@aeroplane wrote:
But in SRX240, I made one file under [system syslog] and capturing the RT_FLOW_SESSION this file shows log only if I make the mode event. If I remove the command "set security log mode event" the file does not show any logs. it means the default mode is stream?
Yes, that's right aeroplane. In order to have the syslog file receive actual traffic logs from the dataplane, you need to enable event mode logging (this will cause the dataplance traffic logs to be pushed to the control plane, where they will be picked up by syslog).
Hope this helps.