SRX Services Gateway

How to log screen messages to file

01-07-2016 06:03 AM

Hi all,

I have two SRX3600 in an active/passive cluster configuration. I have enabled screen under security options and now I'm trying to log the messages it generates to a file.

I have configured the following per the Juniper document:

syslog {
    archive size 128k files 50 world-readable;
    user * {
        any emergency;
    }
    file messages {
        any warning;
        authorization info;
    }
    file interactive-commands {
        interactive-commands any;
    }
    file interface_logs {
        any any;
        match UpDown;
    }
    file IDS_messages {
        any any;
        match RT_SCREEN;
    }
}

The trouble is I'm not seeing any logs being generated by the screen. I do see that the statistics for the screen on the active node are going up but I see no logs being generated.

# run show security screen statistics zone outside node 1
node1:
--------------------------------------------------------------------------
Screen statistics:

IDS attack type                              Statistics
  ICMP flood                                 144761
  UDP flood                                  22615
  TCP winnuke                                0
  TCP port scan                              962
  ICMP address sweep                         0
  TCP sweep                                  301039
  UDP sweep                                  8336
  IP tear drop                               0
  TCP SYN flood                              392134
  IP spoofing                                2241630
  ICMP ping of death                         0
  IP source route option                     0
  TCP land attack                            0
  TCP SYN fragment                           0
  TCP no flag                                1335
  IP unknown protocol                        38
  IP bad options                             0
  IP record route option                     0
  IP timestamp option                        0
  IP security option                         0
  IP loose source route option               0
  IP strict source route option              0
  IP stream option                           0
  ICMP fragment                              0
  ICMP large packet                          105
  TCP SYN FIN                                0
  TCP FIN no ACK                             369687
  Source session limit                       0
  TCP SYN-ACK-ACK proxy                      0
  IP block fragment                          96640
  Destination session limit                  0

Can anyone help me with configuring this?


Re: How to log screen messages to file

01-07-2016 06:57 PM

Hi igor.hamzic81,

In the default logging mode the SRX 3600 won't log traffic logs to a file; to enable that you have to apply the configuration:

set security log mode event

The only problem is that this increases the CPU utilization and as such isn't recommended. The optimal solution is to configure a syslog server and send the logs to it using the current mode of logging (stream).

Thanks,
Hisham

Please accept my comment as a solution, if it helped in resolving your issue, to help guide other commentators and encourage others.
Solution accepted by topic author igor.hamzic81 on 01-12-2016 06:19 AM

Re: How to log screen messages to file

01-08-2016 03:16 AM

Event mode logging is also limited to 1000 events per second. So on busy systems you may also be missing logs.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: How to log screen messages to file

01-12-2016 06:18 AM

Thanks all for the answers. I will set up a log server as this seems like an optimal solution.


Re: How to log screen messages to file

08-29-2018 05:33 PM

Hello,

You actually need to configure the match criteria, like this: "RT_IDS".
See the following configuration example:

#set system syslog host 172.16.xx.10 any any
#set system syslog host 172.16.xx.10 match "RT_IDP|RT_IDS"
#set system syslog host 172.16.xx.10 source-address 172.16.xx.5
#set system syslog host 172.16.xx.10 structured-data brief
#set system syslog file messages any any

Let me know if this works.
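Once the screen events are streamed to a syslog collector as the replies above recommend, something on that collector has to turn the RT_SCREEN lines into a usable count per screen and per source. The script below is an added example, not code from any poster or from Juniper: it parses constructed sample lines in the Junos structured-data style (the field names such as attack-name and source-address are assumed) and tallies screen hits, ignoring unrelated RT_FLOW lines.

```python
import re
from collections import Counter

# Constructed sample lines in the Junos structured-data style that "structured-data brief"
# forwarding would produce; field names are assumed, not captured from a real SRX.
SAMPLE_LINES = [
    '<14>1 2016-01-07T06:03:01Z srx3600 RT_SCREEN - RT_SCREEN_TCP [junos@2636.1.1.1.2.39 '
    'attack-name="SYN flood!" source-address="198.51.100.7" source-port="40001" '
    'destination-address="203.0.113.10" destination-port="443" source-zone-name="outside" '
    'interface-name="reth0.0" action="drop"]',
    '<14>1 2016-01-07T06:03:02Z srx3600 RT_SCREEN - RT_SCREEN_TCP [junos@2636.1.1.1.2.39 '
    'attack-name="SYN flood!" source-address="198.51.100.7" source-port="40002" '
    'destination-address="203.0.113.10" destination-port="443" source-zone-name="outside" '
    'interface-name="reth0.0" action="drop"]',
    '<14>1 2016-01-07T06:03:03Z srx3600 RT_SCREEN - RT_SCREEN_ICMP [junos@2636.1.1.1.2.39 '
    'attack-name="ICMP flood!" source-address="192.0.2.9" destination-address="203.0.113.10" '
    'source-zone-name="outside" interface-name="reth0.0" action="drop"]',
    '<14>1 2016-01-07T06:03:04Z srx3600 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.39 '
    'source-address="10.1.1.1" destination-address="203.0.113.10"]',
]

# Only RT_SCREEN_* tags are of interest; capture the tag and the structured-data body.
TAG_RE = re.compile(r'\b(RT_SCREEN_\w+) \[junos@[\d.]+ (?P<sd>[^\]]*)\]')
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')

def parse_screen_event(line):
    """Return the structured-data fields of an RT_SCREEN_* line, or None for other tags."""
    m = TAG_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group('sd')))
    fields['tag'] = m.group(1)
    return fields

def summarize(lines):
    """Count screen hits per attack name and per (attack, source) so repeat sources stand out."""
    per_attack, per_source = Counter(), Counter()
    for line in lines:
        ev = parse_screen_event(line)
        if ev is None:
            continue
        per_attack[ev['attack-name']] += 1
        per_source[(ev['attack-name'], ev['source-address'])] += 1
    return per_attack, per_source

if __name__ == '__main__':
    per_attack, per_source = summarize(SAMPLE_LINES)
    for (attack, src), n in per_source.most_common():
        print(f'{attack:<14} {src:<16} {n} hits (screen total: {per_attack[attack]})')
```

Feed it the collector's file instead of SAMPLE_LINES to see whether the counters in the screen statistics output are matched by forwarded events; a large gap between the two points back at the event-mode rate limit mentioned above.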