Events and Logs Overview
Use the Events and Logs page to get an overall, high‐level view of your network environment. You can view abnormal events, attacks, viruses, or worms when log data is correlated and analyzed.
This page provides administrators with an advanced filtering mechanism and provides visibility into actual events collected by the Log Collector. Using the time-frame slider, you can instantly focus on areas of unusual activity by dragging the time slider to the area of interest to you. The slider and the Custom button under Time Range remain at the top of each tab. Users select the time range, and then they can decide how to view the data, using the summary view or detail view tabs.
By default, you can view data for all the devices. To view data for a specific device, click on the link beside Devices and select a device.
To access the Event Viewer page select Monitor > Events & Logs > All Events.
Events & Logs—Summary View
Click Summary View for a brief summary of all the events in your network. At the center of the page is critical information, including total number of events, viruses found, total number of interfaces that are down, number of attacks, CPU spikes, and system reboots. This data is refreshed automatically based on the selected time range. At the bottom of the page is a swim-lane view of different events that are happening at a specific time. The events include firewall, Web filtering, VPN, content filtering, antispam, antivirus, IPS, Sky ATP, Screen, and Apptrack. Each event is color‐coded, with darker shades representing a higher level of activity. Each tabs provide deep information like type, and number of events occurring at that specific time.
See Table 1 the descriptions of the widgets in this view.
Table 1: Events and Logs Summary View Widgets
Total number of all the events that includes firewall, webfiltering, IPS, IPSec, content filtering, antispam, and antivirus events.
Total number of virus instances running in the system.
Total number of attacks on the firewall.
Total number of interfaces that are down.
Total number of times a CPU utilization spike has occurred.
Total number of system reboots.
Total number of sessions established through firewall.
Events & Logs—Detail View
Click Detail View for comprehensive details of events in a tabular format that includes sortable columns. You can sort the events using the Group by option. For example, you can sort the events based on severity. The table includes information such as the rule that caused the event, severity for the event, event ID, traffic information, and how and when the event was detected.
Select Export to CSV option from the grid settings pane to export and download the log data in CSV file.
See Table 2 for field descriptions.
Table 2: Events and Logs Detail Columns
Log Generated Time
The time when the log was generated on the SRX Series device.
Log Received Time
The time when the log was received on the log collector.
The event name of the log
The source country name.
The source IP address from where the event occurred.
Destination country name from where the event occurred.
The destination IP address of the event.
The source port of the event.
The destination port of the event.
The description of the log.
Attack name of the log: Trojan, worm, virus, and so on.
The severity level of the threat.
The policy name in the log.
UTM category or Virus Name
The UTM category of the log.
Accessed URL name that triggered the event.
The event category of the log.
The username of the log.
Action taken for the event: warning, allow, and block.
The IP address of the log source.
The application name from which the events or logs are generated
The host name in the log.
The name of the application service. For example, FTP, HTTP, SSH, and so on.
The nested application in the log.
The source zone of the log.
The destination zone of the log.
The protocol ID in the log.
The role name associated with the log.
The reason for the log generation. For example, a connection tear down may have an associated reason such as authentication failed.
NAT Source Port
The translated source port.
NAT Destination Port
The translated destination port.
NAT Source Rule Name
The NAT source rule name.
NAT Destination Rule Name
The NAT destination rule name.
NAT Source IP
The translated (or natted) source IP address. It can contain IPv4 or IPv6 addresses.
NAT Destination IP
The translated (also called natted) destination IP address.
Traffic Session ID
The traffic session ID of the log.
The path name of the log.
Logical system Name
The name of the logical system.
The name of the rule.
The name of the All events profile that triggered the event.
Hostname of the client.
Information of the malware.
Logical Subsystem Name
The name of the logical system in JSA logs.
You can perform advanced search of all events using the search text box present above the grid. It includes the logical operators as part of the filter string. Enter the search string in the text box and based on your input, a list of items from the filter context menu is displayed. You can select a value from the list and then select a valid operator based on which you want to perform the advanced search operation. Press Spacebar to provide AND operator and OR operator. After you have entered the search string, press Enter to display the search result in the grid.
In the search text box, when you hover over the icon, it displays an example filter condition. When you start entering the search string, the icon indicates whether the filter string is valid or not. While entering a search criteria, when you press backspace at any point of time, only one character is deleted.
