
Only send logs of dropped traffic from SRX to Syslog server

12-24-2019 07:10 AM

I have a customer who is receiving tons of logs from his SRX to the Syslog server. He requested only to send logs for the traffic which is dropped, he doesn't care about the permitted traffic. How can I configure this under the Syslog host?


Thanks in advance.

4 replies

Solution accepted by topic author hbaytie01, 12-25-2019 11:28 PM

Re: Only send logs of dropped traffic from SRX to Syslog server

12-24-2019 08:31 AM

If it is a branch SRX (log mode is event) you may try this:


set system syslog host <syslog server ip> any any
set system syslog host <syslog server ip> match "RT_FLOW_SESSION_DENY"


Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Only send logs of dropped traffic from SRX to Syslog server

12-25-2019 06:11 AM

Thanks, Nellikka, for your answer.

But if I'm planning to use stream mode, how can I configure it to match "RT_FLOW_SESSION_DENY"?


Re: Only send logs of dropped traffic from SRX to Syslog server

12-25-2019 06:32 PM

There is no option to filter only deny logs in stream mode. Since you need only deny/dropped logs, one workaround is to enable logging only on deny security policies (log session-init) and remove/disable logging from other security policies (i.e., log session-init and log session-close).


Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
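The two approaches above, written out as one concrete configuration. This is an added example, not configuration from the original thread or from Juniper documentation; the collector address 192.0.2.10, the source address 192.0.2.1, the zone names trust/untrust, the stream name to-collector and the policy names allow-web and deny-rest are all assumptions. The lines beginning with # are explanatory and are not Junos syntax, so drop them before pasting. Option A is the event-mode filter from the accepted answer (the per-host match is a regular expression applied to each message, so RT_FLOW_SESSION_CREATE and RT_FLOW_SESSION_CLOSE never reach the collector). Option B is the stream-mode workaround: since logs leave the data plane directly and no per-host match exists, the only policy that carries a log action is the deny policy, so RT_FLOW_SESSION_DENY is the only flow message the SRX ever emits.

```junos
# ---- Option A: event mode (the branch SRX default). Apply A or B, not both.
set security log mode event
set system syslog host 192.0.2.10 any any
set system syslog host 192.0.2.10 match "RT_FLOW_SESSION_DENY"

# ---- Option B: stream mode. No per-host match is available here, so the
# ---- filtering is done by logging only on the deny policy below.
set security log mode stream
set security log format syslog
set security log source-address 192.0.2.1
set security log stream to-collector host 192.0.2.10
set security log stream to-collector format syslog
set security log stream to-collector category all

# Permit policy with no "then log" at all: permitted sessions produce no
# RT_FLOW_SESSION_CREATE or RT_FLOW_SESSION_CLOSE messages.
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security policies from-zone trust to-zone untrust policy allow-web then permit

# Explicit catch-all deny with "log session-init", placed after every permit
# policy in this zone pair because policies are evaluated in order. The
# implicit default deny does not generate a log, so without this policy
# dropped traffic would not be logged in either mode.
set security policies from-zone trust to-zone untrust policy deny-rest match source-address any
set security policies from-zone trust to-zone untrust policy deny-rest match destination-address any
set security policies from-zone trust to-zone untrust policy deny-rest match application any
set security policies from-zone trust to-zone untrust policy deny-rest then deny
set security policies from-zone trust to-zone untrust policy deny-rest then log session-init

# If an existing permit policy already logs, remove the whole log stanza
# (both session-init and session-close) rather than leaving one of them:
delete security policies from-zone trust to-zone untrust policy allow-web then log

# Check after commit: only the deny policy should show a log action.
show configuration security policies | display set | match "then log"
```

The check at the end is the useful one to run before handing this to the customer: any permit policy that still appears in that output will keep flooding the collector in stream mode, because the stream configuration itself has no way to suppress it.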

Re: Only send logs of dropped traffic from SRX to Syslog server

12-25-2019 11:29 PM

Thanks for your support, I really appreciate it.