUNOS or RT_FLOW event is available through the LogLogic Agile Reporting engine or through the search capabilities. If the event is available through the Agile Report engine, then you can use LogLogic's Real-Time Reports and Summary Reports to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data.
- Title/Comments: Juniper JUNOS or RT_FLOW Event
- Event Category: Defines which category the event belongs to.
- Event Type/TAG: JUNOS system log message tag, which uniquely identifies the message, such as RT_FLOW_SESSION_CREATE or RT_FLOW_SESSION_DENY.
- Appears In Reports: LogLogic-provided reports that the event appears in.
- Sample Log Message: Sample Juniper JUNOS or RT_FLOW log messages converted into text (.txt) format.

Table 1 Juniper Networks JunOS Syslog Messages Supported by the LogLogic Appliance

Serial No. | Ver. | Agile Reports/Search | Title/Comments | Event Category | Event Type/TAG | Appears in Reports

1 | 9.X | Agile | RT_FLOW | Connectivity | RT_FLOW_SESSION_CREATE | Accepted, Application Distribution
    Sample Log Message: <123> T18:28: srx_hostname RT_FLOW - RT_FLOW_SESSION_CREATE [junos@ source-address=" " source-port="52743" destination-address=" " destination-port="80" protocol-id="6" policy-name="srx_security_policy"]

2 | 9.X | Agile | RT_FLOW | Connectivity | RT_FLOW_SESSION_CLOSE | Accepted
    Sample Log Message: <456> T18:28: srx_hostname RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@ reason="tcp FIN" source-address=" " source-port="50854" destination-address=" " destination-port="80" protocol-id="6" policy-name="srx_security_policy" inbound-packets="4" inbound-bytes="408" outbound-packets="5" outbound-bytes="2482" elapsed-time="1"]

3 | 9.X | Agile | RT_FLOW | Connectivity | RT_FLOW_SESSION_DENY | Denied
    Sample Log Message: <789> T18:28: host-01-bot RT_FLOW - RT_FLOW_SESSION_DENY [junos@ source-address=" " source-port="52743" destination-address=" " destination-port="80" protocol-id="6" icmp-type="5" policy-name="lab"]

4 | 9.X | Agile | JuniperJunOS | Connectivity | ASP_SFW_CREATE_ACCEPT_FLOW | Accepted, Application Distribution
    Sample Log Message: <190>Jul 15 10:47:39 JuniperJunOS: asp[8265]: ASP_SFW_CREATE_ACCEPT_FLOW: 6 error-1: proto 8 (ICMP) application: PING, ge-0/0/ :1453 -> :23, event-type nat-information

5 | 9.X | Agile | JuniperJunOS | Connectivity | ASP_SFW_FTP_ACTIVE_ACCEPT | Accepted, Application Distribution
    Sample Log Message: <190>Jul 15 10:48:39 JuniperJunOS: asp[8265]: ASP_SFW_FTP_ACTIVE_ACCEPT: 6 error-1: proto 8 (ICMP) application: PING, ge-0/0/ :1453 -> :23, event-type nat-information

6 | 9.X | Agile | JuniperJunOS | Connectivity | ASP_SFW_FTP_PASSIVE_ACCEPT | Accepted, Application Distribution
    Sample Log Message: <190>Jul 15 10:49:39 JuniperJunOS: asp[8265]: ASP_SFW_FTP_PASSIVE_ACCEPT: 6 error-1: proto 8 (ICMP) application: PING, ge-0/0/ :1453 -> :23, event-type nat-information

7 | 9.X | Agile | JuniperJunOS | Connectivity | ASP_SFW_RULE_ACCEPT | Accepted, Application Distribution
    Sample Log Message: <190>Jul 15 10:50:39 JuniperJunOS: asp[8265]: ASP_SFW_RULE_ACCEPT: 4 error-1: proto 6 (TCP) application: TELNET, ge-0/0/ :1453 -> :23, event-type rule-set: rule-set-1, rule: rule-1, term: term-1

8 | 9.X | Agile | JuniperJunOS | Connectivity | FLOW_SESSION_CREATE | Accepted, Application Distribution
    Sample Log Message: <14>Jul 22 01:29:49 JuniperJunOS: RT_FLOW: FLOW_SESSION_CREATE: session created /29449-> /512,1: Allow_ALL

9 | 9.X | Agile | JuniperJunOS | Connectivity | FLOW_SESSION_CLOSE | Accepted, Application Distribution
    Sample Log Message: <14>Jul 22 01:29:50 JuniperJunOS: RT_FLOW: FLOW_SESSION_CLOSE: session closed response received: /28681-> /512,1: Allow_ALL, 2, 74,74 5

10 | 9.X | Agile | JuniperJunOS | Connectivity | FLOW_SESSION_DENY | Denied
    Sample Log Message: <14>Jul 30 07:08:48 JuniperJunOS: RT_FLOW: FLOW_SESSION_DENY: session denied / 5632-> /17163,1(8): BLOCK_PING

11 | 9.X | Agile | JuniperJunOS | Connectivity | ASP_SFW_RULE_DISCARD | Denied
    Sample Log Message: <190>Jul 15 10:51:39 JuniperJunOS: asp[8265]: ASP_SFW_RULE_DISCARD: 4 error-1: proto 6 (TCP) application: TELNET, ge-0/0/ :1453 -> :23, event-type rule-set: rule-set-1, rule: rule-1, term: term-1

12 | 9.X | Agile | JuniperJunOS | Connectivity | ASP_SFW_RULE_REJECT | Denied
    Sample Log Message: <190>Jul 15 10:52:39 JuniperJunOS: asp[8265]: ASP_SFW_RULE_REJECT: 4 error-1: proto 6 (TCP) application: TELNET, ge-0/0/ :1453 -> :23, event-type rule-set: rule-set-1, rule: rule-1, term: term-1

13 | 9.X | Agile | JuniperJunOS | Connectivity | ASP_SFW_CREATE_DISCARD_FLOW | Denied
    Sample Log Message: <190>Jul 15 10:53:39 JuniperJunOS: asp[8265]: ASP_SFW_CREATE_DISCARD_FLOW: 4 error-1: proto 6 (TCP) application: TELNET, ge-0/0/ :1453 -> :23, event-type

Serial No. | Ver. | Agile Reports/Search | Title/Comments | Event Category | Event Type/TAG | Appears in Reports

