[STRM] JunOS and SRX events appear as UNKNOWN

Knowledge Base ID: KB15216
Last Updated: 02 Aug 2011
Version: 2.0

Summary:
STRM only supports Structured syslog format from JunOS and SRX devices.

Problem or Goal:
If syslog is configured in Non-Structured format, the events will appear as unknown.

Solution:
Configure syslog messages to be sent in Structured format:

[edit system syslog file filename]
facility severity;
structured-data {
    brief;
}


If the problem persists, please refer to KB15214, "STRM events appear as unknown or incorrectly parsed".


Troubleshooting tip:
To see the log format, open the specific event in the STRM Event Viewer, then copy and paste the whole content of Payload into Notepad.

Example of JunOS Structured syslog format:
Feb 10 17:06:40 juniper.junos.test.com 2009-02-10T13:26:15.183 SRX210 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address="192.168.1.10" source-port="16683" destination-address="10.0.1.27" destination-port="80" protocol-id="6" policy-name="HTTP-Authentication"]
Feb 10 17:06:41 juniper.junos.test.com 2009-02-10T13:26:15.982 SRX210 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address="192.168.1.11" source-port="19969" destination-address="10.0.1.27" destination-port="80" protocol-id="6" policy-name="HTTP-Authentication"]

Example of JunOS Non-Structured syslog format:
<70>Mar 23 17:51:45 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.254.152.70/138->10.254.152.255/138,17: default-permit
<70>Mar 23 17:47:52 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed unset: 192.168.200.51/137->192.168.200.255/137,17: default-permit, 12(936) 0(0) 75
<70>Mar 23 17:46:44 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed unset: 10.254.152.70/138->10.254.152.255/138,17: default-permit, 1(240) 0(0) 60
<70>Mar 23 17:46:45 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.254.152.70/138->10.254.152.255/138,17: default-permit

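A quick way to check payloads copied from the Event Viewer against the two formats shown above. This is an added example, not Juniper or STRM code. It assumes the structured-data element always opens with "[junos@" as in the samples here, and the function names are illustrative.

```python
import re

# Structured-data element as in the structured sample: [junos@<id> key="value" ...]
SD_ELEMENT = re.compile(
    r'\[(?P<sd_id>junos@[\d.]+)'
    r'(?P<params>(?:\s+[\w.-]+="(?:[^"\\]|\\.)*")*)\s*\]')
SD_PARAM = re.compile(r'([\w.-]+)="((?:[^"\\]|\\.)*)"')
# Tag pair as in the non-structured samples: "RT_FLOW: RT_FLOW_SESSION_CREATE: "
UNSTRUCTURED_TAG = re.compile(r'\b([A-Z][A-Z0-9_]+): ([A-Z][A-Z0-9_]+): ')

def classify_payload(payload):
    """Return (format, event_name, fields) for one syslog payload line."""
    m = SD_ELEMENT.search(payload)
    if m:
        # The token right before the structured-data element is the event name.
        head = payload[:m.start()].split()
        event = head[-1] if head else None
        return "structured", event, dict(SD_PARAM.findall(m.group("params")))
    m = UNSTRUCTURED_TAG.search(payload)
    if m:
        # Free-text message: this is the format that shows up as unknown.
        return "non-structured", m.group(2), {}
    return "unrecognized", None, {}

def summarize(payloads):
    """Count payloads per format so a misconfigured device stands out."""
    counts = {}
    for p in payloads:
        fmt = classify_payload(p)[0]
        counts[fmt] = counts.get(fmt, 0) + 1
    return counts

# First two lines are the samples from this article; the third is constructed.
SAMPLES = [
    'Feb 10 17:06:40 juniper.junos.test.com 2009-02-10T13:26:15.183 SRX210 RT_FLOW - '
    'RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address="192.168.1.10" '
    'source-port="16683" destination-address="10.0.1.27" destination-port="80" '
    'protocol-id="6" policy-name="HTTP-Authentication"]',
    '<70>Mar 23 17:51:45 RT_FLOW: RT_FLOW_SESSION_CREATE: session created '
    '10.254.152.70/138->10.254.152.255/138,17: default-permit',
    'Mar 23 17:52:01 host example: constructed line in neither format',
]

if __name__ == "__main__":
    for line in SAMPLES:
        fmt, event, fields = classify_payload(line)
        print(f"{fmt:15} {event} {fields}")
    print(summarize(SAMPLES))
```
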
Purpose:
Interoperability
Troubleshooting

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.