[ScreenOS] Configuring Syslog

Article ID: KB4759 | KB Last Updated: 10 Jun 2020 | Version: 12.0
Summary:

This article provides information on how to configure Syslog.

Symptoms:

Provide a step-by-step guide to configuring Syslog.

Solution:

The WebUI instructions for configuring syslog are provided in the Administration section (Part 3, Chapter 11) of Concepts & Examples ScreenOS Reference Guide: Administration, Release 6.3.0, Rev. 02, pp. 367-368.

To configure Syslog, perform the following steps:
  1. Open the WebUI. For more information, refer to KB4317 - [ScreenOS] Accessing your Juniper firewall device using the WebUI.

  2. From the ScreenOS console menu, click Configuration, select Report Settings, and then click Syslog.

  3. From the Syslog page, click to select Enable Syslog Messages.

    Note: From the 'Source interface' drop-down menu, select the interface from which syslog packets are sent.

  4. Enter the necessary information for each syslog server you are adding. Syslog messages can be sent to up to 4 designated syslog servers.

    Enable: Select this option to enable the syslog server.
    IP/ Hostname: The IP address of the syslog host.
    Port: The port to which the security device sends syslog messages. The default port is UDP 514.
    Security Facility: The security facility, which classifies and sends security specific messages to the syslog host.
    Facility: The regular facility, which classifies and sends all other messages for events unrelated to security.
    Event Log: Select this option to send event log entries to the syslog host.
    Traffic Log: Select this option to send traffic log entries to the syslog host.
    TCP: Select this option to use TCP as the transport protocol for communication between the device and the syslog server. By default, UDP is used. Before selecting the TCP option, consult KB14982 - Device May Become Unmanageable after Enabling TCP Syslog.

    For this example, 192.168.1.2 has been used as the Syslog Host Name. It is recommended to leave the Syslog port as the default value (514):

  5. Click APPLY to save the syslog configuration.

    The CLI commands for the above implementation are as follows:

    set syslog config 192.168.1.2
    set syslog config 192.168.1.2 facilities local0 local0
    set syslog config 192.168.1.2 log traffic
    set syslog src-interface <<interface name>>
    set syslog enable

    NOTE: The difference between “security facility” and “facility” is that “security facility” is specific for logging of security related events. Facility logs all other events.

    Security events would be, for example:

    • Authentication violations
    • Policy violations
    • Replays of security attributes
    • Encryption failures
    • Decryption failures
    • Key-generation failures
    • Cryptographic and non-cryptographic module self-test failures
    • Internet Key Exchange (IKE) Phase 1 authentication failures
    • IKE Phase 2 authentication failures

    When a level is chosen, that level of events AND ABOVE are logged.

    There are eight log event levels:

    • Local0 == Debug level. Hence, Debug level and above (i.e. ALL) events are logged
    • Local1 == Info level (Info / Notify / Warning / Error / Critical / Alert / Emergency level events are logged)
    • Local2 == Notify level (Notify / Warning / Error / Critical / Alert / Emergency level events are logged)
    • Local3 == Warning level (Warning / Error / Critical / Alert / Emergency level events are logged)
    • Local4 == Error level (Error / Critical / Alert / Emergency level events are logged)
    • Local5 == Critical level (Critical / Alert / Emergency level events are logged)
    • Local6 == Alert level (Alert and Emergency level events are logged).
    • Local7 == Emergency level (Only Emergency level events are logged).
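
The two ideas in the notes above, a separate "security facility" for security events and a severity threshold where the chosen level and everything more urgent is logged, are visible on the receiving side in the syslog PRI field (PRI = facility * 8 + severity). The following is an added example, not code from this article or from Juniper: a small collector that decodes PRI, applies the "level and above" rule, and routes messages arriving on the security facility separately from regular event messages. The facility and severity names are the standard RFC 3164 ones, the sample lines are constructed, and the default of local0 as the security facility mirrors the `facilities local0 local0` CLI line above.

```python
import re
import socket

# Standard RFC 3164 facility codes 0-23 (names for 12-15 are the common short forms).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
# Severity codes 0-7: lower number = more urgent.
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_pri(message):
    """Split '<PRI>rest' into (facility, severity, rest); return None if PRI is missing or out of range."""
    m = PRI_RE.match(message)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the highest valid PRI
        return None
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2)


def passes_threshold(severity, threshold):
    """'Level and above' rule: keep the event if it is at least as urgent as the threshold."""
    return SEVERITIES.index(severity) <= SEVERITIES.index(threshold)


def route(message, security_facility="local0", threshold="warning"):
    """Classify one syslog line as ('security'|'event'|'dropped'|'malformed', facility, severity)."""
    parsed = parse_pri(message)
    if parsed is None:
        return ("malformed", None, None)
    facility, severity, _body = parsed
    if not passes_threshold(severity, threshold):
        return ("dropped", facility, severity)
    bucket = "security" if facility == security_facility else "event"
    return (bucket, facility, severity)


def serve(bind_addr="0.0.0.0", port=514, threshold="warning"):
    """Minimal UDP collector loop (assumed helper). Binding port 514 usually needs elevated
    privileges; use a high port when testing unprivileged."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (src, _) = sock.recvfrom(4096)
        bucket, facility, severity = route(data.decode("utf-8", "replace"), threshold=threshold)
        print(f"{src}: {bucket} facility={facility} severity={severity}")


# Constructed sample lines (not real ScreenOS output):
#   131 = local0/error, 134 = local0/info, 140 = local1/warning
SAMPLE = [
    "<131>constructed: authentication failure on security facility",
    "<134>constructed: informational message on security facility",
    "<140>constructed: warning on regular facility",
    "line without a PRI header",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(route(line), line)
```

With the default threshold of `warning`, the informational line on local0 is dropped while the error on local0 is routed to the security bucket and the warning on local1 to the event bucket; change `threshold` to see the "level and above" rule move messages between dropped and kept.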

Modification History:

2020-06-09: Replaced old WebUI screenshots with new WebUI screenshots.
