SRX Services Gateway

What happens to SRX Security Logs if remote syslog server is unavailable

04-09-2019 09:40 AM

If I have an SRX sending data plane security logs in stream mode to an external syslog server, and that server is unreachable for some reason, does the SRX cache or buffer those security logs until the connection is restored? It seems like I read somewhere that it did with available memory but once that memory buffer was full it would start dropping the messages. I can't seem to find any documentation about what happens to the log messages when the remote syslog system is unavailable.

I know you can configure multiple syslog servers but I am curious what happens if you only have 1. 


Thanks for the help.


Re: What happens to SRX Security Logs if remote syslog server is unavailable

04-09-2019 09:47 AM

Hi, RRiley


The SRX won't buffer the logs.


The syslog messages are sent over UDP so there is no acknowledgment mechanism for the SRX to detect if the server is available or not. If you see a syslog session, the server doesn't send any packets to the SRX.


Hope this helps.


Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!

Re: What happens to SRX Security Logs if remote syslog server is unavailable

04-09-2019 10:09 AM

Thanks for the reply. We are actually using TLS to ship the logs. Sorry I didn't specify that. Not sure if that changes anything. I can see in the 'messages' log when I connect or disconnect from the remote server.


Re: What happens to SRX Security Logs if remote syslog server is unavailable

04-09-2019 04:01 PM

RRiley,


Thanks for the confirmation. Unfortunately after some research I was not able to find any documentation that confirms this. However, if we think about it we can tell that the SRX uses TCP (if we are using TLS) and in absence of an Ack message from the remote peer, TCP will retransmit the data until either a reply is received or the connection times out. During the time that the SRX waits for the Ack message I believe it will buffer the messages until a reply is received or the connection times out, in which case the data will be lost.


Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!
Solution
Accepted by topic author RRiley
04-10-2019 05:15 AM

Re: What happens to SRX Security Logs if remote syslog server is unavailable

04-10-2019 02:15 AM

When the connection to the server is broken, the SRX will try to get the connection restored and the logs will be saved in a buffer during this period.


Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
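The behaviour the two replies above describe for a TCP/TLS stream (the sender holds data while the peer is silent, and whatever is still queued when the connection finally gives up is lost) is easy to see with a small forwarder that keeps its own bounded queue. The following is an added illustration written for this thread, not Juniper code and not a description of the SRX's internal buffer: it uses a loopback collector, a constructed set of messages, an assumed queue depth of three, and a drop-oldest policy and RFC 6587 octet-counting framing chosen here. It shows that messages sent while the collector refuses connections are held, the oldest is discarded once the queue is full, and the held messages are delivered in order as soon as the listener is back.

```python
"""Bounded-buffer TCP syslog forwarder (added example, not Juniper's code).

Demonstrates what a sender can and cannot do when the remote collector is
down: hold messages in a finite queue, drop the oldest when it overflows,
and flush in order once the connection can be re-established.
"""
import socket
import threading
from collections import deque


class BufferedSyslogForwarder:
    """Plain-TCP forwarder with a finite in-memory queue (no TLS, for brevity)."""

    def __init__(self, host, port, max_buffer=3):
        self.host, self.port = host, port
        self.max_buffer = max_buffer          # assumed queue depth
        self.buffer = deque()                 # frames not yet delivered
        self.dropped = 0                      # frames discarded on overflow
        self.sock = None

    def _connect(self):
        if self.sock is not None:
            return True
        try:
            self.sock = socket.create_connection((self.host, self.port), timeout=0.5)
            return True
        except OSError:                       # refused / unreachable / timeout
            return False

    def flush(self):
        """Deliver queued frames in order; stop at the first send failure."""
        if not self._connect():
            return 0
        sent = 0
        while self.buffer:
            try:
                self.sock.sendall(self.buffer[0])
            except OSError:                   # peer went away mid-stream
                self.sock.close()
                self.sock = None
                return sent
            self.buffer.popleft()
            sent += 1
        return sent

    def send(self, msg):
        """Queue one message (octet-counted: "<len> <msg>") and try to flush."""
        self.flush()                          # drain older frames first
        body = msg.encode()
        self.buffer.append(f"{len(body)} ".encode() + body)
        while len(self.buffer) > self.max_buffer:
            self.buffer.popleft()             # drop-oldest policy (a choice made here)
            self.dropped += 1
        return self.flush()

    def close(self):
        if self.sock is not None:
            self.sock.close()
            self.sock = None


def parse_frames(data):
    """Split octet-counted frames back into message strings."""
    msgs = []
    while data:
        length, _, rest = data.partition(b" ")
        n = int(length)
        msgs.append(rest[:n].decode())
        data = rest[n:]
    return msgs


def _collect(listener, sink):
    conn, _ = listener.accept()
    with conn:
        while chunk := conn.recv(4096):
            sink.append(chunk)


def demo(n_while_down=4, n_after_up=2, max_buffer=3):
    """Collector is 'down' (bound, not listening), then comes back; returns what happened."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))           # bound but not listening -> connection refused
    port = listener.getsockname()[1]
    fwd = BufferedSyslogForwarder("127.0.0.1", port, max_buffer=max_buffer)
    for i in range(n_while_down):             # constructed sample messages
        fwd.send(f"<14>down-{i}")
    held = len(fwd.buffer)
    listener.listen(1)                        # collector is back
    chunks = []
    t = threading.Thread(target=_collect, args=(listener, chunks), daemon=True)
    t.start()
    for i in range(n_after_up):
        fwd.send(f"<14>up-{i}")
    fwd.close()                               # EOF lets the collector thread finish
    t.join(timeout=2)
    listener.close()
    return {"held_while_down": held, "dropped": fwd.dropped,
            "delivered": parse_frames(b"".join(chunks))}


if __name__ == "__main__":
    print(demo())
```

The queue depth is the whole story: with four messages sent while the collector refuses connections and room for three, exactly one (the oldest) is lost, and the three survivors arrive ahead of anything sent after the reconnect. Whatever the device's real buffer size is, a second collector or a local file log is the only way to cover an outage longer than that buffer can absorb.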

Re: What happens to SRX Security Logs if remote syslog server is unavailable

04-10-2019 05:15 AM

Thanks everyone. Good to know. I thought I had read an official Juniper document about this but I cannot find it anymore.