Events
Monitoring All Events
Purpose
The All Events page displays an overall, consolidated, high‐level view of your network environment. You can view all types of events that are being logged in your SRX platform. You can view abnormal events, attacks, viruses, spam attacks when log data is correlated and analyzed. This page provides you with an advanced filtering mechanism and visibility into actual events.
For the events to be logged, registered, and displayed in the graph, the device should be in stream mode. You can configure stream mode in the Configure > Device Setup > Basic Settings > Logging page.
Starting in Junos OS Release 19.1R1, the All Events option is available for logical system users.
Action
To monitor all events, select Monitor>Events>All Events in the J-Web user interface.
Meaning
The Time Range graph displays the trend, or flow, of all the events that have transpired on the device.
You can specify the duration for which you want to view the trend for all events. The available options, such as 30m, 1h, 2h, and so on, are displayed at the top right-hand side of the page. For example, if you choose 30m, the end time is the current system time and the start time is 30 minutes before the current system time.
Click Custom to specify a customized time range. The Custom Time Range Selection popup window is presented. You can set the from and to date and time, and click OK to set the time range.
To refresh the graph on demand, click the refresh button.
You can also drag the slider in the Time Range graph from the extreme left or right of the graph and set the time range to see the trend or flow of events that has transpired in that time range.
Table 11 summarizes key output fields in the All Events page.
Table 11: Events Monitoring Page
Field | Value | Additional Information |
---|---|---|
Chart View—Displays the trend analysis, displayed in the Time Range graph, in numbers. | ||
Total Events | Displays the total number of events that occurred in the specified time range. | - |
Virus Instances | Displays the number of virus instances that occurred in the specified time range. | - |
Attacks | Displays the number of IDP or IPS attacks that occurred in the specified time range. | - |
Interface Down | Displays the total number of interfaces that are down. | - |
Sessions | Displays the total number of firewall events or sessions that occurred during the time period specified in the Time Range graph. | - |
Graphs: Firewall, Web Filtering, IPSec VPNs, Content Filtering, Antispam, Antivirus, IPS | The graphs display the trend analysis in a swim lane chart for the time range that you specified in the Time Range graph. The legend in each graph shows the colors and their interpretation. For example, in the Firewall graph, blue represents all firewall events and black represents blocked firewall events. Similarly, in the IPS graph, orange, amber, and yellow represent critical, high, and medium IPS attacks respectively. | Mouse over any point in the swim lane chart to view further details at that point. |
Grid View—Displays information in grids that are lazy loaded with infinite scrolling. You can narrow down your search to a particular event based on IP address, description, or attack name. | ||
Filters: the dropdown filters that are displayed above the grids. First dropdown filter | Options available in the first filter dropdown are: Firewall, Webfilter, ContentFilter, Antispam, Antivirus, Ipsecvpn, and IPS. | Select the event that you want to filter in the first dropdown filter. |
Second dropdown filter | Options available in the second filter dropdown are: event-name, source-address, destination-address, application, user, service, policy, nested-application, source-interface, and source-zone. | Select the next criteria of the event on which you want to filter from the second dropdown filter. |
Text box | Displays the filter parameter that you selected from the second filter dropdown. Note: The filter statement has the following limitation: if you have used the & operator and the parameter event-name once, you cannot use them again in the same filter statement. CORRECT USAGE: WRONG USAGE: WRONG USAGE: Note: The filter statement is NOT case-sensitive. | Add the parameter for which you want to filter. For example, if you selected Firewall as the event filter in the first dropdown and event-name as the parameter in the second filter dropdown, then the text box displays |
Go | Executes the filter statement that is displayed in the text box. | Click Go. |
X | Clears the filters. | Click x. |
Show Hide Column filter icon (three vertical dots) | Enables you to show or hide a column in the grid. | - |
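The time-range and filter-statement rules above are easier to reason about in code. The following is an added example, not code from the Juniper page or from J-Web: it models how the grid selects rows from the quick-select time range (end is now, start is now minus the chosen duration) and from a filter statement that may not repeat a parameter and is not case-sensitive. The term syntax `parameter = value` joined with `&` is an assumption, since the page's usage examples are not reproduced; the sample events are constructed, not real device logs.

```python
"""Added example (not from the Juniper page or J-Web): a small model of how the
All Events grid selects rows from the quick-select time range and the filter
statement. ASSUMPTION, not documented on this page: a filter statement is a
sequence of ``parameter = value`` terms joined with ``&``. The two rules the
page does state are modelled exactly: a parameter may appear only once per
statement, and matching is not case-sensitive.
"""
import re
from datetime import datetime, timedelta, timezone

# Second-dropdown parameters offered for the Firewall event type (listed on the page).
FIREWALL_PARAMETERS = {
    "event-name", "source-address", "destination-address", "application", "user",
    "service", "policy", "nested-application", "source-interface", "source-zone",
}

DURATION_RE = re.compile(r"^(\d+)([mh])$")  # quick-select options: minutes or hours
TERM_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(\S.*?)\s*$")


class FilterError(ValueError):
    """A statement breaks one of the documented filter rules."""


def time_range(option, now=None):
    """Quick-select semantics from the page: end = now, start = now - option."""
    m = DURATION_RE.match(option.strip().lower())
    if not m:
        raise ValueError(f"unsupported quick-select option: {option!r}")
    amount, unit = int(m.group(1)), m.group(2)
    end = now if now is not None else datetime.now(timezone.utc)
    start = end - (timedelta(minutes=amount) if unit == "m" else timedelta(hours=amount))
    return start, end


def parse_filter(statement, allowed=FIREWALL_PARAMETERS):
    """Split the statement on '&' and return {parameter: value}; keys are lower-cased."""
    terms = {}
    for raw in statement.split("&"):
        m = TERM_RE.match(raw)
        if not m:
            raise FilterError(f"malformed term: {raw.strip()!r}")
        param, value = m.group(1).lower(), m.group(2)
        if param not in allowed:
            raise FilterError(f"unknown parameter: {param!r}")
        if param in terms:
            # Documented limitation: a parameter cannot be used twice in one statement.
            raise FilterError(f"parameter {param!r} used more than once")
        terms[param] = value
    return terms


def matches(event, terms):
    """Every term must match its field; the comparison is case-insensitive."""
    return all(str(event.get(p, "")).lower() == v.lower() for p, v in terms.items())


def grid_rows(events, option, statement, now=None):
    """Rows the grid would show: inside the time range and matching the filter."""
    start, end = time_range(option, now)
    terms = parse_filter(statement) if statement.strip() else {}
    return [e for e in events if start <= e["time"] <= end and matches(e, terms)]


# Constructed sample records (not real device output); times are relative to NOW.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"time": NOW - timedelta(minutes=5), "event-name": "RT_FLOW_SESSION_DENY",
     "source-address": "10.0.0.5", "policy": "default-deny"},
    {"time": NOW - timedelta(minutes=20), "event-name": "RT_FLOW_SESSION_CLOSE",
     "source-address": "10.0.0.5", "policy": "trust-to-untrust"},
    {"time": NOW - timedelta(hours=3), "event-name": "RT_FLOW_SESSION_DENY",
     "source-address": "10.0.0.7", "policy": "default-deny"},
]

if __name__ == "__main__":
    # Mixed-case value on purpose: the page states the filter is not case-sensitive.
    for row in grid_rows(SAMPLE_EVENTS, "30m", "Event-Name = rt_flow_session_deny", now=NOW):
        print(row["time"].isoformat(), row["event-name"], row["source-address"])
```

Running the block with the constructed events and a 30m range returns only the deny event from five minutes ago; widening the range to 4h brings in the older deny event as well, and a statement such as `event-name = a & event-name = b` is rejected before any rows are compared.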
Table 12 describes the grid elements that are displayed in the Detailed View.
Table 12: All Events - Grid Elements in Detailed View
Grid Element | Description |
---|---|
Threat Severity | The severity level of the threat. |
Event Name | The event name of the log. |
Description | The description of the log. |
Attack Name | Attack name of the log: Trojan, worm, virus, and so on. |
UTM Category or Virus Name | The UTM category of the log. |
Event Category | The event category of the log. |
Source IP | The source IP address from where the event occurred. |
Source Port | The source port of the event. |
Destination IP | The destination IP address of the event. |
Destination Port | The destination port of the event. |
Application | The application name from which the events or logs are generated. |
User Name | The username from whom the log is generated. |
Hostname | The host name in the log. |
Service Name | The name of the application service. For example, FTP, HTTP, SSH, and so on. |
Protocol ID | The protocol ID in the log. |
Policy Name | Policy name in the log. |
Source Zone | The zone from which the user traffic was received. |
Destination Zone | The destination zone of the log. |
Nested Application | The nested application in the log. |
Roles | Role names associated with the event. |
Reason | The reason for the log generation. For example, a connection tear down may have an associated reason such as authentication failed. |
NAT Source Port | The translated source port. |
NAT Destination Port | The translated destination port. |
NAT Source Rule Name | The NAT source rule name. |
NAT Destination Rule Name | The NAT destination rule name. |
NAT Source IP | The translated (or natted) source IP address. It can contain IPv4 or IPv6 addresses. |
NAT Destination IP | The translated (also called natted) destination IP address. |
Traffic Session ID | The traffic session ID of the log. |
URL | Accessed URL name that triggered the event. |
Object Name | The object name of the log. |
Path Name | The path name of the log. |
Logical System Name | The name of the logical system. |
Rule Name | The rule name of the log. |
Action | Action taken for the event: warning, allow, and block. |
Time | The time when the log was received. |
Monitoring Firewall Events
Purpose
Use the Firewall Events page to view information about security events based on firewall policies. Analyzing firewall logs yields useful security management information, such as attempts to breach your network and the inherent characteristics of your traffic, observed in real time. Using the time-frame slider, you can quickly focus on the area of activity that you are most interested in. Once the time range is selected, all of the data presented in your view is refreshed automatically. You can also use the Custom button to set a custom time range.
Starting in Junos OS Release 19.1R1, the Firewall Events option is available for logical system and tenant users.
Action
To monitor firewall events, select Monitor>Events>Firewall in the J-Web user interface.
Meaning
The Time Range graph displays the trend, or flow, of all the events that have transpired on the device.
You can specify the duration for which you want to view the trend for all events. The available options, such as 30m, 1h, 2h, and so on, are displayed at the top right-hand side of the page. For example, if you choose 30m, the end time is the current system time and the start time is 30 minutes before the current system time.
Click Custom to specify a customized time range. The Custom Time Range Selection popup window is presented. You can set the from and to date and time, and click OK to set the time range.
To refresh the graph on demand, click the refresh button.
You can also drag the slider in the Time Range graph from the extreme left or right of the graph and set the time range to see the trend or flow of events that has transpired in that time range.
There are two ways to view your data. You can select either the Summary View tab or the Detailed View tab.
The Summary View is selected by default, and it gives a brief summary of all the firewall events in your network.
The data presented in the line graph (also known as swim lanes) is refreshed automatically based on the selected time range. The line graph shows light blue lanes that represent all events and dark blue lanes represent blocked events.
Below the swim lanes are widgets displaying critical information such as top five sources, top five destinations, and top five users.
See Table 13 for descriptions of the widgets.
Table 13: Widgets in Summary View
Widget Name | Displays |
---|---|
Top Sources | Top five source IP addresses of the network traffic; sorted by event count. |
Top Destinations | Top five destination IP addresses of the network traffic; sorted by event count. |
Top Users | Top five users of the network traffic; sorted by event count. |
Click the Detailed View for comprehensive details of events in a grid format that includes sortable columns. It displays information in grids that are lazy loaded with infinite scrolling. You can narrow down your search to a particular event based on IP address, description, or attack name. The table includes information such as the rule that caused the event, severity for the event, event ID, traffic information, and how and when the event was detected.
Table 14: Filter Options in Detailed View
Field | Value | Additional Information |
---|---|---|
Dropdown filter (displayed above the grids) | Options available in the filter dropdown are: Event-Name, Source-Address, Destination-Address, Application, Rule-name, Threat-Severity, and Attack-Name. | Select the criteria or parameter on which you want to construct the filter statement. |
Text box | Displays the filter parameter that you selected from the filter dropdown. Note: The filter statement has the following limitation: if you have used the & operator and the parameter event-name once, you cannot use them again in the same filter statement. CORRECT USAGE: WRONG USAGE: WRONG USAGE: Note: The filter statement is NOT case-sensitive. | Add the parameter for which you want to filter. For example, if you selected event-name as the parameter in the dropdown filter, the text box displays |
Go | Executes the filter statement that is displayed in the text box. | Click Go. |
X | Clears the filters. | Click x. |
Show Hide Column filter icon (three vertical dots) | Enables you to show or hide a column in the grid. | - |
Table 15 describes the grid information displayed in the Detailed View.
Table 15: Firewall Events - Grid Elements in Detailed View
Grid Element | Description |
---|---|
Event Name | The event name of the log. |
Description | The description of the log. |
Source IP | The source IP address from where the event occurred. |
Source Port | The source port of the event. |
Destination IP | The destination IP address of the event. |
Destination Port | The destination port of the event. |
Application | The application name from which the events or logs are generated. |
User Name | The username from whom the log is generated. |
Hostname | The host name in the log. |
Service Name | The name of the application service. For example, FTP, HTTP, SSH, and so on. |
Protocol ID | The protocol ID in the log. |
Policy Name | Policy name in the log. |
Source Zone | The zone from which the user traffic was received. |
Destination Zone | The destination zone of the log. |
Nested Application | The nested application in the log. |
Roles | Role names associated with the event. |
NAT Source Port | The translated source port. |
NAT Destination Port | The translated destination port. |
NAT Source Rule Name | The NAT source rule name. |
NAT Destination Rule Name | The NAT destination rule name. |
NAT Source IP | The translated (or natted) source IP address. It can contain IPv4 or IPv6 addresses. |
NAT Destination IP | The translated (also called natted) destination IP address. |
Traffic Session ID | The traffic session ID of the log. |
Rule Name | The rule name of the log. |
Action | Action taken for the event: warning, allow, and block. |
Time | The time when the log was received. |
Monitoring Web Filtering Events
Purpose
Use this page to view information about security events based on Web filtering policies. Web filtering allows you to permit or block access to specific websites by URL or by URL category using cloud-based lookups, a local database, or an external Websense server. Analyzing Web filtering logs yields useful security management information such as users detected accessing restricted URLs and actions taken by the system. Using the time-frame slider, you can quickly focus on the area of activity that you are most interested in. Once the time range is selected, all of the data presented in your view is refreshed automatically. You can also use the Custom button to set a custom time range.
Starting in Junos OS Release 19.1R1, the Web Filtering option is available for logical system users.
Action
To monitor Web filtering events, select Monitor>Events>Web Filtering in the J-Web user interface.
Meaning
The Time Range graph displays the trend, or flow, of all the events that have transpired on the device.
You can specify the duration for which you want to view the trend for all events. The available options, such as 30m, 1h, 2h, and so on, are displayed at the top right-hand side of the page. For example, if you choose 30m, the end time is the current system time and the start time is 30 minutes before the current system time.
Click Custom to specify a customized time range. The Custom Time Range Selection popup window is presented. You can set the from and to date and time, and click OK to set the time range.
To refresh the graph on demand, click the refresh button.
You can also drag the slider in the Time Range graph from the extreme left or right of the graph and set the time range to see the trend or flow of events that has transpired in that time range.
There are two ways to view your data. You can select either the Summary View tab or the Detailed View tab.
The Summary View is selected by default, and it gives a brief summary of all the Web filtering events in your network.
The data presented in the line graph (also known as swim lanes) is refreshed automatically based on the selected time range. The line graph shows light blue lanes that represent all Web filtering events and dark blue lanes represent blocked Web filtering events.
Below the swim lanes are widgets displaying critical information such as top URLs blocked, top matched profiles, top five sources, and top five destinations.
See Table 16 for descriptions of the widgets.
Table 16: Widgets in Summary View
Widget Name | Displays |
---|---|
Top URLs Blocked | Top URLs that are blocked. |
Top Matched Profiles | Top matched profiles. |
Top Sources | Top five source IP addresses of the network traffic; sorted by event count. |
Top Destinations | Top five destination IP addresses of the network traffic; sorted by event count. |
Click the Detailed View for comprehensive details of events in a grid format that includes sortable columns. It displays information in grids that are lazy loaded with infinite scrolling. You can narrow down your search to a particular event based on IP address, description, or event name. The table includes information such as the rule that caused the event, severity for the event, event ID, traffic information, and how and when the event was detected.
Table 17: Filter Options in Detailed View
Field | Value | Additional Information |
---|---|---|
Dropdown filter (displayed above the grids) | Options available in the filter dropdown are: event-name, source-address, destination-address, application, user, service, policy, source-interface, and source-zone. | Select the criteria or parameter on which you want to construct the filter statement. |
Text box | Displays the filter parameter that you selected from the filter dropdown. Note: The filter statement has the following limitation: if you have used the & operator and the parameter event-name once, you cannot use them again in the same filter statement. CORRECT USAGE: WRONG USAGE: WRONG USAGE: Note: The filter statement is NOT case-sensitive. | Add the parameter for which you want to filter. For example, if you selected event-name as the parameter in the dropdown filter, the text box displays |
Go | Executes the filter statement that is displayed in the text box. | Click Go. |
X | Clears the filters. | Click x. |
Table 18 describes the grid information displayed in the Detailed View.
Table 18: Web Filtering Events - Grid Elements in Detailed View
Grid Element | Description |
---|---|
Event Name | The event name of the log. |
Description | The description of the log. |
UTM Category or Virus Name | The UTM category or name of the virus. |
Source IP | The source IP address from where the event occurred. |
Source Port | The source port of the event. |
Destination IP | The destination IP address of the event. |
Destination Port | The destination port of the event. |
Hostname | The host name in the log. |
Source Zone | The zone from which the user traffic was received. |
Roles | Role names associated with the event. |
Reason | The reason for the log generation. For example, a connection tear down may have an associated reason such as authentication failed. |
URL | Accessed URL name that triggered the event. |
Object Name | The object name of the log. |
Path Name | The path name of the log. |
Action | Action taken for the event: warning, allow, and block. |
Profile Name | Profile name in the log. |
Time | The time when the log was received. |
Monitoring IPSec VPN Events
Purpose
Use this page to view information about security events based on IPSec VPN policies. This page provides a view of all IPsec VPN events.
Action
To monitor events, select Monitor>Events>IPSec VPNs in the J-Web user interface.
Meaning
The Time Range graph displays the trend, or flow, of all the events that have transpired on the device.
You can specify the duration for which you want to view the trend for all events. The available options, such as 30m, 1h, 4h, and so on, are displayed at the top right-hand side of the page. For example, if you choose 30m, the end time is the current system time and the start time is 30 minutes before the current system time.
Click Custom to specify a customized time range. The Custom Time Range Selection popup window is presented. You can set the from and to date and time, and click OK to set the time range.
To refresh the graph on demand, click the refresh button.
You can also drag the slider in the Time Range graph from the extreme left or right of the graph and set the time range to see the trend or flow of events that has transpired in that time range.
There are two ways to view your data. You can select either the Summary View tab or the Detailed View tab.
The Summary View is selected by default, and it gives a brief summary of all the IPSec VPN events in your network.
The data presented in the line graph (also known as swim lanes) is refreshed automatically based on the selected time range. The line graph shows light blue lanes that represent all IPSec VPN events and dark blue lanes represent blocked IPSec VPN events.
Click the Detailed View for comprehensive details of events in a grid format that includes sortable columns. It displays information in grids that are lazy loaded with infinite scrolling. You can narrow down your search to a particular event based on IP address, description, or attack name. The table includes information such as the rule that caused the event, severity for the event, event ID, traffic information, and how and when the event was detected.
Table 19: Filter Options in Detailed View
Field | Value | Additional Information |
---|---|---|
Dropdown filter (displayed above the grids) | The only option available in the filter dropdown is Event-Name. | Select Event-Name. |
Text box | Displays the filter parameter that you selected from the filter dropdown. Note: The filter statement has the following limitation: if you have used the & operator and the parameter event-name once, you cannot use them again in the same filter statement. CORRECT USAGE: WRONG USAGE: WRONG USAGE: Note: The filter statement is NOT case-sensitive. | Add the parameter for which you want to filter. For example, if you selected event-name as the parameter in the dropdown filter, the text box displays |
Go | Executes the filter statement that is displayed in the text box. | Click Go. |
X | Clears the filters. | Click x. |
Table 20 describes the grid information displayed in the Detailed View.
Table 20: IPSec VPN Events - Grid Elements in Detailed View
Grid Element | Description |
---|---|
Event Name | The event name of the log. |
Description | The description of the log. |
Destination Port | The destination port of the event. |
Hostname | The host name in the log. |
Rule Name | The rule name of the log. |
Time | The time when the log was received. |
Monitoring Content Filtering Events
Purpose
Use this page to view information about security events based on content filtering policies. The event viewer provides a view of all content filtering events and how the events are handled by content filter. This page can be used to view traffic on the network in real time or as a debugging tool to view how content filtering is operating.
Content filtering provides basic data loss prevention functionality. Content filtering screens traffic based on MIME type, file extension, protocol commands, and embedded object type. It either permits or blocks specific commands or extensions on a protocol-by-protocol basis.
Starting in Junos OS Release 19.1R1, the Content Filtering option is available for logical system users.
Action
To monitor events, select Monitor>Events>Content Filtering in the J-Web user interface.
Meaning
The Time Range graph displays the trend, or flow, of all the events that have transpired on the device.
You can specify the duration for which you want to view the trend for all events. The available options, such as 30m, 1h, 2h, and so on, are displayed at the top right-hand side of the page. For example, if you choose 30m, the end time is the current system time and the start time is 30 minutes before the current system time.
Click Custom to specify a customized time range. The Custom Time Range Selection popup window is presented. You can set the from and to date and time, and click OK to set the time range.
To refresh the graph on demand, click the refresh button.
You can also drag the slider in the Time Range graph from the extreme left or right of the graph and set the time range to see the trend or flow of events that has transpired in that time range.
There are two ways to view your data. You can select either the Summary View tab or the Detailed View tab.
The Summary View is selected by default, and it gives a brief summary of all the Content Filtering events in your network.
The data presented in the line graph (also known as swim lanes) is refreshed automatically based on the selected time range. The line graph shows light blue lanes that represent all Content Filtering events.
Below the swim lanes are widgets displaying critical information such as top five sources, top reasons, and top blocked protocol commands.
See Table 21 for descriptions of the widgets.
Table 21: Widgets in Summary View
Widget Name | Displays |
---|---|
Top Sources | Top five source IP addresses of the network traffic; sorted by event count. |
Top Reasons | The top reasons for which content filtering events were logged. |
Top Blocked Protocol Commands | The protocol commands most frequently blocked by content filtering. |
Click the Detailed View for comprehensive details of events in a grid format that includes sortable columns. It displays information in grids that are lazy loaded with infinite scrolling. You can narrow down your search to a particular event based on Event-Name, Source-Address, Reason, or Profile. The table includes information such as event name, description, source IP, reason, profile, and how and when the event was detected.
Table 22: Filter Options in Detailed View
Field | Value | Additional Information |
---|---|---|
Dropdown filter (displayed above the grids) | Options available in the filter dropdown are: event-name, source-address, destination-address, Source-Name, User, Role, Reason, Profile, Protocol, and Category. | Select the criteria or parameter on which you want to construct the filter statement. |
Text box | Displays the filter parameter that you selected from the filter dropdown. Note: The filter statement has the following limitation: if you have used the & operator and the parameter event-name once, you cannot use them again in the same filter statement. CORRECT USAGE: WRONG USAGE: WRONG USAGE: Note: The filter statement is NOT case-sensitive. | Add the parameter for which you want to filter. For example, if you selected event-name as the parameter in the dropdown filter, the text box displays |
Go | Executes the filter statement that is displayed in the text box. | Click Go. |
X | Clears the filters. | Click x. |
Show Hide Column filter icon (three vertical dots) | Enables you to show or hide a column in the grid. | - |
Table 23 describes the grid information displayed in the Detailed View.
Table 23: Content Filtering Events - Grid Elements in Detailed View
Grid Element | Description |
---|---|
Event Name | The event name of the log. |
Description | The description of the log. |
UTM Category or Virus Name | The UTM category or name of the virus. |
Event Category | The event category of the log. |
Source IP | The source IP address from where the event occurred. |
Hostname | The host name in the log. |
Source Zone | The zone from which the user traffic was received. |
Roles | Role names associated with the event. |
Reason | The reason for the log generation. For example, a connection tear down may have an associated reason such as authentication failed. |
URL | Accessed URL name that triggered the event. |
Action | Action taken for the event: warning, allow, and block. |
Profile Name | Profile name in the log. |
Time | The time when the log was received. |
Monitoring Antispam Events
Purpose
Use this page to view information about security events based on antispam policies. The event viewer provides a view of all antispam events and the action taken by the antispam scanner.
The antispam scanner inspects and blocks spam by scanning inbound and outbound SMTP e-mail traffic. The filtering can be server-based, using an external spam block list server, or local-based, using local lists (blacklists and whitelists) for matching.
Starting in Junos OS Release 19.1R1, the Antispam option is available for logical system users.
Action
To monitor events, select Monitor>Events>Antispam in the J-Web user interface.
Meaning
The Time Range graph displays the trend, or flow, of all the events that have transpired on the device.
You can specify the duration for which you want to view the trend for all events. The available options, such as 30m, 1h, 2h, and so on, are displayed at the top right-hand side of the page. For example, if you choose 30m, the end time is the current system time and the start time is 30 minutes before the current system time.
Click Custom to specify a customized time range. The Custom Time Range Selection popup window is presented. You can set the from and to date and time, and click OK to set the time range.
To refresh the graph on demand, click the refresh button.
You can also drag the slider in the Time Range graph from the extreme left or right of the graph and set the time range to see the trend or flow of events that has transpired in that time range.
There are two ways to view your data. You can select either the Summary View tab or the Detailed View tab.
The Summary View is selected by default, and it gives a brief summary of all the antispam events in your network.
The data presented in the line graph (also known as swim lanes) is refreshed automatically based on the selected time range. The line graph shows light blue lanes that represent all antispam events.
Below the swim lanes is a widget displaying top five sources.
See Table 24 for a description of the widget.
Table 24: Widgets in Summary View
Widget Name | Displays |
---|---|
Top Sources | Top five source IP addresses of the network traffic; sorted by event count. |
Click the Detailed View for comprehensive details of events in a grid format that includes sortable columns. It displays information in grids that are lazy loaded with infinite scrolling. You can narrow down your search to a particular event based on IP address or description. The table includes information such as the rule that caused the event and how and when the event was detected.
Table 25: Filter Options in Detailed View
Field | Value | Additional Information |
---|---|---|
Dropdown filter (displayed above the grids) | Options available in the filter dropdown are: Event-Name, Source-Address, Destination-Address, Source-Name, User, Role, Reason, Profile, Protocol, and Category. | Select the criteria or parameter on which you want to construct the filter statement. |
Text box | Displays the filter parameter that you selected from the filter dropdown. Note: The filter statement has the following limitation: if you have used the & operator and the parameter event-name once, you cannot use them again in the same filter statement. CORRECT USAGE: WRONG USAGE: WRONG USAGE: Note: The filter statement is NOT case-sensitive. | Add the parameter for which you want to filter. For example, if you selected event-name as the parameter in the dropdown filter, the text box displays |
Go | Executes the filter statement that is displayed in the text box. | Click Go. |
X | Clears the filters. | Click x. |
Show Hide Column filter icon (three vertical dots) | Enables you to show or hide a column in the grid. | - |
Table 26 describes the grid information displayed in the Detailed View.
Table 26: Antispam Events - Grid Elements in Detailed View
Grid Element | Description |
---|---|
Event Name | The event name of the log. |
Description | The description of the log. |
UTM Category or Virus Name | |
Source IP | The source IP address from where the event occurred. |
Hostname | The host name in the log. |
Source Zone | The zone from which the user traffic was received. |
Roles | Role names associated with the event. |
Reason | The reason for the log generation. For example, a connection tear down may have an associated reason such as authentication failed. |
URL | Accessed URL name that triggered the event. |
Action | Action taken for the event: warning, allow, and block. |
Profile Name | Profile name in the log. |
Time | The time when the log was received. |
Monitoring Antivirus Events
Purpose
Use this page to view information about security events based on antivirus policies. The event viewer provides a view of all antivirus events and the action taken by the virus scanner.
The antivirus scanner inspects files transmitted over several protocols to determine if the files exchanged are malicious (for example, viruses, Trojans, rootkits, and worms).
Starting in Junos OS Release 19.1R1, Antivirus option is available for logical system users.
Action
To monitor events, select Monitor>Events>Antivirus in the J-Web user interface.
Meaning
The Time Range graph displays the trend or flow of all the events that have transpired on the device.
You can specify the duration for which you want to view the trend for all events. The available options (30m, 1h, 2h, and so on) are displayed at the top right-hand side of the page. For example, if you choose 30m, the end time is the current system time and the start time is 30 minutes before the current system time.
Click Custom to specify a customized time range. The Custom Time Range Selection popup window is presented. Set the from and to date and time, and click OK to set the time range.
To refresh the graph on demand, click the refresh button.
You can also drag the slider in the Time Range graph from the extreme left or right of the graph to set the time range and see the trend or flow of events that transpired in that time range.
There are two ways to view your data. You can select either the Summary View tab or the Detailed View tab.
The Summary View is selected by default, and it gives a brief summary of all the antivirus events in your network.
The data presented in the line graph (also known as swim lanes) is refreshed automatically based on the selected time range. The line graph shows light blue lanes that represent all antivirus events.
Below the swim lanes are widgets displaying critical information such as top five sources and top five destinations.
See Table 27 for descriptions of the widgets.
Table 27: Widgets in Summary View
Widget Name | Displays |
---|---|
Top Sources | Top five source IP addresses of the network traffic; sorted by event count. |
Top Destinations | Top five destination IP addresses of the network traffic; sorted by event count. |
Click the Detailed View for comprehensive details of events in a grid format that includes sortable columns. It displays information in grids that are lazy loaded with infinite scrolling. You can narrow down your search to a particular event based on Event-Name, Source-Address, or Destination-Address. The table includes information such as the rule that caused the event, severity for the event, event ID, traffic information, and how and when the event was detected.
Table 28: Filter Options in Detailed View
Field | Value | Additional Information |
---|---|---|
Filter dropdown (displayed above the grids) | Options available in the filter dropdown are: Event-Name, Source-Address, Destination-Address, Source-Name, User, Role, Reason, Profile, Protocol, and Category. | Select the criteria or parameter on which you want to construct the filter statement. |
Text box | Displays the filter parameter that you selected from the filter dropdown. Note: The filter statement has the following limitation: if you have used the & operator and the parameter Event-Name once, you cannot use them again in the same filter statement. CORRECT USAGE: … WRONG USAGE: … WRONG USAGE: … Note: The filter statement is NOT case-sensitive. | Add the parameter for which you want to filter. For example, if you selected Event-Name as the parameter in the dropdown filter, the text box displays … |
Go | Executes the filter statement that is displayed in the text box. | Click Go. |
X | Clears the filters. | Click X. |
Show/Hide Column Filter (icon represented by three vertical dots) | Enables you to show or hide a column in the grid. | - |
Table 29 describes the grid information displayed in the Detailed View.
Table 29: Antivirus Events - Grid Elements in Detailed View
Grid Element | Description |
---|---|
Event Name | The event name of the log. |
Description | The description of the log. |
UTM Category or Virus Name | The UTM category of the log. |
Source IP | The source IP address from where the event occurred. |
Hostname | The host name in the log. |
SourceZone | User traffic received from the zone. |
Roles | Role names associated with the event. |
Reason | The reason for the log generation. For example, a connection tear down may have an associated reason such as authentication failed. |
URL | Accessed URL name that triggered the event. |
Action | Action taken for the event: warning, allow, or block. |
Profile Name | The profile name of the log. |
Time | The time when the log was received. |
Monitoring IPS Events
Purpose
Use the IPS Events page to view information about security events based on IPS policies and criticality of the IDP events. Analyzing IPS logs yields useful security management information, such as abnormal events or attacks.
Starting in Junos OS Release 19.1R1, IPS Events option is available for logical system users.
Action
To monitor events, select Monitor>Events>IPS in the J-Web user interface.
Meaning
The Time Range graph displays the trend or flow of all the events that have transpired on the device.
You can specify the duration for which you want to view the trend for all events. The available options (30m, 1h, 2h, and so on) are displayed at the top right-hand side of the page. For example, if you choose 30m, the end time is the current system time and the start time is 30 minutes before the current system time.
Click Custom to specify a customized time range. The Custom Time Range Selection popup window is presented. Set the from and to date and time, and click OK to set the time range.
To refresh the graph on demand, click the refresh button.
You can also drag the slider in the Time Range graph from the extreme left or right of the graph to set the time range and see the trend or flow of events that transpired in that time range.
There are two ways to view your data. You can select either the Summary View tab or the Detailed View tab.
The Summary View is selected by default, and it gives a brief summary of all the IPS events in your network.
The data presented in the line graph (also known as swim lanes) is refreshed automatically based on the selected time range. The line graph shows dark red, red, and yellow lanes that represent critical, high, and medium IDP events based on the criticality of events.
Below the swim lanes are widgets displaying critical information such as top five sources, top five destinations, top IPS attacks, and top IPS severities.
See Table 30 for descriptions of the widgets.
Table 30: Widgets in Summary View
Widget Name | Displays |
---|---|
Top Sources | Top five source IP addresses of the network traffic; sorted by event count. |
Top Destinations | Top five destination IP addresses of the network traffic; sorted by event count. |
Top IPS Attacks | Top five IPS attacks; sorted by event count. |
IPS Severities | Doughnut chart that shows the percentage of IPS events by severity level. The colors blue, black, green, and amber represent high, info, critical, and medium IPS events respectively. |
Click the Detailed View for comprehensive details of events in a grid format that includes sortable columns. It displays information in grids that are lazy loaded with infinite scrolling. You can narrow down your search to a particular event based on IP address or attack name. The table includes information such as the rule that caused the event, severity for the event, event ID, traffic information, and how and when the event was detected.
Table 31: Filter Options in Detailed View
Field | Value | Additional Information |
---|---|---|
Filter dropdown (displayed above the grids) | Options available in the filter dropdown are: Event-Name, Source-Address, Destination-Address, Application, User, Service, Policy, Nested-Application, Source-Interface, and Source-Zone. | Select the criteria or parameter on which you want to construct the filter statement. |
Text box | Displays the filter parameter that you selected from the filter dropdown. Note: The filter statement has the following limitation: if you have used the & operator and the parameter Event-Name once, you cannot use them again in the same filter statement. CORRECT USAGE: … WRONG USAGE: … WRONG USAGE: … Note: The filter statement is NOT case-sensitive. | Add the parameter for which you want to filter. For example, if you selected Event-Name as the parameter in the dropdown filter, the text box displays … |
Go | Executes the filter statement that is displayed in the text box. | Click Go. |
X | Clears the filters. | Click X. |
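The Detailed View filter rules described in Tables 25, 28, and 31 (parameter names taken from the dropdown, the & operator, a parameter may not be reused in one statement, and matching is not case-sensitive) are checked by the following added example. It is not Juniper code; the `Parameter=value & Parameter=value` statement syntax is an assumption, since the page does not reproduce the usage examples.

```python
import re

# Parameter names come from the filter dropdowns documented in Tables 25/28
# (antispam and antivirus) and Table 31 (IPS), lower-cased for comparison.
UTM_FILTER_PARAMS = {
    "event-name", "source-address", "destination-address", "source-name",
    "user", "role", "reason", "profile", "protocol", "category",
}
IPS_FILTER_PARAMS = {
    "event-name", "source-address", "destination-address", "application",
    "user", "service", "policy", "nested-application", "source-interface",
    "source-zone",
}

# ASSUMED syntax for one term: "<Parameter>=<value>" (terms joined with &).
_TERM = re.compile(r"^\s*([A-Za-z][A-Za-z-]*)\s*=\s*(\S.*?)\s*$")


def check_filter(statement, allowed):
    """Validate a filter statement against the documented constraints.

    Returns (ok, terms, error): terms is a list of (parameter, value) with the
    parameter lower-cased because the filter is not case-sensitive; error is
    None when the statement is acceptable.
    """
    terms, seen = [], set()
    for raw in statement.split("&"):
        match = _TERM.match(raw)
        if not match:
            return False, terms, "malformed term: %r" % raw.strip()
        param = match.group(1).lower()
        if param not in allowed:
            return False, terms, "unknown parameter: %s" % param
        if param in seen:  # same parameter joined again with & is not allowed
            return False, terms, "parameter %s used more than once" % param
        seen.add(param)
        terms.append((param, match.group(2)))
    return True, terms, None


if __name__ == "__main__":
    # Constructed sample statements, not taken from the documentation.
    for stmt in ("Event-Name=AV_VIRUS_DETECTED & Source-Address=10.0.0.5",
                 "event-name=a & EVENT-NAME=b"):
        print(stmt, "->", check_filter(stmt, UTM_FILTER_PARAMS))
```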
Table 32 describes the grid information displayed in the Detailed View.
Table 32: IPS Events - Grid Elements in Detailed View
Grid Element | Description |
---|---|
Threat Severity | The severity level of the threat. |
Event Name | The event name of the log. |
Description | The description of the log. |
Attack Name | Attack name of the log: Trojan, worm, virus, and so on. |
Source IP | The source IP address from where the event occurred. |
Source Port | The source port of the event. |
Destination IP | The destination IP address of the event. |
Destination Port | The destination port of the event. |
Application | The application name from which the events or logs are generated. |
Hostname | The host name in the log. |
Service Name | The name of the application service. For example, FTP, HTTP, SSH, and so on. |
Protocol ID | The protocol ID in the log. |
Policy Name | Policy name in the log. |
SourceZone | User traffic received from the zone. |
Destination Zone | The destination zone of the log. |
Nested Application | The nested application in the log. |
NAT Source Port | The translated source port. |
NAT Destination Port | The translated destination port. |
Rule Name | The rule name of the log. |
Action | Action taken for the event: warning, allow, or block. |
Time | The time when the log was received. |
Monitoring System
Purpose
Use the System page to view the errors and events recorded in the system log files.
Action
To monitor events, select Monitor>Events>System in the J-Web user interface.
Meaning
Table 33 summarizes key output fields in the events page.
Table 33: System Monitoring Page
Field | Value | Additional Information |
---|---|---|
Events Filter | ||
System Log File | Specifies the name of the system log file that records errors and events. | - |
Process | Specifies the system processes that generate the events to display. | - |
Include archived files | Includes archived log files in the search when selected. | Select to enable. |
Date From | Specifies the beginning of the date range to monitor. Set the date using the calendar pick tool. | - |
To | Specifies the end of the date range to monitor. Set the date using the calendar pick tool. | - |
Event ID | Specifies the specific ID of the error or event to monitor. | - |
Description | Specifies a description of the errors or events to search for. | - |
Search | Fetches the errors and events specified in the search criteria. | - |
Reset | Clears the cache of errors and events that were previously selected. | - |
Generate Report | Creates an HTML report based on the specified parameters. | - |
Events Detail | ||
Process | Displays the system process that generated the error or event. | - |
Severity | Displays the severity level that indicates how seriously the triggering event affects routing platform functions. Only messages from the facility that are rated at that level or higher are logged. Possible severities and their corresponding color codes are: … | - |
Event ID | Displays the unique ID of the error or event. The prefix on each code identifies the generating software process. The rest of the code indicates the specific event or error. | - |
Event Description | Displays a more detailed explanation of the message. | - |
Time | Time that the error or event occurred. | - |