14 | 9.X | Agile | JuniperJunOS | Connectivity | ASP_SFW_CREATE_REJECT_FLOW | Denied
    Sample Log Message: <190>Jul 15 10:54:39 JuniperJunOS: asp[8265]: ASP_SFW_CREATE_REJECT_FLOW: 4 error-1: proto 6 (TCP) application: TELNET, ge-0/0/ :1453 -> :23, event-type

15 | 9.X | Agile | JuniperJunOS | Connectivity | ASP_SFW_NO_RULE_DROP | Denied
    Sample Log Message: <190>Jul 15 10:55:39 JuniperJunOS: asp[8265]: ASP_SFW_NO_RULE_DROP: error-1: proto 6 (TCP), ge-0/0/ :1453 -> :23, event-type

16 | 9.X | Agile | JuniperJunOS | IDS | ASP_IDS_LIMIT_FLOW_RATE_BY_DEST |
    Sample Log Message: <190>Jul 15 09:25:39 JuniperJunOS: asp[8265]: ASP_IDS_LIMIT_FLOW_RATE_BY_DEST: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, limit flow rate by destination address

17 | 9.X | Agile | JuniperJunOS | IDS | ASP_IDS_LIMIT_FLOW_RATE_BY_PAIR |
    Sample Log Message: <190>Jul 15 09:26:39 JuniperJunOS: asp[8265]: ASP_IDS_LIMIT_FLOW_RATE_BY_PAIR: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, limit flow rate by pair

18 | 9.X | Agile | JuniperJunOS | IDS | ASP_IDS_LIMIT_FLOW_RATE_BY_SRC |
    Sample Log Message: <190>Jul 15 09:27:39 JuniperJunOS: asp[8265]: ASP_IDS_LIMIT_FLOW_RATE_BY_SRC: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, limit flow rate by source address

19 | 9.X | Agile | JuniperJunOS | IDS | ASP_IDS_LIMIT_OPEN_FLOWS_BY_DEST |
    Sample Log Message: <190>Jul 15 09:28:39 JuniperJunOS: asp[8265]: ASP_IDS_LIMIT_OPEN_FLOWS_BY_DEST: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, limit open flow rate by destination address

20 | 9.X | Agile | JuniperJunOS | IDS | ASP_IDS_LIMIT_OPEN_FLOWS_BY_PAIR |
    Sample Log Message: <190>Jul 15 09:29:39 JuniperJunOS: asp[8265]: ASP_IDS_LIMIT_OPEN_FLOWS_BY_PAIR: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, limit open flow rate by pair

21 | 9.X | Agile | JuniperJunOS | IDS | ASP_IDS_LIMIT_OPEN_FLOWS_BY_SRC |
    Sample Log Message: <190>Jul 15 09:30:39 JuniperJunOS: asp[8265]: ASP_IDS_LIMIT_OPEN_FLOWS_BY_SRC: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, limit open flow rate by source address

22 | 9.X | Agile | JuniperJunOS | IDS | ASP_IDS_LIMIT_PKT_RATE_BY_DEST |
    Sample Log Message: <190>Jul 15 09:31:39 JuniperJunOS: asp[8265]: ASP_IDS_LIMIT_PKT_RATE_BY_DEST: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, limit packet rate by destination address

23 | 9.X | Agile | JuniperJunOS | IDS | ASP_IDS_LIMIT_PKT_RATE_BY_PAIR |
    Sample Log Message: <190>Jul 15 09:32:39 JuniperJunOS: asp[8265]: ASP_IDS_LIMIT_PKT_RATE_BY_PAIR: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, limit packet rate by pair

24 | 9.X | Agile | JuniperJunOS | IDS | ASP_IDS_LIMIT_PKT_RATE_BY_SRC |
    Sample Log Message: <190>Jul 15 09:33:39 JuniperJunOS: asp[8265]: ASP_IDS_LIMIT_PKT_RATE_BY_SRC: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, limit packet rate by pair

25 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_APP_MSG_TOO_LONG |
    Sample Log Message: <190>Jul 15 10:55:39 JuniperJunOS: asp[8265]: ASP_SFW_APP_MSG_TOO_LONG: error-1: proto 6 (TCP), ge-0/0/ :1453 -> :23, event-type

26 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_ICMP_HEADER_LEN_ERROR |
    Sample Log Message: <190>Jul 15 09:35:39 JuniperJunOS: asp[8265]: ASP_SFW_ICMP_HEADER_LEN_ERROR: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, ICMP header length check failed

27 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_ICMP_ERROR_DROP |
    Sample Log Message: <190>Jul 15 09:34:39 JuniperJunOS: asp[8265]: ASP_SFW_ICMP_ERROR_DROP: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, limit packet rate by source address

28 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_ICMP_PACKET_ERROR_LENGTH |
    Sample Log Message: <190>Jul 15 09:36:39 JuniperJunOS: asp[8265]: ASP_SFW_ICMP_PACKET_ERROR_LENGTH: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, ICMP packet length greater than 64K

Serial No. | Ver. | Agile Reports/Search | Title/Comments | Event Category | Event Type/TAG | Appears in Reports

29 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_IP_FRAG_ASSEMBLY_TIMEOUT |
    Sample Log Message: <190>Jul 15 09:37:39 JuniperJunOS: asp[8265]: ASP_SFW_IP_FRAG_ASSEMBLY_TIMEOUT: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, IP fragment assembly timeout

30 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_IP_FRAG_OVERLAP |
    Sample Log Message: <190>Jul 15 10:47:39 JuniperJunOS: asp[8265]: ASP_SFW_CREATE_ACCEPT_FLOW: 6 error-1: proto 8 (ICMP) application: PING, ge-0/0/ :1453 -> :23, event-type nat-information

31 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_IP_OPTION_DROP_PACKET |
    Sample Log Message: <190>Jul 15 09:39:39 JuniperJunOS: asp[8265]: ASP_SFW_IP_OPTION_DROP_PACKET: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, SFW discard packet contains non-configured IP option types

32 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_IP_PACKET_CHECKSUM_ERROR |
    Sample Log Message: <190>Jul 15 09:40:39 JuniperJunOS: asp[8265]: ASP_SFW_IP_PACKET_CHECKSUM_ERROR: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, IP packet with checksum error

33 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_IP_PACKET_DST_BAD |
    Sample Log Message: <190>Jul 15 09:41:39 JuniperJunOS: asp[8265]: ASP_SFW_IP_PACKET_DST_BAD: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, IP packet with broadcast destination address