Starting in Junos Space Security Director Release 19.2R1, in addition to the manual search using keywords, you can drag and drop the values from non-empty cells in the grid into the event viewer search bar. The value is added as the search criterion and the search results are displayed. You can drag and drop only searchable cells. When you hover over the rows in event viewer, searchable cells are displayed with blue background. If a cell is not searchable, there is no change in the background color. If you drag a searchable cell without any value or if the value = ’–’, you cannot drop the contents of such cells. If the search bar already has a search criterion, all the subsequent drag and drop search criteria are prepended by ‘AND’. After dropping the value in the search bar, the search condition is refreshed in the grid. This applies to both simple and complex search filters.
You can perform complex filtering using AND and OR logical operators, and brackets to group the search tokens.
For example: (Name = one and id = 11) or (Name = two and id = 12)
The precedence level of the AND logical operator is higher than OR. In the following filter query, Condition2 AND Condition3 is evaluated before the OR operator.
For example: Condition1 OR Condition2 AND Condition3
To override this, use parentheses explicitly. In the below filter query, expression inside the parentheses is evaluated first.
For example: ( Condition1 OR Condition2 ) AND Condition3
Table 3: Filter Rules
Enter a comma for an OR filter.
Name=test,site is the same as Name=test OR Name=site
Enter parentheses to combine AND and OR functionality.
Source Country = France AND (Event Name = RT_Flowsession_Close OR Event Category = Firewall)
Enter double quotes for terms with spaces.
Following are some of the examples for event log filters:
Specific events originating from or landing within United States
Source Country = United States OR Destination Country = United States AND Event Name = IDP_ATTACK_LOG_EVENT, IDP_ATTACK_LOG_EVENT_LS, IDP_APPDDOS_APP_ATTACK_EVENT_LS, IDP_APPDDOS_APP_STATE_EVENT, IDP_APPDDOS_APP_STATE_EVENT_LS, AV_VIRUS_DETECTED_MT, AV_VIRUS_DETECTED, ANTISPAM_SPAM_DETECTED_MT, ANTISPAM_SPAM_DETECTED_MT_LS, FWAUTH_FTP_USER_AUTH_FAIL, FWAUTH_FTP_USER_AUTH_FAIL_LS, FWAUTH_HTTP_USER_AUTH_FAIL, FWAUTH_HTTP_USER_AUTH_FAIL_LS, FWAUTH_TELNET_USER_AUTH_FAIL, FWAUTH_TELNET_USER_AUTH_FAIL_LS, FWAUTH_WEBAUTH_FAIL,FWAUTH_WEBAUTH_FAIL_LS
User wants to filter all RT flow sessions originating from IPs in specific countries and landing on IPs in specific countries
Event Name = RT_FLOW_SESSION_CREATE,RT_FLOW_SESSION_CLOSE AND Source IP = 18.104.22.168,22.214.171.124,126.96.36.199,188.8.131.52 AND Destination IP = 255.255.255.255,10.207.99.75,10.207.99.72,184.108.40.206 AND Source Country = Brazil,United States,China,Russia,Algeria AND Destination Country = Germany,India,United States
Traffic between zone pairs for policy – IDP2
Source Zone = trust AND Destination Zone = untrust,internal AND Policy Name = IDP2
UTM logs coming from specific source country, destination country, source IPs with or without specific destination IPs
Event Category = antispam,antivirus,contentfilter,webfilter AND Source Country = Australia AND Destination Country = Turkey,United States,Australia AND Source IP = 220.127.116.11,18.104.22.168 OR Destination IP = 22.214.171.124,126.96.36.199
Events with specific sources IPs or events hitting htp, tftp, http, and unknown applications coming from host DC-SRX1400-1 or VSRX-75.
Application = tftp,ftp,http,unknown OR Source IP = 192.168.34.10,192.168.1.26 AND Hostname = dc-srx1400-1,vsrx-75
Role-Based Access Control for Event Viewer
Role-Based Access Control (RBAC) has the following impact on the Event Viewer:
You must have Security Analyst or Security Architect or have permissions equivalent to that role to access the event viewer.
You cannot view event logs created in other domains. However, a super user or any user with an appropriate role who can access a global domain can view logs in a subdomain, if a subdomain is created with visibility to the parent domain.
You can only view logs from the devices that you can access and that belong to your domain.
You can only view, not edit, a policy if you do not have edit permissions.
The user role under Administration > Users & Roles must have Event Viewer > View Device Logs option is enabled to view or read logs.