Junos Rules and Decoder how they work


Ronald Simmons

Jun 8, 2026, 3:10:10 PM
to Wazuh | Mailing List
I am ingesting Juniper logs to the archive index on my Wazuh server, but the decoder never launches. I have the predecoder data, but no decoder launches.

Rule 0640-junos_rules.xml
Decoder 0490-junos_decoders.xml

I guess I don't understand the rule ID that kicks off the decoder. I see four rule IDs:

    <rule id="67100" level="0">
    <rule id="67101" level="10">
    <rule id="67102" level="0">
    <rule id="67103" level="5">
Are these IDs part of the Juniper syslog, or are they something else? I could use a better understanding of the process.

Olamilekan Abdullateef Ajani

Jun 8, 2026, 3:40:32 PM
to Wazuh | Mailing List
Hello,

First, those rule IDs you shared are part of the Junos rules. What could be happening here is that the type of logs being ingested does not match any of those rules, so the investigation needs to start from the archives.json file to review how the logs are ingested and whether corrections need to be made, or to review the syslog configuration on the source, which is the Juniper device.

If you have not already, we need to enable the Wazuh archives and check the logs there that are related to Junos.

You can enable the archive log by editing the /var/ossec/etc/ossec.conf file.
<ossec_config>
  <global>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>
Then restart the Wazuh manager:
systemctl restart wazuh-manager

cat /var/ossec/logs/archives/archives.json | grep "part of your log"
Verify that you have the logs, and please share a sample or two, then disable archiving by setting the values to no.

Please let me know what you find.

Ronald Simmons

Jun 9, 2026, 12:28:56 AM
to Wazuh | Mailing List
Here is my global section. It has a few more items at the moment, but it is yes for both logall and logall_json.

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>

    <logall>yes</logall>
    <logall_json>yes</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>wa...@example.wazuh.com</email_from>
    <email_to>reci...@example.wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>15m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
    <update_check>yes</update_check>
  </global>
</ossec_config>

Olamilekan Abdullateef Ajani

Jun 9, 2026, 9:08:43 AM
to Wazuh | Mailing List
Hello, 

That is a good start since you already have that set up. Next is to filter for the Junos logs, as I also stated earlier.

cat /var/ossec/logs/archives/archives.json | grep "part of your log"
Depending on the log type, you can also filter by the source IP. Verify that you have the logs and please share a sample or two, then disable archiving by setting the values to no.


Please let me know what you find.

Ronald Simmons

Jun 10, 2026, 9:51:21 AM
to Wazuh | Mailing List
Thank you for your help. I have been replying to your questions, but I don't see my replies in this conversation, so I'm not even sure that you will get this. You told me to enable <logall>yes</logall> and <logall_json>yes</logall_json>. That was set in my ossec.conf by default, and it is where my syslog data is going. If I set them to no, won't it stop ingesting Juniper syslog data?

Olamilekan Abdullateef Ajani

Jun 10, 2026, 12:39:26 PM
to Wazuh | Mailing List
Hello

I got your private messages. Private messages won't show up here; you have to reply all before you can see them in the thread.

To the main issue, setting them to no will not stop your logs from being ingested; it only means they won't be written to archives any longer, which in turn saves you storage space. With logall/logall_json set to yes, all logs, whether they match a rule or not, are written to that file, which consumes space and could cause disk performance issues in the future, so we always advise setting those to no.
If they are set to no, you will still get an alert as long as the logs match a rule. The configuration is useful at the initial stage, when you are still trying to map logs to rules and filter out noise.

That said, you have yet to share the sample log requested from the archives.json file; this will help me understand how the logs are ingested and properly map them to a rule. You can send them privately as you initially did.

Regards,

Ronald Simmons

Jun 15, 2026, 2:21:42 PM
to Wazuh | Mailing List
I'm sorry, here are some samples. I sanitized the IPs to variations of 192.168.

1 2026-06-12T18:32:17.543Z XTISC2181FW01 RT_FLOW - RT_FLOW_SESSION_CREATE [ju...@2636.1.1.1.2.164 source-address="192.168.0.1" source-port="49675" destination-address="192.168.0.2" destination-port="161" connection-tag="0" service-name="None" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="192.168.0.3" nat-destination-port="161" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17" policy-name="DENY_ALL" source-zone-name="CLIENTS-INTERNAL-ZONE" destination-zone-name="EXTERNAL-ISP-ZONE" session-id="163208947577" username="N/A" roles="N/A" packet-incoming-interface="xe-0/0/16.75" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A" tunnel-inspection="Off" tunnel-inspection-policy-set="root" source-tenant="N/A" destination-service="N/A" dst-identity-context-name="N/A" dst-identity-context-roles="N/A"] session created 192.168.0.6/49675->192.168.0.5/161 0x0 None 0.0.0.0/0->192.168.0.7/161 0x0 N/A N/A N/A N/A 17 DENY_ALL CLIENTS-INTERNAL-ZONE EXTERNAL-ISP-ZONE 163208947577 N/A(N/A) xe-0/0/16.75 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A Off root N/A N/A N/A N/A


1 2026-06-15T17:21:38.603Z XTISC2181FW01 RT_FLOW - RT_FLOW_SESSION_DENY [ju...@2636.1.1.1.2.164 source-address="192.168.0.1" source-port="54955" destination-address="192.168.0.2" destination-port="443" connection-tag="0" service-name="None" protocol-id="17" icmp-type="0" policy-name="DENY_ALL" source-zone-name="CLIENTS-INTERNAL-ZONE" destination-zone-name="EXTERNAL-ISP-ZONE" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="xe-0/0/16.200" encrypted="No" reason="Denied by policy" session-id="60129579699" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A" source-tenant="N/A" destination-service="N/A" user-type="N/A" dst-identity-context-name="N/A" dst-identity-context-roles="N/A"] session denied 192.168.0.3/54955->142.251.151.119/443 0x0 None 17(0) DENY_ALL CLIENTS-INTERNAL-ZONE EXTERNAL-ISP-ZONE UNKNOWN UNKNOWN N/A(N/A) xe-0/0/16.200 No Denied by policy 60129579699 N/A N/A -1 N/A N/A N/A N/A N/A N/A N/A N/A

Olamilekan Abdullateef Ajani

Jun 15, 2026, 3:11:54 PM
to Wazuh | Mailing List
Hello,

Thanks for sharing the sample log. I created a decoder and rule based on what you shared, and it should work without issues, as I also tested it. Please see attached for reference.

The decoder should be placed in /var/ossec/etc/decoders/local_decoder.xml

<decoder name="juniper-rtflow">
  <prematch type="pcre2">RT_FLOW_SESSION_(CREATE|DENY)</prematch>
</decoder>


<decoder name="juniper-rtflow-create">
  <parent>juniper-rtflow</parent>
  <regex type="pcre2">RT_FLOW_SESSION_(CREATE).*?source-address="([^"]+)".*?source-port="([^"]+)".*?destination-address="([^"]+)".*?destination-port="([^"]+)".*?nat-source-address="([^"]+)".*?nat-destination-address="([^"]+)".*?protocol-id="([^"]+)".*?policy-name="([^"]+)".*?source-zone-name="([^"]+)".*?destination-zone-name="([^"]+)".*?session-id="([^"]+)".*?packet-incoming-interface="([^"]+)"</regex>
  <order>event_type,srcip,srcport,dstip,dstport,nat_srcip,nat_dstip,protocol,policy_name,srczone,dstzone,session_id,interface</order>
</decoder>


<decoder name="juniper-rtflow-deny">
  <parent>juniper-rtflow</parent>
  <regex type="pcre2">RT_FLOW_SESSION_(DENY).*?source-address="([^"]+)".*?source-port="([^"]+)".*?destination-address="([^"]+)".*?destination-port="([^"]+)".*?protocol-id="([^"]+)".*?policy-name="([^"]+)".*?source-zone-name="([^"]+)".*?destination-zone-name="([^"]+)".*?application="([^"]+)".*?packet-incoming-interface="([^"]+)".*?reason="([^"]+)".*?session-id="([^"]+)"</regex>
  <order>event_type,srcip,srcport,dstip,dstport,protocol,policy_name,srczone,dstzone,application,interface,reason,session_id</order>
</decoder>


And rules in /var/ossec/etc/rules/local_rules.xml

<group name="juniper,rtflow,firewall,">

  <rule id="120500" level="5">
    <decoded_as>juniper-rtflow</decoded_as>
    <field name="event_type">^CREATE$</field>
    <description>Juniper RT_FLOW session created from $(srcip):$(srcport) to $(dstip):$(dstport) policy $(policy_name)</description>
  </rule>

  <rule id="120501" level="10">
    <decoded_as>juniper-rtflow</decoded_as>
    <field name="event_type">^DENY$</field>
    <description>Juniper RT_FLOW session denied from $(srcip):$(srcport) to $(dstip):$(dstport) policy $(policy_name)</description>
  </rule>

</group>

Should you require further assistance on this, please capture the sample logs from the archives.json file with the commands below:

cat /var/ossec/logs/archives/archives.json | grep "RT_FLOW_SESSION_CREATE"
cat /var/ossec/logs/archives/archives.json | grep " RT_FLOW - RT_FLOW_SESSION_DENY"


Olamilekan Abdullateef Ajani

Jun 18, 2026, 8:36:56 AM
to Wazuh | Mailing List
Hello, 

Just to update the thread based on the personal message you shared: my last response fixed the issue. Kindly endeavor to reply to all so it can be seen on the thread and other community users can benefit from it.

Thank you for the feedback and have a good one.

Regards,


Ronald Simmons

Jun 19, 2026, 9:36:28 AM
to Wazuh | Mailing List
Again, thank you for your solution; it works beautifully. But can I ask one last question? I used your decoder as an example to create one for APPTRACK_SESSION_VOL_UPDATE. Mine launches the decoder but doesn't launch the child decoder. Can you tell me where my error is? I was trying to use your solution as a teach-a-man-to-fish moment.


Decoder
<decoder name="juniper-apptrack">
  <prematch type="pcre2">APPTRACK_(SESSION_VOL_UPDATE)</prematch>
</decoder>


<decoder name="juniper-apptrack-sessiion-volume-update">
  <parent>juniper-apptrack</parent>
  <regex type="pcre2">APPTRACK_(SESSION_VOL_UPDATE).*?source-address="([^"]+)".*?source-port="([^"]+)".*?destination-address="([^"]+)".*?destination-port="([^"]+)".*?protocol-id="([^"]+)".*?policy-name="([^"]+)".*?source-zone-name="([^"]+)".*?destination-zone-name="([^"]+)".*?application="([^"]+)".*?nested-application="([^"]+)".*?packets-from-client="([^"]+)".*?bytes-from-client="([^"]+)".*?packets-from-server="([^"]+)".*?bytes-from-server="([^"]+)".*?service-name="([^"]+)".*?nat-source-address="([^"]+)".*?nat-source-port="([^"]+)".*?nat-destination-address="([^"]+)".*?nat-destination-port="([^"]+)".*?src-nat-rule-name="([^"]+)".*?dst-nat-rule-name="([^"]+)".*?elapsed-time="([^"]+)".*?username="([^"]+)".*?roles="([^"]+)".*?encrypted="([^"]+)".*?destination-interface-name="([^"]+)".*?category="([^"]+)".*?sub-category="([^"]+)".*?src-vrf-grp="([^"]+)".*?dst-vrf-grp="([^"]+)".*?dscp-value="([^"]+)".*?apbr-rule-type="([^"]+)".*?session-id="([^"]+)"</regex>
  <order>event_type,srcip,srcport,dstip,dstport,protocol,policy_name,srczone,dstzone,application,interface,reason,session_id</order>
</decoder>


Log Example
1 2026-06-18T12:24:42.702Z XTISC2181FW01 RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [ju...@2636.1.1.1.2.164 source-address="192.168.1.1" source-port="45522" destination-address="192.168.1.2" destination-port="443" service-name="junos-https" application="SSL" nested-application="SIGNAL-PRIVATE-MESSENGER" nat-source-address="192.168.1.3" nat-source-port="23422" nat-destination-address="192.168.1.3" nat-destination-port="443" src-nat-rule-name="INTERNET_WWN_NAT" dst-nat-rule-name="N/A" protocol-id="6" policy-name="PERMIT_WEB_OUT" source-zone-name="MANAGEMENT-CLIENTS-ZONE" destination-zone-name="EXTERNAL-ISP-ZONE" session-id="210453414836" packets-from-client="5751" bytes-from-client="477711" packets-from-server="3171" bytes-from-server="556165" elapsed-time="80258" username="N/A" roles="N/A" encrypted="No" destination-interface-name="xe-0/0/19.0" category="Messaging" sub-category="miscellaneous" src-vrf-grp="N/A" dst-vrf-grp="N/A" dscp-value="N/A" apbr-rule-type="N/A"] AppTrack volume update: 172.16.21.3/45522->15.197.251.99/443 junos-https SSL SIGNAL-PRIVATE-MESSENGER 192.168.1.5/23422->192.168.1.4/443 INTERNET_WWN_NAT N/A 6 PERMIT_WEB_OUT MANAGEMENT-CLIENTS-ZONE EXTERNAL-ISP-ZONE 210453414836 5751(477711) 3171(556165) 80258 N/A N/A No xe-0/0/19.0 Messaging miscellaneous N/A N/A N/A N/A 

Olamilekan Abdullateef Ajani

Jun 19, 2026, 12:47:40 PM
to Wazuh | Mailing List
Hello,

In the log, service-name, application, NAT fields, and protocol-id appear before policy-name. But in the decoder regex you created, it expects protocol-id immediately after destination-port, so the child decoder will never match.

Also, your <order> has fewer fields than your regex captures. Please note that the order field has to mirror exactly the fields you are trying to extract.

Please use the version I created below:

<decoder name="juniper-apptrack">
  <prematch type="pcre2">APPTRACK_SESSION_VOL_UPDATE</prematch>
</decoder>

<decoder name="juniper-apptrack-session-volume-update">
  <parent>juniper-apptrack</parent>
  <regex type="pcre2">APPTRACK_(SESSION_VOL_UPDATE).*?source-address="([^"]+)".*?source-port="([^"]+)".*?destination-address="([^"]+)".*?destination-port="([^"]+)".*?service-name="([^"]+)".*?application="([^"]+)".*?nested-application="([^"]+)".*?nat-source-address="([^"]+)".*?nat-source-port="([^"]+)".*?nat-destination-address="([^"]+)".*?nat-destination-port="([^"]+)".*?src-nat-rule-name="([^"]+)".*?dst-nat-rule-name="([^"]+)".*?protocol-id="([^"]+)".*?policy-name="([^"]+)".*?source-zone-name="([^"]+)".*?destination-zone-name="([^"]+)".*?session-id="([^"]+)".*?packets-from-client="([^"]+)".*?bytes-from-client="([^"]+)".*?packets-from-server="([^"]+)".*?bytes-from-server="([^"]+)".*?elapsed-time="([^"]+)".*?username="([^"]+)".*?roles="([^"]+)".*?encrypted="([^"]+)".*?destination-interface-name="([^"]+)".*?category="([^"]+)".*?sub-category="([^"]+)".*?src-vrf-grp="([^"]+)".*?dst-vrf-grp="([^"]+)".*?dscp-value="([^"]+)".*?apbr-rule-type="([^"]+)"</regex>
  <order>event_type,srcip,srcport,dstip,dstport,service_name,application,nested_application,nat_srcip,nat_srcport,nat_dstip,nat_dstport,src_nat_rule_name,dst_nat_rule_name,protocol,policy_name,srczone,dstzone,session_id,packets_from_client,bytes_from_client,packets_from_server,bytes_from_server,elapsed_time,username,roles,encrypted,interface,category,sub_category,src_vrf_grp,dst_vrf_grp,dscp_value,apbr_rule_type</order>
</decoder>


You can also learn more about decoders in the documentation below:

Ref:
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
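The three steps this thread walks through (pulling full_log lines out of archives.json, the RT_FLOW parent/child decoder pair, and the diagnosis in this reply that the APPTRACK child never matches and that its <order> does not mirror its captures) can be reproduced offline before anything is copied onto the manager. What follows is an added example, not code from Wazuh or from anyone in this thread. It loads decoder XML, lints every child for a mismatch between the number of regex capture groups and the number of <order> names, and runs the decoders over the two sample logs posted above, read from a constructed two-line archives.json stand-in in which only the full_log key is populated (a real archives.json carries many more keys). It models only the decoder behaviour the thread relies on, a parent selected by <prematch> and then the first child whose <regex> matches with captures assigned positionally to <order>, and it assumes Python's re engine behaves the same as PCRE2 for the constructs these decoders use (.*?, [^"]+ and |). The precise reason the first APPTRACK child fails is that .*? only scans forward: once the regex has consumed up to protocol-id it can never get back to the application= field that precedes it in the log. The authoritative test is still /var/ossec/bin/wazuh-logtest on the manager.

```python
"""Offline check for the Wazuh decoders posted in this thread (added example).

It models only what the thread relies on: a parent decoder selected by its
<prematch>, then the first child whose <regex> matches, with the capture
groups assigned positionally to the names in <order>. Python's re stands in
for PCRE2 (assumption: .*?, [^"]+ and | behave the same in both engines).
The authoritative test is still /var/ossec/bin/wazuh-logtest on the manager.
"""
import json
import re
import xml.etree.ElementTree as ET

# Decoders quoted from the thread: the RT_FLOW parent and its DENY child, the
# APPTRACK parent, the APPTRACK child as first posted (never matches, and its
# <order> is too short) and the corrected APPTRACK child.
DECODERS_XML = r'''
<decoder name="juniper-rtflow">
  <prematch type="pcre2">RT_FLOW_SESSION_(CREATE|DENY)</prematch>
</decoder>
<decoder name="juniper-rtflow-deny">
  <parent>juniper-rtflow</parent>
  <regex type="pcre2">RT_FLOW_SESSION_(DENY).*?source-address="([^"]+)".*?source-port="([^"]+)".*?destination-address="([^"]+)".*?destination-port="([^"]+)".*?protocol-id="([^"]+)".*?policy-name="([^"]+)".*?source-zone-name="([^"]+)".*?destination-zone-name="([^"]+)".*?application="([^"]+)".*?packet-incoming-interface="([^"]+)".*?reason="([^"]+)".*?session-id="([^"]+)"</regex>
  <order>event_type,srcip,srcport,dstip,dstport,protocol,policy_name,srczone,dstzone,application,interface,reason,session_id</order>
</decoder>
<decoder name="juniper-apptrack">
  <prematch type="pcre2">APPTRACK_SESSION_VOL_UPDATE</prematch>
</decoder>
<decoder name="juniper-apptrack-sessiion-volume-update">
  <parent>juniper-apptrack</parent>
  <regex type="pcre2">APPTRACK_(SESSION_VOL_UPDATE).*?source-address="([^"]+)".*?source-port="([^"]+)".*?destination-address="([^"]+)".*?destination-port="([^"]+)".*?protocol-id="([^"]+)".*?policy-name="([^"]+)".*?source-zone-name="([^"]+)".*?destination-zone-name="([^"]+)".*?application="([^"]+)".*?nested-application="([^"]+)".*?packets-from-client="([^"]+)".*?bytes-from-client="([^"]+)".*?packets-from-server="([^"]+)".*?bytes-from-server="([^"]+)".*?service-name="([^"]+)".*?nat-source-address="([^"]+)".*?nat-source-port="([^"]+)".*?nat-destination-address="([^"]+)".*?nat-destination-port="([^"]+)".*?src-nat-rule-name="([^"]+)".*?dst-nat-rule-name="([^"]+)".*?elapsed-time="([^"]+)".*?username="([^"]+)".*?roles="([^"]+)".*?encrypted="([^"]+)".*?destination-interface-name="([^"]+)".*?category="([^"]+)".*?sub-category="([^"]+)".*?src-vrf-grp="([^"]+)".*?dst-vrf-grp="([^"]+)".*?dscp-value="([^"]+)".*?apbr-rule-type="([^"]+)".*?session-id="([^"]+)"</regex>
  <order>event_type,srcip,srcport,dstip,dstport,protocol,policy_name,srczone,dstzone,application,interface,reason,session_id</order>
</decoder>
<decoder name="juniper-apptrack-session-volume-update">
  <parent>juniper-apptrack</parent>
  <regex type="pcre2">APPTRACK_(SESSION_VOL_UPDATE).*?source-address="([^"]+)".*?source-port="([^"]+)".*?destination-address="([^"]+)".*?destination-port="([^"]+)".*?service-name="([^"]+)".*?application="([^"]+)".*?nested-application="([^"]+)".*?nat-source-address="([^"]+)".*?nat-source-port="([^"]+)".*?nat-destination-address="([^"]+)".*?nat-destination-port="([^"]+)".*?src-nat-rule-name="([^"]+)".*?dst-nat-rule-name="([^"]+)".*?protocol-id="([^"]+)".*?policy-name="([^"]+)".*?source-zone-name="([^"]+)".*?destination-zone-name="([^"]+)".*?session-id="([^"]+)".*?packets-from-client="([^"]+)".*?bytes-from-client="([^"]+)".*?packets-from-server="([^"]+)".*?bytes-from-server="([^"]+)".*?elapsed-time="([^"]+)".*?username="([^"]+)".*?roles="([^"]+)".*?encrypted="([^"]+)".*?destination-interface-name="([^"]+)".*?category="([^"]+)".*?sub-category="([^"]+)".*?src-vrf-grp="([^"]+)".*?dst-vrf-grp="([^"]+)".*?dscp-value="([^"]+)".*?apbr-rule-type="([^"]+)"</regex>
  <order>event_type,srcip,srcport,dstip,dstport,service_name,application,nested_application,nat_srcip,nat_srcport,nat_dstip,nat_dstport,src_nat_rule_name,dst_nat_rule_name,protocol,policy_name,srczone,dstzone,session_id,packets_from_client,bytes_from_client,packets_from_server,bytes_from_server,elapsed_time,username,roles,encrypted,interface,category,sub_category,src_vrf_grp,dst_vrf_grp,dscp_value,apbr_rule_type</order>
</decoder>
'''

# Sample logs quoted from the thread (IPs already sanitised by the poster).
DENY_LOG = '1 2026-06-15T17:21:38.603Z XTISC2181FW01 RT_FLOW - RT_FLOW_SESSION_DENY [ju...@2636.1.1.1.2.164 source-address="192.168.0.1" source-port="54955" destination-address="192.168.0.2" destination-port="443" connection-tag="0" service-name="None" protocol-id="17" icmp-type="0" policy-name="DENY_ALL" source-zone-name="CLIENTS-INTERNAL-ZONE" destination-zone-name="EXTERNAL-ISP-ZONE" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="xe-0/0/16.200" encrypted="No" reason="Denied by policy" session-id="60129579699" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A" source-tenant="N/A" destination-service="N/A" user-type="N/A" dst-identity-context-name="N/A" dst-identity-context-roles="N/A"] session denied 192.168.0.3/54955->142.251.151.119/443 0x0 None 17(0) DENY_ALL CLIENTS-INTERNAL-ZONE EXTERNAL-ISP-ZONE UNKNOWN UNKNOWN N/A(N/A) xe-0/0/16.200 No Denied by policy 60129579699 N/A N/A -1 N/A N/A N/A N/A N/A N/A N/A N/A'
APPTRACK_LOG = '1 2026-06-18T12:24:42.702Z XTISC2181FW01 RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [ju...@2636.1.1.1.2.164 source-address="192.168.1.1" source-port="45522" destination-address="192.168.1.2" destination-port="443" service-name="junos-https" application="SSL" nested-application="SIGNAL-PRIVATE-MESSENGER" nat-source-address="192.168.1.3" nat-source-port="23422" nat-destination-address="192.168.1.3" nat-destination-port="443" src-nat-rule-name="INTERNET_WWN_NAT" dst-nat-rule-name="N/A" protocol-id="6" policy-name="PERMIT_WEB_OUT" source-zone-name="MANAGEMENT-CLIENTS-ZONE" destination-zone-name="EXTERNAL-ISP-ZONE" session-id="210453414836" packets-from-client="5751" bytes-from-client="477711" packets-from-server="3171" bytes-from-server="556165" elapsed-time="80258" username="N/A" roles="N/A" encrypted="No" destination-interface-name="xe-0/0/19.0" category="Messaging" sub-category="miscellaneous" src-vrf-grp="N/A" dst-vrf-grp="N/A" dscp-value="N/A" apbr-rule-type="N/A"] AppTrack volume update: 172.16.21.3/45522->15.197.251.99/443 junos-https SSL SIGNAL-PRIVATE-MESSENGER 192.168.1.5/23422->192.168.1.4/443 INTERNET_WWN_NAT N/A 6 PERMIT_WEB_OUT MANAGEMENT-CLIENTS-ZONE EXTERNAL-ISP-ZONE 210453414836 5751(477711) 3171(556165) 80258 N/A N/A No xe-0/0/19.0 Messaging miscellaneous N/A N/A N/A N/A'

# Constructed stand-in for /var/ossec/logs/archives/archives.json: one JSON
# object per line. A real file carries many more keys than full_log.
SAMPLE_ARCHIVE = "\n".join(json.dumps({"full_log": l}) for l in (DENY_LOG, APPTRACK_LOG))


def load_decoders(xml_text):
    """Parse decoder XML. local_decoder.xml has no single root element, so wrap it."""
    root = ET.fromstring("<decoders>" + xml_text + "</decoders>")
    return [{
        "name": d.get("name"),
        "parent": d.findtext("parent"),
        "prematch": d.findtext("prematch"),
        "regex": d.findtext("regex"),
        "order": [f.strip() for f in (d.findtext("order") or "").split(",") if f.strip()],
    } for d in root.findall("decoder")]


def lint(decoders):
    """Map child name -> (capture groups, <order> names) wherever the two differ."""
    problems = {}
    for d in decoders:
        if d["regex"]:
            groups = re.compile(d["regex"]).groups
            if groups != len(d["order"]):
                problems[d["name"]] = (groups, len(d["order"]))
    return problems


def matches(decoders, name, log):
    """Does the named child's <regex> match the log at all?"""
    regex = next(d["regex"] for d in decoders if d["name"] == name)
    return re.search(regex, log) is not None


def decode(decoders, log):
    """Mimic decoding: parent by <prematch>, first matching child, <order> names.

    Returns {"decoder": parent, "child": child or None, "fields": {...}} or None.
    The thread's rules key on the parent name via <decoded_as> plus a <field>,
    so a parent hit without a child hit yields no fields and no rule match.
    """
    for parent in decoders:
        if parent["parent"] or not parent["prematch"] or not re.search(parent["prematch"], log):
            continue
        for child in decoders:
            if child["parent"] == parent["name"] and child["regex"]:
                m = re.search(child["regex"], log)
                if m:  # zip() truncates silently on a length mismatch; lint() reports it
                    return {"decoder": parent["name"], "child": child["name"],
                            "fields": dict(zip(child["order"], m.groups()))}
        return {"decoder": parent["name"], "child": None, "fields": {}}
    return None


def full_logs(archive_jsonl):
    """Yield full_log from each archives.json line, as grep on the file would show it."""
    for line in archive_jsonl.splitlines():
        if line.strip():
            yield json.loads(line)["full_log"]


if __name__ == "__main__":
    decs = load_decoders(DECODERS_XML)
    for name, (groups, order) in lint(decs).items():
        print(f"{name}: regex captures {groups} groups but <order> lists {order} names")
    for log in full_logs(SAMPLE_ARCHIVE):
        print(decode(decs, log))
```

Run as-is and the lint line names the first APPTRACK child with 34 captures against 13 <order> names, the DENY sample decodes through juniper-rtflow-deny, and the APPTRACK sample skips the first child and decodes through the corrected one. To check your own local_decoder.xml, replace DECODERS_XML with the file's contents and SAMPLE_ARCHIVE with real lines from archives.json; the engine difference (re versus PCRE2) is the one place where a pass here can still disagree with wazuh-logtest.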

Ronald Simmons

Jun 29, 2026, 11:19:04 AM
to Wazuh | Mailing List
Thank you, fine sir, that works.