[juniper_srx] extract IP from RPD_IFD_NOTIFICATION events

packages/juniper_srx/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.28.0"
+  changes:
+    - description: Extract interface address from RPD_IFD_NOTIFICATION events into host.ip and related.ip, and avoid overwriting an already-populated message field.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/18927
 - version: "1.27.0"
   changes:
     - description: Improve integration documentation.

packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-system.log

@@ -20,3 +20,4 @@
 <166>1 2023-05-08T10:54:24.756+10:00 AB1234-A-AB-AB01C-ABC - - - - AB1234-A-AB-AB01C-ABC nh_fabric_fill_jnhinfo: Storing nh_id as 0x2dd and jnh as 0x58e302
 <167>1 2023-05-08T10:54:24.704+10:00 AB1234-A-AB-AB01C-ABC - - - - AB1234-A-AB-AB01C-ABC Copying remote chassis chassis 1, IP: 81.2.69.192
 <166>1 2023-05-08T10:54:24.756+10:00 AB1234-A-AB-AB01C-ABC - - - - AB1234-A-AB-AB01C-ABC nh_fabric_fill_jnhinfo: ABCDE: Test default message 123456
+<30>1 2026-05-07T12:35:17.448+02:00 AB1234-A-AB-AB01C-ABC rpd 20893 RPD_IFD_NOTIFICATION [junos@1111.1.1.1.1.111 state="UpDown" interface-name="st0.60" interface-index="508" message="<Up Broadcast Multicast> agg_parent 0 address #0 175.16.199.0"] IF_TRACE: EVENT <UpDown> st0.60 index 508 <Up Broadcast Multicast> agg_parent 0 address #0 175.16.199.0

packages/juniper_srx/data_stream/log/_dev/test/pipeline/test-system.log-expected.json

@@ -1170,6 +1170,66 @@
             "tags": [
                 "preserve_original_event"
             ]
+        },
+        {
+            "@timestamp": "2026-05-07T10:35:17.448Z",
+            "ecs": {
+                "version": "8.17.0"
+            },
+            "event": {
+                "category": [
+                    "network"
+                ],
+                "kind": "event",
+                "original": "<30>1 2026-05-07T12:35:17.448+02:00 AB1234-A-AB-AB01C-ABC rpd 20893 RPD_IFD_NOTIFICATION [junos@1111.1.1.1.1.111 state=\"UpDown\" interface-name=\"st0.60\" interface-index=\"508\" message=\"<Up Broadcast Multicast> agg_parent 0 address #0 175.16.199.0\"] IF_TRACE: EVENT <UpDown> st0.60 index 508 <Up Broadcast Multicast> agg_parent 0 address #0 175.16.199.0",
+                "severity": 30
+            },
+            "host": {
+                "ip": [
+                    "175.16.199.0"
+                ],
+                "name": "AB1234-A-AB-AB01C-ABC"
+            },
+            "juniper": {
+                "srx": {
+                    "interface_index": "508",
+                    "log_type": "system",
+                    "message": "<Up Broadcast Multicast> agg_parent 0 address #0 175.16.199.0",
+                    "process": "rpd",
+                    "state": "UpDown",
+                    "system": {
+                        "if_trace": "EVENT <UpDown> st0.60 index 508 <Up Broadcast Multicast> agg_parent 0 address #0 175.16.199.0"
+                    },
+                    "tag": "RPD_IFD_NOTIFICATION"
+                }
+            },
+            "log": {
+                "level": "informational"
+            },
+            "message": "IF_TRACE: EVENT <UpDown> st0.60 index 508 <Up Broadcast Multicast> agg_parent 0 address #0 175.16.199.0",
+            "observer": {
+                "ingress": {
+                    "interface": {
+                        "name": "st0.60"
+                    }
+                },
+                "name": "AB1234-A-AB-AB01C-ABC",
+                "product": "SRX",
+                "type": "firewall",
+                "vendor": "Juniper"
+            },
+            "process": {
+                "name": "rpd",
+                "pid": 20893
+            },
+            "related": {
+                "ip": [
+                    "175.16.199.0"
+                ]
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
         }
     ]
 }

packages/juniper_srx/data_stream/log/elasticsearch/ingest_pipeline/system.yml

@@ -308,6 +308,28 @@ processors:
             field: error.message
             value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
 
+# RPD_IFD_NOTIFICATION
+# Extract interface address (e.g. "address #0 175.16.199.0") into host.ip and related.ip
+- grok:
+    tag: grok_rpd_ifd_notification_address
+    if: "ctx.juniper?.srx?.tag == 'RPD_IFD_NOTIFICATION' && ctx.juniper?.srx?.message != null"
+    field: juniper.srx.message
+    patterns:
+    - 'address #%{NONNEGINT} %{IP:_temp_.rpd_ifd.address}'
+    ignore_failure: true
+- append:
+    tag: append_rpd_ifd_address_to_host_ip
+    if: "ctx._temp_?.rpd_ifd?.address != null"
+    field: host.ip
+    value: '{{{_temp_.rpd_ifd.address}}}'
+    allow_duplicates: false
+- append:
+    tag: append_rpd_ifd_address_to_related_ip
+    if: "ctx._temp_?.rpd_ifd?.address != null"
+    field: related.ip
+    value: '{{{_temp_.rpd_ifd.address}}}'
+    allow_duplicates: false
+
 # After System Structured, Structured-Brief, and Unstructured messages: there are optional key-value pairs seperated by ", ". These should now be in `message` field
 # split k-v fields inside message field.
 - kv:
@@ -901,7 +923,7 @@ processors:
     field: juniper.srx.message
     target_field: message
     ignore_missing: true
-    if: "ctx.juniper?.srx?.message != null"
+    if: "ctx.juniper?.srx?.message != null && ctx.message == null"
 
 - remove:
     tag: remove_juniper_srx_process_f8fae6df

packages/juniper_srx/data_stream/log/fields/fields.yml

@@ -423,6 +423,8 @@
           type: integer
         - name: direction
           type: keyword
+        - name: if_trace
+          type: keyword
         - name: ike_version
           type: integer
         - name: local
@@ -522,6 +524,8 @@
       type: keyword
     - name: function_name
       type: keyword
+    - name: interface_index
+      type: keyword
     - name: operational_status
       type: keyword
     - name: snmp_interface_index

packages/juniper_srx/docs/README.md

@@ -592,6 +592,7 @@ The `log` data stream provides events from Juniper SRX devices. These logs inclu
 | juniper.srx.index | index | keyword |
 | juniper.srx.index1 |  | keyword |
 | juniper.srx.index2 |  | keyword |
+| juniper.srx.interface_index |  | keyword |
 | juniper.srx.ip_mon_reth_scan.trigger |  | keyword |
 | juniper.srx.kern_arp_addr_change.ip |  | ip |
 | juniper.srx.kern_arp_addr_change.mac1 |  | keyword |
@@ -660,6 +661,7 @@ The `log` data stream provides events from Juniper SRX devices. These logs inclu
 | juniper.srx.sub_category | sub category | keyword |
 | juniper.srx.system.aux_spi |  | integer |
 | juniper.srx.system.direction |  | keyword |
+| juniper.srx.system.if_trace |  | keyword |
 | juniper.srx.system.ike_version |  | integer |
 | juniper.srx.system.local |  | keyword |
 | juniper.srx.system.local_gateway |  | ip |

packages/juniper_srx/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: juniper_srx
 title: Juniper SRX
-version: "1.27.0"
+version: "1.28.0"
 description: Collect logs from Juniper SRX devices with Elastic Agent.
 categories: ["network", "security", "firewall_security"]
 type: integration