SRX Services Gateway

Juniper SRX IDP and UTM AV (Sophos) Syslog Failed Update Message for Pro-active Alerting

a week ago

We have 14+ Juniper SRX300 Firewalls set up to send traffic and IDP/UTM alerts to syslog collection servers so we can do alerting and proactive detection of issues. The SRX300 Firewalls are set up to check every 24hrs for IDP security package updates and UTM Sophos Anti-Virus updates.

As we have all the traffic and IDP events being sent to a syslog server, we have the ability to create alerts based upon a text string when issues occur. I want to set up an alert on the syslog server to alert when a Juniper SRX fails to update its IDP and Sophos AV security updates successfully.

Does anyone know if there's a particular string, keywords or example event that would be generated by an SRX300 running 15.1X49-D45 when the IDP security package fails to update and install successfully, and when a UTM Sophos AV update package fails to update or install correctly?

This will allow creation of an alert when the IDP and UTM AV updates fail. I assume there will need to be a different string/event for the failed IDP versus the UTM AV update failure.

2 REPLIES

Re: Juniper SRX IDP and UTM AV (Sophos) Syslog Failed Update Message for Pro-active Alerting

a week ago

Hello there,

Juniper Networks Syslog Explorer is Your friend:

https://apps.juniper.net/syslog-explorer/#view=explore

Your exact JUNOS version is not listed here but I believe the next closest one is relevant (15.1X49-D70).

The syslog messages applicable to Your use case are:

IDP_SCHEDULEDUPDATE_START_FAILED

https://apps.juniper.net/syslog-explorer/#msg=IDP_SCHEDULEDUPDATE_START_FAILED&sw=Junos%20OS&rel=15....

AV_PATTERN_GET_FAILED

https://apps.juniper.net/syslog-explorer/#msg=AV_PATTERN_GET_FAILED&sw=Junos%20OS&rel=15.1X49-D70

HTH

Thx

Alex


Re: Juniper SRX IDP and UTM AV (Sophos) Syslog Failed Update Message for Pro-active Alerting

Monday

Hi danewm,

IDP has a specific log that displays the result of the IDP DB installation (either successful or failed). Both IDP and AV logs below are applicable to your Junos OS:

IDP_SECURITY_INSTALL_RESULT

Find more details here:

https://apps.juniper.net/syslog-explorer/#msg=IDP_SECURITY_INSTALL_RESULT&sw=Junos%20OS&rel=15.1X49-...

Some Examples:

Dec 11 08:21:42 10.1.1.65 1 2018-12-11T08:21:42.027Z a01-b-p-00 idpd 43310 IDP_SECURITY_INSTALL_RESULT [junos@2636.1.1.1.2.39 status="Done;Attack DB update : successful - [UpdateNumber=3123,ExportDate=Thu 

%DAEMON-5-IDP_SECURITY_INSTALL_RESULT: security package install result(Done;Attack DB update : not performed due to the same version between downloaded one and installed one.

For the AV results you might want to use "AV_PATTERN_UPDATED" because it means that the update was successful.

2014-05-28T13:04:19.548+02:00 srx210 utmd 1380 AV_PATTERN_UPDATED [junos@2636.1.1.1.2.36 version="05/28/2014 12:36 GMT, virus records: 522178" file-size="18635751"]

Also you could use the ones that denote errors like:

AV_PATTERN_GET_FAILED

AV_PATTERN_KEY_EXPIRED

AV_PATTERN_KL_CHECK_FAILED

AV_PATTERN_TOO_BIG

AV_PATTERN_WRITE_FS_FAILED

More info: https://apps.juniper.net/syslog-explorer/#

I hope the above information helps.

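The two replies above name the messages to key on. What follows is an added example, not code from the thread or from Juniper, of alert logic a syslog collector could run over those messages. It parses both line formats shown in the second reply (the structured-data form with `status="..."` and the `%DAEMON-5-...: security package install result(...)` text form), raises an alert on the explicit failure messages from both replies, treats an IDP install result of "successful" or "not performed due to the same version" as healthy, and additionally flags any device that has not logged a successful IDP or AV update within the 24-hour check interval, which covers a device that silently stops checking or logging at all. The host names, timestamps, field values, the `error-message` field in the failure lines and the reference "now" are constructed placeholders, not real SRX output.

```python
"""Added example (not from the thread or Juniper): alert logic for SRX IDP / Sophos AV
update events. Message names come from the replies above; the log lines are constructed
samples that follow the two formats shown there."""
import re
from datetime import datetime, timedelta, timezone

# Messages the replies list as explicit failure indicators.
IDP_FAILURE_MSGS = {"IDP_SCHEDULEDUPDATE_START_FAILED"}
AV_FAILURE_MSGS = {
    "AV_PATTERN_GET_FAILED", "AV_PATTERN_KEY_EXPIRED", "AV_PATTERN_KL_CHECK_FAILED",
    "AV_PATTERN_TOO_BIG", "AV_PATTERN_WRITE_FS_FAILED",
}

MSG_RE = re.compile(r"\b((?:IDP|AV)_[A-Z_]+)\b")
# Structured-data header as in the examples above: ISO timestamp, host, process, pid.
HDR_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}))\s+"
    r"(?P<host>\S+)\s+(?P<proc>\S+)\s+(?P<pid>\d+)\s+"
)
STATUS_RE = re.compile(r'status="([^"]*)"')       # structured form
RESULT_RE = re.compile(r"install result\((.*)")   # %DAEMON-5- text form


def parse_line(line):
    """Return {host, ts, msg, status} for an IDP_/AV_ event, or None for any other line."""
    m = MSG_RE.search(line)
    if not m:
        return None
    hdr = HDR_RE.search(line)
    host = hdr.group("host") if hdr else "unknown"   # the text form carries no hostname
    ts = datetime.fromisoformat(hdr.group("ts").replace("Z", "+00:00")) if hdr else None
    s = STATUS_RE.search(line) or RESULT_RE.search(line)
    return {"host": host, "ts": ts, "msg": m.group(1), "status": s.group(1) if s else ""}


def classify(ev):
    """Map a parsed event to (verdict, component, reason); verdict is alert, ok or ignore."""
    msg, status = ev["msg"], ev["status"]
    if msg in IDP_FAILURE_MSGS:
        return "alert", "idp", msg
    if msg in AV_FAILURE_MSGS:
        return "alert", "av", msg
    if msg == "IDP_SECURITY_INSTALL_RESULT":
        # "successful" and "not performed due to the same version" both mean the DB is current.
        if "successful" in status or "same version" in status:
            return "ok", "idp", status
        return "alert", "idp", status
    if msg == "AV_PATTERN_UPDATED":
        return "ok", "av", status
    return "ignore", "", msg


def scan(lines):
    """Return (alerts, last_ok): failure alerts and the newest successful update per host/component."""
    alerts, last_ok = [], {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        verdict, comp, reason = classify(ev)
        if verdict == "alert":
            alerts.append((ev["host"], comp, reason))
        elif verdict == "ok" and ev["ts"] is not None:
            key = (ev["host"], comp)
            if key not in last_ok or ev["ts"] > last_ok[key]:
                last_ok[key] = ev["ts"]
    return alerts, last_ok


def stale(last_ok, now, expected_hosts, max_age=timedelta(hours=24)):
    """(host, component) pairs with no successful update inside max_age, including hosts
    that never logged one; this catches a device that stopped checking or logging."""
    out = []
    for host in expected_hosts:
        for comp in ("idp", "av"):
            ts = last_ok.get((host, comp))
            if ts is None or now - ts > max_age:
                out.append((host, comp))
    return out


# Constructed sample input: hosts, times, error-message values and update numbers are placeholders.
SAMPLE_LOGS = [
    'Dec 11 08:21:42 10.1.1.65 1 2018-12-11T08:21:42.027Z srx-a idpd 43310 IDP_SECURITY_INSTALL_RESULT '
    '[junos@2636.1.1.1.2.39 status="Done;Attack DB update : successful - [UpdateNumber=9999,ExportDate=2018-12-10]"]',
    '%DAEMON-5-IDP_SECURITY_INSTALL_RESULT: security package install result(Done;Attack DB update : '
    'not performed due to the same version between downloaded one and installed one.',
    '2018-12-11T08:30:00.000+00:00 srx-a utmd 1380 AV_PATTERN_UPDATED '
    '[junos@2636.1.1.1.2.36 version="12/11/2018 07:00 GMT, virus records: 1" file-size="1"]',
    '2018-12-11T08:31:00.000+00:00 srx-b utmd 1380 AV_PATTERN_GET_FAILED [junos@2636.1.1.1.2.36 error-message="placeholder"]',
    '2018-12-11T08:32:00.000+00:00 srx-b idpd 43310 IDP_SCHEDULEDUPDATE_START_FAILED [junos@2636.1.1.1.2.39 error-message="placeholder"]',
    '2018-12-11T08:33:00.000+00:00 srx-a RT_FLOW 0 RT_FLOW_SESSION_CREATE session created',  # unrelated traffic log
]
EXPECTED_HOSTS = ["srx-a", "srx-b"]
REFERENCE_NOW = datetime(2018, 12, 12, 8, 25, tzinfo=timezone.utc)  # constructed evaluation time

if __name__ == "__main__":
    found_alerts, last_success = scan(SAMPLE_LOGS)
    for host, comp, reason in found_alerts:
        print(f"ALERT {host} {comp}: {reason}")
    for host, comp in stale(last_success, REFERENCE_NOW, EXPECTED_HOSTS):
        print(f"STALE {host} {comp}: no successful update within 24h")
```

The stale check is the part a collector usually misses: a failure message only helps when the box gets far enough to emit one, so the absence of `IDP_SECURITY_INSTALL_RESULT` / `AV_PATTERN_UPDATED` for a device over the scheduled interval is worth an alert of its own. The `expected_hosts` list would come from the inventory of the 14 SRX300s rather than from the logs, so a device that never reports still shows up.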