SRX Services Gateway

Juniper SRX240 not sending traffic logs to Syslog server

‎10-09-2019 12:23 PM

I am not seeing traffic logs coming into my syslog server from my SRX240. I am seeing occasional hits from the firewall with CMDLINE_READ_LINE and CFG_AUDIT_SET messages but no actual traffic logs. There should be a significant amount of traffic coming from this device and it was working at one point. Does anyone have any ideas short of rebooting the box? This unit is set to be retired for a newer SRX model but I need it working until we are ready to upgrade. I am running 12.1X46-D86.

host 10.x.x.52 {
    any any;
    match RT_FLOW_SESSION;
}

policy 0846_01222019 {
    description "Default trust-untrust outbound traffic. Ticket# 6261";
    match {
        source-address LANS-WM;
        destination-address any;
        application [ junos-icmp-ping junos-http junos-https junos-ntp junos-dns-udp ];
    }
    then {
        permit {
            inactive: application-services {
                utm-policy wm-websense;
            }
        }
        log {
            session-init;
        }
    }
}

Solution
Accepted by topic author joshuamichaelsanders
‎10-09-2019 02:06 PM

Re: Juniper SRX240 not sending traffic logs to Syslog server

‎10-09-2019 12:32 PM

Hi,

 

Please check under hierarchy [edit security log]; "mode event" has to be set.

This is because the logs generated by the security-policies are data-plane logs, and with the "mode event" they will be sent to the Routing-Engine of the SRX (control-plane level), and at that point these logs will be matched by the syslog file you have configured under [edit system syslog].

If the amount of logs is high, it could affect your Routing-Engine; hence it is recommended to set "mode stream" and have the data-plane logs sent from the data-plane itself to an external server.


https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/security-system-stream-s...

 

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!
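
The two log modes described in the reply above, side by side in set format. This is an added example, not configuration posted in the thread; the stream name SYSLOG-SRV and the 192.0.2.x addresses are constructed placeholders.

```junos
# Option 1: event mode.
# Security-policy (data-plane) logs are handed to the Routing Engine, where
# the existing [edit system syslog] host stanza with "match RT_FLOW_SESSION"
# picks them up and forwards them to the syslog server.
set security log mode event

# Option 2: stream mode.
# The data plane sends the logs straight to the external server and the
# Routing Engine never sees them, so the [edit system syslog] host stanza
# no longer receives RT_FLOW_SESSION messages.
set security log mode stream
set security log format sd-syslog
set security log source-address 192.0.2.1          # placeholder: an address on the SRX
set security log stream SYSLOG-SRV host 192.0.2.52 # placeholder: the syslog server
```

Only one mode is active at a time; `show configuration security log` shows which one the device is currently using.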

Re: Juniper SRX240 not sending traffic logs to Syslog server

‎10-09-2019 02:07 PM

Thank you much! During a POC of Firemon we set our log to stream vs event and I forgot to check there.

 


Re: Juniper SRX240 not sending traffic logs to Syslog server

‎10-14-2019 10:57 AM

You are very welcome, I'm glad to hear it is working as expected.

 
