SRX Getting Started - Configure Traffic Logs (or Security Policy Logs) for SRX High-End Devices

[KB16506]


Summary:

This article provides information about configuring traffic (security policy) logs for SRX High-End Devices: SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800.

For information about configuring system logs or traffic logs for SRX Branch devices, refer to KB16634 - SRX Getting Started - Configure Logging.

For other topics, go to the SRX Getting Started main page.


Symptoms:

Configure logging so that security log messages are sent directly from traffic interface ports to a remote syslog server.

Solution:

This section contains the following:

  1. Overview
  2. CLI Configuration
  3. Technical Documentation
  4. Verification


Overview

For SRX High-End devices, security logs such as traffic and IDP logs are streamed through the traffic interface ports (the revenue ports on an IOC) to a remote syslog server. On these platforms, security logs cannot be handled by the eventd process on the Routing Engine and sent together with system logs.

SRX High-End devices do not send session logs to the Routing Engine (RE). Because system logging is performed on the RE, session (traffic) logs cannot be written to the RE file system or viewed with the show log command. Therefore, all traffic logging must be sent to a remote syslog server. Because fxp0 belongs to the RE, traffic logging cannot be sent out through fxp0; the remote syslog server must be reachable through an interface on an IOC.


CLI Configuration

To send traffic (security policy) logs to a remote syslog server, you must configure the following:

  1. Send security log messages to a remote syslog server.
  2. Enable logging on security policies. 

1.  Send Security Log Messages to a Remote Syslog Server

The following example specifies that security log messages in structured-data format are sent from 10.30.30.1 to a remote syslog server at 192.30.80.76.
  1. Specify that the IP address of the source system is 10.30.30.1 (for example, the SRX Series device's loopback or another interface IP address). This address appears as the source of the streamed syslog messages.
    user@host# set security log source-address 10.30.30.1
  2. Specify that the messages are streamed to a remote log server with an IP address of 192.30.80.76.
    user@host# set security log stream trafficlogs host 192.30.80.76

2.  Enable Logging on Security Policies


The following is an example of enabling logging for a security policy named default-permit. You can specify that traffic logs are generated when a session closes (session-close), when a session starts (session-init), or both. We recommend logging only at session close, because that message is more useful: it includes the traffic volume (packets and bytes in each direction), the NAT information, and the reason code for termination. However, to enable logging for a security policy that has a deny action, you must specify that traffic logs are generated when a session starts, because no session is ever created for denied traffic and a session-close log is therefore never generated.

To enable logging for a security policy:
  1. For the default-permit security policy, specify that traffic logs are generated when a session closes.
    user@host# set security policies from-zone trust to-zone untrust policy default-permit then log session-close

  2. (Optional) Specify that traffic logs are generated when a session starts.
    user@host# set security policies from-zone trust to-zone untrust policy default-permit then log session-init
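The complete configuration for the two steps above, as an added example that is not part of the original article. It uses the article's addresses (10.30.30.1 and 192.30.80.76), the stream name trafficlogs and the policy default-permit in the trust-to-untrust context; the deny policy named deny-inbound in the untrust-to-trust context, its match terms, and the explicit mode and format statements are assumptions added here to show the deny case and the structured-data format the article refers to. The interface names and the route to 192.30.80.76 are not shown and must exist on an IOC port of your own device.

```junos
## Step 1: stream security logs from the IOC ports to the remote syslog server.
## mode stream is the only mode supported on SRX High-End; it is stated
## explicitly here so the intent is visible in the configuration.
set security log mode stream
## sd-syslog gives the structured-data format (RT_FLOW_SESSION_* messages with
## name="value" fields) that the article's example describes.
set security log format sd-syslog
## Source address stamped on every streamed message; pick an address that is
## routable from the syslog server so the messages can be attributed to this device.
set security log source-address 10.30.30.1
## Remote collector; syslog is sent over UDP, port 514 unless a port is specified.
set security log stream trafficlogs host 192.30.80.76

## Step 2a: permit policy, logged at session close (volume, NAT and close reason).
set security policies from-zone trust to-zone untrust policy default-permit then log session-close

## Step 2b (assumed policy): deny policy, which must log at session-init because
## denied traffic never creates a session, so session-close would never fire.
set security policies from-zone untrust to-zone trust policy deny-inbound match source-address any
set security policies from-zone untrust to-zone trust policy deny-inbound match destination-address any
set security policies from-zone untrust to-zone trust policy deny-inbound match application any
set security policies from-zone untrust to-zone trust policy deny-inbound then deny
set security policies from-zone untrust to-zone trust policy deny-inbound then log session-init

commit

## Device-side checks (operational mode). The logs themselves never reach the RE,
## so these only confirm the configuration; the messages must be checked on the
## syslog server.
run show configuration security log
run show security policies policy-name default-permit detail
run show security policies policy-name deny-inbound detail
```

In the detail output of each policy, the "Session log" line shows whether logging is at-create (session-init), at-close (session-close) or both; if it is absent, the log statement did not commit to that policy. A common reason for nothing arriving at 192.30.80.76 is that the only route to the server goes through fxp0, which the PFE cannot use; the server must be reachable through a revenue interface.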

Technical Documentation

System Log Monitoring and Troubleshooting Guide for Security Devices


Verification

To verify that traffic logs are being sent to the syslog server, check the remote syslog server for RT_FLOW messages (RT_FLOW_SESSION_CLOSE for session-close logging and RT_FLOW_SESSION_CREATE for session-init logging) arriving from the configured source address. The logs cannot be verified on the device itself: they are not sent to the RE and do not appear in the output of the show log command.

