Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Can't receive security log in stream mode

    Posted 01-13-2012 08:09

    Hi, I've been trying to redirect the security log to my log server, as follows:

     

    xxxx@j2350> show configuration security log
    mode stream;
    format sd-syslog;
    source-address 10.0.0.1;
    stream mon {
        severity warning;
        category all;
        host {
            10.0.0.4;
            port 514;
        }
    }

     

    However, I can't seem to receive it at all; tcpdump on the receiving side shows nothing. The documentation says the log will be sent in the data plane through a "revenue port"; what is that? My screen policy is applied to the DMZ zone, which is a separate interface from the 10.0.0.4 interface.

     

    Nonetheless, I did a tcpdump on both interfaces and there's no traffic showing up at all. Please help!



  • 2.  RE: Can't receive security log in stream mode

    Posted 01-17-2012 18:21

    Can anyone help?



  • 3.  RE: Can't receive security log in stream mode
    Best Answer

    Posted 01-19-2012 18:19

    Say, if you have a chassis cluster setup, the fxp0 interface is the management interface, and no data-plane logs can be sent out via this port using stream mode. When you are using stream mode, the logs will be sent out via any non-fxp0 port (revenue port). If the destination is reachable only through the fxp0 port, you cannot have stream mode logging enabled.

     

    If the source-address specified in your config is that of the fxp0 interface, you are sourcing the traffic from fxp0, which is not possible. You can have the data-plane logging sent out through fxp0 only using event mode; again, you should choose an optimal event-rate in this case, so that you don't run out of CPU cycles.

     

     



  • 4.  RE: Can't receive security log in stream mode

    Posted 01-19-2012 18:25

    Yes, if you are attempting to send out the traffic through fxp0, this will not happen, and tcpdump will not show any traffic.

     

    Looking at the IP information, you are sending it to a directly connected host, so routing should not be an issue. Could you post the interface configuration?



  • 5.  RE: Can't receive security log in stream mode

    Posted 01-19-2012 20:50

    This is a J2350 device that doesn't have an fxp0 and a separate data plane; I am assuming that all 4 built-in GE ports are data-plane ports.

     

    In my case:

     

    ge-0/0/0.0 is configured as 10.0.0.1/16, and 10.0.1.4, which it is sending to, is directly connected through a switch.

     

    ge-0/0/3 is the uplink; security screening is applied there. I am assuming that if the source IP is 10.0.0.1, the router should choose ge-0/0/0.0 to send it out, which is exactly what I expect, but that doesn't happen.



  • 6.  RE: Can't receive security log in stream mode

    Posted 01-21-2012 08:45

    Could you try changing the severity to 'info' instead of warning?

    AFAIK, security logs are of severity 'info' and not 'warning'.
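
The two causes suggested in replies 3 and 6 can be checked mechanically before reaching for tcpdump. The following is an added example, not code from any poster or from Juniper: it parses a `security log` stanza and flags a stream-mode source-address or host that sits on fxp0, and a stream severity stricter than info. The function names and the operator-supplied interface map are assumptions of the example, and the host-subnet check is only a heuristic for "reachable only through fxp0".

```python
import re
from ipaddress import ip_address, ip_interface

# Syslog severities, most to least severe.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]

def parse_security_log(text):
    """Pull mode, source-address and per-stream severity/host from the stanza."""
    cfg = {"mode": None, "source-address": None, "streams": {}}
    path = []  # word lists of the enclosing { } blocks
    for stmt in re.findall(r"[^\s{};][^{};]*[{;]|\}", text):
        words = stmt[:-1].split()
        if stmt == "}":
            path = path[:-1]
        elif stmt.endswith("{"):
            path.append(words)
        elif not path and words[0] in ("mode", "source-address"):
            cfg[words[0]] = words[-1]
        elif path and path[0][0] == "stream":
            stream = cfg["streams"].setdefault(path[0][-1], {})
            if len(path) == 1 and words[0] == "severity":
                stream["severity"] = words[-1]
            elif path[-1] == ["host"] and len(words) == 1:
                stream["host"] = words[0]
    return cfg

def lint(cfg, interfaces):
    """interfaces: name -> 'address/prefix' (assumed input). Returns findings."""
    findings, src = [], cfg["source-address"]
    mgmt = {n: ip_interface(a) for n, a in interfaces.items() if n.startswith("fxp0")}
    if cfg["mode"] != "stream":
        return findings
    for name, iface in mgmt.items():
        if src and ip_address(src) == iface.ip:
            findings.append(f"source-address {src} belongs to {name}")
    for sname, s in cfg["streams"].items():
        sev, host = s.get("severity"), s.get("host")
        if sev in SEVERITIES and SEVERITIES.index(sev) < SEVERITIES.index("info"):
            findings.append(f"stream {sname}: severity {sev} excludes info-level logs")
        for name, iface in mgmt.items():
            if host and ip_address(host) in iface.network:
                findings.append(f"stream {sname}: host {host} is on the {name} subnet")
    return findings

# Stanza from post 1 (CLI prompt removed); interface address from post 5.
POSTED = """mode stream; format sd-syslog; source-address 10.0.0.1;
stream mon { severity warning; category all; host { 10.0.0.4; port 514; } }"""
print(lint(parse_security_log(POSTED), {"ge-0/0/0.0": "10.0.0.1/16"}))
```

On the posted J2350 configuration only the severity finding is reported, since the source address is on ge-0/0/0.0 rather than fxp0.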