---
title: Juniper SRX Firewall
description: Gain insights into Juniper SRX Firewall logs
---

# Juniper SRX Firewall

**Integration version:** 1.3.0

## Overview{% #overview %}

[Juniper SRX Firewall](https://www.juniper.net/us/en/products/security/srx-series.html) secures your network edge, data center, and cloud applications by detecting and mitigating intrusions, malware, and other threats.

This integration parses the following log types:

- **Session Logs**: Track network traffic and session activities, including initiated and denied sessions, application-related traffic, and dropped packets.
- **Security Logs**: Monitor security events such as malware detections, intrusion attempts, DoS attacks, and content filtering activities.
- **Authentication Logs**: Capture authentication activities, including successful and failed login attempts.

Get detailed visibility into these logs with out-of-the-box dashboards, and strengthen security with prebuilt Cloud SIEM detection rules for proactive threat monitoring and response.

**Minimum Agent version:** 7.67.0

## Setup{% #setup %}

### Installation{% #installation %}

To install the Juniper SRX Firewall integration, run the following Agent installation command in your terminal. For more information, see the [Integration Management](https://docs.datadoghq.com/agent/guide/integration-management.md?tab=linux#install) documentation.

**Note**: This step is not necessary for Agent version >= 7.64.0.

```shell
sudo -u dd-agent -- datadog-agent integration install datadog-juniper_srx_firewall==1.0.0
```

### Configuration{% #configuration %}

#### Configure log collection{% #configure-log-collection %}

1. Log collection is disabled by default in the Datadog Agent. Enable it in `datadog.yaml`:

   ```yaml
   logs_enabled: true
   ```

1. Add the following configuration block to your `juniper_srx_firewall.d/conf.yaml` file to start collecting logs. See the [sample `conf.yaml`](https://github.com/DataDog/integrations-core/blob/master/juniper_srx_firewall/datadog_checks/juniper_srx_firewall/data/conf.yaml.example) for available configuration options.

   ```yaml
   logs:
     - type: udp
       port: <PORT>
       source: juniper-srx-firewall
       service: juniper-srx-firewall
   ```

   **Note**:

   - `<PORT>`: Specify the UDP port that Datadog will listen on (default: 514).
   - Do not change the `service` and `source` values, as they are integral to proper log pipeline processing.

1. [Restart the Agent](https://docs.datadoghq.com/agent/guide/agent-commands.md#start-stop-and-restart-the-agent).

#### Configure syslog message forwarding from Juniper SRX Firewall{% #configure-syslog-message-forwarding-from-juniper-srx-firewall %}

1. Log in to the Juniper SRX Firewall CLI.

1. Enter configuration mode:

   ```shell
   configure
   ```

1. To send logs to the Datadog Agent, execute the following commands:

   ```shell
   set system syslog host <IP-ADDRESS> any any
   set system syslog host <IP-ADDRESS> port <PORT>
   set system syslog host <IP-ADDRESS> structured-data brief
   ```

   **Note**:

   - Replace `<IP-ADDRESS>` with the Datadog Agent's IP address.
   - Replace `<PORT>` with the same port configured in [Log Collection](https://docs.datadoghq.com/integrations/juniper_srx_firewall.md#configure-log-collection).

1. Verify whether `Security Logging` is enabled:

   ```shell
   show security log mode
   ```

   If enabled, the output displays either `mode stream;` or `mode event-stream;`.

1. If `Security Logging` is enabled, configure log streaming:

   ```shell
   set security log stream <NAME> format sd-syslog
   set security log stream <NAME> category all
   set security log stream <NAME> host <IP-ADDRESS>
   set security log stream <NAME> host port <PORT>
   set security log transport protocol udp
   ```

1. Apply and exit the configuration:

   ```shell
   commit
   exit
   ```

### Validation{% #validation %}

[Run the Agent's status subcommand](https://docs.datadoghq.com/agent/guide/agent-commands.md#agent-status-and-information) and look for `juniper_srx_firewall` under the **Checks** section.

## Data Collected{% #data-collected %}

### Log{% #log %}

| Format                     | Event Types                                      |
| -------------------------- | ------------------------------------------------ |
| Structured-Data (RFC 5424) | Session Logs, Security Logs, Authentication Logs |
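
To confirm that a line arriving on the Agent's UDP port is in the structured-data (RFC 5424) format listed above rather than plain BSD syslog, the following Python parser splits the header and extracts the structured-data parameters. It is an added example, not part of the integration or of Datadog's log pipeline; the sample messages, their field names and the `junos@2636...` SD-ID are constructed for illustration.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then the rest
HEADER = re.compile(r"<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)", re.S)
# One SD-ELEMENT: [SD-ID name="value" ...]; values may contain \" \\ \] escapes
ELEMENT = re.compile(r'\[([^\s=\]"]+)((?: [^\s=\]"]+="(?:[^"\\\]]|\\.)*")*)\]')
PARAM = re.compile(r' ([^\s=\]"]+)="((?:[^"\\\]]|\\.)*)"')

# Constructed sample messages (not captured from a real device)
SAMPLE_SD = (
    '<14>1 2024-05-01T12:00:00.000Z srx-edge RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@2636.1.1.1.2.129 source-address="192.0.2.10" source-port="51515" '
    'destination-address="198.51.100.20" destination-port="23" '
    'policy-name="deny-telnet"]'
)
SAMPLE_BSD = "<14>May  1 12:00:00 srx-edge RT_FLOW: RT_FLOW_SESSION_DENY: session denied"


def parse_sd_syslog(line):
    """Return a dict for an RFC 5424 structured-data message, or None if it is not one."""
    m = HEADER.match(line)
    if not m or m.group(2) != "1":
        return None  # BSD-style syslog has no version field and lands here
    pri, _, ts, host, app, _procid, msgid, rest = m.groups()
    elements, pos = {}, 0
    while True:
        e = ELEMENT.match(rest, pos)
        if not e:
            break
        # Undo the three escapes RFC 5424 defines inside parameter values
        elements[e.group(1)] = {
            k: re.sub(r'\\(["\\\]])', r"\1", v) for k, v in PARAM.findall(e.group(2))
        }
        pos = e.end()
    if not elements:
        return None  # "-" (NILVALUE) or malformed structured data
    return {
        "facility": int(pri) // 8, "severity": int(pri) % 8,
        "timestamp": ts, "hostname": host, "app": app, "event": msgid,
        "sd": elements, "msg": rest[pos:].strip(),
    }


if __name__ == "__main__":
    for raw in (SAMPLE_SD, SAMPLE_BSD):
        print(parse_sd_syslog(raw))
```

A `None` result for traffic from the firewall indicates that the `structured-data brief` or `format sd-syslog` setting has not taken effect on the device.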

### Metrics{% #metrics %}

The Juniper SRX Firewall integration does not include any metrics.

### Events{% #events %}

The Juniper SRX Firewall integration does not include any events.

### Service Checks{% #service-checks %}

The Juniper SRX Firewall integration does not include any service checks.

## Troubleshooting{% #troubleshooting %}

### Permission denied while port binding{% #permission-denied-while-port-binding %}

If you see a **Permission denied** error while port binding in the Agent logs:

1. Binding to a port number under 1024 requires elevated permissions. Grant access to the port using the `setcap` command:

   ```shell
   sudo setcap CAP_NET_BIND_SERVICE=+ep /opt/datadog-agent/bin/agent/agent
   ```

1. Verify the setup is correct by running the `getcap` command:

   ```shell
   sudo getcap /opt/datadog-agent/bin/agent/agent
   ```

   With the expected output:

   ```shell
   /opt/datadog-agent/bin/agent/agent = cap_net_bind_service+ep
   ```

   **Note**: Re-run this `setcap` command every time you upgrade the Agent.

1. [Restart the Agent](https://docs.datadoghq.com/agent/guide/agent-commands.md#start-stop-and-restart-the-agent).

### Data is not being collected{% #data-is-not-being-collected %}

Ensure firewall settings allow traffic through the configured port.

### Port already in use{% #port-already-in-use %}

On systems running Syslog, the Agent may fail to bind to port 514 and display the following error:

```
Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use
```

This error occurs because Syslog uses port 514 by default.

To resolve:

- Disable Syslog, OR
- Configure the Agent to listen on a different, available port.

For further assistance, contact [Datadog support](https://docs.datadoghq.com/help/).