34 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_IP_PACKET_FRAG_LEN_INV |
    Sample Log Message: <190>Jul 15 09:42:39 JuniperJunOS: asp[8265]: ASP_SFW_IP_PACKET_FRAG_LEN_INV: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, IP fragment length error

35 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_IP_PACKET_INCORRECT_LEN |
    Sample Log Message: <190>Jul 15 09:43:39 JuniperJunOS: asp[8265]: ASP_SFW_IP_PACKET_INCORRECT_LEN: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, IP packet with incorrect length

36 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_IP_PACKET_LAND_ATTACK |
    Sample Log Message: <190>Jul 15 09:44:39 JuniperJunOS: asp[8265]: ASP_SFW_IP_PACKET_LAND_ATTACK: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, Land attack

37 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_IP_PACKET_NOT_VERSION_4 |
    Sample Log Message: <190>Jul 15 09:45:39 JuniperJunOS: asp[8265]: ASP_SFW_IP_PACKET_NOT_VERSION_4: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, IP packet with version other than 4

38 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_IP_PACKET_SRC_BAD |
    Sample Log Message: <190>Jul 15 09:47:39 JuniperJunOS: asp[8265]: ASP_SFW_IP_PACKET_SRC_BAD: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, Illegal source address

39 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_IP_PACKET_PROTOCOL_ERROR |
    Sample Log Message: <190>Jul 15 09:46:39 JuniperJunOS: asp[8265]: ASP_SFW_IP_PACKET_PROTOCOL_ERROR: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, IP protocol number 0 or 255

40 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_IP_PACKET_TOO_LONG |
    Sample Log Message: <190>Jul 15 09:48:39 JuniperJunOS: asp[8265]: ASP_SFW_IP_PACKET_TOO_LONG: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, IP packet length greater than 64K

41 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_IP_PACKET_TOO_SHORT |
    Sample Log Message: <190>Jul 15 09:49:39 JuniperJunOS: asp[8265]: ASP_SFW_IP_PACKET_TOO_SHORT: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, IP packet too short

42 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_IP_PACKET_TTL_ERROR |
    Sample Log Message: <190>Jul 15 09:50:39 JuniperJunOS: asp[8265]: ASP_SFW_IP_PACKET_TTL_ERROR: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, IP packet with TTL equal to 0

43 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_PING_DUPLICATED_SEQNO |
    Sample Log Message: <190>Jul 15 09:51:39 JuniperJunOS: asp[8265]: ASP_SFW_PING_DUPLICATED_SEQNO: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, ICMP echo request dropped, because sequence number duplicated

Serial No. | Ver. | Agile Reports/Search | Title/Comments | Event Category | Event Type/TAG | Appears in Reports

44 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_PING_MISMATCHED_SEQNO |
    Sample Log Message: <190>Jul 15 09:52:39 JuniperJunOS: asp[8265]: ASP_SFW_PING_MISMATCHED_SEQNO: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, ICMP echo reply dropped. No matching sequence number

45 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_PING_OUTOF_SEQNO_CACHE |
    Sample Log Message: <190>Jul 15 09:53:39 JuniperJunOS: asp[8265]: ASP_SFW_PING_OUTOF_SEQNO_CACHE: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, ICMP echo request dropped. Too many echo requests without echo reply

46 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_SYN_DEFENSE |
    Sample Log Message: <190>Jul 15 09:54:39 JuniperJunOS: asp[8265]: ASP_SFW_SYN_DEFENSE: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, ICMP echo request dropped. Too many echo requests without echo reply

47 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_TCP_BAD_SYN_COOKIE_RESP |
    Sample Log Message: <190>Jul 15 09:55:39 JuniperJunOS: asp[8265]: ASP_SFW_TCP_BAD_SYN_COOKIE_RESP: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, ICMP echo request dropped. Too many echo requests without echo reply

48 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_TCP_FLAGS_ERROR |
    Sample Log Message: <190>Jul 15 09:56:39 JuniperJunOS: asp[8265]: ASP_SFW_TCP_FLAGS_ERROR: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, TCP FIN/RST or SYN/(URG FIN RST) flags set

49 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_TCP_NON_SYN_FIRST_PACKET |
    Sample Log Message: <190>Jul 15 09:58:39 JuniperJunOS: asp[8265]: ASP_SFW_TCP_NON_SYN_FIRST_PACKET: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, First packet of TCP session not SYN

50 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_TCP_HEADER_LEN_ERROR |
    Sample Log Message: <190>Jul 15 09:57:39 JuniperJunOS: asp[8265]: ASP_SFW_TCP_HEADER_LEN_ERROR: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, TCP header length check failed

51 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_TCP_PORT_ZERO |
    Sample Log Message: <190>Jul 15 09:59:39 JuniperJunOS: asp[8265]: ASP_SFW_TCP_PORT_ZERO: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :0, TCP source or destination port zero

52 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_TCP_RECONSTRUCT_DROP |
    Sample Log Message: <190>Jul 15 10:00:39 JuniperJunOS: asp[8265]: ASP_SFW_TCP_RECONSTRUCT_DROP: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345,

53 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_TCP_SEQNO_AND_FLAGS_ZERO |
    Sample Log Message: <190>Jul 15 10:02:39 JuniperJunOS: asp[8265]: ASP_SFW_TCP_SEQNO_AND_FLAGS_ZERO: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, TCP seq number zero and no flags set

54 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_TCP_SEQNO_ZERO_FLAGS_SET |
    Sample Log Message: <190>Jul 15 10:03:39 JuniperJunOS: asp[8265]: ASP_SFW_TCP_SEQNO_ZERO_FLAGS_SET: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, TCP seq number zero and FIN/PSH/RST flags set

55 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_UDP_HEADER_LEN_ERROR |
    Sample Log Message: <190>Jul 15 10:03:39 JuniperJunOS: asp[8265]: ASP_SFW_TCP_SEQNO_ZERO_FLAGS_SET: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, TCP seq number zero and FIN/PSH/RST flags set

56 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_UDP_PORT_ZERO |
    Sample Log Message: <190>Jul 15 10:05:39 JuniperJunOS: asp[8265]: ASP_SFW_UDP_PORT_ZERO: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :0, UDP source or destination port zero

