SRX3600 sending logs to remote syslog server
Hello. I'm trying to configure our SRX3600 cluster to send syslog messages to the remote syslog/SIEM server. I have the following configured on the cluster.
syslog {
archive size 128k files 50 world-readable;
user * {
any emergency;
}
host 10.64.20.50 {
any any;
authorization any;
firewall any;
source-address 192.168.246.1;
explicit-priority;
structured-data {
brief;
}
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
file interface_logs {
any any;
match UpDown;
}
source-address 192.168.246.1;
}
The routing for the cluster:
routing-options {
static {
route 0.0.0.0/0 {
next-hop 192.168.170.1;
retain;
}
route 10.64.20.50/32 next-table internet.inet.0;
}
}
routing-instances {
internet {
instance-type virtual-router;
#interface commands excluded for brevity
routing-options {
static {
route 0.0.0.0/0 {
next-hop 193.25.220.1;
retain;
}
route 10.0.0.0/8 {
next-hop 192.168.246.254;
retain;
}
route 192.168.254.0/24 {
next-hop 192.168.246.254;
retain;
}
route 192.168.0.0/16 {
next-hop 192.168.246.254;
retain;
}
route 192.168.234.0/24 {
next-hop 192.168.246.254;
retain;
}
route 192.168.90.0/23 {
next-hop 192.168.246.254;
retain;
}
route 192.168.55.0/24 {
next-hop 192.168.246.254;
retain;
}
}
}
}
}
When configured like this I'm not seeing anything being sent to remote server.
The funny thing is that I'm sending screen messages to the same server and they are coming through without a problem with the following configuration:
security {
log {
mode stream;
format sd-syslog;
source-address 192.168.246.1;
stream SIEM_log {
category all;
host {
10.64.20.50;
port 514;
}
}
}
Any help on what I'm missing here would be great.
Re: SRX3600 sending logs to remote syslog server
Do your security policies also include the log option in them?
The security logs are only generated for policies that have the log parameter set.
And any deny policy must log on session initiation, not close.
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
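As an added illustration of the point above (example configuration written for this thread, not taken from the original poster's SRX or from Juniper documentation), a permit policy can log both session-init and session-close, while a deny policy creates no session and therefore only produces a log if session-init is set. Zone names, policy names and the application are placeholders.

```junos
security {
    policies {
        from-zone trust to-zone untrust {
            /* hypothetical permit policy: a session exists, so both events can be logged */
            policy allow-web {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
            /* hypothetical deny policy: no session is ever built, so session-close never fires */
            policy deny-rest {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
}
```

The resulting RT_FLOW messages are emitted through the security log stream configured under security log (the stream SIEM_log stanza in the first post), which is a separate path from the system syslog host stanza that the thread is troubleshooting.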
Re: SRX3600 sending logs to remote syslog server
Hi, Igor
Can you change the source address for system syslog to an address of an interface part of inet.0 (default routing-instance):
syslog {
archive size 128k files 50 world-readable;
user * {
any emergency;
}
host 10.64.20.50 {
any any;
authorization any;
firewall any;
source-address 192.168.246.1;
explicit-priority;
structured-data {
brief;
}
}
I think that 192.168.246.1 is configured on an interface in the internet virtual-router, and because the system logs are sent from the inet.0 instance there is a problem.
Please let us know.
Kudos are appreciated too!
Re: SRX3600 sending logs to remote syslog server
Hi.
That's the thing. All of my interfaces are in the internet routing instance. As far as I can see there are no interfaces assigned to inet.0. Here is some output:
# run show route
inet.0: 9 destinations, 9 routes (8 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 14w6d 08:27:24
> to 192.168.170.1 via fxp0.0
10.64.8.96/32 *[Static/5] 14w6d 08:27:25
to table internet.inet.0
10.64.8.202/32 *[Static/5] 14w6d 08:27:25
to table internet.inet.0
10.64.20.50/32 *[Static/5] 14w6d 08:27:25
to table internet.inet.0
161.53.123.5/32 *[Static/5] 14w6d 08:27:25
to table internet.inet.0
161.53.160.5/32 *[Static/5] 14w6d 08:27:25
to table internet.inet.0
192.168.170.0/24 *[Direct/0] 14w6d 08:27:25
> via fxp0.0
192.168.170.253/32 *[Local/0] 14w6d 08:27:25
I see that there is interface fxp0.0 in inet.0, but I don't have it configured anywhere in the configuration.
@spuluka
First I want to try to get who is trying to log in/out of the device and then I can try to do the other stuff. Baby steps
Re: SRX3600 sending logs to remote syslog server
You can just configure an IP on a loopback interface (lo0) in the default instance (inet.0) and then either forward the traffic via a firewall filter as described in https://forums.juniper.net/t5/SRX-Services-Gateway/SYSLOG-Help-with-SRX/td-p/313444, or do route-leaking between the internet routing-instance and inet.0, which can be done via e.g. rib groups.
--
Best regards,
Jonas Hauge Klingenberg
Systems Engineer, SEC DATACOM A/S (Denmark)
Re: SRX3600 sending logs to remote syslog server
Igor,
Because you already have the routing in place, you could just configure an IP address on the loopback interface, that by default is in the master routing-instance, and source the packets from there. This will be the same solution of the NTP issue you are having as well.
Kudos are appreciated too!
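The loopback approach described in this reply and the one above, as an added example configuration written for this thread (it is not the original poster's final configuration and not Juniper-supplied code). It keeps the existing next-table route from the first post so that inet.0 hands the syslog packet to internet.inet.0, and only the stanzas relevant to the fix are shown. The lo0 address 10.255.0.1/32 is a placeholder for a dedicated management-style prefix that is not used anywhere in the internet virtual-router.

```junos
interfaces {
    lo0 {
        unit 0 {
            family inet {
                /* placeholder address; lo0.0 lives in inet.0 unless explicitly moved to an instance */
                address 10.255.0.1/32;
            }
        }
    }
}
system {
    syslog {
        host 10.64.20.50 {
            any any;
            authorization any;
            firewall any;
            /* source from the loopback so the Routing Engine sends via inet.0, not the virtual-router */
            source-address 10.255.0.1;
            explicit-priority;
            structured-data {
                brief;
            }
        }
        source-address 10.255.0.1;
    }
}
routing-options {
    static {
        /* already present in the first post: lookup continues in internet.inet.0 */
        route 10.64.20.50/32 next-table internet.inet.0;
    }
}
```

To verify from the CLI, `show route 10.64.20.50` should resolve in inet.0 with "to table internet.inet.0", and `ping 10.64.20.50 source 10.255.0.1` (which runs in the default instance) should succeed if the path works. Because syslog over UDP is one-directional from the SRX, the server does not need a return route to the loopback, but any host firewall or allow-list on the SIEM that filters by source address has to be updated to accept the new loopback address, otherwise the messages are silently dropped on the receiving side.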
Re: SRX3600 sending logs to remote syslog server
Hi, thanks for the reply. I will try this in a few days as I'm in the middle of network upgrades which I have to finish first.
Just one question before I try this. Can I use on the loopback interface an IP address from the range that is in the virtual routing table, or must the IP address on the loopback be from a separate range?
Re: SRX3600 sending logs to remote syslog server
Hi, Igor
I will advise to use a different subnet, maybe one that you could use as the "management subnet". Still, I believe you could also use an IP address from the range of the virtual router because the default instance uses a separate routing table (inet.zero) and anyway the syslog traffic is always unidirectional, from SRX to syslog server.
Give it a try and let us know.
Kudos are appreciated too!
Re: SRX3600 sending logs to remote syslog server
Hi, Igor
Were you able to fix the problem?
Kudos are appreciated too!
Re: SRX3600 sending logs to remote syslog server
Sorry for the late reply everyone, but other work just took over and I didn't go near this until today. Anyway, I added a new network to the loopback interface and it worked as a charm. I can now see logs from the SRX with the IP I configured on the lo0 interface as source and destination IP in the syslog.
It somehow feels strange that I have to use loopback for this to work, but that could just be my primarily Cisco background.
Thank you everyone for the help.
Re: SRX3600 sending logs to remote syslog server
I am having a similar issue. Can you advise?
syslog {
archive size 100k files 3;
user * {
any emergency;
}
host 172.16.253.253 {
any any;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
file kmd-logs {
daemon info;
match KMD;
}
file policy_session {
user info;
match RT_FLOW;
archive size 1000k world-readable;
structured-data;
}
source-address 2.2.2.2;
I can ping 2.2.2.2 from the 172.16.253.0/24 subnet
T.inet.0: 20 destinations, 20 routes (20 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 22w5d 19:15:14
to table ISP-V300.inet.0
1.1.1.1/32 *[Direct/0] 22w5d 19:15:19
> via lo0.0
2.2.2.2/32 *[OSPF/10] 22w5d 19:14:54, metric 1
> to 192.168.151.254 via ge-5/0/4.151
to 192.168.150.254 via ge-0/0/4.150
10.10.0.0/24 *[Static/5] 22w5d 19:15:14
to table HOSTED-DR.inet.0
10.11.0.0/24 *[Static/5] 22w5d 19:15:14
to table HOSTED-DR.inet.0
to 192.168.150.254 via ge-0/0/4.150
172.16.101.0/24 *[OSPF/10] 22w5d 19:14:54, metric 2
to 192.168.151.254 via ge-5/0/4.151
> to 192.168.150.254 via ge-0/0/4.150
172.16.253.0/24 *[OSPF/10] 22w5d 19:14:54, metric 2
> to 192.168.151.254 via ge-5/0/4.151
to 192.168.150.254 via ge-0/0/4.150
Thanks
Todd
Re: SRX3600 sending logs to remote syslog server
Hi, I would advise to open a new thread for this.
Re: SRX3600 sending logs to remote syslog server
Is the source interface 2.2.2.2 on the interface ge-5/0/4.151?
Can you ping on the SRX from this source to the syslog server?
ping 172.16.253.253 source 2.2.2.2
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home