Junos Space Developer

Junos Security Log Director - not parsing log 'RT_IDS: RT_SCREEN_UDP'

02-12-2018 11:15 AM

Hi,


I've recently deployed an SD distributed log collector solution (v17). The log receiver is getting all logs from the SRX devices, and I can see the logs on Junos Space, but when I look for the same logs inside Security Director > Monitor > All Events, I'm missing these types of logs:

RT_IDS: RT_SCREEN_UDP: UDP flood! source: 10.10.10.64:9001, destination: 10.10.0.57:9002, zone name: FW_CON, interface name: reth0.106, action: alarm-without-drop


To be fair, it's the only log that is not in the UI; I can see all the rest, and I can't generate any other log for testing, since the devices are in a production environment.


Any light on the matter? Is it SD's normal behavior not to parse this kind of log?


Thanks in advance

1 REPLY
Junos Space Developer
Solution (accepted by topic author Narkissus)

Re: Junos Security Log Director - not parsing log 'RT_IDS: RT_SCREEN_UDP'

02-13-2018 08:42 AM

JTAC made me notice I was using the wrong format under the stream configuration.


root@dev> show configuration security log
mode stream;
format sd-syslog;
source-address #myIp;
stream streamlog {
    severity info;
    format sd-syslog;    >>>>>> previously syslog, changed to sd-syslog
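An added example, not part of the thread and not Juniper's or Security Director's code, that turns the accepted answer into a repeatable check: it scans the text of `show configuration security log` for `stream` stanzas whose `format` is not `sd-syslog` (the mismatch found above), and it splits an RT_IDS: RT_SCREEN_* message like the one in the question into fields so the event can be verified on the collector independently of the SD UI. The sample configuration and the log line are constructed for this example; the host address, stream names and the parsing helpers are assumptions.

```python
"""Added example (not from the original thread): a config check for the
stream `format` and a field parser for RT_IDS: RT_SCREEN_* messages."""
import re

# Constructed sample: one stream still uses the plain `syslog` format,
# which Security Director's event view does not parse; one is correct.
SAMPLE_CONFIG = """\
mode stream;
format sd-syslog;
source-address 192.0.2.10;
stream streamlog {
    severity info;
    format syslog;
    host {
        192.0.2.20;
    }
}
stream other {
    severity info;
    format sd-syslog;
}
"""

# Constructed sample, same shape as the message quoted in the question.
SAMPLE_LOG = ("RT_IDS: RT_SCREEN_UDP: UDP flood! source: 10.10.10.64:9001, "
              "destination: 10.10.0.57:9002, zone name: FW_CON, "
              "interface name: reth0.106, action: alarm-without-drop")

_STREAM_RE = re.compile(r"stream\s+(\S+)\s*\{")


def stream_formats(config_text):
    """Return {stream_name: format} for every `stream <name> { ... }` stanza.
    Braces are walked so nested blocks such as `host { ... }` do not end the
    stanza early. A stream without an explicit `format` line reports None."""
    result = {}
    pos = 0
    while True:
        m = _STREAM_RE.search(config_text, pos)
        if not m:
            return result
        depth, i = 1, m.end()
        body_start = i
        while i < len(config_text) and depth:
            if config_text[i] == "{":
                depth += 1
            elif config_text[i] == "}":
                depth -= 1
            i += 1
        body = config_text[body_start:i]
        fm = re.search(r"^\s*format\s+(\S+);", body, re.M)
        result[m.group(1)] = fm.group(1) if fm else None
        pos = i


def check_stream_formats(config_text, required="sd-syslog"):
    """Names of streams whose format is not `required` (a missing format
    line counts as a mismatch too), sorted for stable reporting."""
    return sorted(name for name, fmt in stream_formats(config_text).items()
                  if fmt != required)


_FIELD_RE = re.compile(
    r"(source|destination|zone name|interface name|action):\s*([^,]+)")


def parse_rt_screen(line):
    """Parse `RT_IDS: RT_SCREEN_<proto>: <attack>! k: v, k: v, ...` into a
    dict; source/destination are additionally split into ip and port."""
    m = re.match(r"RT_IDS:\s*(RT_SCREEN_\w+):\s*([^!]+)!\s*(.*)$", line)
    if not m:
        return None
    event = {"tag": m.group(1), "attack": m.group(2).strip()}
    for key, val in _FIELD_RE.findall(m.group(3)):
        event[key.replace(" ", "_")] = val.strip()
    for k in ("source", "destination"):
        if k in event and ":" in event[k]:
            ip, port = event[k].rsplit(":", 1)
            event[k + "_ip"], event[k + "_port"] = ip, int(port)
    return event


if __name__ == "__main__":
    for name in check_stream_formats(SAMPLE_CONFIG):
        print(f"stream {name}: format is not sd-syslog")
    print(parse_rt_screen(SAMPLE_LOG))
```

Feed `check_stream_formats` the captured output of `show configuration security log` from each SRX; any stream it lists is one whose events will arrive at the collector but not show up in Security Director's All Events view, which is exactly the symptom the question describes.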