Can't receive security log in stream mode

‎01-13-2012 08:09 AM

Hi, I've been trying to redirect the security log to my log server, as follows:


xxxx@j2350> show configuration security log
mode stream;
format sd-syslog;
stream mon {
severity warning;
category all;
host {;
port 514;


However, I can't seem to receive it at all; tcpdump on the receiving side shows nothing. In the documentation, it says the log will be sent in the data plane through a "revenue port". What is that? My screen policies are applied to the DMZ zone, which is a separate interface than the interface.


Nonetheless, I did a tcpdump on both interfaces and there's no traffic showing up at all. Please help!


Re: Can't receive security log in stream mode

‎01-17-2012 06:20 PM

Can anyone help?

Accepted by topic author IssueNine
‎08-26-2015 01:27 AM

Re: Can't receive security log in stream mode

‎01-19-2012 06:18 PM

Say, if you have a chassis cluster setup, the fxp0 interface is the management interface, and no data-plane logs can be sent out via this port using stream mode. When you are using stream mode, the logs will be sent out via any non-fxp0 port (revenue port). If the destination is reachable only through the fxp0 port, you cannot have stream mode logging enabled.


If the source-address specified in your config is that of the fxp0 interface, you are sourcing the traffic from fxp0, which is not possible. You can have the data-plane logging sent out through fxp0 only using event mode; again, you should choose an optimal event-rate in this case, so that you don't run out of CPU cycles.




Re: Can't receive security log in stream mode

‎01-19-2012 06:24 PM

Yes, if you are attempting to send out the traffic through fxp0, this will not happen, and tcpdump will not show any traffic.


Looking at the IP information, you are sending it to a directly connected host, so routing should not be an issue.

Could you post the interface configuration?


Re: Can't receive security log in stream mode

‎01-19-2012 08:50 PM

This is a J2350 device that doesn't have an fxp0 and separate data plane; I am assuming that all 4 built-in GE ports are the data plane ports.


In my case:


ge-0/0/0.0 is configured as  that sending to is directly connected through a switch


ge-0/0/3 is the uplink, security screening is applied there. I am assuming that if I source ip is, router should choose ge-0/0/0.0 to send it out, which is exactly what I expect, but that doesn't happen.


Re: Can't receive security log in stream mode

‎01-21-2012 08:44 AM

Could you try changing the severity to 'info' instead of warning?

AFAIK, security logs are of severity 'info' and not 'warning'.
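
Added example, not part of the original thread: a small Python check for the receiving side that parses one `sd-syslog` (RFC 5424) line, decodes the severity from the PRI field, and tests it against a stream threshold such as `severity warning`. The sample line is constructed, and the threshold is assumed to follow standard syslog semantics (the configured level and anything more severe is forwarded).

```python
import re

# RFC 5424 severity names, indexed by numeric code (0 = most severe).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]

# <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID [structured data] MSG
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.S)
# name="value" pairs inside the structured-data element.
SD_PARAM = re.compile(r'([^\s=\]"]+)="((?:\\.|[^"\\])*)"')


def parse_sd_syslog(line):
    """Split one RFC 5424 line into header fields, severity and SD params."""
    m = HEADER.match(line.strip())
    if m is None:
        raise ValueError("not an RFC 5424 (sd-syslog) line")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError("PRI out of range")
    facility, sev = divmod(pri, 8)  # PRI = facility * 8 + severity
    return {
        "facility": facility,
        "severity": SEVERITIES[sev],
        "host": m.group("host"),
        "app": m.group("app"),
        "msgid": m.group("msgid"),
        "params": dict(SD_PARAM.findall(m.group("rest"))),
    }


def passes_threshold(severity, threshold):
    """True if `severity` is at least as severe as `threshold` (assumed semantics)."""
    return SEVERITIES.index(severity) <= SEVERITIES.index(threshold)


# Constructed sample line, not captured from a real device.
SAMPLE = ('<14>1 2012-01-21T08:44:00.000Z j2350-example RT_FLOW - '
          'RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.0 '
          'source-address="192.0.2.10" destination-address="198.51.100.5" '
          'policy-name="example-policy"] session created')

if __name__ == "__main__":
    rec = parse_sd_syslog(SAMPLE)
    for level in ("warning", "info"):
        print(level, "->", passes_threshold(rec["severity"], level))
```

A PRI of 14 decodes to severity `info`, which a `warning` threshold would not forward under the assumed semantics.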