
SRX Getting Started - Configure Traffic Logs (or Security Policy Logs) for SRX High-End Devices

Article ID: KB16506 KB Last Updated: 30 Jun 2020Version: 12.0
Summary:

This article provides information about configuring traffic (security policy) logs for SRX High-End Devices: SRX1400, SRX3400, SRX3600, SRX4100, SRX4200, SRX4600, SRX5600, and SRX5800.

For information about configuring system logs or traffic logs for SRX Branch devices, refer to KB16634 - SRX Getting Started - Configure Logging.

For other topics, go to the SRX Getting Started main page.

Symptoms:

Configure logging so that security log messages are sent directly from traffic interface ports to a remote syslog server.

Solution:

This section contains the following:

  1. Overview
  2. CLI Configuration
  3. Technical Documentation
  4. Verification

Overview

For SRX High-End devices, security logs such as traffic and IDP logs are streamed directly from the traffic interface ports to a remote syslog server (stream mode). They are not handled by the eventd process and cannot be sent together with the system logs.

SRX High-End devices do not send session logs to the Routing Engine (RE). Because system logging is performed on the RE, session or traffic logs cannot be written to the RE file system, so all traffic logging must be sent to a remote syslog server. Because fxp0 belongs to the RE, traffic logs cannot be sent out through fxp0; the remote syslog server must be reachable through an interface on an IOC.

 

CLI Configuration

To send traffic (security policy) logs to a remote syslog server, you must configure the following:

  1. Send security log messages to a remote syslog server.
  2. Enable logging on security policies.

1.  Send Security Log Messages to a Remote Syslog Server

The following example specifies that security log messages in structured-data (sd-syslog) format are sent from 10.30.30.1 to a remote syslog server at 192.30.80.76. On SRX High-End devices, stream mode is the default security log mode, so it does not need to be set explicitly.
  1. Specify that the IP address of the source system is 10.30.30.1 (for example, the SRX Series device's loopback or other interface IP address). This is the source address the syslog server sees on every log message, and the server must be reachable from an IOC interface, not through fxp0.
    user@host# set security log source-address 10.30.30.1
  2. Specify the structured-data format. In sd-syslog format every field of a traffic log is carried as a key="value" pair, which is much easier to parse on the collector than the plain syslog text format.
    user@host# set security log format sd-syslog
  3. Specify that the messages are streamed to a remote log server with an IP address of 192.30.80.76. The stream name (trafficlogs here) is arbitrary.
    user@host# set security log stream trafficlogs host 192.30.80.76

2.  Enable Logging on Security Policies

The following is an example of enabling logging for a security policy named default-permit. Traffic logs can be generated when a session starts (session-init) and when a session closes (session-close). For permit policies, we recommend logging only at session close, because that record is the more useful one: it includes the traffic volume in each direction, the NAT translations that were applied, and the reason code for termination, whereas a session-init record only shows that the session was created. Deny policies are the exception: a denied session is never created and therefore never closes, so a policy with a deny action produces a log only if you configure session-init. Logging both events on a busy permit policy roughly doubles the number of messages sent to the syslog server.

To enable logging for a security policy:
  1. For the default-permit security policy, specify that traffic logs are generated when a session closes.
    user@host# set security policies from-zone trust to-zone untrust policy default-permit then log session-close

  2. (Optional) Specify that traffic logs are generated when a session starts.
    user@host# set security policies from-zone trust to-zone untrust policy default-permit then log session-init
 

Technical Documentation

Monitoring Security Events by Policy

 

Verification

To verify that traffic logs are being sent to the syslog server, check the remote syslog server for RT_FLOW_SESSION_CREATE, RT_FLOW_SESSION_CLOSE, or RT_FLOW_SESSION_DENY messages arriving from the configured source address. Because the logs are streamed from the traffic ports and never reach the RE, there is no local copy on the device; show log on the SRX will not show them.
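The following is an added example for this article, not Juniper code or the collector of any particular product. It shows what the check on the syslog server looks like once the messages arrive in sd-syslog format: an RFC 5424 structured-data parser, a per-policy summary that pulls the byte counts, NAT and termination reason out of the session-close records discussed above, and a check that flags deny policies which have produced no RT_FLOW_SESSION_DENY records (the usual symptom of a deny policy without then log session-init). The sample messages are constructed, and the field names and the junos@2636... SD-ID are assumed to match what the device emits; they are not taken from the article.

```python
"""Parse and sanity-check SRX traffic logs received by a remote syslog server.

Added example for the article, not Juniper code. The sample messages below are
constructed; the sd-syslog field names (policy-name, bytes-from-client,
src-nat-rule-name, ...) and the junos@2636... SD-ID are assumed.
"""
import re
from collections import defaultdict

# RFC 5424 header followed by one structured-data element:
# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ID key="value" ...]
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<proc>\S+) '
    r'(?P<msgid>\S+) \[(?P<sdid>[^\s\]]+)(?P<params>[^\]]*)\]'
)
# key="value" pairs inside the structured-data element (backslash escapes allowed)
PARAM_RE = re.compile(r'(?P<key>[\w.-]+)="(?P<val>(?:[^"\\]|\\.)*)"')

TRAFFIC_MSGIDS = {"RT_FLOW_SESSION_CREATE", "RT_FLOW_SESSION_CLOSE", "RT_FLOW_SESSION_DENY"}

# Constructed sample input: three traffic logs plus one ordinary system log
# (the kind eventd sends over fxp0, which a traffic-log collector should ignore).
SAMPLE_LINES = [
    '<14>1 2020-06-30T10:15:01.123Z srx5800 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.30.30.25" source-port="51234" destination-address="198.51.100.10" destination-port="443" service-name="junos-https" nat-source-address="203.0.113.5" nat-source-port="8844" nat-destination-address="198.51.100.10" nat-destination-port="443" src-nat-rule-name="snat-out" dst-nat-rule-name="None" protocol-id="6" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="40001" packets-from-client="12" bytes-from-client="1832" packets-from-server="10" bytes-from-server="6120" elapsed-time="4"]',
    '<14>1 2020-06-30T10:15:02.004Z srx5800 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.30.30.26" source-port="40000" destination-address="198.51.100.20" destination-port="80" service-name="junos-http" nat-source-address="203.0.113.5" nat-source-port="8845" nat-destination-address="198.51.100.20" nat-destination-port="80" src-nat-rule-name="snat-out" dst-nat-rule-name="None" protocol-id="6" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="40002"]',
    '<14>1 2020-06-30T10:15:03.500Z srx5800 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.129 source-address="10.30.30.27" source-port="52000" destination-address="198.51.100.30" destination-port="3389" service-name="None" protocol-id="6" icmp-type="0" policy-name="block-rdp" source-zone-name="trust" destination-zone-name="untrust" reason="policy deny"]',
    '<34>1 2020-06-30T10:15:04.000Z srx5800 sshd 1234 - - Accepted password for admin from 10.30.30.1',
]


def parse_line(line):
    """Return the parsed message as a dict, or None if it is not sd-syslog structured data."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,  # RFC 5424: PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "app": m.group("app"),
        "msgid": m.group("msgid"),
        "sdid": m.group("sdid"),
        "fields": {p.group("key"): p.group("val") for p in PARAM_RE.finditer(m.group("params"))},
    }


def summarize(lines):
    """Aggregate traffic logs per policy name; returns (stats, number of non-traffic lines)."""
    stats = defaultdict(lambda: {"create": 0, "close": 0, "deny": 0, "bytes": 0, "nat": 0})
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["msgid"] not in TRAFFIC_MSGIDS:
            skipped += 1
            continue
        f = rec["fields"]
        s = stats[f.get("policy-name", "<unknown>")]
        if rec["msgid"] == "RT_FLOW_SESSION_CREATE":
            s["create"] += 1
        elif rec["msgid"] == "RT_FLOW_SESSION_DENY":
            s["deny"] += 1
        else:  # RT_FLOW_SESSION_CLOSE: the only record carrying volume, NAT and reason
            s["close"] += 1
            s["bytes"] += int(f.get("bytes-from-client", 0)) + int(f.get("bytes-from-server", 0))
            if f.get("src-nat-rule-name", "None") != "None" or f.get("dst-nat-rule-name", "None") != "None":
                s["nat"] += 1
    return dict(stats), skipped


def deny_policies_without_logs(stats, deny_policies):
    """Deny policies that produced no RT_FLOW_SESSION_DENY records.

    A denied session never closes, so a deny policy only logs with
    'then log session-init'; a policy listed here that is known to match
    traffic most likely lacks that setting.
    """
    return [p for p in deny_policies if stats.get(p, {}).get("deny", 0) == 0]


if __name__ == "__main__":
    stats, skipped = summarize(SAMPLE_LINES)
    for policy, s in sorted(stats.items()):
        print(f"{policy}: {s}")
    print(f"non-traffic lines skipped: {skipped}")
    # block-smb is a hypothetical deny policy with no records in the sample
    print("deny policies with no logs:", deny_policies_without_logs(stats, ["block-rdp", "block-smb"]))
```

Run it against a file tailed from the collector (for example the output file rsyslog writes for the SRX source address) instead of SAMPLE_LINES; the parser drops anything that is not a structured-data message, so mixed files containing system logs from the same device are fine.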


 
Modification History:
2020-06-30: Added SRX4100, SRX4200, SRX4600 to the summary.
