How to Verify if SRX is Forwarding Data Plane Log Packets to STRM

Knowledge Base ID: KB19632
Last Updated: 04 Feb 2011
Version: 2.0

Summary:
An SRX high-end device is configured to send data plane logs to STRM. For troubleshooting purposes, you want to determine whether the SRX is forwarding the logs to the STRM server.

Problem or Goal:
  • SRX-3400
  • SRX-3600
  • SRX-5600
  • SRX-5800
  • The SRX high-end device is configured to send security logs, in stream mode, to the STRM server. You need to verify whether the SRX device is forwarding the data plane logging packets out on the wire.

Solution:
To determine whether the data plane log packets are being forwarded by the SRX device, you can set up a firewall filter that logs these packets at the data plane level. This is best shown through an example.

For this example, assume an SRX-3400 in a cluster. The data plane logs are sent out via the reth1.0 interface. Set up a firewall filter that logs and accepts packets destined to the STRM server on port 514, with a final term that accepts all other traffic:
    firewall {
        filter strm-filter {
            term datalog {
                from {
                    destination-address {
                        172.22.145.21/32;
                    }
                    destination-port 514;
                }
                then {
                    log;
                    accept;
                }
            }
            term allow {
                then accept;
            }
        }
    }
Once the firewall filter is defined, apply it as an output filter on the reth1.0 interface:

    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                filter {
                    output strm-filter;
                }
                address 172.22.145.61/24;
            }
        }
    }
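Commit the configuration. You can then verify that the SRX is sending data plane logs to STRM by looking at the firewall log details. An entry with protocol UDP and a destination address of the STRM server on port 514 shows that a log packet matched the datalog term and was accepted: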

{primary:node0}
root@FTC-FW> show firewall log detail
Time of Log: 2010-12-22 07:50:19 PST, Filter: pfe, Filter action: accept, Name of interface: local
Name of protocol: UDP, Packet Length: 551, Source address: 172.22.145.61:514, Destination address: 172.22.145.21:514
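
When the firewall log holds many entries, the check above can be scripted. The following is an added example, not part of the original KB article: it parses saved `show firewall log detail` output and summarizes the accepted UDP packets sent to the STRM server. The function names and the sample text are constructed for illustration; the sample follows the output format shown above.

```python
# Constructed sample in the format of the `show firewall log detail` output above.
SAMPLE = """\
{primary:node0}
root@FTC-FW> show firewall log detail
Time of Log: 2010-12-22 07:50:19 PST, Filter: pfe, Filter action: accept, Name of interface: local
Name of protocol: UDP, Packet Length: 551, Source address: 172.22.145.61:514, Destination address: 172.22.145.21:514
Time of Log: 2010-12-22 07:50:20 PST, Filter: pfe, Filter action: accept, Name of interface: local
Name of protocol: TCP, Packet Length: 60, Source address: 172.22.145.61:49152, Destination address: 172.22.145.30:22
Time of Log: 2010-12-22 07:50:21 PST, Filter: pfe, Filter action: accept, Name of interface: local
Name of protocol: UDP, Packet Length: 498, Source address: 172.22.145.61:514, Destination address: 172.22.145.21:514
"""


def parse_firewall_log(text):
    """Turn the two-line-per-entry CLI output into a list of field dicts."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Time of Log:"):   # first line of a new entry
            current = {}
            records.append(current)
        if current is None:                   # prompt or banner before any entry
            continue
        for part in line.split(", "):
            # Split on the first ": " only, so "07:50:19" and "addr:port" stay intact.
            key, sep, value = part.partition(": ")
            if sep:
                current[key.strip()] = value.strip()
    return records


def summarize(text, collector="172.22.145.21", port=514):
    """Count accepted UDP packets whose destination is the STRM collector."""
    wanted = f"{collector}:{port}"
    hits = [r for r in parse_firewall_log(text)
            if r.get("Destination address") == wanted
            and r.get("Name of protocol") == "UDP"
            and r.get("Filter action") == "accept"]
    return {
        "count": len(hits),
        "bytes": sum(int(r.get("Packet Length", 0)) for r in hits),
        "first": hits[0].get("Time of Log") if hits else None,
        "last": hits[-1].get("Time of Log") if hits else None,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A count of zero means that no logged packet matched the STRM destination in the output that was captured.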



Purpose:
Implementation

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.