
How to Verify if SRX is Forwarding Data Plane Log Packets to STRM


Article ID: KB19632 | Last Updated: 04 Feb 2011 | Version: 2.0
Summary:
An SRX High End device is configured to send data plane logs to STRM. For troubleshooting, you want to determine whether the SRX is actually forwarding those logs to the STRM server.
Symptoms:
  • SRX-3400
  • SRX-3600
  • SRX-5600
  • SRX-5800
  • An SRX High End device is configured to send security logs, in stream mode, to an STRM server. You need to verify that the SRX is forwarding the data plane logging packets out on the wire.
Solution:
To determine whether the data plane log packets are being forwarded by the SRX device, you can set up a firewall filter that logs these packets at the data plane level. This is best shown through an example.

For this example, assume an SRX-3400 in a cluster, with the data plane logs sent out via the reth1.0 interface. Set up a firewall filter with one term that logs and accepts packets destined for the STRM collector (destination address 172.22.145.21, UDP port 514), followed by a catch-all term that accepts everything else. The trailing term is required because a Junos firewall filter ends with an implicit discard; without it, all other traffic leaving reth1.0 would be dropped once the filter is applied:

firewall {
    filter strm-filter {
        term datalog {
            from {
                destination-address {
                    172.22.145.21/32;
                }
                destination-port 514;
            }
            then {
                log;
                accept;
            }
        }
        term allow {
            then accept;
        }
    }
}
Once the firewall filter is defined, apply it as an output filter on the reth1.0 interface (within the interfaces hierarchy):

reth1 {
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 0 {
        family inet {
            filter {
                output strm-filter;
            }
            address 172.22.145.61/24;
        }
    }
}
Once this is configured, commit the configuration. You can then verify that the SRX is sending data plane logs to STRM by looking at the firewall log details; each logged packet destined for the STRM address on UDP port 514 confirms that a log packet left the interface:

{primary:node0}
root@FTC-FW> show firewall log detail
Time of Log: 2010-12-22 07:50:19 PST, Filter: pfe, Filter action: accept, Name of interface: local
Name of protocol: UDP, Packet Length: 551, Source address: 172.22.145.61:514, Destination address: 172.22.145.21:514
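When a filter is logging a busy interface, reading the `show firewall log detail` output by eye is tedious. The following is an added example (not part of the KB article and not a Juniper tool) that parses that output in the two-line format shown above and counts only the entries that match the STRM collector address and port. The sample output embedded in it is constructed: the first entry copies the one in the article, the second is a made-up non-syslog packet to show that it is filtered out.

```python
import re
from dataclasses import dataclass

# Constructed sample of `show firewall log detail` output. The first entry
# reproduces the one in the KB article; the second is invented to show a
# packet to the same host that is NOT a syslog packet.
SAMPLE_OUTPUT = """\
Time of Log: 2010-12-22 07:50:19 PST, Filter: pfe, Filter action: accept, Name of interface: local
Name of protocol: UDP, Packet Length: 551, Source address: 172.22.145.61:514, Destination address: 172.22.145.21:514
Time of Log: 2010-12-22 07:50:20 PST, Filter: pfe, Filter action: accept, Name of interface: local
Name of protocol: TCP, Packet Length: 60, Source address: 172.22.145.61:44032, Destination address: 172.22.145.21:22
"""


@dataclass
class LogEntry:
    time: str
    filter_name: str
    action: str
    interface: str
    protocol: str
    length: int
    src: str   # "ip:port" as printed by the CLI
    dst: str   # "ip:port" as printed by the CLI


# One logged packet spans two lines: the "Time of Log" line and the
# "Name of protocol" line that follows it.
ENTRY_RE = re.compile(
    r"Time of Log: (?P<time>.+?), Filter: (?P<filter>\S+), "
    r"Filter action: (?P<action>\S+), Name of interface: (?P<iface>\S+)\n"
    r"Name of protocol: (?P<proto>\S+), Packet Length: (?P<len>\d+), "
    r"Source address: (?P<src>\S+), Destination address: (?P<dst>\S+)"
)


def parse_firewall_log(text):
    """Parse CLI output into LogEntry records, skipping anything unparseable."""
    return [
        LogEntry(
            m["time"], m["filter"], m["action"], m["iface"],
            m["proto"], int(m["len"]), m["src"], m["dst"],
        )
        for m in ENTRY_RE.finditer(text)
    ]


def strm_log_packets(entries, collector_ip, port=514):
    """Return only entries that are accepted UDP packets to the STRM collector."""
    target = f"{collector_ip}:{port}"
    return [
        e for e in entries
        if e.protocol == "UDP" and e.dst == target and e.action == "accept"
    ]


def summarize(text, collector_ip, port=514):
    """Count matching log packets and bytes; zero means nothing reached the filter."""
    matched = strm_log_packets(parse_firewall_log(text), collector_ip, port)
    return {"packets": len(matched), "bytes": sum(e.length for e in matched)}


if __name__ == "__main__":
    # Collector address taken from the article's filter configuration.
    print(summarize(SAMPLE_OUTPUT, "172.22.145.21"))
```

In practice you would pipe the real CLI output into `summarize()` (for example from a file captured with `show firewall log detail | save`); a result of zero packets while the STRM server reports no logs points at the SRX side, whereas non-zero packets with nothing arriving points at the network path or the collector.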



Case ID: 17006CL
