Sending logs to NSM from SRX devices

  [KB16448]


Summary:

This article clarifies what logs are sent to NSM from SRX devices.

Symptoms:


  • Logs from the SRX are not showing in NSM.

Cause:

Solution:

Self logs

  • If the SRX device was added to NSM as "reachable", logs from the Routing Engine (control plane) are sent to NSM by default, because NSM adds the required syslog configuration during the device add.
  • If the SRX device was not added as reachable, add the following configuration to the SRX and commit it so that RE (control-plane) logs are sent to NSM:
    set system syslog file default-log-messages any any
    set system syslog file default-log-messages structured-data

  • On clustered SRX devices, add the same configuration under the node-specific configuration groups (node0 and node1) rather than at the top level.  Example:
    set groups node0 system syslog file default-log-messages any any
    set groups node0 system syslog file default-log-messages structured-data
    set groups node1 system syslog file default-log-messages any any
    set groups node1 system syslog file default-log-messages structured-data


Traffic Logs

For NSM to receive traffic logs, the SRX must be configured to send its security logs to the control plane.
The default on high-end SRX firewalls is to send these logs directly from the data plane.

NSM will not receive traffic logs unless they are forwarded from the data plane to the control plane and then to NSM over the NETCONF channel.

The firewall must be configured with:
     set security log mode event
     set security log event-rate 1000

Note that in the Junos hierarchy event-rate is a sibling of mode under [edit security log], not an option of mode event; it caps the number of events per second passed from the data plane to the control plane.

In mode event, the SRX processes security logs in the control plane.
This path is limited to 1000 events per second.

In mode stream, the SRX processes security logs directly in the forwarding plane and sends them to an external syslog server.
Use stream mode when the event rate is greater than 1000 events per second; in that mode NSM does not receive the traffic logs.
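The complete event-mode configuration, shown end to end as a worked example added here (it is not taken from KB16448). The zone names trust and untrust, the policy name allow-web and its match terms are assumptions; the two syslog file lines are the same ones the Self logs section gives. Lines beginning with # are commentary for the reader, not CLI input.

```junos
# 1. Control-plane syslog file that NSM collects over the NETCONF channel.
#    NSM adds these two lines itself when the device is added as "reachable".
set system syslog file default-log-messages any any
set system syslog file default-log-messages structured-data

# 2. Send security (traffic) logs from the data plane to the control plane.
#    Without "mode event", high-end SRX platforms emit them from the data
#    plane only and NSM never sees them. event-rate is a sibling of mode
#    under [edit security log]; 1000 events/second is the control-plane
#    limit the KB refers to.
set security log mode event
set security log event-rate 1000

# 3. A policy produces traffic logs only if it carries an explicit log action.
#    (Policy name and match terms are assumptions for this example.)
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security policies from-zone trust to-zone untrust policy allow-web then permit
set security policies from-zone trust to-zone untrust policy allow-web then log session-init
set security policies from-zone trust to-zone untrust policy allow-web then log session-close

commit and-quit

# 4. Checks, run in operational mode after some traffic has matched the policy.
#    In event mode the RT_FLOW messages land in the RE syslog, so they appear
#    in the same file NSM reads; if nothing matches here, NSM has nothing to show.
show configuration security log
show log default-log-messages | match RT_FLOW_SESSION | last 10
```

If the second check returns session messages but NSM still shows none, the problem is on the NSM side of the NETCONF channel rather than in the SRX logging path; if it returns nothing, re-check the mode, the event-rate and the policy log action in that order.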



Additional information concerning traffic logs in NSM from SRX devices:
The behavior varies by Junos OS version and SRX model:

Junos OS 9.6 and earlier

  • Branch SRX device traffic logs are sent to NSM by passing the messages from the data plane to the control plane and then to NSM.
  • High-end SRX device traffic logs (data plane) are not sent to NSM.  Workaround: use a syslog server.

Junos OS 10.0r0 and 10.0r1

  • Traffic logs (data plane) are not sent to NSM from any SRX device.  Solution: upgrade to Junos OS 10.0r2 or later.  Workaround: use Junos OS 9.6 or a syslog server.

Junos OS 10.0r2 and later

  • Branch SRX device traffic logs are sent to NSM by passing the messages from the data plane to the control plane and then to NSM.
  • High-end SRX device traffic logs are also sent to NSM by passing the messages from the data plane to the control plane and then to NSM.
    This path is limited to 1000 events per second.

 

High Traffic Logging Can Cause High CPU if Event Mode Is Used

  • With high traffic volume, logging can be extensive enough to cause high CPU conditions. High-end devices are more susceptible because of their more complex architecture, but branch devices can be affected as well. To minimize high CPU caused by traffic logging, it is strongly recommended to configure traffic logging in stream mode.  Refer to KB16506, which discusses the high CPU condition on high-end devices in more detail.
  • Refer to KB16573 for details on configuring stream mode.
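The stream-mode alternative, as an added example that is not from this KB or from KB16573: traffic logs leave the data plane directly for an external syslog collector, so the control plane (and NSM) is out of the traffic-log path. The stream name to-collector, the source address 192.0.2.1 and the collector 198.51.100.20 (RFC 5737 documentation addresses) are assumptions, and the allow-web policy is assumed to already exist with its match terms. Lines beginning with # are commentary, not CLI input.

```junos
# Stream mode: security (traffic) logs are emitted by the data plane and
# never reach the control plane, so NSM will not receive them. Self logs
# from the Routing Engine still reach NSM through default-log-messages.
set security log mode stream
set security log format sd-syslog

# The source address must belong to a forwarding-plane (revenue) interface
# from which the collector is reachable. fxp0 is a control-plane interface
# and cannot be the source in stream mode, since the data plane sends the logs.
set security log source-address 192.0.2.1
set security log stream to-collector host 198.51.100.20
set security log stream to-collector host port 514

# Policies still need an explicit log action, exactly as in event mode;
# changing the mode does not by itself generate any traffic logs.
set security policies from-zone trust to-zone untrust policy allow-web then log session-init
set security policies from-zone trust to-zone untrust policy allow-web then log session-close

commit and-quit

# Check (operational mode): confirm mode, format, source and stream before
# relying on the collector. Verify arrival on the collector side, since in
# stream mode the messages will not appear in the RE syslog files.
show configuration security log
```

Because event-rate applies only to the data-plane to control-plane path, it has no effect in stream mode; the rate is bounded by the collector and the network instead, which is why this mode is the one recommended above for high log volumes.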
Related Links: