Understanding How the Integrated ClearPass Feature Detects Threats and Attacks and Notifies the CPPM

The integrated ClearPass authentication and enforcement feature allows you to integrate your SRX Series device with the ClearPass Policy Manager (CPPM) to obtain authenticated user identity information. It also allows the SRX Series device to send attack and threat logs to the CPPM. This topic focuses on sending attack and threat logs to the CPPM.

When an SRX Series device feature detects a threat or attack event, the event is recorded in the SRX Series device event log. The SRX Series device uses syslog to forward these log entries to the CPPM, which can evaluate them and take action based on matching conditions. As the ClearPass administrator, you can use the information from the SRX Series device to define appropriate actions on the CPPM and so harden your security posture.

Junos OS on the SRX Series device generates over 100 different types of log entries issued by more than 10 of its modules. Among the SRX Series device features that generate threat and attack logs are SCREENS, IDP, and UTM. To avoid overburdening the SRX Series device and the log server, the integrated ClearPass feature allows you to configure the SRX Series device to send to the CPPM only attack and threat log entries that were written to the event log in response to activity detected by the SCREENS, IDP, and UTM security features.

You can set the following conditions to control the log transmission:

  • A log stream filter to ensure that only threat and attack logs are sent.
  • A rate limiter to control the transmission volume. The SRX Series device log transmission will not exceed the rate-limiting conditions that you set.

For the CPPM to analyze the log information that the SRX Series device sends to it, the content must be formatted in a standard, structured manner. The SRX Series log transmission follows the syslog protocol, whose message format allows vendor-specific extensions to be carried as structured data.

Here is an example of an attack log generated by IDP:

<14>1 2014-07-24T13:16:58.362+08:00 bjsolar RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636. epoch-time="1421996988" message-type="SIG" source-address="" source-port="32796" destination-address="" destination-port="21" protocol-name="TCP" service-name="SERVICE_IDP" application-name="NONE" rule-name="1" rulebase-name="IPS" policy-name="idpengine" export-id="4641" repeat-count="0" action="NONE" threat-severity="MEDIUM" attack-name="FTP:USER:ROOT" nat-source-address="" nat-source-port="0" nat-destination-address="" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="untrust" source-interface-name="ge-0/0/1.0" destination-zone-name="trust" destination-interface-name="ge-0/0/7.0" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"]

Table 4 uses the content of this example IDP attack log to identify the parts of an attack log entry. See SRX Series Threat and Attack Logs Sent to Aruba ClearPass for further details on types of attack and threat logs.

Table 4: Attack Log Fields Using Example Log

| Log Entry Component | Description | Format |
| --- | --- | --- |
| pri version | pri = LOG_USER + severity. The version is always 1. | pri version |
| Time and Time Zone | When the log was recorded and in what time zone. | y = year, m = month, d = day, T + hours, time zone |
| Device/Host Name | Name of the device from which the event log was sent. This value is configured by the user. | string, hostname |
| Service Name | SRX Series feature that issued the event log. | string, service |
| Application Name | Application that generated the log entry. | string, application-name |
| Process ID | The process ID is not meaningful in this context, so pid is replaced by "-", which acts as a placeholder for the process ID. | - |
| Errmsg Tag | Log ID name, error message tag. | string, log-name and tag |
| Errmsg Tag Square Bracket | Log content enclosed in square brackets. | [ ] |
| Product ID | Product ID provided by the chassis daemon (chassisd). | |
| Epoch Time | Time when the log was generated, measured from the epoch. | |

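As an added example that is not part of the original documentation: the following Python parses a syslog line of the shape shown above into its header fields and its name="value" parameters, then sketches the two transmission controls described earlier (a stream filter that passes only threat and attack logs, and a rate limiter). The sample line is constructed from the page's example; the application names RT_SCREEN and RT_UTM, and all function and class names, are assumptions.

```python
import re
from collections import deque

# Constructed sample, trimmed from the IDP attack log shown on this page
# (the SD-ID "junos@2636." and the empty address values are kept as printed).
SAMPLE_LOG = (
    '<14>1 2014-07-24T13:16:58.362+08:00 bjsolar RT_IDP - IDP_ATTACK_LOG_EVENT '
    '[junos@2636. epoch-time="1421996988" message-type="SIG" source-address="" '
    'source-port="32796" destination-port="21" protocol-name="TCP" '
    'threat-severity="MEDIUM" attack-name="FTP:USER:ROOT" alert="no"]'
)

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD] MSG
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<timestamp>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\[.*\])\s*(?P<msg>.*)$')
PARAM_RE = re.compile(r'([\w\-]+)="((?:[^"\\]|\\.)*)"')   # name="value" pairs

def parse_srx_syslog(line):
    """Split an SRX syslog line into header fields and structured-data params."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    rec["facility"], rec["severity"] = divmod(pri, 8)   # <14> -> user(1), info(6)
    sd = rec.pop("sd")[1:-1]                             # drop the enclosing [ ]
    rec["sd_id"] = sd.split(" ", 1)[0]                   # product ID, e.g. junos@2636.
    rec["params"] = dict(PARAM_RE.findall(sd))           # epoch-time, attack-name, ...
    return rec

# Log stream filter: keep only entries from the threat/attack features. RT_IDP is
# taken from the page's example; the other two names are assumed for illustration.
THREAT_APPS = {"RT_IDP", "RT_SCREEN", "RT_UTM"}

def is_threat_log(rec, apps=THREAT_APPS):
    return rec["app"] in apps

class RateLimiter:
    """Sliding-window limiter: at most `limit` log lines per `window` seconds."""
    def __init__(self, limit, window=1.0):
        self.limit, self.window, self.sent = limit, window, deque()

    def allow(self, now):
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()
        if len(self.sent) >= self.limit:
            return False                 # drop: would exceed the configured rate
        self.sent.append(now)
        return True
```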

Modified: 2016-05-01