57 | 9.X | Agile | JuniperJunOS | IDS | ASP_SFW_VERY_BAD_PACKET |
    Sample Log Message: <190>Jul 15 10:07:39 JuniperJunOS: asp[8265]: ASP_SFW_VERY_BAD_PACKET: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345,

58 | 9.X | Agile | JuniperJunOS | IDS | ASP_IDS_TCP_SYN_ATTACK |
    Sample Log Message: <190>Jul 15 10:09:39 JuniperJunOS: asp[8265]: ASP_IDS_TCP_SYN_ATTACK: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, TCP SYN flood attack

22 Serial No. Ver. Agile Reports/ Search Title/ Comments Event Category Event Type/TAG 59 9.X Agile JuniperJunOS IDS ASP_SFW_TCP_SCAN 60 9.X Agile JuniperJunOS IDS ASP_SFW_UDP_SCAN 61 9.X Agile JuniperJunOS IDS ASP_SFW_NO_IP_PAC KET 62 9.X Agile JuniperJunOS IPS RT_SCREEN_ICMP 63 9.X Agile JuniperJunOS IPS RT_SCREEN_ICMP_FL OOD 64 9.X Agile JuniperJunOS IPS RT_SCREEN_ICMP_FR AG 65 9.X Agile JuniperJunOS IPS RT_SCREEN_ICMP_ID 66 9.X Agile JuniperJunOS IPS RT_SCREEN_ICMP_LA RGE 67 9.X Agile JuniperJunOS IPS RT_SCREEN_ICMP_LA RGE 68 9.X Agile JuniperJunOS IPS RT_SCREEN_IP 69 9.X Agile JuniperJunOS IPS RT_SCREEN_IP_BAD_O PT 70 9.X Agile JuniperJunOS IPS RT_SCREEN_IP_FRAG 71 9.X Agile JuniperJunOS IPS RT_SCREEN_IP_LAND 72 9.X Agile JuniperJunOS IPS RT_SCREEN_IP_OPT_F ILTER_ROUTE 73 9.X Agile JuniperJunOS IPS RT_SCREEN_IP_OPT_L SR 74 9.X Agile JuniperJunOS IPS RT_SCREEN_IP_OPT_R ECORD Appears in Reports Sample Log Message <190>Jul 15 10:01:39 JuniperJunOS: asp[8265]: ASP_SFW_TCP_SCAN: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, TCP port scan (port not in LISTEN state) <190>Jul 15 10:06:39 JuniperJunOS: asp[8265]: ASP_SFW_UDP_SCAN: asp 3: proto 6 (TCP), ge-0/0/ :80 -> :2345, UDP port scan (port not in LISTEN state) <190>Jul 15 10:08:39 JuniperJunOS: asp[8265]: ASP_SFW_NO_IP_PACKET: asp 3: proto 6 (TCP), ge-0/ 0/ :80 -> :2345, Non-IP packets <190>Jul 15 10:13:39 JuniperJunOS: rt[8265]: RT_SCREEN_ICMP: attack source: , destination: , zone name: internal, interface <190>Jul 15 10:18:39 JuniperJunOS: rt[8265]: RT_SCREEN_ICMP_FLOOD: source: , <190>Jul 15 10:19:39 JuniperJunOS: rt[8265]: RT_SCREEN_ICMP_FRAG: source: , <190>Jul 15 10:20:39 JuniperJunOS: rt[8265]: RT_SCREEN_ICMP_ID: source: , <190>Jul 15 10:21:39 JuniperJunOS: rt[8265]: RT_SCREEN_ICMP_LARGE: source: , <190>Jul 15 10:22:39 JuniperJunOS: rt[8265]: RT_SCREEN_ICMP_PING_DEATH: source: , destination: , zone name: external, interface <190>Jul 15 10:12:39 JuniperJunOS: rt[8265]: RT_SCREEN_IP: attack source: , 
destination: , protocol-id: 6, zone name: internal, interface <190>Jul 15 10:23:39 JuniperJunOS: rt[8265]: RT_SCREEN_IP_BAD_OPT: source: , <190>Jul 15 10:24:39 JuniperJunOS: rt[8265]: RT_SCREEN_IP_FRAG: source: , <190>Jul 15 10:25:39 JuniperJunOS: rt[8265]: RT_SCREEN_IP_LAND: source: , <190>Jul 15 10:26:39 JuniperJunOS: rt[8265]: RT_SCREEN_IP_OPT_FILTER_ROUTE: source: , destination: , zone name: external, interface <190>Jul 15 10:27:39 JuniperJunOS: rt[8265]: RT_SCREEN_IP_OPT_LSR: source: , <190>Jul 15 10:28:39 JuniperJunOS: rt[8265]: RT_SCREEN_IP_OPT_RECORD: source: , destination: , zone name: external, interface 22 JunOS Log Configuration Guide

