SRX Services Gateway

SRX3600 sending logs to remote syslog server

‎01-16-2019 02:19 PM

Hello. I'm trying to configure our SRX3600 cluster to send syslog messages to the remote syslog/SIEM server. I have the following configured on the cluster.

 

syslog {
    archive size 128k files 50 world-readable;
    user * {
        any emergency;
    }
    host 10.64.20.50 {
        any any;
        authorization any;
        firewall any;
        source-address 192.168.246.1;
        explicit-priority;
        structured-data {
            brief;
        }
    }
    file messages {
        any notice;
        authorization info;
    }
    file interactive-commands {
        interactive-commands any;
    }
    file interface_logs {
        any any;
        match UpDown;
    }
    source-address 192.168.246.1;
}

The routing for the cluster:


routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 192.168.170.1;
            retain;
        }
         route 10.64.20.50/32 next-table internet.inet.0;
    }
}

routing-instances {
    internet {
        instance-type virtual-router;
        # interface commands excluded for brevity
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 193.25.220.1;
                    retain;
                }
                route 10.0.0.0/8 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.254.0/24 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.0.0/16 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.234.0/24 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.90.0/23 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.55.0/24 {
                    next-hop 192.168.246.254;
                    retain;
                }
            }
        }
    }
}

 

When configured like this I'm not seeing anything being sent to the remote server.

The funny thing is that I'm sending screen messages to the same server and they are coming through without a problem with the following configuration:

 

security {
    log {
        mode stream;
        format sd-syslog;
        source-address 192.168.246.1;
        stream SIEM_log {
            category all;
            host {
                10.64.20.50;
                port 514;
            }
        }
    }
}


Any help on what I'm missing here would be great.


Re: SRX3600 sending logs to remote syslog server

‎01-16-2019 04:45 PM

Do your security policies also include the log option in them?

The security logs are only generated for policies that have the log parameter set.

And any deny policy must log on session initiation, not on close.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: SRX3600 sending logs to remote syslog server

‎01-16-2019 05:04 PM

Hi, Igor

 

Can you change the source address for system syslog to an address of an interface part of inet.0 (default routing-instance):

 

syslog {
    archive size 128k files 50 world-readable;
    user * {
        any emergency;
    }
    host 10.64.20.50 {
        any any;
        authorization any;
        firewall any;
        source-address 192.168.246.1;
        explicit-priority;
        structured-data {
            brief;
        }
    }
}

I think that 192.168.246.1 is configured on an interface in the internet virtual-router, and because the system logs are sent from the inet.0 instance there is a problem.

 

Please let us know.

 

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!

Re: SRX3600 sending logs to remote syslog server

‎01-17-2019 12:35 AM

Hi.

 


That's the thing. All of my interfaces are in the internet routing instance. As far as I can see there are no interfaces assigned to inet.0. Here is some output:

 

# run show route

inet.0: 9 destinations, 9 routes (8 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 14w6d 08:27:24
                    > to 192.168.170.1 via fxp0.0
10.64.8.96/32      *[Static/5] 14w6d 08:27:25
                      to table internet.inet.0
10.64.8.202/32     *[Static/5] 14w6d 08:27:25
                      to table internet.inet.0
10.64.20.50/32     *[Static/5] 14w6d 08:27:25
                      to table internet.inet.0
161.53.123.5/32    *[Static/5] 14w6d 08:27:25
                      to table internet.inet.0
161.53.160.5/32    *[Static/5] 14w6d 08:27:25
                      to table internet.inet.0
192.168.170.0/24   *[Direct/0] 14w6d 08:27:25
                    > via fxp0.0
192.168.170.253/32 *[Local/0] 14w6d 08:27:25

 

I see that there is interface fxp0.0 in inet.0, but I don't have it configured anywhere in the configuration.

 

@spuluka

 

First I want to try to get who is trying to log in/out of the device and then I can try to do the other stuff. Baby steps :)

 
 

Re: SRX3600 sending logs to remote syslog server

‎01-17-2019 06:39 AM

You can just configure an IP on a loopback interface (lo0) in the default instance (inet.0) and then either forward the traffic via a firewall filter as described in https://forums.juniper.net/t5/SRX-Services-Gateway/SYSLOG-Help-with-SRX/td-p/313444 - or by doing route-leaking between the Internet routing-instance and inet.0... can be done via e.g. rib groups.


--
Best regards,

Jonas Hauge Klingenberg
Systems Engineer, SEC DATACOM A/S (Denmark)
Solution
Accepted by topic author igor.hamzic81
‎02-20-2019 04:59 PM

Re: SRX3600 sending logs to remote syslog server

‎01-18-2019 11:04 PM

Igor,

 

Because you already have the routing in place, you could just configure an IP address on the loopback interface, that by default is in the master routing-instance, and source the packets from there. This will be the same solution of the NTP issue you are having as well.

 

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!
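The loopback approach from the accepted solution, written out as an added Junos configuration example (not the thread author's own configuration). It assumes a constructed loopback address 192.168.250.1/32 on lo0 unit 0, kept in the master instance so it lives in inet.0, and reuses the thread's syslog server 10.64.20.50 and the existing `next-table internet.inet.0` route.

```junos
/* Added example, not the poster's config. 192.168.250.1/32 is a constructed
   address from a separate range; lo0.0 is not placed in any routing-instance,
   so it belongs to the master instance (inet.0), which is where system
   syslog is sourced from. */
interfaces {
    lo0 {
        unit 0 {
            family inet {
                address 192.168.250.1/32;
            }
        }
    }
}
system {
    syslog {
        host 10.64.20.50 {
            any any;
            authorization any;
            firewall any;
            /* source from the inet.0 loopback, not from the
               virtual-router interface 192.168.246.1 */
            source-address 192.168.250.1;
            explicit-priority;
            structured-data {
                brief;
            }
        }
    }
}
routing-options {
    static {
        /* already present in the thread: inet.0 hands the syslog server
           route to the internet virtual-router, which has the real uplinks */
        route 10.64.20.50/32 next-table internet.inet.0;
    }
}
```

Before expecting logs, check that `show route 10.64.20.50` resolves via internet.inet.0 and that `ping 10.64.20.50 source 192.168.250.1` succeeds (the ping needs a return route to the loopback on the far side, which one-way UDP syslog itself does not).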

Re: SRX3600 sending logs to remote syslog server

‎01-21-2019 06:55 PM

Hi thanks for the reply. I will try this in a few days as I'm in the middle of network upgrades which I have to finish first.

 

Just one question before I try this. Can I use on the loopback interface an IP address from the range that is in the virtual routing table, or must the IP address on the loopback be from a separate range?


Re: SRX3600 sending logs to remote syslog server

‎01-22-2019 10:27 PM

Hi, Igor

 

I would advise using a different subnet, maybe one that you could use as the "management subnet". Still, I believe you could also use an IP address from the range of the virtual router, because the default instance uses a separate routing table (inet.zero) and anyway the syslog traffic is always unidirectional, from SRX to syslog server.

 

Give it a try and let us know.

 

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!

Re: SRX3600 sending logs to remote syslog server

‎02-11-2019 03:08 PM

Hi, Igor

 

Were you able to fix the problem?

 

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!

Re: SRX3600 sending logs to remote syslog server

‎02-20-2019 04:53 PM

Sorry for the late reply everyone, but other work just took over and I didn't go near this until today. Anyway, I added a new network to the loopback interface and it worked like a charm. I can now see logs from the SRX with the IP I configured on the lo0 interface as source and destination IP in the syslog.

 

It somehow feels strange that I have to use a loopback for this to work, but that could just be my primarily Cisco background :)

 

Thank you everyone for the help.


Re: SRX3600 sending logs to remote syslog server

‎08-07-2019 01:54 PM

I am having a similar issue. Can you advise?

 

syslog {
    archive size 100k files 3;
    user * {
        any emergency;
    }
    host 172.16.253.253 {
        any any;
    }
    file messages {
        any critical;
        authorization info;
    }
    file interactive-commands {
        interactive-commands error;
    }
    file kmd-logs {
        daemon info;
        match KMD;
    }
    file policy_session {
        user info;
        match RT_FLOW;
        archive size 1000k world-readable;
        structured-data;
    }
    source-address 2.2.2.2;
}

 

I can ping 2.2.2.2 from the 172.16.253.0/24 subnet

 

T.inet.0: 20 destinations, 20 routes (20 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 22w5d 19:15:14
to table ISP-V300.inet.0
1.1.1.1/32 *[Direct/0] 22w5d 19:15:19
> via lo0.0
2.2.2.2/32 *[OSPF/10] 22w5d 19:14:54, metric 1
> to 192.168.151.254 via ge-5/0/4.151
to 192.168.150.254 via ge-0/0/4.150
10.10.0.0/24 *[Static/5] 22w5d 19:15:14
to table HOSTED-DR.inet.0
10.11.0.0/24 *[Static/5] 22w5d 19:15:14
to table HOSTED-DR.inet.0
to 192.168.150.254 via ge-0/0/4.150
172.16.101.0/24 *[OSPF/10] 22w5d 19:14:54, metric 2
to 192.168.151.254 via ge-5/0/4.151
> to 192.168.150.254 via ge-0/0/4.150
172.16.253.0/24 *[OSPF/10] 22w5d 19:14:54, metric 2
> to 192.168.151.254 via ge-5/0/4.151
to 192.168.150.254 via ge-0/0/4.150

 

Thanks

Todd


Re: SRX3600 sending logs to remote syslog server

‎08-07-2019 04:01 PM

Hi, I would advise to open a new thread for this.

 

Please mark this comment as the Solution if applicable

Re: SRX3600 sending logs to remote syslog server

‎08-07-2019 05:11 PM

Is the source address 2.2.2.2 on the interface ge-5/0/4.151?

 

Can you ping on the SRX from this source to the syslog server?

ping 172.16.253.253 source 2.2.2.2

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home