Management

Logging from SRX to security director

05-11-2019 11:36 AM
Hi,

I have some SRX devices (345 & 4100) managed by security director. Security director has a separate log collector installed and this is integrated to security director fine.

My 4100 is managed via its fxp0 interface ... how can I configure this to send its logs to the security director? Do I need a rule to allow this traffic - the Junos log collector sits in a separate zone to the management interface of the SRX. Does that even matter?

One of my other SRX devices sits behind a firewall and this will need a rule to allow it. What ports do I need from the SRX to the log collector?

When it’s all working should I just see new events in security director?

I ran a tcp dump on the collector and can see traffic coming from my 4100 fxp interface ... but nothing shows in security director.

Bit of a long one - has anyone experienced this before?

Thanks

Re: Logging from SRX to security director

05-12-2019 05:01 AM

Since you have verified the logs arrive on the log collector, that means the SRX side of the configuration is complete and working.

So the issue is going to be in the Space side configuration.

Is the fxp0 address recognized inside Space for the SRX?

Ideally as the address used to add the device to Space.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Logging from SRX to security director

05-12-2019 05:21 AM
Yes, it is using the management interface (fxp0) to connect to Junos.

I’ve been reading that the log collector can be fussy if the logs aren’t ‘structured’? Is there a particular way the Juniper should be reporting to the Junos software? I.e. I can see the traffic coming in - but it’s not in the right format ...

Re: Logging from SRX to security director

05-12-2019 08:56 PM

Hi oban3jimmy,

Yes, it has to be in a structured format, which you can configure on the SRX.

  • Event mode

set system syslog host 10.0.0.2 any any
set system syslog host 10.0.0.2 match "!RT_FLOW_SESSION"

set security log mode event
set security log format sd-syslog
set security log source-address 10.0.0.1
set security log stream securitylog format syslog
set security log stream securitylog category all
set security log stream securitylog host 10.0.0.2

  • Stream mode

Not working with the following configuration:

set system syslog host 10.0.0.2 any any

set security log mode stream
set security log format sd-syslog
set security log source-address 10.0.0.1
set security log stream securitylog format syslog
set security log stream securitylog category all
set security log stream securitylog host 10.0.0.2

From the SRX to the Log Collector, port 514 should be open.

You can use SD to configure the same.

SD > Devices > right-click the device > Modify Configuration > Security Logging tab, as shown in the screenshot.
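An added check, not part of this thread or of Juniper's tooling, for the structured-format requirement described above: it parses a syslog line as RFC 5424 with structured data (the shape `format sd-syslog` emits) and labels a plain `format syslog` line as unstructured, which is what a collector that expects structured input would reject. The two sample lines, the hostname and the SD-ID are constructed for illustration.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID <structured-data + msg>
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$")
# One SD-ELEMENT: [SD-ID name="value" ...]; assumes no escaped quotes inside values
SD_ELEMENT = re.compile(r'\[(?P<sdid>[^\s\]=]+)(?P<params>(?: [^\s=\]]+="[^"]*")*)\]')
SD_PARAM = re.compile(r'([^\s=\]]+)="([^"]*)"')


def parse_sd_syslog(line):
    """Return the parsed message if it is structured (RFC 5424 with at least one
    SD-ELEMENT, i.e. sd-syslog), otherwise None (legacy BSD syslog or NIL structured data)."""
    m = HEADER.match(line)
    if not m or m.group("version") != "1":
        return None                      # legacy "<PRI>Mon dd hh:mm:ss host app: msg" shape
    rest = m.group("rest")
    sd, pos = {}, 0
    for el in SD_ELEMENT.finditer(rest):
        if el.start() != pos:            # SD-ELEMENTs must be contiguous right after MSGID
            break
        sd[el.group("sdid")] = dict(SD_PARAM.findall(el.group("params")))
        pos = el.end()
    if not sd:
        return None                      # "-" (NILVALUE) or free text: nothing to index by field
    return {"host": m.group("host"), "app": m.group("app"),
            "msgid": m.group("msgid"), "sd": sd, "msg": rest[pos:].strip()}


def classify(lines):
    """Label each line the way a structured-only collector would see it."""
    return ["structured" if parse_sd_syslog(l) else "unstructured" for l in lines]


# Constructed samples (not captured from a device): the first in the shape
# 'format sd-syslog' emits, the second in plain 'format syslog' shape.
SAMPLE_LINES = [
    '<14>1 2019-05-12T08:56:00.123Z srx-4100 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.129 source-address="10.0.0.50" source-port="51234" '
    'destination-address="192.0.2.10" destination-port="443" protocol-id="6" '
    'policy-name="allow-web"] session created 10.0.0.50/51234->192.0.2.10/443',
    '<14>May 12 08:56:00 srx-4100 RT_FLOW: RT_FLOW_SESSION_CREATE: session created '
    '10.0.0.50/51234->192.0.2.10/443 None 6 allow-web trust untrust',
]

if __name__ == "__main__":
    for line, label in zip(SAMPLE_LINES, classify(SAMPLE_LINES)):
        print(label, "->", line[:60])
```

Feeding lines captured with the tcpdump command from the later reply into `classify` tells you whether the SRX is actually emitting structured data before you look at the collector side.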


Re: Logging from SRX to security director

05-16-2019 02:10 PM
I’ve tried it in both modes and whatever I do; the log collector doesn’t receive it properly.

I’ve run a command on log collector and it doesn’t view the feed as structured.

Is it me or is logging to security director / log collector a pain?

Thanks

Re: Logging from SRX to security director

05-16-2019 08:46 PM

Hi,

LC should work normally if the required configuration is in place.

Send us the output of the commands below from the LC CLI:

/etc/init.d/elasticsearch status
/etc/init.d/jingest status
curl -XGET --insecure --tlsv1.2 https://127.0.0.1:9200/_cat/indices?v
curl -XGET --insecure --tlsv1.2 https://127.0.0.1:9200/_cluster/health

tcpdump -n -nn -vvvv port 514 and host <SRX_IP>

From the SRX, send us the configuration for stream/event mode.

-PL

Solution
Accepted by topic author oban3jimmy
05-20-2019 03:58 AM

Re: Logging from SRX to security director

05-20-2019 03:57 AM
Thanks all,

It was the config on the SRX in the end;

set security log mode stream
set security log format sd-syslog
set security log source-address x.x.x.x
set security log stream securitylog format welf
set security log stream securitylog host x.x.x.x
set security log stream hostx.x.x.x format welf
set security log stream hostx.x.x.x host x.x.x.x
set security log stream logcollector format syslog
set security log stream logcollector host x.x.x.x
set security log stream logcollector format sd-syslog
set security log stream logcollector host port 514
set security log stream logcollector category all

Re: Logging from SRX to security director

05-20-2019 04:52 AM
Can we configure the format? It should be sd-syslog only.

set security log stream logcollector format syslog
set security log stream logcollector host x.x.x.x
set security log stream logcollector format sd-syslog

Regards,
Pravin

Re: Logging from SRX to security director

05-20-2019 05:04 AM
I couldn’t seem to get it working with just those lines - strange really. The above is the only time I could get security director to be happy with the logs