
SRX Stream Mode does not send logs to NSM/STRM


Article ID: KB21602 | KB Last Updated: 14 Apr 2014 | Version: 3.0
Summary:
This KB provides information on how not to configure Security Logs for STRM / NSM when logs are sent through Dataplane/Revenue ports.
Symptoms:
Goal:
Configure SRX to send logs to the STRM / NSM Server through Dataplane.
Problem:
Security Logs are configured on the SRX as shown below, but STRM / NSM is not receiving any dataplane logs from the SRX:

security {
    log {
        mode stream;
        format sd-syslog;
        source-address 11.11.11.1;
        stream nsm1 {
            severity info;
            format sd-syslog;
            category all;
            host {
                11.11.11.2;
                port 5140;
            }
        }
    }
}

Solution:
On the SRX, Security Logs for STRM/NSM must be configured to be sent through a Dataplane/Revenue port and not through the Control Port. For example, the Security Log cannot have the IP address of FXP0 as its source address, and the Security Log destination in stream mode cannot be routed through FXP0. This means that the log server cannot be in the same subnet as FXP0, and the route to the log server should not be through FXP0.


Unsupported Config:
root@SRX> show interfaces terse
fxp0        up    up
fxp0.0      up    up   inet    11.11.11.1/24

security {
    log {
        mode stream;
        format sd-syslog;
        source-address 11.11.11.1;
        stream nsm1 {
            severity info;
            format sd-syslog;
            category all;
            host {
                11.11.11.2; <<< STRM / NSM should not be on the same subnet as the FXP0 interface
                port 5140;
            }
        }
    }
}

root@SRX> show route 11.11.11.2

inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

11.11.11.0/24 *[Direct/0] 4w5d 00:07:42
> via fxp0.0
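
The three conditions described above (source address on FXP0, log host in the FXP0 subnet, route to the log host via FXP0) can be checked offline against collected CLI output. The following is an added example, not Juniper code; the function names are hypothetical and the sample text is constructed from the values in this article.

```python
import ipaddress
import re

# Constructed sample inputs mirroring the unsupported example in this article.
INTERFACES_TERSE = """\
fxp0        up    up
fxp0.0      up    up   inet    11.11.11.1/24
"""
SECURITY_LOG = """\
security {
    log {
        mode stream;
        source-address 11.11.11.1;
        stream nsm1 {
            host {
                11.11.11.2;
                port 5140;
            }
        }
    }
}
"""
SHOW_ROUTE = """\
11.11.11.0/24 *[Direct/0] 4w5d 00:07:42
> via fxp0.0
"""

def fxp0_interfaces(terse):
    """Return the IPv4 address/prefix of every fxp0 unit in 'show interfaces terse'."""
    return [ipaddress.ip_interface(m.group(1))
            for m in re.finditer(r"^fxp0\.\d+\s.*\binet\s+(\S+)", terse, re.M)]

def check_stream_logging(terse, log_cfg, route_out):
    """Return findings for the stream-mode conditions the article calls unsupported."""
    findings = []
    mgmt = fxp0_interfaces(terse)
    src = re.search(r"source-address\s+([\d.]+);", log_cfg)
    hosts = re.findall(r"host\s*\{\s*([\d.]+);", log_cfg)
    if src and any(ipaddress.ip_address(src.group(1)) == i.ip for i in mgmt):
        findings.append(f"source-address {src.group(1)} is the fxp0 address")
    for h in hosts:
        if any(ipaddress.ip_address(h) in i.network for i in mgmt):
            findings.append(f"log host {h} is in the fxp0 subnet")
    if re.search(r"via\s+fxp0\.\d+", route_out):
        findings.append("route to log host resolves via fxp0")
    return findings

if __name__ == "__main__":
    print("\n".join(check_stream_logging(INTERFACES_TERSE, SECURITY_LOG, SHOW_ROUTE)))
```

An empty result means none of the three conditions was found in the supplied output; it does not confirm that the log server is otherwise reachable.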
