[j-nsp] Traffic Logging

a. rahman isnaini rst / netsoft risnaini at netsoft.net.id
Tue Dec 2 18:19:54 EST 2008


Hi Danny,

I'm logging a small amount of traffic for test purposes before redirecting 
the real one to the syslog server.
Here is the output of show firewall log detail with filter name 
logging-traffic.
As you can see, no other traffic is logged, only the point-to-point IPs 
of the BGP session (192.168.3.16/30) between two routers.
While there is supposed to be other traffic passing through...

Time of Log: 2008-12-03 05:50:44 JAVT, Filter: logging-traffic, Filter action: accept, Name of interface: local
Name of protocol: TCP, Packet Length: 0, Source address: 192.168.3.17:179, Destination address: 192.168.3.18:2693
Time of Log: 2008-12-03 05:50:44 JAVT, Filter: pfe, Filter action: accept, Name of interface: ge-1/3/0.115
Name of protocol: TCP, Packet Length: 52, Source address: 192.168.3.18:2693, Destination address: 192.168.3.17:179
Time of Log: 2008-12-03 05:50:21 JAVT, Filter: logging-traffic, Filter action: accept, Name of interface: local
Name of protocol: TCP, Packet Length: 51266, Source address: 192.168.3.17:179, Destination address: 192.168.3.18:2693
Time of Log: 2008-12-03 05:50:21 JAVT, Filter: pfe, Filter action: accept, Name of interface: ge-1/3/0.115
Name of protocol: TCP, Packet Length: 71, Source address: 192.168.3.18:2693, Destination address: 192.168.3.17:179
Time of Log: 2008-12-03 05:50:14 JAVT, Filter: pfe, Filter action: accept, Name of interface: ge-1/3/0.115
Name of protocol: TCP, Packet Length: 52, Source address: 192.168.3.18:2693, Destination address: 192.168.3.17:179
Time of Log: 2008-12-03 05:50:13 JAVT, Filter: logging-traffic, Filter action: accept, Name of interface: local
Name of protocol: TCP, Packet Length: 50661, Source address: 192.168.3.17:179, Destination address: 192.168.3.18:2693
Time of Log: 2008-12-03 05:49:56 JAVT, Filter: logging-traffic, Filter action: accept, Name of interface: local
Name of protocol: TCP, Packet Length: 51266, Source address: 192.168.3.17:179, Destination address: 192.168.3.18:2693
Time of Log: 2008-12-03 05:49:56 JAVT, Filter: pfe, Filter action: accept, Name of interface: ge-1/3/0.115
Name of protocol: TCP, Packet Length: 71, Source address: 192.168.3.18:2693, Destination address: 192.168.3.17:179
Time of Log: 2008-12-03 05:49:44 JAVT, Filter: pfe, Filter action: accept, Name of interface: ge-1/3/0.115
Name of protocol: TCP, Packet Length: 52, Source address: 192.168.3.18:2693, Destination address: 192.168.3.17:179
Time of Log: 2008-12-03 05:49:43 JAVT, Filter: logging-traffic, Filter action: accept, Name of interface: local
Name of protocol: TCP, Packet Length: 0, Source address: 192.168.3.17:179, Destination address: 192.168.3.18:2693
Time of Log: 2008-12-03 05:49:29 JAVT, Filter: logging-traffic, Filter action: accept, Name of interface: local
Name of protocol: TCP, Packet Length: 51266, Source address: 192.168.3.17:179, Destination address: 192.168.3.18:2693
Time of Log: 2008-12-03 05:49:29 JAVT, Filter: pfe, Filter action: accept, Name of interface: ge-1/3/0.115

Expecting:

29w1d: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.10.100.32.81(25) -> 172.16.5.250(30705), 1 packet
29w1d: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.10.100.32.57(3306) -> 172.16.5.250(30716), 1 packet
29w1d: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.10.100.32.57(3306) -> 172.16.5.250(30719), 1 packet
29w1d: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.10.100.32.57(3306) -> 172.16.5.250(30721), 1 packet
29w1d: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.10.100.3.220(3306) -> 172.16.5.250(30722), 1 packet
29w1d: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.10.100.32.57(3306) -> 172.16.5.250(30723), 1 packet

a. r. isnaini rangkayo sutan


Danny Vernals wrote:
> The "then log" option only logs to the PFE buffer which is rather
> limited in size and also is only exposed in the "sh firewall log"
> command you mention, it's not sent to the syslog daemon.  However if
> you expect to be logging at a high pps it has the benefit of not
> adding excess load to the RE. To see more detailed output you can use
> "show firewall log detail".
> 
> If you would like to send the logging to messages or any other file
> you specify in the syslog config you need to use "then syslog"
> instead.
> 
> I'm not sure what you mean by "it match the log but only shows Point
> to Point session"
> 
> 
> 
> On Mon, Dec 1, 2008 at 10:46 PM, a. rahman isnaini rst / netsoft
> <risnaini at netsoft.net.id> wrote:
>> Hi,
>>
>>
>> To generate logs like Cisco "sh logging" using access-list, I have configured:
>> - Firewall>Family Inet>Filter "log">Match all then log
>> - Interface>Unit x> Family Inet> input filter "log"
>> - System>Services>Syslog>all facilities [any]
>>
>> All I've seen by "show log messages" is just simply standard log (somebody
>> is logging in, etc..).
>> And as well, "show firewall log", it match the "log" but only shows Point to
>> Point session.
>>
>> Any simple way to have logs such as Cisco did? Please kindly advise.
>>
>> rgs
>> a. r.isnaini rangkayo sutan
> 
> 
> 
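Added example, not part of the original thread: a small Python parser for the two-line "show firewall log detail" entries quoted in the message above, tolerant of the mail client's hard line wraps and of a cut-off last entry. It counts entries per filter and interface and collapses both directions into one flow, which makes it easy to confirm that only the BGP session on 192.168.3.16/30 was logged. The function names and the SAMPLE excerpt are assumptions for illustration; the sample lines are taken from the message.

```python
import re
from collections import Counter

# Excerpt of the output quoted in the message, with its hard wraps kept
# and the last entry cut off as it is in the post.
SAMPLE = """\
Time of Log: 2008-12-03 05:50:44 JAVT, Filter: logging-traffic, Filter
action: accept, Name of interface: local
Name of protocol: TCP, Packet Length: 0, Source address:
192.168.3.17:179, Destination address: 192.168.3.18:2693
Time of Log: 2008-12-03 05:50:44 JAVT, Filter: pfe, Filter action:
accept, Name of interface: ge-1/3/0.115
Name of protocol: TCP, Packet Length: 52, Source address:
192.168.3.18:2693, Destination address: 192.168.3.17:179
Time of Log: 2008-12-03 05:49:29 JAVT, Filter: pfe, Filter action:
accept, Name of interface: ge-1/3/0.115
"""

ENTRY = re.compile(
    r"Time of Log: (?P<time>[^,]+), Filter: (?P<filter>[^,]+), "
    r"Filter action: (?P<action>\w+), Name of interface: (?P<ifname>\S+) "
    r"Name of protocol: (?P<proto>\w+), Packet Length: (?P<length>\d+), "
    r"Source address: (?P<src>[^,\s]+), Destination address: (?P<dst>\S+)"
)

def parse_firewall_log(text):
    """Return (records, truncated_count) from 'show firewall log detail' text."""
    flat = " ".join(text.split())            # undo hard wraps from mail/terminal
    records, truncated = [], 0
    for chunk in re.split(r"(?=Time of Log: )", flat):
        if not chunk.strip():
            continue
        m = ENTRY.match(chunk)
        if m:
            rec = m.groupdict()
            rec["length"] = int(rec["length"])
            records.append(rec)
        else:
            truncated += 1                   # incomplete entry: count it, do not guess
    return records, truncated

def summarize(records):
    """Count entries per (filter, interface); collect direction-agnostic flows."""
    per_filter = Counter((r["filter"], r["ifname"]) for r in records)
    flows = {tuple(sorted((r["src"], r["dst"]))) for r in records}
    return per_filter, flows

if __name__ == "__main__":
    recs, cut = parse_firewall_log(SAMPLE)
    print(summarize(recs), "truncated entries:", cut)
```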

