What is the benefit of sending flows from the firewall to STRM as compared to sending only events (security logs through syslog)? I mean, what can we not achieve through event management only, because event management still sends the complete security logs from the firewall to STRM.
To me the only question is what costs me more performance on my SRX devices.
IDP Logs & System Logs will remain standard Syslogs.
In regards to traffic logging we'll have two possibilities:
Flow logging (set to sample rate 1, else you'll miss packets); further, I'm not sure if denied packets will be logged.
Syslog logging (100% sure that permits and denies on policies where "Log on session close" || "Log on session init" is enabled will be forwarded).
Maybe some of the Juniper folks have internal papers in regards to FLOW / SYSLOG and will provide them to you and me (to me, no SE or account team wanted to provide things like these, and we did buy a high-end box ....).
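For reference, here are the two SRX configurations the reply above contrasts, written out as an added example (not from the original thread or from Juniper documentation): per-policy syslog logging streamed to STRM, and J-Flow export with sample rate 1. Zone names, policy names and the addresses 192.0.2.1 (SRX) and 192.0.2.10 (STRM) are assumed placeholders, the exact J-Flow statement hierarchy varies between Junos releases, and the # lines are annotations rather than CLI commands.

```junos
# --- Option 1: policy-based syslog logging, streamed directly to STRM ---
# Stream mode sends RT_FLOW session events from the data plane to the collector
set security log mode stream
set security log format syslog
set security log source-address 192.0.2.1
set security log stream STRM host 192.0.2.10

# A permit policy: log both session setup and teardown (teardown carries byte/packet counts)
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security policies from-zone trust to-zone untrust policy allow-web then permit
set security policies from-zone trust to-zone untrust policy allow-web then log session-init
set security policies from-zone trust to-zone untrust policy allow-web then log session-close

# A deny policy: only session-init applies, since no session is ever created to close
set security policies from-zone trust to-zone untrust policy deny-rest match source-address any
set security policies from-zone trust to-zone untrust policy deny-rest match destination-address any
set security policies from-zone trust to-zone untrust policy deny-rest match application any
set security policies from-zone trust to-zone untrust policy deny-rest then deny
set security policies from-zone trust to-zone untrust policy deny-rest then log session-init

# --- Option 2: J-Flow (NetFlow v5) export to STRM's flow collector ---
# Sampling is enabled per interface; rate 1 exports every packet, as the reply recommends
set interfaces ge-0/0/0 unit 0 family inet sampling input
set interfaces ge-0/0/0 unit 0 family inet sampling output
set forwarding-options sampling input rate 1
set forwarding-options sampling family inet output flow-server 192.0.2.10 port 2055 version 5
set forwarding-options sampling family inet output flow-server 192.0.2.10 source-address 192.0.2.1
```

Flow records are built from what the sampled interface sees, independent of the policy decision, so the two feeds answer different questions: the syslog stream tells STRM which policy allowed or denied a session, while the flow feed gives per-conversation packet and byte counts for Network Activity.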
The purpose of flow data is to provide administrators visibility on how systems are communicating on the network. Flows provide detailed information about network activity and allow STRM to build a passive database on assets, ports, protocols, direction, applications, number of packets, bytes transferred, and even an index of the source and destination payload. This is the information STRM/JSA displays on the Network Activity tab.
Event data can be thought of as data that STRM/JSA can collect from outside devices. This can be event data streamed to STRM/JSA by firewalls, intrusion systems, antivirus systems, operating systems, email servers, authentication systems, databases, or any appliance or software that creates a notification. STRM/JSA supports event data from over 350 different log sources. STRM/JSA uses device support modules (DSMs) to understand and categorize events from log sources. Log sources that generate identity contribute to building asset profiles in STRM/JSA.
Please note, when I am talking about flows, it is not a notification, whereas an event is a notification that is generated by devices or applications, as it is by default (in some cases we may do it manually). That's why DSMs are necessary to parse the detail. For flow, it is the same for a network irrespective of what the device is between a source and destination.
Please understand that an event gives you only logs which are defined, whereas flow will give you the end-to-end communication between source and destination in real time (a.s.a.p.). Flow is the end-to-end communication that is happening, whereas an event is defined and parsing is necessary (in most cases).
Hope this clears your query. If anything comes please let me know.