SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Security Policy logs to NSM and locally

    Posted 07-13-2011 01:31

    Hi

     

    I have an SRX240. I want to see the security policy logs locally and also want to send them to NSM. Can anyone guide me on the configuration for this?

     

    Thanks

     

     


    #logging


  • 2.  RE: Security Policy logs to NSM and locally
    Best Answer

    Posted 07-13-2011 17:33

    Hi ,

     

    Please refer to http://kb.juniper.net/InfoCenter/index?page=content&id=KB16509 if you want to check the policy logs on the SRX. To send them to NSM, refer to KB http://kb.juniper.net/InfoCenter/index?page=content&id=KB16448

     

     

    Thanks,

    Vistior



  • 3.  RE: Security Policy logs to NSM and locally

    Posted 07-17-2011 09:38

    To check the flow log both locally and via a syslog server, you need to set the security log mode to event. This will forward log info to the event daemon on the control plane. By default, flow log info will be written into the file messages. You can also set a system syslog server; the SRX can copy the flow log to the syslog server.

    But I am afraid there is a problem: when set to event mode with the SRX used in an ISP network, huge traffic will generate lots of log info. This info will be forwarded to the control plane. From a security point of view, can we treat it as a DoS attack on the RE?



  • 4.  RE: Security Policy logs to NSM and locally

    Posted 07-18-2011 12:33

    Thanks to both but could you please explain

     

    1- If I want to check the logs for a particular policy how can I do it? Because log file capturing RT_FLOW_SESSION would show logs for all policies

     

    2- If I want to send the logs to NSM, Kindly correct me if I understand correctly. If mode is event under [security log] then following lines are essential:

     

    set system syslog file default-log-messages any any
    set system syslog file default-log-messages structured-data

     

    But if the mode is stream under [security log], then the above lines are not needed?

     

    Thanks



  • 5.  RE: Security Policy logs to NSM and locally

    Posted 07-18-2011 14:29
    If you have NSM in stream mode, you configure "security log ..." and set udp/syslog via udp/5140.


  • 6.  RE: Security Policy logs to NSM and locally

    Posted 07-18-2011 19:07

    Here is my understanding. If it is wrong, please correct me.

    If we enable stream mode, that means the security log will not go to the control plane, so the syslog file setting cannot capture the security log. Am I right?



  • 7.  RE: Security Policy logs to NSM and locally

    Posted 08-07-2011 11:35

    @caiyu wrote:

    Here is my understanding. If it is wrong, please correct me.

    If we enable stream mode, that means the security log will not go to the control plane, so the syslog file setting cannot capture the security log. Am I right?


    You are right. If set to stream mode, the SRX will "stream" the logs out of the dataplane directly to the configured log destination. They will never reach the control plane this way and hence cannot be written to a local file.

     



  • 8.  RE: Security Policy logs to NSM and locally

    Posted 08-07-2011 09:10

    Hi aeroplane,

     

    Regarding the question below :

    1- If I want to check the logs for a particular policy how can I do it? Because log file capturing RT_FLOW_SESSION would show logs for all policies

     

    you can use match :

     

    > show log  file-name | match  "policy-name"

     

    **************  Click on the button saying " Accept  as Solution"  if  My Post solved your problem  **************
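
    The `match` filter in the last post is a pattern match on the whole log line, so a policy name also hits longer names that contain it and any non-flow line that mentions it. The sketch below is an added example (not from the thread or from Juniper) that filters on the policy-name field itself, assuming the local file is written with structured-data as in post 4; the sample lines and their field values are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in structured-data layout; every value is made up.
SD = '[junos@2636.1.1.1.2.36 '
SAMPLE = [
    '<14>1 2011-07-18T12:33:01Z srx240 RT_FLOW - RT_FLOW_SESSION_CREATE ' + SD +
    'source-address="10.1.1.5" destination-address="192.0.2.10" policy-name="allow-web" session-id-32="101"]',
    '<14>1 2011-07-18T12:33:02Z srx240 RT_FLOW - RT_FLOW_SESSION_CLOSE ' + SD +
    'reason="TCP FIN" source-address="10.1.1.5" policy-name="allow-web" session-id-32="101"]',
    '<14>1 2011-07-18T12:33:03Z srx240 RT_FLOW - RT_FLOW_SESSION_CREATE ' + SD +
    'source-address="10.1.1.9" destination-address="192.0.2.20" policy-name="allow-web-dmz" session-id-32="102"]',
    '<14>1 2011-07-18T12:33:04Z srx240 RT_FLOW - RT_FLOW_SESSION_DENY ' + SD +
    'source-address="10.1.1.7" destination-address="192.0.2.30" policy-name="deny-all"]',
    # Not a flow record, but it mentions the policy name, so a plain match would hit it.
    '<29>1 2011-07-18T12:33:05Z srx240 mgd - UI_CFG_AUDIT_SET ' + SD +
    'message="set policy allow-web"]',
]

EVENT = re.compile(r'\b(RT_FLOW_SESSION_(?:CREATE|CLOSE|DENY))\b')
SD_BLOCK = re.compile(r'\[junos@\S+ (?P<body>.*)\]\s*$')
# key="value" pairs; the value may contain spaces and backslash-escaped characters.
SD_PAIR = re.compile(r'([\w-]+)="((?:[^"\\]|\\.)*)"')

def parse_line(line):
    """Return the structured-data fields plus 'event', or None if not a flow record."""
    ev, sd = EVENT.search(line), SD_BLOCK.search(line)
    if not ev or not sd:
        return None
    fields = dict(SD_PAIR.findall(sd.group('body')))
    fields['event'] = ev.group(1)
    return fields

def logs_for_policy(lines, policy):
    """Flow records whose policy-name field equals `policy` exactly."""
    return [r for r in map(parse_line, lines) if r and r.get('policy-name') == policy]

def events_per_policy(lines):
    """Count (policy, event) pairs, useful for spotting the noisiest policies."""
    return Counter((r['policy-name'], r['event'])
                   for r in map(parse_line, lines) if r and 'policy-name' in r)

if __name__ == '__main__':
    for rec in logs_for_policy(SAMPLE, 'allow-web'):
        print(rec['event'], rec.get('source-address'), rec.get('session-id-32'))
    print(events_per_policy(SAMPLE).most_common())
```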