Old thread, but I ran across this topic while trying to figure out why "show security log" was throwing a fit.
So, from my testing on SRX210, 12.1X44-D30:
there are 2 formats for traffic logs generated by mode 'event':
1) binary
For binary, all that is needed is
set security log mode event
set security log format binary
And a file named bin_messages is automatically created in /var/log directory.
Also "set security log file name xxxx" seems only to apply to binary format.
To view, type "show security log file" or "show security log file /cf/var/log/xxxxxx" to view contents of traffic logs.
"show security log" does nothing -- even with cache enabled (keep reading)
2) syslog/sd-syslog
For syslog/sd-syslog format, the config needed:
set security log mode event
set security log format sd-syslog(or syslog)
Still, "show security log" throws the error "Security logging is disabled"
To view, you can configure "set system syslog file xxx ....." and filter RT_FLOW messages, then view via "show log xxx"
http://kb.juniper.net/InfoCenter/index?page=content&id=KB16509
Now, ran across this setting:
"set security log cache"
This must be the audit log (documentation isn't very clear)... but after enabling this command, I now see info when I type "show security log". Default lines cached in memory is 10,000 -- at least for SRX210.
* With format set to binary, we only see other security events, such as logins, CLI commands run, but no traffic logs.
* With format set to syslog/sd-syslog, we now see traffic logs, in addition to the other 'security' events.
There are a number of knobs to filter just the events of interest (i.e. show security log event-id RT_FLOW_SESSION_CREATE)
Note:
- when viewing "show security log", traffic log format is the same whether set to syslog or sd-syslog.
- when set to format syslog/sd-syslog, it's not required to configure "set system syslog file xxx" to view contents of cache via "show security log"
Hope this helps.
Sam
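As an added example (not from the post above), here is the "filter RT_FLOW messages" step done offline: a small Python parser that picks RT_FLOW events out of a syslog file written in either the plain syslog or the sd-syslog format and selects by event-id, the way "show security log event-id" does. The log lines are constructed, and the sd-syslog field names (source-address, policy-name, ...) are assumed from the structured-data layout rather than taken from the post.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample of a "set system syslog file xxx" file mixing a non-RT_FLOW
# line, one plain-syslog RT_FLOW line and two sd-syslog (RFC 5424 style) lines.
SAMPLE_LOG = """\
Mar  1 10:00:01 srx210 sshd[1234]: Accepted password for admin from 10.0.0.5 port 50000 ssh2
Mar  1 10:00:02 srx210 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.0.0.5/50001->192.0.2.10/443 junos-https allow-web trust untrust
<14>1 2013-03-01T10:00:03.000Z srx210 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.39 source-address="10.0.0.5" source-port="50002" destination-address="192.0.2.10" destination-port="80" protocol-id="6" policy-name="allow-web"]
<14>1 2013-03-01T10:00:09.000Z srx210 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.39 reason="TCP FIN" source-address="10.0.0.5" destination-address="192.0.2.10" destination-port="80"]
"""

EVENT_RE = re.compile(r"\b(RT_FLOW_[A-Z_]+)\b")       # event id, e.g. RT_FLOW_SESSION_CREATE
SD_RE = re.compile(r"\[junos@\S+ ([^\]]*)\]")         # sd-syslog structured-data element
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')             # key="value" pairs inside it


def parse_rt_flow(line: str) -> Optional[Dict[str, str]]:
    """Return event id plus fields for an RT_FLOW line, or None for any other line."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    rec = {"event-id": m.group(1)}
    sd = SD_RE.search(line)
    if sd:
        # sd-syslog: named fields are already structured, so keep them as a dict
        rec.update(KV_RE.findall(sd.group(1)))
        rec["format"] = "sd-syslog"
    else:
        # plain syslog: only the free-text message after the event id is available
        rec["message"] = line[m.end():].lstrip(": ").strip()
        rec["format"] = "syslog"
    return rec


def filter_events(text: str, event_id: str) -> List[Dict[str, str]]:
    """Offline equivalent of 'show security log event-id <event_id>' over a log file."""
    records = (parse_rt_flow(line) for line in text.splitlines())
    return [r for r in records if r and r["event-id"] == event_id]


def count_by_event(text: str) -> Counter:
    """Quick sanity check of which RT_FLOW events a log file actually contains."""
    return Counter(r["event-id"] for r in map(parse_rt_flow, text.splitlines()) if r)


if __name__ == "__main__":
    for rec in filter_events(SAMPLE_LOG, "RT_FLOW_SESSION_CREATE"):
        print(rec)
    print(count_by_event(SAMPLE_LOG))
```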