SRX

last person joined: 2 days ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

  • 1.  syslog server configuration with Branch SRX 210 H

    Posted 05-19-2010 08:23

    Hi,

    I am trying to configure SYSLOG Server with Branch SRX 210-H.

    Kindly help me out….

     

    Also suggest preferable syslog server.

     

    Regards,

    VKG



  • 2.  RE: syslog server configuration with Branch SRX 210 H

    Posted 05-19-2010 10:39

    I would suggest reading http://kb.juniper.net/KB16509 for configuration guidance and using SPLUNK as a Syslog Server

     

    Xavi



  • 3.  RE: syslog server configuration with Branch SRX 210 H

    Posted 05-19-2010 11:00

    Very good article indeed...

     

    based on the following

     

  • Date and time of the message
  • Message type (session-init or session-close)
  • Source address and port number
  • Destination address and port number
  • IP information
  • Session index (sid)
  • Policy index (pid)
  • Bytes sent and received
  • Session duration

    •  

    Is it possible to segregate session-init / session-close from deny and permit policies? 

     

    Based on this output...  it wouldn't seem as if it isnt but IMA newb so... 

     

    It would be nice to seperate the two into two files, one for policy default-permit, and one for policy default-deny scenarios.

     

    user@host> show log messages | match RT_FLOW_SESSION
         Dec 23 15:01:41 test RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP RST: 19
    2.168.10.60/3933->172.24.60.143/80 junos-http 172.24.30.178/8280->172.24.60.143/
    80 interface-nat None 6 http-out trust untrust 7188 8(2698) 5(525) 2

     

    EDIT:  I acutally found that this is pretty easy as the RT_FLOW_SESSION_DENY is the flag for a policy that is defined as a deny / log...  Just not the implicit deny at the end of all policy chains.

     

     

     



  • 4.  RE: syslog server configuration with Branch SRX 210 H

    Posted 05-25-2010 06:16

    Hi Xhoms,

    Thanks for your reply…!

    I have been configured as KB16509 with SPLUNK as a syslog server, But I unable to configure splunk perfectly (unable to gather log in syslog indexing)…could you help me to configure splunk  

      

    Kindly oblige to guide me.

     

    Thanks

    VKG



  • 5.  RE: syslog server configuration with Branch SRX 210 H

    Posted 05-25-2010 10:35

    I'n not a SPLUNK expert but I got my instance work as a Syslog server just adding a UDP data input in the port 514 of type Syslog

     

    Splunk -> Manager -> Data Inputs -> UDP

    port: 514

    Source Type: syslog

     

    The experience with Splunk is much better if you use the "structured syslog format" in the SRX side

     

    admin@SRX-240-1# show security log

    mode stream;

    format sd-syslog;

    source-address 192.168.1.2;

    stream splunk {

      host {

        95.17.163.67;

        }

      }



  • 6.  RE: syslog server configuration with Branch SRX 210 H
    Best Answer

    Posted 05-28-2010 06:46

    Hi Xhoms,

    I followed you and just gathered all structured logs in SPLUNK perfectly.

    Indeed Thanks…!

     

    Regards,

    Vinod Gupta