
Configuring_Security_Logs_on SRX_220_320_With_External_Syslog_Server

  • 1.  Configuring_Security_Logs_on SRX_220_320_With_External_Syslog_Server

    Posted 08-04-2019 07:27

    Hello All,

     

    Just need your inputs here with configuring SRX 220, 320 to send the security (traffic) & system logs to an external syslog server.

     

    I tried a couple of ways but don't seem to be getting through, kindly help with the same.

     

    Regards

    shaan


    #Syslog_security_logging_configuration_with_External_syslog_Server


  • 2.  RE: Configuring_Security_Logs_on SRX_220_320_With_External_Syslog_Server

     
    Posted 08-04-2019 08:03

    I assume you are following an example like this one.

     

    https://www.juniper.net/documentation/en_US/junos/topics/example/syslog-single-chassis-system-configuring.html

     

    Can you share the config details and whether or not the logs show up in a local file configuration?

     



  • 3.  RE: Configuring_Security_Logs_on SRX_220_320_With_External_Syslog_Server

    Posted 08-04-2019 09:16

    Hello Spuluka,

     

    I don't have the configuration on the devices as of now, as it's a live/production site, so I was testing with commit confirmed to be on the safer side, as I am not sure about the size of the log file that would be created.

     

    Just to explain the scenario:

     

    I have a pair of SRX 320 or SRX 220 in an HA setup and, in simpler terms, I have untrust & trust zones; the trust zone is where I have the syslog server connected, and both FWs are able to reach the syslog server on the trust network. I am attaching a diagram just for your reference.

     

    Regards

    shaan



  • 4.  RE: Configuring_Security_Logs_on SRX_220_320_With_External_Syslog_Server

    Posted 08-04-2019 09:11

    Hey Shaan,

     

    Please follow the KB articles for sending the System logs and Traffic logs to the External Server.

     

    SRX Getting Started - Configure Traffic Logging (Security Policy Logs) for SRX Branch Devices: 

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16509

     

    SRX Getting Started - Configure System Logging:

    https://kb.juniper.net/InfoCenter/index?page=content&id=kb16502

     

    Let me know if you face any difficulties.



  • 5.  RE: Configuring_Security_Logs_on SRX_220_320_With_External_Syslog_Server

    Posted 08-04-2019 09:18

    Hello Noobmaster,

     

    I did follow this for the SRX 220, but then it didn't work.

     

    Regards

    shaan



  • 6.  RE: Configuring_Security_Logs_on SRX_220_320_With_External_Syslog_Server

    Posted 08-04-2019 09:27

    Shaan,

     

    Are you facing issues for both system logs and traffic logs?

     

    If so, please send me the configuration which you've implemented.

     

    user@host> show configuration system syslog | display set

    user@host> show configuration security log | display set

    user@host> show configuration security policies | display set

    user@host> show chassis routing-engine

    user@host> show system storage



  • 7.  RE: Configuring_Security_Logs_on SRX_220_320_With_External_Syslog_Server
    Best Answer

    Posted 08-04-2019 10:16

    Hi Shaan,

     

    In your Syslog configuration, you didn't specify the external server to which the logs need to be sent. Rather you've configured it to save the Syslog locally onto the SRX.

     

    You need to include the below line to send the system logs to the external server.

     

    Syntax:

    user@host# set system syslog host <IP address> <facility> <severity>

    user@host# commit

     

    Example:

    user@host# set system syslog host 192.168.11.1 any any

    user@host# commit

     

    NOTE: 192.168.11.1 is the IP address of my External Syslog server where I would like to receive the logs.

    Second, I reviewed your traffic logging configuration as well and you've missed a line. Please include the following line and let me know the behavior.

     

    Example:

    user@host# set security log stream FI_Syslog category all

     

    Please initiate the traffic for the appropriate policy where session-init and session-close are configured, so that we can verify the traffic logs.

     

    Let me know if you've any queries.
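    A consolidated set of commands covering both corrections from this answer (the external syslog host and the missing stream category), as an added example that is not part of the original post. The stream name FI_Syslog and the collector 192.168.11.1 come from the thread; the firewall source address 192.168.11.10, the zone names and the policy name allow-out are assumptions.

```junos
# System logs: forward all facilities/severities to the external collector
set system syslog host 192.168.11.1 any any

# Traffic logs: branch SRX emit session logs from the forwarding plane, so stream
# mode and a source address are required (192.168.11.10 is an assumed FW address)
set security log mode stream
set security log source-address 192.168.11.10
set security log stream FI_Syslog format sd-syslog
set security log stream FI_Syslog host 192.168.11.1
# The line the original configuration was missing:
set security log stream FI_Syslog category all

# A policy only produces session logs if it is told to log them
# (zone and policy names are assumptions)
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
set security policies from-zone trust to-zone untrust policy allow-out then log session-init
set security policies from-zone trust to-zone untrust policy allow-out then log session-close

# On a production box, commit with a rollback timer first, then confirm once
# RT_FLOW session messages are seen arriving on the collector
commit confirmed 5
commit
```

    In stream mode the session logs bypass the local messages file, so check for them on the collector rather than with show log on the SRX.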



  • 8.  RE: Configuring_Security_Logs_on SRX_220_320_With_External_Syslog_Server

    Posted 09-18-2019 00:15

    Thank you Noobmaster & all of you for your valuable inputs.

     

    Regards

    Shaan