From ea9d429a587cfa5d523ae66d25032a905413123c Mon Sep 17 00:00:00 2001
From: Tim Dykes
Date: Tue, 29 Oct 2013 12:13:59 +1100
Subject: [PATCH 1/4] added Juniper JunOS recipe to the cookbook.

---
 index.md | 4 ++++
 recipes/junos/index.md | 18 ++++++++++++++++++
 recipes/junos/logstash.conf | 35 +++++++++++++++++++++++++++++++++++
 recipes/junos/srx.conf | 3 +++
 4 files changed, 60 insertions(+)
 create mode 100644 recipes/junos/index.md
 create mode 100644 recipes/junos/logstash.conf
 create mode 100644 recipes/junos/srx.conf

diff --git a/index.md b/index.md
index c9cde9b..8c4ed2b 100644
--- a/index.md
+++ b/index.md
@@ -86,6 +86,10 @@ Have a NodeJS app? Get your logs into logstash efficiently with this cookbook.
 
 Sample configuration for parsing syslog messages from a Cisco ASA firewall
 
+## [ JunOS ](recipes/junos/)
+
+Sample configuration for parsing syslog messages from a JunOS device
+
 ## [The LogStash Book](http://www.logstashbook.com)
 
 An introductory LogStash book.
diff --git a/recipes/junos/index.md b/recipes/junos/index.md
new file mode 100644
index 0000000..8513ae9
--- /dev/null
+++ b/recipes/junos/index.md
@@ -0,0 +1,18 @@
+---
+layout: article
+title: Juniper
+tags: juniper junos utm
+---
+
+* Goal: Demonstrate how to use Grok patterns to index juniper specific syslog messages from JunOS device.
+* Audience: Anyone who has a JunOS device
+
+
+
+# UTM Webfilter
+
+The following logstash configuration shows how you would accept syslog messages regarding UTM Webfilter events from the firewall and parse the messages into something useful.
+{% include_code logstash.conf %}
+
+Below is what the JunOS firewall has configured for syslog. Im matching on "webfilter_url" just to keep the syslog stream cleaner while developing the logstash code.
+{% include_code srx.conf %}
diff --git a/recipes/junos/logstash.conf b/recipes/junos/logstash.conf
new file mode 100644
index 0000000..d093ac2
--- /dev/null
+++ b/recipes/junos/logstash.conf
@@ -0,0 +1,35 @@
+input {
+
+tcp {
+ port => 5000
+ type => utm_webfilter
+ }
+ udp {
+ port => 5000
+ type => utm_webfilter
+ }
+
+
+}
+
+filter {
+if [type] == "utm_webfilter" {
+ grok {
+ match => [ "message", "%{SYSLOGTIMESTAMP:syslog_timestamp}\s+RT_UTM:\s%{WORD:result}:\sWebFilter:\sACTION=\"%{DATA:action}\"\s%{IP:source_address}\(%{NUMBER:source_port}\)->%{IP:dest_address}\(%{NUMBER:dest_port}\)\sCATEGORY=\"%{DATA:category}\"\sREASON=\"%{DATA:reason}\"\sPROFILE=\"%{DATA:profile}\"\sURL=%{HOSTNAME:url}\sOBJ=%{DATA:obj}\sUSERNAME=%{DATA:username}\sROLES=%{DATA:roles}$" ]
+ add_field => [ "received_at", "%{@timestamp}" ]
+ }
+ date {
+ match => { "syslog_timestamp" => [ "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ] }
+ }
+}
+}
+
+
+
+output {
+if [type] == "utm_webfilter" {
+ elasticsearch {
+ cluster => "elasticsearch"
+ }
+}
+}
\ No newline at end of file
diff --git a/recipes/junos/srx.conf b/recipes/junos/srx.conf
new file mode 100644
index 0000000..38a484d
--- /dev/null
+++ b/recipes/junos/srx.conf
@@ -0,0 +1,3 @@
+set system syslog host 192.168.0.50 any any
+set system syslog host 192.168.0.50 match webfilter_url
+set system syslog host 192.168.0.50 port 5000
\ No newline at end of file
From 293d6ad12841b828725d8802a1c1f588745dd89b Mon Sep 17 00:00:00 2001
From: Tim Dykes
Date: Tue, 29 Oct 2013 12:17:15 +1100
Subject: [PATCH 2/4] changed juniper to JunOS

---
 recipes/junos/index.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes/junos/index.md b/recipes/junos/index.md
index 8513ae9..74a52dc 100644
--- a/recipes/junos/index.md
+++ b/recipes/junos/index.md
@@ -1,10 +1,10 @@
 ---
 layout: article
-title: Juniper
+title: Juniper JunOS
 tags: juniper junos utm
 ---
 
-* Goal: Demonstrate how to use Grok patterns to index juniper specific syslog messages from JunOS device.
+* Goal: Demonstrate how to use Grok patterns to index JunOS specific syslog messages from JunOS device.
 * Audience: Anyone who has a JunOS device
 
 
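Review bot: The `tcp` and `udp` inputs in the `input {}` block listen on port 5000 with no `host =>`, so (with the default of all interfaces) the collector accepts events of type utm_webfilter from any address that can reach it, not only from the SRX that srx.conf points at; pinning the listener with `host => "192.168.0.50"` (the collector address used in srx.conf) and restricting port 5000 to the firewall's source address at the host level keeps spoofed webfilter records out of the index. The `date` filter is written with a hash, `match => { "syslog_timestamp" => [...] }`, whereas the Logstash documentation of this period gives the array form `match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]`; I would confirm the targeted version accepts the hash form rather than ignoring it, since otherwise @timestamp stays at receive time instead of event time. The syslog timestamp carries neither year nor timezone, so the parsed value is interpreted in the Logstash host's zone; a `timezone =>` option on the date filter, or a comment stating that assumption, would help readers whose SRX clock is elsewhere. The `elasticsearch` output joins the cluster named "elasticsearch", which is the default name, so the recipe should at least comment that a real deployment uses a non-default cluster name and an explicit `host =>`.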
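Review bot: srx.conf selects no transport for the remote syslog host, and as far as I know JunOS sends remote syslog over UDP unless `transport tcp` is configured on releases that support it, so of the two listeners in logstash.conf only the `udp` one should ever see these messages; the recipe text could state which transport is intended, or the `tcp` input could be dropped. `any any` forwards every facility at every severity with `match webfilter_url` as the only narrowing, which index.md already describes as a development convenience; a one-line comment that production should restrict facility and severity rather than rely on the regex match would round that out.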
From 6bbc7457e01a3c4951b2307440675dd849baee55 Mon Sep 17 00:00:00 2001
From: Tim Dykes
Date: Tue, 29 Oct 2013 12:30:51 +1100
Subject: [PATCH 3/4] Added syslog message example

---
 recipes/junos/index.md | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/recipes/junos/index.md b/recipes/junos/index.md
index 74a52dc..9f92414 100644
--- a/recipes/junos/index.md
+++ b/recipes/junos/index.md
@@ -11,7 +11,15 @@ tags: juniper junos utm
 
 # UTM Webfilter
 
-The following logstash configuration shows how you would accept syslog messages regarding UTM Webfilter events from the firewall and parse the messages into something useful.
+JunOS webfilter messages look like this;
+
+

+Oct  5 06:01:35   RT_UTM: WEBFILTER_URL_PERMITTED: WebFilter: ACTION="URL Permitted" 10.0.0.100(56660)->103.31.7.184(80) CATEGORY="N/A" REASON="BY_OTHER" PROFILE="blockadult" URL=i.imgur.com OBJ=/xxy5xcl.png USERNAME=demo ROLES=NoAdultMaterial
+
+Oct  5 11:19:54   RT_UTM: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" 10.0.0.100(56958)->64.210.140.16(80) CATEGORY="Adult_Sexually_Explicit" REASON="BY_PRE_DEFINED" PROFILE="blockadult" URL=www.porn.com OBJ=/ USERNAME=demo ROLES=NoAdultMaterial
+
+ +The following logstash configuration shows how you would accept this syslog messages from the firewall and parse the messages into something useful. {% include_code logstash.conf %} Below is what the JunOS firewall has configured for syslog. Im matching on "webfilter_url" just to keep the syslog stream cleaner while developing the logstash code. From 5c2ec0f5573fe15f5a12c42d40b2ac41bc3f2f70 Mon Sep 17 00:00:00 2001 From: Tim Dykes Date: Tue, 29 Oct 2013 12:33:22 +1100 Subject: [PATCH 4/4] Fixed md formatting --- recipes/junos/index.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/recipes/junos/index.md b/recipes/junos/index.md index 9f92414..df68cc3 100644 --- a/recipes/junos/index.md +++ b/recipes/junos/index.md @@ -17,10 +17,13 @@ JunOS webfilter messages look like this; Oct 5 06:01:35 RT_UTM: WEBFILTER_URL_PERMITTED: WebFilter: ACTION="URL Permitted" 10.0.0.100(56660)->103.31.7.184(80) CATEGORY="N/A" REASON="BY_OTHER" PROFILE="blockadult" URL=i.imgur.com OBJ=/xxy5xcl.png USERNAME=demo ROLES=NoAdultMaterial Oct 5 11:19:54 RT_UTM: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" 10.0.0.100(56958)->64.210.140.16(80) CATEGORY="Adult_Sexually_Explicit" REASON="BY_PRE_DEFINED" PROFILE="blockadult" URL=www.porn.com OBJ=/ USERNAME=demo ROLES=NoAdultMaterial + The following logstash configuration shows how you would accept this syslog messages from the firewall and parse the messages into something useful. + {% include_code logstash.conf %} Below is what the JunOS firewall has configured for syslog. Im matching on "webfilter_url" just to keep the syslog stream cleaner while developing the logstash code. + {% include_code srx.conf %}