Overview
SRX Series devices can send system log messages from the control plane (Routing Engine) to one or more destinations. Destinations can include local files on the SRX Series device (because the SRX Series device is a syslog server), remote syslog servers, user terminals, and the system console. For Junos OS Release 9.6 and later, you can specify two remote syslog servers to which system logs are sent.
When specifying that log messages are sent to a local file on the SRX Series device, you can also optionally specify that those log messages are in structured-data format. Log messages in structured-data format include priority information, which is information about log messages' facility and severity levels. By default, priority information is not included when log messages are sent. Specifying structured-data format can make it easier for applications to extract information from log messages. Structured-data format complies with the Internet draft, The Syslog Protocol, which can currently be found at the following link:
http://tools.ietf.org/html/draft-ietf-syslog-protocol-23.
When specifying the destination, you can specify the type (facility) of messages to log and the minimum severity level of the message.
For lists of available logging facilities and severity levels, refer to the following link:
System Log Messages Reference
CLI Configuration
Note:
The following examples do not apply to traffic logs for SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices. For information about traffic logs for these devices, refer to KB16506 - SRX Getting Started - Configure Traffic Logs (or Security Policy Logs) for SRX High-End Devices.
For information about configuring traffic logs for SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650 devices, refer to KB16509 - SRX Getting Started - Configure Traffic Logging (Security Policy Logs) for SRX Branch Devices.
The following examples are applicable to system logs for all SRX devices.
Default Syslog Settings
By default, only critical messages are logged to a local file known as messages on the SRX Series device. The following configuration shows the default log settings:
system {
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
}
Sending Logs to a Local File on the SRX Series Device
The SRX Series device is a syslog server, and by default, only critical system log messages are sent to a file on the device known as messages. In the following configuration example, the severity level of log messages is increased from the default of critical to error. System log messages with a severity level of error or higher are then sent to the messages file. To view a list of available facility and severity levels, use the ? command.
For example:
user@host# set system syslog file messages ?
or
user@host# set system syslog file messages any ?
To configure logs with the facility set to any and the severity level set to error to be sent to the messages file:
user@host# set system syslog file messages any error
For SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650 devices, configuring a severity of any or info specifies that both the system and traffic logs are sent. To send traffic log messages to a separate file, refer to KB16509 - SRX Getting Started - Configure Traffic Logging (Security Policy Logs) for SRX Branch Devices.
Note: Review the contents of the messages file to see the type of system log messages that are being sent. Depending on the system log messages being sent, modify the severity level to accommodate your logging requirements. To review the contents of the messages file, use the show log file messages command in operational mode.
Sending Logs to a Remote Syslog Server
In the following configuration example, log messages are sent to a remote syslog server (192.30.80.76):
user@host# set system syslog host 192.30.80.76 any any
For SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650 devices, configuring a severity of any or info specifies that both the system and traffic logs are sent. To send traffic log messages to a separate file, refer to KB16509 - SRX Getting Started - Configure Traffic Logging (Security Policy Logs) for SRX Branch Devices.
For an example of sending system logs to STRM, refer to KB16224 - [STRM] [SRX] How to forward Syslogs from SRX to STRM.
Sending Traffic (Security Policy) Logs to a Remote Syslog Server
For information about configuring traffic logging for SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650 devices, refer to KB16509 - SRX Getting Started - Configure Traffic Logging (Security Policy Logs) for SRX Branch Devices.
For information about configuring traffic logging for SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, refer to KB16506 - SRX Getting Started - Configure Traffic Logs (or Security Policy Logs) for SRX High-End Devices.
Sending Structured-Data Logs to a Local File on an SRX Series Device (NSM only)
For SRX Series devices being managed by NSM, system log messages in structured-data format must be sent to a local file on the device called default-log-messages. To send logs in structured-data format to default-log-messages:
- Configure system logs with the facility set to any and the severity set to warning to be sent to a local file named default-log-messages.
user@host# set system syslog file default-log-messages any warning
- Configure the default-log-messages file so that log messages are written in structured-data format.
user@host# set system syslog file default-log-messages structured-data
For more information about sending logs to NSM, refer to KB16448 - Sending logs to NSM from SRX devices.
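As an added example (not part of this KB article or of Junos OS), the following Python script shows what a collector does with structured-data lines of the kind described in the Overview and in this section: it decodes the PRI value into facility and severity, extracts the junos@ parameters, and keeps only the records that a severity setting such as any error would admit. The sample lines, their PRI values, host, process names, PIDs and the platform part of the junos@ SD-ID are constructed for this example.

```python
import re

# Severity names indexed by the code in PRI (lower = more severe); PRI = facility * 8 + severity.
SEVERITIES = "emergency alert critical error warning notice info debug".split()

# One Junos structured-data line, RFC 5424 style (layout assumed for this example):
# <PRI>1 TIMESTAMP HOST PROCESS PID TAG [junos@... key="value" ...] free text
SD_LINE = re.compile(
    r'^<(?P<pri>\d{1,3})>1 \S+ (?P<host>\S+) (?P<proc>\S+) \S+ (?P<tag>\S+) '
    r'\[(?P<sdid>[^\s\]]+)(?P<params>(?: [^\s=]+="[^"]*")*)\](?: (?P<msg>.*))?$')
PARAM = re.compile(r'([^\s=]+)="([^"]*)"')

def parse_structured_line(line):
    """Split one structured-data line into fields and decode its PRI value."""
    m = SD_LINE.match(line.rstrip("\n"))
    if m is None:
        raise ValueError("not a structured-data syslog line: %r" % line)
    facility, severity = divmod(int(m.group("pri")), 8)
    return {"facility": facility, "severity": SEVERITIES[severity],
            "host": m.group("host"), "process": m.group("proc"), "tag": m.group("tag"),
            "params": dict(PARAM.findall(m.group("params"))),
            "message": m.group("msg") or ""}

def at_least(record, minimum):
    """True when the record's severity is at or above `minimum` (e.g. error admits critical)."""
    return SEVERITIES.index(record["severity"]) <= SEVERITIES.index(minimum)

def select(lines, minimum="error"):
    """Keep the records that a 'file messages any <minimum>' setting would log."""
    return [r for r in map(parse_structured_line, lines) if at_least(r, minimum)]

# Constructed sample lines: PRI values, host, process names, PIDs and the platform
# part of the junos@ SD-ID are made up for this example; the tags come from this article.
SAMPLE = [
    '<14>1 2023-05-04T10:15:02.123Z srx-fw1 RT_FLOW 1122 FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.129 source-address="10.1.1.5" source-port="51234" '
    'destination-address="192.0.2.10" destination-port="443" protocol-id="6" '
    'policy-name="allow-web"] session created 10.1.1.5/51234->192.0.2.10/443,6: allow-web',
    '<11>1 2023-05-04T10:15:03.500Z srx-fw1 acctd 2201 ACCT_FORK_ERR '
    '[junos@2636.1.1.1.2.129] Could not create child process',
    '<2>1 2023-05-04T10:15:04.000Z srx-fw1 acctd 2201 ACCT_MALLOC_FAILURE '
    '[junos@2636.1.1.1.2.129] Memory allocation failed',
]
```

Running select(SAMPLE, "error") drops the info-level FLOW_SESSION_CREATE record and keeps the two error-or-worse ACCT_ records, which is what the any error setting above does on the device.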
Technical Documentation
Monitoring and Troubleshooting Guide for Security Devices
Verification
You can get information about all system log events by using the help syslog operational mode command.
user@host> help syslog
Syslog tag Help
ACCT_ACCOUNTING_FERROR Error occurred during file processing
ACCT_ACCOUNTING_FOPEN_ERROR Open operation failed on file
ACCT_ACCOUNTING_SMALL_FILE_SIZE Maximum file size is smaller than record size
ACCT_BAD_RECORD_FORMAT Record format does not match accounting profile
ACCT_CU_RTSLIB_ERROR Error occurred obtaining current class usage statistics
ACCT_FORK_ERR Could not create child process
ACCT_FORK_LIMIT_EXCEEDED Could not create child process because of limit
ACCT_GETHOSTNAME_ERROR gethostname function failed
ACCT_MALLOC_FAILURE Memory allocation failed
Configure system log settings to reflect the severity level of the messages you want logged. You can determine the severity level of each message by using the help syslog command with the message name. In the following example, information about FLOW_SESSION_CREATE is shown.
user@host> help syslog FLOW_SESSION_CREATE
Name: FLOW_SESSION_CREATE
Message: session created
<source-address>/<source-port>-><destination-address>/<destination-port>,<protocol-id>:
<policy-name>
Help: Session create
Description: A security session was created.
Type: Event: This message reports an event, not an error
Severity: info
Use the show log log-file operational mode command to review the contents of a local system log file.
Troubleshooting
Use the show system syslog command in configuration mode to review your system log configuration.
user@host# show system syslog