I've configured syslog for configuration changes to be logged on a remote server. Below is my config:
set system syslog host 10.10.10.10 any critical
set system syslog host 10.10.10.10 authorization any
set system syslog host 10.10.10.10 user critical
set system syslog host 10.10.10.10 change-log any
set system syslog host 10.10.10.10 source-address 10.20.20.20
set system syslog host 10.10.10.10 structured-data
I changed the config on the SRX and received the following messages on the syslog server:
2017-05-18 15:03:59 Local6.Info 10.202.30.40 1 2017-05-18T15:03:59.506-06:00 SRXVPN01 mgd 93743 UI_CFG_AUDIT_OTHER [email@example.com username="admin_xxxxxxxx" action="set" pathname="[system services telnet\]" delimiter="" value=""] User 'admin_xxxxxxxx' set: [system services telnet]
2017-05-18 15:04:51 Local6.Info 10.202.30.40 1 2017-05-18T15:04:51.648-06:00 SRXVPN01 mgd 93743 UI_CFG_AUDIT_OTHER [firstname.lastname@example.org username="admin_xxxxxxxx" action="delete" pathname="[system services telnet\]" delimiter="" value=""] User 'admin_xxxxxxxx' delete: [system services telnet]
The syslog messages don't have the source address of the machine that changes the config. The 10.202.30.40 address is the management address of the SRX.
Am I missing something in the config?
Is the configured syslog source address defined on the SRX?
If not, I assume that this is the reason for the SRX to change to the loopback address.
Yes, the source address is defined on the SRX. They are all in the same VR.
The details of the syslog message are mentioned in the following link:
This does not contain the IP address of the machine from where the changes are being made. It notes the username.
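The point made in the last reply can be checked mechanically. The following is an added example, not code from the thread or from Juniper: it parses the structured-data element of the first message posted above, including the escaped `\]` inside `pathname`, and lists which parameters carry an IP address. The function names `parse_cfg_audit` and `ip_valued_params` are hypothetical.

```python
import ipaddress
import re

# First message from the post, copied verbatim (SD-ID exactly as it appears on the page).
SAMPLE = (
    r'2017-05-18 15:03:59 Local6.Info 10.202.30.40 1 2017-05-18T15:03:59.506-06:00 '
    r'SRXVPN01 mgd 93743 UI_CFG_AUDIT_OTHER [email@example.com username="admin_xxxxxxxx" '
    r'action="set" pathname="[system services telnet\]" delimiter="" value=""] '
    r"User 'admin_xxxxxxxx' set: [system services telnet]"
)

# RFC 5424 header: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then structured data.
HEADER = re.compile(r"(?:^| )1 (?P<ts>\d{4}-\d\d-\d\dT\S+) (?P<host>\S+) "
                    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) ")

def parse_cfg_audit(line):
    """Return header fields plus the SD-PARAMs of the first SD-ELEMENT."""
    m = HEADER.search(line)
    if m is None:
        raise ValueError("no RFC 5424 header found")
    rec = dict(m.groupdict(), sd_id=None, params={})
    i = m.end()
    if i >= len(line) or line[i] != "[":      # "-" means no structured data
        return rec
    j = i + 1
    while line[j] not in " ]":                # SD-ID ends at the first space or ]
        j += 1
    rec["sd_id"] = line[i + 1:j]
    i = j
    while line[i] != "]":
        eq = line.index("=", i)
        name = line[i + 1:eq]
        i, value = eq + 2, []                 # step past the =" pair
        while line[i] != '"':
            if line[i] == "\\" and line[i + 1] in '"\\]':
                i += 1                        # \" \\ \] are escapes inside a value
            value.append(line[i])
            i += 1
        rec["params"][name] = "".join(value)
        i += 1                                # step past the closing quote
    return rec

def ip_valued_params(params):
    """Names of SD-PARAMs whose value parses as an IP address."""
    found = []
    for name, value in params.items():
        try:
            ipaddress.ip_address(value)
            found.append(name)
        except ValueError:
            pass
    return found
```

For the posted message, `ip_valued_params(parse_cfg_audit(SAMPLE)["params"])` returns an empty list: the record names the user and the changed path, and the only address on the line is the one the collector prepended for the sending SRX.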