SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  firewall events not showing on J-web

    Posted 06-18-2019 00:55

    Hi Guys,

     

    Traffic events are not showing on our SRX345 J-Web. Under 'Monitor > Events > Firewall' it always shows "Traffic logging is not Enable", but we've done it many times already, even in the security policies log. No problem on the CLI; we can see the traffic log in show log. The security log is in event mode, as it is configured by default on enterprise SRX.



  • 2.  RE: firewall events not showing on J-web
    Best Answer

    Posted 06-18-2019 01:07

    Hello,

     

    What is the version that you are running on the device? If you are running Junos OS release 15.1X49-D100 or later, J-Web has been enhanced to support on-box reporting, which works in stream mode.

     

    This is the configuration that should be present to make this work:

    security {
        log {
            mode stream;            <<< Don't use event mode.
            report;                 <<<
            source-address X.X.X.X;
            stream XXXXX {
                host {
                    X.X.X.X;
                }
            }
        }
    }

     

    Please follow this KB for more information:

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB32479&pmv=print&actp=METADATA&searchid=&type=currentpaging

     

    Regards,

    Prakash



  • 3.  RE: firewall events not showing on J-web

     
    Posted 06-18-2019 01:09

    Hi,

     

    I believe you have followed this KB: https://kb.juniper.net/InfoCenter/index?page=content&id=KB19490&actp=METADATA

     

    Can you please double check the below?

     

    J-web will recognize the following settings as the syslog file that contains the traffic log: 

    file policy_session {
        any any;                   // This can be any of [any/any, any/info, user/any, user/info]
        match RT_FLOW;             // Needs exactly the same match string for the system to search logs for policy
        archive world-readable;    // Required
        structured-data;           // Preferred for fast searching when using filters
    }

     

    You can do a quick check on the file permissions and whether the RT_FLOW tag is seen in the file.

    file list detail /var/log/<log-file-name>

    show log <log-file-name> | match RT_FLOW

     

    If you can share details of the log file configuration and the above two commands, it would help.

     

    Regards,

     

    Vikas
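
The syslog file requirements listed in reply 3, as an added example that is not part of the thread or of any Juniper tooling: a Python check over configuration text pasted from the device. The sample configuration and the function name `check_syslog_files` are constructed for illustration, and the parser assumes file stanzas without nested braces.

```python
import re

# Facility/severity pairs the post lists as acceptable for the traffic log file.
ALLOWED_SELECTORS = {("any", "any"), ("any", "info"), ("user", "any"), ("user", "info")}
KEYWORDS = {"match", "archive", "structured-data"}

# Constructed sample syslog file stanzas (not taken from the thread).
SAMPLE_CONFIG = """
file messages {
    any notice;
    authorization info;
}
file policy_session {
    any any;
    match RT_FLOW;
    archive world-readable;
    structured-data;
}
file traffic-log {
    user info;
    match "RT_FLOW_SESSION";
    archive size 1m files 3;
}
"""

def check_syslog_files(config_text):
    """Map each 'file NAME { ... }' stanza to a list of findings (empty = matches the post)."""
    results = {}
    # Assumption: stanzas contain no nested braces.
    for name, body in re.findall(r"\bfile\s+(\S+)\s*\{([^{}]*)\}", config_text):
        body = re.sub(r"//[^\n]*", "", body)  # drop '//' annotations as used in the post
        stmts = [s.split() for s in body.split(";") if s.strip()]
        findings = []
        selectors = {tuple(s) for s in stmts if len(s) == 2 and s[0] not in KEYWORDS}
        if not selectors & ALLOWED_SELECTORS:
            findings.append("selector is not any/any, any/info, user/any or user/info")
        matches = [s[1].strip('"') for s in stmts if len(s) == 2 and s[0] == "match"]
        if matches != ["RT_FLOW"]:
            findings.append("match string is not exactly RT_FLOW")
        if not any(s[0] == "archive" and "world-readable" in s for s in stmts):
            findings.append("archive world-readable is missing")
        if ["structured-data"] not in stmts:
            findings.append("structured-data is missing (preferred, not required)")
        results[name] = findings
    return results

if __name__ == "__main__":
    for name, findings in check_syslog_files(SAMPLE_CONFIG).items():
        print(name, "->", findings or "OK")
```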