SRX Services Gateway

SIEM cannot receive logs when SRX is using stream mode?

12-23-2016 02:50 AM

Hi All,

May I know whether we need to do some special config so that the SIEM can receive logs from the SRX using stream mode? Or does the SIEM need a special setting so that it can receive the log stream from the SRX? I'm using the URL below. Reachability is no issue, and I'm using a reth interface as management.

http://91sec.blogspot.my/2015/10/juniper-srx-logging-configuration.html

Appreciate someone's help.

Re: SIEM cannot receive logs when SRX is using stream mode?

12-23-2016 03:38 AM

Hi,

Please share your configuration from the SRX.

  • What is the output of "show route <SIEM IP>"?
  • Is the interface through which the SIEM is reachable part of a VR?
  • What is the source address being used for stream mode logs?

Regards,

Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Re: SIEM cannot receive logs when SRX is using stream mode?

12-23-2016 05:02 AM

Hi

{primary:node0}
test@srx5800> show configuration security log
mode stream;
inactive: event-rate 1000;
format sd-syslog;
source-address 10.70.50.18;
stream TO-SIEM {
    format sd-syslog;
    category all;
    host {
        10.60.30.50;
    }
}
stream TO-LOG-COLLECTOR {
    format sd-syslog;
    category all;
    host {
        10.60.30.51;
    }
}

Re: SIEM cannot receive logs when SRX is using stream mode?

12-23-2016 05:14 AM

Hi,

Thanks for providing the configuration.

Please answer the following questions as well:

  • What is the output of "show route <SIEM IP>"?
  • Is the interface through which the SIEM is reachable part of a VR?
  • Which interface has the address 10.70.50.18?

Regards,

Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Re: SIEM cannot receive logs when SRX is using stream mode?

12-23-2016 05:50 AM

Hi

There is no VR in this firewall. If I just change the mode, supposedly it's not an issue, right?

{primary:node0}
test@srx5800> show route x.x.x.x

inet.0: 16 destinations, 18 routes (16 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.0.0/8         *[Static/5] 37w0d 20:18:03
                    > to x.x.x.x via reth0.380

Re: SIEM cannot receive logs when SRX is using stream mode?

12-23-2016 04:55 PM

Can you confirm that the source address configured for logging (10.70.50.18) is on the interface facing the route to the SIEM (reth0.380)?

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Re: SIEM cannot receive logs when SRX is using stream mode?

12-23-2016 05:52 PM

Hi Spuluka,

Yes, it's confirmed. The issue is that it works in event mode, but after I change to stream mode the SIEM does not receive any logs from the SRX. When I change back to event mode, the SIEM receives the logs with no issue.

Thanks

Re: SIEM cannot receive logs when SRX is using stream mode?

12-23-2016 10:22 PM

Hi,

Please provide the following output from shell:

%srx-cprod.sh -s spu -c "sh usp rtlog conn"

%srx-cprod.sh -s spu -c "sh usp rtlog stream"

Regards,

Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Re: SIEM cannot receive logs when SRX is using stream mode?

12-24-2016 03:23 AM

Sorry, I missed this little note above:

After I change to stream mode, the SIEM does not receive logs from the SRX.
But using Junos Space Log Collector there is no issue.

I would do a packet capture on the SIEM or the switch port span right before the SIEM to verify the log data is reaching the server. And I suspect there is either a missing host setup to accept the logs or a log format issue, although most SIEMs I've seen accept Structured Data syslog.

Another possibility is some kind of bug related to the SIEM and Junos version. So a quick search of the PR database for your SIEM vendor and Junos version could see if one exists already.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: SIEM cannot receive logs when SRX is using stream mode?

12-24-2016 08:28 PM

Hi Shilsa,

Does the command you mentioned need root privilege? Just for your information, the SIEM is "McAfee ESM" version 9.6.0.

% srx-cprod.sh -s spu -c "sh usp rtlog steam"
======== Start SPU0.0, node0.fpc0.pic0, spu ========
================ node0.fpc0.pic0 ================
Permission denied, couldn't create TNP socket to SCB.
======== End SPU0.0, node0.fpc0.pic0 ========

======== Start SPU0.1, node0.fpc0.pic1, spu ========
================ node0.fpc0.pic1 ================
Permission denied, couldn't create TNP socket to SCB.
======== End SPU0.1, node0.fpc0.pic1 ========

Re: SIEM cannot receive logs when SRX is using stream mode?

12-25-2016 04:58 AM

McAfee seems to be recommending the configuration be done in the syslog hierarchy instead of the security log hierarchy. Not sure if that makes a difference in the log formatting or not.

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26237/en_US/...

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Re: SIEM cannot receive logs when SRX is using stream mode?

12-25-2016 06:53 AM

Hi Spuluka,

Thanks for the URL. FYI, we have 3 SRX 5800 chassis clusters (Cluster A, B, C), and for one of them (Cluster A) McAfee can receive the syslog, maybe because it is directly connected to Cluster A. But Clusters B and C use routing to reach McAfee.

Hopefully someone out there can give some workaround, because now they think it's an SRX issue, not a SIEM issue.

Re: SIEM cannot receive logs when SRX is using stream mode?

12-25-2016 07:01 AM

Can you arrange a packet capture at the SIEM or the connected port?

That is really the way to verify which side this is on. Since you have the same configuration successfully pushing logs to the Space log collector and not to the SIEM, I'm leaning toward the issue being with the SIEM config.

But once you verify whether or not the data is arriving at the SIEM, that gives you the ammunition to work with TAC on either side and resolve the issue.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Re: SIEM cannot receive logs when SRX is using stream mode?

12-26-2016 01:50 AM

Hi,

Yes, this would need root privileges.

Regards,

Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Re: SIEM cannot receive logs when SRX is using stream mode?

01-01-2017 04:11 AM

Hi,

Sorry for the late reply. Kindly see the attachment for the log that you requested; I don't know how to analyse it. Appreciate your help.

Thanks

Re: SIEM cannot receive logs when SRX is using stream mode?

01-01-2017 05:55 AM

Hi,

Looks like the SRX is sending the logs, as the transmitted bytes are there on the SPUs:

0:  name=TO-SIEM, ip(H)=a446747 (a 44 67 47), port=514, codec=2, sev=7
     ip_id=233, tx=233, txByte=138936, txFail=0, dropByte=0
     sevDropCnt=0
     fwd egress=0, fwd ingress=0.

This looks to be a problem on the SIEM, as the SRX is sending the logs.

You can take packet captures on the SIEM to verify if it is receiving the logs from the SRX.

Regards,

Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.
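Added here as an illustration, not code from the thread or from Juniper: a small Python parser for the per-stream SPU counters quoted above. It decodes the hex ip(H) word into the collector address and turns tx/txFail/dropByte into the same "SRX side or collector side" verdict drawn in the reply. The first stream in the sample is the block quoted above; the second is constructed to show a failing stream.

```python
import re
from ipaddress import IPv4Address

# Constructed sample: the first stream is the counter block quoted in the
# thread; the second is made up to show a failing stream (not from the page).
SAMPLE = """\
0:  name=TO-SIEM, ip(H)=a446747 (a 44 67 47), port=514, codec=2, sev=7
     ip_id=233, tx=233, txByte=138936, txFail=0, dropByte=0
     sevDropCnt=0
     fwd egress=0, fwd ingress=0.
1:  name=TO-LOG-COLLECTOR, ip(H)=a3c1e33 (a 3c 1e 33), port=514, codec=2, sev=7
     ip_id=90, tx=85, txByte=50200, txFail=5, dropByte=2900
     sevDropCnt=0
     fwd egress=0, fwd ingress=0.
"""

KV = re.compile(r"([\w()]+)=([\w-]+)")  # key=value pairs, e.g. txByte=138936
COUNTERS = ("tx", "txByte", "txFail", "dropByte", "sevDropCnt")


def parse_rtlog_streams(text):
    """Split 'sh usp rtlog stream' output into one dict per stream."""
    streams = []
    for line in text.splitlines():
        if re.match(r"^\d+:\s", line):  # "0:  name=..." starts a new stream
            streams.append({})
        if not streams:
            continue
        for key, val in KV.findall(line):
            streams[-1][key] = val
    for s in streams:
        # ip(H) is the collector address as one hex word: a446747 -> 10.68.103.71
        s["host"] = str(IPv4Address(int(s["ip(H)"], 16)))
        for k in COUNTERS:
            s[k] = int(s.get(k, "0"))
    return streams


def diagnose(stream):
    """Say where to look next, based only on what the SPU counters show."""
    if stream["tx"] == 0 and stream["txByte"] == 0:
        return "nothing sent: check stream category/host config on the SRX"
    if stream["txFail"] or stream["dropByte"]:
        return "SPU reports transmit failures or drops: check route and source-address"
    return "SPU is transmitting: capture on the collector side to confirm arrival"


if __name__ == "__main__":
    for s in parse_rtlog_streams(SAMPLE):
        print(f"{s['name']:18} -> {s['host']}:{s['port']}  {diagnose(s)}")
```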

Re: SIEM cannot receive logs when SRX is using stream mode?

01-01-2017 07:18 AM

Hi,

Thanks for your feedback. I will ask the SIEM vendor to do a packet capture on their side and keep this issue updated, so that in the future, if anyone has the same issue, they know the solution.

Thanks again

Re: SIEM cannot receive logs when SRX is using stream mode?

01-06-2017 12:45 AM

Hi,

Why, when I change the security log mode to stream, can I not see syslogs such as login and logout? I can see RT-FLOW logs only. Is it because stream mode is on the forwarding plane only and cannot handle control-plane syslog?

Thanks and appreciate your feedback

Re: SIEM cannot receive logs when SRX is using stream mode?

01-06-2017 06:29 PM

Hi,

In stream mode logging, the traffic logs (RT_FLOW) are sent directly from the PFE to the syslog server in order to offload the RE from processing these.

Hence you will not be able to see them in local files on the SRX, as they are not reaching the RE, which is responsible for writing these logs to the files.

Regards,

Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Re: SIEM cannot receive logs when SRX is using stream mode?

01-06-2017 11:55 PM

Hi,

On the syslog server itself (SIEM) it cannot see syslogs such as change-log, interactive-commands, etc. in stream mode. But it has no issue with session flow logs. Is this a limitation of stream mode?

We need the SIEM to be able to see whatever syslog is in the SRX, such as config changes, etc.

Thanks and appreciate your advice.