SRX

Expand all | Collapse all

How to log screen messages to file

Jump to Best Answer
  • 1.  How to log screen messages to file

    Posted 01-07-2016 06:04

    Hi all,

     

    I have two SRX3600 in an active/passive cluster configuration. I have enabled screen under security options and now I'm tryng to log the messages it generates to a file.

     

    I have configured the following per Juniper document

     

    syslog {
        archive size 128k files 50 world-readable;
        user * {
            any emergency;
        }
        file messages {
            any warning;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
        file interface_logs {
            any any;
            match UpDown;
        }
        file IDS_messages {
            any any;
            match RT_SCREEN;
        }
    }

     

    The trouble is I'm not seeing any logs being generated by the screen. I do see that the statistics for the screen on the active node are going up but I see no logs being generated.

     

    # run show security screen statistics zone outside node 1
    node1:
    --------------------------------------------------------------------------
    Screen statistics:

    IDS attack type                              Statistics
      ICMP flood                                 144761
      UDP flood                                  22615
      TCP winnuke                                0
      TCP port scan                              962
      ICMP address sweep                         0
      TCP sweep                                  301039
      UDP sweep                                  8336
      IP tear drop                               0
      TCP SYN flood                              392134
      IP spoofing                                2241630
      ICMP ping of death                         0
      IP source route option                     0
      TCP land attack                            0
      TCP SYN fragment                           0
      TCP no flag                                1335
      IP unknown protocol                        38
      IP bad options                             0
      IP record route option                     0
      IP timestamp option                        0
      IP security option                         0
      IP loose source route option               0
      IP strict source route option              0
      IP stream option                           0
      ICMP fragment                              0
      ICMP large packet                          105
      TCP SYN FIN                                0
      TCP FIN no ACK                             369687
      Source session limit                       0
      TCP SYN-ACK-ACK proxy                      0
      IP block fragment                          96640
      Destination session limit                  0

     

    Can anyone help me with configuring this?

     



  • 2.  RE: How to log screen messages to file

    Posted 01-07-2016 18:58

    Hi igor.hamzic81,

     

     

    In the default logging mode the SRX 3600 won't log traffic logs to a file, to enable that you have to apply the configuration :

     

     

    set security log mode event

    Only problem is that this increases the CPU utilization and as such isn't recommended. Optimal solution is to configure a syslog server and send the logs to it using the current mode of logging ( stream ).



  • 3.  RE: How to log screen messages to file
    Best Answer

     
    Posted 01-08-2016 03:17

    Event mode logging is also limited to 1000 events per second.  So on busy systems you may also be missing logs.



  • 4.  RE: How to log screen messages to file

    Posted 01-12-2016 06:19

    Thanks all for the answers. I will set up a log server as this seems like an optimal solution.



  • 5.  RE: How to log screen messages to file

    Posted 08-29-2018 17:33

    Hello,

     

    You need to actually configure the match criteria like this "RT_IDS".
    see the following configuration example:

    #set system syslog host 172.16.xx.10 any any
    #set system syslog host 172.16.xx.10 match "RT_IDP|RT_IDS"
    #set system syslog host 172.16.xx.10 source-address 172.16.xx.5
    #set system syslog host 172.16.xx.10 structured-data brief
    #set system syslog file messages any any

    Let me know if this works.