I am trying to understand why some SRXs I have are showing RT_FLOW_SESSION_CREATE messages in the logs and some are not. Looking at the configuration, they are all the same for logging to the file messages:
set system syslog file messages any info
set system syslog file messages authorization info
All security policies contain a "then log session-init" and a "then log session-close".
I can, for example, create a very specific match condition and it populates the file.
e.g.
set system syslog file accepted-traffic any any
set system syslog file accepted-traffic match RT_FLOW.*ISP_X_SIP
I just can't understand why the output of show log messages is different on the different SRX boxes with the same configuration from a logging point of view.
Can you show us the security log configurations on both devices?
set system syslog = control plane logging
set security log = dataplane logging. <==== Which file are you logging to here? Are they both set to log to messages?
What mode are you using? Event mode will send it to the control plane infrastructure and stream will send it to remote syslog. The error about security logging not enabled is related to whether you enable cache for auditing. You can get rid of that error with "set security log cache", but I don't know the long-term effect of this statement.
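The comparison the replies ask for can be scripted. This is an added example, not part of the original thread: it splits two "display set" outputs into the control-plane ("set system syslog") and dataplane ("set security log") statements and reports what differs. The two device configurations, the stream name remote1 and the address 192.0.2.10 are constructed sample values.

```python
import re

# Constructed "display set" samples (not taken from the thread).
COMMON = """\
set system syslog file messages any info
set system syslog file messages authorization info
set security policies from-zone trust to-zone untrust policy p1 then log session-init
set security policies from-zone trust to-zone untrust policy p1 then log session-close
"""
SRX_A = COMMON + "set security log mode event\n"
SRX_B = COMMON + ("set security log mode stream\n"
                  "set security log stream remote1 host 192.0.2.10\n")

def logging_view(config):
    """Split a 'display set' config into its logging-related statements."""
    view = {"mode": "unset", "security_log": set(),
            "system_syslog": set(), "policy_log": set()}
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("set security log "):
            stmt = line[len("set security log "):]
            view["security_log"].add(stmt)       # dataplane logging
            m = re.fullmatch(r"mode (\S+)", stmt)
            if m:
                view["mode"] = m.group(1)        # event or stream
        elif line.startswith("set system syslog "):
            view["system_syslog"].add(line[len("set system syslog "):])
        else:
            m = re.match(r"set security policies .* policy (\S+) "
                         r"then log (session-(?:init|close))$", line)
            if m:
                view["policy_log"].add(f"{m.group(1)} {m.group(2)}")
    return view

def compare(cfg_a, cfg_b):
    """Return statements present on only one device, per logging area."""
    a, b = logging_view(cfg_a), logging_view(cfg_b)
    return {
        # "unset" means no explicit mode; the script does not guess a default.
        "mode": (a["mode"], b["mode"]),
        "system_syslog_diff": sorted(a["system_syslog"] ^ b["system_syslog"]),
        "security_log_diff": sorted(a["security_log"] ^ b["security_log"]),
        "policy_log_diff": sorted(a["policy_log"] ^ b["policy_log"]),
    }

if __name__ == "__main__":
    for area, result in compare(SRX_A, SRX_B).items():
        print(area, result)
```

With these samples the syslog and policy statements match and only the "set security log" statements differ, which is the situation the replies are probing for.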