SRX Services Gateway

logging

07-24-2019 04:10 PM

Some questions relating to the syslog configuration below:

1-) What is the difference between the cli-commands file and the interactive-commands file for logging?

2-) What are the reasons that there is a default-log-messages file under the system syslog stanza when there is a messages log file under the groups sys system syslog? If these files are the same, what reasons could result in creating an extra log file?

3-) Are the sd-syslog and structured-data formats the same?

4-) When it comes to optimizing the syslog configuration below, which statements are really not needed, and why?

5-) When it comes to separating logs from security policies directly to the external syslog server, what configuration must there be?

6-) Is there any benefit to putting all syslog configuration under the groups?

7-) Which statements in the syslog configuration below relate to the data plane logging?


SRX650> sh conf | dis se | mat syslog
set groups sys system syslog user * any emergency
set groups sys system syslog host 10.10.10.10 any emergency
set groups sys system syslog host 10.10.10.10 authorization info
set groups sys system syslog host 10.10.10.10 firewall any
set groups sys system syslog host 10.10.10.10 interactive-commands info
set groups sys system syslog file messages any notice
set groups sys system syslog file messages authorization info
set groups sys system syslog file interactive-commands interactive-commands any
set groups sys system syslog file cli-commands interactive-commands any
set groups sys system syslog file emergency any emergency
set groups sys system syslog file firewall firewall notice
set groups sys system syslog file default-log-messages any any
set groups sys system syslog file default-log-messages structured-data
set groups sys system syslog file authorization authorization any
set groups sys system syslog file traffic-log any any
set groups sys system syslog file traffic-log match RT_FLOW_SESSION
set groups sys system syslog file traffic-log archive size 2m
set groups sys system syslog file traffic-log archive files 4
set groups sys system syslog file traffic-log structured-data
set system syslog host 10.10.10.10 source-address 192.168.20.20
set system syslog file default-log-messages any info
set system syslog file default-log-messages match "(FRU Offline)|(FRU Online)|(FRU insertion)|(FRU power)|(FRU removal)|(commit complete)|(copying configuration to juniper.save)|(license add)|(license delete)|(link UP)|(package -X delete)|(package -X update)|(plugged in)|(requested 'commit synchronize' operation)|(requested 'commit' operation)|(unplugged)|Transferred|ifAdminStatus|transfer-file|transitioned|GRES|(AIS_DATA_AVAILABLE)"
set system syslog file default-log-messages structured-data

SRX650>


Re: logging

07-24-2019 07:43 PM

Hi Arix,

Please find the answers inline.

1-) What is the difference between the cli-commands file and the interactive-commands file for logging?
A: When you specify "set system syslog file interactive-commands interactive-commands any", it means that you've configured syslog to log the interactive commands you type in your CLI to a file named "interactive-commands" locally on your SRX. The cli-commands file and the interactive-commands file are the same, so you can delete one of them.


2-) What are the reasons that there is a default-log-messages file under the system syslog stanza when there is a messages log file under the groups sys system syslog? If these files are the same, what reasons could result in creating an extra log file?
A: Comparing the configuration for "messages" and "default-log-messages", I can see that the facility differs. Actually, I don't think an extra log file is being created; someone must have altered it, because by default only critical messages are logged to a local file known as messages on the SRX Series device. For more information, please refer to the following KB article - https://kb.juniper.net/InfoCenter/index?page=content&id=KB16502


3-) Are the sd-syslog and structured-data formats the same?
A: No, they are not the same. The syslog structure/output will vary between sd-syslog and structured-data. For more information regarding structured syslog, please refer to the following technical documentation - https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/structure...


4-) When it comes to optimizing the syslog configuration below, which statements are really not needed, and why?
A: Please refer to the following KB articles and configure syslog as per your requirements:
https://kb.juniper.net/InfoCenter/index?page=content&id=kb16502
https://kb.juniper.net/InfoCenter/index?page=content&id=KB16509


However, from your configuration I would like to correct a few things:

> Instead of the 4 lines below, you could have included "any any" so that all the logs are sent to 10.10.10.10.

set groups sys system syslog host 10.10.10.10 any emergency
set groups sys system syslog host 10.10.10.10 authorization info
set groups sys system syslog host 10.10.10.10 firewall any
set groups sys system syslog host 10.10.10.10 interactive-commands info


> One more thing I observed is the following lines. The lines below can overwhelm your Routing Engine CPU, so send these logs to the external syslog server rather than saving them locally on the SRX.

set groups sys system syslog file traffic-log any any
set groups sys system syslog file traffic-log match RT_FLOW_SESSION
set groups sys system syslog file traffic-log archive size 2m
set groups sys system syslog file traffic-log archive files 4
set groups sys system syslog file traffic-log structured-data


5-) When it comes to separating logs from security policies directly to the external syslog server, what configuration must there be?
A: Please go through the KB article - https://kb.juniper.net/InfoCenter/index?page=content&id=KB16509


6-) Is there any benefit to putting all syslog configuration under the groups?
A: If you're using a chassis cluster, then it is logical to put the syslog configuration under the groups. However, I have seen people configuring it under groups as well.


7-) Which statements in the syslog configuration below relate to the data plane logging?
A: The lines below are related to data plane logging:

set groups sys system syslog file traffic-log any any
set groups sys system syslog file traffic-log match RT_FLOW_SESSION
set groups sys system syslog file traffic-log archive size 2m
set groups sys system syslog file traffic-log archive files 4
set groups sys system syslog file traffic-log structured-data

Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
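As an added example (not part of this thread), here is a small Python parser for the structured-data format the SRX emits once "structured-data" is set on a file or host: it splits the RFC 5424-style header from the [junos@... key="value"] block, decodes PRI into facility and severity, and applies the same RT_FLOW_SESSION match used by the traffic-log file, so you can see which messages the data-plane file would have captured. The sample messages, the junos@2636... SD-ID and the policy names are constructed for this example.

```python
import re
from collections import Counter

# Junos "structured-data" syslog: an RFC 5424-style header followed by one
# SD element:  <PRI>1 TIMESTAMP HOST PROCESS PID MSGTAG [SD-ID key="value" ...]
HEADER_RE = re.compile(
    r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<pid>\S+) '
    r'(?P<tag>\S+) \[(?P<sdid>\S+) (?P<params>.*)\]\s*$')
PARAM_RE = re.compile(r'(\S+?)="([^"]*)"')
# Same regex the SRX applies for "file traffic-log match RT_FLOW_SESSION".
TRAFFIC_LOG_MATCH = re.compile(r'RT_FLOW_SESSION')

# Constructed sample messages (not captured from a real device); the
# junos@2636... SD-ID, policy names and addresses are assumptions.
SAMPLE_LOGS = [
    '<14>1 2019-07-24T16:10:01Z SRX650 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.129 source-address="192.168.20.50" source-port="51234" '
    'destination-address="10.10.10.10" destination-port="514" protocol-id="17" '
    'policy-name="allow-syslog" source-zone-name="trust"]',
    '<14>1 2019-07-24T16:10:02Z SRX650 RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@2636.1.1.1.2.129 source-address="192.168.20.77" source-port="40000" '
    'destination-address="10.10.10.10" destination-port="23" protocol-id="6" '
    'policy-name="default-deny" reason="policy deny"]',
    '<14>1 2019-07-24T16:10:09Z SRX650 RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="192.168.20.50" '
    'destination-address="10.10.10.10" policy-name="allow-syslog"]',
    # Control-plane message from the same box: the traffic-log match skips it.
    '<37>1 2019-07-24T16:10:10Z SRX650 mgd 1234 UI_COMMIT '
    '[junos@2636.1.1.1.2.129 username="admin" message="commit complete"]',
]

def parse_structured(line):
    """Header fields plus SD params as a dict; None if not structured-data."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['params'] = dict(PARAM_RE.findall(m.group('params')))
    rec['facility'], rec['severity'] = divmod(int(rec['pri']), 8)  # PRI = fac*8+sev
    return rec

def summarize(lines):
    """Count (message tag, policy-name) for lines the traffic-log match keeps;
    returns (Counter, number of lines not captured by that file)."""
    counts, not_captured = Counter(), 0
    for line in lines:
        rec = parse_structured(line) if TRAFFIC_LOG_MATCH.search(line) else None
        if rec is None:
            not_captured += 1
            continue
        counts[(rec['tag'], rec['params'].get('policy-name', 'n/a'))] += 1
    return counts, not_captured
```

Feeding it the default "standard" (non-structured) format returns None from parse_structured, which is the practical difference between the two formats that the thread asks about.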