07-12-2011 07:00 AM
When you say attacks, what specifically do you mean? Are you just talking about inbound access violations and/or screens?
The easiest way is to set up logging per policy:
set security policies from-zone untrust to-zone <trust> policy <policy> then log session-close
(I prefer session-close over session-init because it includes more information from the end of the session.)
Then you just need to make sure that you have logging enabled (in this case to an external syslog server; it can be local as well, but external is recommended):
set security log mode stream
set security log stream <arbitrary stream name> host <ip address of syslog server> format sd-syslog port <port>
set security log source-address <SRX source address>
Also, if you have any screens enabled, they will automatically get logged as well. Basically you just need to set up the logging, then enable it on a per-firewall-rule basis.
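For readers who follow the steps above and then want to do something with what the SRX sends to the syslog server, here is an added example (not from the original thread or from Juniper) that parses the RFC 5424 structured-data lines produced by `format sd-syslog` and pulls out the fields that make session-close richer than session-init (reason, packet and byte counts, elapsed time). It goes a little beyond the post: it also looks at RT_FLOW_SESSION_DENY records so that a source hitting many distinct ports without ever getting a reply can be flagged, which is the port-scan case raised later in the thread. The log lines are constructed for the example, the field names are those of the RT_FLOW_SESSION_CLOSE/DENY structured-data layout as I know it, and the `min_ports` threshold is an arbitrary illustrative value.

```python
"""Parse SRX sd-syslog RT_FLOW records and flag unanswered port sweeps.

Added example, not code from the thread or from Juniper. The SAMPLE_LINES
below are constructed; field names follow the RT_FLOW_SESSION_CLOSE and
RT_FLOW_SESSION_DENY structured-data elements (source-address,
destination-port, reason, packets-from-server, ...). The scan threshold
(min_ports) is an arbitrary illustrative value, not a Juniper setting.
"""
import re
from collections import defaultdict

# RFC 5424 header: <PRI>1 TIMESTAMP HOST APP PROCID MSGID [SD-ID param="value" ...]
HEADER_RE = re.compile(
    r'^<(?P<pri>\d+)>1\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<app>\S+)\s+'
    r'(?P<proc>\S+)\s+(?P<msgid>\S+)\s+\[(?P<sdid>\S+)\s(?P<params>[^\]]*)\]'
)
PARAM_RE = re.compile(r'([\w.-]+)="([^"]*)"')


def parse_sd_syslog(line):
    """Return a dict of header fields plus every key="value" param, or None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "host", "app", "msgid", "sdid")}
    rec.update(PARAM_RE.findall(m.group("params")))  # list of (key, value) pairs
    return rec


def session_summaries(lines):
    """Keep only SESSION_CLOSE records and extract the fields session-init lacks."""
    out = []
    for line in lines:
        rec = parse_sd_syslog(line)
        if rec is None or rec["msgid"] != "RT_FLOW_SESSION_CLOSE":
            continue  # SESSION_CREATE has no reason/counters; DENY is handled below
        out.append({
            "src": rec["source-address"],
            "dst": rec["destination-address"],
            "dport": int(rec["destination-port"]),
            "policy": rec["policy-name"],
            "reason": rec["reason"],
            "pkts_c2s": int(rec["packets-from-client"]),
            "pkts_s2c": int(rec["packets-from-server"]),
            "elapsed": int(rec["elapsed-time"]),
        })
    return out


def probable_scanners(lines, min_ports=5):
    """Sources that touched >= min_ports distinct destination ports without
    ever receiving a server packet: denied sessions plus closed sessions
    whose packets-from-server is 0 (an unanswered SYN that idled out)."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_sd_syslog(line)
        if rec is None:
            continue
        unanswered = rec["msgid"] == "RT_FLOW_SESSION_DENY" or (
            rec["msgid"] == "RT_FLOW_SESSION_CLOSE"
            and rec.get("packets-from-server") == "0"
        )
        if unanswered:
            ports[rec["source-address"]].add(int(rec["destination-port"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


# --- constructed sample input (not captured from a real SRX) -----------------
def _close(src, dport, pkts_s2c, reason):
    return (
        '<14>1 2011-07-12T07:00:00.000Z srx RT_FLOW - RT_FLOW_SESSION_CLOSE '
        f'[junos@2636.1.1.1.2.36 reason="{reason}" source-address="{src}" '
        f'source-port="40001" destination-address="203.0.113.10" '
        f'destination-port="{dport}" service-name="None" protocol-id="6" '
        'policy-name="untrust-to-trust" source-zone-name="untrust" '
        'destination-zone-name="trust" session-id-32="1" packets-from-client="3" '
        f'bytes-from-client="180" packets-from-server="{pkts_s2c}" '
        f'bytes-from-server="{pkts_s2c * 100}" elapsed-time="30"]'
    )


SAMPLE_LINES = [
    _close("192.0.2.5", 22, 7, "TCP FIN"),            # a real SSH session
    *[_close("198.51.100.7", p, 0, "idle Timeout")     # unanswered probes
      for p in (21, 22, 23, 25, 80)],
    '<14>1 2011-07-12T07:00:05.000Z srx RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@2636.1.1.1.2.36 source-address="198.51.100.7" source-port="40002" '
    'destination-address="203.0.113.10" destination-port="3389" '
    'service-name="None" protocol-id="6" policy-name="default-deny" '
    'source-zone-name="untrust" destination-zone-name="trust"]',
    '<14>1 2011-07-12T07:00:06.000Z srx RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.36 source-address="192.0.2.5" source-port="40003" '
    'destination-address="203.0.113.10" destination-port="443" '
    'service-name="junos-https" protocol-id="6" policy-name="untrust-to-trust" '
    'source-zone-name="untrust" destination-zone-name="trust"]',
]

if __name__ == "__main__":
    for s in session_summaries(SAMPLE_LINES):
        print(s)
    print("scanners:", probable_scanners(SAMPLE_LINES))
```

The deny records only exist if the deny policy itself has `then log session-init` (there is no close for a session that was never created), so on a real box the two halves of `probable_scanners` correspond to two different policy log settings.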
07-12-2011 07:08 AM
07-12-2011 07:10 AM
If you want to do it for only screen attacks, you can do the following:
set system syslog file screen any any
set system syslog file screen match RT_IDS
I don't think you can use the match expression on the security logs.
07-12-2011 07:12 AM
Note that for Frac's solution you would have to log it to the control plane. Today we don't really support dataplane log filtering (at least not for anything but UTM at the moment).
To log to the control plane you would use mode event rather than mode stream:
set security log mode event
You can also rate limit the logs going to the control plane.
set security log mode event event-rate 500
07-12-2011 07:40 AM
Thanks for all your replies.
My untrust interface has a public IP address and is internet facing, so I just want to log all attempts to log in and any kind of port scans to this zone/interface.
07-12-2011 10:09 AM
From what I read in the post above does this mean that I cannot send my IDP logs to STRM since they have to go to the control plane? I currently have my SRX in stream mode sending all logs to STRM.