
[SRX] How to generate syslog messages for IPsec and limit syslog to capture only IPsec logs


Article ID: KB25090    Last Updated: 29 Jul 2020    Version: 5.0
Summary:

This article provides information on how to generate syslog messages for IPsec and limit syslog to capture only IPsec logs.

Solution:
When configuring a syslog file, the following facilities and options are displayed:
SRX650-Branch1# set system syslog file vpn-syslog ?
 Possible completions:
  allow-duplicates     Do not suppress the repeated message
  any                  All facilities
  + apply-groups         Groups from which to inherit configuration data
  + apply-groups-except  Don't inherit configuration data from these groups
  > archive              Archive file information
  authorization        Authorization system
  change-log           Configuration change log
  conflict-log         Configuration conflict log
  daemon               Various system processes < Notice the 'daemon' option. It is to be used for IPsec.
  dfc                  Dynamic flow capture
  explicit-priority    Include priority and facility in messages
  external             Local external applications
  firewall             Firewall filtering system
  ftp                  FTP process
  interactive-commands  Commands executed by the UI
  kernel               Kernel
  match                Regular expression for lines to be logged
  ntp                  NTP process
  pfe                  Packet Forwarding Engine
  security             Security related  < Notice the 'security' option, which seems like the suitable match; but it is not.
  > structured-data      Log system message in structured format
  user                 User processes
The security facility looks like the natural choice, but it is not: IKE and IPsec messages are not logged under it. The correct facility to use is daemon. The key management daemon (kmd), which performs the IKE negotiations and installs the IPsec SAs, logs under daemon, as do many other system processes, so the file will also contain unrelated messages unless a match filter is added.

Verification:

Configure the syslogs:
[edit]
root@D10_31-SRX650-Branch1# set system syslog file vpn-syslog daemon any
[edit]
root@D10_31-SRX650-Branch1# commit

[edit]
root@D10_31-SRX650-Branch1# run show security ipsec security-associations 
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway   
  <131073 ESP:3des/sha1 6a4410fe 3580/ unlim   U   root 500   1.1.2.1         
  >131073 ESP:3des/sha1 6cf0880f 3580/ unlim   U   root 500   1.1.2.1
Clear the IKE security association to force the tunnel to renegotiate:
[edit]
root@D10_31-SRX650-Branch1# run clear security ike security-associations
Display the log file. Besides the kmd (IKE/IPsec) messages, the daemon facility also captures rpd and mib2d events for the st0.0 interface, which are not wanted here:
[edit]
root@D10_31-SRX650-Branch1# run show log vpn-syslog
Jun 21 11:35:53 D10_31-SRX650-Branch1 clear-log[88880]: logfile cleared
Jun 21 11:36:18 D10_31-SRX650-Branch1 rpd[1166]: EVENT <UpDown> st0.0 index 70 <Broadcast PointToPoint Multicast>
Jun 21 11:36:18 D10_31-SRX650-Branch1 mib2d[1187]: SNMP_TRAP_LINK_DOWN: ifIndex 622, ifAdminStatus up(1), ifOperStatus down(2), ifName st0.0
Jun 21 11:36:18 D10_31-SRX650-Branch1 rpd[1166]: EVENT UpDown st0.0 index 70 <Broadcast PointToPoint Multicast Localup>
Jun 21 11:36:18 D10_31-SRX650-Branch1 rpd[1166]: EVENT UpDown st0.0 index 70 50.50.50.1 -> 50.50.50.1 <Broadcast PointToPoint Multicast Localup>
Jun 21 11:36:18 D10_31-SRX650-Branch1 rpd[1166]: bgp_ifachange_group:6517: NOTIFICATION sent to 50.50.50.10 (External AS 65010): code 6 (Cease) subcode 6 (Other Configuration Change), Reason: Interface change for the peer-group
Jun 21 11:36:18 D10_31-SRX650-Branch1 rpd[1166]: RPD_OSPF_NBRDOWN: OSPF neighbor 50.50.50.10 (realm ospf-v2 st0.0 area 0.0.0.0) state changed from Full to Down due to KillNbr (event reason: interface went down)
Jun 21 11:36:18 D10_31-SRX650-Branch1 kmd[1169]: IKE Phase-1: Negotiation completed; SA expires on Thu Jun 21 2012 19:36:18 -0700 { 63dfceb0 0a6584ff - 4dd55033 15b86bfa } - [local_id=ipv4(udp:500,[0..3]=1.1.1.1), local_ip=1.1.1.1, local_port=500, remote_id=ipv4(any:0,[0..3]=1.1.2.1), remote_ip=1.1.2.1, remote_port=500]
Jun 21 11:36:18 D10_31-SRX650-Branch1 kmd[1169]: IKE Phase-1: (Initiator) The symmetric crypto key has been generated Successfully [local_ip=1.1.1.1, local_port=500, remote_ip=1.1.2.1, remote_port=0]
Jun 21 11:36:18 D10_31-SRX650-Branch1 kmd[1169]: IKE Phase-2: (Initiator) The symmetric crypto key has been generated Successfully [local_ip=1.1.1.1, local_port=500, remote_ip=1.1.2.1, remote_port=500]
Jun 21 11:36:18 D10_31-SRX650-Branch1 rpd[1166]: EVENT <UpDown> st0.0 index 70 <Up Broadcast PointToPoint Multicast>
Jun 21 11:36:18 D10_31-SRX650-Branch1 rpd[1166]: EVENT UpDown st0.0 index 70 <Up Broadcast PointToPoint Multicast>
Jun 21 11:36:18 D10_31-SRX650-Branch1 kmd[1169]: KMD_PM_SA_ESTABLISHED: Local gateway: 1.1.1.1, Remote gateway: 1.1.2.1, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 1340c4ec, AUX-SPI: 0, Mode: tunnel, Type: dynamic
Jun 21 11:36:18 D10_31-SRX650-Branch1 kmd[1169]: IKE Phase-2: Completed negotiations, connection established with tunnel-ID:131073 and lifetime 2985 seconds/0 KB - Local gateway: 1.1.1.1, Remote gateway: 1.1.2.1, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Protocol: ESP, Auth algo: sha1, Encryption algo: 3des-cbc, Direction: inbound, SPI: 1340c4ec, AUX-SPI: 0, Mode: tunnel, Type: dynamic
Jun 21 11:36:18 D10_31-SRX650-Branch1 kmd[1169]: KMD_PM_SA_ESTABLISHED: Local gateway: 1.1.1.1, Remote gateway: 1.1.2.1, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 35d1965, AUX-SPI: 0, Mode: tunnel, Type: dynamic
Jun 21 11:36:18 D10_31-SRX650-Branch1 kmd[1169]: IKE Phase-2: Completed negotiations, connection established with tunnel-ID:131073 and lifetime 2985 seconds/0 KB - Local gateway: 1.1.1.1, Remote gateway: 1.1.2.1, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Protocol: ESP, Auth algo: sha1, Encryption algo: 3des-cbc, Direction: outbound, SPI: 35d1965, AUX-SPI: 0, Mode: tunnel, Type: dynamic
Jun 21 11:36:18 D10_31-SRX650-Branch1 mib2d[1187]: SNMP_TRAP_LINK_UP: ifIndex 622, ifAdminStatus up(1), ifOperStatus up(1), ifName st0.0
Jun 21 11:36:18 D10_31-SRX650-Branch1 rpd[1166]: EVENT UpDown st0.0 index 70 50.50.50.1 -> 50.50.50.1 <Up Broadcast PointToPoint Multicast>
To limit the file to IPsec-related messages, add a match statement. The resulting configuration, shown with 'show system syslog | display set', is:
[edit]
root@D10_31-SRX650-Branch1# show system syslog | display set 
set system syslog file vpn-syslog daemon any
set system syslog file vpn-syslog match kmd  < Notice the 'kmd' keyword here. The match statement takes a regular expression, so more specific filters (for example a message tag such as KMD_PM_SA_ESTABLISHED) can be used. This is just one example.
Now toggle the tunnel and notice the output:
[edit]
root@D10_31-SRX650-Branch1# run clear log vpn-syslog

[edit]
root@D10_31-SRX650-Branch1# run clear security ipsec security-associations

[edit]
root@D10_31-SRX650-Branch1# run show log vpn-syslog
Jun 21 11:37:14 D10_31-SRX650-Branch1 clear-log[89157]: logfile cleared
Jun 21 11:37:17 D10_31-SRX650-Branch1 kmd[1169]: IKE Phase-2: (Initiator) The symmetric crypto key has been generated Successfully [local_ip=1.1.1.1, local_port=500, remote_ip=1.1.2.1, remote_port=500]
Jun 21 11:37:17 D10_31-SRX650-Branch1 kmd[1169]: KMD_PM_SA_ESTABLISHED: Local gateway: 1.1.1.1, Remote gateway: 1.1.2.1, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 99f58e0f, AUX-SPI: 0, Mode: tunnel, Type: dynamic
Jun 21 11:37:17 D10_31-SRX650-Branch1 kmd[1169]: KMD_PM_SA_ESTABLISHED: Local gateway: 1.1.1.1, Remote gateway: 1.1.2.1, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 39ad5bab, AUX-SPI: 0, Mode: tunnel, Type: dynamic
Jun 21 11:37:17 D10_31-SRX650-Branch1 kmd[1169]: IKE Phase-2: Completed negotiations, connection established with tunnel-ID:131073 and lifetime 2982 seconds/0 KB - Local gateway: 1.1.1.1, Remote gateway: 1.1.2.1, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Protocol: ESP, Auth algo: sha1, Encryption algo: 3des-cbc, Direction: inbound, SPI: 99f58e0f, AUX-SPI: 0, Mode: tunnel, Type: dynamic
Jun 21 11:37:17 D10_31-SRX650-Branch1 kmd[1169]: IKE Phase-2: Completed negotiations, connection established with tunnel-ID:131073 and lifetime 2982 seconds/0 KB - Local gateway: 1.1.1.1, Remote gateway: 1.1.2.1, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Protocol: ESP, Auth algo: sha1, Encryption algo: 3des-cbc, Direction: outbound, SPI: 39ad5bab, AUX-SPI: 0, Mode: tunnel, Type: dynamic

This time, the output is much more specific to IPsec. Only Phase-2 messages appear because only the IPsec SA was cleared in this test; the IKE (Phase-1) SA stayed up and did not need to be renegotiated.
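The filtered file is usually consumed off-box (by a SIEM or a script) rather than read with 'show log'. The following Python script is an added example and is not part of this article or of Junos: it reproduces the effect of the 'match kmd' statement offline with a regular expression, parses the kmd Phase-2 messages into structured records, and flags SAs that were negotiated with deprecated algorithms. The log lines embedded in it are copied from the unfiltered output above; the DEPRECATED_ENC and DEPRECATED_AUTH sets are an assumption for the example and use the algorithm names exactly as kmd prints them in those lines.

```python
"""Filter and parse SRX kmd syslog lines offline.

Added example, not from the Juniper article or from Junos. match_filter()
mimics the Junos `match <regex>` statement; parse_phase2() extracts the
fields of the "IKE Phase-2: Completed negotiations" message; weak_sas()
applies an assumed algorithm policy to the parsed SAs.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Sample input: lines copied from the article's unfiltered `show log vpn-syslog`.
SAMPLE_LOG = """\
Jun 21 11:36:18 D10_31-SRX650-Branch1 rpd[1166]: EVENT <UpDown> st0.0 index 70 <Broadcast PointToPoint Multicast>
Jun 21 11:36:18 D10_31-SRX650-Branch1 mib2d[1187]: SNMP_TRAP_LINK_DOWN: ifIndex 622, ifAdminStatus up(1), ifOperStatus down(2), ifName st0.0
Jun 21 11:36:18 D10_31-SRX650-Branch1 kmd[1169]: IKE Phase-1: (Initiator) The symmetric crypto key has been generated Successfully [local_ip=1.1.1.1, local_port=500, remote_ip=1.1.2.1, remote_port=0]
Jun 21 11:36:18 D10_31-SRX650-Branch1 kmd[1169]: KMD_PM_SA_ESTABLISHED: Local gateway: 1.1.1.1, Remote gateway: 1.1.2.1, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 1340c4ec, AUX-SPI: 0, Mode: tunnel, Type: dynamic
Jun 21 11:36:18 D10_31-SRX650-Branch1 kmd[1169]: IKE Phase-2: Completed negotiations, connection established with tunnel-ID:131073 and lifetime 2985 seconds/0 KB - Local gateway: 1.1.1.1, Remote gateway: 1.1.2.1, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Protocol: ESP, Auth algo: sha1, Encryption algo: 3des-cbc, Direction: inbound, SPI: 1340c4ec, AUX-SPI: 0, Mode: tunnel, Type: dynamic
Jun 21 11:36:18 D10_31-SRX650-Branch1 kmd[1169]: IKE Phase-2: Completed negotiations, connection established with tunnel-ID:131073 and lifetime 2985 seconds/0 KB - Local gateway: 1.1.1.1, Remote gateway: 1.1.2.1, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Protocol: ESP, Auth algo: sha1, Encryption algo: 3des-cbc, Direction: outbound, SPI: 35d1965, AUX-SPI: 0, Mode: tunnel, Type: dynamic
Jun 21 11:36:18 D10_31-SRX650-Branch1 mib2d[1187]: SNMP_TRAP_LINK_UP: ifIndex 622, ifAdminStatus up(1), ifOperStatus up(1), ifName st0.0
"""

# Classic Junos syslog header: "<Mon dd HH:MM:SS> <host> <process>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Fields of the kmd "IKE Phase-2: Completed negotiations" message as printed above.
PHASE2_RE = re.compile(
    r"IKE Phase-2: Completed negotiations, connection established with "
    r"tunnel-ID:(?P<tid>\d+) and lifetime (?P<life>\d+) seconds/\d+ KB - "
    r"Local gateway: (?P<lgw>[\d.]+), Remote gateway: (?P<rgw>[\d.]+), .*?"
    r"Protocol: (?P<proto>\w+), Auth algo: (?P<auth>[\w-]+), "
    r"Encryption algo: (?P<enc>[\w-]+), Direction: (?P<dir>\w+), "
    r"SPI: (?P<spi>[0-9a-f]+)"
)


def match_filter(lines: Iterable[str], pattern: str) -> List[str]:
    """Keep only lines the regex matches anywhere, like `set system syslog file <f> match <pattern>`."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


@dataclass
class Phase2SA:
    host: str
    tunnel_id: int
    local_gw: str
    remote_gw: str
    protocol: str
    auth_algo: str
    enc_algo: str
    direction: str
    spi: str
    lifetime_sec: int


def parse_phase2(line: str) -> Optional[Phase2SA]:
    """Return a Phase2SA for a kmd Phase-2 completion message, or None for any other line."""
    m = SYSLOG_RE.match(line)
    if not m or m["proc"] != "kmd":
        return None
    p = PHASE2_RE.search(m["msg"])
    if not p:
        return None
    return Phase2SA(
        host=m["host"], tunnel_id=int(p["tid"]), local_gw=p["lgw"],
        remote_gw=p["rgw"], protocol=p["proto"], auth_algo=p["auth"],
        enc_algo=p["enc"], direction=p["dir"], spi=p["spi"],
        lifetime_sec=int(p["life"]),
    )


# Assumed policy for this example: algorithm names as kmd prints them.
DEPRECATED_ENC = {"des-cbc", "3des-cbc"}
DEPRECATED_AUTH = {"md5", "sha1"}


def weak_sas(lines: Iterable[str]) -> List[Phase2SA]:
    """Parsed Phase-2 SAs whose encryption or integrity algorithm is on the deprecated list."""
    sas = [sa for sa in map(parse_phase2, lines) if sa is not None]
    return [sa for sa in sas if sa.enc_algo in DEPRECATED_ENC or sa.auth_algo in DEPRECATED_AUTH]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    kept = match_filter(lines, "kmd")
    print(f"{len(lines)} lines in, {len(kept)} kept by match 'kmd'")
    for sa in weak_sas(lines):
        print(f"tunnel {sa.tunnel_id} {sa.direction} SPI {sa.spi} to {sa.remote_gw}: "
              f"{sa.enc_algo}/{sa.auth_algo} is deprecated")
```

The regex in match_filter is applied to the whole line, so 'kmd' also matches the process name 'kmd[1169]' the way the Junos match statement does in the article; a tighter pattern such as 'KMD_PM_SA_ESTABLISHED' would keep only the SA-established messages.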

Notes:

  • On high-end SRX platforms the procedure above is the same, but the kmd messages may not appear in the file as expected if the system (Routing Engine) clock is out of sync with the SPU clocks.
  • Configure NTP and make sure that the clock is synchronized between the system and all of the SPCs.
  • Once the NTP association is correctly established, the syslog file is populated as expected.
Modification History:
2020-07-28: Article reviewed for accuracy; no changes required.