SRX

 View Only
last person joined: yesterday 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
Expand all | Collapse all

SRX 5800 NAT logging - too much info

  • 1.  SRX 5800 NAT logging - too much info

    Posted 01-07-2011 05:46

    We have a SRX 5800 (HA cluster) running and doing private-to-public NAT for our students, and most staff/faculty.  The issue is on the Cisco's we had we could tweak the logging settings to log just the NAT create and the NAT release.  However, in the Juniper SRX world, it's logging the NAT create, the destination IP, etc. for every FLOW. This is overwhelming out logging server for one, and for two we do NOT want to log the destination IP (bad idea on a university campus).

     

    mode stream;
    format sd-syslog;
    source-address 172.16.191.1;
    stream securitylog {
        severity info;
        host {
            X.X.X.X;
        }
    }

     

     

    Is there a way to tweak the settings to only log only the translations of private IP to public IP?

     



  • 2.  RE: SRX 5800 NAT logging - too much info

    Posted 01-07-2011 06:19

    Jan  7 08:16:14 efw4 1 2011-01-07T08:18:23.525 srx0 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.50 reason="TCP RST" source-address="10.79.35.48" source-port="49293" destination-address="X.X.X.X" destination-port="80" service-name="junos-http" nat-source-address="X.X.X.X" nat-source-port="49293" nat-destination-address="X.X.X.X" nat-destination-port="80" src-nat-rule-name="POOL" dst-nat-rule-name="None" protocol-id="6" policy-name="ALLOW-TO-INET" source-zone-name="ZONE" destination-zone-name="untrust" session-id-32="440051213" packets-from-client="6" bytes-from-client="681" packets-from-server="5" bytes-from-server="1084" elapsed-time="2152000"]

     

    This is an example of the log.  We do not want to log the destination IP, nor the destination PORT.  For STRM, sure, send the info there, but this particular logging server is used to identify DMCA/RIAA violators, and we only want to log the source-address= and the nat-source-address= on the NAT create, and the NAT release. 


    #NAT
    #SRX
    #log


  • 3.  RE: SRX 5800 NAT logging - too much info

    Posted 01-07-2011 18:58

    Hi,

     

    I'm not aware of a method to restrict the fields for the session create and session close SYSLOG messages. If your SYSLOG servers is overextended by the amount of messages per second, you could configure a rate limit.

     

    The rate limit feature was introduced to allow session logs being redirected to the control plane and there be stored in a file. This is important for NSM that doesn't has a SYSLOG receiver in the moment (but will get one very soon luckily).

     

    You can make enable the rate limit by issuing these commands:

     

     

    # set security log mode event
    # set security log event-rate x
    
    # set security log event-rate ?
    Possible completions:
      <event-rate>         Control plane event rate limit of logs per (0..1500 secs)

     

     

    Then the ordinary SYSLOG configuration applies to you:

     

     

    set system syslog file FW-LOGS user info
    set system syslog file FW-LOGS match RT_FLOW
    set system syslog file FW-LOGS archive size 1m
    set system syslog file FW-LOGS archive files 3
    set system syslog file FW-LOGS structured-data brief

     

     

    You could eventually include a more specific regexp in the match clause to restrict the lines a little bit more.

     

    Please be aware that handling session logs is not a good idea in general and can cause high CPU utilization and other negative impacts on your SRX. This is true in particular as you operate the big iron, SRX 5800. So be careful! But it is the only idea I have to reduce the amount of SYSLOG messages per second to unload your SYSLOG server a bit. Again, due to my knowledge, there is no option to restrict the columns of the SYSLOG lines.

     

    As your use-case make sense, you could submit a request for feature enhancement to your Juniper sales engineer.

     

    Regards,

    Dominik



  • 4.  RE: SRX 5800 NAT logging - too much info

    Posted 01-10-2011 05:30

    Dominik,

     

       Thanks for the reply.  It's a bit disconcerting that Juniper didn't think the NAT create/NAT release data is important enough to log somewhere.  A subroutine in the NAT section sending it to syslog would be sufficient, and for coders I'd think it fairly easy to implement without taking up the CPU cycles and/or data-space the session-init and session-close log entries does.

     

       I've talked to our account mgr and SE, and put in a request with them already, absolutely.  Just like I said, very surprising that logging this data is so easy on other vendors, but either impossible, or near, on the Juniper's.  I'll keep looking, though!



  • 5.  RE: SRX 5800 NAT logging - too much info

    Posted 01-10-2011 05:37
    Hi,

    Of cousre NAT translations are included in the SYSLOG messages but you can't configure NAT logging only.

    Regards,
    Dominik


  • 6.  RE: SRX 5800 NAT logging - too much info

    Posted 01-10-2011 05:40

    NAT translations are included as part of the flow process and I don't believe that there is a way to separate them out.  You could log normal syslog messages (instead of sd-syslog), which would reduce the message size, but would break compatibility with STRM if that is your logging solution.

     

    mawr



  • 7.  RE: SRX 5800 NAT logging - too much info

    Posted 01-10-2011 06:50

    So, in STRM if I'm given a date/time stamp, and a public IP, how do I determine who (by private IP) was NAT'ed to it?



  • 8.  RE: SRX 5800 NAT logging - too much info

    Posted 01-10-2011 06:54

    There are separate fields. One for the natted IP, one for the original one. I will grab an example asap.



  • 9.  RE: SRX 5800 NAT logging - too much info

    Posted 01-10-2011 07:03

    So, that's what a typical entry for session close would look like:

     

     

    <14>1 2011-01-08T23:17:32.653+01:00 fw_lab01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason="unset" source-address="192.168.12.104" source-port="55896" destination-address="193.170.112.230" destination-port="80" service-name="junos-http" nat-source-address="62.178.XXX.XXX" nat-source-port="5074" nat-destination-address="193.170.112.230" nat-destination-port="80" src-nat-rule-name="RULE1" dst-nat-rule-name="None" protocol-id="6" policy-name="1" source-zone-name="trust" destination-zone-name="untrust" session-id-32="10412" packets-from-client="19" bytes-from-client="1416" packets-from-server="23" bytes-from-server="29278" elapsed-time="0"] session closed unset: 192.168.12.104/55896->193.170.112.230/80 junos-http 62.178.XXX.XXX/5074->193.170.112.230/80 RULE1 None 6 1 trust untrust 10412 19(1416) 23(29278) 0

     

     

    Regards,

    Dominik



  • 10.  RE: SRX 5800 NAT logging - too much info

    Posted 01-10-2011 07:24

    Yes, that is on my syslog server, and the flat file is approximately 30 GB for a 24 hour period.  I can just grep the public IP out, cat it to a separate file, etc.

     

    However, is it possible to coordinate that data with STRM?



  • 11.  RE: SRX 5800 NAT logging - too much info
    Best Answer

    Posted 01-10-2011 12:37

    It LOOKS like we can do this with STRM.  It's just taken a bit of tweaking to get the right settings.