SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Help understanding session-init log messages

    Posted 06-02-2013 11:43

    Hello,

    I recently implemented session-init logging on my SRX210 to capture what is trying to talk to it from the outside world so I can figure out what I need to allow (turns out a blanket deny policy is a bad idea when you are getting a DHCP address from your ISP...). I'm now getting messages that I don't fully understand, like this example:


    2013-06-02T13:42:40-04:00 10.0.4.1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created X.X.X.X/52482->Y.Y.Y.Y/7 None X.X.X.X/52482->Y.Y.Y.Y/7 None None 17 log-incomming internet junos-host 20367 N/A(N/A) fe-0/0/7.0 UNKNOWN UNKNOWN UNKNOWN


    My first question is in regard to the first "None" that is in bold above. Most of what I see is "icmp", and I was seeing some other port names until I blocked them, but I don't understand what it is trying to tell me with "None". Most of the cases have non-named target ports, but I would have expected this example to be listed as "echo". Can anyone explain or point to documentation that explains this?


    The second bolded item is the protocol-id, but I can't seem to find a definition of what id values translate to. Is there a map somewhere?


    Finally, the last bolded items don't appear to be documented. Does anyone know what they are (or where they are documented)?


    Thanks,

    -dave 




  • 2.  RE: Help understanding session-init log messages

    Posted 06-02-2013 14:59

    @iamgnat wrote:

    The second bolded item is the protocol-id, but I can't seem to find a definition of what id values translate to. Is there a map somewhere? 


    I found the IANA official list. I didn't realize that was a standardized thing (obviously I'm not fluent in networking).



  • 3.  RE: Help understanding session-init log messages

    Posted 06-02-2013 22:22

    Hello,


    I hope you are doing great.


    I am not an expert on logging but I think I can help you with this.


    First of all, I would like to refer you to Juniper KB16509:


    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16509


    Based on Juniper documentation:


    http://www.juniper.net/techpubs/en_US/junos13.1/information-products/topic-collections/syslog-messages/syslog-messages.pdf#search=%22RT_FLOW%20logging%22


    If you go to chapter 93, page 691, you will find the information you need about the fields in the log.


    Here is the list of protocol numbers, in case you are interested:


    http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers


    For the ones that you have listed as UNKNOWN, I will need to see a real log in order to determine what that information is. I will update that as soon as I can.


    I hope this information will be helpful.


    Regards,


    Luis Sandi




  • 4.  RE: Help understanding session-init log messages

    Posted 06-03-2013 06:13

    In addition, you can also temporarily change the syslog format to 'structured', and you'll see what each field represents.


    set security log stream xxxx format sd-syslog


    This has helped me decipher the fields in the past.


    Regards,

    Sam



  • 5.  RE: Help understanding session-init log messages

    Posted 06-03-2013 06:37

    @samc wrote:

    In addition, you can also temporarily change the syslog format to 'structured', and you'll see what each field represents.


    set security log stream xxxx format sd-syslog


    This has helped me decipher the fields in the past.


    Thanks Sam. I'll give that a try a bit later when I have a few minutes and see if that clears things up at all.



  • 6.  RE: Help understanding session-init log messages

    Posted 06-03-2013 15:28

    @samc wrote:

    In addition, you can also temporarily change the syslog format to 'structured', and you'll see what each field represents.


    set security log stream xxxx format sd-syslog


    That didn't seem to do anything for me. I tried:

    # show security log 
    source-address router-ip;
    stream xxxx {
        format sd-syslog;
        host {
            syslog-ip;
            port 541;
        }
    }

    But the messages my syslog server got after the commit were still unformatted, as shown in the OP.


    I did try the command exactly as you included it, but the check failed due to wanting the source-address supplied.



  • 7.  RE: Help understanding session-init log messages

    Posted 06-18-2013 13:03

    Hello.


    Old thread, but I wanted to follow up. Perhaps the security log option doesn't work on branch SRX?


    On an SRX210, I created the following, and with the structured-data option there's a description for each field:


    root> show configuration system syslog

    file trafficlog {
        any any;
        match RT_SESSION;
        structured-data;
    }


    Here is syslog BEFORE structured data is enabled:


    Apr 29 23:36:35   RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.222.1/1024->192.168.1.33/41888 icmp 192.168.222.1/1024->192.168.1.33/41888 None None 1 Trust_to_Untrust Trust Untrust 54 N/A(N/A) fe-0/0/6.0 UNKNOWN UNKNOWN UNKNOWN


    Apr 29 23:36:39   RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed response received: 192.168.222.1/1024->192.168.1.33/41988 icmp 192.168.222.1/1024->192.168.1.33/41988 None None 1 Trust_to_Untrust Trust Untrust 55 1(128) 0(0) 3 UNKNOWN UNKNOWN N/A(N/A) fe-0/0/6.0 UNKNOWN


    Here is syslog AFTER structured data is enabled (I cleaned up some extraneous info):


    <14>1 2013-04-30T00:20:20.510Z - RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address="192.168.1.33" source-port="43188" destination-address="192.168.222.1" destination-port="1024" service-name="icmp" nat-source-address="192.168.1.33" nat-source-port="43188" nat-destination-address="192.168.222.1" nat-destination-port="1024" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="Untrust_to_Trust" source-zone-name="Untrust" destination-zone-name="Trust" session-id-32="69" username="N/A" roles="N/A" packet-incoming-interface="fe-0/0/7.0" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN"]


    <14>1 2013-04-30T00:20:23.860Z - RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason="response received" source-address="192.168.1.33" source-port="43188" destination-address="192.168.222.1" destination-port="1024" service-name="icmp" nat-source-address="192.168.1.33" nat-source-port="43188" nat-destination-address="192.168.222.1" nat-destination-port="1024" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="Untrust_to_Trust" source-zone-name="Untrust" destination-zone-name="Trust" session-id-32="69" packets-from-client="1" bytes-from-client="128" packets-from-server="1" bytes-from-server="128" elapsed-time="4" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="fe-0/0/7.0" encrypted="UNKNOWN"]


    Hope this helps.


    Regards,

    Sam
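
    Sam's legacy and structured-data lines for the same kind of session make the positional field order of the unstructured RT_FLOW_SESSION_CREATE message recoverable, and that order is what the OP needed to read the trailing UNKNOWN fields (application, nested-application, encrypted). The Python below is an added example, not code from this thread or from Juniper: it maps the legacy message's positional fields to the names Junos emits in structured-data output (the order is inferred from Sam's pair of messages and is assumed to hold on other releases), parses a structured-data line directly, and translates the numeric protocol-id through a subset of the IANA protocol-number list that post 2 mentions. The sample inputs are the OP's line (addresses already obfuscated by the OP) and Sam's structured CREATE line, copied from this thread; everything else is constructed here.

```python
import re

# Subset of the IANA "Assigned Internet Protocol Numbers" list referred to in post 2.
IANA_PROTOCOLS = {
    1: "icmp", 2: "igmp", 6: "tcp", 17: "udp", 47: "gre",
    50: "esp", 51: "ah", 58: "ipv6-icmp", 89: "ospf", 132: "sctp",
}

# Positional field order of the legacy (non-structured) RT_FLOW_SESSION_CREATE
# message.  Inferred from Sam's structured-data example in this thread, which
# carries the same fields with names; assumed (not verified) for other releases.
LEGACY_CREATE_FIELDS = [
    "flow", "service-name", "nat-flow", "src-nat-rule-name", "dst-nat-rule-name",
    "protocol-id", "policy-name", "source-zone-name", "destination-zone-name",
    "session-id-32", "user-roles", "packet-incoming-interface", "application",
    "nested-application", "encrypted",
]

# Sample inputs copied from this thread (the OP's legacy line and Sam's structured line).
LEGACY_SAMPLE = (
    "2013-06-02T13:42:40-04:00 10.0.4.1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created "
    "X.X.X.X/52482->Y.Y.Y.Y/7 None X.X.X.X/52482->Y.Y.Y.Y/7 None None 17 log-incomming "
    "internet junos-host 20367 N/A(N/A) fe-0/0/7.0 UNKNOWN UNKNOWN UNKNOWN"
)
STRUCTURED_SAMPLE = (
    '<14>1 2013-04-30T00:20:20.510Z - RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 '
    'source-address="192.168.1.33" source-port="43188" destination-address="192.168.222.1" '
    'destination-port="1024" service-name="icmp" nat-source-address="192.168.1.33" '
    'nat-source-port="43188" nat-destination-address="192.168.222.1" nat-destination-port="1024" '
    'src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="Untrust_to_Trust" '
    'source-zone-name="Untrust" destination-zone-name="Trust" session-id-32="69" username="N/A" '
    'roles="N/A" packet-incoming-interface="fe-0/0/7.0" application="UNKNOWN" '
    'nested-application="UNKNOWN" encrypted="UNKNOWN"]'
)

# "addr/port->addr/port" tuple as written in the legacy message.
FLOW_RE = re.compile(r"^(?P<src>[^/]+)/(?P<sport>\d+)->(?P<dst>[^/]+)/(?P<dport>\d+)$")
# key="value" parameters inside the structured-data element.
SD_PARAM_RE = re.compile(r'(?P<key>[\w-]+)="(?P<val>[^"]*)"')


def _split_flow(flow, prefix):
    """Expand one flow tuple into the four structured-data field names."""
    m = FLOW_RE.match(flow)
    if not m:
        raise ValueError(f"unexpected flow tuple: {flow!r}")
    return {
        f"{prefix}source-address": m["src"], f"{prefix}source-port": m["sport"],
        f"{prefix}destination-address": m["dst"], f"{prefix}destination-port": m["dport"],
    }


def parse_legacy_create(line):
    """Parse an unstructured RT_FLOW_SESSION_CREATE line into structured-data field names."""
    marker = "RT_FLOW_SESSION_CREATE: session created "
    idx = line.find(marker)
    if idx < 0:
        raise ValueError("not an RT_FLOW_SESSION_CREATE message")
    tokens = line[idx + len(marker):].split()
    if len(tokens) != len(LEGACY_CREATE_FIELDS):
        raise ValueError(f"expected {len(LEGACY_CREATE_FIELDS)} fields, got {len(tokens)}")
    raw = dict(zip(LEGACY_CREATE_FIELDS, tokens))
    fields = {}
    fields.update(_split_flow(raw.pop("flow"), ""))
    fields.update(_split_flow(raw.pop("nat-flow"), "nat-"))
    # The "N/A(N/A)" token packs username(roles) into one field.
    user, _, roles = raw.pop("user-roles").partition("(")
    fields["username"] = user
    fields["roles"] = roles.rstrip(")")
    fields.update(raw)  # remaining tokens already carry their structured-data names
    return fields


def parse_structured(line):
    """Parse the key="value" pairs of a structured-data (sd-syslog) RT_FLOW line."""
    start, end = line.find("["), line.rfind("]")
    if start < 0 or end < 0:
        raise ValueError("no structured-data element found")
    return {m["key"]: m["val"] for m in SD_PARAM_RE.finditer(line[start:end])}


def protocol_name(protocol_id):
    """Translate the numeric protocol-id via the IANA table; unknown ids stay numeric."""
    pid = int(protocol_id)
    return IANA_PROTOCOLS.get(pid, f"proto-{pid}")


def summarize(fields):
    """One-line triage view: who talked to what, over which protocol, under which policy."""
    return (f"{fields['source-address']}:{fields['source-port']} -> "
            f"{fields['destination-address']}:{fields['destination-port']} "
            f"{protocol_name(fields['protocol-id'])} policy={fields['policy-name']} "
            f"zone={fields['source-zone-name']}->{fields['destination-zone-name']}")


if __name__ == "__main__":
    print(summarize(parse_legacy_create(LEGACY_SAMPLE)))
    print(summarize(parse_structured(STRUCTURED_SAMPLE)))
```

    Both parsers return the same 22 field names, which is the point of the exercise: once the legacy message is keyed by name, a syslog collector can treat the OP's branch SRX output and the structured-data output the same way, and the protocol-id lookup turns the OP's "17" into udp without consulting the IANA page by hand.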



  • 8.  RE: Help understanding session-init log messages

    Posted 06-03-2013 06:36

    @Pankesito wrote:

    First of all, I would like to refer you to Juniper KB16509:


    Yes those are essentially the steps I took to enable the logging (I'm logging remotely though).


    @Pankesito wrote:

    If you go to chapter 93, page 691, you will find the information you need about the fields in the log.


    Other than being for 13.1 instead of 12.1, that is the same information as the document I linked. The issue is that it stops its definition at the interface, which leaves the three UNKNOWN items undefined. It's those items I am looking for the definition of.


    @Pankesito wrote:

    For the ones that you have listed as UNKNOWN, I will need to see a real log in order to determine what that information is. I will update that as soon as I can.


    Other than having the IP address information obfuscated, the message I included in my original post is a real message.