SRX Services Gateway
Contributor
paulkil
Posts: 127
Registered: ‎11-05-2010

syslog logging on SRX650 and SRX240

Hi Guys,

How can I log all attempts/attacks to my untrust zone/interface on the SRX650 and SRX240 platforms?

Thanks,

Paul

Trusted Contributor
bwoodberg
Posts: 24
Registered: ‎11-16-2010

Re: syslog logging on SRX650 and SRX240

Hi Paul,

When you say attacks, what specifically do you mean?  Are you just talking about inbound access violations and/or screens?

The easiest way is to set up logging per policy:

set security policies from-zone untrust to-zone <trust> policy <policy> then log session-close

(I prefer session-close over session-init because it includes more information from the end of the session.)

Then you just need to make sure that you have logging enabled (in this case to an external syslog server; it can be local as well, but external is recommended):

set security log mode stream
set security log stream <arbitrary stream name> host <ip address of syslog server> format sd-syslog port <port>
set security log source-address <SRX source address>

Also, if you have any screens enabled, they will automatically get logged as well.  Basically you just need to set up the logging, then enable it on a per-firewall-rule basis.

Super Contributor
AdamLin
Posts: 167
Registered: ‎08-02-2010

Re: syslog logging on SRX650 and SRX240

An addition to policy logging: if you want to log deny policies, you should log session-init instead of session-close.
Regards,
Adam

(if my post helped solve your problem, mark it as accepted solution)
Trusted Contributor
Frac
Posts: 61
Registered: ‎11-15-2007

Re: syslog logging on SRX650 and SRX240

Hi,

If you want to do it for only screen attacks you can do the following:

set system syslog file screen any any
set system syslog file screen match RT_IDS

I don't think you can use the match expression on the security logs.

Grtz,

Frac

http://juniper-frac.blogspot.com
Trusted Contributor
bwoodberg
Posts: 24
Registered: ‎11-16-2010

Re: syslog logging on SRX650 and SRX240

Note that for Frac's solution you would have to log it to the control plane.  Today we don't really support dataplane log filtering (at least not for anything but UTM at the moment).

To log to the control plane you would use mode event rather than mode stream, e.g.:

set security log mode event

You can also rate limit the logs going to the control plane:

set security log mode event event-rate 500
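
Taken together, the replies above give Paul the producing side: a deny policy from untrust that logs session-init (a denied session never closes, so session-close would log nothing), screens on the untrust zone, and stream-mode logging in sd-syslog format to an external collector. What the thread does not show is what those records look like once they arrive, or how to pick out the two things Paul asked about (repeated connection attempts and port-scan-like behaviour). The following Python is an added example, not code from this thread or from Juniper: it parses RFC 5424 structured-syslog lines as "format sd-syslog" emits them, separates RT_IDS (screen) events from RT_FLOW session events, and flags any source that was denied on several distinct destination ports from the untrust zone. The sample lines are constructed for the example; the SD-ID "junos@2636.1.1.1.2.36" and the field names are assumptions that vary by Junos release, which is why the parser keys on the header layout and the key="value" syntax rather than on a fixed field list.

```python
"""Parse SRX sd-syslog records and flag scan-like denies and screen hits.

Added example for this thread, not Juniper code. Sample log lines are
constructed; SD-ID and field names are assumptions approximating what an
SRX emits with "format sd-syslog".
"""
import re
from collections import defaultdict

# RFC 5424 header as produced by "format sd-syslog":
# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ID key="value" ...]
HEADER_RE = re.compile(
    r'^<\d+>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) '
)
SD_RE = re.compile(r'\[(?P<sd_id>\S+) (?P<params>[^\]]*)\]')
PARAM_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_sd_syslog(line):
    """Parse one sd-syslog line into a flat dict; return None if it is not one."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    sd = SD_RE.search(line, m.end())
    if sd is None:
        return None
    rec = m.groupdict()
    rec["sd_id"] = sd.group("sd_id")
    rec.update(dict(PARAM_RE.findall(sd.group("params"))))
    return rec


def summarize_untrust(lines, zone="untrust", scan_ports=5):
    """Aggregate denied inbound sessions per source and collect screen hits.

    Returns (denied, scanners, screens):
      denied   maps source-address -> sorted distinct destination ports denied
      scanners lists sources denied on at least scan_ports distinct ports
      screens  lists (attack-name, source-address) for RT_IDS events
    """
    denied = defaultdict(set)
    screens = []
    for line in lines:
        rec = parse_sd_syslog(line)
        if rec is None:
            continue
        if rec["app"] == "RT_IDS":
            # Screen events: the same records "match RT_IDS" selects in event mode.
            screens.append((rec.get("attack-name"), rec.get("source-address")))
        elif rec["msgid"] == "RT_FLOW_SESSION_DENY" and rec.get("source-zone-name") == zone:
            # Deny policies produce SESSION_DENY via "log session-init"; there is no close.
            denied[rec["source-address"]].add(int(rec["destination-port"]))
    denied = {src: sorted(ports) for src, ports in denied.items()}
    scanners = sorted(src for src, ports in denied.items() if len(ports) >= scan_ports)
    return denied, scanners, screens


SD_ID = "junos@2636.1.1.1.2.36"  # assumed SD-ID (Juniper enterprise number 2636)


def _deny(sec, src, sport, dport):
    """Build a constructed RT_FLOW_SESSION_DENY line; field names are approximate."""
    return (f'<14>1 2013-05-01T10:00:{sec:02d}.000Z srx240 RT_FLOW - RT_FLOW_SESSION_DENY '
            f'[{SD_ID} source-address="{src}" source-port="{sport}" destination-address="203.0.113.2" '
            f'destination-port="{dport}" protocol-id="6" policy-name="deny-untrust-in" '
            f'source-zone-name="untrust" destination-zone-name="trust" packet-incoming-interface="ge-0/0/0.0"]')


SAMPLE_LINES = [
    # Constructed: one source denied on five distinct ports (scan-like).
    _deny(1, "198.51.100.7", 40001, 21),
    _deny(2, "198.51.100.7", 40002, 22),
    _deny(3, "198.51.100.7", 40003, 23),
    _deny(4, "198.51.100.7", 40004, 80),
    _deny(5, "198.51.100.7", 40005, 443),
    # Constructed: a single denied SSH attempt from another source (not a scan).
    _deny(6, "198.51.100.9", 50001, 22),
    # Constructed RT_SCREEN_TCP line (APP-NAME RT_IDS), as a TCP port-scan screen would emit.
    f'<14>1 2013-05-01T10:00:07.000Z srx240 RT_IDS - RT_SCREEN_TCP [{SD_ID} attack-name="TCP port scan!" '
    f'source-address="198.51.100.7" source-port="40009" destination-address="203.0.113.2" '
    f'destination-port="25" source-zone-name="untrust" interface-name="ge-0/0/0.0" action="drop"]',
    # A traditional (non-structured) syslog line is skipped by the parser.
    "May  1 10:00:08 srx240 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: ...",
]

if __name__ == "__main__":
    denied, scanners, screens = summarize_untrust(SAMPLE_LINES)
    for src in scanners:
        print(f"{src}: denied on {len(denied[src])} distinct ports {denied[src]}")
    for name, src in screens:
        print(f"screen {name!r} fired for {src}")
```

The threshold of five distinct ports is arbitrary and should be tuned against real traffic; on an internet-facing interface a low threshold will fire constantly. Note also that sd-syslog values can contain "]" in free-text fields on some releases, which this simple SD_RE would truncate; a production collector such as STRM handles that case properly.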

Contributor
paulkil
Posts: 127
Registered: ‎11-05-2010

Re: syslog logging on SRX650 and SRX240

Hi guys,

Thanks for all your replies.

My untrust interface has a public IP address and is internet facing, so I just want to log all attempts to log in and any kind of port scans to this zone/interface.

Thanks again,

Paul

Contributor
paulkil
Posts: 127
Registered: ‎11-05-2010

Re: syslog logging on SRX650 and SRX240

Hi again,

do any of your above replies answer my requirements?

Many thanks,

Paul

Trusted Contributor
ttl_expired
Posts: 438
Registered: ‎11-11-2008

Re: syslog logging on SRX650 and SRX240

From what I read in the post above does this mean that I cannot send my IDP logs to STRM since they have to go to the control plane?  I currently have my SRX in stream mode sending all logs to STRM.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.