SRX Services Gateway

SRX security logs in Stream mode not working

09-16-2018 06:26 PM

Hi everyone,

To better understand security logs in stream mode, I set up the following scenario:

[Diagram: SRX-STREAM-SCENARIO.PNG]

Above we are using an SRX 100.

Design goal:

SRX should send all SECURITY LOGS in stream mode to SYSLOG server 20.20.20.30.

SRX should send all other logs to SYSLOG server 20.20.20.20.

Traffic from 10.10.10.10 destined to 30.30.30.30 should be denied and logged; such logs must be sent to SYSLOG server 20.20.20.30, as it is a SECURITY LOG.

I noticed:

1) The denied log for SRC 10.10.10.10, DST 30.30.30.30 is not being sent to SYSLOG server 20.20.20.30.

2) SRX instead still sends security logs to SYSLOG server 20.20.20.20.

Please see the attached, which shows the SRX config and a capture taken on f0/1 on the SRX, for detail.

Let me know if I am missing anything.

Thanks

EDIT:

I discovered I had not configured the facility severity level. Once I configured that, I see the SRX sends syslog in stream mode to syslog 20.20.20.30:

set security log stream TEST severity level debug

I will leave this post up so it will come in handy for others if they encounter such an issue.


Re: SRX security logs in Stream mode not working

09-16-2018 10:11 PM
Hi,

First off, have you got "set security log mode stream" in your configuration? Event and stream behave differently (event mode, which from memory is the default on branch devices, sends the logging information to the control plane, while stream just sends it from the forwarding plane).

Regards,
Shane

Re: SRX security logs in Stream mode not working

09-17-2018 12:34 AM

Hi,

SRX can send policy logs either in "event" mode or in "stream" mode, but it cannot be set up to use both at the same time. Whenever you flip from event to stream, everything configured for policy logging under "system syslog" is ignored.

For the SRX100 the default mode is "event".

Source:

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/security-...

Below is a KB article that explains the opposite behavior to the one you are having right now. In that case, the matching of policy logs using the regex "RT_FLOW" only happens in the Routing Engine, but that configuration is ignored if the device is set up in "stream" mode.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB23118

(My apologies beforehand for the bad grammar. I'll be looking forward to correcting the article right above.)
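Putting the thread together as an added example (my own configuration, not taken from any post or the attachment): the event-mode setup the original poster effectively started from, beside a stream-mode setup that sends the security logs to 20.20.20.30 with the stream severity statement the poster found missing. Statement names follow the Junos `security log` and `security policies` hierarchies; the zone, address-book and policy names and the 20.20.20.1 source address are assumed, and the `##` lines are explanatory annotations rather than CLI input.

```junos
## --- Alternative A: event mode (the default on the SRX100) ---
## Security logs are handed to the Routing Engine and forwarded by
## "system syslog", so the RT_FLOW messages land on 20.20.20.20
## together with every other log. Nothing reaches 20.20.20.30.
set security log mode event
set system syslog host 20.20.20.20 any any

## --- Alternative B: stream mode, meeting the design goal ---
## Once mode is "stream", "system syslog" no longer carries the
## RT_FLOW policy logs; they leave the forwarding plane straight to
## the stream host, so the stream needs its own severity or nothing
## is emitted (the symptom in the original post).
set security log mode stream
set security log source-address 20.20.20.1            ## assumed SRX address
set security log stream TEST format sd-syslog
set security log stream TEST host 20.20.20.30
set security log stream TEST severity debug           ## the missing statement

## Non-security logs (commits, daemons, ...) still follow "system syslog".
set system syslog host 20.20.20.20 any any

## The deny policy for 10.10.10.10 -> 30.30.30.30 must itself log,
## otherwise no RT_FLOW record is generated in either mode.
## (zone names, address-book entries and policy name are assumed)
set security policies from-zone trust to-zone untrust policy DENY-TEST match source-address HOST-10.10.10.10
set security policies from-zone trust to-zone untrust policy DENY-TEST match destination-address HOST-30.30.30.30
set security policies from-zone trust to-zone untrust policy DENY-TEST match application any
set security policies from-zone trust to-zone untrust policy DENY-TEST then deny
set security policies from-zone trust to-zone untrust policy DENY-TEST then log session-init
```

Only one of the two `security log mode` alternatives can be committed at a time; after committing B, a capture on the interface facing 20.20.20.30 is the quickest confirmation that the denied session's RT_FLOW message is now streamed there.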
