SRX Services Gateway

srx1500 enable both control plane and data plane logging

‎02-21-2020 07:44 AM

Device: SRX1500 JunOS 19.3

I am confused about how to send both "control plane" and "data plane" related logs to the same syslog server, as I can't seem to get both at the same time.

If I enable "data plane (security log)" logging, then I receive firewall related flow logs, but not other types of syslogs.
If I enable "control plane (system log)" logging, then I receive other types of syslogs, but not firewall logs.
If I have both types of logging present in my configuration, then I only receive firewall logs.
Logs are being sent with a source of lo0.0 and out a normal data plane interface (i.e. ge-0/0/0.0).

How can I send both control plane and data plane syslogs to the same syslog server?

###################
# Example Security log configuration
###################

security {
  log {
    mode stream;
    stream SYSLOG_SERVER {
      format syslog;
      category all;
      host {
        <syslog server ip address>
      }
    }
  }
}

I receive only these types of events on my syslog server:
Facility: RT_FLOW
Event Types:
RT_FLOW_SESSION_CREATE
RT_FLOW_SESSION_CLOSE
RT_FLOW_SESSION_DENY


###################
# Example System log configuration
###################
system {
  syslog {
    host <syslog server ip address> {
      any info;
    }
  }
}

I receive all events (facilities user, kernel, sshd, etc.) on my syslog server, EXCEPT RT_FLOW.


Re: srx1500 enable both control plane and data plane logging

‎02-21-2020 12:04 PM

ryanhitch,

You should be able to receive both types of logs if both are configured at the same time. Have you tried both reported configurations at the same time:

security {
  log {
    mode stream;    ## data-plane logs will be sent from the data-plane itself, not from the RE (recommended)
    stream SYSLOG_SERVER {
      format syslog;
      category all;
      host {
        <syslog server ip address>
      }
    }
  }
}
system {
  syslog {
    host <syslog server ip address> {   ## no traffic logs are sent due to "stream mode" configured under security log,
      any info;                         ## but system event logs will be sent to your server
    }
  }
}

Having both configurations at the same time should force the RE to send event logs to your server and the data plane to send traffic logs to your server.

Please mark my answer as the Solution if it applies.
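As an added example (not from the thread or from Juniper), a small Python check for the symptom described in the question: it classifies lines the collector received into data-plane RT_FLOW events and Routing Engine system events, and reports whether either plane is silent after a configuration change. The sample lines are constructed in the shape of Junos `format syslog` output, not captured from a real device.

```python
import re
from collections import Counter

# Constructed sample lines in the shape an SRX writes with 'format syslog';
# not captured from a real device. The first three are data-plane (PFE)
# traffic logs, the rest are Routing Engine system logs.
SAMPLE_LINES = [
    "Feb 21 07:44:00 srx1500 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.0.0.5/51234->203.0.113.10/443 junos-https",
    "Feb 21 07:44:05 srx1500 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.0.0.5/51234->203.0.113.10/443 junos-https",
    "Feb 21 07:44:06 srx1500 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.7/40000->203.0.113.20/23 junos-telnet",
    "Feb 21 07:44:01 srx1500 sshd[1234]: Accepted publickey for admin from 10.0.0.9 port 5000 ssh2",
    "Feb 21 07:44:02 srx1500 mgd[3456]: UI_COMMIT: User 'admin' requested 'commit' operation",
    "Feb 21 07:44:03 srx1500 /kernel: tcp_timer_keep: Dropping socket connection due to keepalive timer expiration",
]

# Optional <PRI>, BSD timestamp, hostname, process (with optional [pid]), message.
LINE_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<proc>[^\s:\[]+)(?:\[\d+\])?:\s+(?P<msg>.*)$"
)

def classify(line):
    """Map one received line to ('data', RT_FLOW event name) or ('control', process name).
    Returns (None, None) for lines that do not look like SRX syslog at all."""
    m = LINE_RE.match(line)
    if not m:
        return None, None
    proc = m.group("proc")
    if proc == "RT_FLOW":
        # Traffic logs carry the event name as the first colon-delimited token.
        return "data", m.group("msg").split(":", 1)[0]
    return "control", proc

def coverage(lines):
    """Count events per plane and name any plane that sent nothing.
    A non-empty 'missing' list reproduces the symptom in the question:
    only one of the two planes is reaching the collector."""
    planes = {"data": Counter(), "control": Counter()}
    for line in lines:
        plane, name = classify(line)
        if plane is not None:
            planes[plane][name] += 1
    missing = [p for p, c in planes.items() if not c]
    return {p: dict(c) for p, c in planes.items()}, missing

if __name__ == "__main__":
    counts, missing = coverage(SAMPLE_LINES)
    print(counts)
    print("silent planes:", missing or "none")
```

Feed it the lines your collector actually wrote after committing both stanzas; a non-empty "silent planes" result means one of the two sources still is not reaching the server.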