FLOW vs EVENT Management

12.25.13   |  
‎12-25-2013 12:30 AM

Hello Expert


What is the benefit of sending flows from firewal to STRM as compared to sending only events (security logs through syslog)? I mean what we cannot achieve through only event manamgent becuase even management still sending the complete security logs from firewall to STRM.




Re: FLOW vs EVENT Management

01.18.14   |  
‎01-18-2014 10:49 AM

Hi aeroplane,

to me the only questions is what does cost me more performance on my SRX devices.


  • IDP Logs & System Logs will remain standard Syslogs.


In regards to Traffic logging we'll have two possibilities:

  • Flow Logging (set to sample rate 1, else you'll miss packets), further I'm not sure if denied packets will be logged
  • Syslog Logging (100% sure that permits an denys on policys where "Log on session close" || "Log on session init" is enabled will be forwarded.

 Maybe some of the juniper folks do have internal papers in regards to FLOW / SYSLOG and will provide it to you and me Smiley Very Happy (to me, no SE or Account team did want to provide things like these and we did buy a highend box ....).


Best Regards



Re: FLOW vs EVENT Management

05.08.15   |  
‎05-08-2015 08:19 PM

The purpose of flow data is to provide administrators visibility on how systems are communicating on the network. Flows provide detailed information about network activity and allow STRM to build a passive database on assets, ports, protocols, direction, applications, number of packets, bytes transferred, and even an index of the source and destination payload. This is the information STRM/JSA displays on the Network Activity tab.


Event data can be thought of as data that STRM/JSA can collect from outside devices. This can be event streamed to STRM/JSA by firewalls, intrusion systems, antivirus systems, operating systems, email servers, authentication systems, databases, or any appliance or software that creates a notification. STRM/JSA supports event data from over 350 different log sources. STRM/JSA uses device support modules (DSMs) to understand and categorize events from log sources. Log sources that generate identity contribute the building asset profiles in STRM/JSA.  


Please note if i am talking about flows its not notification whether event is notification that is generated by devices or applications as its been be default( in some cases may be manually we can).  Thats why DSM's are necessary to parse the detail. For flow its for a network same iresspective of  between a source destination what may be the device is. 


Please understood event is giving you only logs which are defined , where flow will give you end to end communication between source and destination in realtime(a.s.a.p) . Flow is end to end communication what is happening , whereas event is defined and parsing is necessary (in most cases).


Hope this clears your query. If anything comes please let me know.


Smiley Happy