I am trying to understand why some SRXs I have are showing RT_FLOW_SESSION_CREATE messages in the logs and some are not. Looking at the configuration, they are all the same for logging to the file messages:
set system syslog file messages any info
set system syslog file messages authorization info
All security policies contain a then log session-init and then log session-close.
I can, for example, create a very specific match condition and it populates the file.
e.g.
set system syslog file accepted-traffic any any
set system syslog file accepted-traffic match RT_FLOW.*ISP_X_SIP
Just can't understand why the output is different for show log messages on the different SRX boxes with the same configuration from a logging point of view,
it returns security logging disabled.
Model: srx1500
Junos: 15.1X49-D80.4
SRX cluster SITEA shows no security flow logs in log messages
SRX cluster SITEB shows all security flow messages in log messages
root@srx# set security log mode event
Unfortunately, even after that command, it still shows:
show security log
Security logging is disabled
I also can see no RT_FLOW output in the log messages
Can you show us the security log configurations on both devices?
set system syslog = control plane logging
set security log = dataplane logging. <==== which file are you logging to here? are they both set to log to messages?
What mode are you using? Event mode will send it to the control plane infrastructure and stream will send it to remote syslog. The error about security logging not being enabled is related to whether you enable cache for auditing. You can get rid of that error with "set security log cache", but I don't know the long-term effect of this statement.
Maybe you have to turn on traceoptions for security log to get more details about what is happening.
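One way to carry out the comparison requested above (the security log configuration on both devices), as an added example that is not part of the original thread: a Python sketch that filters the show configuration | display set output of two devices down to the statements that affect RT_FLOW logging and reports what differs. The two sample configurations are constructed and do not represent the poster's devices; the function names are hypothetical.

```python
import re

# Statements that decide whether and where RT_FLOW session logs are written:
# control-plane syslog, dataplane security log, and per-policy log actions.
LOGGING_PATTERNS = (
    re.compile(r"^set system syslog "),
    re.compile(r"^set security log "),
    re.compile(r"^set security policies .* then log session-(init|close)$"),
)

def logging_statements(display_set_text):
    """Return the logging-relevant lines from 'display set' output as a set."""
    found = set()
    for raw in display_set_text.splitlines():
        line = " ".join(raw.split())  # normalise indentation and spacing
        if any(p.search(line) for p in LOGGING_PATTERNS):
            found.add(line)
    return found

def security_log_mode(statements):
    """Return the explicitly configured security log mode, or None if unset."""
    for line in statements:
        m = re.match(r"^set security log mode (\S+)$", line)
        if m:
            return m.group(1)
    return None

def compare(site_a_text, site_b_text):
    """Diff the logging-relevant statements of two devices."""
    a, b = logging_statements(site_a_text), logging_statements(site_b_text)
    return {"only_a": sorted(a - b), "only_b": sorted(b - a),
            "mode_a": security_log_mode(a), "mode_b": security_log_mode(b)}

# Constructed sample input (not taken from the thread's devices).
COMMON = """
set system syslog file messages any info
set system syslog file messages authorization info
set security policies from-zone trust to-zone untrust policy P1 then permit
set security policies from-zone trust to-zone untrust policy P1 then log session-init
set security policies from-zone trust to-zone untrust policy P1 then log session-close
"""
SITE_A = COMMON
SITE_B = COMMON + "set security log mode event\n"

if __name__ == "__main__":
    for key, value in compare(SITE_A, SITE_B).items():
        print(key, value)
```
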