SIEM cannot received log when SRX using stream mode?

Hi,

Please share your configuration from the SRX.

• What is the output of "show route <SIEM IP>" ?
• Is that interface through which SIEM is reachable, part of a VR ?
• What is the source address being used for stream mode logs ?

Regards,

Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Hi sahilsha

Below is the config. FYI, no issue reachibility from SRX to SIEM. Previously the mode is "event" but due to CPU high in SRX then i change using stream mode. After i change to stream mode then SIEM not received log from SRX. But using Junos Space Log Collector no issue. So i'm not sure whether SIEM have need some changes also due to stream mode.  Appreciate someone advise.

{primary:node0}
test@srx5800> show configuration security log
mode stream;
inactive: event-rate 1000;
format sd-syslog;
source-address 10.70.50.18;
stream TO-SIEM {
    format sd-syslog;
    category all;
    host {
        10.60.30.50;
    }
}
stream TO-LOG-COLLECTOR {
    format sd-syslog;
    category all;
    host {
        10.60.30.51;
    }
}

Hi,

Thanks for providing the configuration.

Please answer the following questions as well :-

• What is the output of "show route <SIEM IP>" ?
• Is that interface through which SIEM is reachable, part of a VR ?
• Which interface has the address 10.70.50.18 ?

Regards,

Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Hi sahilsha

There is no VR in this firewall. If just change the mode supposedly it not issue right?

{primary:node0}
test@srx5800> show route x.x.x.x

inet.0: 16 destinations, 18 routes (16 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.0.0/8         *[Static/5] 37w0d 20:18:03
                    > to x.x.x.x via reth0.380

Can you confirm that the source address configured for logging ( 10.70.50.18) is on the interface facing the route to the SEIM (reth0.380).

Hi Spuluka,

Yes, It's confirm. The issue that it's work on mode event but after i changes on stream mode the SIEM not received any log from SRX. But when i changes back to mode event then no issue for SIEM received the log.

Thanks

Hi,

Please provide the following output from shell :-

%srx-cprod.sh -s spu -c "sh usp rtlog conn"

%srx-cprod.sh -s spu -c "sh usp rtlog stream"

Regards,

Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Sorry, I missed this little note above:

After i change to stream mode then SIEM not received log from SRX. 
But using Junos Space Log Collector no issue.

I would do a packet capture on the SIEM or the switch port span right before the SIEM to verify the log data is reaching the server.  And I suspect there is either a host setup to accept the logs missing or a log format issue.  Although most SIEM I've seen accept Structured Data syslog. 

Another possibility is some kind of bug related to the SIEM and Junos version.  So a quick search of the PR database for your SIEM vendor and Junos version could see if one exists already.

Hi Shilsa,

Does command that u inform need root previlege? Just for tour information the SIEM is "McAfee ESM" with ver 9.6.0.

% srx-cprod.sh -s spu -c "sh usp rtlog steam"
======== Start SPU0.0, node0.fpc0.pic0, spu ========
================ node0.fpc0.pic0 ================
Permission denied, couldn't create TNP socket to SCB.
======== End SPU0.0, node0.fpc0.pic0 ========

======== Start SPU0.1, node0.fpc0.pic1, spu ========
================ node0.fpc0.pic1 ================
Permission denied, couldn't create TNP socket to SCB.
======== End SPU0.1, node0.fpc0.pic1 ========

McAfee seems to be recommending the configuration be done in the syslog hierarching instead of security log hierarchy.  Not sure if that makes a difference in the log formatting or not.

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26237/en_US/...

Hi Spuluka,

Thanks for the url given. FYI, we have 3 SRX 5800 (Cluster , A, B , C) chassis cluster and one of them (Cluster A) is  MacAfee can received the syslog may be because it have direct connected to  Cluster A. But Cluster B and C is using routing to reach MacAfee.

Hopefully someone out there can give some workaround because now they think it SRX issue not SIEM issue.

Can you arrange a packet capture at the SIEM or the connected port?

That is really the way to verify which side this is on.  Since you have the same configuration successfully pushing logs to the Space log collector and not to the SIEM, I'm leaning toward the issue being with the SIEM config.

But once you verify whether or not the data is arriving at the SIEM that gives you the ammunition to work with TAC on either side and resolve the issue.

Hi,

Yes this would need root privileges.

Regards,

Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Hi sahilsha,

Sorry for late reply. Kindly please see attachment for log that u requested, I'm dont know how to anaylysis it. Appreciate your help.

Thanks

Hi kronicklez,

Looks like the SRX is sending the logs as the transmitted bytes are there on the SPUs :-

0:  name=TO-SIEM, ip(H)=a446747 (a 44 67 47), port=514, codec=2, sev=7
     ip_id=233, tx=233, txByte=138936, txFail=0, dropByte=0
     sevDropCnt=0
     fwd egress=0, fwd ingress=0.

This looks to be a problem on the SIEM as the SRX is sending the logs.

You can take packet captures on the SIEM to verify if it is receiving the logs from the SRX.

Regards,

Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Hi sahilsha,

Thanks for your feedback. I will ask the SIEM vendor to do packet capture on their side and keep update this issue to make sure in the future if anyone have same issue then they know the solution.

Thanks again

Hi sahilsha,

Why when i change the security log mode stream then i cannot see syslog such as login in and login out. I can see log RT-FLOW only. Is it because the stream mode on forwarding plane only but cannot control plane syslog?

Thanks and appreciate your feedback

Hi,

In stream mode logging, the traffic logs (RT_FLOW) are sent directly from the PFE to the syslog server in order to offload the RE from processing these.

Hence you will not be able to see them in local files on the SRX as they are not reaching the RE which is responsible for writing these logs to the files.

Regards,

Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Hi sahilsha,

In the syslog server itself (SIEM) it cannot see the syslog such as change log, interactive-command n etc in mode stream. But it not have issue on session flow log. Is it the limitation of mode stream?

We need the SIEM can see what ever syslog in the SRX such as config change and etc.

Thanks and appreciate your advise.