05-05-2017 02:45 AM
From the SRX device we are sending syslogs to a syslog server. However, the hostname is missing only for RT_FLOW logs when we check on the syslog server. We are not doing any kind of filtering or modification of logs. For logs apart from RT_FLOW we can see the hostname in the syslog before the 'RT_FLOW' field.
Here is one sample:
Apr 10 10:38:39 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed idle Timeout: 10.54.17.68/56528->10.26.124.50/161 None 10.54.17.68/56528->10.16.124.50/161 None None 17 CST000000xx7304 DD_WS mgt-out 140085954 1(83) 0(0) 213 UNKNOWN UNKNOWN N/A(N/A) eth1.12 UNKNOWN
Request you to provide your inputs ASAP, as security monitoring is impacted.
05-05-2017 04:06 AM
Thank you for posting your query here.
I do not think RT_FLOW logs contain the hostname as one of their attributes.
Please refer to the link below, where I checked all the attributes that the different RT_FLOW messages contain:
Was it giving you the hostname on earlier versions? AFAIK the hostname was never part of RT_FLOW logs.
Hope this helps.
Please mark my response as Solution Accepted if it helps; Kudos are appreciated too.
05-05-2017 04:44 AM
First of all, thank you for the help.
That's the issue: earlier, before version 15.1, it was populating the hostname.
Any help will be highly appreciated.
05-05-2017 04:49 AM
And the link you have shared explains the message after the RT_FLOW field,
whereas the hostname should get appended to the message in the header (the syslog header):
"Apr 10 10:38:39 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed........ "
"Apr 10 10:38:39 test_hostname RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed........ "
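As an added example (not code from the thread, from Juniper, or from any syslog collector), the following Python parser shows why the missing hostname hurts monitoring: the RFC 3164 header is purely positional, so when the SRX omits the hostname the `RT_FLOW:` tag slides into the hostname slot and a naive collector attributes the event to a "host" called `RT_FLOW:`. The parser handles both header forms shown above, flags lines that carry no hostname, and pulls the session fields out of `RT_FLOW_SESSION_CLOSE`. The sample lines are constructed from the ones quoted in the thread, and the field names assigned to the SESSION_CLOSE body are my reading of the positional layout in that sample, not a Juniper-confirmed schema.

```python
"""Flag SRX RT_FLOW syslog lines whose BSD-syslog header lacks a hostname and
parse the RT_FLOW_SESSION_CLOSE body.

Sample lines are constructed for this example; SESSION_CLOSE field names are
an assumption based on the positional layout of the sample line.
"""
import re
from typing import Optional

# RFC 3164 header: "<timestamp> <hostname> <tag>: <message>".  The hostname is
# positional, so if the device omits it the tag occupies the hostname slot.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"
    r"(?:(?P<host>[^\s:]+)\s+)?"              # optional hostname (absent in the bug report)
    r"(?P<tag>RT_FLOW):\s+(?P<event>RT_FLOW_[A-Z_]+):\s+(?P<body>.*)$"
)

# RT_FLOW_SESSION_CLOSE body, positional, as read from the sample line:
#   reason: src/port->dst/port service nat-src/port->nat-dst/port src-nat-rule
#   dst-nat-rule protocol policy src-zone dst-zone session-id pkts(bytes)
#   pkts(bytes) elapsed ...   (IPv4 only; IPv6 would need a colon-aware reason match)
CLOSE_RE = re.compile(
    r"^(?P<reason>[^:]+):\s+"
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)\s+"
    r"(?P<service>\S+)\s+"
    r"(?P<nat_src>[\d.]+)/(?P<nat_sport>\d+)->(?P<nat_dst>[\d.]+)/(?P<nat_dport>\d+)\s+"
    r"(?P<src_nat_rule>\S+)\s+(?P<dst_nat_rule>\S+)\s+(?P<proto>\d+)\s+"
    r"(?P<policy>\S+)\s+(?P<src_zone>\S+)\s+(?P<dst_zone>\S+)\s+(?P<session_id>\d+)\s+"
    r"(?P<c_pkts>\d+)\((?P<c_bytes>\d+)\)\s+(?P<s_pkts>\d+)\((?P<s_bytes>\d+)\)\s+"
    r"(?P<elapsed>\d+)"
)
NUMERIC = ("sport", "dport", "nat_sport", "nat_dport", "proto", "session_id",
           "c_pkts", "c_bytes", "s_pkts", "s_bytes", "elapsed")

# Constructed sample input: the two header forms quoted in the thread plus one
# unrelated (made-up) line that the RT_FLOW parser must ignore.
SAMPLE_LINES = [
    "Apr 10 10:38:39 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed idle Timeout: "
    "10.54.17.68/56528->10.26.124.50/161 None 10.54.17.68/56528->10.16.124.50/161 None None 17 "
    "CST000000xx7304 DD_WS mgt-out 140085954 1(83) 0(0) 213 UNKNOWN UNKNOWN N/A(N/A) eth1.12 UNKNOWN",
    "Apr 10 10:38:39 test_hostname RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed idle Timeout: "
    "10.54.17.68/56528->10.26.124.50/161 None 10.54.17.68/56528->10.16.124.50/161 None None 17 "
    "CST000000xx7304 DD_WS mgt-out 140085954 1(83) 0(0) 213 UNKNOWN UNKNOWN N/A(N/A) eth1.12 UNKNOWN",
    "Apr 10 10:38:40 test_hostname sshd[2131]: Accepted password for admin from 10.54.17.68 port 40102 ssh2",
]


def naive_host(line: str) -> str:
    """What a collector that splits on whitespace records as the hostname (4th token)."""
    return line.split(maxsplit=4)[3]


def parse_rt_flow(line: str) -> Optional[dict]:
    """Return a record for an RT_FLOW line, or None for anything else."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {
        "timestamp": m["ts"],
        "host": m["host"],                 # None when the header carries no hostname
        "host_missing": m["host"] is None,
        "event": m["event"],
    }
    if m["event"] == "RT_FLOW_SESSION_CLOSE":
        b = CLOSE_RE.match(m["body"])
        if b:
            fields = b.groupdict()
            for key in NUMERIC:
                fields[key] = int(fields[key])
            rec.update(fields)
    return rec


def audit(lines) -> dict:
    """Count RT_FLOW events, how many lack a hostname, and events per attributable host."""
    summary = {"rt_flow": 0, "host_missing": 0, "by_host": {}}
    for line in lines:
        rec = parse_rt_flow(line)
        if rec is None:
            continue
        summary["rt_flow"] += 1
        if rec["host_missing"]:
            summary["host_missing"] += 1
        else:
            summary["by_host"][rec["host"]] = summary["by_host"].get(rec["host"], 0) + 1
    return summary


if __name__ == "__main__":
    for line in SAMPLE_LINES[:2]:
        print("naive collector host:", naive_host(line))
    print(audit(SAMPLE_LINES))
```

Running it attributes the first line to a host named `RT_FLOW:` under the naive split, while `audit` reports one of the two RT_FLOW events as unattributable. Until the device emits the hostname again, a collector-side fallback (e.g. tagging by sender IP at the syslog receiver) is the practical way to keep those events correlated to the right firewall.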
05-05-2017 10:29 AM