How to Verify if SRX is Forwarding Data Plane Log Packets to STRM

  [KB19632]

An SRX High End device is configured to send data plane logs to STRM, and for troubleshooting purposes you would like to determine whether the SRX is forwarding the logs to the STRM server.
  • SRX-3400
  • SRX-3600
  • SRX-5600
  • SRX-5800
  • An SRX High End device is configured to send security logs, in stream mode, to an STRM server. You need to verify whether the SRX device is forwarding the data plane logging packets out on the wire.
To determine whether the data plane log packets are being forwarded by the SRX device, you can set up firewall filters to log these packets at the data plane level. This is best shown through an example.

For this example, let's assume we have an SRX-3400 in a cluster. The data plane logs are being sent out via the reth1.0 interface. Set up a firewall filter that logs and accepts the packets sent to the STRM server on port 514, followed by a term that accepts all other traffic:

    firewall {
        filter strm-filter {
            term datalog {
                from {
                    destination-address {
                        <STRM-server-address>;
                    }
                    destination-port 514;
                }
                then {
                    log;
                    accept;
                }
            }
            term allow {
                then accept;
            }
        }
    }

Once you have the firewall filter defined, apply it as an output filter on the reth1.0 interface:

    interfaces {
        reth1 {
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 0 {
                family inet {
                    filter {
                        output strm-filter;
                    }
                }
            }
        }
    }

Once this is configured, commit this configuration.  You can verify the SRX is sending data plane logs to STRM by looking at the firewall log details:

root@FTC-FW> show firewall log detail
Time of Log: 2010-12-22 07:50:19 PST, Filter: pfe, Filter action: accept, Name of interface: local
Name of protocol: UDP, Packet Length: 551, Source address:, Destination address:
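
To check a longer capture of this output without reading it by eye, the following added example (not part of the original article) parses the two-line entries and summarises the accepted UDP packets sent to the STRM collector. The sample text is constructed with documentation-range addresses, the `:port` suffix on addresses is an assumption about the full output, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the "show firewall log detail" output above.
# Addresses are documentation-range placeholders; the ":port" suffix is an assumption.
SAMPLE = """\
Time of Log: 2010-12-22 07:50:19 PST, Filter: pfe, Filter action: accept, Name of interface: local
Name of protocol: UDP, Packet Length: 551, Source address: 192.0.2.10:1514, Destination address: 198.51.100.20:514
Time of Log: 2010-12-22 07:50:21 PST, Filter: pfe, Filter action: accept, Name of interface: local
Name of protocol: TCP, Packet Length: 60, Source address: 192.0.2.10:51000, Destination address: 198.51.100.99:22
Time of Log: 2010-12-22 07:50:24 PST, Filter: pfe, Filter action: accept, Name of interface: local
Name of protocol: UDP, Packet Length: 498, Source address: 192.0.2.10:1514, Destination address: 198.51.100.20:514
"""

# One entry spans two lines; the timezone and the ":port" suffixes are optional.
ENTRY = re.compile(
    r"Time of Log: (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)(?: \w+)?, Filter: (?P<filter>[^,]+), "
    r"Filter action: (?P<action>\w+), Name of interface: (?P<ifname>\S+)\s+"
    r"Name of protocol: (?P<proto>\w+), Packet Length: (?P<length>\d+), "
    r"Source address: (?P<src>[\d.]+)(?::(?P<sport>\d+))?, "
    r"Destination address: (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

def parse_entries(text):
    """Yield one dict per two-line log entry."""
    for m in ENTRY.finditer(text):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        e["length"] = int(e["length"])
        yield e

def syslog_to_collector(text, collector, port="514"):
    """Summarise accepted UDP packets sent to the collector (port checked only if logged)."""
    hits = [e for e in parse_entries(text)
            if e["proto"] == "UDP" and e["action"] == "accept"
            and e["dst"] == collector and e["dport"] in (None, port)]
    return {
        "packets": len(hits),
        "bytes": sum(e["length"] for e in hits),
        "last_seen": max((e["ts"] for e in hits), default=None),
    }

if __name__ == "__main__":
    print(syslog_to_collector(SAMPLE, "198.51.100.20"))
```

A result of zero packets, or a `last_seen` time that stops advancing while sessions are still being logged, indicates the log packets are not leaving the SRX toward the collector.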
