This KB provides information on how not to configure Security Logs for STRM / NSM when logs are sent through Dataplane/Revenue ports.
Goal: Configure SRX to send logs to the STRM / NSM Server through Dataplane.
Problem:
Security Logs are configured on the SRX as below, but STRM / NSM is not receiving any dataplane logs from the SRX:
security {
    log {
        mode stream;
        format sd-syslog;
        source-address 11.11.11.1;
        stream nsm1 {
            severity info;
            format sd-syslog;
            category all;
            host {
                11.11.11.2;
                port 5140;
            }
        }
    }
}
On the SRX, Security Logs for STRM/NSM must be configured to be sent through a Dataplane/Revenue port and not through the Control Port. For example, the Security Log cannot have a source IP address of FXP0, and the Security Log destination in stream mode cannot be routed through FXP0. This means that the log server cannot be in the same subnet as FXP0, and the route to the log server should not be through FXP0.
Unsupported Config:
show interface terse
fxp0 up up
fxp0.0 up up inet 11.11.11.1/24
security {
    log {
        mode stream;
        format sd-syslog;
        source-address 11.11.11.1;
        stream nsm1 {
            severity info;
            format sd-syslog;
            category all;
            host {
                11.11.11.2; <<< STRM / NSM should not be on the same subnet as the FXP0 interface
                port 5140;
            }
        }
    }
}
root@SRX> show route 11.11.11.2
inet.0: 11 destinations, 12 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
11.11.11.0/24 *[Direct/0] 4w5d 00:07:42
> via fxp0.0
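The check described above can be automated before committing a stream-mode log configuration. The following is an added example, not part of the original KB or any Juniper tool: the function names are hypothetical, the sample input is trimmed from the unsupported configuration on this page, and it covers only IPv4 and the same-subnet case (it does not perform a route lookup for hosts reached through a static route via fxp0).

```python
import ipaddress
import re

# Sample input trimmed from the unsupported configuration shown on this page.
TERSE = """\
fxp0 up up
fxp0.0 up up inet 11.11.11.1/24
"""
CONFIG = """\
security {
    log {
        mode stream;
        source-address 11.11.11.1;
        stream nsm1 {
            host {
                11.11.11.2;
                port 5140;
            }
        }
    }
}
"""

def fxp0_networks(terse):
    """Return the inet addresses (with prefix) configured on fxp0 units."""
    pat = re.compile(r"^fxp0\.\d+\s+\S+\s+\S+\s+inet\s+(\S+)", re.M)
    return [ipaddress.ip_interface(a) for a in pat.findall(terse)]

def check_stream_log(config, terse):
    """List the reasons this stream-mode log config would use fxp0."""
    mgmt = fxp0_networks(terse)
    problems = []
    src = re.search(r"source-address\s+([\d.]+);", config)
    if src:
        ip = ipaddress.ip_address(src.group(1))
        if any(ip == m.ip for m in mgmt):
            problems.append(f"source-address {ip} is the fxp0 address")
    # Stream hosts: a bare IPv4 address on the line after "host {".
    for host in re.findall(r"host\s*\{\s*([\d.]+);", config):
        ip = ipaddress.ip_address(host)
        if any(ip in m.network for m in mgmt):
            problems.append(f"log host {ip} is in the fxp0 subnet")
    return problems

if __name__ == "__main__":
    for p in check_stream_log(CONFIG, TERSE):
        print("UNSUPPORTED:", p)
```

An empty list means neither the source address nor any stream host falls on the fxp0 interface or its subnet.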