SRX Getting Started - Configure Traffic Logging (Security Policy Logs) for SRX Branch Devices

[KB16509]


Summary:

This article describes how to enable logging of traffic information for a security policy to generate traffic logs for SRX Branch Devices -- SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650.

For information about configuring logs for SRX High-End Devices, see KB16634 - SRX Getting Started - Configure Logging.

For other topics, go to the SRX Getting Started main page.

Symptoms:
  • Configure syslog to receive only traffic logs.
  • Enable logging on a security policy to generate traffic logs.
Solution:

This section contains the following:
  • Overview
  • CLI Configuration
  • Verification

Overview

You can use traffic logs to track usage patterns or troubleshoot issues for a specific policy. You can configure a policy so that traffic information is logged when a session begins (session-init) and/or closes (session-close). To generate traffic logs for multiple policies, you must configure each policy to log traffic information. You also must configure syslog messages with a severity level of info or any. In the default configuration, these messages and all other logging messages are sent to a local log file named messages.

Note: For the SRX High-End devices, traffic logs must be configured to stream to an external syslog server. For more information, see KB16506 - SRX Getting Started - Configure Traffic Logs (or Security Policy Logs) for SRX High-End Devices.

A traffic log records the following items for each session:
  • Date and time of the message
  • Message type (session-init or session-close)
  • Source address and port number
  • Destination address and port number
  • IP information
  • Session index (sid)
  • Policy index (pid)
  • Bytes sent and received
  • Session duration
A traffic log recording session-close information also lists a reason for the end of the session. A traffic log recording session-init information does not include bytes sent and received or session duration, but you can use the log to verify when a session is initially created.

By default, traffic log messages are mixed in with all other log messages in the messages file. Creating a separate log file that contains only traffic log messages saves you from having to filter them out later.


CLI Configuration

To send traffic (security policy) logs to a file on the SRX device or a remote syslog server, do the following:

  1. Prepare log location
  2. Enable Logging for Security Policies

1. Prepare log location

In the default mode (event mode), logs can be stored in a local file or sent to an external host (remote syslog server). It is recommended to use a separate file that holds only traffic/security policy log data. To capture traffic/security policy log messages, you must also set the severity level to info or any.
(See 1.1 and 1.2 below for more detail.)

For stream mode, an external host (remote syslog server) is required.
(See 1.3 below.)


1.1 Traffic log messages stored in a local Syslog file (event mode - default)

To send security policy logs to a file named traffic-log on the SRX Series device:

user@host# set system syslog file traffic-log any any
user@host# set system syslog file traffic-log match "RT_FLOW_SESSION"

In the example above, traffic log messages are sent to a separate log file named traffic-log. The severity level is set to any so that the traffic log messages are captured. Only log messages that match RT_FLOW_SESSION, which identifies traffic log messages, are sent to the traffic-log file.

Important:
This is simple and good for a quick implementation in a lab or in production with a low amount of traffic logs.  However, for networks with high amounts of traffic, this configuration could impact system resources -- CPU usage, memory usage, storage space, file system, cf/nand-flash life, etc.  Therefore, refer to 1.2 or 1.3 below for a better implementation.

Note: 
If there is another local syslog file configured for "user info" or "any any", the traffic log (RT_FLOW_SESSION) will still be stored in the local syslog file. The traffic log can be excluded as described in KB22588 - [Junos] How to make a log file that records almost everything that happens in the device.

1.2 Traffic log messages sent to a remote syslog server (event mode - default)

To send security policy logs to a remote Syslog server, for example, 192.30.80.65:

user@host# set system syslog host 192.30.80.65 any any
user@host# set system syslog host 192.30.80.65 match "RT_FLOW_SESSION"

In the example above, traffic log messages are sent to a remote Syslog server, 192.30.80.65. The severity level is set to any so that traffic log messages are captured. Only log messages that match RT_FLOW_SESSION, which identifies traffic log messages, are sent to the remote syslog server.

1.3 Traffic log messages sent to remote syslog server (stream mode)

While the default for Branch SRX devices is event mode, which is quick to implement, stream mode provides better logging performance.
Refer to the following links for more detail:

Setting the System to Stream Security Logs Through Revenue Ports
KB16917 - In the security log mode stream, the output interface for traffic events must be a revenue port

Important:
This is recommended for environments with a high amount of traffic log messages.

Only a revenue port can send traffic log messages in stream mode.


2. Enable Logging for Security Policies

The following example enables logging for a security policy named default-permit. You can specify that traffic logs are generated when a session closes (session-close), when a session starts (session-init), or both. Logging at session close is recommended because the information is more useful: traffic volume, NAT information, and the reason code for termination are all included. For a security policy with a deny action, you must log at session start, because a denied session is never established and so never produces a session-close event.

To enable logging for a security policy (either or both steps can be configured):
  1. For the default-permit security policy, specify that traffic logs are generated when a session closes.

    user@host# set security policies from-zone trust to-zone untrust policy default-permit then log session-close

  2. (Optional) Specify that traffic logs are generated when a session starts.

    user@host# set security policies from-zone trust to-zone untrust policy default-permit then log session-init

Technical Documentation

Security Zones and Interfaces Feature Guide for Security Devices


Verification

You can review traffic logs using J-Web or the CLI.

J-Web

To review traffic log messages:
  1. Select Monitor>Events and Alarms>View Events.
  2. If you have not created a separate log file for traffic log messages, in the System Log File list, select messages. Otherwise, select the name of the file that you created.
  3. In the Event ID box, type RT_FLOW_SESSION.
  4. Click Search. The traffic log messages are listed in the Events Detail area.

CLI

If you have created a separate log file for traffic log messages, use the following command:

user@host> show log traffic-log

If you have not created a separate log file for traffic log messages, use the show log messages operational command with a filter matching RT_FLOW_SESSION to review traffic log messages:

user@host> show log messages | match RT_FLOW_SESSION
Dec 23 15:01:41 test RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP RST: 192.168.10.60/3933->172.24.60.143/80 junos-http 172.24.30.178/8280->172.24.60.143/80 interface-nat None 6 http-out trust untrust 7188 8(2698) 5(525) 2
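The RT_FLOW_SESSION_CLOSE line above carries the fields listed in the Overview (addresses and ports, NAT information, policy, session index, bytes, duration, close reason) in a fixed order. The following is an added example, not part of this article or of Junos, that applies the same RT_FLOW_SESSION filter used in section 1.1 to a constructed messages-file excerpt and parses the close record into named fields; the field names, the two non-flow sample lines, and the assumption that the layout has no trailing username/role fields are mine.

```python
import re

# Constructed sample excerpt of a default "messages" file. The RT_FLOW_SESSION_CLOSE
# line is the one from this article (re-joined); the other two lines are made up.
SAMPLE_LOG = """\
Dec 23 15:01:39 test mgd[1234]: UI_COMMIT: User 'user' requested 'commit' operation
Dec 23 15:01:41 test RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP RST: 192.168.10.60/3933->172.24.60.143/80 junos-http 172.24.30.178/8280->172.24.60.143/80 interface-nat None 6 http-out trust untrust 7188 8(2698) 5(525) 2
Dec 23 15:01:42 test sshd[2345]: Accepted password for user from 10.0.0.5 port 51234 ssh2
"""

# Field order follows the unstructured RT_FLOW_SESSION_CLOSE message as shown in the
# article (assumption: the older layout without trailing username/role fields).
CLOSE_RE = re.compile(
    r"RT_FLOW_SESSION_CLOSE: session closed (?P<reason>.+?): "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"(?P<service>\S+) "
    r"(?P<nat_src>[\d.]+)/(?P<nat_sport>\d+)->(?P<nat_dst>[\d.]+)/(?P<nat_dport>\d+) "
    r"(?P<src_nat_rule>\S+) (?P<dst_nat_rule>\S+) (?P<proto>\d+) (?P<policy>\S+) "
    r"(?P<from_zone>\S+) (?P<to_zone>\S+) (?P<sid>\d+) "
    r"(?P<pkts_c>\d+)\((?P<bytes_c>\d+)\) (?P<pkts_s>\d+)\((?P<bytes_s>\d+)\) "
    r"(?P<elapsed>\d+)\s*$"
)
INT_FIELDS = ("sport", "dport", "nat_sport", "nat_dport", "proto", "sid",
              "pkts_c", "bytes_c", "pkts_s", "bytes_s", "elapsed")

def match_traffic_lines(log_text):
    """Same effect as the syslog 'match "RT_FLOW_SESSION"' filter: keep only
    traffic-log lines (session-init and session-close) from a mixed file."""
    return [ln for ln in log_text.splitlines() if "RT_FLOW_SESSION" in ln]

def parse_session_close(line):
    """Return the session-close fields as a dict, or None for any other message."""
    m = CLOSE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    # Byte counts exist only on session-close records, never on session-init.
    rec["bytes_total"] = rec["bytes_c"] + rec["bytes_s"]
    return rec

def summarize(log_text):
    """Per-policy byte totals over all session-close records in the text."""
    totals = {}
    for rec in filter(None, map(parse_session_close, match_traffic_lines(log_text))):
        totals[rec["policy"]] = totals.get(rec["policy"], 0) + rec["bytes_total"]
    return totals
```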
