Contributor
IssueNine
Posts: 18
Registered: 03-12-2011
Accepted Solution

Can't receive security log in stream mode


Hi, I've been trying to redirect the security log to my log server, as follows:

xxxx@j2350> show configuration security log
mode stream;
format sd-syslog;
source-address 10.0.0.1;
stream mon {
    severity warning;
    category all;
    host {
        10.0.0.4;
        port 514;
    }
}


However, I can't seem to receive it at all; tcpdump on the receiving side shows nothing. The documentation says the log will be sent in the data plane through a "revenue port"; what is that? My screen policies are applied to the DMZ zone, which is a separate interface from the 10.0.0.4 interface.

Nonetheless, I did a tcpdump on both interfaces and there's no traffic showing up at all. Please help!

Contributor
IssueNine
Posts: 18
Registered: 03-12-2011

Re: Can't receive security log in stream mode

Can anyone help?

Regular Visitor
prabha
Posts: 8
Registered: 04-23-2010

Re: Can't receive security log in stream mode

Say, if you have a chassis cluster setup, the fxp0 interface is the management interface, and no data-plane logs can be sent out via this port using stream mode. When you are using stream mode, the logs will be sent out via any non-fxp0 port (revenue port). If the destination is reachable only through the fxp0 port, you cannot have stream mode logging enabled.

If the source-address specified in your config is that of the fxp0 interface, you are sourcing the traffic from fxp0, which is not possible. You can have the data-plane logging sent out through fxp0 only using event mode; again, you should choose an optimal event-rate in this case, so that you don't run out of CPU cycles.

Regular Visitor
prabha
Posts: 8
Registered: 04-23-2010

Re: Can't receive security log in stream mode

Yes, if you are attempting to send out the traffic through fxp0, this will not happen, and tcpdump will not show any traffic.

Looking at the IP information, you are sending it to a directly connected host, so routing should not be an issue.

Could you post the interface configuration?

Contributor
IssueNine
Posts: 18
Registered: 03-12-2011

Re: Can't receive security log in stream mode

This is a J2350 device that doesn't have an fxp0 or a separate data plane; I am assuming that all 4 built-in GE ports are the data-plane ports.

In my case:

ge-0/0/0.0 is configured as 10.0.0.1/16; the 10.0.1.4 it is sending to is directly connected through a switch.

ge-0/0/3 is the uplink; security screening is applied there. I am assuming that if the source IP is 10.0.0.1, the router should choose ge-0/0/0.0 to send it out, which is exactly what I expect, but that doesn't happen.

Regular Visitor
prabha
Posts: 8
Registered: 04-23-2010

Re: Can't receive security log in stream mode

Could you try changing the severity to 'info' instead of warning?

AFAIK, security logs are of severity 'info' and not 'warning'.
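To check from the log server's side whether anything arrives on 10.0.0.4:514, and to see why an info-level log never passes a stream configured with severity warning, here is an added example (my own, not Juniper's code) that receives and parses RFC 5424 "sd-syslog" datagrams. The listener binds the address and port from the thread; the sample message is constructed, and its SD-ID and parameter names are illustrative rather than copied from a capture.

```python
"""Receiver/parser for RFC 5424 ("sd-syslog") datagrams, the format a Junos box emits
under 'mode stream; format sd-syslog'. Added example, not Juniper code."""
import re
import socket

SEVERITIES = ("emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug")  # RFC 5424 severity 0..7
# Header: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD [MSG]
_HEADER = re.compile(r"^<(\d{1,3})>(\d) (\S+) (\S+) (\S+) (\S+) (\S+) ?(.*)$", re.DOTALL)
_SDE = re.compile(r'\[([^\s\]]+)((?:\s+[^\s="]+="(?:[^"\\]|\\.)*")*)\]')
_PARAM = re.compile(r'([^\s="]+)="((?:[^"\\]|\\.)*)"')

def parse_sd_syslog(line):
    """Split one RFC 5424 message into header fields and structured-data params."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m.group(1))
    msg = {"facility": pri >> 3, "severity": pri & 7, "timestamp": m.group(3),
           "host": m.group(4), "app": m.group(5), "msgid": m.group(7), "sd": {}}
    rest, pos = m.group(8), 0
    while rest.startswith("[", pos):  # zero or more [SD-ID k="v" ...] elements
        e = _SDE.match(rest, pos)
        if not e:
            raise ValueError("malformed structured data")
        msg["sd"][e.group(1)] = {k: re.sub(r'\\([\]"\\])', r"\1", v)  # unescape \] \" \\
                                 for k, v in _PARAM.findall(e.group(2))}
        pos = e.end()
    text = rest[pos:].strip()
    msg["msg"] = None if text in ("", "-") else text  # "-" is the RFC 5424 NILVALUE
    return msg

def is_exported(msg, threshold):
    """Logs pass a 'severity <threshold>' stream only at that level or more severe (lower number)."""
    return msg["severity"] <= SEVERITIES.index(threshold)

def listen(bind_addr="10.0.0.4", port=514, count=1):
    """Receive `count` datagrams on the log server (port 514 needs privileges); return (sender, msg)."""
    received = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while len(received) < count:
            data, peer = sock.recvfrom(65535)
            received.append((peer[0], parse_sd_syslog(data.decode("utf-8", "replace"))))
    return received

# Constructed sample (PRI 14 = facility 1 "user", severity 6 = info); SD-ID and names illustrative.
SAMPLE = ('<14>1 2011-03-12T10:15:00.123Z j2350 RT_FLOW - RT_FLOW_SESSION_CREATE '
          '[junos@2636.1.1.1.2.36 source-address="10.0.1.25" destination-address="198.51.100.10" '
          'destination-port="443" protocol-id="6" policy-name="dmz-out"]')
```

Run `listen()` on the log server while the device generates traffic; if nothing returns even though tcpdump is silent on every interface, the problem is on the sending side (severity threshold or egress port), not the receiver.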

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.