[j-nsp] Traffic Logging

Diogo Montagner diogo.montagner at gmail.com
Tue Dec 2 18:42:18 EST 2008


You can use firewall filters with the count option applied to the
interfaces. After you commit, you can issue "show firewall filter
name_of_filter" and look for the counter information in the output.

Reference (look for the count action):
http://www.juniper.net/techpubs/software/junos/junos90/swconfig-policy/configuring-a-filter-action-statement.html#id-10871215

Regards,
./diogo -montagner


On Tue, Dec 2, 2008 at 9:19 PM, a. rahman isnaini rst / netsoft <
risnaini at netsoft.net.id> wrote:

>
> Hi Danny,
>
> I'm logging a small amount of traffic for test purposes before redirecting
> the real one to the syslog server.
> Here is the output of show firewall log detail with the filter name
> logging-traffic.
> As you can see, no other traffic is logged, only the point-to-point IPs
> of the BGP session (192.168.3.16/30) between the two routers,
> while there is supposed to be other traffic passing through...
>
> Time of Log: 2008-12-03 05:50:44 JAVT, Filter: logging-traffic, Filter
> action: accept, Name of interface: local
> Name of protocol: TCP, Packet Length: 0, Source address: 192.168.3.17:179,
> Destination address: 192.168.3.18:2693
> Time of Log: 2008-12-03 05:50:44 JAVT, Filter: pfe, Filter action: accept,
> Name of interface: ge-1/3/0.115
> Name of protocol: TCP, Packet Length: 52, Source address:
> 192.168.3.18:2693, Destination address: 192.168.3.17:179
> Time of Log: 2008-12-03 05:50:21 JAVT, Filter: logging-traffic, Filter
> action: accept, Name of interface: local
> Name of protocol: TCP, Packet Length: 51266, Source address:
> 192.168.3.17:179, Destination address: 192.168.3.18:2693
> Time of Log: 2008-12-03 05:50:21 JAVT, Filter: pfe, Filter action: accept,
> Name of interface: ge-1/3/0.115
> Name of protocol: TCP, Packet Length: 71, Source address:
> 192.168.3.18:2693, Destination address: 192.168.3.17:179
> Time of Log: 2008-12-03 05:50:14 JAVT, Filter: pfe, Filter action: accept,
> Name of interface: ge-1/3/0.115
> Name of protocol: TCP, Packet Length: 52, Source address:
> 192.168.3.18:2693, Destination address: 192.168.3.17:179
> Time of Log: 2008-12-03 05:50:13 JAVT, Filter: logging-traffic, Filter
> action: accept, Name of interface: local
> Name of protocol: TCP, Packet Length: 50661, Source address:
> 192.168.3.17:179, Destination address: 192.168.3.18:2693
> Time of Log: 2008-12-03 05:49:56 JAVT, Filter: logging-traffic, Filter
> action: accept, Name of interface: local
> Name of protocol: TCP, Packet Length: 51266, Source address:
> 192.168.3.17:179, Destination address: 192.168.3.18:2693
> Time of Log: 2008-12-03 05:49:56 JAVT, Filter: pfe, Filter action: accept,
> Name of interface: ge-1/3/0.115
> Name of protocol: TCP, Packet Length: 71, Source address:
> 192.168.3.18:2693, Destination address: 192.168.3.17:179
> Time of Log: 2008-12-03 05:49:44 JAVT, Filter: pfe, Filter action: accept,
> Name of interface: ge-1/3/0.115
> Name of protocol: TCP, Packet Length: 52, Source address:
> 192.168.3.18:2693, Destination address: 192.168.3.17:179
> Time of Log: 2008-12-03 05:49:43 JAVT, Filter: logging-traffic, Filter
> action: accept, Name of interface: local
> Name of protocol: TCP, Packet Length: 0, Source address: 192.168.3.17:179,
> Destination address: 192.168.3.18:2693
> Time of Log: 2008-12-03 05:49:29 JAVT, Filter: logging-traffic, Filter
> action: accept, Name of interface: local
> Name of protocol: TCP, Packet Length: 51266, Source address:
> 192.168.3.17:179, Destination address: 192.168.3.18:2693
> Time of Log: 2008-12-03 05:49:29 JAVT, Filter: pfe, Filter action: accept,
> Name of interface: ge-1/3/0.115
>
> Expecting :
>
> 29w1d: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.10.100.32.81(25) ->
> 172.16.5.250(30705), 1 packet
> 29w1d: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.10.100.32.57(3306) ->
> 172.16.5.250(30716), 1 packet
> 29w1d: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.10.100.32.57(3306) ->
> 172.16.5.250(30719), 1 packet
> 29w1d: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.10.100.32.57(3306) ->
> 172.16.5.250(30721), 1 packet
> 29w1d: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.10.100.3.220(3306) ->
> 172.16.5.250(30722), 1 packet
> 29w1d: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.10.100.32.57(3306) ->
> 172.16.5.250(30723), 1 packet
>
> a. r. isnaini rangkayo sutan
>
>
> Danny Vernals wrote:
>
>> The "then log" option only logs to the PFE buffer which is rather
>> limited in size and also is only exposed in the "sh firewall log"
>> command you mention, it's not sent to the syslog daemon.  However if
>> you expect to be logging at a high pps it has the benefit of not
>> adding excess load to the RE. To see more detailed output you can use
>> "show firewall log detail".
>>
>> If you would like to send the logging to messages or any other file
>> you specify in the syslog config you need to use "then syslog"
>> instead.
>>
>> I'm not sure what you mean by "it match the log but only shows Point
>> to Point session"
>>
>>
>>
>> On Mon, Dec 1, 2008 at 10:46 PM, a. rahman isnaini rst / netsoft
>> <risnaini at netsoft.net.id> wrote:
>>
>>> Hi,
>>>
>>>
>>> To generate a log like Cisco "sh logging" using an access-list, I have
>>> configured:
>>> - Firewall>Family Inet>Filter "log">Match all then log
>>> - Interface>Unit x> Family Inet> input filter "log"
>>> - System>Services>Syslog>all facilities [any]
>>>
>>> All I've seen by "show log messages" is just simply standard log
>>> (somebody
>>> is login, etc..).
>>> And as well, "show firewall log", it match the "log" but only shows Point
>>> to
>>> Point session.
>>>
>>> Is there any simple way to have logs like Cisco does? Please kindly advise.
>>>
>>> rgs
>>> a. r.isnaini rangkayo sutan
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>
>>>
>>
>>
>
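
Added example, not part of the original thread: a Junos set-command sketch that combines the three actions discussed above (count, log, syslog) on one filter and routes the firewall facility to a local file and a remote collector. The filter name and interface are taken from the quoted output; the term name, counter name, file name and the 192.0.2.10 collector address are assumptions.

```junos
# Filter: count every packet, keep the PFE buffer entry ("then log"),
# and also hand the match to syslogd ("then syslog").
set firewall family inet filter logging-traffic term log-all then count logged-pkts
set firewall family inet filter logging-traffic term log-all then log
set firewall family inet filter logging-traffic term log-all then syslog
set firewall family inet filter logging-traffic term log-all then accept

# Apply on the transit interface seen in the quoted output (inbound).
set interfaces ge-1/3/0 unit 115 family inet filter input logging-traffic

# "then syslog" messages arrive on the firewall facility; send them to
# their own file and to a remote collector (placeholder address).
set system syslog file firewall-log firewall any
set system syslog host 192.0.2.10 firewall any

# Verification after commit (operational mode):
#   show firewall filter logging-traffic    <- counter logged-pkts
#   show firewall log detail                <- PFE buffer ("then log")
#   show log firewall-log                   <- syslog file ("then syslog")
```

On a busy interface, matching everything with syslog puts load on the RE, as noted in the thread; narrowing the term with "from" conditions before enabling syslog keeps the volume manageable.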

