Sending logs to NSM from SRX devices

Article ID: KB16448 KB Last Updated: 21 Oct 2013 Version: 6.0
Summary:

This article clarifies what logs are sent to NSM from SRX devices.

Symptoms:

  • Logs from the SRX are not showing in NSM.
Cause:

Solution:

Self logs

  • If the SRX device was added as reachable, logs from the Routing Engine (control plane) are sent to NSM by default, because NSM adds the appropriate config during the 'device add'.
  • If the SRX device was not added as reachable, add the following commands to the SRX device so that logs from the RE (control plane) are sent to NSM:
    set system syslog file default-log-messages any any
    set system syslog file default-log-messages structured-data

  • Clustered SRX devices should have the above config added to the config group nodes.  Example:
    set groups node0 system syslog file default-log-messages any any
    set groups node0 system syslog file default-log-messages structured-data
    set groups node1 system syslog file default-log-messages any any
    set groups node1 system syslog file default-log-messages structured-data


Traffic Logs

For NSM to receive traffic logs, the SRX must be configured to send its logs to the control plane.
The default for the high-end firewalls is to send the logs directly from the data plane.

NSM will not receive the logs unless the logs are forwarded from the dataplane to the control plane and then through the netconf channel to NSM.

The firewall must be set with this config:
     set security log mode event
     set security log mode event event-rate 1000

If set to mode event, the SRX will process security logs in the control plane.
This is limited to 1000 events per second.

If set to mode stream, the SRX will process security logs directly in the forwarding plane.
This would be used to direct the traffic logs to an external syslog server and would be needed if the events per second are greater than 1000.
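
A configuration check for the requirements above, as an added example that is not part of the original article or any Juniper tooling: it reads the output of `show configuration | display set` and reports which self-log statements are missing and whether the security log mode lets traffic logs reach NSM. The function name, the sample configs, and the assumption that the statements sit at the top level (or under `groups node0`/`node1` on a cluster) are illustrative.

```python
import re

SYSLOG_STMTS = ("any any", "structured-data")  # both statements from the article

def audit_nsm_logging(set_config, clustered=False):
    """Return a list of findings; an empty list means the config matches the article."""
    # Normalise whitespace and keep only 'set' statements.
    lines = {" ".join(l.split()) for l in set_config.splitlines()
             if l.strip().startswith("set ")}
    findings = []
    # Self logs: clustered devices carry the statements in groups node0/node1.
    scopes = ("groups node0 ", "groups node1 ") if clustered else ("",)
    for scope in scopes:
        for stmt in SYSLOG_STMTS:
            want = f"set {scope}system syslog file default-log-messages {stmt}"
            if want not in lines:
                findings.append(f"missing: {want}")
    # Traffic logs: NSM only receives them in event mode (via the control plane).
    modes = {m.group(1) for l in lines
             if (m := re.match(r"set security log mode (\S+)", l))}
    if not modes:
        findings.append("security log mode not set: high-end default logs "
                        "directly from the data plane")
    elif "event" not in modes:
        findings.append("security log mode is not event: traffic logs are not "
                        "passed through the control plane to NSM")
    return findings

# Constructed sample configs (not taken from a real device).
STANDALONE_OK = """
set system syslog file default-log-messages any any
set system syslog file default-log-messages structured-data
     set security log mode event event-rate 1000
"""
CLUSTER_STREAM = """
set groups node0 system syslog file default-log-messages any any
set groups node0 system syslog file default-log-messages structured-data
set groups node1 system syslog file default-log-messages any any
set security log mode stream
"""

if __name__ == "__main__":
    for name, cfg, clustered in (("standalone", STANDALONE_OK, False),
                                 ("cluster", CLUSTER_STREAM, True)):
        print(name, audit_nsm_logging(cfg, clustered) or "OK")
```

On a device that was added as reachable, a "missing" finding means the config NSM pushed during the device add has since been removed.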



Additional information concerning traffic logs in NSM from SRX devices:
The logging varies by Junos version and SRX model:

Junos OS 9.6 and earlier

  • Branch SRX device traffic logs are sent to NSM by passing the messages from the data plane to the control plane and then to NSM.
  • High-end SRX device traffic logs (data plane) are not sent to NSM. Work-around: Use Syslog server.

Junos OS 10.0r0 and Junos OS 10.0r1

  • Traffic logs (data plane) for all SRX devices are not sent to NSM. Solution: Upgrade to Junos 10.0r2 and beyond. Work-around: Use Junos 9.6 or Syslog server.

Junos OS 10.0r2 and later

  • Branch SRX device traffic logs are sent to NSM by passing the messages from the data plane to the control plane and then to NSM.
  • High-end SRX device traffic logs are sent to NSM by passing the messages from the data plane to the control plane and then to NSM.  
    This is limited to 1000 events per second.

 

High Traffic Logging Can Cause High CPU if Event Mode Is Used

  • With high traffic volume, logging can be extensive enough to cause high CPU conditions. High-end devices are more susceptible to this, due to the complexity of the architecture, but it can impact Branch devices as well. To minimize the effects of high CPU due to traffic logging, it is highly encouraged to configure traffic logging using stream mode. Refer to KB16506, which discusses the high CPU condition in further detail as it affects high-end devices.
  • Refer to KB16573 for details on configuring stream mode
