SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Understanding Syslog

    Posted 07-08-2014 13:01

     

    Below is the syslog config on my SRX.

     

    show system syslog


    archive size 1m files 5;
    user * {
        any emergency;
    }
    host x.x.x.x {
        any any;
    }
    host x.x.x.x {
        any any;
    }
    file messages {
        any notice;
        authorization info;
    }
    file interactive-commands {
        interactive-commands any;
    }
    file auditlog {
        authorization info;
        change-log any;
        interactive-commands any;
    }
    file authlog {
        authorization info;
    }
    file fw-filter {
        firewall any;
    }
    source-address x.x.x.x;

     

     

    I am having a problem understanding the configuration.

     

    user * {
        any emergency;
    }

     

    Does this mean any events related to a user should be logged as emergency, or that any event which is an emergency should be logged?

     

    host x.x.x.x {
        any any;
    }

     

    What does "any any" mean in this case?

     

    Can someone help me with this?



  • 2.  RE: Understanding Syslog
    Best Answer

    Posted 07-08-2014 18:02

    Hi Abhishek,

     

    user — Notify a specific user of the log event.
     
    * is all kinds of users.

     

    It says to save all emergency kind of logs for any user.

     

    User * means all kinds of users.

     

    any means: all facilities

     

    Emergency: Generate Panic Conditions


    ++++++++++++++++++++++++

    Host X.x.x.x

    any any

    First any: all facilities (daemon, firewall, kernel, pfe, etc.)

    Second any: all levels of logs (error, critical, info, emergency, etc.)


    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 3.  RE: Understanding Syslog

    Posted 07-08-2014 22:23

    Hi Abhishek,

    The following link will explain the facility and logging details:


    http://www.juniper.net/techpubs/en_US/junos14.1/topics/reference/general/syslog-facilities-severity-levels.html
     

    user -> Notify a specific user of the log event.
     
    * -> all kinds of users.

     
    It says to save all emergency kind of logs for any user.

     
    _____________________________________


    User * means all kinds of users.

     

    any means: all facilities

     

    Emergency: Generate Panic Conditions


    ++++++++++++++++++++++++

    Host X.x.x.x

    any any

    First any: all facilities (daemon, firewall, kernel, pfe, etc.)

    Second any: all levels of logs (error, critical, info, emergency, etc.)


    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 4.  RE: Understanding Syslog

    Posted 07-09-2014 07:58

    I appreciate your help rparthi.

     

    Also, looking at the configuration I posted, can you please help me understand which logs are being logged locally and which of them are forwarded to syslog?



  • 5.  RE: Understanding Syslog

     
    Posted 07-09-2014 08:14

    Hello Abhishek

     

    Attributes under host { } will be sent to the external syslog server.

    And attributes under file { } will be logged locally into a file.

     

    Regards,

    Raveen



  • 6.  RE: Understanding Syslog

    Posted 07-09-2014 08:56

    Thanks Raveen, so according to the below configs:

     

    show system syslog
    user * {
        any emergency;
    }
    host 10.0.0.10 {
        any any;
        source-address 10.0.0.1;
    }
    file security {
        security info;
    }
    file policy_session {
        archive;
    }
    file auditlog {
        authorization notice;
        change-log any;
        interactive-commands any;
    }
    file auth {
        authorization info;
    }
    file fw-filter {
        firewall any;
    }
    file ids {
        any any;
        match RT_IDS;
        archive world-readable;
        structured-data;
    }
    source-address 10.0.0.1;

     

    and

     

    show security log
    mode event;
    format sd-syslog;
    source-address 10.0.0.1;
    stream securitylog {
        severity info;
        category all;
        host {
            10.0.0.10;
            port 514;
        }
    }

    Are the logs from security, policy_session, auditlog, auth, fw-filter and ids getting logged locally to files?

    Logs about users and security are being forwarded to the syslog server 10.0.0.10.

     

    Please correct me if I am wrong.



  • 7.  RE: Understanding Syslog

     
    Posted 07-09-2014 11:04

    Hello.

     

    You're essentially sending all logs (both RE and dataplane logs) to syslog server.

     

    "mode event" in the "security log" stanza will forward all the traffic logs to the Routing Engine.

     

    And since you have "set system syslog host 10.0.0.10 any any" configured, everything will be sent to the syslog server with src-address 10.0.0.1.

     

    You'll need to watch your RE CPU utilization, if using "mode event".

     

    My suggestion would be to leave the "system syslog" setting as is, and see if you do want to see all the logs. Usually, "any info" or "any notice" level should be sufficient. You can monitor the logs on the syslog servers and tweak as needed.

     

    I would send the security log straight out the dataplane via "mode stream". You won't be able to view the traffic logs on the SRX itself, but you also don't risk spiking the RE CPU.

     

     

    Regards,

    Sam



  • 8.  RE: Understanding Syslog

    Posted 07-09-2014 23:09

    Hi Abhishek,


    <set system syslog> configuration is for control plane logging.

     

    Logs generated by all processes that are running on the device (like JSRPD, Chassisd, kmd) are called control plane logs.

     

    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    <set security log>: dataplane or PFE logs
    +++++++++++++++++

    There are 2 modes of dataplane logs:

    1. Stream Mode
    2. Event Mode


    1.Stream Mode
    ++++++++++++

    Session information generated through security policy is called traffic logs or dataplane logs.

    It will be sent to the syslog server configured under the security log hierarchy.

    It will not go to the Routing Engine (system syslog).

    2. Event Mode:
    ++++++++++++++++

    Session information generated through security policy is called traffic logs or dataplane logs.

    Event mode will push the PFE logs to the Routing Engine, and you can see them on the system syslog server.

    Event mode is known to cause high CPU on the RE. Stream mode is recommended.

    Branch devices by default have event-mode security log settings.

    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    The following KB articles will help with configuring logging correctly:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16502
    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16509
    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16506

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB19490
    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16224


    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
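    An added example, not from any poster in this thread: a small Python script that applies Raveen's rule from reply 5 (host { } goes to a remote server, file { } stays local) and the mode-event caveat from replies 7 and 8 to the configuration Abhishek posted in reply 6. The facility and severity names are the standard Junos ones; the parser, function and variable names are mine.

```python
import re
KINDS = {"file", "host", "user"}  # local file on the RE / remote syslog server / user terminal
FACILITIES = {"any", "authorization", "change-log", "conflict-log", "daemon", "dfc", "external",
              "firewall", "ftp", "interactive-commands", "kernel", "ntp", "pfe", "security", "user"}
SEVERITIES = {"any", "none", "emergency", "alert", "critical", "error", "warning", "notice", "info"}

# Input copied from reply 6 of the thread, flattened exactly as the forum rendered it.
SYSLOG_TEXT = ("user * { any emergency; } host 10.0.0.10 { any any; source-address 10.0.0.1; } file security { security info; } "
               "file policy_session { archive; } file auditlog { authorization notice; change-log any; interactive-commands any; } "
               "file auth { authorization info; } file fw-filter { firewall any; } file ids { any any; match RT_IDS; "
               "archive world-readable; structured-data; } source-address 10.0.0.1;")
SECLOG_TEXT = "mode event; format sd-syslog; source-address 10.0.0.1; stream securitylog { severity info; category all; host { 10.0.0.10; port 514; } }"

def parse_junos(text):
    """Turn Junos curly-brace display text into nested dicts; a leaf statement maps to None."""
    stack, words = [{}], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "}":
            stack.pop()
        elif tok in "{;":                     # statement ends: '{' opens a container, ';' a leaf
            stack[-1][" ".join(words)] = node = {} if tok == "{" else None
            words = []
            if tok == "{":
                stack.append(node)
        else:
            words.append(tok)
    return stack[0]

def destinations(syslog_cfg):
    out = {}
    for key, body in syslog_cfg.items():
        kind, _, name = key.partition(" ")
        if kind in KINDS and name and body is not None:  # skip archive/source-address/match/structured-data
            out[(kind, name)] = [tuple(s.split()) for s in body if len(s.split()) == 2
                                 and s.split()[0] in FACILITIES and s.split()[1] in SEVERITIES]
    return out

def review(syslog_text, seclog_text):
    """Summarise local vs remote destinations and flag the mode-event caveat from replies 7 and 8."""
    dests = destinations(parse_junos(syslog_text))
    mode = next((k.split()[1] for k in parse_junos(seclog_text) if k.startswith("mode ")), None)
    report = {"local_files": sorted(n for k, n in dests if k == "file"),
              "remote_hosts": {n: sel for (k, n), sel in dests.items() if k == "host"},
              "dataplane_mode": mode, "findings": []}
    for host, sel in report["remote_hosts"].items():
        if ("any", "any") in sel:
            report["findings"].append(f"{host} receives every facility at every severity")
            if mode == "event":  # traffic logs reach the RE first and are then re-forwarded
                report["findings"].append(f"mode event plus 'any any' to {host}: consider mode stream")
    return report
```

    Running review(SYSLOG_TEXT, SECLOG_TEXT) lists six local files, one remote host receiving everything, and two findings, which matches what Sam described in reply 7.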



  • 9.  RE: Understanding Syslog

     
    Posted 07-09-2014 08:36

    Hello.

     

    I've found that another aspect of "set system syslog user * any emergency" is that emergency logs are printed to the terminal screen.

     

    You can try changing it to "any any" and there'll be lots of logs printed to both console and SSH sessions, unprompted.

     

    (ESC-Q) to stop the scrolling.

     

    Regards,

    Sam