
[Includes video] How to forward traffic logs from an SRX device to STRM

[KB16224]


Summary:

This article provides video and text instructions for configuring traffic logs on an SRX device to be forwarded, in structured syslog format, to an external syslog server such as STRM.

For other topics, or more advanced logging, go to the SRX Getting Started main page.


Symptoms:

How to send traffic logs (structured syslog) from an SRX to a STRM syslog server.


Cause:

Solution:

Go to the KBTV video or text instructions below:

Video format:



Text format:

The following example shows how to configure the SRX to forward traffic logs (data plane logs) to a STRM device at 10.10.10.1.

The configuration for forwarding traffic logs to STRM requires the following:

  • mode = stream
  • format = structured (sd-syslog)
  • port = revenue port (any port other than fxp0)

Important:  Logging in 'stream' mode sends the logs directly from the data plane, so the logs must leave the SRX through a revenue port (a non-fxp0 interface). Routing table adjustments may be necessary to prevent the logs destined for STRM from being routed out fxp0. For more information, refer to Setting the System to Stream Security Logs Through Revenue Ports. Note also that traffic logs are only generated for sessions matching a security policy that has 'then log session-init' and/or 'then log session-close' configured; a policy without a log action produces nothing for STRM to receive.


Configuration on SRX

Step 1. Set the security log mode:

root@srx# set security log mode stream

Step 2. Set the security log format to sd-syslog, which is the structured syslog format:

root@srx# set security log format sd-syslog

Step 3. Set the security log source-address, which is the SRX IP address that the STRM device expects the logs to arrive from (STRM identifies the log source by the sender address). Here the IP address of the egress interface ge-0/0/0 on the SRX is used:

root@srx# set security log source-address 10.10.10.2

Step 4. Give the security log stream a name and category. In this case, the name is 'securitylog', and the 'all' category is specified.

root@srx# set security log stream securitylog category all

Step 5. Set the host IP address of the STRM or Syslog server device that will receive the traffic logs.

root@srx# set security log stream securitylog host 10.10.10.1


Step 6. Set the host port of the STRM device that will collect the traffic logs. This is the port the STRM device is configured to listen on; the default syslog port is 514. Plain UDP syslog is neither encrypted nor authenticated, so the path between the SRX and STRM should be a trusted network.

root@srx# set security log stream securitylog host port 514


Note: 
As indicated in the important note above, while using 'stream' mode logging, make sure the routing path from the SRX to STRM is not via fxp0. Check the route to the STRM address; the next hop must be a revenue interface (ge-0/0/0.0 here), not fxp0.0:

    root@srx> show route 10.10.10.1

    inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.10.10.1/32 *[Static/5] 00:21:02
                  > to 1.1.1.1 via ge-0/0/0.0


When complete and 'commit' has been executed, the configuration looks like this:

security {
    log {
        mode stream;
        format sd-syslog;
        source-address 10.10.10.2;
        stream securitylog {
            category all;
            host {
                10.10.10.1;
                port 514;
            }
        }
    }
}

The same configuration in 'show configuration | display set' form:

set security log mode stream
set security log format sd-syslog
set security log source-address 10.10.10.2
set security log stream securitylog category all
set security log stream securitylog host 10.10.10.1
set security log stream securitylog host port 514
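As an added check before STRM is involved (example code written for this article, not Juniper's or STRM's): with 'format sd-syslog' (Step 2) the SRX emits RFC 5424 records whose fields sit in a structured-data element, and STRM keys the log source on the sender address configured in Step 3. The Python stand-in collector below parses such records into header fields, structured-data parameters and the free-text message, and ignores datagrams that arrive from an address other than the configured source-address, which is what happens when the route to STRM falls back to fxp0. The sample records are constructed, not captured from a device; the addresses 10.10.10.1 and 10.10.10.2 are taken from the article, and the SD-ID suffix (junos@2636.1.1.1.2.26) is an assumed value that varies by Junos release.

```python
"""Parse and sanity-check Junos structured syslog (sd-syslog) records.

Added example, not Juniper or STRM code. It assumes the article's addresses
(SRX source-address 10.10.10.2, STRM 10.10.10.1, UDP port 514). The sample
records at the bottom are constructed for this example, not captured from a
device, and the SD-ID suffix (junos@2636.1.1.1.2.26) is an assumed value.
"""
import re
import socket
from dataclasses import dataclass, field
from typing import Optional

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) ?(?P<rest>.*)$",
    re.S,
)
# STRUCTURED-DATA: one or more adjacent [SD-ID k="v" k="v"] elements, or "-".
_SD_ELEMENT = re.compile(
    r'\[(?P<sdid>[^ \]]+)(?P<params>(?: [^=\s\]]+="(?:[^"\\]|\\.)*")*)\]'
)
_SD_PARAM = re.compile(r'(?P<k>[^=\s]+)="(?P<v>(?:[^"\\]|\\.)*)"')


@dataclass
class Record:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    app: str
    msgid: str
    params: dict = field(default_factory=dict)
    message: str = ""


def parse_sd_syslog(line: str) -> Record:
    """Split one sd-syslog line into header fields, SD params and free text."""
    m = _HEADER.match(line.strip())
    if m is None:
        raise ValueError("not an RFC 5424 record: %r" % line[:80])
    pri = int(m.group("pri"))
    rest = m.group("rest")
    params: dict = {}
    pos = 0
    if rest.startswith("-"):          # NILVALUE: no structured data
        pos = 1
    else:
        for el in _SD_ELEMENT.finditer(rest):
            if el.start() != pos:     # elements must be adjacent; anything
                break                 # after a gap is the free-text MSG
            for p in _SD_PARAM.finditer(el.group("params")):
                # undo RFC 5424 escaping of \" \] and \\ inside values
                params[p.group("k")] = re.sub(r"\\(.)", r"\1", p.group("v"))
            pos = el.end()
    return Record(
        facility=pri >> 3, severity=pri & 7,
        timestamp=m.group("ts"), hostname=m.group("host"),
        app=m.group("app"), msgid=m.group("msgid"),
        params=params, message=rest[pos:].strip(),
    )


def flow_tuple(rec: Record):
    """5-tuple of an RT_FLOW session record: the fields a SIEM correlates on."""
    p = rec.params
    return (p["source-address"], int(p["source-port"]),
            p["destination-address"], int(p["destination-port"]),
            int(p["protocol-id"]))


def handle_datagram(data: bytes, peer_ip: str,
                    expected_source: str) -> Optional[Record]:
    """Parse one UDP datagram from the SRX, or return None if the sender is
    not the configured source-address (Step 3). A record that left the SRX
    via fxp0 arrives from a different address and would be attributed to the
    wrong log source by STRM, so it is flagged here instead of parsed."""
    if peer_ip != expected_source:
        return None
    return parse_sd_syslog(data.decode("utf-8", errors="replace"))


def serve(bind_ip: str = "10.10.10.1", port: int = 514,
          expected_source: str = "10.10.10.2") -> None:
    """Stand-in collector: listen where STRM would and print each record.
    Binding to 514 needs root; use a high port for a quick test."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, (peer_ip, _) = sock.recvfrom(65535)
        rec = handle_datagram(data, peer_ip, expected_source)
        if rec is None:
            print("ignored datagram from unexpected sender", peer_ip)
            continue
        print(rec.msgid, rec.params.get("policy-name"), rec.message)


# Constructed sample records (not captured output), shaped like what an SRX
# emits for a policy with "then log session-init" / "session-close".
SAMPLE_CREATE = (
    '<14>1 2023-03-01T10:12:13.123Z srx RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.26 source-address="192.0.2.10" source-port="51234" '
    'destination-address="198.51.100.20" destination-port="443" '
    'service-name="junos-https" protocol-id="6" policy-name="allow-web" '
    'source-zone-name="trust" destination-zone-name="untrust" '
    'session-id-32="12345" packet-incoming-interface="ge-0/0/1.0"] '
    'session created 192.0.2.10/51234->198.51.100.20/443 junos-https'
)
SAMPLE_NO_SD = (
    '<14>1 2023-03-01T10:12:14Z srx RT_FLOW - RT_FLOW_SESSION_CLOSE - '
    'session closed TCP FIN'
)

if __name__ == "__main__":
    rec = parse_sd_syslog(SAMPLE_CREATE)
    print(rec.msgid, flow_tuple(rec))
    # serve()  # uncomment to listen on 10.10.10.1:514 like STRM would
```

Run it with `serve()` on the host that will become (or stands in for) the STRM collector, then generate a session through a policy that logs; if the collector prints "ignored datagram from unexpected sender", the logs are leaving the SRX through a different interface than the one whose address was set in Step 3, which is the fxp0 routing problem described in the note above.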



Viewing SRX logs on STRM device

To view the logs, use a browser and log into the STRM WebUI. Select the 'Log Activity' tab. Then select 'Real Time (streaming)' under the 'Viewing real time flows' pull-down.

Related Links: