SRX Services Gateway

Juniper SRX IDP and UTM AV (Sophos) Syslog Failed Update Message for Pro-active Alerting

‎01-10-2019 11:50 PM

We have 14+ Juniper SRX300 Firewalls setup to send traffic and IDP/UTM alerts to a syslog collection servers so can do alerting and proactive detection of issues. The SRX300 Firewalls are setup to check every 24hrs for IDP security package updates and UTM Sophos Anti-Virus updates.


As we have all the traffic and IDP event being sent to a syslog server we have the ability to create alerts based upon text string when issues occur. I want to setup an alert on the syslog server to alert when a Juniper SRX fails to update its IDP and Sophos AV security updates successfully.


Does anyone know if there's a particular string, keywords or example event that would be generated by an SRX300 running 15.1X49-D45 when the IDP security package fails to update and install successfully and when a UTM Sophos AV update package fails to update or install correctly?


This will allow creation of an alert when the IDP and UTM AV updates fail. I assume there will need to be a different string/event for the failed IDP versus the UTM AV update failure.


Re: Juniper SRX IDP and UTM AV (Sophos) Syslog Failed Update Message for Pro-active Alerting

‎01-11-2019 07:50 AM

Hello there,

Juniper Networks Syslog Explorer is Your friend:

Your exact JUNOS version is not listed here but I believe the next closest one is relevant (15.1X49-D70).

The syslog messages applicable to Your use case are:








Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements


Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !

Re: Juniper SRX IDP and UTM AV (Sophos) Syslog Failed Update Message for Pro-active Alerting

[ Edited ]
‎01-14-2019 08:49 PM

Hi danewm,


IDP has a specific log that displays the result of the IDP DB installation (either successful or failed). Both IDP and AV logs below are applicable to your Junos OS:




Find more details here:


Some Examples:


Dec 11 08:21:42 1 2018-12-11T08:21:42.027Z a01-b-p-00 idpd 43310 IDP_SECURITY_INSTALL_RESULT [junos@2636. status="Done;Attack DB update : successful - [UpdateNumber=3123,ExportDate=Thu 


%DAEMON-5-IDP_SECURITY_INSTALL_RESULT: security package install result(Done;Attack DB update : not performed due to the same version between downloaded one and installed one.


For the AV results you might want to use "AV_PATTERN_UPDATED" because it means that the update was successful.


2014-05-28T13:04:19.548+02:00 srx210 utmd 1380 AV_PATTERN_UPDATED [junos@2636. version="05/28/2014 12:36 GMT, virus records: 522178" file-size="18635751"]


Also you could use the ones that denote errors like:








More info: 


I hope the above information helps 😉


Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!
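Detection logic for the two events discussed in this thread, as an added example that is not from the thread or from Juniper: it parses the structured-syslog form quoted in the replies, treats any IDP_SECURITY_INSTALL_RESULT status other than the two benign outcomes shown ("successful" and "not performed due to the same version") as a failure, and also flags a firewall whose latest AV_PATTERN_UPDATED is missing or stale, which catches an update that never ran at all. The host names, the junos@2636 OID suffix, the 36-hour staleness window and the failure status wording are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Structured-syslog form from the thread: <ISO ts> <host> <proc> <pid> <EVENT> [junos@... k="v" ...]
STRUCTURED = re.compile(
    r'(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+(?:Z|[+-]\d\d:\d\d)) (?P<host>\S+) \S+ \d+ '
    r'(?P<event>[A-Z][A-Z_]+) \[junos@\S* (?P<attrs>.*)\]\s*$')
# Outcomes the thread shows as benign; any other status alerts, so no failure wording is assumed
IDP_OK = ("Attack DB update : successful", "not performed due to the same version")

def parse(line):
    m = STRUCTURED.search(line)  # search() tolerates a relay-added prefix before the ISO timestamp
    return m and {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
                  "host": m["host"], "event": m["event"],
                  "attrs": dict(re.findall(r'([\w-]+)="([^"]*)"', m["attrs"]))}

def classify(rec):  # -> 'idp_failed', 'idp_ok', 'av_ok', or None if the event is not relevant
    if rec["event"] == "IDP_SECURITY_INSTALL_RESULT":
        status = rec["attrs"].get("status", "")
        return "idp_ok" if any(s in status for s in IDP_OK) else "idp_failed"
    return "av_ok" if rec["event"] == "AV_PATTERN_UPDATED" else None

def evaluate(lines, now, expected_hosts=(), max_age=timedelta(hours=36)):
    # Explicit IDP failures, plus expected hosts whose newest AV_PATTERN_UPDATED is
    # missing or older than max_age (the SRXs poll every 24h; 36h slack is an assumption)
    alerts, last_av = [], {}
    for rec in filter(None, map(parse, lines)):
        verdict = classify(rec)
        if verdict == "idp_failed":
            alerts.append((rec["host"], "IDP install failed: " + rec["attrs"]["status"]))
        elif verdict == "av_ok":
            last_av[rec["host"]] = max(rec["ts"], last_av.get(rec["host"], rec["ts"]))
    for host in sorted(set(last_av) | set(expected_hosts)):
        if host not in last_av:
            alerts.append((host, "no AV_PATTERN_UPDATED seen"))
        elif now - last_av[host] > max_age:
            alerts.append((host, "no AV_PATTERN_UPDATED since " + last_av[host].isoformat()))
    return alerts

# Constructed sample lines modelled on the thread's quotes (not real logs; the OID suffix is a placeholder)
SAMPLE = [
    '2019-01-10T02:00:01.100Z srx-a idpd 4331 IDP_SECURITY_INSTALL_RESULT [junos@2636.0.0.0 status="Done;Attack DB update : successful - [UpdateNumber=3123]"]',
    '2019-01-10T02:00:05.200Z srx-b idpd 4198 IDP_SECURITY_INSTALL_RESULT [junos@2636.0.0.0 status="Done;Attack DB update : not performed due to the same version between downloaded one and installed one."]',
    '2019-01-10T02:01:00.000Z srx-c idpd 4402 IDP_SECURITY_INSTALL_RESULT [junos@2636.0.0.0 status="Failed;Attack DB update : failed (constructed wording)"]',
    '2019-01-10T02:05:19.548Z srx-a utmd 1380 AV_PATTERN_UPDATED [junos@2636.0.0.0 version="01/10/2019 01:36 GMT, virus records: 522178" file-size="18635751"]',
    '2019-01-08T02:05:00.000Z srx-b utmd 1380 AV_PATTERN_UPDATED [junos@2636.0.0.0 version="01/08/2019 01:36 GMT, virus records: 521900" file-size="18600000"]',
]

def run_sample():  # the evaluation time is a constructed constant
    return evaluate(SAMPLE, datetime(2019, 1, 10, 12, tzinfo=timezone.utc),
                    expected_hosts=("srx-a", "srx-b", "srx-c"))
```

Run against the sample, the explicit IDP failure on srx-c, the stale AV pattern on srx-b and the never-reporting AV on srx-c are the three alerts returned; a real collector would pass its own event stream and the inventory of the 14 firewalls as expected_hosts.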