[ScreenOS] Configuring Syslog

[KB4759]


Summary:
This article provides information on how to configure Syslog.
Symptoms:

Provide a step-by-step guide to configuring Syslog.

Cause:

Solution:

The WebUI instructions for configuring syslog are provided in the Administration section (Part 3, Chapter 11) of the Concepts & Examples ScreenOS Reference Guide: Administration, Release 6.3.0, Rev. 02, pp. 367-368.

To configure Syslog, perform the following steps:

Step one: Open the WebUI. For more information, refer to KB4317 - [ScreenOS] Accessing your Juniper firewall device using the WebUI.

Step two: From the ScreenOS console menu, click Configuration, select Report Settings, and then click Syslog.

Step three: From the Syslog page, click to select Enable Syslog Messages.

Note: From the 'Source interface' drop-down menu, select the interface from which syslog packets are sent.

Step four: Enter the necessary information for each syslog server you are adding. Syslog messages can be sent to up to 4 designated syslog servers.

Enable: Select this option to enable the syslog server.

IP/ Hostname: The IP address of the syslog host.

Port: The port to which the security device sends syslog messages. The default port is UDP 514.

Security Facility: The security facility, which classifies and sends security specific messages to the syslog host.

Facility: The regular facility, which classifies and sends all other messages for events unrelated to security.

Event Log: Select this option to send event log entries to the syslog host.

Traffic Log: Select this option to send traffic log entries to the syslog host.

TCP: Select this option to use TCP as the transport protocol for communication between the device and the syslog server. By default, UDP is used.
Before selecting the TCP option, consult KB14982 - Device May Become Unmanageable after Enabling TCP Syslog.

For this example, 192.168.1.2 has been used as the Syslog Host Name. It is recommended to leave the Syslog port at the default value (514).

Click APPLY to save the syslog configuration.

The CLI commands for the above implementation are as follows:

set syslog config 192.168.1.2
set syslog config 192.168.1.2 facilities local0 local0
set syslog config 192.168.1.2 log traffic
set syslog src-interface <<interface name>>
set syslog enable

NOTE: The difference between “security facility” and “facility” is that “security facility” is specific for logging of security related events. Facility logs all other events.

Security events would be, for example:

  • Authentication violations
  • Policy violations
  • Replays of security attributes
  • Encryption failures
  • Decryption failures
  • Key-generation failures
  • Cryptographic and non-cryptographic module self-test failures
  • Internet Key Exchange (IKE) Phase 1 authentication failures
  • IKE Phase 2 authentication failures

When a level is chosen, that level of events AND ABOVE are logged.

There are eight log event levels:

  • Local0 == Debug level. Hence, Debug level and above (i.e. ALL) events are logged
  • Local1 == Info level (Info / Notify / Warning / Error / Critical / Alert / Emergency level events are logged)
  • Local2 == Notify level (Notify / Warning / Error / Critical / Alert / Emergency level events are logged)
  • Local3 == Warning level (Warning / Error / Critical / Alert / Emergency level events are logged)
  • Local4 == Error level (Error / Critical / Alert / Emergency level events are logged)
  • Local5 == Critical level (Critical / Alert / Emergency level events are logged)
  • Local6 == Alert level (Alert and Emergency level events are logged).
  • Local7 == Emergency level (Only Emergency level events are logged).

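The "that level AND ABOVE" rule in the table above is easiest to check on the receiving side. The following Python script is an added example, not Juniper's code: it decodes the RFC 3164 <PRI> header of a syslog line into facility and severity numbers, maps the Local0..Local7 choice from the table to a minimum severity, and keeps only the lines that the chosen level would pass. The sample lines are constructed for the example; "notice" is the RFC 3164 name for the level the table calls Notify.

```python
"""Severity-threshold check for the ScreenOS syslog facility table.

Added example (not Juniper's code). Decodes the <PRI> header of a syslog
line (RFC 3164: PRI = facility * 8 + severity) and applies the rule from the
article: the chosen facility localN selects a level, and events at that level
AND ABOVE (i.e. at least as severe) are logged. Sample lines are constructed.
"""
import re

# RFC 3164 severity numbers; 0 is the most severe.
SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notice", 6: "info", 7: "debug",
}

# The article's table: local0 = debug (everything), local7 = emergency only.
FACILITY_TO_THRESHOLD = {f"local{n}": 7 - n for n in range(8)}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(line):
    """Return (facility_number, severity_number, rest) for a '<PRI>...' line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # max facility 23 * 8 + severity 7
        raise ValueError("PRI out of range")
    return pri // 8, pri % 8, m.group(2)


def is_logged(severity, configured_facility):
    """True if an event of this severity passes the configured localN level."""
    threshold = FACILITY_TO_THRESHOLD[configured_facility]
    return severity <= threshold  # lower number = more severe = "above"


def filter_lines(lines, configured_facility):
    """Keep only the lines the configured level would log."""
    kept = []
    for line in lines:
        _, severity, _ = decode_pri(line)
        if is_logged(severity, configured_facility):
            kept.append(line)
    return kept


# Constructed sample lines, all tagged facility 16 (local0) with PRI = 128 + severity.
SAMPLE_LINES = [
    "<128>Jan 10 12:00:00 fw1: emergency message (constructed sample)",
    "<131>Jan 10 12:00:01 fw1: error message (constructed sample)",
    "<132>Jan 10 12:00:02 fw1: warning message (constructed sample)",
    "<134>Jan 10 12:00:03 fw1: info message (constructed sample)",
    "<135>Jan 10 12:00:04 fw1: debug message (constructed sample)",
]

if __name__ == "__main__":
    for facility in ("local0", "local3", "local7"):
        level = SEVERITY_NAMES[FACILITY_TO_THRESHOLD[facility]]
        kept = filter_lines(SAMPLE_LINES, facility)
        print(f"{facility} ({level} and above): {len(kept)} of {len(SAMPLE_LINES)} lines kept")
        for line in kept:
            _, sev, rest = decode_pri(line)
            print(f"  [{SEVERITY_NAMES[sev]}] {rest}")
```

Running the script with local3 (Warning) keeps the emergency, error and warning lines and drops info and debug, which is the behaviour the table describes; switching to local0 keeps all five and local7 keeps only the emergency line.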
Related Links: