
[SRX-IDP/STRM] How to forward syslogs with packet logging (PCAP) from SRX to STRM


Article ID: KB28786 | KB Last Updated: 24 Nov 2015 | Version: 3.0
Summary:

This article describes how to forward syslogs with packet logging (PCAP) from an SRX device to an external syslog server, such as STRM. It explains the types of logs, and includes a sample configuration on the SRX device.

Note: This feature is supported only on high-end SRX platforms (such as the SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800).

Symptoms:

The goal is to show how to forward syslogs with packet logging (PCAP) from SRX to STRM. The example below uses port 5; any port can be used, but the same port must be configured on both the SRX and STRM. PCAPs are sent over UDP.

Solution:

Step 1: Enable packet capture and logging on the IDP policy level

set security idp idp-policy Test rulebase-ips rule 1 then notification log-attacks
set security idp idp-policy Test rulebase-ips rule 1 then notification packet-log pre-attack 10
set security idp idp-policy Test rulebase-ips rule 1 then notification packet-log post-attack 3
set security idp idp-policy Test rulebase-ips rule 1 then notification packet-log post-attack-timeout 60

Note: The commands above set only the notification options; the rule's match conditions and action must also be configured for the rule to be complete.


Step 2: Enable packet capture on the IDP sensor level

set security idp sensor-configuration packet-log total-memory 5
set security idp sensor-configuration packet-log max-sessions 15
set security idp sensor-configuration packet-log source-address 10.0.0.1
set security idp sensor-configuration packet-log host 10.0.0.2
set security idp sensor-configuration packet-log host port 5

Note: Once the packet capture object is ready, the SRX transmits the packet captures from source IP 10.0.0.1 to port 5 on 10.0.0.2 (STRM). If the log source IP that STRM has recorded for the SRX differs from the source address configured here, STRM will not associate the PCAP with that log source and will not display the log with PCAP in the WebUI. The PCAP itself is still stored on STRM under the directory /store/pcap/.

Important: The IDP option must be enabled in the firewall policy to send the traffic to the IDP module.


Step 3: Add the log source in the STRM

Admin -> Data Source -> Events -> Log Sources

Add the log source with the configuration below:

Log Source Type -> Juniper SRX-series Services Gateway
Protocol Configuration -> PCAP Syslog Combination
Incoming Port -> 5
(Configured on SRX: set security idp sensor-configuration packet-log host port 5)

Note: Other information, like log source name and IP, also needs to be configured.


Step 4: Verify the configuration on the SRX

Packet capture configuration on the IDP sensor level:

root@SRX# show security idp sensor-configuration
packet-log {
  total-memory 5;
  max-sessions 15;
  source-address 10.0.0.1;
  host {
    10.0.0.2;
    port 5;
  }
}

Packet capture and logging configuration on the IDP policy level:

root@SRX# show security idp idp-policy LAB_Test
rulebase-ips {
    rule 1 {
        match {
            source-address any;
            destination-address any;
            application default;
            attacks {
                predefined-attacks [ ICMP:INFO:ECHO-REQUEST ICMP:INFO:ECHO-REPLY ];
            }
        }
        then {
            action {
                no-action;
            }
            notification {
                log-attacks;
                packet-log {
                    pre-attack 10;
                    post-attack 3;
                    post-attack-timeout 60;
                }
            }
        }
    }
}

Note: Other parameters, such as attacks, source-address, and destination-address, are shown for reference only; they are not part of the PCAP forwarding configuration and will differ in your environment.


Step 5: Verify the configuration on the STRM

Navigate to the path:

Admin -> Data Source -> Events -> Log Sources

Verify the information below:

Log Source Status -> Success
Protocol -> PCAPSyslog
Log Source Type -> Juniper SRX-series Services Gateway
Enabled -> True
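The two settings that Steps 2 and 3 require to agree (the packet-log host port versus the STRM incoming port, and the packet-log source-address versus the STRM log source IP) are easy to get wrong on one side only. The following script is an added example, not part of this article or a Juniper tool: it parses the `show security idp sensor-configuration` output from Step 4 and reports any mismatch against the STRM log source definition. The STRM field names are assumptions for illustration, not an STRM export format.

```python
import re

# Constructed sample: the 'show security idp sensor-configuration' output from Step 4.
SENSOR_CONFIG = """\
packet-log {
  total-memory 5;
  max-sessions 15;
  source-address 10.0.0.1;
  host {
    10.0.0.2;
    port 5;
  }
}
"""

# Constructed STRM log-source settings from Step 3 (field names are assumed, not an STRM export format).
STRM_LOG_SOURCE = {"log_source_ip": "10.0.0.1", "strm_ip": "10.0.0.2",
                   "incoming_port": 5, "protocol": "PCAP Syslog Combination"}

def parse_packet_log(text):
    """Pull the packet-log source-address, host and port out of Junos 'show' output."""
    cfg = {}
    m = re.search(r"source-address\s+(\S+);", text)
    if m:
        cfg["source-address"] = m.group(1)
    m = re.search(r"host\s*\{\s*(\S+);\s*port\s+(\d+);", text)
    if m:
        cfg["host"], cfg["port"] = m.group(1), int(m.group(2))
    return cfg

def check_pcap_forwarding(sensor_text, strm):
    """Return the mismatches that would stop STRM from showing PCAP data for SRX events."""
    cfg = parse_packet_log(sensor_text)
    if "host" not in cfg:
        return ["packet-log host/port not configured on the SRX sensor"]
    problems = []
    if cfg["port"] != strm["incoming_port"]:
        problems.append(f"port mismatch: SRX sends to {cfg['port']}, STRM listens on {strm['incoming_port']}")
    if cfg["host"] != strm["strm_ip"]:
        problems.append(f"PCAP host mismatch: SRX sends to {cfg['host']}, STRM is {strm['strm_ip']}")
    if cfg.get("source-address") != strm["log_source_ip"]:
        # Per the Step 2 note: PCAPs still land in /store/pcap/ on STRM, but the WebUI will not show them.
        problems.append("source-address differs from the STRM log source IP; PCAP not shown in WebUI")
    if strm["protocol"] != "PCAP Syslog Combination":
        problems.append(f"log source protocol is {strm['protocol']!r}, expected 'PCAP Syslog Combination'")
    return problems
```

An empty list means the SRX sensor settings and the STRM log source are consistent; each string in a non-empty list names one of the conditions above that would break PCAP display.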


Step 6: Display the PCAP data column on the STRM

  1. Click the Events tab. The Events interface appears.
  2. Using the Search drop-down list box, select New Search. The new event search window appears.
  3. Configure your column definitions:
    • From the Available Columns list in the Column Definition section, click PCAP Data.
    • Click the Add icon (->) in the bottom set of the Add and Remove buttons to move the PCAP Data column to the Columns list.
    • Click Filter.

The event search results appear, displaying the PCAP Data column. If PCAP data is available for an event, an icon appears in the PCAP Data column.

Using the PCAP icon, you can view the PCAP data or download the PCAP file to your desktop.

For more information, see the STRM user guide.
