SRX

Capturing security flow messages (RT_FLOW)

  • 1.  Capturing security flow messages (RT_FLOW)

    Posted 08-09-2017 06:26

    Hi,

    I am trying to understand why some SRXs I have are showing RT_FLOW_SESSION_CREATE messages in the logs and some are not. Looking at the configuration, they are all the same for logging to the file messages:

    set system syslog file messages any info
    set system syslog file messages authorization info

    All security policies contain a "then log session-init" and "then log session-close".

    I can, for example, create a very specific match condition and it populates the file.

    e.g.
    set system syslog file accepted-traffic any any
    set system syslog file accepted-traffic match RT_FLOW.*ISP_X_SIP

    I just can't understand why the output of "show log messages" is different on the different SRX boxes, which have the same configuration from a logging point of view.

    thanks



  • 2.  RE: Capturing security flow messages (RT_FLOW)

    Posted 08-09-2017 10:04

    Hello,
    Which SRX models are you using?
    Can you copy the "show security log" command output?


  • 3.  RE: Capturing security flow messages (RT_FLOW)

    Posted 08-10-2017 03:23

    Hi Amnesiac

    It returns "security logging disabled".

    Model: srx1500
    Junos: 15.1X49-D80.4

    SRX cluster SITEA shows no security flow logs in log messages.

    SRX cluster SITEB shows all security flow messages in log messages.

    thanks



  • 4.  RE: Capturing security flow messages (RT_FLOW)

    Posted 08-10-2017 03:30

    Try

    root@srx# set security log mode event
    root@srx# commit

    Regards, Wojtek



  • 5.  RE: Capturing security flow messages (RT_FLOW)

    Posted 08-22-2017 07:28

    Hi Wojtek

    Unfortunately, even after that command, "show security log" still shows:

    Security logging is disabled

    I also can see no RT_FLOW output in the log messages.



  • 6.  RE: Capturing security flow messages (RT_FLOW)

    Posted 08-22-2017 20:15

    Can you show us the security log configuration on both devices?

    set system syslog = control plane logging

    set security log = dataplane logging. <==== Which file are you logging to here? Are they both set to log to messages?

    What mode are you using? Event mode will send it to the control plane infrastructure and stream mode will send it to remote syslog. The error about security logging not being enabled is related to whether you enable cache for auditing. You can get rid of that error with "set security log cache", but I don't know the long-term effect of this statement though.
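
    The two logging paths described in the reply above (control-plane "system syslog" versus data-plane "security log", and event mode versus stream mode), written out as an added configuration example. This is not from the thread and is not Juniper's own documentation: the zone names trust/untrust, the policy name allow-out, the file name traffic-log, the stream name soc-collector and the 192.0.2.x addresses are assumptions for illustration. The lines beginning with "##" and "#" are annotations, not statements to paste.

```junos
## Added example: where RT_FLOW_* messages go on an SRX, in the two modes discussed.
## Zone names, policy name, file name, stream name and addresses are assumed values.

## 1. The policy has to request the logs; without these two lines nothing is emitted
##    regardless of how 'security log' or 'system syslog' are configured.
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
set security policies from-zone trust to-zone untrust policy allow-out then log session-init
set security policies from-zone trust to-zone untrust policy allow-out then log session-close

## 2a. Event mode: the data plane hands RT_FLOW_* messages to the control plane,
##     where the 'system syslog' hierarchy decides which file receives them.
set security log mode event

## Control-plane syslog: keep session logs in their own file instead of 'messages',
## so that 'show log traffic-log' contains only the RT_FLOW_SESSION_* lines.
set system syslog file traffic-log any any
set system syslog file traffic-log match RT_FLOW_SESSION

## 2b. Stream mode (the alternative to 2a): the data plane sends RT_FLOW_* messages
##     directly to a remote collector, so they never appear in 'show log messages'.
##     Use this block instead of 'mode event' when a collector is in place.
#set security log mode stream
#set security log format sd-syslog
#set security log source-address 192.0.2.1
#set security log stream soc-collector host 192.0.2.50
#set security log stream soc-collector host port 514
#set security log stream soc-collector category all
```

    When comparing two devices that "look the same", diff the output of "show configuration security log" and "show configuration system syslog" rather than only the policy actions: if the mode is not set explicitly, the platform default applies, and a box in stream mode with no stream configured will show an empty messages file even though every policy logs. After a commit, "show log traffic-log" (or "show log messages | match RT_FLOW") should start filling as soon as a session matches the policy; if it does not, "show security log" and the file name under "system syslog" are the next two things to check.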



  • 7.  RE: Capturing security flow messages (RT_FLOW)

    Posted 08-22-2017 20:18

    Maybe you have to turn on traceoptions for security log to get more details about what is happening.