SRX


Filter logging

  • 1.  Filter logging

    Posted 09-13-2018 17:52

    Hi Everyone,

    Please consider the following example:

    H1-199.199.199.1--199.199.199.10 F1 SRX--Rest of the network.

    We want to use a filter to log traffic, just the first 100 bytes of each IP packet, for an extended period of time, say 1 hr.

    My issue is that when I use a filter with log, it can only hold traffic for 2 minutes. It is a heavy-traffic environment.

    Below is my config:

    set firewall family inet filter GREAT term T1 from source-address 199.199.199.1
    set firewall family inet filter GREAT term T1 then log
    set firewall family inet filter GREAT term T1 then accept
    set firewall family inet filter GREAT term T2 then accept
    set interfaces f1/1 unit 0 family inet filter input GREAT

     

    I want to log at least 2 M of logs using the above filter. How can I do that?

    Thanks



  • 2.  RE: Filter logging

    Posted 09-13-2018 18:33

    Hi, here are two options:

    1) Try to configure then syslog; with this, all info will be copied to the system syslog, but in a heavy-traffic environment, DDoS protection and other limitations will prevent logging too many messages.

    2) The better option would be to use jflow/netflow and send packet statistics to an external server.



  • 3.  RE: Filter logging
    Best Answer

    Posted 09-13-2018 23:33

    Hello,

    @sarahr202 wrote:

    We want to use a filter to log traffic, just the first 100 bytes of each IP packet, for an extended period of time, say 1 hr.

    My issue is that when I use a filter with log, it can only hold traffic for 2 minutes. It is a heavy-traffic environment.

    SRX logs only the IP header + part of the L4 header (UDP ports, TCP ports + flags, ICMP type+code). You won't be able to log anything beyond the L4 header, sorry.

     


    @sarahr202 wrote:

    first 100 bytes of each IP packet, for an extended period of time, say 1 hr.

    Leaving aside the fact that SRX is not able to syslog payload beyond the L4 header, let's do some simple math, shall we? Let's say this is an SRX100 with 100Mbps of 512-byte packets. That's 24Kpps.

    So, for 1 hour (3600 secs) it will generate 69GBytes of logging. Then You'd need:

    1/ since ANY SRX won't be able to store it locally, You need an external syslog server capable of writing 24Kpps of syslog messages per SRX

    2/ this syslog server must have an appropriately sized disk

     

    Inference:

    1/ You need to look elsewhere/beyond SRX logging capabilities to meet Your requirement

    2/ if You still want to pursue that with SRX, configure packet replication on SRX itself (by means of analyzer/port-mirroring, or simply have a VLAN with MAC learning disabled) and funnel the replicated packets to a Linux server of Your choice with Wireshark running on it. Of course, don't forget the server disk requirements.

    HTH

    Thx
    Alex
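The sizing arithmetic in the answer above, written out as an added example (not part of this thread and not Juniper code). It generalizes the SRX100 case to any link rate, packet size and capture window, and also answers the original poster's "only 2 minutes" problem from the other direction: how long a given local log budget lasts at a given packet rate. The figure of 800 bytes per syslog message is an assumption chosen because 24Kpps x 3600 s x 800 B reproduces the 69 GB quoted in the answer; the 100 Mbps, 512-byte and 1-hour inputs are the answer's own.

```python
"""Capacity planning for per-packet firewall-filter logging (added example)."""
from dataclasses import dataclass

# Assumption: ~800 bytes per syslog line. Not a Juniper figure; it is the value that
# turns 24Kpps over one hour into the ~69 GB quoted in the thread.
ASSUMED_BYTES_PER_MESSAGE = 800


@dataclass(frozen=True)
class LogSizing:
    packets_per_second: float   # packet (and therefore log-message) rate
    messages_per_window: int    # log lines produced over the capture window
    bytes_per_window: int       # storage those lines need, before compression


def packets_per_second(link_bps: float, packet_bytes: int) -> float:
    """Packets per second when a link runs full at one average packet size."""
    if link_bps <= 0 or packet_bytes <= 0:
        raise ValueError("link rate and packet size must be positive")
    return link_bps / (packet_bytes * 8)


def size_logging(link_bps: float, packet_bytes: int, seconds: float,
                 bytes_per_message: int = ASSUMED_BYTES_PER_MESSAGE) -> LogSizing:
    """Log volume for logging every packet on a link for `seconds`."""
    pps = packets_per_second(link_bps, packet_bytes)
    messages = int(pps * seconds)
    return LogSizing(pps, messages, messages * bytes_per_message)


def seconds_of_retention(budget_bytes: float, link_bps: float, packet_bytes: int,
                         bytes_per_message: int = ASSUMED_BYTES_PER_MESSAGE) -> float:
    """How long a fixed log budget (e.g. a local log file) lasts at full line rate.

    This is the OP's situation seen from the storage side: a small on-box buffer
    at tens of thousands of messages per second wraps in well under a minute.
    """
    pps = packets_per_second(link_bps, packet_bytes)
    return budget_bytes / (pps * bytes_per_message)


def fits_in(sizing: LogSizing, free_bytes: float) -> bool:
    """True if the capture window's log volume fits in the given free space."""
    return sizing.bytes_per_window <= free_bytes


def sizing_table(link_bps: float, seconds: float,
                 packet_sizes=(64, 512, 1500)) -> dict:
    """Same link and window across several average packet sizes (bytes -> GB)."""
    return {size: size_logging(link_bps, size, seconds).bytes_per_window / 1e9
            for size in packet_sizes}


if __name__ == "__main__":
    # The thread's case: SRX100, 100 Mbps of 512-byte packets, one hour.
    s = size_logging(100e6, 512, 3600)
    print(f"{s.packets_per_second:,.0f} pps -> {s.messages_per_window:,} messages "
          f"-> {s.bytes_per_window / 1e9:.1f} GB per hour")
    # A constructed 1 GB on-box budget: how much capture time does it buy?
    print(f"1 GB local budget lasts {seconds_of_retention(1e9, 100e6, 512):.0f} s")
    for size, gb in sizing_table(100e6, 3600).items():
        print(f"  avg {size:4d}-byte packets: {gb:8.1f} GB/hour")
```

The table shows why the packet size matters as much as the link rate: at 64-byte packets the same 100 Mbps link produces eight times the message rate, and the syslog receiver and its disk have to be sized for that, not for the average day. The retention function gives a direct answer to the "2 minutes" symptom: it is not a timer but a byte budget being exhausted.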