J-Net Forums: SRX Services Gateway
SIEM cannot receive logs when SRX is using stream mode?
Hi All,
May I know whether we need to do some special config so that the SIEM can receive logs from the SRX using stream mode? Or does the SIEM need a special setting so that it can receive the log stream from the SRX? I'm using the URL below. Reachability is no issue, and I'm using a reth interface as management.
http://91sec.blogspot.my/2015/10/juniper-srx-logging-configuration.html
Appreciate someone's help.
Re: SIEM cannot receive logs when SRX is using stream mode?
[Edited] Hi,
Please share your configuration from the SRX.
- What is the output of "show route <SIEM IP>"?
- Is the interface through which the SIEM is reachable part of a VR?
- What is the source address being used for stream mode logs?
Regards,
Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.
Re: SIEM cannot receive logs when SRX is using stream mode?
Hi sahilsha,
Below is the config. FYI, there is no reachability issue from the SRX to the SIEM. Previously the mode was "event", but due to high CPU on the SRX I changed it to stream mode. After I changed to stream mode, the SIEM did not receive logs from the SRX. But with the Junos Space Log Collector there is no issue. So I'm not sure whether the SIEM also needs some changes due to stream mode. Appreciate someone's advice.
{primary:node0}
test@srx5800> show configuration security log
mode stream;
inactive: event-rate 1000;
format sd-syslog;
source-address 10.70.50.18;
stream TO-SIEM {
    format sd-syslog;
    category all;
    host {
        10.60.30.50;
    }
}
stream TO-LOG-COLLECTOR {
    format sd-syslog;
    category all;
    host {
        10.60.30.51;
    }
}
Re: SIEM cannot receive logs when SRX is using stream mode?
[Edited] Hi,
Thanks for providing the configuration.
Please answer the following questions as well:
- What is the output of "show route <SIEM IP>"?
- Is the interface through which the SIEM is reachable part of a VR?
- Which interface has the address 10.70.50.18?
Regards,
Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.
Re: SIEM cannot receive logs when SRX is using stream mode?
Hi sahilsha,
There is no VR in this firewall. If I just change the mode, supposedly it is not an issue, right?
{primary:node0}
test@srx5800> show route x.x.x.x
inet.0: 16 destinations, 18 routes (16 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.0.0.0/8         *[Static/5] 37w0d 20:18:03
                    > to x.x.x.x via reth0.380
Re: SIEM cannot receive logs when SRX is using stream mode?
Can you confirm that the source address configured for logging (10.70.50.18) is on the interface facing the route to the SIEM (reth0.380)?
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Re: SIEM cannot receive logs when SRX is using stream mode?
Hi Spuluka,
Yes, it's confirmed. The issue is that it works in event mode, but after I changed to stream mode the SIEM did not receive any logs from the SRX. When I changed back to event mode, there was no issue with the SIEM receiving the logs.
Thanks
Re: SIEM cannot receive logs when SRX is using stream mode?
Hi,
Please provide the following output from the shell:
%srx-cprod.sh -s spu -c "sh usp rtlog conn"
%srx-cprod.sh -s spu -c "sh usp rtlog stream"
Regards,
Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.
Re: SIEM cannot receive logs when SRX is using stream mode?
Sorry, I missed this little note above:
After I changed to stream mode, the SIEM did not receive logs from the SRX.
But with the Junos Space Log Collector there is no issue.
I would do a packet capture on the SIEM, or on a SPAN of the switch port right before the SIEM, to verify the log data is reaching the server. I suspect there is either a missing host setup to accept the logs or a log format issue, although most SIEMs I've seen accept structured-data syslog.
Another possibility is some kind of bug related to the SIEM and Junos version. A quick search of the PR database for your SIEM vendor and Junos version could show whether one exists already.
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Re: SIEM cannot receive logs when SRX is using stream mode?
Hi sahilsha,
Does the command you mentioned need root privilege? Just for your information, the SIEM is "McAfee ESM" ver 9.6.0.
% srx-cprod.sh -s spu -c "sh usp rtlog steam"
======== Start SPU0.0, node0.fpc0.pic0, spu ========
================ node0.fpc0.pic0 ================
Permission denied, couldn't create TNP socket to SCB.
======== End SPU0.0, node0.fpc0.pic0 ========
======== Start SPU0.1, node0.fpc0.pic1, spu ========
================ node0.fpc0.pic1 ================
Permission denied, couldn't create TNP socket to SCB.
======== End SPU0.1, node0.fpc0.pic1 ========
Re: SIEM cannot receive logs when SRX is using stream mode?
McAfee seems to be recommending that the configuration be done in the syslog hierarchy instead of the security log hierarchy. Not sure if that makes a difference in the log formatting or not.
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Re: SIEM cannot receive logs when SRX is using stream mode?
Hi Spuluka,
Thanks for the URL given. FYI, we have 3 SRX 5800 chassis clusters (Cluster A, B, C), and for one of them (Cluster A) McAfee can receive the syslog, maybe because it is directly connected to Cluster A. But Cluster B and C use routing to reach McAfee.
Hopefully someone out there can give a workaround, because now they think it is an SRX issue, not a SIEM issue.
Re: SIEM cannot receive logs when SRX is using stream mode?
Can you arrange a packet capture at the SIEM or the connected port?
That is really the way to verify which side this is on. Since you have the same configuration successfully pushing logs to the Space log collector and not to the SIEM, I'm leaning toward the issue being with the SIEM config.
But once you verify whether or not the data is arriving at the SIEM, that gives you the ammunition to work with TAC on either side and resolve the issue.
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Re: SIEM cannot receive logs when SRX is using stream mode?
Hi,
Yes this would need root privileges.
Regards,
Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.
Re: SIEM cannot receive logs when SRX is using stream mode?
Hi sahilsha,
Sorry for the late reply. Kindly see the attachment for the log that you requested; I don't know how to analyse it. Appreciate your help.
Thanks
Re: SIEM cannot receive logs when SRX is using stream mode?
Hi kronicklez,
Looks like the SRX is sending the logs, as the transmitted bytes are there on the SPUs:
0: name=TO-SIEM, ip(H)=a446747 (a 44 67 47), port=514, codec=2, sev=7 ip_id=233, tx=233, txByte=138936, txFail=0, dropByte=0 sevDropCnt=0 fwd egress=0, fwd ingress=0.
This looks to be a problem on the SIEM as the SRX is sending the logs.
You can take packet captures on the SIEM to verify if it is receiving the logs from the SRX.
Regards,
Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.
Re: SIEM cannot receive logs when SRX is using stream mode?
Hi sahilsha,
Thanks for your feedback. I will ask the SIEM vendor to do a packet capture on their side and keep updating this issue, to make sure that in the future, if anyone has the same issue, they know the solution.
Thanks again
Re: SIEM cannot receive logs when SRX is using stream mode?
Hi sahilsha,
Why, when I change the security log mode to stream, can I not see syslog messages such as login and logout? I can see RT-FLOW logs only. Is it because stream mode is on the forwarding plane only and cannot carry control-plane syslog?
Thanks, and I appreciate your feedback.
Re: SIEM cannot receive logs when SRX is using stream mode?
Hi,
In stream mode logging, the traffic logs (RT_FLOW) are sent directly from the PFE to the syslog server in order to offload the RE from processing them.
Hence you will not be able to see them in local files on the SRX, as they do not reach the RE, which is responsible for writing these logs to the files.
Regards,
Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.
Re: SIEM cannot receive logs when SRX is using stream mode?
Hi sahilsha,
On the syslog server itself (the SIEM), it cannot see syslog messages such as change log, interactive-command, etc. in stream mode. But there is no issue with the session flow logs. Is it a limitation of stream mode?
We need the SIEM to see whatever syslog the SRX produces, such as config changes, etc.
Thanks, and I appreciate your advice.
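A SIEM-side check for the two points raised above (the PFE-sourced RT_FLOW logs in stream mode, and the question of which event types actually arrive): this added Python example, not from any poster or from Juniper, parses sd-syslog (RFC 5424) lines the way the SRX emits them and tallies flow logs against control-plane events and unparseable lines. The sample lines, the `junos@2636...` SD-ID and all field values are constructed for illustration; in practice you would feed it the raw lines from a packet capture or the SIEM's raw-message export.

```python
import re
from collections import Counter

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
_HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$')
# One SD-ELEMENT: [SD-ID PARAM="VALUE" ...]; values may contain the escapes \" \\ \]
_SD_ELEMENT = re.compile(r'\[(\S+?)((?: [^\]\\]*(?:\\.[^\]\\]*)*)?)\]')
_SD_PARAM = re.compile(r'(\S+?)="((?:[^"\\]|\\.)*)"')


def parse_sd_syslog(line):
    """Parse one Junos sd-syslog (RFC 5424) message; return None if it is not RFC 5424."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["facility"], rec["severity"] = divmod(int(rec.pop("pri")), 8)
    rec["sd"] = {}
    for sd_id, body in _SD_ELEMENT.findall(rec.pop("rest")):
        # Strip the RFC 5424 escaping (\" \\ \]) from each parameter value.
        rec["sd"][sd_id] = {k: re.sub(r'\\(.)', r'\1', v)
                            for k, v in _SD_PARAM.findall(body)}
    return rec


def classify(lines):
    """Count what reached the collector: PFE flow logs vs RE (control-plane) events."""
    counts = Counter()
    for line in lines:
        rec = parse_sd_syslog(line)
        if rec is None:
            counts["unparsed"] += 1        # e.g. traditional BSD-style syslog, not sd-syslog
        elif rec["msgid"].startswith("RT_FLOW_"):
            counts["flow"] += 1            # session logs, sent from the PFE in stream mode
        else:
            counts["control_plane"] += 1   # UI_*, login, commit: generated on the RE
    return dict(counts)


# Constructed sample lines in Junos sd-syslog style (SD-ID and values are made up).
SAMPLE = [
    '<14>1 2016-03-01T08:00:00.123Z srx5800 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.1.1.5" source-port="51234" destination-address="10.2.2.9" destination-port="443" policy-name="allow-web"]',
    '<14>1 2016-03-01T08:00:05.456Z srx5800 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.1.1.5" packets-from-client="12"]',
    '<85>1 2016-03-01T08:01:00.000Z srx5800 mgd 4242 UI_LOGIN_EVENT [junos@2636.1.1.1.2.129 username="admin" command="login" message="\\"ok\\""]',
    'Mar  1 08:02:00 srx5800 mgd[4242]: UI_COMMIT: User admin performed commit',
]

if __name__ == "__main__":
    print(classify(SAMPLE))
```

If the tally shows only `flow` entries, the SRX is delivering the stream-mode session logs and the missing control-plane events are a separate source, not a transport problem between the SRX and the SIEM.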