[SRX] How to enable and view traffic logs in the J-Web/GUI on SRX devices

  [KB19490]


Summary:
This article provides information on how to enable and view traffic logs in the GUI/J-Web on SRX devices.
Symptoms:
Many customers reported that traffic logs appear on their syslog servers but not in the J-Web/GUI, even when policy logging is configured in J-Web. This applies to all Junos versions.

(Screenshot: Policy Logs for tr-untr)

Cause:
 
Solution:
To enable traffic logging in J-Web, perform the following procedure:

  1. Set the security log mode to event rather than stream.

    Note: The default traffic logging mode on high-end SRX devices is stream mode; on branch SRX devices the default is event mode.
    root@srx# set security log mode event
    root@srx# commit
  2. Log on to the GUI/J-Web, go to Monitor > Events and alarms > Security events, and click Create log configuration.

    This adds the following configuration under the system syslog hierarchy:
    file policy_session {
        user info;
        match RT_FLOW;
        archive size 5120000 world-readable;
        structured-data;
    }
  3. Now, if you enable logging on a policy, the traffic logs are visible in J-Web.

  4. A Problem Report has been filed for this issue.

Note:
  • Ensure that the [security log stream] setting is not present in the active configuration; otherwise the two modes conflict and J-Web displays the following message:

    'The security log is configured in stream mode. In this mode, the session logs are sent directly to the log collectors and cannot be locally stored. Please set the log mode to 'event' in order to use this page.'

  • J-Web recognizes the following settings as the syslog file that contains the traffic log:
    file policy_session {
        any any;                   // Can be any of [any/any, any/info, user/any, user/info]
        match RT_FLOW;             // Must be exactly this match string; J-Web searches the file for RT_FLOW policy logs
        archive world-readable;    // Required
        structured-data;           // Preferred for fast searching when using filters
    }
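As an added example (not part of this KB article or any Juniper tool), the checks above can be applied to a configuration exported with `show configuration | display set`: the checker below flags a missing event mode, a conflicting `security log stream` stanza, and a traffic-log file that lacks the facility/severity, `archive world-readable` or `structured-data` settings J-Web expects. The two sample configurations are constructed for the example.

```python
import re

# Facility/severity selectors J-Web accepts on the traffic-log file (from the KB).
ALLOWED_SELECTORS = {("any", "any"), ("any", "info"), ("user", "any"), ("user", "info")}
# Keywords under 'file <name>' that are not facility/severity selectors.
FILE_KEYWORDS = ("match", "archive", "structured-data", "explicit-priority")

def check_jweb_traffic_logging(set_lines):
    """Return findings for a config in 'display set' form; an empty list means J-Web should show traffic logs."""
    lines = [l.strip() for l in set_lines if l.strip()]
    findings = []
    if "set security log mode event" not in lines:
        findings.append("security log mode is not 'event'")
    if any(l.startswith("set security log stream ") for l in lines):
        findings.append("security log stream is configured; J-Web refuses stream mode")
    files = {}  # syslog file name -> list of its options
    for l in lines:
        m = re.match(r"set system syslog file (\S+) (.+)", l)
        if m:
            files.setdefault(m.group(1), []).append(m.group(2))
    rt_flow_files = [n for n, opts in files.items() if "match RT_FLOW" in opts]
    if not rt_flow_files:
        findings.append("no syslog file has 'match RT_FLOW'")
    for name in rt_flow_files:
        opts = files[name]
        selectors = {tuple(o.split()) for o in opts
                     if len(o.split()) == 2 and not o.startswith(FILE_KEYWORDS)}
        if not selectors & ALLOWED_SELECTORS:
            findings.append(f"file {name}: facility/severity must be any/any, any/info, user/any or user/info")
        if "archive world-readable" not in opts:
            findings.append(f"file {name}: 'archive world-readable' is required")
        if "structured-data" not in opts:
            findings.append(f"file {name}: 'structured-data' is missing (preferred for filtering)")
    return findings

# Constructed sample: what 'Create log configuration' generates, plus event mode.
GOOD_CONFIG = """set security log mode event
set system syslog file policy_session user info
set system syslog file policy_session match RT_FLOW
set system syslog file policy_session archive size 5120000
set system syslog file policy_session archive world-readable
set system syslog file policy_session structured-data""".splitlines()
# Constructed sample: high-end SRX left in stream mode, log file not world-readable.
BAD_CONFIG = """set security log mode stream
set security log stream traffic-log host 192.0.2.10
set system syslog file traffic user info
set system syslog file traffic match RT_FLOW
set system syslog file traffic archive size 5120000""".splitlines()
```

Run `check_jweb_traffic_logging(GOOD_CONFIG)` to get an empty list; the bad sample yields four findings.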