SRX Services Gateway

Re: SIEM cannot receive logs when SRX is using stream mode?

01-07-2017 03:43 AM

The logs you are looking for require a configuration under system syslog to send.

https://www.juniper.net/documentation/en_US/junos12.1x46/topics/concept/security-system-log-message-...

Your setup above under security log does not cover the control plane events.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: SIEM cannot receive logs when SRX is using stream mode?

01-07-2017 07:24 AM

Hi Spuluka,

Thanks for the URL. I have already read it, and it looks like there is some limitation when we use stream mode, right? Please correct me if I am wrong, as my English is not so good.

Appreciate your feedback.

Thanks

Re: SIEM cannot receive logs when SRX is using stream mode?

01-07-2017 07:47 AM

Yes, on the SRX in stream mode you need to have TWO configuration stanzas set up, per those instructions, in order to get all of the syslog messages. You appear to need to add the system syslog one, judging from what is missing on your SIEM.

Steve Puluka BSEET - Juniper Ambassador

Re: SIEM cannot receive logs when SRX is using stream mode?

01-07-2017 08:01 AM

Hi Spuluka,

When you said "TWO configuration stanzas set up", which part are you referring to? Below is my config. Can you advise me what needs to change to make sure the SIEM can see both the control plane syslog, such as commit and interactive commands, and at the same time the RT-FLOW logs?

{primary:node0}
test@SRX5800> show configuration system syslog
archive size 1m files 10;
user * {
    any emergency;
}
inactive: host 7.7.7.1 { ----------------------------------> If I activate this, the SIEM cannot see RT-FLOW logs
    any any;
    change-log any;
    interactive-commands any;
    inactive: match RT_FLOW_SESSION;
    source-address x.x.x.x;
    structured-data;
}
inactive: host 7.7.7.2 {
    any any;
    change-log any;
    interactive-commands any;
    source-address x.x.x.x;
    structured-data;
}
file messages { ------------------------------------> This log cannot be seen on the SIEM
    any notice;
    authorization info;
    explicit-priority;
}
file interactive-commands { -------------------> This log cannot be seen on the SIEM
    interactive-commands any;
}

Thanks and appreciate your advice

Re: SIEM cannot receive logs when SRX is using stream mode?

01-07-2017 08:16 AM

I think you need these two stanzas:

control plane logs - remove the match for flow

host 7.7.7.1 { see log RT-FLOW
    any any;
    change-log any;
    interactive-commands any;
    source-address x.x.x.x;
    structured-data;
}

security logs

security {
    log {
        mode stream;
        format sd-syslog;
        source-address 10.70.50.18;
        stream TO-SIEM {
            format sd-syslog;
            category all;
            host {
                10.60.30.50;
            }
        }
    }
}

Steve Puluka BSEET - Juniper Ambassador
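As an added example (not code from this thread, from Juniper, or from any poster), the following Python script checks a collector-side feed for the symptom discussed above. It parses RFC 5424-style structured-data syslog lines, the shape produced by `structured-data` under system syslog and by `format sd-syslog` under security log, and reports whether both control-plane messages (UI_COMMIT, UI_CMDLINE_READ_LINE, sent by the system syslog stanza) and security-plane messages (RT_FLOW_*, sent by the security log stream) are present. The sample lines are constructed for illustration only; the field values, the SD-ID `junos@2636.1.1.1.2.129`, and the prefix list used to classify security messages are assumptions, not taken from a real device.

```python
"""Check whether an SRX syslog feed contains both control-plane and
security (RT_FLOW) messages.

Added example for this thread, not code from the original posts or from
Juniper. It parses RFC 5424-style lines with structured data, which is
what `structured-data` (system syslog) and `format sd-syslog` (security
log) produce. Sample lines below are constructed; values are not from a
real device and the SD-ID is an assumed placeholder.
"""
import re
from collections import Counter

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+)\s+(?P<timestamp>\S+)\s+"
    r"(?P<hostname>\S+)\s+(?P<appname>\S+)\s+(?P<procid>\S+)\s+"
    r"(?P<msgid>\S+)\s*(?P<rest>.*)$"
)
# One structured-data element: [SD-ID PARAM-NAME="PARAM-VALUE" ...]
_SD_ELEMENT = re.compile(r"\[(?P<sdid>[^\s\]]+)(?P<params>[^\]]*)\]")
_SD_PARAM = re.compile(r'(?P<name>[^\s=]+)="(?P<value>[^"]*)"')

# Message-ID prefixes treated as security-plane here (assumption for the
# example; RT_FLOW is the one the thread is about).
SECURITY_PREFIXES = ("RT_FLOW", "RT_IDP", "RT_SCREEN", "RT_UTM")

# Constructed sample feed: two control-plane events from mgd (what the
# `system syslog` stanza sends) and one session event (what `security log`
# in stream mode sends). Not captured from a real SRX.
SAMPLE_FEED = [
    '<189>1 2017-01-07T03:43:00.000Z SRX5800 mgd 1234 UI_COMMIT '
    '[junos@2636.1.1.1.2.129 username="test" commit-message="add syslog host"] '
    'UI_COMMIT: User test requested commit operation',
    '<190>1 2017-01-07T03:43:05.000Z SRX5800 mgd 1234 UI_CMDLINE_READ_LINE '
    '[junos@2636.1.1.1.2.129 username="test" command="show configuration system syslog "] '
    'UI_CMDLINE_READ_LINE: User test, command show configuration system syslog',
    '<14>1 2017-01-07T03:43:10.000Z SRX5800 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.129 source-address="10.1.1.5" destination-address="192.0.2.53" '
    'policy-name="allow-dns"] session created 10.1.1.5/51234->192.0.2.53/53',
]


def parse(line):
    """Parse one sd-syslog line into a dict, or return None if malformed."""
    m = _HEADER.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    # PRI encodes facility * 8 + severity.
    rec["facility"], rec["severity"] = divmod(pri, 8)
    params = {}
    for element in _SD_ELEMENT.finditer(rec.pop("rest")):
        for p in _SD_PARAM.finditer(element.group("params")):
            params[p.group("name")] = p.group("value")
    rec["sd"] = params
    return rec


def plane(rec):
    """Classify a parsed record as 'security' or 'control' by MSGID prefix."""
    return "security" if rec["msgid"].startswith(SECURITY_PREFIXES) else "control"


def audit(lines):
    """Count messages per plane and list the planes with no messages at all."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        counts["unparsed" if rec is None else plane(rec)] += 1
    missing = [p for p in ("control", "security") if counts[p] == 0]
    return counts, missing


if __name__ == "__main__":
    counts, missing = audit(SAMPLE_FEED)
    print(dict(counts), "missing:", missing)
    # With the RT_FLOW line dropped, the audit flags the security plane as
    # missing, which is the symptom reported in the thread.
    print(audit(SAMPLE_FEED[:2]))
```

Pointing `audit()` at a file of lines taken from the collector, rather than at the constructed `SAMPLE_FEED`, gives a quick answer to the question the thread keeps returning to: whether only one of the two stanzas is actually delivering messages.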

Re: SIEM cannot receive logs when SRX is using stream mode?

01-07-2017 08:29 AM

Hi Spuluka,

If I enable the control plane log, then the SIEM cannot receive the security log. That's the reason I deactivated the control plane logs. Can your SIEM see both logs at the same time?

Thanks and appreciate your feedback

Re: SIEM cannot receive logs when SRX is using stream mode?

01-07-2017 09:00 AM

Yes, at a previous company we did have all logging working to a QRadar SIEM.

I think your issue is with the syslog stanza, without having the match condition added. This can tend to restrict what messages are sent.

Steve Puluka BSEET - Juniper Ambassador

Re: SIEM cannot receive logs when SRX is using stream mode?

01-07-2017 08:09 PM

Hi Spuluka,

But the match RT_FLOW config is deactivated. How can it restrict the syslog to the SIEM?

inactive: match RT_FLOW_SESSION;

Thanks

Re: SIEM cannot receive logs when SRX is using stream mode?

01-08-2017 02:40 AM

Hi Folks,

I found some interesting information:

The traffic events in stream mode must be sent from one of the revenue ports. Using management ports such as fxp0 (or a revenue port in functional-zone management, in the case of SRX) is not supported. Additionally, do not forget to configure the routing table to send traffic events from a revenue port. Syslog packets for traffic events in stream mode look up the default routing instance (inet.0) first by default.

Also, please refer to the KBs below for more details:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16509&actp=search&smlogin=true

http://www.juniper.net/techpubs/en_US/junos12.1x46/topics/task/configuration/security-system-stream-...

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16917&actp=search

http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/task/configuration/security-system-stream-...

-Python JNCIE 3X [SP|DC|ENT] JNCIP-SEC JNCDS 3X [ WAN | DC|SEC] JNCIS-Cloud JNCIS-DevOps CCIP ITIL
#Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Re: SIEM cannot receive logs when SRX is using stream mode?

01-08-2017 06:29 AM

Hi Python,

I'm using a reth interface as the source address to send logs to the SIEM.

Thanks

Re: SIEM cannot receive logs when SRX is using stream mode?

10-10-2019 10:25 AM

Hi Guys

We have the same issue where the Log Collector does not receive logs from the SRX 550M gateway when switched to stream mode.

Here is our configuration as per https://kb.juniper.net/InfoCenter/index?page=content&id=KB23843

Note: UNTRUST-vr is using a revenue port; 1.1.1.2/32 is just a dummy loopback IP created for testing purposes.

set interfaces lo0 unit 0 family inet address 1.1.1.2/32
set routing-options static route 10.209.0.170/32 next-table UNTRUST-vr.inet.0
set security log mode stream
set security log format sd-syslog
set security log source-address 1.1.1.2
set security log stream TC1LC1 severity alert
set security log stream TC1LC1 format sd-syslog
set security log stream TC1LC1 category all
set security log stream TC1LC1 host 10.209.0.170
set security log stream TC1LC1 host port 514
set system syslog host 10.209.0.170 any any
set system syslog host 10.209.0.170 structured-data
set system syslog file policy_session user info
set system syslog file policy_session match RT_FLOW
set system syslog file policy_session archive size 1m
set system syslog file policy_session archive files 1000
set system syslog file policy_session archive world-readable
set system syslog file policy_session structured-data
set system syslog time-format
set system syslog source-address 10.50.0.211

Route for log collector 10.209.0.170

show route 10.209.0.170

inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.209.0.170/32 *[Static/20] 1d 05:34:00
to table UNTRUST-vr.inet.0

UNTRUST-vr.inet.0: 948 destinations, 949 routes (948 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.209.0.0/24 *[OSPF/10] 1d 05:32:13, metric 212
> to 10.62.65.21 via reth5.0