
[SRX] Match condition for logging in system syslog does not work when mode in stream and works with event mode


Article ID: KB23118 | KB Last Updated: 24 Feb 2020 | Version: 5.0
Summary:
This article explains why a match condition configured under system syslog host has no effect when the security log mode is stream, while it works as expected in event mode.
Symptoms:
The match condition (match "!RT_FLOW_SESSION" in the following example) works in event mode but not in stream mode. It works with the following configuration (assuming 10.0.0.2 is the syslog server):
  • Event mode (working)
set system syslog host 10.0.0.2 any any
set system syslog host 10.0.0.2 match "!RT_FLOW_SESSION"

set security log mode event
set security log format sd-syslog
set security log source-address 10.0.0.1
set security log stream securitylog format syslog
set security log stream securitylog category all
set security log stream securitylog host 10.0.0.2
  • Stream mode (not working)
It does not work with the following configuration:

set system syslog host 10.0.0.2 any any
set system syslog host 10.0.0.2 match "!RT_FLOW_SESSION"

set security log mode stream
set security log format sd-syslog
set security log source-address 10.0.0.1
set security log stream securitylog format syslog
set security log stream securitylog category all
set security log stream securitylog host 10.0.0.2
Solution:
This is by design. The Routing Engine (RE) is the component that applies the match condition and filters the log messages. In stream mode on high-end SRX devices, the security logs are streamed out of the data plane directly and never reach the RE, so the match condition has no effect; it only works in event mode, where the logs pass through the RE.
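To make the explanation above concrete, the following small Python model (added here; it is not Juniper code, and the message texts are constructed, not real SRX output) walks messages through the two log paths: in event mode every message passes through the Routing Engine, where the syslog host's match expression is applied; in stream mode the data plane sends the security logs straight to the stream host, so the RE filter never sees them. The match handling follows the Junos semantics that matter here: the expression is a regular expression, and a leading "!" inverts it so that only non-matching messages are forwarded.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample messages (all values are made up). Each entry is
# (origin, text): security logs originate on the data plane (SPU) and
# system events originate on the Routing Engine (RE).
SAMPLE_MESSAGES: List[Tuple[str, str]] = [
    ("data-plane", "RT_FLOW_SESSION_CREATE: session created 192.168.0.10/40000->10.0.0.5/443 junos-https"),
    ("data-plane", "RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.0.10/40000->10.0.0.5/443 junos-https"),
    ("data-plane", "RT_FLOW_SESSION_DENY: session denied 192.168.0.11/5000->10.0.0.5/23 junos-telnet"),
    ("data-plane", "IDP_ATTACK_LOG_EVENT: attack detected 192.168.0.10/40001->10.0.0.5/80"),
    ("re", "UI_COMMIT: User 'admin' requested 'commit' operation"),
]


def parse_match(expr: str):
    """Split a Junos 'match' string into (negate, compiled regex).

    A leading '!' means: forward only the messages that do NOT match.
    """
    negate = expr.startswith("!")
    return negate, re.compile(expr[1:] if negate else expr)


def apply_match(messages: List[str], match_expr: str) -> List[str]:
    """The RE-side filter: keep a message when (matches) XOR (negated)."""
    negate, regex = parse_match(match_expr)
    return [m for m in messages if (regex.search(m) is not None) != negate]


def deliver(messages: List[Tuple[str, str]], match_expr: str, log_mode: str) -> Dict[str, List[str]]:
    """Model what the collector receives, keyed by path.

    'syslog' = messages that went through the RE (match applied);
    'stream' = messages the data plane sent directly (no match applied).
    """
    if log_mode == "event":
        # Event mode: everything, including security logs, goes via the RE.
        re_inbox = [text for _, text in messages]
        stream_out: List[str] = []
    elif log_mode == "stream":
        # Stream mode: security logs bypass the RE; only RE events are filtered.
        re_inbox = [text for origin, text in messages if origin == "re"]
        stream_out = [text for origin, text in messages if origin == "data-plane"]
    else:
        raise ValueError(f"unknown security log mode {log_mode!r}")
    return {"syslog": apply_match(re_inbox, match_expr), "stream": stream_out}


def count_session_messages(delivered: Dict[str, List[str]]) -> int:
    """How many RT_FLOW_SESSION messages reach the collector over both paths."""
    return sum("RT_FLOW_SESSION" in m for path in delivered.values() for m in path)


if __name__ == "__main__":
    for mode in ("event", "stream"):
        result = deliver(SAMPLE_MESSAGES, "!RT_FLOW_SESSION", mode)
        print(f"--- security log mode {mode} ---")
        for path, msgs in result.items():
            for m in msgs:
                print(f"[{path}] {m}")
        print(f"RT_FLOW_SESSION messages at collector: {count_session_messages(result)}")
```

Running the block shows that the collector at 10.0.0.2 still receives all three RT_FLOW_SESSION messages in stream mode, over the stream path rather than the filtered syslog path, while in event mode none of them get through. Any suppression of those messages in stream mode therefore has to happen at the collector or at the source (the policy-level session-init/session-close logging), not under system syslog host ... match.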


SRX high-end device full configuration example

system {
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
    syslog {
        host 10.0.0.2 {
            any any;
            match "!RT_FLOW_SESSION";
        }
    }
}

interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family inet {
                address 192.168.0.2/24;
            }
        }
    }
}

security {
    log {
        mode stream;
        format sd-syslog;
        source-address 10.0.0.1;
        stream securitylog {
            format syslog;
            category all;
            host {
                10.0.0.2;
            }
        }
    }
    zones {
        security-zone one {
            interfaces {
                ge-0/0/4.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone two {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone one to-zone two {
            policy 1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone two to-zone one {
            policy 1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
}
