Events

Monitoring All Events

Purpose

The All Events page displays an overall, consolidated, high-level view of your network environment. You can view all types of events that are being logged on your SRX Series device and, once the log data has been correlated and analyzed, the abnormal events, attacks, viruses, and spam among them. The page provides an advanced filtering mechanism and visibility into the actual events.

Note
  • For events to be logged, registered, and displayed in the graph, the device must be in stream mode. You can configure stream mode on the Configure > Device Setup > Basic Settings > Logging page (the equivalent CLI statement is set security log mode stream).

  • Starting in Junos OS Release 19.1R1, the All Events option is available for logical system users.

Action

To monitor all events, select Monitor>Events>All Events in the J-Web user interface.

Meaning

The Time Range graph displays the trend, or flow, of all events that have transpired on the device.

You can specify the duration for which you want to view the trend. The available options are 30m, 1h, 2h, and so on, displayed at the top right-hand side of the page. For example, if you choose 30m, the end time is the current system time and the start time is 30 minutes before it.

Click Custom to specify a customized time range. The Custom Time Range Selection popup window is presented. Set the from and to date and time, and click OK to set the time range.

To refresh the graph on demand, click the refresh button.

You can also drag the slider in the Time Range graph from the extreme left or right of the graph to set the time range and see the trend or flow of events that have transpired in that time range.

Table 11 summarizes key output fields in the All Events page.

Table 11: Events Monitoring Page

Field

Value

Additional Information

Chart View—Displays, as numbers, the trend analysis that is plotted in the Time Range graph.

Total Events

Displays the total number of events that occurred in the specified time range.

-

Virus Instances

Displays the number of virus instances that occurred in the specified time range.

-

Attacks

Displays the number of IDP or IPS attacks that occurred in the specified time range.

-

Interface Down

Displays the total number of interfaces that are down.

-

Sessions

Displays the total number of firewall events or sessions that occurred during the time period specified in the Time Range graph.

-

Graphs

Firewall

Web Filtering

IPSec VPNs

Content Filtering

Antispam

Antivirus

IPS

The graphs display the trend analysis in swim lane chart for the time range that you specified in the Time Range graph.

The legend in each graph shows the colors and its related interpretation.

For example, in the Firewall graph, blue color represents all firewall events and black represents blocked firewall events. Similarly, in the IPS graph, orange, amber, and yellow represent critical, high, and medium IPS attacks respectively.

Mouse over any point in the swim lane chart to view further details for that point.

Grid View—Displays information in grids that are lazy loaded with infinite scrolling. You can narrow down your search to a particular event based on IP address, description, or attack name.

Filters: The dropdown filters that are displayed above the grids.

First dropdown filter

Options available in the first filter dropdown are: Firewall, Webfilter, ContentFilter, Antispam, Antivirus, Ipsecvpn, and IPS.

Select the event that you want to filter in the first dropdown filter.

Second dropdown filter

Options available in the second filter dropdown are: event-name, source-address, destination-address, application, user, service, policy, nested-application, source-interface, and source-zone.

Select the next criteria of the event on which you want to filter from the second dropdown filter.

Text box

Displays the filter parameter that you selected from the second filter dropdown.

Note:

In the filter statement the following limitations exist:

  • You can use only one operator at a time.

  • You can use only one instance of a criterion or parameter in one filter statement.

For example, if you have used the & operator and the parameter event-name once, you cannot use them again in the same filter statement.

CORRECT USAGE: event-name = rt_flow_session_close & application=TELNET

WRONG USAGE: event-name = rt_flow_session_close & event-name = rt_flow_session_create (event-name is used twice)

WRONG USAGE: event-name = rt_flow_session_close & source-address=x.x.x.x & application=TELNET (two & operators)

Note: The filter statement is not case-sensitive.

Add the value for which you want to filter. For example, if you selected Firewall as the event filter in the first dropdown and event-name as the parameter in the second dropdown, the text box displays event-name = . If you add rt_flow_session_close to see only firewall session-close events, the text box displays event-name = rt_flow_session_close.

Go

Executes the filter statement that is displayed in the text box.

Click Go.

X

Clears the filters.

Click x.

Show Hide Column Filter icon represented by three vertical dots

Enables you to show or hide a column in the grid.
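The filter-statement rules above (one & operator, one instance of each criterion, not case-sensitive) apply to every Detailed View on this page, and the grid columns in Table 12 below are populated from the fields of the structured-syslog records the SRX emits in stream mode. As an added example that is not Juniper's code and is not part of J-Web, the Python below parses such records, enforces the same filter-statement limits (including the page's "event name" spelling with a space), applies a statement to the parsed records, and computes the Summary View Top Sources count. The four sample records are constructed for this example, and the mapping from filter criteria to structured-syslog field names (user to username, policy to policy-name, service to service-name, source-interface to packet-incoming-interface, source-zone to source-zone-name) is an assumption, not taken from Juniper documentation.

```python
import re
from collections import Counter

# Constructed sample input (not captured from a real device): four records in the
# Junos structured-data syslog format that an SRX emits in stream mode. Field names
# follow the RT_FLOW_* message layouts; hosts, addresses, users and times are invented.
SAMPLE_LOGS = [
    '<14>1 2019-03-14T10:20:30.123Z srx1 RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.1.1.10" source-port="51234" '
    'destination-address="10.2.2.20" destination-port="23" service-name="junos-telnet" '
    'nat-source-address="203.0.113.5" nat-source-port="40001" src-nat-rule-name="snat-out" '
    'protocol-id="6" policy-name="allow-telnet" source-zone-name="trust" '
    'destination-zone-name="untrust" session-id-32="1001" application="TELNET" '
    'username="alice" packet-incoming-interface="ge-0/0/1.0"]',
    '<14>1 2019-03-14T10:21:05.002Z srx1 RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.129 reason="TCP RST" source-address="10.1.1.10" source-port="51300" '
    'destination-address="198.51.100.7" destination-port="80" service-name="junos-http" '
    'protocol-id="6" policy-name="allow-web" source-zone-name="trust" '
    'destination-zone-name="untrust" session-id-32="1002" application="HTTP" username="alice"]',
    '<14>1 2019-03-14T10:21:40.410Z srx1 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.129 source-address="10.1.1.11" source-port="60000" '
    'destination-address="10.2.2.21" destination-port="22" service-name="junos-ssh" '
    'protocol-id="6" policy-name="allow-ssh" source-zone-name="trust" '
    'destination-zone-name="dmz" session-id-32="1003" application="SSH" username="bob"]',
    '<14>1 2019-03-14T10:22:11.777Z srx1 RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@2636.1.1.1.2.129 source-address="10.1.1.12" destination-address="10.2.2.20" '
    'protocol-id="6" service-name="junos-telnet" policy-name="default-deny" '
    'source-zone-name="guest" destination-zone-name="untrust" application="TELNET" '
    'username="N/A" reason="policy deny"]',
]

# RFC 5424 header as Junos writes it: <PRI>1 TIME HOST APP PROCID MSGID [SD-ID params].
_HEADER = re.compile(r'^<\d+>1 (\S+) (\S+) (\S+) (\S+) (\S+) \[(\S+) (.*)\]\s*$')
_PARAM = re.compile(r'([\w-]+)="([^"]*)"')

# Assumed mapping from the page's filter criteria (second dropdown) to the
# structured-syslog field that carries the value; not taken from Juniper documentation.
FILTER_FIELDS = {
    "event-name": "event-name", "source-address": "source-address",
    "destination-address": "destination-address", "application": "application",
    "user": "username", "service": "service-name", "policy": "policy-name",
    "nested-application": "nested-application",
    "source-interface": "packet-incoming-interface", "source-zone": "source-zone-name",
}

def parse_sd_syslog(line):
    """Turn one structured-syslog line into a flat dict keyed by field name.
    The MSGID becomes event-name and the header host becomes hostname."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not a structured-syslog record")
    time, host, _app, _procid, msgid, _sdid, params = m.groups()
    record = {"time": time, "hostname": host, "event-name": msgid}
    record.update(_PARAM.findall(params))
    return record

def parse_filter(statement):
    """Parse 'key = value [& key = value]' into [(key, value)], enforcing the page's
    limits: at most one & operator, each criterion at most once, not case-sensitive.
    'event name' written with a space, as the page does, is accepted as event-name."""
    clauses = statement.split("&")
    if len(clauses) > 2:
        raise ValueError("only one operator (&) is allowed per filter statement")
    parsed, seen = [], set()
    for clause in clauses:
        key, eq, value = clause.partition("=")
        key = re.sub(r"\s+", "-", key.strip().lower())
        value = value.strip().lower()
        if not eq or not key or not value:
            raise ValueError(f"malformed clause: {clause.strip()!r}")
        if key not in FILTER_FIELDS:
            raise ValueError(f"unknown criterion: {key!r}")
        if key in seen:
            raise ValueError(f"criterion {key!r} used more than once")
        seen.add(key)
        parsed.append((key, value))
    return parsed

def filter_error(statement):
    """Return the validation message for a statement, or None when it is acceptable."""
    try:
        parse_filter(statement)
    except ValueError as err:
        return str(err)
    return None

def apply_filter(records, statement):
    """Return the records that satisfy every clause; values compare case-insensitively."""
    clauses = parse_filter(statement)
    return [r for r in records
            if all(r.get(FILTER_FIELDS[k], "").lower() == v for k, v in clauses)]

def top_sources(records, n=5):
    """Summary View 'Top Sources' widget: source IP addresses sorted by event count."""
    return Counter(r["source-address"] for r in records if "source-address" in r).most_common(n)

RECORDS = [parse_sd_syslog(line) for line in SAMPLE_LOGS]

if __name__ == "__main__":
    for rec in apply_filter(RECORDS, "event name = rt_flow_session_close & application=TELNET"):
        print(rec["time"], rec["source-address"], "->", rec["nat-source-address"], rec["reason"])
    print(filter_error("event-name = rt_flow_session_close & event-name = rt_flow_session_create"))
    print(top_sources(RECORDS))
```

Run as a script, the example prints the single constructed record that matches event name = rt_flow_session_close & application=TELNET (with its translated source address and close reason, the NAT Source IP and Reason columns of Table 12), the validation message for the duplicate-criterion statement, and the Top Sources ranking. The same parse_filter function rejects the two WRONG USAGE statements shown above for the reasons the note gives.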

Table 12 describes the grid elements that are displayed in the Detailed View.

Table 12: All Events - Grid Elements in Detailed View

Grid Element

Description

Threat Severity

The severity level of the threat.

Event Name

The event name of the log.

Description

The description of the log.

Attack Name

Attack name of the log: Trojan, worm, virus, and so on.

UTM Category or Virus Name

The UTM category of the log.

Event Category

The event category of the log.

Source IP

The source IP address from where the event occurred.

Source Port

The source port of the event.

Destination IP

The destination IP address of the event.

Destination Port

The destination port of the event.

Application

The application name from which the events or logs are generated.

User Name

The username from whom the log is generated.

Hostname

The host name in the log.

Service Name

The name of the application service. For example, FTP, HTTP, SSH, and so on.

Protocol ID

The protocol ID in the log.

Policy Name

Policy name in the log.

Source Zone

The zone from which the traffic was received.

Destination Zone

The destination zone of the log.

Nested Application

The nested application in the log.

Roles

Role names associated with the event.

Reason

The reason for the log generation. For example, a connection tear down may have an associated reason such as authentication failed.

NAT Source Port

The translated source port.

NAT Destination Port

The translated destination port.

NAT Source Rule Name

The NAT source rule name.

NAT Destination Rule Name

The NAT destination rule name.

NAT Source IP

The translated (or natted) source IP address. It can contain IPv4 or IPv6 addresses.

NAT Destination IP

The translated (also called natted) destination IP address.

Traffic Session ID

The traffic session ID of the log.

URL

Accessed URL name that triggered the event.

Object Name

The object name of the log.

Path Name

The path name of the log.

Logical System Name

The name of the logical system.

Rule Name

The rule name of the log.

Action

Action taken for the event: warning, allow, and block.

Time

The time when the log was received.

Monitoring Firewall Events

Purpose

Use the Firewall Events page to view information about security events based on firewall policies. Analyzing firewall logs yields useful security management information, such as attempts to breach your network, and lets you observe the inherent characteristics of your traffic in real time. Using the time-frame slider, you can quickly focus on the area of activity that you are most interested in. Once the time range is selected, all of the data presented in your view is refreshed automatically. You can also use the Custom button to set a custom time range.

Starting in Junos OS Release 19.1R1, the Firewall Events option is available for logical system and tenant users.

Action

To monitor firewall events select Monitor>Events>Firewall in the J-Web user interface.

Meaning

The Time Range graph displays the trend, or flow, of all events that have transpired on the device.

You can specify the duration for which you want to view the trend. The available options are 30m, 1h, 2h, and so on, displayed at the top right-hand side of the page. For example, if you choose 30m, the end time is the current system time and the start time is 30 minutes before it.

Click Custom to specify a customized time range. The Custom Time Range Selection popup window is presented. Set the from and to date and time, and click OK to set the time range.

To refresh the graph on demand, click the refresh button.

You can also drag the slider in the Time Range graph from the extreme left or right of the graph to set the time range and see the trend or flow of events that have transpired in that time range.

There are two ways to view your data. You can select either the Summary View tab or the Detailed View tab.

The Summary View is selected by default, and it gives a brief summary of all the firewall events in your network.

The data presented in the line graph (also known as swim lanes) is refreshed automatically based on the selected time range. The line graph shows light blue lanes that represent all events and dark blue lanes represent blocked events.

Below the swim lanes are widgets displaying critical information such as top five sources, top five destinations, and top five users.

See Table 13 for descriptions of the widgets.

Table 13: Widgets in Summary View

Widget Name

Displays

Top Sources

Top five source IP addresses of the network traffic; sorted by event count.

Top Destinations

Top five destination IP addresses of the network traffic; sorted by event count.

Top Users

Top five users of the network traffic; sorted by event count.

Click the Detailed View for comprehensive details of events in a grid format that includes sortable columns. It displays information in grids that are lazy loaded with infinite scrolling. You can narrow down your search to a particular event based on IP address, description, or attack name. The table includes information such as the rule that caused the event, severity for the event, event ID, traffic information, and how and when the event was detected.

Table 14: Filter Options in Detailed View

Dropdown filter

The dropdown filter that is displayed above the grids.

Options available in the filter dropdown are: Event-Name, Source-Address, Destination-Address, Application, Rule-name, Threat-Severity, and Attack-Name.

Select the criteria or parameter on which you want to construct the filter statement.

Text box

Displays the filter parameter that you selected from the filter dropdown.

Note:

In the filter statement the following limitations exist:

  • You can use only one operator at a time.

  • You can use only one instance of a criterion or parameter in one filter statement.

For example, if you have used the & operator and the parameter event-name once, you cannot use them again in the same filter statement.

CORRECT USAGE: event-name = rt_flow_session_close & application=TELNET

WRONG USAGE: event-name = rt_flow_session_close & event-name = rt_flow_session_create (event-name is used twice)

WRONG USAGE: event-name = rt_flow_session_close & source-address = x.x.x.x & application = TELNET (two & operators)

Note: The filter statement is not case-sensitive.

Add the value for which you want to filter. For example, if you selected event-name as the parameter in the dropdown filter, the text box displays event-name =. If you add rt_flow_session_close to see only session-close events, the text box displays event-name = rt_flow_session_close.

Go

Executes the filter statement that is displayed in the text box.

Click Go.

X

Clears the filters.

Click x.

Show Hide Column Filter icon represented by three vertical dots

Enables you to show or hide a column in the grid.

Table 15 describes the grid information displayed in the Detailed View.

Table 15: Firewall Events - Grid Elements in Detailed View

Grid Element

Description

Event Name

The event name of the log.

Description

The description of the log.

Source IP

The source IP address from where the event occurred.

Source Port

The source port of the event.

Destination IP

The destination IP address of the event.

Destination Port

The destination port of the event.

Application

The application name from which the events or logs are generated.

User Name

The username from whom the log is generated.

Hostname

The host name in the log.

Service Name

The name of the application service. For example, FTP, HTTP, SSH, and so on.

Protocol ID

The protocol ID in the log.

Policy Name

Policy name in the log.

Source Zone

The zone from which the traffic was received.

Destination Zone

The destination zone of the log.

Nested Application

The nested application in the log.

Roles

Role names associated with the event.

NAT Source Port

The translated source port.

NAT Destination Port

The translated destination port.

NAT Source Rule Name

The NAT source rule name.

NAT Destination Rule Name

The NAT destination rule name.

NAT Source IP

The translated (or natted) source IP address. It can contain IPv4 or IPv6 addresses.

NAT Destination IP

The translated (also called natted) destination IP address.

Traffic Session ID

The traffic session ID of the log.

Rule Name

The rule name of the log.

Action

Action taken for the event: warning, allow, and block.

Time

The time when the log was received.

Monitoring Web Filtering Events

Purpose

Use this page to view information about security events based on Web filtering policies. Web filtering allows you to permit or block access to specific websites by URL or by URL category using cloud-based lookups, a local database, or an external Websense server. Analyzing Web filtering logs yields useful security management information such as users detected accessing restricted URLs and actions taken by the system. Using the time-frame slider, you can quickly focus on the area of activity that you are most interested in. Once the time range is selected, all of the data presented in your view is refreshed automatically. You can also use the Custom button to set a custom time range.

Starting in Junos OS Release 19.1R1, the Web Filtering option is available for logical system users.

Action

To monitor Web filtering events select Monitor>Events>Web Filtering in the J-Web user interface.

Meaning

The Time Range graph displays the trend, or flow, of all events that have transpired on the device.

You can specify the duration for which you want to view the trend. The available options are 30m, 1h, 2h, and so on, displayed at the top right-hand side of the page. For example, if you choose 30m, the end time is the current system time and the start time is 30 minutes before it.

Click Custom to specify a customized time range. The Custom Time Range Selection popup window is presented. Set the from and to date and time, and click OK to set the time range.

To refresh the graph on demand, click the refresh button.

You can also drag the slider in the Time Range graph from the extreme left or right of the graph to set the time range and see the trend or flow of events that have transpired in that time range.

There are two ways to view your data. You can select either the Summary View tab or the Detailed View tab.

The Summary View is selected by default, and it gives a brief summary of all the Web filtering events in your network.

The data presented in the line graph (also known as swim lanes) is refreshed automatically based on the selected time range. The line graph shows light blue lanes that represent all Web filtering events and dark blue lanes represent blocked Web filtering events.

Below the swim lanes are widgets displaying critical information such as top URLs blocked, top matched profiles, top five sources, and top five destinations.

See Table 16 for descriptions of the widgets.

Table 16: Widgets in Summary View

Widget Name

Displays

Top URLs Blocked

Top URLs that are blocked.

Top Matched Profiles

Top matched profiles.

Top Sources

Top five source IP addresses of the network traffic; sorted by event count.

Top Destinations

Top five destination IP addresses of the network traffic; sorted by event count.

Click the Detailed View for comprehensive details of events in a grid format that includes sortable columns. It displays information in grids that are lazy loaded with infinite scrolling. You can narrow down your search to a particular event based on IP address, description, or event name. The table includes information such as the rule that caused the event, severity for the event, event ID, traffic information, and how and when the event was detected.

Table 17: Filter Options in Detailed View

Dropdown filter

The dropdown filter that is displayed above the grids.

Options available in the filter dropdown are: event-name, source-address, destination-address, application, user, service, policy, source-interface, source-zone.

Select the criteria or parameter on which you want to construct the filter statement.

Text box

Displays the filter parameter that you selected from the filter dropdown.

Note:

In the filter statement the following limitations exist:

  • You can use only one operator at a time.

  • You can use only one instance of a criterion or parameter in one filter statement.

For example, if you have used the & operator and the parameter Event-Name once, you cannot use them again in the same filter statement.

CORRECT USAGE: Event-Name = rt_flow_session_close & application=TELNET

WRONG USAGE: Event-Name = rt_flow_session_close & Event-Name = rt_flow_session_create (Event-Name is used twice)

WRONG USAGE: Event-Name = rt_flow_session_close & source-address = x.x.x.x & application = TELNET (two & operators)

Note: The filter statement is not case-sensitive.

Add the value for which you want to filter. For example, if you selected event-name as the parameter in the dropdown filter, the text box displays Event-Name =. If you add WEBFILTER_URL_BLOCKED to see only blocked-URL Web filtering events, the text box displays Event-Name = WEBFILTER_URL_BLOCKED.

Go

Executes the filter statement that is displayed in the text box.

Click Go.

X

Clears the filters.

Click x.

Table 18 describes the grid information displayed in the Detailed View.

Table 18: Web Filtering Events - Grid Elements in Detailed View

Grid Element

Description

Event Name

The event name of the log.

Description

The description of the log.

UTM Category or Virus Name

The UTM category or name of the virus.

Source IP

The source IP address from where the event occurred.

Source Port

The source port of the event.

Destination IP

The destination IP address of the event.

Destination Port

The destination port of the event.

Hostname

The host name in the log.

Source Zone

The zone from which the traffic was received.

Roles

Role names associated with the event.

Reason

The reason for the log generation. For example, a connection tear down may have an associated reason such as authentication failed.

URL

Accessed URL name that triggered the event.

Object Name

The object name of the log.

Path Name

The path name of the log.

Action

Action taken for the event: warning, allow, and block.

Profile Name

Profile name in the log.

Time

The time when the log was received.

Monitoring IPSec VPN Events

Purpose

Use this page to view information about security events based on IPsec VPN policies. The page provides a view of all IPsec VPN events.

Action

To monitor events select Monitor>Events>IPSec VPNs in the J-Web user interface.

Meaning

The Time Range graph displays the trend, or flow, of all events that have transpired on the device.

You can specify the duration for which you want to view the trend. The available options are 30m, 1h, 4h, and so on, displayed at the top right-hand side of the page. For example, if you choose 30m, the end time is the current system time and the start time is 30 minutes before it.

Click Custom to specify a customized time range. The Custom Time Range Selection popup window is presented. Set the from and to date and time, and click OK to set the time range.

To refresh the graph on demand, click the refresh button.

You can also drag the slider in the Time Range graph from the extreme left or right of the graph to set the time range and see the trend or flow of events that have transpired in that time range.

There are two ways to view your data. You can select either the Summary View tab or the Detailed View tab.

The Summary View is selected by default, and it gives a brief summary of all the IPSec VPN events in your network.

The data presented in the line graph (also known as swim lanes) is refreshed automatically based on the selected time range. The line graph shows light blue lanes that represent all IPSec VPN events and dark blue lanes represent blocked IPSec VPN events.

Click the Detailed View for comprehensive details of events in a grid format that includes sortable columns. It displays information in grids that are lazy loaded with infinite scrolling. You can narrow down your search to a particular event by event name. The table includes the event name, description, destination port, hostname, rule name, and the time the event was received.

Table 19: Filter Options in Detailed View

Dropdown filter

The dropdown filter that is displayed above the grids. Event-Name is the only option available in this filter dropdown.

Select Event-Name.

Text box

Displays the filter parameter that you selected from the filter dropdown.

Note:

In the filter statement the following limitations exist:

  • You can use only one operator at a time.

  • You can use only one instance of a criterion or parameter in one filter statement.

For example, if you have used the & operator and the parameter Event-Name once, you cannot use them again in the same filter statement. (The examples below use firewall criteria to illustrate the rules; on this page only Event-Name is available.)

CORRECT USAGE: Event-Name = rt_flow_session_close & application=TELNET

WRONG USAGE: Event-Name = rt_flow_session_close & Event-Name = rt_flow_session_create (Event-Name is used twice)

WRONG USAGE: Event-Name = rt_flow_session_close & source-address = x.x.x.x & application = TELNET (two & operators)

Note: The filter statement is not case-sensitive.

Add the value for which you want to filter. For example, if you selected event-name as the parameter in the dropdown filter, the text box displays Event-Name =. If you add an IPsec VPN event name such as RT_IPSEC_BAD_SPI, RT_IPSEC_REPLAY, or RT_IPSEC_PV_REPLAY to see only those events, the text box displays, for example, Event-Name = RT_IPSEC_BAD_SPI.

Go

Executes the filter statement that is displayed in the text box.

Click Go.

X

Clears the filters.

Click x.

Table 20 describes the grid information displayed in the Detailed View.

Table 20: IPSec VPN Events - Grid Elements in Detailed View

Grid Element

Description

Event Name

The event name of the log.

Description

The description of the log.

Destination Port

The destination port of the event.

Hostname

The host name in the log.

Rule Name

The rule name of the log.

Time

The time when the log was received.

Monitoring Content Filtering Events

Purpose

Use this page to view information about security events based on content filtering policies. The event viewer provides a view of all content filtering events and how the events are handled by content filter. This page can be used to view traffic on the network in real time or as a debugging tool to view how content filtering is operating.

Content filtering provides basic data loss prevention functionality. Content filtering screens traffic based on MIME type, file extension, protocol commands, and embedded object type. It either permits or blocks specific commands or extensions on a protocol-by-protocol basis.

Starting in Junos OS Release 19.1R1, the Content Filtering option is available for logical system users.

Action

To monitor events select Monitor>Events>Content Filtering in the J-Web user interface.

Meaning

The Time Range graph displays the trend, or flow, of all events that have transpired on the device.

You can specify the duration for which you want to view the trend. The available options are 30m, 1h, 2h, and so on, displayed at the top right-hand side of the page. For example, if you choose 30m, the end time is the current system time and the start time is 30 minutes before it.

Click Custom to specify a customized time range. The Custom Time Range Selection popup window is presented. Set the from and to date and time, and click OK to set the time range.

To refresh the graph on demand, click the refresh button.

You can also drag the slider in the Time Range graph from the extreme left or right of the graph to set the time range and see the trend or flow of events that have transpired in that time range.

There are two ways to view your data. You can select either the Summary View tab or the Detailed View tab.

The Summary View is selected by default, and it gives a brief summary of all the Content Filtering events in your network.

The data presented in the line graph (also known as swim lanes) is refreshed automatically based on the selected time range. The line graph shows light blue lanes that represent all Content Filtering events.

Below the swim lanes are widgets displaying critical information such as top five sources, top reasons, and top blocked protocol commands.

See Table 21 for descriptions of the widgets.

Table 21: Widgets in Summary View

Widget Name

Displays

Top Sources

Top five source IP addresses of the network traffic; sorted by event count.

Top Reasons

Top reasons recorded in content filtering events (the Reason column of the Detailed View).

Top Blocked Protocol Commands

Top protocol commands blocked by content filtering.

Click the Detailed View for comprehensive details of events in a grid format that includes sortable columns. It displays information in grids that are lazy loaded with infinite scrolling. You can narrow down your search to a particular event based on Event-Name, Source-Address, Reason, or Profile. The table includes information such as event name, description, source IP, reason, profile, and how and when the event was detected.

Table 22: Filter Options in Detailed View

Dropdown filter

The dropdown filter that is displayed above the grids.

Options available in the filter dropdown are: Event-Name, Source-Address, Destination-Address, Source-Name, User, Role, Reason, Profile, Protocol, and Category.

Select the criteria or parameter on which you want to construct the filter statement.

Text box

Displays the filter parameter that you selected from the filter dropdown.

Note:

In the filter statement the following limitations exist:

  • You can use only one operator at a time.

  • You can use only one instance of a criterion or parameter in one filter statement.

For example, if you have used the & operator and the parameter Event-Name once, you cannot use them again in the same filter statement.

CORRECT USAGE: Event-Name = rt_flow_session_close & application=TELNET

WRONG USAGE: Event-Name = rt_flow_session_close & Event-Name = rt_flow_session_create (Event-Name is used twice)

WRONG USAGE: Event-Name = rt_flow_session_close & source-address = x.x.x.x & application = TELNET (two & operators)

Note: The filter statement is not case-sensitive.

Add the value for which you want to filter. For example, if you selected event-name as the parameter in the dropdown filter, the text box displays Event-Name =. If you add CONTENT-FILTERING-BLOCKED-MT to see only blocked content filtering events, the text box displays Event-Name = CONTENT-FILTERING-BLOCKED-MT.

Go

Executes the filter statement that is displayed in the text box.

Click Go.

X

Clears the filters.

Click x.

Show Hide Column Filter icon represented by three vertical dots

Enables you to show or hide a column in the grid.

Table 23 describes the grid information displayed in the Detailed View.

Table 23: Content Filtering Events - Grid Elements in Detailed View

Grid Element

Description

Event Name

The event name of the log.

Description

The description of the log.

UTM Category or Virus Name

The UTM category or name of the virus.

Event Category

The event category of the log.

Source IP

The source IP address from where the event occurred.

Hostname

The host name in the log.

Source Zone

The zone from which the traffic was received.

Roles

Role names associated with the event.

Reason

The reason for the log generation. For example, a connection tear down may have an associated reason such as authentication failed.

URL

Accessed URL name that triggered the event.

Action

Action taken for the event: warning, allow, and block.

Profile Name

Profile name in the log.

Time

The time when the log was received.

Monitoring Antispam Events

Purpose

Use this page to view information about security events based on antispam policies. The event viewer provides a view of all antispam events and the action taken by the antispam scanner.

The antispam scanner inspects and blocks spam by scanning inbound and outbound SMTP e-mail traffic. Filtering can be server-based, using an external spam block list server, or local, using local lists (blacklists and whitelists) for matching.

Starting in Junos OS Release 19.1R1, the Antispam option is available for logical system users.

Action

To monitor events select Monitor>Events>Antispam in the J-Web user interface.

Meaning

The Time Range graph displays the trend, or flow, of all events that have transpired on the device.

You can specify the duration for which you want to view the trend. The available options are 30m, 1h, 2h, and so on, displayed at the top right-hand side of the page. For example, if you choose 30m, the end time is the current system time and the start time is 30 minutes before it.

Click Custom to specify a customized time range. The Custom Time Range Selection popup window is presented. Set the from and to date and time, and click OK to set the time range.

To refresh the graph on demand, click the refresh button.

You can also drag the slider in the Time Range graph from the extreme left or right of the graph to set the time range and see the trend or flow of events that have transpired in that time range.

There are two ways to view your data. You can select either the Summary View tab or the Detailed View tab.

The Summary View is selected by default, and it gives a brief summary of all the antispam events in your network.

The data presented in the line graph (also known as swim lanes) is refreshed automatically based on the selected time range. The line graph shows light blue lanes that represent all antispam events.

Below the swim lanes is a widget displaying top five sources.

See Table 24 for descriptions of the widgets.

Table 24: Widgets in Summary View

Widget Name

Displays

Top Sources

Top five source IP addresses of the network traffic; sorted by event count.

Click the Detailed View tab for comprehensive details of events in a grid format with sortable columns. Information is displayed in grids that are lazy loaded with infinite scrolling. You can narrow down your search to a particular event based on IP address or description. The table includes information such as the rule that caused the event and how and when the event was detected.

Table 25: Filter Options in Detailed View

The dropdown filter that is displayed above the grids.

Options available in the filter dropdown are: Event-Name, Source-Address, Destination-Address, Source-Name, User, Role, Reason, Profile, Protocol, and Category.

Select the criteria or parameter on which you want to construct the filter statement.

Text box

Displays the filter parameter that you selected from the filter dropdown.

Note:

The filter statement has the following limitations:

  • You can use only one operator at a time.

  • You can use only one instance of a criterion or parameter in one filter statement.

For example, if you have used the & operator and the parameter event-name once, you cannot use them again in the same filter statement.

CORRECT USAGE: event name = rt_flow_session_close & application=TELNET

WRONG USAGE: event name = rt_flow_session_close & event-name = rt_flow_session_create

WRONG USAGE: event name = rt_flow_session_close & source-address = x.x.x.x & application = TELNET

Note: The filter statement is NOT case-sensitive.

Add the value for the parameter on which you want to filter. For example, if you selected event-name as the parameter in the dropdown filter, the text box displays event-name =. If you add ANTISPAM_SPAM_DETECTED_MTA to see only antispam events, the text box displays event name = ANTISPAM_SPAM_DETECTED_MTA.

Go

Executes the filter statement that is displayed in the text box.

Click Go.

X

Clears the filters.

Click x.

Show/Hide Column Filter icon (represented by three vertical dots)

Enables you to show or hide a column in the grid.

Table 26 describes the grid information displayed in the Detailed View.

Table 26: Antispam Events - Grid Elements in Detailed View

Grid Element

Description

Event Name

The event name of the log.

Description

The description of the log.

UTM Category or Virus Name

The UTM category of the log.

Source IP

The source IP address from where the event occurred.

Hostname

The host name in the log.

SourceZone

User traffic received from the zone.

Roles

Role names associated with the event.

Reason

The reason for the log generation. For example, a connection teardown may have an associated reason such as authentication failed.

URL

Accessed URL name that triggered the event.

Action

Action taken for the event: warning, allow, and block.

Profile Name

Profile name in the log.

Time

The time when the log was received.

Monitoring Antivirus Events

Purpose

Use this page to view information about security events based on antivirus policies. The event viewer provides a view of all antivirus events and the action taken by the virus scanner.

The antivirus scanner inspects files transmitted over several protocols to determine if the files exchanged are malicious (for example, viruses, Trojans, rootkits, and worms).

Starting in Junos OS Release 19.1R1, the Antivirus option is available for logical system users.

Action

To monitor events, select Monitor>Events>Antivirus in the J-Web user interface.

Meaning

The Time Range graph displays the trend or flow of all events that have transpired on the device.

You can specify the duration for which you want to view the trend for all events. The available options are 30m, 1h, 2h, and so on, which are displayed at the top right-hand side of the page. For example, if you choose 30m, the end time is the current system time and the start time is 30 minutes before the current system time.

Click Custom to specify a customized time range. The Custom Time Range Selection popup window is presented. You can set the from and to date and time, and click OK to set the time range.

To refresh the graph on demand, click the refresh button.

You can also drag the slider in the Time Range graph from the extreme left or right of the graph to set the time range and see the trend or flow of events that have transpired in that time range.

There are two ways to view your data. You can select either the Summary View tab or the Detailed View tab.

The Summary View is selected by default, and it gives a brief summary of all the antivirus events in your network.

The data presented in the line graph (also known as swim lanes) is refreshed automatically based on the selected time range. The line graph shows light blue lanes that represent all antivirus events.

Below the swim lanes are widgets displaying critical information such as top five sources and top five destinations.

See Table 27 for descriptions of the widgets.

Table 27: Widgets in Summary View

Widget Name

Displays

Top Sources

Top five source IP addresses of the network traffic; sorted by event count.

Top Destinations

Top five destination IP addresses of the network traffic; sorted by event count.

Click the Detailed View tab for comprehensive details of events in a grid format with sortable columns. Information is displayed in grids that are lazy loaded with infinite scrolling. You can narrow down your search to a particular event based on Event-Name, Source-Address, or Destination-Address. The table includes information such as the rule that caused the event, the severity of the event, the event ID, traffic information, and how and when the event was detected.

Table 28: Filter Options in Detailed View

The dropdown filter that is displayed above the grids.

Options available in the filter dropdown are: Event-Name, Source-Address, Destination-Address, Source-Name, User, Role, Reason, Profile, Protocol, and Category.

Select the criteria or parameter on which you want to construct the filter statement.

Text box

Displays the filter parameter that you selected from the filter dropdown.

Note:

The filter statement has the following limitations:

  • You can use only one operator at a time.

  • You can use only one instance of a criterion or parameter in one filter statement.

For example, if you have used the & operator and the parameter Event-Name once, you cannot use them again in the same filter statement.

CORRECT USAGE: Event-Name = rt_flow_session_close & application=TELNET

WRONG USAGE: event name = rt_flow_session_close & event-name = rt_flow_session_create

WRONG USAGE: event name = rt_flow_session_close & source-address = x.x.x.x & application = TELNET

Note: The filter statement is NOT case-sensitive.

Add the value for the parameter on which you want to filter. For example, if you selected Event-Name as the parameter in the dropdown filter, the text box displays Event-Name =. If you add AV_VIRUS_DETECTED_MT to see only antivirus events, the text box displays Event-Name = AV_VIRUS_DETECTED_MT.

Go

Executes the filter statement that is displayed in the text box.

Click Go.

X

Clears the filters.

Click x.

Show/Hide Column Filter icon (represented by three vertical dots)

Enables you to show or hide a column in the grid.


Table 29 describes the grid information displayed in the Detailed View.

Table 29: Antivirus Events - Grid Elements in Detailed View

Grid Element

Description

Event Name

The event name of the log.

Description

The description of the log.

UTM Category or Virus Name

The UTM category of the log.

Source IP

The source IP address from where the event occurred.

Hostname

The host name in the log.

SourceZone

User traffic received from the zone.

Roles

Role names associated with the event.

Reason

The reason for the log generation. For example, a connection teardown may have an associated reason such as authentication failed.

URL

Accessed URL name that triggered the event.

Action

Action taken for the event: warning, allow, and block.

Profile Name

The profile name of the log.

Time

The time when the log was received.

Monitoring IPS Events

Purpose

Use the IPS Events page to view information about security events based on IPS policies and criticality of the IDP events. Analyzing IPS logs yields useful security management information, such as abnormal events or attacks.

Starting in Junos OS Release 19.1R1, the IPS Events option is available for logical system users.

Action

To monitor events, select Monitor>Events>IPS in the J-Web user interface.

Meaning

The Time Range graph displays the trend or flow of all events that have transpired on the device.

You can specify the duration for which you want to view the trend for all events. The available options are 30m, 1h, 2h, and so on, which are displayed at the top right-hand side of the page. For example, if you choose 30m, the end time is the current system time and the start time is 30 minutes before the current system time.

Click Custom to specify a customized time range. The Custom Time Range Selection popup window is presented. You can set the from and to date and time, and click OK to set the time range.

To refresh the graph on demand, click the refresh button.

You can also drag the slider in the Time Range graph from the extreme left or right of the graph to set the time range and see the trend or flow of events that have transpired in that time range.

There are two ways to view your data. You can select either the Summary View tab or the Detailed View tab.

The Summary View is selected by default, and it gives a brief summary of all the IPS events in your network.

The data presented in the line graph (also known as swim lanes) is refreshed automatically based on the selected time range. The line graph shows dark red, red, and yellow lanes that represent critical, high, and medium IDP events based on the criticality of events.

Below the swim lanes are widgets displaying critical information such as top five sources, top five destinations, top IPS attacks, and top IPS severities.

See Table 30 for descriptions of the widgets.

Table 30: Widgets in Summary View

Widget Name

Displays

Top Sources

Top five source IP addresses of the network traffic; sorted by event count.

Top Destinations

Top five destination IP addresses of the network traffic; sorted by event count.

Top IPS Attacks

Top five IPS attacks; sorted by event count.

IPS Severities

Doughnut chart that shows the percentage of IPS events by severity level. The colors blue, black, green, and amber represent high, info, critical, and medium IPS events respectively.

Click the Detailed View tab for comprehensive details of events in a grid format with sortable columns. Information is displayed in grids that are lazy loaded with infinite scrolling. You can narrow down your search to a particular event based on IP address or attack name. The table includes information such as the rule that caused the event, the severity of the event, the event ID, traffic information, and how and when the event was detected.

Table 31: Filter Options in Detailed View

The dropdown filter that is displayed above the grids.

Options available in the filter dropdown are: Event-Name, Source-Address, Destination-Address, Application, User, Service, Policy, Nested-Application, Source-Interface, and Source-Zone.

Select the criteria or parameter on which you want to construct the filter statement.

Text box

Displays the filter parameter that you selected from the filter dropdown.

Note:

The filter statement has the following limitations:

  • You can use only one operator at a time.

  • You can use only one instance of a criterion or parameter in one filter statement.

For example, if you have used the & operator and the parameter Event-Name once, you cannot use them again in the same filter statement.

CORRECT USAGE: Event-Name = rt_flow_session_close & application=TELNET

WRONG USAGE: Event-Name = rt_flow_session_close & Event-Name = rt_flow_session_create

WRONG USAGE: Event-Name = rt_flow_session_close & source-address = x.x.x.x & application = TELNET

Note: The filter statement is NOT case-sensitive.

Add the value for the parameter on which you want to filter. For example, if you selected Event-Name as the parameter in the dropdown filter, the text box displays Event-Name =. If you add IDP_ATTACK_LOG_EVENT to see only IPS events, the text box displays Event-Name = IDP_ATTACK_LOG_EVENT.

Go

Executes the filter statement that is displayed in the text box.

Click Go.

X

Clears the filters.

Click x.
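The filter-statement rules in the notes above (one operator per statement, one instance of each parameter, case-insensitive matching) are the same for the Antispam, Antivirus, and IPS Events Detailed Views. The validator below is an added example, not J-Web code; it applies those rules and checks parameter names against the IPS dropdown list in Table 31. Treating a key typed with spaces (event name) as the same parameter as Event-Name is an assumption of this example, not something the page states.

```python
import re
from typing import List, Tuple

# Parameters offered by the IPS Events filter dropdown (Table 31 on this page).
IPS_FILTER_KEYS = {
    "event-name", "source-address", "destination-address", "application",
    "user", "service", "policy", "nested-application", "source-interface",
    "source-zone",
}

OPERATOR = "&"  # the only operator the page documents


def normalize_key(key: str) -> str:
    """Lowercase the parameter name and join words with hyphens.

    The page says the statement is not case-sensitive; treating
    'event name' and 'Event-Name' as the same parameter is an assumption.
    """
    return re.sub(r"\s+", "-", key.strip().lower())


def parse_filter(statement: str) -> List[Tuple[str, str]]:
    """Split 'key = value & key2 = value2' into (key, value) pairs."""
    pairs = []
    for term in statement.split(OPERATOR):
        key, sep, value = term.partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError(f"malformed term: {term.strip()!r}")
        pairs.append((normalize_key(key), value.strip()))
    return pairs


def check_filter(statement: str, allowed_keys=IPS_FILTER_KEYS) -> List[str]:
    """Return the rule violations found; an empty list means the statement is usable."""
    problems = []
    if statement.count(OPERATOR) > 1:
        problems.append("operator '&' used more than once")
    try:
        pairs = parse_filter(statement)
    except ValueError as exc:
        return problems + [str(exc)]
    seen = set()
    for key, _ in pairs:
        if key not in allowed_keys:
            problems.append(f"unknown parameter {key!r}")
        if key in seen:
            problems.append(f"parameter {key!r} used more than once")
        seen.add(key)
    return problems


if __name__ == "__main__":
    # The three usage examples from the note, constructed here from the page text.
    for stmt in (
        "Event-Name = rt_flow_session_close & application=TELNET",
        "event name = rt_flow_session_close & event-name = rt_flow_session_create",
        "Event-Name = rt_flow_session_close & source-address = x.x.x.x & application = TELNET",
    ):
        print(stmt, "->", check_filter(stmt) or "OK")
```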

Table 32 describes the grid information displayed in the Detailed View.

Table 32: IPS Events - Grid Elements in Detailed View

Grid Element

Description

Threat Severity

The severity level of the threat.

Event Name

The event name of the log.

Description

The description of the log.

Attack Name

Attack name of the log: Trojan, worm, virus, and so on.

Source IP

The source IP address from where the event occurred.

Source Port

The source port of the event.

Destination IP

The destination IP address of the event.

Destination Port

The destination port of the event.

Application

The application name from which the events or logs are generated.

Hostname

The host name in the log.

Service Name

The name of the application service. For example, FTP, HTTP, SSH, and so on.

Protocol ID

The protocol ID in the log.

Policy Name

Policy name in the log.

SourceZone

User traffic received from the zone.

Destination Zone

The destination zone of the log.

Nested Application

The nested application in the log.

NAT Source Port

The translated source port.

NAT Destination Port

The translated destination port.

Rule Name

The rule name of the log.

Action

Action taken for the event: warning, allow, and block.

Time

The time when the log was received.

Monitoring System

Purpose

Use the System page to view system log errors and events.

Action

To monitor events, select Monitor>Events>System in the J-Web user interface.

Meaning

Table 33 summarizes key output fields in the events page.

Table 33: System Monitoring Page

Field

Value

Additional Information

Events Filter

System Log File

Specifies the name of the system log file that records errors and events.

-

Process

Specifies the system processes that generate the events to display.

-

Include archived files

Specifies whether archived log files are included in the search.

Select to enable.

Date From

Specifies the beginning of the date range to monitor. Set the date using the calendar pick tool.

-

To

Specifies the end of the date range to monitor. Set the date using the calendar pick tool.

-

Event ID

Specifies the ID of the error or event to monitor.

-

Description

Enter a description for the errors or events.

-

Search

Fetches the errors and events specified in the search criteria.

-

Reset

Clears the cache of errors and events that were previously selected.

-

Generate Report

Creates an HTML report based on the specified parameters.

-

Events Detail

Process

Displays the system process that generated the error or event.

Severity

Displays the severity level that indicates how seriously the triggering event affects routing platform functions. Only messages from the facility that are rated at that level or higher are logged. Possible severities and their corresponding color code are:

  • Debug/Info/Notice (Green) – Indicates conditions that are not errors but are of interest or might warrant special handling.

  • Warning (Yellow) – Indicates conditions that warrant monitoring.

  • Error (Blue) – Indicates standard error conditions that generally have less serious consequences than errors in the emergency, alert, and critical levels.

  • Critical (Pink) – Indicates critical conditions, such as hard drive errors.

  • Alert (Orange) – Indicates conditions that require immediate correction, such as a corrupted system database.

  • Emergency (Red) – Indicates system panic or other conditions that cause the routing platform to stop functioning.

Event ID

Displays the unique ID of the error or event. The prefix on each code identifies the generating software process. The rest of the code indicates the specific event or error.

-

Event Description

Displays a more detailed explanation of the message.

-

Time

Time that the error or event occurred.

-

Release History Table

Release

Description

19.1R1

Starting in Junos OS Release 19.1R1, the All Events option is available for logical system users.

19.1R1

Starting in Junos OS Release 19.1R1, the Firewall Events option is available for logical system and tenant users.

19.1R1

Starting in Junos OS Release 19.1R1, the Web Filtering option is available for logical system users.

19.1R1

Starting in Junos OS Release 19.1R1, the Content Filtering option is available for logical system users.

19.1R1

Starting in Junos OS Release 19.1R1, the Antispam option is available for logical system users.

19.1R1

Starting in Junos OS Release 19.1R1, the Antivirus option is available for logical system users.

19.1R1

Starting in Junos OS Release 19.1R1, the IPS Events option is available for logical system users.