Problem with Juniper Syslog

L0 Member

Hi, this is my first post and I need help.

I am trying to connect the syslog of a Juniper ACX7024X to my Broker, but I cannot see any logs.

The router is sending logs, but I cannot see anything from Cortex. I set it to raw format, auto-select, but nothing.

I understand that everything is configured correctly on the router, although we tried different formats and even with UDP we couldn't get it to create a dataset.

PS: I had no problems with Forti.

Thanks.

Cortex XDR 


L4 Transporter

Hello @I.Mitidieri,

Greetings for the day.

This issue is often related to service instability on the Broker VM, configuration mismatches, or logs being routed to a generic dataset.

1. Verify Ingestion via XQL Search:

If the Syslog Collector is set to "RAW" or "Auto-Detect" and the log format is not one that is natively recognized (such as CEF or LEEF), the logs will not create a specific Juniper dataset. Instead, they are placed in the generic unknown_unknown_raw dataset.

Use the following XQL query to confirm whether the logs are reaching the tenant:

dataset = unknown_unknown_raw
| filter _reporter_ip = "<BROKER_VM_IP>"

2. Verify Connectivity on the Broker VM:

Ensure the Broker VM is actively listening and receiving traffic from the Juniper router. You can run the following commands from the Broker VM CLI:

Check Listening Port:

netstat -an | grep 514

Capture Incoming Traffic:

Replace <INTERFACE> with your management interface (e.g., ens160 or eth0) and <ROUTER_IP> with the Juniper router's IP:

sudo tcpdump -i <INTERFACE> -s0 -A udp port 514 and src <ROUTER_IP>

3. Check and Restart Syslog Services:

A known issue with Juniper log ingestion involves the anubis container (the service responsible for syslog processing) crashing or becoming unstable.

If traffic reaches the VM but is not visible in XQL, restart the relevant services via the Broker VM Live Terminal:

sbin/applets_stop anubis
sbin/services_restart rabbitmq-server
sbin/applets_start anubis
4. Explicitly Configure Vendor and Product:

Using "Auto-Detect" for the Vendor and Product fields may fail for network devices if the log headers do not perfectly match a predefined template.

To force the creation of a dedicated dataset, modify the Syslog Collector applet configuration:

  1. Navigate to Settings > Configurations > Data Broker > Broker VMs.

  2. Select your Broker VM and open the Syslog Collector applet settings.

  3. Change Vendor from "Auto-Detect" to Juniper (case-sensitive).

  4. Change Product to a descriptive name (e.g., ACX_Router).

  5. Set Format to RAW.

5. Check for Kernel Dropped Packets (RPF):

If tcpdump shows traffic arriving but the Broker VM counters show 0 logs, the Linux kernel may be dropping packets due to a Reverse Path Filter (RPF) mismatch (asymmetric routing).

This occurs if logs arrive on one interface, but the routing table indicates that the return path would use a different interface.

If you feel this has answered your query, please let us know by clicking Like and "Mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

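The reply above explains the fallback behaviour in prose only: a BSD-style Junos line carries no vendor marker, so "Auto-Detect" leaves the event in unknown_unknown_raw, while setting Vendor/Product explicitly gives it a dedicated dataset, and an RPF mismatch can silently drop packets that tcpdump still shows. The following is an added triage script written for this page, not code from the thread or from Palo Alto Networks. It makes three assumptions the thread does not confirm: that auto-detect only identifies CEF and LEEF payloads and otherwise treats vendor and product as "unknown"; that datasets are named lower-case <vendor>_<product>_raw, as unknown_unknown_raw suggests; and that the kernel's reverse-path drop counter is TcpExt.IPReversePathFilter in /proc/net/netstat. All sample syslog lines and the netstat excerpt are constructed, not captured from the poster's router.

```python
"""Triage helpers for a Broker VM syslog collector that is not producing a dataset.

Added example; not part of the thread above or of Palo Alto Networks' own code.
Assumptions (not confirmed by the thread): auto-detect recognises only CEF and
LEEF payloads and otherwise leaves vendor/product as "unknown"; datasets are
named <vendor>_<product>_raw in lower case, as unknown_unknown_raw suggests;
the kernel's RPF drop counter is TcpExt.IPReversePathFilter in /proc/net/netstat.
"""
import re

AUTO = "Auto-Detect"

# Constructed sample lines (not captured from the poster's router), in the shape
# `tcpdump -A` would show them: two Junos BSD-style lines, one RFC 5424 line and
# one CEF line from a made-up vendor for contrast.
SAMPLE_LINES = [
    '<28>Jan 12 10:15:01 acx-edge1 mgd[2412]: UI_COMMIT: User "admin" requested "commit" operation',
    "<189>Jan 12 10:15:02 acx-edge1 rpd[1812]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 10.0.0.2 changed state",
    "<134>1 2024-01-12T10:15:03Z acx-edge1 mgd 2412 - - UI_LOGIN_EVENT: User 'admin' login",
    "<134>Jan 12 10:15:04 fw1 CEF:0|ExampleVendor|ExampleFW|7.0|13|traffic|3|src=10.1.1.5 dst=8.8.8.8",
]

BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
RFC5424_RE = re.compile(r"^<\d{1,3}>1 \S+ \S+ \S+ ")
CEF_RE = re.compile(r"(?:^|\s)(CEF:\d+\|.*)$")
LEEF_RE = re.compile(r"(?:^|\s)(LEEF:\d+(?:\.\d+)?\|.*)$")


def detect_format(line):
    """Classify one captured line: 'cef', 'leef', 'rfc5424', 'bsd' or 'raw'."""
    if CEF_RE.search(line):
        return "cef"
    if LEEF_RE.search(line):
        return "leef"
    if RFC5424_RE.match(line):
        return "rfc5424"
    if BSD_RE.match(line):
        return "bsd"
    return "raw"


def parse_bsd(line):
    """Split an RFC 3164 (BSD) line; Junos sends this format by default."""
    m = BSD_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,   # 3 = daemon, 23 = local7, ...
        "severity": pri & 7,    # 0 = emerg ... 7 = debug
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg"),
    }


def dataset_name(vendor, product):
    """Assumed naming rule: lower-case <vendor>_<product>_raw."""
    return re.sub(r"[^a-z0-9]+", "_", f"{vendor}_{product}_raw".lower())


def expected_dataset(line, vendor=AUTO, product=AUTO):
    """Dataset a captured line should land in for the given collector settings."""
    fmt = detect_format(line)
    if fmt in ("cef", "leef"):
        # Header is Version|Vendor|Product|...; a backslash-escaped pipe is data.
        payload = (CEF_RE if fmt == "cef" else LEEF_RE).search(line).group(1)
        fields = re.split(r"(?<!\\)\|", payload)
        return dataset_name(fields[1], fields[2])
    # Plain BSD / RFC 5424 text carries no vendor marker, so auto-detect has
    # nothing to go on and the event ends up in unknown_unknown_raw.
    v = "unknown" if vendor == AUTO else vendor
    p = "unknown" if product == AUTO else product
    return dataset_name(v, p)


# Constructed /proc/net/netstat excerpt: the real file has one header line and
# one value line per group, with many more columns.
SAMPLE_NETSTAT = (
    "TcpExt: SyncookiesSent SyncookiesRecv IPReversePathFilter TCPTimeouts\n"
    "TcpExt: 0 0 17 3\n"
    "IpExt: InNoRoutes InTruncatedPkts\n"
    "IpExt: 0 0\n"
)


def parse_proc_net_netstat(text):
    """Return {'Group.Counter': int} from /proc/net/netstat style text."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    counters = {}
    for header, values in zip(lines[0::2], lines[1::2]):
        hgroup, *names = header.split()
        vgroup, *nums = values.split()
        if hgroup != vgroup or len(names) != len(nums):
            raise ValueError("header/value line mismatch at %r" % hgroup)
        for name, num in zip(names, nums):
            counters[f"{hgroup.rstrip(':')}.{name}"] = int(num)
    return counters


def rpf_drops(netstat_text):
    """Packets the kernel discarded for failing the reverse-path check."""
    return parse_proc_net_netstat(netstat_text).get("TcpExt.IPReversePathFilter", 0)


if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        print(detect_format(ln).ljust(8), expected_dataset(ln),
              "->", expected_dataset(ln, "Juniper", "ACX_Router"))
    print("RPF drops:", rpf_drops(SAMPLE_NETSTAT))
```

To use it against real data, paste the payload lines from the `tcpdump -A` capture in step 2 into SAMPLE_LINES: a line that classifies as "bsd" or "rfc5424" with Auto-Detect is exactly the case step 4 fixes by setting Vendor and Product by hand. For step 5, read /proc/net/netstat on the Broker VM twice a minute apart and pass the text to rpf_drops(); a counter that grows while the router is sending confirms the reverse-path drop even though tcpdump still shows the packets.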