This article contains a basic example configuration on an SRX device to send structured, control plane syslog events to a Juniper Secure Analytics (JSA) appliance.
Configure system log messages to be sent to a JSA appliance.
The following example shows how to configure the SRX device to forward all system (control plane) logs to a JSA device (10.10.10.1).
Configuration Example:
root@srx# set system syslog host 10.10.10.1 any any
root@srx# set system syslog host 10.10.10.1 port 514
root@srx# set system syslog host 10.10.10.1 structured-data
- Set the syslog host to the IP address of the JSA, and set the log facilities/level to "any any".
- Set the destination port to the port on which the JSA is configured to receive the logs.
- Configure the logs as "structured." This is required in order for JSA to be able to recognize the logs.
To summarize the commands:
set system syslog host 10.10.10.1 any any
set system syslog host 10.10.10.1 port 514
set system syslog host 10.10.10.1 structured-data
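To confirm that the messages reaching a collector are in structured form after the structured-data statement is committed, the following added example (not part of the original article, and not Juniper or JSA code) parses captured lines in Python. It assumes the structured format follows the RFC 5424 layout; the two sample lines, including the SD-ID and the user name, are constructed.

```python
import re

# Header of an RFC 5424-style message: <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID, then the rest.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.S,
)
# One SD-ELEMENT: [SD-ID name="value" ...]; inside a value, '"', '\' and ']' are backslash-escaped.
ELEMENT = re.compile(r'\[(?P<sd_id>[^\s=\]"]+)(?P<params>(?: [^\s=\]"]+="(?:\\.|[^"\\\]])*")*)\]')
PARAM = re.compile(r' ([^\s=\]"]+)="((?:\\.|[^"\\\]])*)"')

# Constructed sample lines (assumed shapes): the same event with and without structured-data.
STRUCTURED = (
    '<165>1 2021-02-01T09:17:15.719Z srx mgd 3046 UI_DBASE_LOGOUT_EVENT '
    '[junos@2636.1.1.1.2.18 username="admin"] '
    "User 'admin' exiting configuration mode"
)
UNSTRUCTURED = "<29>Feb  1 09:17:15 srx mgd[3046]: UI_DBASE_LOGOUT_EVENT: User 'admin' exiting configuration mode"


def parse_structured(line):
    """Return the parsed fields of a structured message, or None if the line is not in that form."""
    m = HEADER.match(line.strip())
    if m is None or int(m["pri"]) > 191:  # highest valid PRI is facility 23, severity 7
        return None
    pri, rest = int(m["pri"]), m["rest"]
    elements, pos = {}, 0
    if rest == "-" or rest.startswith("- "):
        pos = 1  # NILVALUE: valid header, no structured data attached
    else:
        while (e := ELEMENT.match(rest, pos)):
            # Undo the backslash escaping when storing each parameter value.
            elements[e["sd_id"]] = {k: re.sub(r"\\(.)", r"\1", v) for k, v in PARAM.findall(e["params"])}
            pos = e.end()
        if not elements:
            return None  # header matched but the data section is malformed
    return {
        "facility": pri // 8, "severity": pri % 8,
        "timestamp": m["timestamp"], "host": m["host"], "app": m["app"],
        "event": m["msgid"], "data": elements, "text": rest[pos:].strip(),
    }


if __name__ == "__main__":
    for sample in (STRUCTURED, UNSTRUCTURED):
        print(parse_structured(sample))
```

A line for which the function returns None was not sent in structured form, which points to the structured-data statement being missing for that host.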
Important: If you are also configuring traffic logs, it is recommended that you configure traffic logs using stream mode to avoid high CPU on the RE (Routing Engine). For an example of how to send traffic logs from the SRX device to JSA, refer to KB16224 - [Includes video] How to forward traffic logs from an SRX device to JSA/STRM.
View SRX logs on JSA devices
To view the logs, use a browser and log in to the JSA WebUI. Click the Log Activity tab. Then select "Real Time (streaming)" from the "Viewing real time flows" drop-down menu.
2021-02-01: Minor changes made for clarity and products regrouped