03-29-2011 01:28 PM - edited 03-29-2011 01:29 PM
Hi motd,
And when turning NSM into a syslog server, as you mentioned from page 765, I will configure its IP on the SRX as the external syslog server, right?
Also, will I be able to view these logs from the Log Viewer tab (the same as if I was adding the SRX to NSM)?
03-30-2011 08:00 AM
Yes, only one change is required on the NSM server itself.
The other changes you are making are simply instructing the SRX to send its traffic logs to a syslog server instead of logging them locally to disk or flash.
The logs show up in the log viewer just like before.
05-11-2011 01:38 PM
If anyone else is struggling with this, the configurations detailed here are good and we are successfully logging in stream mode to external syslog servers and to NSM 2011.1 now, but there are a few caveats as of Junos 10.4:
1) "UI_CONFIGURATION_ERROR: Process: rtlogd, path: [edit security log], statement: stream strm-stream-log, Stream has no meaning when system-event-mode is on" - this is a bogus error and can be ignored. It appears whether the system is in log mode stream or log mode event.
2) default-log-messages - in log mode event, the traffic logs appear here by default (or, more correctly, the control plane logs appear here). When in log mode stream, the traffic logs are sent straight from the dataplane and traffic logs do not appear here. I assume this means the web UI will not show the traffic logs either.
3) Stream mode is only supported outbound on a physical interface, not over a VPN (st interfaces). If you have branch offices connected via VPN, you will not be able to forward traffic logs in stream mode. You have to use event mode if you want to collect those traffic logs. This was our big problem in testing out stream mode.
We noticed some small differences in the data contents in structured (stream) vs non-structured (event), but the STRM DSM and NSM do support both.
07-04-2011 04:59 PM
Hello,
I'm having issues with this. We had our SRX set to log to NSM using event mode. This was causing high CPU, so I have made the changes suggested in this thread.
We have our SRXs running in an HA cluster. I have put the configuration under each node in the groups configuration section. NSM has also been changed to allow syslog over UDP.
Also, we are managing the SRX cluster via the FXP, and NSM is using the FXP of each node for management as well.
Here is the config:
show configuration groups node0 security log
mode stream;
format sd-syslog;
source-address 10.150.7.18;
stream nsm-stream {
    category all;
    host {
        10.203.0.34;
        port 5140;
    }
}

show configuration groups node0 system syslog
file default-log-messages {
    any any;
    structured-data;
}
This configuration is the same on node1.
In NSM, all I see are logs from source 0.0.0.0 destination 0.0.0.0. Nothing else.
Any thoughts on this?
Setting it to stream mode has fixed the CPU issue, but now logs do not appear properly.
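The "source 0.0.0.0 destination 0.0.0.0" records in the post above, and the structured (stream) vs non-structured (event) differences noted earlier in the thread, are easiest to investigate by looking at the raw sd-syslog stream before NSM or STRM interprets it. The following Python script is an added example, not code from this thread or from Juniper. It parses RFC 5424 structured-data lines of the kind an SRX emits with "format sd-syslog" and flags records whose addresses are all zero. The sample lines are constructed; the SD-ID junos@2636.1.1.1.2.36 and the field names are assumed to mirror typical RT_FLOW output and are not taken from this thread.

```python
"""Parse SRX sd-syslog (RFC 5424 structured-data) stream lines and flag
records whose source and destination addresses are both 0.0.0.0."""
import re
import sys
from typing import Dict, List, Optional

# Constructed sample lines, not captures from the thread.  The SD-ID
# "junos@2636.1.1.1.2.36" and the parameter names are assumptions that
# mirror typical RT_FLOW_SESSION_* output; adjust them to your own capture.
SAMPLE_LINES: List[str] = [
    '<14>1 2011-07-04T16:59:00.000Z srx-node0 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.36 source-address="10.150.7.50" source-port="51234" '
    'destination-address="192.0.2.10" destination-port="443" protocol-id="6" '
    'policy-name="allow-web" source-zone-name="trust" '
    'destination-zone-name="untrust"]',
    '<14>1 2011-07-04T16:59:01.000Z srx-node0 RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.36 reason="TCP FIN" source-address="0.0.0.0" '
    'source-port="0" destination-address="0.0.0.0" destination-port="0" '
    'protocol-id="6" policy-name="allow-web"]',
    'this line is not RFC 5424 at all',
]

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>\[.*)$'
)
# One SD-ELEMENT: "[" SD-ID followed by PARAM-NAME="PARAM-VALUE" pairs and "]"
SD_RE = re.compile(r'\[(?P<sdid>[^\s\]]+)(?P<params>[^\]]*)\]')
# Quoted values may contain spaces (e.g. reason="TCP FIN"), so match on quotes
PARAM_RE = re.compile(r'(\S+?)="([^"]*)"')


def parse_sd_syslog(line: str) -> Optional[Dict]:
    """Return a dict for an RFC 5424 line, or None if the header does not match."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    sd = SD_RE.search(m.group("rest"))
    params = dict(PARAM_RE.findall(sd.group("params"))) if sd else {}
    return {
        "facility": pri >> 3,      # PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "app": m.group("app"),
        "msgid": m.group("msgid"),
        "sdid": sd.group("sdid") if sd else None,
        "params": params,
    }


def is_zeroed(record: Dict) -> bool:
    """True when both flow endpoints are 0.0.0.0, i.e. the record carries no
    usable address data for the log viewer to display."""
    p = record["params"]
    return (p.get("source-address") == "0.0.0.0"
            and p.get("destination-address") == "0.0.0.0")


def find_zeroed_records(lines: List[str]) -> List[str]:
    """Return the MSGIDs of every parsable record with all-zero addresses."""
    found = []
    for line in lines:
        rec = parse_sd_syslog(line)
        if rec and is_zeroed(rec):
            found.append(rec["msgid"])
    return found


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count parsed, unparsed and zeroed records in a batch of lines."""
    counts = {"parsed": 0, "unparsed": 0, "zeroed": 0}
    for line in lines:
        rec = parse_sd_syslog(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        counts["parsed"] += 1
        if is_zeroed(rec):
            counts["zeroed"] += 1
    return counts


if __name__ == "__main__":
    # Feed a captured file on stdin, otherwise fall back to the constructed sample
    lines = ([ln.rstrip("\n") for ln in sys.stdin]
             if not sys.stdin.isatty() else SAMPLE_LINES)
    for ln in lines:
        rec = parse_sd_syslog(ln)
        if rec is None:
            print("UNPARSED:", ln[:60])
        else:
            flag = " <-- all-zero addresses" if is_zeroed(rec) else ""
            print(rec["msgid"], rec["params"].get("source-address"),
                  rec["params"].get("destination-address"), flag)
    print(summarize(lines))
```

Capturing a minute of UDP 5140 traffic with tcpdump on the collector and piping the payloads through this script separates two cases that look identical in the NSM log viewer: the SRX is sending zeroed records (a device-side problem, for example the log stream leaving via the wrong interface or a node that is not the active one) versus the SRX sending good records that NSM is failing to parse (a collector-side problem).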