SRX

I am not seeing traffic logs coming into my syslog server from my SRX240. I am seeing occasional hits from the firewall with CMDLINE_READ_LINE and CFG_AUDIT_SET messages but no actual traffic logs. There should be a significant amount of traffic coming from this device and it was working at one point. Does anyone have any ideas short of rebooting the box? This unit is set to be retired for a newer SRX model but I need it working until we are ready to upgrade. I am running 12.1X46-D86

host 10.x.x.52 {
any any;
match RT_FLOW_SESSION;
}

policy 0846_01222019 {
description "Default trust-untrust outbound traffic. Ticket# 6261";
match {
source-address LANS-WM;
destination-address any;
application [ junos-icmp-ping junos-http junos-https junos-ntp junos-dns-udp ];
}
then {
permit {
inactive: application-services {
utm-policy wm-websense;
}
}
log {
session-init;
}
}
}

Hi,

Please check under hierarchy [edit security log]; "mode event" has to be set.

This is because the logs generated by the security-policies are data-plane logs and with the "mode event"  they will be sent to the Routing-Engine of the SRX (control-plane level) and at that point these logs will be matched by the syslog file you have configured under [edit system syslog].

If the amount of logs is high it could affect your Routing-Engine hence it is recommended to set "mode stream" and have the data-plane logs being sent from the data-plane itself to an external server.

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/security-system-stream-security-log-revenue-port-setting.html

Thank you much! During a POC of Firemon we set our log to stream vs event and I forgot to check there.

You are very welcome, Im glad to hear it is working as expected.