23 Serial No. Ver. Agile Reports/ Search Title/ Comments Event Category Event Type/TAG 75 9.X Agile JuniperJunOS IPS RT_SCREEN_IP_OPT_S CHT 76 9.X Agile JuniperJunOS IPS RT_SCREEN_IP_OPT_S SR 77 9.X Agile JuniperJunOS IPS RT_SCREEN_IP_OPT_S TREAM 78 9.X Agile JuniperJunOS IPS RT_SCREEN_IP_OPT_T IMESTAMP 79 9.X Agile JuniperJunOS IPS RT_SCREEN_IP_SPOO FING 80 9.X Agile JuniperJunOS IPS RT_SCREEN_IP_SWEE P 81 9.X Agile JuniperJunOS IPS RT_SCREEN_IP_UNKN OWN_PROT 82 9.X Agile JuniperJunOS IPS RT_SCREEN_MAL_URL 83 9.X Agile JuniperJunOS IPS RT_SCREEN_OVER_SE SSION_DST 84 9.X Agile JuniperJunOS IPS RT_SCREEN_OVER_SE SSION_SRC 85 9.X Agile JuniperJunOS IPS RT_SCREEN_PORT_SC AN 86 9.X Agile JuniperJunOS IPS RT_SCREEN_SYN_ACK _ACK 87 9.X Agile JuniperJunOS IPS RT_SCREEN_TCP 88 9.X Agile JuniperJunOS IPS RT_SCREEN_TCP_DST _IP 89 9.X Agile JuniperJunOS IPS RT_SCREEN_TCP_FIN_ NO_ACK 90 9.X Agile JuniperJunOS IPS RT_SCREEN_TCP_FRA G Appears in Reports Sample Log Message <190>Jul 15 10:29:39 JuniperJunOS: rt[8265]: RT_SCREEN_IP_OPT_SCHT: source: , <190>Jul 15 10:30:39 JuniperJunOS: rt[8265]: RT_SCREEN_IP_OPT_SSR: source: , <190>Jul 15 10:31:39 JuniperJunOS: rt[8265]: RT_SCREEN_IP_OPT_STREAM: source: , destination: , zone name: external, interface <190>Jul 15 10:32:39 JuniperJunOS: rt[8265]: RT_SCREEN_IP_OPT_TIMESTAMP: source: , destination: , zone name: external, interface <190>Jul 15 10:33:39 JuniperJunOS: rt[8265]: RT_SCREEN_IP_SPOOFING: source: , <190>Jul 15 10:34:39 JuniperJunOS: rt[8265]: RT_SCREEN_IP_SWEEP: source: , <190>Jul 15 10:17:39 JuniperJunOS: rt[8265]: RT_SCREEN_IP_UNKNOWN_PROT: source: , destination: , protocol-id: 6 zone name: external, interface <190>Jul 15 10:16:39 JuniperJunOS: rt[8265]: RT_SCREEN_MAL_URL: source: :443, destination: :2346, protocol-id: 6 zone name: external, interface <190>Jul 15 10:35:39 JuniperJunOS: rt[8265]: RT_SCREEN_OVER_SESSION_DST: source: , destination: , zone name: external, interface <190>Jul 15 10:36:39 JuniperJunOS: rt[8265]: 
RT_SCREEN_OVER_SESSION_SRC: source: , destination: , zone name: external, interface <190>Jul 15 10:37:39 JuniperJunOS: rt[8265]: RT_SCREEN_PORT_SCAN: source: , <190>Jul 15 10:41:39 JuniperJunOS: rt[8265]: RT_SCREEN_SYN_ACK_ACK: source: :2345, destination: :80, zone name: external, interface <190>Jul 15 10:14:39 JuniperJunOS: rt[8265]: RT_SCREEN_TCP: attack source: :80, destination: :3546, zone name: internal, interface <190>Jul 15 10:47:39 JuniperJunOS: asp[8265]: ASP_SFW_CREATE_ACCEPT_FLOW: 6 error-1: proto 8 (ICMP) application: PING, ge-0/0/ :1453 -> :23, event-type nat-information <190>Jul 15 10:42:39 JuniperJunOS: rt[8265]: RT_SCREEN_TCP_FIN_NO_ACK: source: :2345, destination: :80, zone name: external, interface <190>Jul 15 10:43:39 JuniperJunOS: rt[8265]: RT_SCREEN_TCP_FRAG: source: :2345, destination: :80, zone name: external, interface JunOS Log Configuration Guide 23

24 Serial No. Ver. Agile Reports/ Search Title/ Comments Event Category Event Type/TAG 91 9.X Agile JuniperJunOS IPS RT_SCREEN_TCP_NO_ FLAG 92 9.X Agile JuniperJunOS IPS RT_SCREEN_TCP_SRC _IP 93 9.X Agile JuniperJunOS IPS RT_SCREEN_TCP_SYN _FIN 94 9.X Agile JuniperJunOS IPS RT_SCREEN_TCP_SYN _FLOOD 95 9.X Agile JuniperJunOS IPS RT_SCREEN_TEAR_DR OP 96 9.X Agile JuniperJunOS IPS RT_SCREEN_UDP 97 9.X Agile JuniperJunOS IPS RT_SCREEN_UDP_FLO OD 98 9.X Agile JuniperJunOS IPS RT_SCREEN_WINNUKE 99 9.X Agile JuniperJunOS Authentication FWAUTH_FTP_LONG_P ASSWORD X Agile JuniperJunOS Authentication FWAUTH_FTP_LONG_U SERNAME X Agile JuniperJunOS Authentication FWAUTH_FTP_USER_A UTH_ACCEPTED X Agile JuniperJunOS Authentication FWAUTH_FTP_USER_A UTH_FAIL X Agile JuniperJunOS Authentication FWAUTH_HTTP_USER_ AUTH_ACCEPTED X Agile JuniperJunOS Authentication FWAUTH_HTTP_USER_ AUTH_FAIL Appears in Reports Sample Log Message <190>Jul 15 10:44:39 JuniperJunOS: rt[8265]: RT_SCREEN_TCP_NO_FLAG: source: :2345, destination: :80, zone name: external, interface <190>Jul 15 10:11:39 JuniperJunOS: rt[8265]: RT_SCREEN_TCP_SRC_IP: attack source: , zone name: external, interface name: ge-0/0/2.0 <190>Jul 15 10:45:39 JuniperJunOS: rt[8265]: RT_SCREEN_TCP_SYN_FIN: source: :2345, destination: :80, zone name: external, interface <190>Jul 15 10:46:39 JuniperJunOS: rt[8265]: RT_SCREEN_TCP_SYN_FLOOD: source: :2345, destination: :80, zone name: external, interface <190>Jul 15 10:38:39 JuniperJunOS: rt[8265]: RT_SCREEN_TEAR_DROP: source: , <190>Jul 15 10:15:39 JuniperJunOS: rt[8265]: RT_SCREEN_UDP: attack source: :443, destination: :2346, zone name: external, interface <190>Jul 15 10:39:39 JuniperJunOS: rt[8265]: RT_SCREEN_UDP_FLOOD: source: , <190>Jul 15 10:40:39 JuniperJunOS: rt[8265]: RT_SCREEN_WINNUKE: source: , <190>Jun 15 02:39:39 JuniperJunOS: mgd[8265]: FWAUTH_FTP_LONG_PASSWORD: Authentication for user 'tsmith' at ' ' was denied (long password). 
<190>Jun 15 02:40:39 JuniperJunOS: mgd[8265]: FWAUTH_FTP_LONG_USERNAME: Authentication for user 'tsmithtsmithtsmithtsmithtsmithtsmithtsmithtsmithtsmithts mithtsmithtsmith' at ' ' was denied (long username). <190>Jun 15 02:41:39 JuniperJunOS: mgd[8265]: FWAUTH_FTP_USER_AUTH_ACCEPTED: 'tsmith' at ' ' is accepted. <190>Jun 15 02:42:39 JuniperJunOS: mgd[8265]: FWAUTH_FTP_USER_AUTH_FAIL: 'tsmith' at ' ' is rejected. <190>Jun 15 02:43:39 JuniperJunOS: mgd[8265]: FWAUTH_HTTP_USER_AUTH_ACCEPTED: 'tsmith' at ' ' is accepted. <190>Jun 15 02:44:39 JuniperJunOS: mgd[8265]: FWAUTH_HTTP_USER_AUTH_FAIL: 'tsmith' at ' ' is rejected. 24 JunOS Log Configuration Guide

