Package juniper/srx Release Notes

Package juniper/srx Release Notes Version 1.4.0

  • Added support for authentication events with UI_LOGIN_EVENT, DYNAMIC_VPN_AUTH_OK, REMOTE_ACCESS_VPN_AUTH_OK, DYNAMIC_VPN_AUTH_FAIL, and REMOTE_ACCESS_VPN_AUTH_FAIL message IDs

  • Enhanced source IP extraction with support for src-ip-str field

  • Added user.name field mapping from source.user.name when available

  • Fixed indentation in SSH authentication message parsing

Package juniper/srx Release Notes Version 1.3.0

  • Updated parser to use ECS 8.17.0

  • Improved field extraction with format() function

  • Enhanced array handling with array:append() for event categories and types

  • Added support for mgd login events with user roles and service type

  • Fixed field handling for null values

  • The old parser srx-syslog is now officially removed from the Juniper SRX package

Package juniper/srx Release Notes Version 1.2.0
Parser renaming and Deprecation notice

The old parser srx-syslog is deprecated, and replaced by the new parser juniper-srx . While the old parser will remain available during a tranisition period, all future changes will only go into the new juniper-srx parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old srx-syslog parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.

Duplicated vendor fields dropped in new parser

The old srx-syslog parser would duplicate certain fields, which the new juniper-srx parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp ), and as a field mapped to CPS (e.g. source.ip ). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:

  • Vendor.application-risk

  • Vendor.bytes-from-client

  • Vendor.bytes-from-server

  • Vendor.destination-address

  • Vendor.destination-interface-name

  • Vendor.destination-port

  • Vendor.destination-zone-name

  • Vendor.dst-addr

  • Vendor.dst-port

  • Vendor.file-name

  • Vendor.filename

  • Vendor.http-host

  • Vendor.inbound-bytes

  • Vendor.inbound-packets

  • Vendor.local-address

  • Vendor.nat-destination-address

  • Vendor.nat-destination-port

  • Vendor.nat-local-address

  • Vendor.nat-remote-address

  • Vendor.nat-source-address

  • Vendor.nat-source-port

  • Vendor.obj

  • Vendor.outbound-bytes

  • Vendor.outbound-packets

  • Vendor.packet-protocol

  • Vendor.packets-from-client

  • Vendor.packets-from-server

  • Vendor.packets-num

  • Vendor.policy-name

  • Vendor.protocol

  • Vendor.protocol-id

  • Vendor.protocol-name

  • Vendor.reason

  • Vendor.remote-address

  • Vendor.rule-name

  • Vendor.rulebase-name

  • Vendor.sample-sha256

  • Vendor.source-address

  • Vendor.source-port

  • Vendor.source-zone-name

  • Vendor.src-addr

  • Vendor.src-port

  • Vendor.syslog.hostname

  • Vendor.syslog.msgid

  • Vendor.syslog.procid

  • Vendor.urlcategory-risk

  • Vendor.username

Package juniper/srx Release Notes Version 1.1.0

  • Improves the field extraction and performance

  • Sets the event.category , event.type and the event.outcome fields based on the source data

  • Adds observer.* fields, for example: observer.type , observer.product and more

Package juniper/srx Release Notes Version 1.0.0

  • Adds new event.module , event.dataset and Cps.version fields

  • Removes the Product , related.user , related.host and related.ip fields

  • Sets following tags: Cps.version , Vendor , ecs.version , event.dataset , event.kind , event.module , event.outcome , observer.type