SRX Services Gateway

SRX: No Policy Logs in Web Device Manager

‎09-28-2010 02:57 PM

Hello,

I've configured some of my policies with logging. But when I enter the Web Device Manager and click on the logging symbol under Firewall Policies, I cannot see any entries. I've found a knowledge base entry on how to write the policy logs to a separate file. This works very well, but I can't see anything in the WebGUI. The problem occurs in Junos 10.1R3 and in 10.2R2.11, too.

What's the problem?

 show system syslog
archive size 100k files 3;
user * {
    any emergency;
}
inactive: host 10.130.110.1 {
    security any;
    kernel emergency;
    user any;
    change-log any;
}
file messages {
    any critical;
    authorization info;
}
file interactive-commands {
    interactive-commands error;
}
file traffic-log {
    any any;
    match RT_FLOW_SESSION;
}

[edit]

show security policies from-zone trust to-zone untrust

policy Linux-machines-to-any {
    match {
        source-address Range_linux;
        destination-address any;
        application any;
    }
    then {
        permit;
        log {
            session-close;
        }
    }
}

 

 

11 REPLIES
Re: SRX: No Policy Logs in Web Device Manager
‎09-28-2010 04:04 PM
This is a known issue. The logs are being generated, just not wherever the jweb gui is pointing. You can look at your file from the cli or you can download the files via jweb for offline processing. It is a little bit manual for the time being.

Ron

Re: SRX: No Policy Logs in Web Device Manager

‎09-29-2010 11:37 AM

Thank you for your answer. That means I have to wait until this issue is solved in a future release?!

Re: SRX: No Policy Logs in Web Device Manager
‎09-29-2010 09:35 PM

Yes, you will have to either wait till it is resolved, use an external syslog server, or live with the alternate log viewing on the box.  My usual solution is using grep to find the logs that match the policy ID I am interested in from the firewall CLI.

 

Ron

Re: SRX: No Policy Logs in Web Device Manager
‎02-14-2011 06:48 AM

Anyone know if this has been fixed in 10.4?

Thanks!

Re: SRX: No Policy Logs in Web Device Manager
‎02-14-2011 11:19 AM

Nope.  As in no logging information present.

Re: SRX: No Policy Logs in Web Device Manager
‎03-29-2011 07:54 AM

Anyone know if this is fixed in 10.4R3?

Having a tough time explaining to the customer that his new all singing and dancing firewall can't even show logs in Jweb.

--
DM

JNCIP-SEC, JNCIP-ENT, JNCIS-SEC, JNCIS-ENT, JNCIS-FWV, JNCIS-SSL,JNCIA-AC, JNCIA-IDP

-----------
The art of diplomacy is saying "nice doggy" til you can find a rock.
Re: SRX: No Policy Logs in Web Device Manager
‎03-29-2011 07:18 PM

Go to Monitor/Events and Alarms/Security events. See if the configured log file(s) are being detected by the page. If not, the "Create log configuration" will be enabled. When you click on it, it creates the proper syslog config and you can start seeing logs.

The important thing is that the world-readable attribute should be set.

This is a sample:

# show | compare rollback 1
[edit system syslog]
     file inter { ... }
+    file policy_session {
+        user info;
+        match RT_FLOW;
+        archive size 1000k world-readable;
+        structured-data;
+    }
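
Review bot: `archive size 1000k world-readable;` in the added `file policy_session` stanza makes this file readable by every local account on the device, and with `match RT_FLOW` it is the file that collects the flow session records. The thread reports that J-Web needs the attribute, so keep it, but restrict which accounts have a local login on the box. The same `archive` line sets only `size`; adding an explicit `files` count, as the top-level `archive size 100k files 3;` in the first post does, would make retention for this log explicit.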

 

Regards

SRX Services Gateway

Re: SRX: No Policy Logs in Web Device Manager

03.30.11   |  
‎03-30-2011 01:27 AM

w00t!

 

Adding the world readable parameter solved my issue here, I now see logs within the log viewer in Jweb.

 

Note, I am using 10.2R3.10

 

Cuddles

 

DM

Re: SRX: No Policy Logs in Web Device Manager
‎03-30-2011 01:57 AM

Oops, I spoke too soon.

I can get logs for some policies but not for others.

Basically I can see the logs in my custom traffic-log file when viewed from the CLI, and this does seem to reflect the correct policy and zonal match; however, when I click on the log icon in the security policy page, I get nothing returned.

Are there any caveats to what we can log successfully?  At the moment I am logging on session-close and have been waiting a while for all the sessions to time out fully.

--
DM

Re: SRX: No Policy Logs in Web Device Manager
‎03-30-2011 11:34 AM

You probably have multiple log files configured and the incorrect one is being picked. The log icon logic picks up the one based on certain criteria: the first one in the syslog config that matches with match=RT_FLOW, world-readable and level=user or any. If it doesn't match this, then it looks for world-readable and level=user or any.

If you are in the Security Events page, you are probably seeing multiple log files in the first field?

The best thing is to use the Security Events page first and see if the logfile is the first one in the list and you are able to search for the policy you are looking for. If that works, the log icon from Configuration or Monitoring should work.

 

Regards
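
The selection order described in the reply above, as an added example that is not part of the original post and is not J-Web's own code. It assumes that "level=user or any" refers to the facility keyword, that a match pattern containing RT_FLOW satisfies match=RT_FLOW, and that only per-file `archive` statements are checked; the sample config is constructed from the stanzas posted in this thread.

```python
import re

# Constructed sample: file stanzas from the first post plus the
# policy_session stanza from the later reply in this thread.
SAMPLE = """
file messages {
    any critical;
    authorization info;
}
file traffic-log {
    any any;
    match RT_FLOW_SESSION;
}
file policy_session {
    user info;
    match RT_FLOW;
    archive size 1000k world-readable;
    structured-data;
}
"""

def parse_files(config):
    """Return [(name, facilities, match, world_readable)] in config order."""
    files = []
    for name, body in re.findall(r"\bfile\s+(\S+)\s*\{(.*?)\}", config, re.S):
        stmts = [s.split() for s in body.split(";") if s.strip()]
        match = next((" ".join(s[1:]).strip('"') for s in stmts if s[0] == "match"), None)
        world = any(s[0] == "archive" and "world-readable" in s for s in stmts)
        # Remaining two-word statements are "<facility> <level>" pairs.
        facs = {s[0] for s in stmts if len(s) == 2 and s[0] not in ("match", "archive")}
        files.append((name, facs, match, world))
    return files

def pick_log_file(config):
    """Apply the two-pass selection described in the reply (assumed reading)."""
    files = parse_files(config)
    # Both passes require world-readable and facility user or any.
    usable = [f for f in files if f[3] and f[1] & {"user", "any"}]
    for name, _, match, _ in usable:          # pass 1: must also match RT_FLOW
        if match and "RT_FLOW" in match:
            return name
    return usable[0][0] if usable else None   # pass 2: first usable file, if any

if __name__ == "__main__":
    print(pick_log_file(SAMPLE))
```

Run against the first post's stanzas alone, it returns no file at all, because `traffic-log` has no `world-readable` archive attribute.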

 

 

Re: SRX: No Policy Logs in Web Device Manager
‎01-06-2012 12:33 AM

As an update to this folks, there seems to be a KB article now

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB19490

 

njoy

--
DM
