Events and Logs Overview
Use the Events and Logs page to get an overall, high‐level view of your network environment. You can view abnormal events, attacks, viruses, or worms when log data is correlated and analyzed.
This page provides administrators with an advanced filtering mechanism and provides visibility into actual events collected by the Log Collector. Using the time-frame slider, you can instantly focus on areas of unusual activity by dragging the time slider to the area of interest to you. The slider and the Custom button under Time Range remain at the top of each tab. Users select the time range, and then they can decide how to view the data, using the summary view or detail view tabs.
By default, you can view data for all the devices. To view data for a specific device, click on the link beside Devices and select a device.
Starting in Junos Space Security Director Release 21.2R1, Tenant Systems (TSYS) devices are also supported.
To access the Event Viewer page select Monitor > Events & Logs > All Events.
Events & Logs—Summary View
Click Summary View for a brief summary of all the events in your network. At the center of the page is critical information, including total number of events, viruses found, total number of interfaces that are down, number of attacks, CPU spikes, and system reboots. This data is refreshed automatically based on the selected time range. At the bottom of the page is a swim-lane view of different events that are happening at a specific time. The events include firewall, Web filtering, VPN, content filtering, antispam, antivirus, IPS, ATP Cloud, Screen, and Apptrack. Each event is color‐coded, with darker shades representing a higher level of activity. Each tabs provide deep information like type, and number of events occurring at that specific time.
See Table 1 the descriptions of the widgets in this view.
Table 1: Events and Logs Summary View Widgets
Widget | Description |
|---|---|
Total Events | Total number of all the events that includes firewall, webfiltering, IPS, IPSec, content filtering, antispam, and antivirus events. |
Virus Instances | Total number of virus instances running in the system. |
Attacks | Total number of attacks on the firewall. |
Interface Down | Total number of interfaces that are down. |
CPU Spikes | Total number of times a CPU utilization spike has occurred. |
Reboots | Total number of system reboots. |
Sessions | Total number of sessions established through firewall. |
Events & Logs—Detail View
Click Detail View for comprehensive details of events in a tabular format that includes sortable columns. You can sort the events using the Group by option. For example, you can sort the events based on severity. The table includes information such as the rule that caused the event, severity for the event, event ID, traffic information, and how and when the event was detected.
Select the Export to CSV option from the grid settings pane to export and download the log data in CSV file.
The Legacy Node option is displayed in the event viewer after the legacy log collector node is added on the Logging Nodes page. We’ve added the legacy log collector support for read-only purpose to view existing log collector data. New logs should point to Security Director Insights VM as the log collector. Select the Legacy Node checkbox to view the existing log collector data. When you clear the Legacy Node checkbox, Security Director Insights log collector data is displayed.
See Table 2 for field descriptions.
Table 2: Events and Logs Detail Columns
Field | Description |
|---|---|
Log Generated Time | The time when the log was generated on the SRX Series device. |
Log Received Time | The time when the log was received on the log collector. |
Event Name | The event name of the log |
Source Country | The source country name. |
Source IP | The source IP address from where the event occurred. |
Destination Country | Destination country name from where the event occurred. |
Destination IP | The destination IP address of the event. |
Source Port | The source port of the event. |
Destination Port | The destination port of the event. |
Description | The description of the log. |
Attack name | Attack name of the log: Trojan, worm, virus, and so on. |
Threat Severity | The severity level of the threat. |
Policy Name | The policy name in the log. |
UTM category or Virus Name | The UTM category of the log. |
URL | Accessed URL name that triggered the event. |
Event category | The event category of the log. |
User Name | The username of the log. |
Action | Action taken for the event: warning, allow, and block. |
Log Source | The IP address of the log source. |
Application | The application name from which the events or logs are generated |
Hostname | The host name in the log. |
Service Name | The name of the application service. For example, FTP, HTTP, SSH, and so on. |
Nested Application | The nested application in the log. |
Source Zone | The source zone of the log. |
Destination Zone | The destination zone of the log. |
Protocol ID | The protocol ID in the log. |
Roles | The role name associated with the log. |
Reason | The reason for the log generation. For example, a connection tear down may have an associated reason such as authentication failed. |
NAT Source Port | The translated source port. |
NAT Destination Port | The translated destination port. |
NAT Source Rule Name | The NAT source rule name. |
NAT Destination Rule Name | The NAT destination rule name. |
NAT Source IP | The translated (or natted) source IP address. It can contain IPv4 or IPv6 addresses. |
NAT Destination IP | The translated (also called natted) destination IP address. |
Traffic Session ID | The traffic session ID of the log. |
Path Name | The path name of the log. |
Logical system Name | The name of the logical system. |
Rule Name | The name of the rule. |
Profile Name | The name of the All events profile that triggered the event. |
Client Hostname | Hostname of the client. |
Malware Info | Information of the malware. |
Logical Subsystem Name | The name of the logical system in JSA logs. |
Advanced Search
You can perform advanced search of all events using the search text box present above the grid. It includes the logical operators as part of the filter string. Enter the search string in the text box and based on your input, a list of items from the filter context menu is displayed. You can select a value from the list and then select a valid operator based on which you want to perform the advanced search operation. Press Spacebar to provide AND operator and OR operator. After you have entered the search string, press Enter to display the search result in the grid.
