SRX

Hi, 

I am trying to understand why some SRXs I have are showing RT_FLOW_SESSION_CREATE messages in the logs and some are not.  Looking at the configuration they are all the same for logging to the file messages 

set system syslog file messages any info
set system syslog file messages authorization info

all security policies contain a then log session-init and then log session-close  

I can, for example, create a very specific match condition and it populates the file. 

eg set system syslog file accepted-traffic any any
set system syslog file accepted-traffic match RT_FLOW.*ISP_X_SIP

Just can't understand why the output is different for show log messages on the different SRX boxes with the same configuration for a logging point of view, 

thanks

Hi Amnesiac

it returns security logging disabled.  

Model: srx1500
Junos: 15.1X49-D80.4   

SRX cluster SITEA shows no security flow logs in log messages 

SRX cluster SITEB shows  messages all security flow in log messages 

thanks

Try

root@srx#set security log mode event
root@srx#commit

Regards, Wojtek

Hi Wojtek

Unfortunately, even after that command.  it still shows  show security log

Security logging is disabled

I also can see no RT_FLOW output in the log messages

can you show us the security log configurations on both devices.

set system syslog = control plane logging

set security log = dataplane logging. <==== which file are you logging to here? are they both set to log to messages?

What mode are you using? event mode will send it to the control plane infrastructure and stream will send it to remote syslog. The error about security logging not enabled is related to whether you enable cache for auditing. You can get rid of that error with "set security log cache", but I don't know the long term effect of this statement though.

Maybe you have to turn on traceoptions for security log to get more details about what is happening.