25 Serial No. Ver. Agile Reports/ Search Title/ Comments Event Category Event Type/TAG X Agile JuniperJunOS Authentication FWAUTH_TELNET_LON G_PASSWORD X Agile JuniperJunOS Authentication FWAUTH_TELNET_LON G_USERNAME X Agile JuniperJunOS Authentication FWAUTH_TELNET_USE R_AUTH_ACCEPTED X Agile JuniperJunOS Authentication FWAUTH_TELNET_USE R_AUTH_FAIL X Agile JuniperJunOS Authentication FWAUTH_WEBAUTH_F AIL X Agile JuniperJunOS Authentication FWAUTH_WEBAUTH_S UCCESS X Agile JuniperJunOS Authentication JADE_AUTH_FAILURE X Agile JuniperJunOS Authentication JADE_AUTH_SUCCESS X Agile JuniperJunOS Authentication LOGIN_FAILED X Agile JuniperJunOS Authentication LOGIN_FAILED_SET_C ONTEXT X Agile JuniperJunOS Authentication LOGIN_PAM_AUTHENTI CATION_ERROR X Agile JuniperJunOS Authentication LOGIN_LOCAL_PASSW ORD Appears in Reports Sample Log Message <190>Jun 15 02:47:39 JuniperJunOS: mgd[8265]: FWAUTH_TELNET_LONG_PASSWORD: Authentication for user 'tsmith' at ' ' was denied (long password). <190>Jun 15 02:48:39 JuniperJunOS: mgd[8265]: FWAUTH_TELNET_LONG_USERNAME: Authentication for user 'tsmithtsmithtsmithtsmithtsmithtsmithtsmithtsmithtsmithts mithtsmithtsmith' at ' ' was denied (long username). <190>Jun 15 02:45:39 JuniperJunOS: mgd[8265]: FWAUTH_TELNET_USER_AUTH_ACCEPTED: 'tsmith' at ' ' is accepted. <190>Jun 15 02:46:39 JuniperJunOS: mgd[8265]: FWAUTH_TELNET_USER_AUTH_FAIL: 'tsmith' at ' ' is rejected. <190>Jun 15 02:49:39 JuniperJunOS: mgd[8265]: FWAUTH_WEBAUTH_FAIL: WebAuth user 'tsmith' at ' ' is rejected/timed out. <190>Jun 15 02:50:39 JuniperJunOS: mgd[8265]: FWAUTH_WEBAUTH_SUCCESS: WebAuth user 'tsmith' at ' ' is accepted. 
<190>Jun 15 02:51:39 JuniperJunOS: jade[8265]: JADE_AUTH_FAILURE: Authentication failed for user 'tsmith' : error-message <190>Jun 15 02:52:39 JuniperJunOS: jade[8265]: JADE_AUTH_SUCCESS: Authentication succeded for user 'tsmith' <190>Jun 15 02:53:39 JuniperJunOS: login[8265]: LOGIN_FAILED: Login failed for user 'tsmith' from host ' ' <190>Jun 15 02:54:39 JuniperJunOS: login[8265]: LOGIN_FAILED_SET_CONTEXT: Failed to set context for user 'tsmith' <190>Jun 15 02:58:39 JuniperJunOS: login[8265]: LOGIN_PAM_AUTHENTICATION_ERROR: PAM authentication error for user 'tsmith' <190>Jun 15 02:57:39 JuniperJunOS: login[8265]: LOGIN_LOCAL_PASSWORD: Requested local password from user 'tsmith' JunOS Log Configuration Guide 25

26 Serial No. Ver. Agile Reports/ Search Title/ Comments Event Category Event Type/TAG X Agile JuniperJunOS Authentication LOGIN_FAILED_SET_LO GIN X Agile JuniperJunOS Authentication LOGIN_INFORMATION X Agile JuniperJunOS Authentication LOGIN_ROOT X Agile JuniperJunOS Authentication LOGIN_PAM_USER_UN KNOWN X Agile JuniperJunOS Authentication LOGIN_REFUSED X Agile JuniperJunOS Authentication WEB_AUTH_FAIL X Agile JuniperJunOS Authentication WEB_AUTH_SUCCESS X Agile JuniperJunOS Authentication WEB_WEBAUTH_AUTH _FAIL X Agile JuniperJunOS Authentication WEB_WEBAUTH_AUTH _OK Appears in Reports X Agile JuniperJunOS Authentication FSAD_NOT_ROOT X Agile JuniperJunOS Authentication JSRPD_NOT_ROOT X Agile JuniperJunOS Authentication SPD_NOT_ROOT Sample Log Message <190>Jun 15 02:55:39 JuniperJunOS: login[8265]: LOGIN_FAILED_SET_LOGIN: Failed to set login ID for user 'tsmith': error-message <190>Jun 15 02:56:39 JuniperJunOS: login[8265]: LOGIN_INFORMATION: 'tsmith' logged in from host ' ' on device 'tty-name' <190>Jun 15 03:01:39 JuniperJunOS: login[8265]: LOGIN_ROOT: 'tsmith' logged in as root from host ' ' on device 'tty-name' <190>Jun 15 02:59:39 JuniperJunOS: login[8265]: LOGIN_PAM_USER_UNKNOWN: Attempt to authenticate unknown user 'tsmith' <190>Jun 15 03:00:39 JuniperJunOS: login[8265]: LOGIN_REFUSED: Login of user 'tsmith' from host ' ' on device 'tty-name' was refused: reason <37>Jul 22 02:41:48 JuniperJunOS: checklogin[19369]: WEB_AUTH_FAIL: Unable to authenticate httpd client (username baduser) <37>Jul 22 06:30:36 JuniperJunOS: checklogin[19474]: WEB_AUTH_SUCCESS: Authenticated httpd client (username root) <190>Jun 15 03:02:39 JuniperJunOS: httpd[8265]: WEB_WEBAUTH_AUTH_FAIL: Web-authentication of user 'tsmith' with fwauthd failed <190>Jun 15 03:03:39 JuniperJunOS: httpd[8265]: WEB_WEBAUTH_AUTH_OK: Web-authentication of user 'tsmith' with fwauthd successful <190>Jun 15 03:04:39 JuniperJunOS: fsad[8265]: FSAD_NOT_ROOT: Must be run as root <190>Jun 15 03:06:39 
JuniperJunOS: jsrpd[8265]: JSRPD_NOT_ROOT: Must be run as root <190>Jun 15 03:07:39 JuniperJunOS: spd[8265]: SPD_NOT_ROOT: Must be run as root 26 JunOS Log Configuration Guide


More information

Biznet GIO Cloud Connecting VM via Windows Remote Desktop

Biznet GIO Cloud Connecting VM via Windows Remote Desktop Biznet GIO Cloud Connecting VM via Windows Remote Desktop Introduction Connecting to your newly created Windows Virtual Machine (VM) via the Windows Remote Desktop client is easy but you will need to make

More information

IBM Security QRadar Version 7.1.0 (MR1) WinCollect User Guide

IBM Security QRadar Version 7.1.0 (MR1) WinCollect User Guide IBM Security QRadar Version 7.1.0 (MR1) WinCollect User Guide Note: Before using this information and the product that it supports, read the information in Notices and Trademarks on page 59. Copyright

More information

HP IMC User Behavior Auditor

HP IMC User Behavior Auditor HP IMC User Behavior Auditor Administrator Guide Abstract This guide describes the User Behavior Auditor (UBA), an add-on service module of the HP Intelligent Management Center. UBA is designed for IMC

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

1.6 HOW-TO GUIDELINES

1.6 HOW-TO GUIDELINES Version 1.6 HOW-TO GUIDELINES Setting Up a RADIUS Server Stonesoft Corp. Itälahdenkatu 22A, FIN-00210 Helsinki Finland Tel. +358 (9) 4767 11 Fax. +358 (9) 4767 1234 email: info@stonesoft.com Copyright

More information

HP A-IMC Firewall Manager

HP A-IMC Firewall Manager HP A-IMC Firewall Manager Configuration Guide Part number: 5998-2267 Document version: 6PW101-20110805 Legal and notice information Copyright 2011 Hewlett-Packard Development Company, L.P. No part of this

More information

Parallels Plesk Panel

Parallels Plesk Panel Parallels Plesk Panel Copyright Notice ISBN: N/A Parallels 660 SW 39th Street Suite 205 Renton, Washington 98057 USA Phone: +1 (425) 282 6400 Fax: +1 (425) 282 6444 Copyright 1999-2009, Parallels, Inc.

More information

PIX/ASA: Allow Remote Desktop Protocol Connection through the Security Appliance Configuration Example

PIX/ASA: Allow Remote Desktop Protocol Connection through the Security Appliance Configuration Example PIX/ASA: Allow Remote Desktop Protocol Connection through the Security Appliance Configuration Example Document ID: 77869 Contents Introduction Prerequisites Requirements Components Used Related Products

More information

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner

More information

RSA Authentication Manager

RSA Authentication Manager McAfee Enterprise Security Manager Data Source Configuration Guide Data Source: RSA Authentication Manager February 26, 2015 RSA Authentication Manager Page 1 of 9 Important Note: The information contained

More information

Adeptia Suite 6.2. Application Services Guide. Release Date October 16, 2014

Adeptia Suite 6.2. Application Services Guide. Release Date October 16, 2014 Adeptia Suite 6.2 Application Services Guide Release Date October 16, 2014 343 West Erie, Suite 440 Chicago, IL 60654, USA Phone: (312) 229-1727 x111 Fax: (312) 229-1736 Document Information DOCUMENT INFORMATION

More information

axsguard Gatekeeper Internet Redundancy How To v1.2

axsguard Gatekeeper Internet Redundancy How To v1.2 axsguard Gatekeeper Internet Redundancy How To v1.2 axsguard Gatekeeper Internet Redundancy How To v1.2 Legal Notice VASCO Products VASCO data Security, Inc. and/or VASCO data Security International GmbH

More information

BlackShield ID Agent for Remote Web Workplace

BlackShield ID Agent for Remote Web Workplace Agent for Remote Web Workplace 2010 CRYPTOCard Corp. All rights reserved. http:// www.cryptocard.com Copyright Copyright 2010, CRYPTOCard All Rights Reserved. No part of this publication may be reproduced,

More information

Using DC Agent for Transparent User Identification

Using DC Agent for Transparent User Identification Using DC Agent for Transparent User Identification Using DC Agent Web Security Solutions v7.7, 7.8 If your organization uses Microsoft Windows Active Directory, you can use Websense DC Agent to identify

More information

Interworks. Interworks Cloud Platform Installation Guide

Interworks. Interworks Cloud Platform Installation Guide Interworks Interworks Cloud Platform Installation Guide Published: March, 2014 This document contains information proprietary to Interworks and its receipt or possession does not convey any rights to reproduce,

More information

Firewalls. Chapter 3

Firewalls. Chapter 3 Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border

More information

Chapter 9 Monitoring System Performance

Chapter 9 Monitoring System Performance Chapter 9 Monitoring System Performance This chapter describes the full set of system monitoring features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. You can be alerted to important

More information

Web Application Firewall

Web Application Firewall Web Application Firewall Getting Started Guide August 3, 2015 Copyright 2014-2015 by Qualys, Inc. All Rights Reserved. Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks

More information

Sample Configuration Using the ip nat outside source static

Sample Configuration Using the ip nat outside source static Sample Configuration Using the ip nat outside source static Table of Contents Sample Configuration Using the ip nat outside source static Command...1 Introduction...1 Before You Begin...1 Conventions...1

More information

GlobalSCAPE DMZ Gateway, v1. User Guide

GlobalSCAPE DMZ Gateway, v1. User Guide GlobalSCAPE DMZ Gateway, v1 User Guide GlobalSCAPE, Inc. (GSB) Address: 4500 Lockhill-Selma Road, Suite 150 San Antonio, TX (USA) 78249 Sales: (210) 308-8267 Sales (Toll Free): (800) 290-5054 Technical

More information

Internet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering

Internet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering Internet Firewall CSIS 3230 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 8.8: Packet filtering, firewalls, intrusion detection Ch

