SRX Services Gateway

Capturing security flow messages (RT_FLOW)

‎08-09-2017 06:26 AM

Hi,

I am trying to understand why some SRXs I have are showing RT_FLOW_SESSION_CREATE messages in the logs and some are not. Looking at the configuration, they are all the same for logging to the file messages:

set system syslog file messages any info
set system syslog file messages authorization info

All security policies contain a "then log session-init" and "then log session-close".

I can, for example, create a very specific match condition and it populates the file, e.g.:

set system syslog file accepted-traffic any any
set system syslog file accepted-traffic match RT_FLOW.*ISP_X_SIP

I just can't understand why the output of "show log messages" is different on the different SRX boxes with the same configuration from a logging point of view.

Thanks


Re: Capturing security flow messages (RT_FLOW)

‎08-09-2017 10:03 AM
Hello,
Which SRX models are you using?
Can you copy the "show security log" command output?
Regards,
Lado

Re: Capturing security flow messages (RT_FLOW)

‎08-10-2017 03:22 AM

Hi Amnesiac,

It returns "security logging disabled".

Model: SRX1500
Junos: 15.1X49-D80.4

SRX cluster SITEA shows no security flow logs in log messages.

SRX cluster SITEB shows all security flow messages in log messages.

Thanks


Re: Capturing security flow messages (RT_FLOW)

‎08-10-2017 03:30 AM

Try:

root@srx# set security log mode event
root@srx# commit

Regards, Wojtek


Re: Capturing security flow messages (RT_FLOW)

‎08-22-2017 07:28 AM

Hi Wojtek,

Unfortunately, even after that command, "show security log" still shows:

Security logging is disabled

I also can see no RT_FLOW output in the log messages.


Re: Capturing security flow messages (RT_FLOW)

‎08-22-2017 08:15 PM

Can you show us the security log configurations on both devices?

set system syslog = control plane logging

set security log = data plane logging. <==== Which file are you logging to here? Are they both set to log to messages?

What mode are you using? Event mode will send it to the control plane infrastructure and stream mode will send it to a remote syslog. The error about security logging not being enabled is related to whether you enable the cache for auditing. You can get rid of that error with "set security log cache", but I don't know the long-term effect of this statement though.

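The reply above draws the distinction the thread hinges on: "set system syslog" only decides where the Routing Engine's syslog process writes messages it receives, while "set security log" decides whether the data plane hands RT_FLOW messages to the Routing Engine at all (event mode) or ships them straight to a collector (stream mode). The fragment below is an added illustration written for this page, not configuration posted by anyone in the thread or taken from Juniper documentation; zone names, policy names, file names and the 192.0.2.x addresses are assumptions, and the lines beginning with "##" are explanatory comments rather than CLI input. The two "mode" statements are mutually exclusive, so the stream-mode alternative is shown commented out.

```junos
## Event mode: the data plane passes RT_FLOW_SESSION_* messages to the
## Routing Engine, where the ordinary syslog configuration can file them.
set security log mode event
## Optional: cap how many logs per second the data plane forwards to the
## Routing Engine, so a traffic burst does not drown the control plane.
set security log event-rate 1000
## Optional, as the reply above notes: keep a local cache so that
## "show security log" has something to report instead of "disabled".
set security log cache

## A dedicated local file for session logs, so the messages file is not the
## only place to look. The match is a regular expression on the message text.
set system syslog file traffic-log any any
set system syslog file traffic-log match "RT_FLOW_SESSION_(CREATE|CLOSE)"
set system syslog file traffic-log archive size 10m files 5

## Logging is still opt-in per policy; zone and policy names are hypothetical.
set security policies from-zone trust to-zone untrust policy allow-web then permit
set security policies from-zone trust to-zone untrust policy allow-web then log session-init
set security policies from-zone trust to-zone untrust policy allow-web then log session-close

## Alternative, stream mode: logs leave the data plane directly for the
## collector and never pass through the local messages file, so a box in
## this mode will show no RT_FLOW lines in "show log messages" however the
## "system syslog" stanza is written. Remove "mode event" before using this.
## set security log mode stream
## set security log format sd-syslog
## set security log source-address 192.0.2.1
## set security log stream TRAFFIC-LOG severity info
## set security log stream TRAFFIC-LOG host 192.0.2.10
## set security log stream TRAFFIC-LOG host port 514
```

When comparing two clusters that are supposedly identical, compare "show configuration security log" on both before anything else: if one is in stream mode (or has no "security log" stanza at all) the "system syslog" configuration can match exactly and the local files will still differ. After committing event mode, "show log traffic-log | match RT_FLOW_SESSION" against a flow that hits a policy with "log session-init" is the quickest end-to-end check.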

Re: Capturing security flow messages (RT_FLOW)

‎08-22-2017 08:18 PM

Maybe you have to turn on traceoptions for security log to get more details about what is happening.
