No policy logging on SRX cluster

  • 1.  No policy logging on SRX cluster

     
    Posted 12-21-2012 02:44

    Hi,

     

    I'm running into a problem with the logging of policies on our cluster of SRX-240s running JUNOS 12.1R4.7. Logging is configured as follows:

     

        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            host 192.168.1.100 {
                any critical;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
            file policy_session {
                user info;
                match RT_FLOW;
                archive size 1000k world-readable;
                structured-data;
            }
        }
    

    The policy_session file exists, lots of policies have logging configured on them, but the file remains empty. I can clear the file, but that's about it. Any idea on what causes this problem?

     

    Regards,

    Steven

     



  • 2.  RE: No policy logging on SRX cluster

    Posted 12-21-2012 06:06

    Weird. What are the permissions of the file?

     

    admin@SRX210> file list detail /var/log/messages
    -rw-rw---- 1 root wheel 6205 Dec 21 09:04 /var/log/messages
    total 1

    admin@SRX210>

     

    Replace messages with policy_session.



  • 3.  RE: No policy logging on SRX cluster

     
    Posted 12-21-2012 06:15

    File permissions are:

     

    -rw-rw-r-- 1 root wheel 64 Dec 21 11:15 /var/log/policy_session

     

    This should be OK. All other log files have the same permissions set.

     

     



  • 4.  RE: No policy logging on SRX cluster

    Posted 12-21-2012 07:19

    Could you post your complete config or at a minimum the security policies? Double-check that the standby srx has the same configuration.



  • 5.  RE: No policy logging on SRX cluster

    Posted 12-24-2012 12:05

    Hello

     

    What is the setting for [security log]? It should be mode event, not stream.

     

    set security log mode event

     

     



  • 6.  RE: No policy logging on SRX cluster

     
    Posted 12-24-2012 14:52

    Hi,

     

    I did set the log mode to event, but still no go...

     

    Steven

     



  • 7.  RE: No policy logging on SRX cluster

    Posted 12-26-2012 09:12

    Configuration looks good. Can you please check if your log filesystem is full or near capacity using the show system storage command? If so, please use the request system storage cleanup option to clean up unused files.

     



  • 8.  RE: No policy logging on SRX cluster

     
    Posted 12-27-2012 05:38

    I checked and there is more than enough disk space left on both nodes of the cluster. Also both cluster members have the same active configuration running.

     

    I added the line 'user info;' to the host section and I didn't see any policies getting logged to our syslog server either. Only critical messages show up on the server. Beats me...



  • 9.  RE: No policy logging on SRX cluster
    Best Answer

    Posted 12-27-2012 09:15

    What about replacing user info with any any? Also could you post your policies with the logging statements? 

    Thanks



  • 10.  RE: No policy logging on SRX cluster

     
    Posted 12-27-2012 11:28

    That did the trick indeed! For some reason the severity levels changed in the newer versions of Junos.

     

    Thanks!
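
The behaviour behind the fix in posts 9 and 10, as an added example that is not part of the original thread: in a syslog file stanza the facility/severity selector is applied first, and `match` only filters what the selector already admitted. The message text and the facility values tried below are constructed; the thread does not say which priority the RT_FLOW messages carried.

```python
import re

# Message severities, most to least severe; "any" as a configured level admits all.
RANK = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
        "warning": 4, "notice": 5, "info": 6, "debug": 7, "any": 7}

# Trimmed copy of the stanza from the first post (before the fix).
BEFORE = """
syslog {
    file messages {
        any critical;
        authorization info;
    }
    file policy_session {
        user info;
        match RT_FLOW;
        structured-data;
    }
}
"""
AFTER = BEFORE.replace("user info;", "any any;")  # the change suggested in post 9

def parse_targets(text):
    """Map 'file NAME' / 'host ADDR' to its selectors and match regex."""
    targets, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        head = re.match(r"(file|host)\s+(\S+)\s*\{$", line)
        if head:
            cur = targets.setdefault(" ".join(head.groups()), {"selectors": [], "match": None})
        elif line == "}":
            cur = None
        elif cur is not None and line.endswith(";"):
            words = line[:-1].split()
            if len(words) == 2 and words[0] == "match":
                cur["match"] = words[1].strip('"')
            elif len(words) == 2 and (words[1] in RANK or words[1] == "none"):
                cur["selectors"].append((words[0], words[1]))
    return targets

def is_written(target, facility, severity, message):
    """Selection by facility/severity comes first; match filters what was selected."""
    selected = any(fac in ("any", facility) and sev != "none" and RANK[severity] <= RANK[sev]
                   for fac, sev in target["selectors"])
    return selected and (target["match"] is None or bool(re.search(target["match"], message)))

# Constructed message; the facilities tried here are hypothetical.
MSG = "RT_FLOW - RT_FLOW_SESSION_CREATE [constructed sample]"
for label, cfg in (("user info", BEFORE), ("any any", AFTER)):
    t = parse_targets(cfg)["file policy_session"]
    print(label, [is_written(t, f, "info", MSG) for f in ("user", "daemon")])
```

With `user info` the file only receives an RT_FLOW message if it arrives with facility user; with `any any` the `match RT_FLOW` regex alone decides what lands in the file.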

     



  • 11.  RE: No policy logging on SRX cluster

    Posted 12-27-2012 13:47

    Do you have event policies configured? I wonder if this applies to you?? I'm not sure I quite grasp this blurb from the 12.1 release notes, but here it is:

     

    • Event policy support to override the system log priority of the triggering event—Starting with Junos OS Release 12.1, you can configure an event policy to override the default system log priority of a triggering event so that the system logs the event with a different facility type, severity level, or both. To override the priority of the triggering event, configure the priority-override statement at the [edit event-options policy policy-name then] hierarchy level. To override the facility type with which the triggering event is logged, include the facility statement and the new facility type. To override the severity level with which the triggering event is logged, include the severity statement and the new severity level.

     

    http://www.juniper.net/techpubs/en_US/junos12.1/information-products/topic-collections/release-notes/12.1/junos-release-notes-12.1.pdf

     

     



  • 12.  RE: No policy logging on SRX cluster

     
    Posted 12-28-2012 08:15

    No, I haven't got any event policies configured. There isn't an event-options section in our config.