[j-nsp] how to send SRX240 traffic/session logs to syslog server
Michael Gehrmann
mgehrmann at atlassian.com
Mon Jun 19 16:26:49 EDT 2017
I suggest stream logging: https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/security-system-stream-security-log-revenue-port-setting.html
We use this on every SRX we have for traffic logging.
Regards
Mike
> On 19 Jun 2017, at 21:45, Aaron Gould <aaron1 at gvtc.com> wrote:
>
> I'm trying to send SRX240 traffic/session logs to a syslog server... I have
> some system messages going to the syslog server, but not the session/traffic
> logs. What do I need to do?
>
> ....I'll show you some info from the syslog stanza....let me know if you
> need to see anything else...
>
> {primary:node0}
> aaron.gould at HQ_A> show configuration system syslog | display set
> set system syslog host 10.51.16.9 any any
> set system syslog file policy_session user info
> set system syslog file policy_session match RT_FLOW
> set system syslog file policy_session archive size 5120000
> set system syslog file policy_session archive files 5
> set system syslog file policy_session archive world-readable
> set system syslog file policy_session structured-data
> set system syslog file traffic-log any any
> set system syslog file traffic-log match RT_FLOW_SESSION
> set system syslog file traffic-log archive size 5120000
> set system syslog file traffic-log archive files 5
> set system syslog file traffic-log archive world-readable
> set system syslog file traffic-log structured-data
> set system syslog source-address 1.2.3.4
>
> {primary:node0}
>
> **** these messages are seen on the syslog server at 1.2.3.4
>
> Jun 19 14:37:15 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> Jun 19 14:37:15 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> Jun 19 14:37:15 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> Jun 19 14:37:20 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> Jun 19 14:37:25 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> Jun 19 14:37:25 HQ_A last message repeated 4 times
> Jun 19 14:37:25 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> Jun 19 14:37:29 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> Jun 19 14:37:30 HQ_A mgd[9666]: UI_CMDLINE_READ_LINE: User 'aaron.gould', command 'show configuration system syslog | display set '
> Jun 19 14:37:30 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> Jun 19 14:37:32 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> Jun 19 14:37:38 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> Jun 19 14:37:38 HQ_A last message repeated 4 times
> Jun 19 14:37:41 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> Jun 19 14:37:41 HQ_A last message repeated 4 times
> Jun 19 14:37:48 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> Jun 19 14:37:48 HQ_A last message repeated 2 times
> Jun 19 14:37:48 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> Jun 19 14:37:48 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
>
> ***** these are the local flows seen in the SRX240 cli that I would like to
> see on the syslog server....
>
> {primary:node0}
> aaron.gould at HQ_A> show security flow session
> node0:
> --------------------------------------------------------------------------
>
> Session ID: 216, Policy name: LAN_22bit_Browsing/9, State: Active, Timeout: 1794, Valid
>   In: 10.0.2.165/61141 --> 52.112.66.235/443;tcp, If: reth0.0, Pkts: 2666, Bytes: 463076
>   Out: 52.112.66.235/443 --> 2.4.6.8/62085;tcp, If: reth1.0, Pkts: 2736, Bytes: 1048146
>
> Session ID: 248, Policy name: LAN_22bit_Browsing/9, State: Active, Timeout: 1772, Valid
>   In: 10.0.3.116/57591 --> 65.52.108.227/443;tcp, If: reth0.0, Pkts: 8177, Bytes: 805754
>   Out: 65.52.108.227/443 --> 2.4.6.8/54704;tcp, If: reth1.0, Pkts: 4105, Bytes: 775308
>
> Session ID: 253, Policy name: LAN_22bit_Browsing/9, State: Active, Timeout: 1716, Valid
>   In: 10.0.2.165/51076 --> 216.58.194.78/443;tcp, If: reth0.0, Pkts: 13, Bytes: 3632
>   Out: 216.58.194.78/443 --> 2.4.6.8/55637;tcp, If: reth1.0, Pkts: 14, Bytes: 1489
>
> Session ID: 303, Policy name: LAN_22bit_Browsing/9, State: Active, Timeout: 1784, Valid
>   In: 10.0.2.72/51189 --> 52.112.66.235/443;tcp, If: reth0.0, Pkts: 5040, Bytes: 999840
>   Out: 52.112.66.235/443 --> 2.4.6.8/57607;tcp, If: reth1.0, Pkts: 5393, Bytes: 2466530
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
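The stream-mode configuration Mike points to, written out as an added example; this is not configuration from the thread or text from the Juniper page he links. It reuses Aaron's collector address 10.51.16.9 and his policy name LAN_22bit_Browsing; the stream name, the zone names trust/untrust, UDP port 514 and the source address 10.0.0.1 are assumptions and must be replaced with real values.

```junos
## Added example: stream-mode security logging on a branch SRX.
## 10.51.16.9 and LAN_22bit_Browsing come from the thread; the stream name,
## zones, port and 10.0.0.1 are assumptions.

## 1. RT_FLOW messages leave the forwarding plane directly, as IETF
##    structured-data syslog, instead of being handed to the RE's eventd.
set security log mode stream
set security log format sd-syslog
set security log source-address 10.0.0.1

## 2. One stream per collector. The host must be reachable from the
##    forwarding plane, i.e. via a revenue port, not via fxp0.
set security log stream traffic-collector host 10.51.16.9
set security log stream traffic-collector host port 514
set security log stream traffic-collector severity info
set security log stream traffic-collector category all

## 3. A session is only logged if the matching policy asks for it.
set security policies from-zone trust to-zone untrust policy LAN_22bit_Browsing then log session-init
set security policies from-zone trust to-zone untrust policy LAN_22bit_Browsing then log session-close

## Check that the policy now has session logging enabled:
##   show security policies policy-name LAN_22bit_Browsing detail
```

Two things to keep in mind with this mode. Once `security log mode stream` is committed, session logs no longer pass through eventd, so the `system syslog host` and `system syslog file ... match RT_FLOW` stanzas in Aaron's configuration stop seeing them; the local `traffic-log` file will go quiet and the collector becomes the only copy. The stream is plain UDP with no authentication or confidentiality, so the path from the revenue interface to the collector should be a network you trust, and `session-init` on a busy policy roughly doubles the message rate, which is why many deployments log only `session-close`.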
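What arrives at the collector in stream mode is an RFC 5424 message whose structured-data element carries the fields of the session, which is what makes the RT_FLOW_SESSION_CREATE/CLOSE pair usable for detection and accounting. The parser below is an added example, not code from the thread or from Juniper. The sample lines are constructed to mirror sessions 216 and 248 from Aaron's `show security flow session` output; the timestamps, PRI value, zone names, NAT rule names and the order in which the events were received are assumptions, and the first sample is one of the RE messages Aaron actually saw, kept to show that non-RT_FLOW lines are ignored.

```python
"""Parse Junos RT_FLOW session logs (sd-syslog format) as received by a collector.

Added example, not from the juniper-nsp thread or from Juniper. SAMPLE_LINES
are constructed: sessions 216 and 248 mirror Aaron's flow table, everything
else (timestamps, PRI, zones, NAT rule names) is an assumption.
"""
import re
from collections import defaultdict

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOST APP-NAME PROCID MSGID [SD-ID params] MSG
_HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) \[(?P<sdid>junos@[\d.]+)'
    r'(?P<params>(?: [\w-]+="(?:[^"\\]|\\.)*")*)\] ?(?P<msg>.*)$'
)
# One PARAM-NAME="PARAM-VALUE"; the value may contain backslash-escaped ", \ and ]
_PARAM_RE = re.compile(r'([\w-]+)="((?:[^"\\]|\\.)*)"')

SAMPLE_LINES = [
    # RE-originated message (BSD format) of the kind Aaron already receives: not RT_FLOW
    'Jun 19 14:37:15 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17',
    # Constructed: session 216 opened
    '<14>1 2017-06-19T14:07:21.000Z HQ_A RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.39 source-address="10.0.2.165" source-port="61141" '
    'destination-address="52.112.66.235" destination-port="443" service-name="junos-https" '
    'nat-source-address="2.4.6.8" nat-source-port="62085" nat-destination-address="52.112.66.235" '
    'nat-destination-port="443" src-nat-rule-name="interface-nat" dst-nat-rule-name="None" '
    'protocol-id="6" policy-name="LAN_22bit_Browsing" source-zone-name="trust" '
    'destination-zone-name="untrust" session-id-32="216" username="N/A" roles="N/A" '
    'packet-incoming-interface="reth0.0" application="UNKNOWN" nested-application="UNKNOWN" '
    'encrypted="UNKNOWN"] session created 10.0.2.165/61141->52.112.66.235/443 junos-https',
    # Constructed: session 216 closed, counters taken from the flow table
    '<14>1 2017-06-19T14:37:15.000Z HQ_A RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.39 reason="TCP FIN" source-address="10.0.2.165" source-port="61141" '
    'destination-address="52.112.66.235" destination-port="443" service-name="junos-https" '
    'nat-source-address="2.4.6.8" nat-source-port="62085" nat-destination-address="52.112.66.235" '
    'nat-destination-port="443" src-nat-rule-name="interface-nat" dst-nat-rule-name="None" '
    'protocol-id="6" policy-name="LAN_22bit_Browsing" source-zone-name="trust" '
    'destination-zone-name="untrust" session-id-32="216" packets-from-client="2666" '
    'bytes-from-client="463076" packets-from-server="2736" bytes-from-server="1048146" '
    'elapsed-time="1794" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" '
    'roles="N/A" packet-incoming-interface="reth0.0" encrypted="UNKNOWN"] session closed TCP FIN',
    # Constructed: session 248 opened and still open at the end of the sample
    '<14>1 2017-06-19T14:37:40.000Z HQ_A RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.39 source-address="10.0.3.116" source-port="57591" '
    'destination-address="65.52.108.227" destination-port="443" service-name="junos-https" '
    'nat-source-address="2.4.6.8" nat-source-port="54704" nat-destination-address="65.52.108.227" '
    'nat-destination-port="443" src-nat-rule-name="interface-nat" dst-nat-rule-name="None" '
    'protocol-id="6" policy-name="LAN_22bit_Browsing" source-zone-name="trust" '
    'destination-zone-name="untrust" session-id-32="248" username="N/A" roles="N/A" '
    'packet-incoming-interface="reth0.0" application="UNKNOWN" nested-application="UNKNOWN" '
    'encrypted="UNKNOWN"] session created 10.0.3.116/57591->65.52.108.227/443 junos-https',
]


def parse_rt_flow(line):
    """Return the structured-data fields of an RT_FLOW message as a dict, or None otherwise."""
    m = _HEADER_RE.match(line.strip())
    if not m or m.group("app") != "RT_FLOW":
        return None
    rec = {"msgid": m.group("msgid"), "host": m.group("host"), "timestamp": m.group("ts")}
    for key, val in _PARAM_RE.findall(m.group("params")):
        rec[key] = re.sub(r"\\(.)", r"\1", val)  # undo RFC 5424 PARAM-VALUE escaping
    return rec


def summarize_sessions(lines):
    """Per-policy byte totals from SESSION_CLOSE events, plus sessions created but not yet closed."""
    still_open = {}
    per_policy = defaultdict(lambda: {"sessions": 0, "bytes_from_client": 0, "bytes_from_server": 0})
    for line in lines:
        rec = parse_rt_flow(line)
        if rec is None:
            continue
        sid = rec.get("session-id-32")
        if rec["msgid"] == "RT_FLOW_SESSION_CREATE":
            still_open[sid] = rec
        elif rec["msgid"] == "RT_FLOW_SESSION_CLOSE":
            still_open.pop(sid, None)  # CLOSE may arrive without a CREATE if only session-close is logged
            totals = per_policy[rec["policy-name"]]
            totals["sessions"] += 1
            totals["bytes_from_client"] += int(rec["bytes-from-client"])
            totals["bytes_from_server"] += int(rec["bytes-from-server"])
    return dict(per_policy), still_open


if __name__ == "__main__":
    totals, open_sessions = summarize_sessions(SAMPLE_LINES)
    for policy, t in totals.items():
        print(f"{policy}: {t['sessions']} closed, {t['bytes_from_client']} B out, {t['bytes_from_server']} B in")
    print("still open:", sorted(open_sessions))
```

The `session-id-32` field is what ties a CREATE to its CLOSE, so a collector that only logs `session-close` still gets every counter it needs; `session-init` mainly buys the ability to see a long-lived session before it ends. Anything that is not an RT_FLOW message, such as the nh_walk_chek_max_num_tag lines Aaron's collector was already receiving, falls out of the parser as None rather than being mis-parsed.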