SRX

 

Hi,

 

when setting up the logging (of control plane) on SRX, Juniper mentions in it's knowledge base that you should put the log configuration inside your groups configuration.

 

On the other hand, if you use NSM to set up an "empty" SRX, then NSM puts the config into the global congif (e.g. not inside groups).

 

I have put it in global config outside of groups and both nodes seem to be logging just fine.

 

So why is it that Juniper says we should put it in groups? What am I missing here?

 

Thanks

Sascha

 

Hi

 

I assume you are speaking about KB16448 which states that

 

• If SRX device was not added as reachable, then add the following commands to the SRX device in order for logs from the RE (control plane) to be sent to NSM:  

set system syslog file default-log-messages any any
set system syslog file default-log-messages structured-data

• Clustered SRX devices should have the above config added to the config group nodes.  Example:
  

  set groups node0 system syslog file default-log-messages any any
  set groups node0 system syslog file default-log-messages structured-data
  set groups node1 system syslog file default-log-messages any any
  set groups node1 system syslog file default-log-messages structured-data

The config sets are 100% equivalent if used for cluster, so there is no difference. In both cases, both nodes will receive the same config. Seems to be an overcomplication from Juniper side.

Thanks PK, I thought so. And yes, I was referring to that KB article.

So unless I want to have different logging options on each separate node (for whatever reason), there is no need to put it into apply groups.

Cheers
Sascha