How to filter syslog flooding?

‎11-30-2017 05:31 PM

Hi all,

Can someone guide me on how to filter the log messages shown below, which are flooding the firewall? I tried the config below, but it does not work. I would appreciate some advice.
{primary:node1}
FW02> show configuration system syslog
archive size 1m files 10;
user * {
    any emergency;
}
host x.x.x.x {
    any any;
    change-log any;
    interactive-commands any;
    inactive: match RT_FLOW_SESSION;
    port 516;
    structured-data;
}
host x.x.x.x {
    any any;
    change-log any;
    interactive-commands any;
    inactive: match RT_FLOW_SESSION;
    port 516;
    structured-data;
}
file messages {
    any notice;
    authorization info;
    explicit-priority;
}
file filter-log {
    any notice;
    match "!(.*Mosquitto.*)";
    explicit-priority;
}
GKD-re[4608]: %DAEMON-5: 2017-12-01 08:45:00.321485 ERROR Failed to connect to message broker: No route to host.
Dec  1 08:45:00.321 2017  FW01 GKD-re[4608]: %DAEMON-5: 2017-12-01 08:45:00.321525 INFO Mosquitto error The client is not currently connected. (errno=65). Reconnecting to MQTT in 2s.
Dec  1 08:45:01.725 2017  FW01 GKD-lchassis[5395]: %DAEMON-5: 2017-12-01 08:45:01.725512 ERROR Failed to connect to message broker: No route to host.
Dec  1 08:45:01.725 2017  FW01 GKD-lchassis[5395]: %DAEMON-5: 2017-12-01 08:45:01.725543 INFO Mosquitto error The client is not currently connected. (errno=65). Reconnecting to MQTT in 2s.
Dec  1 08:45:02.026 2017  FW01 GKD-chassis[4742]: %DAEMON-5: 2017-12-01 08:45:02.026516 ERROR Failed to connect to message broker: No route to host.
Dec  1 08:45:02.026 2017  FW01 GKD-chassis[4742]: %DAEMON-5: 2017-12-01 08:45:02.026546 INFO Mosquitto error The client is not currently connected. (errno=6
Thanks
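To see why a `match` on only one `file` destination does not stop the flood, here is a small Python model of how the stanzas quoted above route each message. This is an added example, not code from the original post or from Juniper: it encodes the syslog semantics as I understand them (a selector accepts a message when the facility matches and the message severity is at least as severe as the configured level, a `match` regex beginning with `!` excludes matching lines, a `match` without `!` is an allow-list) and assumes a mapping from Junos facility keywords to the tags that `explicit-priority` prints (`%DAEMON-5`, `%AUTH-6`, ...). The sample lines are constructed; the first two follow the shape of the GKD-re messages in the post, the last two are made up to exercise the other selectors.

```python
import re

# Constructed sample lines (not captured from the device).
SAMPLE_LOGS = [
    "Dec  1 08:45:00.321 2017  FW01 GKD-re[4608]: %DAEMON-5: 2017-12-01 08:45:00.321485 "
    "ERROR Failed to connect to message broker: No route to host.",
    "Dec  1 08:45:00.321 2017  FW01 GKD-re[4608]: %DAEMON-5: 2017-12-01 08:45:00.321525 "
    "INFO Mosquitto error The client is not currently connected. (errno=65). Reconnecting to MQTT in 2s.",
    "Dec  1 08:45:02.100 2017  FW01 sshd[1234]: %AUTH-6: Accepted password for admin from 10.0.0.5 port 51000 ssh2",
    "Dec  1 08:45:03.000 2017  FW01 RT_FLOW: %DAEMON-6: RT_FLOW_SESSION_CREATE: session created 10.0.0.5/51000->10.0.0.9/443",
]

# Numeric syslog severities (lower = more severe); "any" accepts everything.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "info": 6, "any": 7}

# Assumed mapping from Junos facility keywords to the tag printed by explicit-priority.
FACILITY_TAG = {"authorization": "AUTH", "daemon": "DAEMON", "kernel": "KERN",
                "change-log": "CHANGE", "interactive-commands": "INTERACT", "user": "USER"}

# explicit-priority puts "%FACILITY-SEVERITY" in front of the message text.
PRIORITY_RE = re.compile(r"%([A-Z]+)-(\d)")


def parse_priority(line):
    """Return (facility_tag, severity_number) or None if the line carries no priority."""
    m = PRIORITY_RE.search(line)
    return (m.group(1), int(m.group(2))) if m else None


def selector_allows(selector, facility_tag, severity_num):
    """One '<facility> <severity>;' line: facility must match, severity must be at least as severe."""
    fac, sev = selector
    fac_ok = fac == "any" or FACILITY_TAG.get(fac) == facility_tag
    return fac_ok and severity_num <= SEVERITY[sev]


def regex_allows(match_expr, line):
    """Junos 'match': a leading '!' excludes matching lines, otherwise only matching lines pass."""
    if match_expr is None:
        return True
    if match_expr.startswith("!"):
        return re.search(match_expr[1:], line) is None
    return re.search(match_expr, line) is not None


def deliver(destinations, line):
    """Names of the destinations that would receive this line, in config order."""
    pri = parse_priority(line)
    if pri is None:
        return []
    tag, sev = pri
    return [d["name"] for d in destinations
            if any(selector_allows(s, tag, sev) for s in d["selectors"])
            and regex_allows(d.get("match"), line)]


# The stanzas from the post, as data. The host's 'match RT_FLOW_SESSION' is
# inactive and therefore omitted; the second, identical host block is dropped.
POSTED_CONFIG = [
    {"name": "user *", "selectors": [("any", "emergency")]},
    {"name": "host x.x.x.x", "selectors": [("any", "any"), ("change-log", "any"),
                                           ("interactive-commands", "any")]},
    {"name": "file messages", "selectors": [("any", "notice"), ("authorization", "info")]},
    {"name": "file filter-log", "selectors": [("any", "notice")], "match": "!(.*Mosquitto.*)"},
]

# Hypothetical fix: the same negative match on every destination the flood reaches.
FIXED_CONFIG = [dict(d, match="!(.*Mosquitto.*)") if d["name"] != "user *" else d
                for d in POSTED_CONFIG]

# Caveat: activating the host's 'match RT_FLOW_SESSION' as written makes it an
# allow-list, so the host would then receive only RT_FLOW_SESSION lines.
HOST_RT_FLOW_ONLY = [dict(d, match="RT_FLOW_SESSION") if d["name"].startswith("host") else d
                     for d in POSTED_CONFIG]


def flood_report(config, lines):
    """Return {destination: number of Mosquitto lines it would still receive}."""
    counts = {d["name"]: 0 for d in config}
    for line in lines:
        if "Mosquitto" in line:
            for name in deliver(config, line):
                counts[name] += 1
    return counts


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, flood_report(cfg, SAMPLE_LOGS))
```

With the posted config the Mosquitto line is kept out of `filter-log` but still reaches `file messages` (`any notice` covers severity 5) and the syslog hosts (`any any`), so the flood continues there; the negative match has to sit on each destination that should drop the line. Note also the direction of a bare `match`: it admits only matching messages, which is rarely what is wanted on a collector that should otherwise receive everything.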


Re: How to filter syslog flooding?

‎11-30-2017 05:54 PM

Hi all,

It's OK. I already got it.


Re: How to filter syslog flooding?

‎12-25-2017 11:51 PM

Hi,

Good to know that you figured it out. You can refer to these examples in future:

https://kb.juniper.net/KB22177

https://kb.juniper.net/KB9382

Hope this helps

--------------------------------------------------------------------------------------------------------
If this post was helpful, please mark this post as an "Accepted Solution".
Kudos are always appreciated!
--------------------------------------------------------------------------------------------------------

Re: How to filter syslog flooding?

‎12-26-2017 11:07 AM

Hi folks,

Just my 2 cents on this...

Historically I have seen eventd spiking when using multiple match conditions with syslog; thus, as a best practice, please fix the unwanted traffic hitting the firewall term and syslog.
-Python JNCIE 3X [SP|DC|ENT] JNCIP-SEC JNCDS 3X [ WAN | DC|SEC] JNCIS-Cloud JNCIS-DevOps CCIP ITIL
#Please mark my solution as accepted if it helped, Kudos are appreciated as well.