
[Includes video] How to forward traffic logs from an SRX device to JSA/STRM


Article ID: KB16224 KB Last Updated: 16 Mar 2020Version: 20.0
Summary:

This article provides video and text instructions for configuring traffic logs on an SRX device to be forwarded to an external Syslog server, such as JSA/STRM via structured format. 

For other topics or more advanced logging, go to the SRX Getting Started main page.

Symptoms:

How to send traffic logs (structured syslogs) from SRX to a JSA syslog server.

Solution:

Go to the KBTV video or text instructions below:

Video format: [KBTV video embedded in the original article]
Text format:

The following example shows how to configure the SRX to forward traffic logs (data plane logs) to a JSA/STRM device (10.10.10.1).

The configuration for forwarding traffic logs to JSA/STRM requires the following:

  • mode = stream
  • format = structured
  • port = revenue port (which is any port but FXP0)

Important: Logging in 'stream' mode requires traffic to be sent from a non-FXP0 interface (revenue port). Routing table adjustments may be necessary to prevent traffic logging to STRM from leaving via an FXP0 interface. For more information, refer to Setting the System to Stream Security Logs Through Revenue Ports.

 

Configuration on SRX

Step 1. Set the security log mode:

root@srx# set security log mode stream
 

Step 2. Set the security log format to sd-syslog, which is the structured syslog format:

root@srx# set security log format sd-syslog
 

Step 3. Set the security log source-address, which is the SRX IP address expected by JSA/STRM. Here we are using the IP address of an egress interface ge-0/0/0 on the SRX:

root@srx# set security log source-address 10.10.10.2
 

Step 4. Give the security log stream a name and category. In this case, the name is 'securitylog', and the 'all' category is specified.

root@srx# set security log stream securitylog category all
 

Step 5. Set the host IP address of the JSA or Syslog server device that will receive the traffic logs.

root@srx# set security log stream securitylog host 10.10.10.1


Step 6. Also, set the host port on which JSA/STRM listens for the traffic logs. The default syslog port is 514.

root@srx# set security log stream securitylog host port 514


   

Note:  As indicated in the important note above, while using 'stream' mode logging, make sure the routing path from SRX to the JSA/STRM is not via FXP0.

    >show route 10.10.10.1

    inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.10.10.1/32 *[Static/5] 00:21:02
                  > to 1.1.1.1 via ge-0/0/0.0


Once the configuration is committed, it looks like this:

security {
    log {
        mode stream;
        format sd-syslog;
        source-address 10.10.10.2;
        stream securitylog {
            category all;
            host {
                10.10.10.1;
                port 514;
            }
        }
    }
}

set security log mode stream
set security log format sd-syslog
set security log source-address 10.10.10.2
set security log stream securitylog format sd-syslog
set security log stream securitylog category all
set security log stream securitylog host 10.10.10.1
set security log stream securitylog host port 514
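As an added example (not from this article or from Juniper), the following Python script audits a 'show configuration | display set' dump against the requirements listed above: stream mode, sd-syslog format, a source-address that sits on a revenue interface rather than fxp0, and a host and port on every stream. The sample configuration reuses the article's addresses, but the interface lines and the fxp0 address are constructed assumptions.

```python
from ipaddress import ip_address, ip_interface
# Constructed "show configuration | display set" output using the article's values
# (SRX 10.10.10.2 on ge-0/0/0, JSA/STRM at 10.10.10.1:514); the interface lines are assumed.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.2/24
set interfaces fxp0 unit 0 family inet address 192.0.2.10/24
set security log mode stream
set security log format sd-syslog
set security log source-address 10.10.10.2
set security log stream securitylog category all
set security log stream securitylog host 10.10.10.1
set security log stream securitylog host port 514
"""

def parse_set_config(text):
    """Return each 'set ...' statement as a token list (without the leading 'set')."""
    return [line.split()[1:] for line in text.splitlines()
            if line.strip().startswith("set ")]

def interface_for_address(stmts, addr):
    """Name of the interface whose 'family inet address' matches addr, or None."""
    target = ip_address(addr)
    for t in stmts:
        if t[:1] == ["interfaces"] and "address" in t:
            if ip_interface(t[t.index("address") + 1]).ip == target:
                return t[1]
    return None

def audit_security_log(text):
    """Check the JSA/STRM forwarding requirements; returns {check name: passed}."""
    stmts = parse_set_config(text)
    log = [t[2:] for t in stmts if t[:2] == ["security", "log"]]
    has = lambda *prefix: any(t[:len(prefix)] == list(prefix) for t in log)
    src = next((t[1] for t in log if t[:1] == ["source-address"]), None)
    iface = interface_for_address(stmts, src) if src else None
    streams = {t[1] for t in log if t[:1] == ["stream"]}
    return {
        "mode_stream": has("mode", "stream"),
        "format_structured": has("format", "sd-syslog"),
        "source_address_set": src is not None,
        # stream mode must leave via a revenue port: the source address must not sit on fxp0
        "source_not_fxp0": iface is not None and not iface.startswith("fxp0"),
        "every_stream_has_host": bool(streams) and all(has("stream", s, "host") for s in streams),
        "every_stream_has_port": bool(streams) and all(has("stream", s, "host", "port") for s in streams),
    }

def config_ok(text):
    """True only when every check passes."""
    return all(audit_security_log(text).values())
```

Run it against your own 'show configuration | display set' output; a FAIL on source_not_fxp0 is the routing/management-interface mistake the Important note above warns about.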


 

Viewing SRX logs on JSA:

To view the logs, use a browser and log into the JSA WebUI. Select the 'Log Activity' tab. Then select 'Real Time (streaming)' under the 'Viewing real time flows' pull-down.
 

Modification History:
2020-03-16: Changed STRM to include JSA/STRM and corrected an incorrect CLI.