More information

Network Scanner Tool R3.1. User s Guide Version 3.0.04

Network Scanner Tool R3.1. User s Guide Version 3.0.04 Network Scanner Tool R3.1 User s Guide Version 3.0.04 Copyright 2000-2004 by Sharp Corporation. All rights reserved. Reproduction, adaptation or translation without prior written permission is prohibited,

More information

User Identification and Authentication

User Identification and Authentication User Identification and Authentication Vital Security 9.2 Copyright Copyright 1996-2008. Finjan Software Inc.and its affiliates and subsidiaries ( Finjan ). All rights reserved. All text and figures included

More information

Chapter 6 Virtual Private Networking Using SSL Connections

Chapter 6 Virtual Private Networking Using SSL Connections Chapter 6 Virtual Private Networking Using SSL Connections The FVS336G ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN provides a hardwarebased SSL VPN solution designed specifically to provide

More information

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1 Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1 This document supports the version of each product listed and supports all subsequent versions until the document

More information

Patented hosting technology protected by U.S.Patents 7,0909,948; 7,076,633. Patents pending in the U.S.

Patented hosting technology protected by U.S.Patents 7,0909,948; 7,076,633. Patents pending in the U.S. Copyright Notice ISBN: N/A SWsoft. 13755 Sunrise Valley Drive Suite 600 Herndon VA 20171 USA Phone: +1 (703) 815 5670 Fax: +1 (703) 815 5675 Copyright 1999-2007, SWsoft Holdings, Ltd. All rights reserved

More information

Citrix Access Gateway Plug-in for Windows User Guide

Citrix Access Gateway Plug-in for Windows User Guide Citrix Access Gateway Plug-in for Windows User Guide Access Gateway 9.2, Enterprise Edition Copyright and Trademark Notice Use of the product documented in this guide is subject to your prior acceptance

More information

Understanding Slow Start

Understanding Slow Start Chapter 1 Load Balancing 57 Understanding Slow Start When you configure a NetScaler to use a metric-based LB method such as Least Connections, Least Response Time, Least Bandwidth, Least Packets, or Custom

More information

RMCS Installation Guide

RMCS Installation Guide RESTRICTED RIGHTS Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (C)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS

More information

10 Configuring Packet Filtering and Routing Rules

10 Configuring Packet Filtering and Routing Rules Blind Folio 10:1 10 Configuring Packet Filtering and Routing Rules CERTIFICATION OBJECTIVES 10.01 Understanding Packet Filtering and Routing 10.02 Creating and Managing Packet Filtering 10.03 Configuring

More information

Appendix D: Configuring Firewalls and Network Address Translation

Appendix D: Configuring Firewalls and Network Address Translation Appendix D: Configuring Firewalls and Network Address Translation The configuration information in this appendix will help the network administrator plan and configure the network architecture for Everserve.

More information

IBM Security QRadar SIEM Version 7.1.0 MR1. Log Sources User Guide

IBM Security QRadar SIEM Version 7.1.0 MR1. Log Sources User Guide IBM Security QRadar SIEM Version 7.1.0 MR1 Log Sources User Guide Note: Before using this information and the product that it supports, read the information in Notices and Trademarks on page 108. Copyright

More information

SuperLumin Nemesis. Administration Guide. February 2011

SuperLumin Nemesis. Administration Guide. February 2011 SuperLumin Nemesis Administration Guide February 2011 SuperLumin Nemesis Legal Notices Information contained in this document is believed to be accurate and reliable. However, SuperLumin assumes no responsibility

More information

Freshservice Discovery Probe User Guide

Freshservice Discovery Probe User Guide Freshservice Discovery Probe User Guide 1. What is Freshservice Discovery Probe? 1.1 What details does Probe fetch? 1.2 How does Probe fetch the information? 2. What are the minimum system requirements

More information

Guideline for setting up a functional VPN

Guideline for setting up a functional VPN Guideline for setting up a functional VPN Why do I want a VPN? VPN by definition creates a private, trusted network across an untrusted medium. It allows you to connect offices and people from around the

More information

ARUBA WIRELESS AND CLEARPASS 6 INTEGRATION GUIDE. Technical Note

ARUBA WIRELESS AND CLEARPASS 6 INTEGRATION GUIDE. Technical Note ARUBA WIRELESS AND CLEARPASS 6 INTEGRATION GUIDE Technical Note Copyright 2013 Aruba Networks, Inc. Aruba Networks trademarks include, Aruba Networks, Aruba Wireless Networks, the registered Aruba the

More information

WEBROOT EMAIL ARCHIVING SERVICE. Getting Started Guide North America. The best security in an unsecured world. TM

WEBROOT EMAIL ARCHIVING SERVICE. Getting Started Guide North America. The best security in an unsecured world. TM WEBROOT EMAIL ARCHIVING SERVICE Getting Started Guide North America Webroot Software, Inc. World Headquarters 2560 55th Street Boulder CO 80301 USA www.webroot.com 800.870.8102 Table of Contents Create

More information

VPNC Interoperability Profile

VPNC Interoperability Profile StoneGate Firewall/VPN 4.2 and StoneGate Management Center 4.2 VPNC Interoperability Profile For VPN Consortium Example Scenario 1 Introduction This document describes how to configure a StoneGate Firewall/VPN

More information

SonicOS 5.9 One Touch Configuration Guide

SonicOS 5.9 One Touch Configuration Guide SonicOS 5.9 One Touch Configuration Guide 1 Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION: A CAUTION indicates potential

More information

Procedure: You can find the problem sheet on Drive D: of the lab PCs. 1. IP address for this host computer 2. Subnet mask 3. Default gateway address

Procedure: You can find the problem sheet on Drive D: of the lab PCs. 1. IP address for this host computer 2. Subnet mask 3. Default gateway address Objectives University of Jordan Faculty of Engineering & Technology Computer Engineering Department Computer Networks Laboratory 907528 Lab.4 Basic Network Operation and Troubleshooting 1. To become familiar

More information

Configuring Failover

Configuring Failover Configuring Failover 2015 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property of their respective

More information

There are numerous ways to access monitors:

There are numerous ways to access monitors: Remote Monitors REMOTE MONITORS... 1 Overview... 1 Accessing Monitors... 1 Creating Monitors... 2 Monitor Wizard Options... 11 Editing the Monitor Configuration... 14 Status... 15 Location... 17 Alerting...

More information