SRX

I've configured syslog for configuration changes to be logged on a remote server. Below is my config:

set system syslog host 10.10.10.10 any critical
set system syslog host 10.10.10.10 authorization any
set system syslog host 10.10.10.10 user critical
set system syslog host 10.10.10.10 change-log any
set system syslog host 10.10.10.10 source-address 10.20.20.20
set system syslog host 10.10.10.10 structured-data

I changed config on SRX and received following messages on Syslog server:

2017-05-18 15:03:59 Local6.Info 10.202.30.40 1 2017-05-18T15:03:59.506-06:00 SRXVPN01 mgd 93743 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.39 username="admin_xxxxxxxx" action="set" pathname="[system services telnet\]" delimiter="" value=""] User 'admin_xxxxxxxx' set: [system services telnet]
2017-05-18 15:04:51 Local6.Info 10.202.30.40 1 2017-05-18T15:04:51.648-06:00 SRXVPN01 mgd 93743 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.39 username="admin_xxxxxxxx" action="delete" pathname="[system services telnet\]" delimiter="" value=""] User 'admin_xxxxxxxx' delete: [system services telnet] 

The Syslog messages dont have the source address of machine that changes the config. 10.202.30.40 address is the managment address of the SRX. 

Am i missing something in config ?

is the configured syslog source address defined on the SRX ?

if not I assume that this is the reson for the SRX to change to the loopback address.

regards

alexander

Yes the source address isdefined in SRX. They are all in same VR.

Hi,

The details of the syslog message are meintioned in the following link :-

https://apps.juniper.net/syslog-explorer/#message=UI_CFG_AUDIT_OTHER&product=Junos%20OS&release=17.1

This does not contain the IP address of the machine from where the changes are being made. It notes the username.

HTH!

Regards,

Sahil Sharma

Please mark my response as Solution if it Helps, Kudos are Appreciated as well.