SRX

Now I've deployed SRX with log session close for all policy .I cannot logging on local because logging  is larger than RE can handle  when I logging to local CPU high 99 percent  .Now I send dataplane log to syslog server and syslog server very slow .I want to know how can I determine eps of logging dataplane  

thank you

Hi sean

Using syslog in event mode causes high CPU as it is processed by RE.

You could configure SRX to send syslog messages in stream mode to reduce CPU utilization.

Refer:

http://kb.juniper.net/InfoCenter/index?cmid=no&page=content&id=KB16753

Regards,

Raveen

I'm interested in this question as well. 

When syslog is being sent out the dataplane, there is only one way that i know of to validate...

outbound firewall filter with count on the interface...  assuming 1 event per packet, it should be possible to determine an average eps.

Hoping others may have an alternate way?  anything from the shell?

Thanks,

Sam

HI.

Here is what I had done before to validate if the SRX was sending syslogs out the dataplane...

Hope this helps.

set firewall filter syslog term 1 from source-address 10.x.x.x/32
set firewall filter syslog term 1 from destination-address 10.y.y.y/32
set firewall filter syslog term 1 then accept
set firewall filter syslog term 1 then count count_syslog
set firewall filter syslog term LAST then accept

set interfaces reth1.0 family inet filter output syslog



SRX> show firewall filter syslog

Filter: syslog
Counters:
Name                                                Bytes              Packets
count_syslog                                     31734286                39900

Regards,

Sam

clear counter  and show within 1 sec ?

yeah.  something like that.

or "show firewall filter syslog | match count_syslog | refresh 10"

This should give you a running count every 10 seconds... can copy/paste into excel and graph...

Regards,

Sam

very useful