Discussion:
[j-nsp] how to send SRX240 traffic/session logs to syslog server
Aaron Gould
2017-06-19 19:45:56 UTC
I'm trying to send SRX240 traffic/session logs to a syslog server... I have
some system messages going to the syslog server, but not the session/traffic
logs. What do I need to do?

I'll show you some info from the syslog stanza... let me know if you
need to see anything else...

{primary:node0}
***@HQ_A> show configuration system syslog | display set
set system syslog host 10.51.16.9 any any
set system syslog file policy_session user info
set system syslog file policy_session match RT_FLOW
set system syslog file policy_session archive size 5120000
set system syslog file policy_session archive files 5
set system syslog file policy_session archive world-readable
set system syslog file policy_session structured-data
set system syslog file traffic-log any any
set system syslog file traffic-log match RT_FLOW_SESSION
set system syslog file traffic-log archive size 5120000
set system syslog file traffic-log archive files 5
set system syslog file traffic-log archive world-readable
set system syslog file traffic-log structured-data
set system syslog source-address 1.2.3.4

{primary:node0}

**** these messages are seen on the syslog server at 1.2.3.4

Jun 19 14:37:15 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
Jun 19 14:37:15 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
Jun 19 14:37:15 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
Jun 19 14:37:20 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
Jun 19 14:37:25 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
Jun 19 14:37:25 HQ_A last message repeated 4 times
Jun 19 14:37:25 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
Jun 19 14:37:29 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
Jun 19 14:37:30 HQ_A mgd[9666]: UI_CMDLINE_READ_LINE: User 'aaron.gould', command 'show configuration system syslog | display set '
Jun 19 14:37:30 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
Jun 19 14:37:32 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
Jun 19 14:37:38 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
Jun 19 14:37:38 HQ_A last message repeated 4 times
Jun 19 14:37:41 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
Jun 19 14:37:41 HQ_A last message repeated 4 times
Jun 19 14:37:48 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
Jun 19 14:37:48 HQ_A last message repeated 2 times
Jun 19 14:37:48 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17
Jun 19 14:37:48 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17

***** these are the local flows seen in the SRX240 cli that I would like to
see on the syslog server....

{primary:node0}
***@HQ_A> show security flow session
node0:
--------------------------------------------------------------------------

Session ID: 216, Policy name: LAN_22bit_Browsing/9, State: Active, Timeout: 1794, Valid
In: 10.0.2.165/61141 --> 52.112.66.235/443;tcp, If: reth0.0, Pkts: 2666, Bytes: 463076
Out: 52.112.66.235/443 --> 2.4.6.8/62085;tcp, If: reth1.0, Pkts: 2736, Bytes: 1048146

Session ID: 248, Policy name: LAN_22bit_Browsing/9, State: Active, Timeout: 1772, Valid
In: 10.0.3.116/57591 --> 65.52.108.227/443;tcp, If: reth0.0, Pkts: 8177, Bytes: 805754
Out: 65.52.108.227/443 --> 2.4.6.8/54704;tcp, If: reth1.0, Pkts: 4105, Bytes: 775308

Session ID: 253, Policy name: LAN_22bit_Browsing/9, State: Active, Timeout: 1716, Valid
In: 10.0.2.165/51076 --> 216.58.194.78/443;tcp, If: reth0.0, Pkts: 13, Bytes: 3632
Out: 216.58.194.78/443 --> 2.4.6.8/55637;tcp, If: reth1.0, Pkts: 14, Bytes: 1489

Session ID: 303, Policy name: LAN_22bit_Browsing/9, State: Active, Timeout: 1784, Valid
In: 10.0.2.72/51189 --> 52.112.66.235/443;tcp, If: reth0.0, Pkts: 5040, Bytes: 999840
Out: 52.112.66.235/443 --> 2.4.6.8/57607;tcp, If: reth1.0, Pkts: 5393, Bytes: 2466530

_______________________________________________
juniper-nsp mailing list juniper-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Michael Gehrmann
2017-06-19 20:26:49 UTC
I suggest stream logging: https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/security-system-stream-security-log-revenue-port-setting.html

We use this on every SRX we have for traffic logging.

Regards
Mike
Aaron Gould
2017-06-19 21:29:34 UTC
Thanks Mike. Per the web link I tried the following, but still don't see session/flow logs from the SRX...

set security log stream log3 format welf category content-security host 10.51.16.9
set security log source-address 1.2.3.4

-Aaron

Jed Laundry
2017-06-20 00:25:33 UTC
Hi Aaron,

Have you enabled logging on each policy you're interested in? I.e.:

then {
    permit;
    log {
        session-init;
        session-close;
    }
}

Thanks,
Jed.

Aaron Gould
2017-06-22 14:29:10 UTC
Oh my gosh, guess what... Syslog traps were arriving at the server all along... but were going into /var/log/daemon.log, and I was grepping on /var/log/syslog :|

Thanks for all your suggestions...

At this point, using just 2 statements for "set system syslog host .... source-address ...", I see WEBFILTER logs hitting /var/log/daemon.log on the server....

Now I will go back and see what you all suggested about the logs for sending the cli output for "show security flow session...."

Thanks again

-Aaron Gould

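Added example (not from the thread, and not Juniper's code): a small Python checker for a captured syslog feed that ties Jed's point and Aaron's finding together. It decodes the PRI of each line into facility and severity (which is what decides whether the collector files a message under /var/log/daemon.log or /var/log/syslog), and it pulls the key="value" fields out of the RT_FLOW_SESSION_CREATE / RT_FLOW_SESSION_CLOSE structured-data messages that policy-level `session-init` / `session-close` logging emits. The sample lines are constructed (PRI values, zone names, timestamps and the exact attribute set are assumptions modelled on the RT_FLOW structured-data format; the attribute set varies by Junos release).

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Syslog facility codes (RFC 5424 section 6.2.1): PRI = facility * 8 + severity.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA
_RFC5424 = re.compile(r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
                      r'(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$')
# Classic BSD form (RFC 3164), what a plain "host ... any any" stanza emits.
_BSD = re.compile(r'^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) '
                  r'(?P<host>\S+) (?P<msg>.*)$')
_SD = re.compile(r'\[(?P<sdid>[^\s\]]+)(?P<params>[^\]]*)\]')   # one [SD-ID k="v" ...] element
_PARAM = re.compile(r'(?P<k>[\w.-]+)="(?P<v>[^"]*)"')

# Constructed sample capture: one system message like the ones Aaron saw, then a
# session create and a session close as emitted once a policy logs sessions.
# PRI 27 = daemon.err, PRI 30 = daemon.info (assumed values, not taken from the thread).
SAMPLE_LINES = [
    '<27>Jun 19 14:37:15 HQ_A HQ_A nh_walk_chek_max_num_tag: unexpected NH type 17',
    '<30>1 2017-06-19T14:37:16.000Z HQ_A RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.36 source-address="10.0.2.165" source-port="61141" '
    'destination-address="52.112.66.235" destination-port="443" service-name="junos-https" '
    'nat-source-address="2.4.6.8" nat-source-port="62085" nat-destination-address="52.112.66.235" '
    'nat-destination-port="443" protocol-id="6" policy-name="LAN_22bit_Browsing" '
    'source-zone-name="trust" destination-zone-name="untrust" session-id-32="216" '
    'packet-incoming-interface="reth0.0"]',
    '<30>1 2017-06-19T14:39:40.000Z HQ_A RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.36 reason="TCP FIN" source-address="10.0.2.165" source-port="51076" '
    'destination-address="216.58.194.78" destination-port="443" service-name="junos-https" '
    'nat-source-address="2.4.6.8" nat-source-port="55637" nat-destination-address="216.58.194.78" '
    'nat-destination-port="443" protocol-id="6" policy-name="LAN_22bit_Browsing" '
    'source-zone-name="trust" destination-zone-name="untrust" session-id-32="253" '
    'packets-from-client="13" bytes-from-client="3632" packets-from-server="14" '
    'bytes-from-server="1489" elapsed-time="42"]',
]


@dataclass
class SyslogEvent:
    facility: str
    severity: str
    host: str
    app: str
    msgid: str                      # empty for BSD-format lines, which carry no MSGID
    params: Dict[str, str] = field(default_factory=dict)


def parse_event(line: str) -> Optional[SyslogEvent]:
    """Parse one syslog line in RFC 5424 or BSD form; None if it is neither."""
    line = line.strip()
    m = _RFC5424.match(line)
    if m:
        params: Dict[str, str] = {}
        for sd in _SD.finditer(m.group("rest")):
            params.update({p.group("k"): p.group("v")
                           for p in _PARAM.finditer(sd.group("params"))})
        pri, host, app, msgid = int(m.group("pri")), m.group("host"), m.group("app"), m.group("msgid")
    else:
        m = _BSD.match(line)
        if not m:
            return None
        params = {}
        pri, host, msgid = int(m.group("pri")), m.group("host"), ""
        app = re.split(r"[\[:\s]", m.group("msg"), maxsplit=1)[0]   # TAG before ':' or '[pid]'
    return SyslogEvent(facility=FACILITIES.get(pri >> 3, f"facility{pri >> 3}"),
                       severity=SEVERITIES[pri & 7], host=host, app=app,
                       msgid=msgid, params=params)


def summarize(lines: List[str]) -> Dict[str, object]:
    """Did any RT_FLOW session events arrive, under which facility.severity
    (hence which collector file), from which policies, and how big were closed flows."""
    events = [e for e in map(parse_event, lines) if e is not None]
    sessions = [e for e in events if e.msgid.startswith("RT_FLOW_SESSION_")]
    return {
        "parsed": len(events),
        "session_events": len(sessions),
        "facilities": dict(Counter(f"{e.facility}.{e.severity}" for e in sessions)),
        "policies": dict(Counter(e.params.get("policy-name", "?") for e in sessions)),
        "closed_bytes": {e.params["session-id-32"]:
                         int(e.params["bytes-from-client"]) + int(e.params["bytes-from-server"])
                         for e in sessions if e.msgid == "RT_FLOW_SESSION_CLOSE"},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Run it against a real capture by replacing SAMPLE_LINES with the lines read from the collector's file (or from a quick `tcpdump -A udp port 514` on the server); a "session_events" count of zero while "parsed" is non-zero means the SRX is reachable but no policy is logging sessions, and the "facilities" keys show which file the collector's rules will route the RT_FLOW messages to.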