
Custom parsing rules for Juniper MAG (partial) 7.4.X

Dear Community,

We are running some Juniper MAG (MAG-SM360, 7.4RXX) for SSL VPN, sending SYSLOG events to the SIEM using WELF format (not the standard one).

We selected WELF as it's easier to write regex.

Although this product is listed as fully supported, I discovered the default ASP rules are not parsing these events correctly, or are just discarding some useful information (like the assigned internal address, or hostname for example). I tried to "fix" them but realized it would take too much time.

Instead, I have created custom rules from scratch for the most common events:

  • Juniper - NWC30993: Closed connection.
  • Juniper - NWC30477: VPN Tunneling: User connected with SSL transport mode.
  • Juniper - NWC23465: VPN Tunneling: Session ended.
  • Juniper - NWC23464: VPN Tunneling: Session started.
  • Juniper - ERR24670: VPN Tunneling.
  • Juniper - EAM30446: Session extended.
  • Juniper - EAM24460: Session resumed.
  • Juniper - AUT31014: Closed connection to TUN-VPN.
  • Juniper - AUT31002: Connected to TUN-VPN.
  • Juniper - AUT30544: User chose to proceed on the sign-in notification page HC KO
  • Juniper - AUT24804: Host Checker policy failed.
  • Juniper - AUT24803: Host Checker policy passed.
  • Juniper - AUT24414: Agent login succeeded.
  • Juniper - AUT24327: Primary authentication failed.
  • Juniper - AUT24326: Primary authentication successful.
  • Juniper - AUT23574: logged out because user started new session.
  • Juniper - AUT23524: Roles changed during policy reevaluation.
  • Juniper - AUT23457: Login failed using auth server.
  • Juniper - AUT23277: Password realm restrictions failed.
  • Juniper - AUT23181: Session has been terminated.
  • Juniper - AUT23077: Roles changed.
  • Juniper - AUT22927: System process detected a Host Checker time out.
  • Juniper - AUT22925: Host Checker policy failed.
  • Juniper - AUT22886: Session timed out.
  • Juniper - AUT22675: Login failed. Subsequent attempts will be blocked.
  • Juniper - AUT22673: Logout.
  • Juniper - AUT22670: Login succeeded.
  • Juniper - AUT21097: Radius Server unreachable. Login failed.
  • Juniper - AUT21073: Failed login. Next Token code is invalid.
  • Juniper - AUT21071: Login. New PIN required.
  • Juniper - AUT21052: Login rejected. IP address is blocked.
  • Juniper - AUT20919: Remote address changed
  • Juniper - AUT20918: Remote address changed. Access denied.
  • Juniper - AUT20915: Session timed out
  • Juniper - AUT20914: Max session timeout
  • Juniper - AGU30458: Ending dsagentd session.
  • Juniper - AGU30457: Starting dsagentd session.

I also created 3 new custom fields:

  1. MobileSSL_IP: used to store the assigned internal IP once user is connected to the VPN. (IPv4, #2)
  2. MobileSSL_Group: used to store the groups assigned to the user when authenticated. (string, #1)
  3. MobileSSL_US: used to store the application string used by the client. (String, #3)

All these rules are catching the following variables (even if these variables are expected to be empty - this allows easier rule management):

  • time: time of the event, mapped to first/last time
  • vpn_server: the VPN server IP, mapped to destination IPv4
  • user: mapped to UserIDSRc
  • roles: mapped to MobileSSL_Group
  • src: the user's public IP, mapped to source IPv4
  • dst: the assigned internal IP, mapped to MobileSSL_IP
  • sent: bytes sent (once the session is terminated)
  • received: bytes received (once the session is terminated)
  • agent, mapped to MobileSSL_UA
  • duration: mapped to Elapse_Time.

Best regards,
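
For readers who want to prototype this extraction outside the SIEM, here is an added example (not part of the original post and not the poster's rules) that parses a WELF-style line into the variables listed above, keeping empty fields so every event has the same shape. The sample event and the WELF key names `fw` and `rcvd` are assumptions; the post does not show a raw event.

```python
import re
from ipaddress import ip_address

# Constructed sample event; the post shows no raw log line.
# WELF key names (fw, rcvd, ...) are assumptions about the feed.
SAMPLE = (
    '<134>Jan 10 09:15:02 mag01 Juniper: id=firewall time="2024-01-10 09:15:02" '
    'pri=6 fw=192.0.2.10 user=jdoe roles="VPN-Users,Admins" src=198.51.100.23 '
    'dst=10.20.30.40 dstname= sent=10240 rcvd=20480 '
    'agent="Mozilla/5.0 (constructed)" duration=3600 '
    'msg="NWC23465: VPN Tunneling: Session ended."'
)

# key=value or key="quoted value"; an empty value is valid
PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')
# Message IDs in the rule list are three letters plus five digits
MSG_ID = re.compile(r'^([A-Z]{3}\d{5}):\s*(.*)$')

# Assumed WELF key -> variable name used in the post
FIELD_MAP = {"time": "time", "fw": "vpn_server", "user": "user",
             "roles": "roles", "src": "src", "dst": "dst", "sent": "sent",
             "rcvd": "received", "agent": "agent", "duration": "duration"}
IP_FIELDS = {"vpn_server", "src", "dst"}
INT_FIELDS = {"sent", "received", "duration"}

def parse_welf(line):
    """Return every mapped variable; empty or malformed values become None."""
    raw = {k: (q or b) for k, q, b in PAIR.findall(line)}
    event = {}
    for key, field in FIELD_MAP.items():
        value = raw.get(key) or None
        if value and field in IP_FIELDS:
            try:
                value = str(ip_address(value))
            except ValueError:
                value = None  # never map a non-address into an IP field
        elif value and field in INT_FIELDS:
            value = int(value) if value.isdigit() else None
        event[field] = value
    msg = raw.get("msg", "")
    m = MSG_ID.match(msg)
    event["msg_id"] = m.group(1) if m else None
    event["message"] = m.group(2) if m else (msg or None)
    return event

if __name__ == "__main__":
    print(parse_welf(SAMPLE))
```
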