In the search text box, when you hover over the icon, it displays an example filter condition. When you start entering the search string, the icon indicates whether the filter string is valid or not. While entering a search criteria, when you press backspace at any point of time, only one character is deleted.
Starting in Junos Space Security Director Release 19.2R1, in addition to the manual search using keywords, you can drag and drop the values from non-empty cells in the grid into the event viewer search bar. The value is added as the search criterion and the search results are displayed. You can drag and drop only searchable cells. When you hover over the rows in event viewer, searchable cells are displayed with blue background. If a cell is not searchable, there is no change in the background color. If you drag a searchable cell without any value or if the value = ’–’, you cannot drop the contents of such cells. If the search bar already has a search criterion, all the subsequent drag and drop search criteria are prepended by ‘AND’. After dropping the value in the search bar, the search condition is refreshed in the grid. This applies to both simple and complex search filters.
You can perform complex filtering using AND and OR logical operators, and brackets to group the search tokens.
For example: (Name = one and id = 11) or (Name = two and id = 12)
The precedence level of the AND logical operator is higher than OR. In the following filter query, Condition2 AND Condition3 is evaluated before the OR operator.
For example: Condition1 OR Condition2 AND Condition3
To override this, use parentheses explicitly. In the below filter query, expression inside the parentheses is evaluated first.
For example: ( Condition1 OR Condition2 ) AND Condition3
Table 3: Filter Rules
Filter Rule | Example |
|---|---|
Enter a comma for an OR filter. | Name=test,site is the same as Name=test OR Name=site |
Enter parentheses to combine AND and OR functionality. | Source Country = France AND (Event Name = RT_Flowsession_Close OR Event Category = Firewall) |
Enter double quotes for terms with spaces. | "San Jose" |
Following are some of the examples for event log filters:
Specific events originating from or landing within United States
Source Country = United States OR Destination Country = United States AND Event Name = IDP_ATTACK_LOG_EVENT, IDP_ATTACK_LOG_EVENT_LS, IDP_APPDDOS_APP_ATTACK_EVENT_LS, IDP_APPDDOS_APP_STATE_EVENT, IDP_APPDDOS_APP_STATE_EVENT_LS, AV_VIRUS_DETECTED_MT, AV_VIRUS_DETECTED, ANTISPAM_SPAM_DETECTED_MT, ANTISPAM_SPAM_DETECTED_MT_LS, FWAUTH_FTP_USER_AUTH_FAIL, FWAUTH_FTP_USER_AUTH_FAIL_LS, FWAUTH_HTTP_USER_AUTH_FAIL, FWAUTH_HTTP_USER_AUTH_FAIL_LS, FWAUTH_TELNET_USER_AUTH_FAIL, FWAUTH_TELNET_USER_AUTH_FAIL_LS, FWAUTH_WEBAUTH_FAIL,FWAUTH_WEBAUTH_FAIL_LS
Traffic between zone pairs for policy – IDP2
Source Zone = trust AND Destination Zone = untrust,internal AND Policy Name = IDP2
Events with specific sources IPs or events hitting htp, tftp, http, and unknown applications coming from host DC-SRX1400-1 or VSRX-75.
Application = tftp,ftp,http,unknown OR Source IP = 192.168.34.10,192.168.1.26 AND Hostname = dc-srx1400-1,vsrx-75
Role-Based Access Control for Event Viewer
Role-Based Access Control (RBAC) has the following impact on the Event Viewer:
You must have Security Analyst or Security Architect or have permissions equivalent to that role to access the event viewer.
You cannot view event logs created in other domains. However, a super user or any user with an appropriate role who can access a global domain can view logs in a subdomain, if a subdomain is created with visibility to the parent domain.
You can only view logs from the devices that you can access and that belong to your domain.
You can only view, not edit, a policy if you do not have edit permissions.
The user role under Administration > Users & Roles must have Event Viewer > View Device Logs option is enabled to view or read logs.