How to confirm that the firewall is sending syslog information to an external server?

Article ID: KB4852 KB Last Updated: 28 Jun 2010 Version: 4.0
Summary:
How to confirm that the firewall is sending syslog information to an external server?
Symptoms:
external syslog
udp port 514
The syslog server is not receiving any logs from the firewall
Solution:

To confirm that the firewall is sending syslog messages to the correct location, use snoop and/or debug syslog to see the packets that are actually being transmitted.

(Recall: snoop provides a Layer 2 through Layer 4 view of the packet as it enters and leaves the NetScreen interfaces. Debug, on the other hand, provides flow information about the packet as it traverses the interfaces of the NetScreen device.)

Sample setup directions and output are shown below. Note that snoop and debug are run from the CLI prompt of the firewall.

  1. Create a snoop filter to capture the syslog packet information
         snoop filter ip dst-port 514
  2. Set the packet length to display
         snoop detail len 1514
  3. Enable the capturing of the snoop details
         snoop detail
  4. Enable snoop
         snoop 
         Respond Y or press enter when the message "Start Snoop, type ESC or 'snoop off' to stop, continue?" is presented.
  5. Enable debugging of the syslog packets
         debug syslog all
  6. Clear the debug buffer
         cl db
  7. Generate a log event, such as logging in to the firewall device via the WebUI
  8. Press the <ESC> key to stop the capture or enter
         snoop off
         undebug syslog
  9. Display the debug buffer stream
         get db s

The following information was displayed to the console:

## 10:39:13 : syslogmsg : NetScreen device_id=Kats_NS5GT  [Root]system-warning-00519: Admin user "netscreen" logged in for Web(http) management (port 80) from 10.24.28.111:1407 (2005-10-06 10:39:13)
## 10:39:13 : syslog fac -1 level 4
## 10:39:13 : sending syslog message to 10.24.28.111/514 (173) NetScreen device_id=Kats_NS5GT  [Root]system-warning-00519: Admin user "netscreen" logged in for Web(http) management (port 80) from 10.24.28.111:1407 (2005-10-06 10:39:13)

255444.0: 1(o):0010db3b1351->001125d6155e/0800
              172.24.29.109->172.24.28.111/17, tlen=219
              vhl=45, tos=00, id=26979, frag=0000, ttl=64
              udp:ports 2368->514, len=199
              00 11 25 d6 15 5e 00 10 db 3b 13 51 08 00 45 00     ..%..^...;.Q..E.
              00 db 69 63 00 00 40 11 7e a2 ac 18 1d 6d ac 18     ..ic..@.~....m..
              1c 6f 09 40 02 02 00 c7 3d 94 3c 31 33 32 3e 4b     .o.@....=.<132>K
              61 74 73 5f 4e 53 35 47 54 3a 20 4e 65 74 53 63     ats_NS5GT:.NetSc
              72 65 65 6e 20 64 65 76 69 63 65 5f 69 64 3d 4b     reen.device_id=K
              61 74 73 5f 4e 53 35 47 54 20 20 5b 52 6f 6f 74     ats_NS5GT..[Root
              5d 73 79 73 74 65 6d 2d 77 61 72 6e 69 6e 67 2d     ]system-warning-
              30 30 35 31 39 3a 20 41 64 6d 69 6e 20 75 73 65     00519:.Admin.use
              72 20 22 6e 65 74 73 63 72 65 65 6e 22 20 6c 6f     r."netscreen".lo
              67 67 65 64 20 69 6e 20 66 6f 72 20 57 65 62 28     gged.in.for.Web(
              68 74 74 70 29 20 6d 61 6e 61 67 65 6d 65 6e 74     http).management
              20 28 70 6f 72 74 20 38 30 29 20 66 72 6f 6d 20     .(port.80).from.
              31 37 32 2e 32 34 2e 32 38 2e 31 31 31 3a 31 34     172.24.28.111:14
              30 37 20 28 32 30 30 35 2d 31 30 2d 30 36 20 31     07.(2005-10-06.1
              30 3a 33 39 3a 31 33 29 00                          0:39:13).   
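
As an added example (not part of the original article), this Python sketch decodes the snoop hex rows offline, checks that the frame is UDP to the expected syslog server and port, and splits the syslog PRI value into facility and severity. The function names are hypothetical; the sample bytes are the first four hex rows of the capture shown above.

```python
import re
import socket
import struct

# First four hex rows of the snoop capture shown above: Ethernet, IPv4 and
# UDP headers plus the start of the syslog payload (remaining rows omitted).
SNOOP_HEX = """
  00 11 25 d6 15 5e 00 10 db 3b 13 51 08 00 45 00     ..%..^...;.Q..E.
  00 db 69 63 00 00 40 11 7e a2 ac 18 1d 6d ac 18     ..ic..@.~....m..
  1c 6f 09 40 02 02 00 c7 3d 94 3c 31 33 32 3e 4b     .o.@....=.<132>K
  61 74 73 5f 4e 53 35 47 54 3a 20 4e 65 74 53 63     ats_NS5GT:.NetSc
"""
HEX_ROW = re.compile(r"\s*((?:[0-9a-fA-F]{2} )+)")  # hex column only, not the ASCII column

def frame_from_snoop(text):
    """Rebuild the raw frame bytes from the hex column of snoop output."""
    rows = (HEX_ROW.match(line) for line in text.splitlines())
    return b"".join(bytes.fromhex(m.group(1)) for m in rows if m)

def check_syslog_frame(frame, server_ip, server_port=514):
    """Decode Ethernet/IPv4/UDP and the syslog PRI, then compare with the expected server."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 Ethernet frame, or capture too short")
    ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
    udp = 14 + ihl                                # offset of the UDP header
    if frame[23] != 17 or len(frame) < udp + 8:
        raise ValueError("not UDP, or UDP header not captured")
    sport, dport, udp_len = struct.unpack("!HHH", frame[udp:udp + 6])
    payload = frame[udp + 8:]
    pri = re.match(rb"<(\d{1,3})>", payload)
    if not pri:
        raise ValueError("payload does not start with a syslog <PRI> field")
    value = int(pri.group(1))                     # PRI = facility * 8 + severity
    dst = socket.inet_ntoa(frame[30:34])
    return {
        "src": socket.inet_ntoa(frame[26:30]), "dst": dst,
        "sport": sport, "dport": dport,
        "facility": value >> 3, "severity": value & 7,
        "message_start": payload[pri.end():].decode("ascii", "replace"),
        # True when fewer payload bytes were supplied than the UDP length field claims
        "truncated": len(payload) < udp_len - 8,
        "to_expected_server": dst == server_ip and dport == server_port,
    }

if __name__ == "__main__":
    print(check_syslog_frame(frame_from_snoop(SNOOP_HEX), "172.24.28.111"))
```

For the capture above this reports severity 4, which agrees with the `level 4` line in the debug output, and facility 16 (local0).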

