SRX Services Gateway
Telnet-1

Re: SRX Branch + NSM + Logging + High CPU


Hi motd,

And when turning NSM into a syslog server, from page 765 as you mentioned, I will configure its IP on the SRX as an external syslog server, right?

Also, will I be able to view these logs from the Log Viewer tab (the same as if I was adding the SRX to NSM)?


motd

Yes, only one change is required on the NSM server itself.

The other changes you are making are simply instructing the SRX to send its traffic logs to a syslog server instead of logging them locally to disk or flash.

The logs show up in the log viewer just like before.

markpr

If anyone else is struggling with this, the configurations detailed here are good and we are successfully logging in stream mode to external syslog servers and to NSM2011.1 now - but there are a few caveats as of JunOS 10.4.

1) "UI_CONFIGURATION_ERROR: Process: rtlogd, path: [edit security log], statement: stream strm-stream-log, Stream has no meaning when system-event-mode is on" - this is a bogus error and can be ignored. It appears whether the system is in log mode stream or log mode event.

2) default-log-messages - in log mode event, the traffic logs appear here by default (or, more correctly, the control plane logs appear here). When in log mode stream, the traffic logs are sent straight from the dataplane and traffic logs do not appear here. Assume this means the webui will not show the traffic logs either.

3) Stream mode is only supported outbound on a physical interface, not over a VPN (st interfaces). If you have branch offices connected via VPN you will not be able to forward traffic logs in stream mode. You have to use event mode if you want to collect those traffic logs. This was our big problem in testing out stream mode.

We noticed some small differences in the data contents in structured (stream) vs non-structured (event), but the STRM DSM and NSM do support both.


Luca

Hello,

I'm having issues with this. We had our SRX set to log to NSM using event mode. This was causing high CPU so I have made the changes suggested in this thread.

We have our SRXs running in a HA cluster. I have put the configuration under each node in the groups configuration section. NSM has also been changed to allow syslog over UDP.

Also - we are managing the SRX cluster via the FXP, and NSM is using the FXP of each node for management as well.


Here is the config:


show configuration groups node0 security log
mode stream;
format sd-syslog;
source-address 10.150.7.18;
stream nsm-stream {
    category all;
    host {
        10.203.0.34;
        port 5140;
    }
}

show configuration groups node0 system syslog
file default-log-messages {
    any any;
    structured-data;
}


This configuration is the same on node1.

In NSM all I see are logs from source 0.0.0.0 destination 0.0.0.0. Nothing else.


Any thoughts on this?

Setting it to stream mode has fixed the CPU issue, but now logs do not appear properly.
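
When a collector shows 0.0.0.0 for both addresses, it helps to capture a few messages on the syslog port and check whether the address fields are present in what the device sent, or are being lost when the collector parses them. The following is an added example, not part of any post in this thread: a small Python parser for RFC 5424 style structured-data messages such as `format sd-syslog` produces. The sample lines, the SD-ID and the field names `source-address` and `destination-address` are constructed assumptions about typical RT_FLOW messages, not output from the poster's devices.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD/MSG
HEADER = re.compile(r'^<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$', re.S)
# One SD-PARAM: name="value"; inside the value, " \ and ] are backslash-escaped
PARAM = re.compile(r'([^\s=\]"]+)="((?:\\.|[^"\\])*)"')
# First SD-ELEMENT: [sd-id name="value" ...]
SD_ELEMENT = re.compile(r'\[([^\s=\]"]+)((?: [^\s=\]"]+="(?:\\.|[^"\\])*")*)\]')

def parse_sd_syslog(line):
    """Parse one structured syslog message into header fields and SD params."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not an RFC 5424 (structured) syslog message")
    pri, _ver, ts, host, app, _procid, msgid, rest = m.groups()
    sd = {}
    el = SD_ELEMENT.match(rest)
    if el:
        sd["sd-id"] = el.group(1)
        for name, value in PARAM.findall(el.group(2)):
            sd[name] = re.sub(r'\\(["\\\]])', r'\1', value)  # undo escaping
    return {"facility": int(pri) >> 3, "severity": int(pri) & 7,
            "timestamp": ts, "host": host, "app": app, "msgid": msgid, "sd": sd}

def triage(line, required=("source-address", "destination-address")):
    """Classify a captured line: unstructured, ok, or which fields are absent/zero."""
    try:
        sd = parse_sd_syslog(line)["sd"]
    except ValueError:
        return "unstructured"
    bad = [k for k in required if sd.get(k, "0.0.0.0") == "0.0.0.0"]
    return "missing: " + ", ".join(bad) if bad else "ok"

# Constructed sample messages (documentation addresses, hypothetical hostnames)
SAMPLE_OK = ('<14>1 2011-06-01T10:15:30.123Z srx-node0 RT_FLOW - RT_FLOW_SESSION_CREATE '
             '[junos@2636.1.1.1.2.40 source-address="192.0.2.10" source-port="51234" '
             'destination-address="198.51.100.7" destination-port="443" '
             'policy-name="allow \\"web\\""]')
SAMPLE_EMPTY = ('<14>1 2011-06-01T10:15:31.000Z srx-node0 RT_FLOW - RT_FLOW_SESSION_CLOSE '
                '[junos@2636.1.1.1.2.40 reason="TCP FIN"]')
SAMPLE_EVENT = ('<14>Jun  1 10:15:30 srx-node0 RT_FLOW: RT_FLOW_SESSION_CREATE: '
                'session created 192.0.2.10/51234->198.51.100.7/443')

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_EMPTY, SAMPLE_EVENT):
        print(triage(sample))
```

If captured messages triage as "ok" while the collector still shows 0.0.0.0, the fields are arriving and the problem is on the parsing side; "unstructured" means the device is not sending the structured format the collector expects.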


