[j-nsp] how to send SRX240 traffic/session logs to syslog server

Michael Gehrmann mgehrmann at atlassian.com
Mon Jun 19 16:26:49 EDT 2017 

I suggest stream logging: https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/security-system-stream-security-log-revenue-port-setting.html

We use this on every SRX we have for traffic logging.

Regards 
Mike

> On 19 Jun 2017, at 21:45, Aaron Gould <aaron1 at gvtc.com> wrote:
> 
> I'm trying to send SRX240 traffic/session logs to a syslog server... i have
> some system messages going to the syslog server, but not the session/traffic
> logs.  What do i need to do ?
> 
> 
> 
> ....i'll show you some info from the syslog stanza....let me know if you
> need to see anything else...
> 
> 
> 
> {primary:node0}
> 
> aaron.gould at HQ_A> show configuration system syslog | display set
> 
> set system syslog host 10.51.16.9 any any
> 
> set system syslog file policy_session user info
> 
> set system syslog file policy_session match RT_FLOW
> 
> set system syslog file policy_session archive size 5120000
> 
> set system syslog file policy_session archive files 5
> 
> set system syslog file policy_session archive world-readable
> 
> set system syslog file policy_session structured-data
> 
> set system syslog file traffic-log any any
> 
> set system syslog file traffic-log match RT_FLOW_SESSION
> 
> set system syslog file traffic-log archive size 5120000
> 
> set system syslog file traffic-log archive files 5
> 
> set system syslog file traffic-log archive world-readable
> 
> set system syslog file traffic-log structured-data
> 
> set system syslog source-address 1.2.3.4
> 
> 
> 
> {primary:node0}
> 
> 
> 
> **** these messages are seen on the syslog server at 1.2.3.4
> 
> 
> 
> Jun 19 14:37:15 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> 
> Jun 19 14:37:15 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> 
> Jun 19 14:37:15 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> 
> Jun 19 14:37:20 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> 
> Jun 19 14:37:25 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> 
> Jun 19 14:37:25 HQ_A last message repeated 4 times
> 
> Jun 19 14:37:25 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> 
> Jun 19 14:37:29 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> 
> Jun 19 14:37:30 HQ_A mgd[9666]: UI_CMDLINE_READ_LINE: User 'aaron.gould',
> command 'show configuration system syslog | display set '
> 
> Jun 19 14:37:30 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> 
> Jun 19 14:37:32 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> 
> Jun 19 14:37:38 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> 
> Jun 19 14:37:38 HQ_A last message repeated 4 times
> 
> Jun 19 14:37:41 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> 
> Jun 19 14:37:41 HQ_A last message repeated 4 times
> 
> Jun 19 14:37:48 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> 
> Jun 19 14:37:48 HQ_A last message repeated 2 times
> 
> Jun 19 14:37:48 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> 
> Jun 19 14:37:48 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
> 
> 
> 
> 
> 
> ***** these are the local flows seen in the SRX240 cli that I would like to
> see on the syslog server....
> 
> 
> 
> {primary:node0}
> 
> aaron.gould at HQ_A> show security flow session
> 
> node0:
> 
> --------------------------------------------------------------------------
> 
> 
> 
> Session ID: 216, Policy name: LAN_22bit_Browsing/9, State: Active, Timeout:
> 1794, Valid
> 
>  In: 10.0.2.165/61141 --> 52.112.66.235/443;tcp, If: reth0.0, Pkts: 2666,
> Bytes: 463076
> 
>  Out: 52.112.66.235/443 --> 2.4.6.8/62085;tcp, If: reth1.0, Pkts: 2736,
> Bytes: 1048146
> 
> 
> 
> Session ID: 248, Policy name: LAN_22bit_Browsing/9, State: Active, Timeout:
> 1772, Valid
> 
>  In: 10.0.3.116/57591 --> 65.52.108.227/443;tcp, If: reth0.0, Pkts: 8177,
> Bytes: 805754
> 
>  Out: 65.52.108.227/443 --> 2.4.6.8/54704;tcp, If: reth1.0, Pkts: 4105,
> Bytes: 775308
> 
> 
> 
> Session ID: 253, Policy name: LAN_22bit_Browsing/9, State: Active, Timeout:
> 1716, Valid
> 
>  In: 10.0.2.165/51076 --> 216.58.194.78/443;tcp, If: reth0.0, Pkts: 13,
> Bytes: 3632
> 
>  Out: 216.58.194.78/443 --> 2.4.6.8/55637;tcp, If: reth1.0, Pkts: 14,
> Bytes: 1489
> 
> 
> 
> Session ID: 303, Policy name: LAN_22bit_Browsing/9, State: Active, Timeout:
> 1784, Valid
> 
>  In: 10.0.2.72/51189 --> 52.112.66.235/443;tcp, If: reth0.0, Pkts: 5040,
> Bytes: 999840
> 
>  Out: 52.112.66.235/443 --> 2.4.6.8/57607;tcp, If: reth1.0, Pkts: 5393,
> Bytes: 2466530
> 
> 
> 
> 
> 
> 
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://urldefense.proofpoint.com/v2/url?u=https-3A__puck.nether.net_mailman_listinfo_juniper-2Dnsp&d=DwICAg&c=wBUwXtM9sKhff6UeHOQgvw&r=iCARHrCSMVMu5fNENyuQGdvoQJpwI5WIbiqe9jFEMFg&m=QQkoyObLu_PafLl0X_os-t1n10Kdpf7aDFA8iqsS4kg&s=Bh5Xu6_cNyroV2et5G7CnoOTBx6xRWe-DxgQBO8uZFw&e=

More information about the juniper-nsp mailing list