Security

  • 1.  SSG520 log persistence

    Posted 10-26-2015 10:15

    Hello,

    I've inherited an SSG520 firewall and I'm attempting to get a better handle on the logs. I need to track what certain policies are blocking (or not), and unfortunately the built-in logs fill up and clear out too fast for my use. Is there a way I can set logs to export to an external location, or some other trick to make them persist longer?

    There's a NetScreen 25 I'd like to do something similar with, as well.

    Thanks for your time.



  • 2.  RE: SSG520 log persistence

    Posted 10-26-2015 16:53

    ScreenOS logs auto-roll simply based on the storage space available.  So the options are:

    • Log fewer things and thus have more room for the rest
    • Add USB storage and point logs there to increase space
    • Send logs to a syslog server for central storage


  • 3.  RE: SSG520 log persistence

    Posted 11-02-2015 06:28

    Thanks for the info, spuluka.

    Would you point me towards instructions for sending logs to a syslog server? I'm still learning my way around this interface.



  • 4.  RE: SSG520 log persistence
    Best Answer

    Posted 11-03-2015 05:04

    These are the basic syslog setup instructions.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB4759



  • 5.  RE: SSG520 log persistence

    Posted 11-03-2015 12:35

    That should do it, thanks again.



  • 6.  RE: SSG520 log persistence

    Posted 11-04-2015 11:23

    Is there a unique format to the logs from Juniper? I'm sending these logs over to a "loganalyzer" log server but the formatting seems off. Each "log" on the log server seems to contain a mishmash of multiple logs from the firewall. 



  • 7.  RE: SSG520 log persistence

    Posted 11-07-2015 05:45

    I've not seen a combination-type behavior before.  But I suspect this is a configuration issue on the syslog software.  Each event is sent as a separate line with the fields separated.  The syslog server should see them as separate events.

    I suspect it may be bundling multiple events together, probably based on the event time or received time parameter in an effort to be helpful.  These are generally referred to in syslog servers as "parsers" or "event correlation", so I would check those terms in the help search for the software.

    The events you receive and save are the same as you would see in the reports menu and traffic logs on the device itself.
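The two posts above say that ScreenOS emits one syslog message per event and that a "mishmash" record means the receiver ran several of them together. The following Python script is an added example, not code from the thread or from Juniper: it takes a record that has concatenated several events, splits it back into individual messages on the syslog priority tag that starts each one, parses the NetScreen header and the key=value body, and tallies permits and denies per policy id, which is what the original poster wanted from the logs. The three sample messages are constructed for this example, and their field layout is an approximation of ScreenOS traffic logs; exact field names vary between ScreenOS releases, so treat the regexes as a starting point to adjust against your own output.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: three ScreenOS-style traffic events that a log server
# has glued into a single record. Field layout is assumed for illustration.
SAMPLE_BLOB = (
    '<134>Nov  4 11:20:01 ssg520: NetScreen device_id=ssg520 [Root]'
    'system-notification-00257(traffic): start_time="2015-11-04 11:19:55" '
    'duration=6 policy_id=12 service=https proto=6 src zone=Trust '
    'dst zone=Untrust action=Permit sent=1432 rcvd=9821 src=10.1.1.5 '
    'dst=203.0.113.10 src_port=51234 dst_port=443 session_id=100001 '
    'reason=Close - TCP RST'
    '<134>Nov  4 11:20:02 ssg520: NetScreen device_id=ssg520 [Root]'
    'system-notification-00257(traffic): start_time="2015-11-04 11:20:02" '
    'duration=0 policy_id=7 service=telnet proto=6 src zone=Untrust '
    'dst zone=Trust action=Deny sent=0 rcvd=0 src=198.51.100.23 '
    'dst=10.1.1.5 src_port=40122 dst_port=23 session_id=0 '
    'reason=Traffic Denied'
    '<134>Nov  4 11:20:05 ssg520: NetScreen device_id=ssg520 [Root]'
    'system-notification-00257(traffic): start_time="2015-11-04 11:20:00" '
    'duration=5 policy_id=12 service=dns proto=17 src zone=Trust '
    'dst zone=Untrust action=Permit sent=64 rcvd=180 src=10.1.1.9 '
    'dst=203.0.113.53 src_port=53011 dst_port=53 session_id=100002 '
    'reason=Close - AGE OUT'
)

# Every syslog message begins with its "<PRI>" tag, so a lookahead on it
# recovers event boundaries even when the receiver dropped the separators.
PRI_SPLIT = re.compile(r'(?=<\d{1,3}>)')

# Header: <PRI>timestamp host: NetScreen device_id=X [vsys]msgtype: body
HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) '
    r'(?P<host>\S+): NetScreen device_id=(?P<device>\S+) '
    r'\[(?P<vsys>[^\]]+)\](?P<msgtype>[^:]+): (?P<body>.*)$'
)

# key=value pairs; keys may contain spaces ("src zone"), values may be quoted.
KV = re.compile(r'(?P<key>[\w\- ]+?)=(?P<val>"[^"]*"|\S+)')


def split_events(blob: str) -> List[str]:
    """Split one record into the individual syslog messages it contains."""
    return [part.strip() for part in PRI_SPLIT.split(blob) if part.strip()]


def parse_fields(body: str) -> Dict[str, str]:
    """Parse the key=value body; 'reason' is last and runs to end of line."""
    head, sep, reason = body.partition(' reason=')
    fields = {m.group('key').strip(): m.group('val').strip('"')
              for m in KV.finditer(head)}
    if sep:
        fields['reason'] = reason.strip()
    return fields


def parse_event(line: str) -> Dict[str, str]:
    """Parse one NetScreen syslog line into a flat dict of fields."""
    m = HEADER.match(line)
    if not m:
        raise ValueError(f'not a NetScreen syslog line: {line[:60]!r}')
    pri = int(m.group('pri'))
    event = {
        'facility': pri // 8,          # 134 -> 16 (local0)
        'severity': pri % 8,           # 134 -> 6  (info)
        'timestamp': m.group('ts'),
        'host': m.group('host'),
        'device_id': m.group('device'),
        'vsys': m.group('vsys'),
        'msgtype': m.group('msgtype').strip(),
    }
    event.update(parse_fields(m.group('body')))
    return event


def policy_summary(events: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Count events per (policy_id, action) so blocked traffic can be tracked."""
    return dict(Counter((e.get('policy_id', '?'), e.get('action', '?'))
                        for e in events))


if __name__ == '__main__':
    parsed = [parse_event(e) for e in split_events(SAMPLE_BLOB)]
    for (policy, action), n in sorted(policy_summary(parsed).items()):
        print(f'policy {policy:>4} {action:<7} {n}')
```

If your receiver stores records that look like SAMPLE_BLOB, the events were already separate on the wire and were merged on the receiving side, which is the parser or correlation setting the reply above points at; splitting on the priority tag lets you recover them after the fact while you fix the server configuration.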