Good notes, thanks for posting that.

Could you post the complete syslog and security log configurations for reference?

Not much more to the config, other then some basic logging to the messages file and user console as per some recomendations found in other forum posts and KBs.

security

log {
    mode stream;
    format sd-syslog;
    source-address [Device IP];
    stream NSM_Syslog {
        category all;
        host {
            [NSM IP];
            port 5140;
        }
    }
}

 system

syslog {
    archive size 200k files 3;
    user * {
        any emergency;
    }
    file default-log-messages {
        any info;
        match "!(WEBFILTER_URL_PERMITTED|WEBFILTER_SERVER_CONNECTED)";
        structured-data;
    }
    file messages {
        any critical;
        authorization info;
    }
    file interactive-commands {
        interactive-commands error;
    }
}

Attached is an image of the CPU use on an SRX210 that was doing traffic logging locally then was switched to streaming to NSM directly.

Note that the graph is almost flat after the commit (spike) the CPU load used to climb in step with the number of open sessions every day, now it is less than the idle time!

I like this feature, but just wanted to point out that the SRX branch runs on CPU anyway.  There are no ASICs.  You have to move into the SRX1400 and above to get hardware forwarding.  But I think the biggest advantage is now the syslog stream is moved to the fwdd/flowd process instead of going to the RE.

Regardless if the branch series uses one CPU (I didn't suggest anything else), logging in event mode uses the internal syslog server and writes to internal flash, which is VERY slow, as per my above post there is  a huge CPU load penalty to logging to the internal storage.

Thus stream mode still reduces load by a large factor and something you should use if you are doing ANY traffic/IDP logging. Take a look at my CPU graph for a 210 it is a 40% drop, but then again I am logging most traffic.

Yes, its the flash that is the bottleneck and will slow down the RE cpu. Especially on the more powerful 650s this can become a major issue, I've seen them fail because of this. I always recommend stream logging, but I'd like to see SRX implement some sort of small in-memory buffer like netscreen had so we can look at the last X logs entries on the device itself. For the branch, that would be ideal and event mode could be removed from the default config.

Interesting you had to specify "category all" though, in my experience thats usually the one setting that causes logs not to be sent. So if anyone has troubles, try removing that statement.

Next up, getting NSM to stop logging notices to deviceDeamon.0 every time it receives a syslog message.

Hi

By the way, why not to write logs to the RAM disk?

You can create a link to it from shell like

ln -s /jail/mfs/ramlog /var/log/ramlog

And direct logging to it

lab@srx# show system syslog file ramlog
any any;

lab@srx# run file list /var/log/ramlog detail
lrwxr-xr-x  1 lab   wheel         16 Nov 13 12:32 /var/log/ramlog@ -> /jail/mfs/ramlog
total 1

lab@srx# run file list /jail/mfs/ramlog detail  
-rw-rw----  1 root  wheel       7622 Nov 13 12:55 /jail/mfs/ramlog

It kind of works in lab, but I don't recommend this for production - just
an idea...

Hi Pk,

I have also faced some issues on IDP logs showing o nNSM 2011.1   I configured message any any on SRXs,but under predefined DI/IDP category, we cannot see the IDP logs. If we clear filters, we can see the logs, so I don't know if they are real IDP logs or we can directly see logs under there.. Some ideas about it?? 

Good morning,

I have SRX-240's - trying to implement stream based logging to HOPEFULLY address a problem with jflow and syslog F'ing each other in high load environments.

When logging in "event" mode I set the facility to 4.  My syslogd then takes all "facility 4" msgs and writes them to my common firewall log file.

When I implement "stream" mode, the msgs are written to the syslog default (/var/log/messages) and not where I want them.

How can I set the facility in stream mode?  I realize there's a stream name / tag, but what does that mean really?  I didn't notice a stream name embedded in the syslog messages.

I run rsyslogd so I can tweak this using attributes other than "facility" - but I'd prefer to stick with facility if I can.

TIA for any help!

Gary