SRX Services Gateway

Hostname missing from SRX syslogs

05-05-2017 02:45 AM

From the SRX device we are sending syslogs to a syslog server. However, the hostname is missing only for RT_FLOW logs when we check on the syslog server. We are not doing any kind of filtering or modification of the logs. For logs other than RT_FLOW we can see the hostname in the syslog before the 'RT_FLOW' field.

Here is one sample:
Apr 10 10:38:39 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed idle Timeout: 10.54.17.68/56528->10.26.124.50/161 None 10.54.17.68/56528->10.16.124.50/161 None None 17 CST000000xx7304 DD_WS mgt-out 140085954 1(83) 0(0) 213 UNKNOWN UNKNOWN N/A(N/A) eth1.12 UNKNOWN

Request you to provide your inputs ASAP, as the security monitoring is impacted.

5 REPLIES

Re: Hostname missing from SRX syslogs

05-05-2017 03:21 AM

FYI, the JUNOS version is 15.1.

And this is happening for unstructured logs.


Re: Hostname missing from SRX syslogs

05-05-2017 04:06 AM

Hi Pawarsudarshan,

Thank you for posting your query here.

I do not think RT_FLOW logs contain the hostname as one of their attributes.

Please refer to the link below, where I checked all the attributes the different RT_FLOW messages contain:

https://apps.juniper.net/syslog-explorer/#message=RT_FLOW_SESSION_CREATE&product=Junos%20OS&release=...

Was it giving you the hostname on earlier versions? AFAIK the hostname was never part of RT_FLOW logs.

Hope this helps.

Thanks,
Pulkit Bhandari
Please mark my response as Solution Accepted if it helps; Kudos are appreciated too.


Re: Hostname missing from SRX syslogs

05-05-2017 04:44 AM

Hi Pulkit,

First of all, thank you for the help.

That's the issue: it was populating the hostname before version 15.1.

Any help will be highly appreciated.


Re: Hostname missing from SRX syslogs

05-05-2017 04:49 AM

And the link you shared explains the message after the RT_FLOW field, whereas the hostname should be appended to the message in the header (the syslog header).

Current:

"Apr 10 10:38:39 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed........ "

Expected:

"Apr 10 10:38:39 test_hostname RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed........ "
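The two header shapes compared above, an RFC 3164 line with and without the HOSTNAME field, in a small collector-side parser. This is an added example for this thread; it is not code from the original posts or from Juniper. It detects lines whose header goes straight from the timestamp to the TAG (the RT_FLOW case here), counts them per TAG to confirm only RT_FLOW is affected, and re-inserts a hostname resolved from the transport source address the collector always has. The first sample line is the one quoted in the opening post; the other sample lines and the peer-address mapping are constructed.

```python
"""Detect SRX syslog lines whose RFC 3164 header lacks the HOSTNAME field
(timestamp followed directly by the TAG, e.g. "Apr 10 10:38:39 RT_FLOW: ...")
and back-fill the hostname from the collector's transport source address.

Added example for this thread; not from the original posts or from Juniper.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# RFC 3164: optional <PRI>, TIMESTAMP "Mmm dd hh:mm:ss", then "HOSTNAME TAG: MSG".
# HOSTNAME is optional here so the broken shape "TIMESTAMP TAG: MSG" also parses:
# a token directly followed by ':' cannot be a hostname (the group requires a
# trailing space), so it falls through to the TAG group instead.
_HEADER = re.compile(
    r"^(?P<pri><\d{1,3}>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<host>[^\s:]+) )?"
    r"(?P<tag>[A-Za-z_][\w\-/.]*(?:\[\d+\])?): "
    r"(?P<msg>.*)$"
)


class SyslogHeader(NamedTuple):
    pri: str                  # "<NNN>" or "" when the relay stripped it
    timestamp: str
    hostname: Optional[str]   # None when the HOSTNAME field is absent
    tag: str                  # e.g. "RT_FLOW" or "sshd[4242]"
    message: str


def parse_header(line: str) -> SyslogHeader:
    m = _HEADER.match(line)
    if m is None:
        raise ValueError(f"not an RFC 3164 syslog line: {line!r}")
    return SyslogHeader(m["pri"] or "", m["ts"], m["host"], m["tag"], m["msg"])


def hostname_missing(line: str) -> bool:
    """True for lines shaped like the RT_FLOW sample in this thread."""
    return parse_header(line).hostname is None


def repair_hostname(line: str, peer_ip: str, peer_to_host: Dict[str, str]) -> str:
    """Re-insert HOSTNAME after the timestamp for lines that lack it.

    The collector always knows the UDP/TCP source address of the sender, so that
    is the reliable key: peer_to_host maps it to the device name, and the raw
    address is used when no mapping exists. Lines that already carry a hostname
    are returned unchanged.
    """
    hdr = parse_header(line)
    if hdr.hostname is not None:
        return line
    host = peer_to_host.get(peer_ip, peer_ip)
    return f"{hdr.pri}{hdr.timestamp} {host} {hdr.tag}: {hdr.message}"


def missing_hostname_by_tag(lines: List[str]) -> Dict[str, int]:
    """Count header-less lines per TAG, to confirm which processes are affected."""
    counts: Dict[str, int] = {}
    for line in lines:
        hdr = parse_header(line)
        if hdr.hostname is None:
            counts[hdr.tag] = counts.get(hdr.tag, 0) + 1
    return counts


# Sample input. The first line is the one quoted in the opening post; the other
# two are constructed to show the expected shape and a non-RT_FLOW line.
SAMPLE_LINES = [
    "Apr 10 10:38:39 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed idle Timeout: "
    "10.54.17.68/56528->10.26.124.50/161 None 10.54.17.68/56528->10.16.124.50/161 "
    "None None 17 CST000000xx7304 DD_WS mgt-out 140085954 1(83) 0(0) 213 UNKNOWN "
    "UNKNOWN N/A(N/A) eth1.12 UNKNOWN",
    "Apr 10 10:38:40 test_hostname RT_FLOW: RT_FLOW_SESSION_CREATE: session created "
    "10.54.17.68/56529->10.26.124.50/161 None 10.54.17.68/56529->10.16.124.50/161 "
    "None None 17 CST000000xx7304 DD_WS mgt-out 140085955 N/A(N/A) eth1.12 UNKNOWN",
    "Apr 10 10:38:41 test_hostname sshd[4242]: Accepted publickey for admin from 10.0.0.5",
]

# Constructed: transport source address of the SRX as seen by the collector.
PEER_TO_HOST = {"10.54.17.1": "test_hostname"}

if __name__ == "__main__":
    print(missing_hostname_by_tag(SAMPLE_LINES))
    for line in SAMPLE_LINES:
        print(repair_hostname(line, "10.54.17.1", PEER_TO_HOST))
```

The repair step is a workaround for the collector, not a fix on the SRX: it restores a usable host field for correlation, but it keys on the sender's transport address, so a relay between the SRX and the collector would have to preserve that address (or be the one doing the back-fill) for the mapping to be correct.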


Re: Hostname missing from SRX syslogs

05-05-2017 10:29 AM

Could you please check whether your issue is related to this bug:

https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1183441
Regards,
A'bed AL-R.
[JNCSP-SEC JNCDA JNCIS-ENT Ingenious Champion|Sec]
https://srxtech.wordpress.com