Screen OS


[SSG-140] Redirecting the logs to an external drive?

  • 1.  [SSG-140] Redirecting the logs to an external drive?

    Posted 03-15-2012 07:14

    Hi!

    I'm quite new with our Juniper SSG-140 firewall.

    I've made it so far that all services are working. Basically we just want to use it to see which webpages are called up and find out if any inappropriate stuff is going on by logging all web activities. Just standard rules any-2-any, no restrictions.

    If I open up the front end of the SSG I can see that logging is enabled already, 'cause I see the logs running under Reports / Policies / View Details with about 3600 entries. But that's it. I only see the +/- 3600 entries, not one more.

    I guess
    a) there's a logging size restriction set to 3600 or
    b) there's not much more space to log more.

    How can I increase these settings and is it possible to redirect the logging maybe to some external USB-HDD (1TB) drive connected to the SSG front? Or maybe a syslog server?


    Any help appreciated!
    DWMIT



  • 2.  RE: [SSG-140] Redirecting the logs to an external drive?

    Posted 03-15-2012 12:10

    A FAT formatted USB hard drive that is under 2 GB in size can be used with the SSG for logging.


    You will want to run 'set log usb enable' from the CLI to actually use the drive.


    You can also send the logs to a syslog server under Configuration > Report Settings > Syslog on your SSG device.



  • 3.  RE: [SSG-140] Redirecting the logs to an external drive?

    Posted 03-15-2012 14:49

    I have the details of using local USB logging posted to the configuration library section.  Essentially, the device automatically manages your log sizes to use the available storage without running you out of space on the internal storage.  So adding the 2 gig USB drive gives you lots more room for these text logs.


    http://forums.juniper.net/t5/Configuration-Library/ScreenOS-Configure-Logging-to-USB-Device/m-p/64641/highlight/true#M164


    Naturally, a syslog setup is a more permanent solution for collection and management if you have the resources for it.



  • 4.  RE: [SSG-140] Redirecting the logs to an external drive?

    Posted 03-16-2012 00:21

    Thanks for your help!
    Is there any recommendation for a syslog server software (for Windows) that works best with this? Or just any good?
    Is there a Juniper syslog setup guide here? Or where to search?


    My best regards,

    DWMIT



  • 5.  RE: [SSG-140] Redirecting the logs to an external drive?
    Best Answer

    Posted 03-16-2012 08:38

    Kiwi Syslog is pretty good; Splunk can be set up to listen on UDP port 514 to take in syslog information.


    Syslog setup is pretty simple:


    Configuration > Report Settings > Syslog

    Check 'Enable syslog messages'

    It is normally a good idea to choose a source interface that is on the same subnet as your syslog server.

    Check 'Enable' and enter the IP address of your syslog server, the port (514), and the facilities (LOCAL0 is fine), and then choose the type of item you want to track:


    • Event log - event log entries
    • Traffic log - traffic log entries
    • TCP - syslog over TCP


    Setting a source address is good when you are using a syslog server setup that segregates logs by host. For example, we use a FreeBSD syslog server that places logs from each device in a directory, with each host having a log name like host1.log, host2.log, host3.log, etc.


    I set 'Source interface' to my Trust interface on the SSG because I want the logs to come from the same source IP that my syslog server is expecting to see them from (i.e. IP 192.168.1.1 is 'host3' so the log will be 'host3.log' on my syslog server).


    Syslog is pretty straightforward, so any syslog server will work fine; one that automatically rotates the logs for you after a certain size or at a set interval is nice as well.



  • 6.  RE: [SSG-140] Redirecting the logs to an external drive?

    Posted 03-19-2012 03:40

    Hi NateK!

    Thanks for that quick and excellent answer.
    Well, I took Kiwi now and had set the parameters like:

    Firewall: 192.168.0.221, trust on eth 0/0
    Kiwi running @ 192.168.0.8, UDP port 514


    I have set the Firewall like:


    checked "Enable syslog messages"
    checked "Enable syslog backup"
    Source interface: ethernet0/0
    No. 1
    checked "Enable"
    IP/Hostname: 192.168.0.8
    port: 514
    Security Facility: LOCAL0
    Facility: LOCAL0
    checked: all logs.


    I've set the Kiwi-Server on 192.168.0.8 like:
    ...
    Checked "Listen to UDP syslog messages"
    port: 514
    Bind to address: [none]
    Data encoding: System

    Windows Firewall: off


    Unfortunately no events are visible on the Kiwi Syslog display. Maybe I'm making a stupid mistake. Any idea what could be wrong?


    The Juniper says: "Syslog cannot connect to the TCP server 192.168.0.8; the connection is closed." Why?
    But I enabled UDP and TCP logging on the Kiwi, bonded with the FW (192.168.0.221).
    Any ALG settings to choose? (By default all ALG are NOT checked, right?)
    The web-syslog is reachable all over the network: http://192.168.0.8:8088

    Greetz!
    DWMIT



  • 7.  RE: [SSG-140] Redirecting the logs to an external drive?

    Posted 03-19-2012 12:11

    You shouldn't need any ALG or helper settings for a policy rule.


    Is Kiwi set up to listen for TCP syslog messages? You may want to try straight UDP on the firewall and in Kiwi.


    You can also run a test from Kiwi to make sure that it is in fact receiving syslog traffic.



  • 8.  RE: [SSG-140] Redirecting the logs to an external drive?

    Posted 03-20-2012 03:25

    Hi Natek!

    Now, as I switched off TCP logging in the firewall, it works straight.

    I don't know if TCP logging is needed, but I now see all I want to see on the Kiwi.
    Thanks for your help and suggestions!

    DWMIT



  • 9.  RE: [SSG-140] Redirecting the logs to an external drive?

    Posted 03-20-2012 08:26

    I think that normally people use syslog over TCP to 'hedge their bets' as far as syslog traffic reaching the syslog server.


    In my experience syslog over TCP tends to complicate things, and one could also set up 2 x syslog servers using UDP if one was concerned about the reliability of syslog via UDP.


    Glad you got things setup and sorted out.
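    As an added illustration of the two points discussed above (the per-host log layout from the "host3.log" FreeBSD setup in reply 5, and plain UDP syslog as the simpler, more predictable transport from reply 9), here is a small Python UDP syslog receiver. It is not code from the thread, from Kiwi, or from Juniper: it decodes the RFC 3164 `<PRI>` header (LOCAL0 is facility 16, so `<134>` is local0.info), appends each datagram to a file named after the sending host, and includes a one-shot test sender that does what Kiwi's built-in test does. The host-to-name map, the `syslog/` directory, and the sample datagrams are constructed for the example; the sample lines are shaped like syslog records but are not verbatim ScreenOS output.

```python
import socket
import socketserver
from pathlib import Path

# RFC 3164 facility codes; LOCAL0, the facility recommended in this thread, is 16.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed host map mirroring the thread's convention (192.168.1.1 -> host3.log).
HOST_NAMES = {"192.168.1.1": "host3", "192.168.0.221": "ssg140"}


def parse_pri(datagram: bytes):
    """Decode the <PRI> header of a BSD syslog datagram.

    Returns (facility, severity, body). A datagram with no valid <PRI>
    header is kept rather than dropped, labelled 'unknown'.
    """
    text = datagram.decode("utf-8", errors="replace")
    if text.startswith("<"):
        end = text.find(">", 1, 5)          # PRI is at most three digits
        if end != -1 and text[1:end].isdigit():
            pri = int(text[1:end])
            if pri <= 191:                  # 23 facilities * 8 severities - 1
                facility = FACILITIES.get(pri // 8, f"facility{pri // 8}")
                return facility, SEVERITIES[pri % 8], text[end + 1:].strip()
    return "unknown", "unknown", text.strip()


def build_pri(facility_code: int, severity_code: int) -> int:
    """Combine facility and severity into a PRI value (local0.info -> 134)."""
    return facility_code * 8 + severity_code


def log_name_for(src_ip: str) -> str:
    """Per-host log file name: the mapped name if known, otherwise the IP."""
    return HOST_NAMES.get(src_ip, src_ip.replace(".", "_")) + ".log"


def route_datagrams(datagrams):
    """Group (src_ip, datagram) pairs into {log file name: [formatted lines]}.

    This is the in-memory core of the per-host layout described in the thread;
    the UDP handler below appends the same lines to files on disk.
    """
    routed = {}
    for src_ip, raw in datagrams:
        facility, severity, body = parse_pri(raw)
        routed.setdefault(log_name_for(src_ip), []).append(f"{facility}.{severity} {body}")
    return routed


class PerHostSyslogHandler(socketserver.BaseRequestHandler):
    """Append each UDP syslog datagram to <log_dir>/<host>.log."""

    def handle(self):
        raw, _sock = self.request
        src_ip = self.client_address[0]     # the firewall's source interface address
        for name, lines in route_datagrams([(src_ip, raw)]).items():
            with (self.server.log_dir / name).open("a", encoding="utf-8") as fh:
                fh.write("\n".join(lines) + "\n")


def serve(bind_addr="0.0.0.0", port=514, log_dir=Path("syslog")):
    """Listen for UDP syslog (port 514 is privileged on most systems)."""
    log_dir.mkdir(parents=True, exist_ok=True)
    server = socketserver.UDPServer((bind_addr, port), PerHostSyslogHandler)
    server.log_dir = log_dir
    server.serve_forever()


def send_test_message(server_ip, port=514, text="syslog reachability test"):
    """Send one local0.info test datagram, the equivalent of Kiwi's built-in test."""
    payload = f"<{build_pri(16, 6)}>{text}".encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (server_ip, port))
    return payload


# Constructed sample datagrams; the shape is illustrative, not a verbatim ScreenOS record.
SAMPLE_DATAGRAMS = [
    ("192.168.0.221", b"<134>Mar 19 03:40:11 ssg140: constructed traffic log line"),
    ("192.168.1.1", b"<133>Mar 19 03:40:12 host3: constructed event log line"),
    ("10.0.0.9", b"datagram without a PRI header"),
]

if __name__ == "__main__":
    for name, lines in route_datagrams(SAMPLE_DATAGRAMS).items():
        print(name, lines)
```

    Run `serve()` on the collector and `send_test_message("<collector ip>")` from another host to confirm the UDP path end to end before pointing the firewall at it; a message with a malformed header still lands in the sender's file as `unknown.unknown`, so nothing is silently discarded.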



  • 10.  RE: [SSG-140] Redirecting the logs to an external drive?

    Posted 12-18-2012 21:47

    Hi,


    Please guide me how to redirect the log (/var/log) to a USB drive automatically on the Junos platform. Is it possible to redirect the log to a USB drive in Junos, SRX and EX series?


    Thanks in advance for any kinds of your help.



  • 11.  RE: [SSG-140] Redirecting the logs to an external drive?

    Posted 12-19-2012 10:39

    I know that you can do this on SSG or Netscreen firewalls but I can't find anything in our site notes, Juniper KB, etc other than using USB for software upgrades or copying files to USB on an ad hoc basis.


    I could be wrong but I think your only options with Junos are local files or syslog.



  • 12.  RE: [SSG-140] Redirecting the logs to an external drive?

    Posted 12-22-2012 05:21

    Unfortunately, you cannot redirect the log location in Junos.  The best you can do is copy them off the device to USB.  See KB16240.


    Copy logs to usb

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16240


    Logging setup on SRX

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16634