Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Events and Logs Overview


Use the Events and Logs page to get an overall, high‐level view of your network environment. You can view abnormal events, attacks, viruses, or worms when log data is correlated and analyzed.

This page provides administrators with an advanced filtering mechanism and provides visibility into actual events collected by the Log Collector. Using the time-frame slider, you can instantly focus on areas of unusual activity by dragging the time slider to the area of interest to you. The slider and the Custom button under Time Range remain at the top of each tab. Users select the time range, and then they can decide how to view the data, using the summary view or detail view tabs.

By default, you can view data for all the devices. To view data for a specific device, click on the link beside Devices and select a device.

To access the Event Viewer page select Monitor > Events & Logs > All Events.

Events & Logs—Summary View

Click Summary View for a brief summary of all the events in your network. At the center of the page is critical information, including total number of events, viruses found, total number of interfaces that are down, number of attacks, CPU spikes, and system reboots. This data is refreshed automatically based on the selected time range. At the bottom of the page is a swim-lane view of different events that are happening at a specific time. The events include firewall, Web filtering, VPN, content filtering, antispam, antivirus, IPS, Sky ATP, Screen, and Apptrack. Each event is color‐coded, with darker shades representing a higher level of activity. Each tabs provide deep information like type, and number of events occurring at that specific time.

See Table 1 the descriptions of the widgets in this view.

Table 1: Events and Logs Summary View Widgets



Total Events

Total number of all the events that includes firewall, webfiltering, IPS, IPSec, content filtering, antispam, and antivirus events.

Virus Instances

Total number of virtual instances running in the system.


Total number of attacks on the firewall.

Interface Down

Total number of interfaces that are down.

CPU Spikes

Total number of times a CPU utilization spike has occurred.


Total number of system reboots.


Total number of sessions established through firewall.

Events & Logs—Detail View

Click Detail View for comprehensive details of events in a tabular format that includes sortable columns. You can sort the events using the Group by option. For example, you can sort the events based on severity. The table includes information such as the rule that caused the event, severity for the event, event ID, traffic information, and how and when the event was detected.

Select Export to CSV option from the grid settings pane to export and download the log data in CSV file.

See Table 2 for field descriptions.

Table 2: Events and Logs Detail Columns



Log Generated Time

The time when the log was generated on the SRX Series device.

Log Received Time

The time when the log was received on the log collector.

Event Name

The event name of the log

Source Country

The source country name.

Source IP

The source IP address from where the event occurred.

Destination Country

Destination country name from where the event occurred.

Destination IP

The destination IP address of the event.

Source Port

The source port of the event.

Destination Port

The destination port of the event.


The description of the log.

Attack name

Attack name of the log: Trojan, worm, virus, and so on.

Threat Severity

The severity level of the threat.

Policy Name

The policy name in the log.

UTM category or Virus Name

The UTM category of the log.


Accessed URL name that triggered the event.

Event category

The event category of the log.

User Name

The username of the log.


Action taken for the event: warning, allow, and block.

Log Source

The IP address of the log source.


The application name from which the events or logs are generated


The host name in the log.

Service Name

The name of the application service. For example, FTP, HTTP, SSH, and so on.

Nested Application

The nested application in the log.

Source Zone

The source zone of the log.

Destination Zone

The destination zone of the log.

Protocol ID

The protocol ID in the log.


The role name associated with the log.


The reason for the log generation. For example, a connection tear down may have an associated reason such as authentication failed.

NAT Source Port

The translated source port.

NAT Destination Port

The translated destination port.

NAT Source Rule Name

The NAT source rule name.

NAT Destination Rule Name

The NAT destination rule name.

NAT Source IP

The translated (or natted) source IP address. It can contain IPv4 or IPv6 addresses.

NAT Destination IP

The translated (also called natted) destination IP address.

Traffic Session ID

The traffic session ID of the log.

Path Name

The path name of the log.

Logical system Name

The name of the logical system.

Rule Name

The name of the rule.

Profile Name

The name of the All events profile that triggered the event.

Client Hostname

Hostname of the client.

Malware Info

Information of the malware.

Logical Subsystem Name

The name of the logical system in JSA logs.

Advanced Search

Starting in Junos Space Security Director Release 16.1R1, you can perform advanced search of all events using the text field present above the tabular column. It includes the logical operators as part of the filter string. Enter the search string in the text field and based on your input, a list of items from the filter context menu is displayed. You can select a value from the list and then select a valid operator based on which you want to perform the advanced search operation. Press Enter to provide AND operator and comma for OR operator. After you have entered the search string, press Enter to display the search result in the tabular column below.

To delete the search string in the text field, click X icon.

In Junos Space, precedence level of the logical operator AND is higher than OR. In the following filter query, AND operator Condition2 AND Condition3 gets evaluated before OR operator.

For example: Condition1 OR Condition2 AND Condition3

To override this, use parentheses explicitly. In the below filter query ,expression inside the parentheses gets evaluated first.

For example: ( Condition1 OR Condition2 ) AND Condition3

Following are some of the examples for event log filters:

  • Specific events originating from or landing within United States


  • User wants to filter all RT flow sessions originating from IPs in specific countries and landing on IPs in specific countries

    Event Name = RT_FLOW_SESSION_CREATE,RT_FLOW_SESSION_CLOSE AND Source IP =,,, AND Destination IP =,,, AND Source Country = Brazil,United States,China,Russia,Algeria AND Destination Country = Germany,India,United States

  • Traffic between zone pairs for policy – IDP2

    Source Zone = trust AND Destination Zone = untrust,internal AND Policy Name = IDP2

  • UTM logs coming from specific source country, destination country, source IPs with or without specific destination IPs

    Event Category = antispam,antivirus,contentfilter,webfilter AND Source Country = Australia AND Destination Country = Turkey,United States,Australia AND Source IP =, OR Destination IP =,

  • Events with specific sources IPs or events hitting htp, tftp, http, and unknown applications coming from host DC-SRX1400-1 or VSRX-75.

    Application = tftp,ftp,http,unknonw OR Source IP =, AND Hostname = dc-srx1400-1,vsrx-75

Role-Based Access Control for Event Viewer

Role-Based Access Control (RBAC) has the following impact on the Event Viewer:

  • You must have Security Analyst or Security Architect or have permissions equivalent to that role to access the event viewer.

  • You cannot view event logs created in other domains. However, a super user or any user with an appropriate role who can access a global domain can view logs in a subdomain, if a subdomain is created with visibility to the parent domain.

  • You can only view logs from the devices that you can access and that belong to your domain.

  • You can only view, not edit, a policy if you do not have edit permissions.

  • The user role under Administration > Users & Roles must have Event Viewer > View Device Logs option is enabled to view or read logs.

Release History Table
Starting in Junos Space Security Director Release 16.1R1, you can perform advanced search of all events using the text field present above the tabular column.