
SRX Getting Started - Configure System Logging

Article ID: KB16502   KB Last Updated: 29 Jan 2014   Version: 7.0
Summary:

This article provides information about configuring system logs for SRX Series devices. Configuration examples and information about verification and troubleshooting are also provided.

For information about configuring traffic logs, refer to KB16634 - SRX Getting Started - Configure Logging.

For other topics, go to the SRX Getting Started main page.


Symptoms:

Configure system logging messages, so that they are sent to a local file on the SRX device and a remote syslog server.

Cause:

Solution:
This section contains the following topics:


Overview

SRX Series devices can send system log messages from the control plane (Routing Engine) to one or more destinations. Destinations can include local files on the SRX Series device (because the SRX Series device is a syslog server), remote syslog servers, user terminals, and the system console. For Junos OS Release 9.6 and later, you can specify two remote syslog servers to which system logs are sent.

When specifying that log messages are sent to a local file on the SRX Series device, you can also optionally specify that those log messages are in structured-data format. Log messages in structured-data format include priority information, which is information about log messages' facility and severity levels. By default, priority information is not included when log messages are sent. Specifying structured-data format can make it easier for applications to extract information from log messages. Structured-data format complies with the Internet draft, The Syslog Protocol, which can currently be found at the following link:

http://tools.ietf.org/html/draft-ietf-syslog-protocol-23.
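As an added illustration (not code from the article or from Juniper), the following Python parser reads one message in the structured-data layout described above and decodes the priority field into the facility and severity names that the syslog configuration statements use. The sample line, hostname, addresses and the junos@2636 element name are constructed for the example, not captured from a device.

```python
import re

# Constructed sample line in the structured-data layout the article describes
# (draft-ietf-syslog-protocol-23, later RFC 5424); host, addresses and
# timestamp are placeholders, not output captured from a real SRX.
SAMPLE_LINE = (
    '<14>1 2014-01-29T10:15:00.123Z srx-host RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.36 source-address="10.1.1.10" source-port="52000" '
    'destination-address="203.0.113.5" destination-port="443" protocol-id="6" '
    'policy-name="allow-web"] session created 10.1.1.10/52000->203.0.113.5/443'
)
# Severity codes 0-7, most severe first: the names used in
# "set system syslog file <name> <facility> <severity>".
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "info", "debug"]
FACILITY_NAMES = {0: "kernel", 1: "user", 3: "daemon", 4: "auth", 10: "authpriv",
                  **{16 + i: "local%d" % i for i in range(8)}}

HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) '
    r'(?:\[(?P<sd_id>[^\s\]]+)(?P<sd_params>[^\]]*)\]|-)(?: (?P<msg>.*))?$'
)
# name="value" pairs inside the [...] element; values may hold escaped quotes
PARAM_RE = re.compile(r'([^\s=]+)="((?:[^"\\]|\\.)*)"')


def decode_pri(pri):
    """Split the <PRI> value: PRI = facility * 8 + severity."""
    facility_code, severity_code = divmod(pri, 8)
    return FACILITY_NAMES.get(facility_code, str(facility_code)), SEVERITY_NAMES[severity_code]


def parse_structured_line(line):
    """Return a dict with facility/severity decoded from PRI plus the SD params."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not a structured-data syslog line: %r" % line[:40])
    facility, severity = decode_pri(int(m.group("pri")))
    return {"facility": facility, "severity": severity, "host": m.group("host"),
            "app": m.group("app"), "msgid": m.group("msgid"), "sd_id": m.group("sd_id"),
            "params": dict(PARAM_RE.findall(m.group("sd_params") or "")),
            "message": m.group("msg") or ""}


def meets_threshold(entry, minimum):
    """True if the entry is at least as severe as the configured minimum
    (e.g. 'any error' keeps error and above, drops warning/notice/info)."""
    return SEVERITY_NAMES.index(entry["severity"]) <= SEVERITY_NAMES.index(minimum)
```

Running the parser over a local file such as default-log-messages gives a quick check that the severity threshold you configured actually matches the messages you expected to keep.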

When specifying the destination, you can specify the type (facility) of messages to log and the minimum severity level of the message.

For lists of available logging facilities and severity levels, refer to the following link:

System Log Messages Reference



CLI Configuration

Note: The following examples do not apply to traffic logs for SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

For information about traffic logs for these devices, refer to KB16506 - SRX Getting Started - Configure Traffic Logs (or Security Policy Logs) for SRX High-End Devices.

For information about configuring traffic logs for SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650 devices, refer to KB16509 - SRX Getting Started - Configure Traffic Logging (Security Policy Logs) for SRX Branch Devices.

The following examples are applicable to system logs for all SRX devices.

Default Syslog Settings

By default, only critical messages are logged to a local file known as messages on the SRX Series device. The following configuration shows the default log settings:

system {
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
}

Sending Logs to a Local File on the SRX Series Device

The SRX Series device is a syslog server, and by default, only critical system log messages are sent to a file on the device, which is known as messages. In the following configuration example, the severity level of log messages is increased from the default of critical to error.

System log messages with a severity level of error are sent to the messages file. To view a list of available facility and severity levels, use the ? command.

For example:

user@host# set system syslog file messages ?

or

user@host# set system syslog file messages any ?

To send log messages with the facility set to any and the severity level set to error to the messages file:

user@host# set system syslog file messages any error

For SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650 devices, configuring a severity of any or info specifies that the system and traffic logs are sent.

To send traffic log messages to a separate file, refer to KB16509 - SRX Getting Started - Configure Traffic Logging (Security Policy Logs) for SRX Branch Devices.

Note: Review the contents of the messages file to see the type of system log messages that are being sent. Depending on the system log messages being sent, modify the severity level to accommodate your logging requirements.

To review the contents of the messages file, use the show log file messages command in the operational mode.


Sending Logs to a Remote Syslog Server

In the following configuration example, log messages are sent to a remote syslog server (192.30.80.76):

user@host# set system syslog host 192.30.80.76 any any

For SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650 devices, configuring a severity of any or info specifies that the system and traffic logs are sent.

To send traffic log messages to a separate file, refer to KB16509 - SRX Getting Started - Configure Traffic Logging (Security Policy Logs) for SRX Branch Devices.

For an example of sending system logs to STRM, refer to KB16224 - [STRM] [SRX] How to forward Syslogs from SRX to STRM.


Sending Traffic (Security Policy) Logs to a Remote Syslog Server

For information about configuring traffic logging for SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650 devices, refer to KB16509 - SRX Getting Started - Configure Traffic Logging (Security Policy Logs) for SRX Branch Devices.

For information about configuring traffic logging for SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, refer to KB16506 - SRX Getting Started - Configure Traffic Logs (or Security Policy Logs) for SRX High-End Devices.


Sending Structured-Data Logs to a Local File on an SRX Series Device (NSM only)

For SRX Series devices being managed by NSM, system log messages in structured-data format must be sent to a local file on the device called default-log-messages. To send logs in structured-data format to default-log-messages:

  1. Configure system logs with the facility set to any and the severity set to warning to be sent to a local file named default-log-messages.

     user@host# set system syslog file default-log-messages any warning

  2. Configure the default-log-messages file so that the log messages are written in structured-data format.

     user@host# set system syslog file default-log-messages structured-data

For more information about sending logs to NSM, refer to KB16448 - Sending logs to NSM from SRX devices.

Technical Documentation

Monitoring and Troubleshooting Guide for Security Devices

Verification

You can get information about all system log events by using the help syslog operational mode command.

user@host> help syslog
Syslog tag Help
ACCT_ACCOUNTING_FERROR Error occurred during file processing
ACCT_ACCOUNTING_FOPEN_ERROR Open operation failed on file
ACCT_ACCOUNTING_SMALL_FILE_SIZE Maximum file size is smaller than record size
ACCT_BAD_RECORD_FORMAT Record format does not match accounting profile
ACCT_CU_RTSLIB_ERROR Error occurred obtaining current class usage statistics
ACCT_FORK_ERR Could not create child process
ACCT_FORK_LIMIT_EXCEEDED Could not create child process because of limit
ACCT_GETHOSTNAME_ERROR gethostname function failed
ACCT_MALLOC_FAILURE Memory allocation failed

Configure system log settings to reflect the severity level of the messages you want logged. You can determine the severity level of each message by using the help syslog command, with the message name. In the following example, information about FLOW_SESSION_CREATE is shown.

user@host> help syslog FLOW_SESSION_CREATE
Name: FLOW_SESSION_CREATE
Message: session created

<source-address>/<source-port>-><destination-address>/<destination-port>,<protocol-id>:
<policy-name>
Help: Session create
Description: A security session was created.
Type: Event: This message reports an event, not an error
Severity: info

Use the show log log-file operational mode command to review the contents of a local system log file.

Troubleshooting

Use the show system syslog command in configuration mode to review your system log configuration.

user@host# show system syslog
