Hello,
Thanks for sharing the sample log. I created a decoder and rule based on what you shared, and it should work without issues, as I also tested it. Please see attached for reference.
The decoders should be placed in /var/ossec/etc/decoders/local_decoder.xml:
<!-- Parent decoder: matches both session-create and session-deny events -->
<decoder name="juniper-rtflow">
  <prematch type="pcre2">RT_FLOW_SESSION_(CREATE|DENY)</prematch>
</decoder>

<!-- Child decoder for RT_FLOW_SESSION_CREATE: each capture group maps, in order, to a field in <order> -->
<decoder name="juniper-rtflow-create">
  <parent>juniper-rtflow</parent>
  <regex type="pcre2">RT_FLOW_SESSION_(CREATE).*?source-address="([^"]+)".*?source-port="([^"]+)".*?destination-address="([^"]+)".*?destination-port="([^"]+)".*?nat-source-address="([^"]+)".*?nat-destination-address="([^"]+)".*?protocol-id="([^"]+)".*?policy-name="([^"]+)".*?source-zone-name="([^"]+)".*?destination-zone-name="([^"]+)".*?session-id="([^"]+)".*?packet-incoming-interface="([^"]+)"</regex>
  <order>event_type,srcip,srcport,dstip,dstport,nat_srcip,nat_dstip,protocol,policy_name,srczone,dstzone,session_id,interface</order>
</decoder>

<!-- Child decoder for RT_FLOW_SESSION_DENY: note the different field set and order (application, reason) -->
<decoder name="juniper-rtflow-deny">
  <parent>juniper-rtflow</parent>
  <regex type="pcre2">RT_FLOW_SESSION_(DENY).*?source-address="([^"]+)".*?source-port="([^"]+)".*?destination-address="([^"]+)".*?destination-port="([^"]+)".*?protocol-id="([^"]+)".*?policy-name="([^"]+)".*?source-zone-name="([^"]+)".*?destination-zone-name="([^"]+)".*?application="([^"]+)".*?packet-incoming-interface="([^"]+)".*?reason="([^"]+)".*?session-id="([^"]+)"</regex>
  <order>event_type,srcip,srcport,dstip,dstport,protocol,policy_name,srczone,dstzone,application,interface,reason,session_id</order>
</decoder>
And the rules in /var/ossec/etc/rules/local_rules.xml:
<group name="juniper,rtflow,firewall,">
  <!-- decoded_as refers to the parent decoder; event_type comes from the first capture group of the child -->
  <rule id="120500" level="5">
    <decoded_as>juniper-rtflow</decoded_as>
    <field name="event_type">^CREATE$</field>
    <description>Juniper RT_FLOW session created from $(srcip):$(srcport) to $(dstip):$(dstport) policy $(policy_name)</description>
  </rule>

  <rule id="120501" level="10">
    <decoded_as>juniper-rtflow</decoded_as>
    <field name="event_type">^DENY$</field>
    <description>Juniper RT_FLOW session denied from $(srcip):$(srcport) to $(dstip):$(dstport) policy $(policy_name)</description>
  </rule>
</group>
Should you require further assistance on this, please capture the sample log from the archives.json file with the commands below:
grep "RT_FLOW_SESSION_CREATE" /var/ossec/logs/archives/archives.json
grep "RT_FLOW - RT_FLOW_SESSION_DENY" /var/ossec/logs/archives/archives.json
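To check the posted decoders and rules offline before touching the manager, here is an added Python example (mine, not part of the reply above and not Wazuh code). It applies the same PCRE2 regexes and <order> mappings to constructed RT_FLOW lines, then evaluates the two rules the way the ruleset would, including the $(field) substitution in the descriptions. The sample lines, the hostname srx-fw, the addresses, the policy names and the session ids are all made up; the field names and their order follow the posted regexes, so compare them against the real lines from your archives.json, since they vary between Junos releases.

```python
import re

# Added, stand-alone check of the posted decoders and rules (not Wazuh code):
# apply the same PCRE2 regexes and <order> mappings to constructed sample
# lines, then evaluate the two rules the way the manager would.

# Parent decoder prematch, as posted (this PCRE2 subset is valid Python re)
PREMATCH = re.compile(r"RT_FLOW_SESSION_(CREATE|DENY)")

# Child decoder regexes and <order> lists, copied from local_decoder.xml
CREATE_RE = re.compile(
    r'RT_FLOW_SESSION_(CREATE).*?source-address="([^"]+)".*?source-port="([^"]+)"'
    r'.*?destination-address="([^"]+)".*?destination-port="([^"]+)"'
    r'.*?nat-source-address="([^"]+)".*?nat-destination-address="([^"]+)"'
    r'.*?protocol-id="([^"]+)".*?policy-name="([^"]+)".*?source-zone-name="([^"]+)"'
    r'.*?destination-zone-name="([^"]+)".*?session-id="([^"]+)"'
    r'.*?packet-incoming-interface="([^"]+)"'
)
CREATE_ORDER = ("event_type,srcip,srcport,dstip,dstport,nat_srcip,nat_dstip,"
                "protocol,policy_name,srczone,dstzone,session_id,interface").split(",")

DENY_RE = re.compile(
    r'RT_FLOW_SESSION_(DENY).*?source-address="([^"]+)".*?source-port="([^"]+)"'
    r'.*?destination-address="([^"]+)".*?destination-port="([^"]+)"'
    r'.*?protocol-id="([^"]+)".*?policy-name="([^"]+)".*?source-zone-name="([^"]+)"'
    r'.*?destination-zone-name="([^"]+)".*?application="([^"]+)"'
    r'.*?packet-incoming-interface="([^"]+)".*?reason="([^"]+)".*?session-id="([^"]+)"'
)
DENY_ORDER = ("event_type,srcip,srcport,dstip,dstport,protocol,policy_name,"
              "srczone,dstzone,application,interface,reason,session_id").split(",")

CHILD_DECODERS = [(CREATE_RE, CREATE_ORDER), (DENY_RE, DENY_ORDER)]

# Rules from local_rules.xml: (id, level, <field name="event_type"> pattern, description)
RULES = [
    (120500, 5, r"^CREATE$",
     "Juniper RT_FLOW session created from $(srcip):$(srcport) to $(dstip):$(dstport) policy $(policy_name)"),
    (120501, 10, r"^DENY$",
     "Juniper RT_FLOW session denied from $(srcip):$(srcport) to $(dstip):$(dstport) policy $(policy_name)"),
]

# Constructed sample lines: hostname, addresses, policy names and session ids are made up
SAMPLE_CREATE = (
    '<14>1 2024-03-05T10:15:02.123Z srx-fw RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 '
    'source-address="10.1.1.10" source-port="51234" destination-address="203.0.113.5" '
    'destination-port="443" service-name="junos-https" nat-source-address="198.51.100.1" '
    'nat-source-port="10345" nat-destination-address="203.0.113.5" nat-destination-port="443" '
    'src-nat-rule-type="source rule" src-nat-rule-name="SNAT-OUT" dst-nat-rule-type="N/A" '
    'dst-nat-rule-name="N/A" protocol-id="6" policy-name="Allow-Web" source-zone-name="trust" '
    'destination-zone-name="untrust" session-id="12345" username="N/A" roles="N/A" '
    'packet-incoming-interface="ge-0/0/1.0" application="UNKNOWN" nested-application="UNKNOWN" '
    'encrypted="UNKNOWN"]'
)
SAMPLE_DENY = (
    '<14>1 2024-03-05T10:15:03.456Z srx-fw RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 '
    'source-address="192.0.2.77" source-port="40001" destination-address="10.1.1.20" '
    'destination-port="22" connection-tag="0" service-name="junos-ssh" protocol-id="6" '
    'icmp-type="0" policy-name="Default-Deny" source-zone-name="untrust" destination-zone-name="trust" '
    'application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" '
    'packet-incoming-interface="ge-0/0/0.0" encrypted="No" reason="policy deny" session-id="12346"]'
)
# A session-close event: the parent prematch does not match it, so nothing is decoded
SAMPLE_CLOSE = (
    '<14>1 2024-03-05T10:16:10.000Z srx-fw RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 '
    'reason="TCP FIN" source-address="10.1.1.10" source-port="51234" destination-address="203.0.113.5" '
    'destination-port="443" session-id="12345"]'
)


def decode(line):
    """Mimic the decoder chain: parent prematch first, then the first child whose regex matches."""
    if not PREMATCH.search(line):
        return None
    for regex, order in CHILD_DECODERS:
        match = regex.search(line)
        if match:
            return dict(zip(order, match.groups()))
    return None  # prematch hit but no child matched: the fields stay undecoded


def evaluate(line):
    """Return the first matching rule with its rendered description, or None if no rule fires."""
    fields = decode(line)
    if fields is None:
        return None
    for rule_id, level, pattern, template in RULES:
        if re.search(pattern, fields["event_type"]):
            description = re.sub(r"\$\((\w+)\)", lambda m: fields.get(m.group(1), ""), template)
            return {"rule_id": rule_id, "level": level, "description": description, "fields": fields}
    return None


if __name__ == "__main__":
    for sample in (SAMPLE_CREATE, SAMPLE_DENY, SAMPLE_CLOSE):
        print(evaluate(sample))
```

Run it with python3; it prints the fired rule and the decoded fields for the create and deny lines and None for the close line. This only exercises the regexes and the event_type match; on the manager, /var/ossec/bin/wazuh-logtest is the authoritative check, and archives.json is only written when logall_json is enabled in ossec.conf. Also keep in mind that rule 120500 alerts at level 5 on every session creation, which on a busy SRX is a large alert volume; a level below the default alert threshold (3) keeps the events decoded without raising an alert for each one.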