SRX

Dear all:

Our company have an SRX3600 firewall, the software version is 12.1X44-D40.2.

Recently we found that when we turned syslog on the CPU usage would rise from 20% to 80%.
These two processes : eventd & rtlogd consume about 50% CPU resource .
Our syslog are configured as below:

file sesseion_init.log {
    any any;
    archive files 1;
    structured-data;
}
file policy_session {
    user info;
    match RT_FLOW;
    archive size 5120000 world-readable;
    structured-data;
}
When I search on Juniper website , I found that there's similar bug but is fixed after Junos 12.1R1. So I am wondering is it device capability problem or another software bug.

Hi Frank Fang,

I belive you have configured log mode as event (#show security log), where all traffic/policy logs will be sent to Control plane from Dataplane. In this case if the traffic rate is high , logging rate will be high and it can cause high CPU. This is expected behavior. The best option would be to chnage the logging mode to stream and send the traffic logs to external syslog server. You can also try changing the event rate, if you want to keep event mode only.

As per below URL, we can see Juniper recommends stream mode looging on High end device.

We recommend that only stream mode be used for security logs on high-end SRX Series devices. We do not recommend using event mode logging for high-end SRX Series devices. Supported logging rates apply to stream mode only. Logs may be dropped if you configure event mode logging on high-end SRX Series devices.

http://www.juniper.net/documentation/en_US/junos12.1/topics/concept/security-system-log-message-overview.html

Stream mode logging config.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB16224&smlogin=true