
SRX Syslogging to TCP

  • 1.  SRX Syslogging to TCP

    Posted 05-14-2019 07:30

    Is there a way to send syslogs over TCP instead of UDP?

     

    I have the following configured, but it's not working:

     

    show configuration system syslog
    archive size 100k files 3;
    user * {
        any emergency;
    }
    host 1.1.1.1 {
        port 514;
    }
    file messages {
        any critical;
        authorization info;
    }
    file interactive-commands {
        interactive-commands error;
    }
    
    show configuration security log
    utc-timestamp;
    mode stream;
    format sd-syslog;
    report;
    source-address 4.4.4.4;
    transport {
        protocol tcp;
    }
    stream External {
        category all;
        host {
            1.1.1.1;
            port 514;
        }
    }
    

    The syslog setup is all fine and working nicely on TCP as it currently handles other devices sending syslog over TCP to it.



  • 2.  RE: SRX Syslogging to TCP

    Posted 05-14-2019 13:11

    Syslog on Junos can only be sent via UDP - you are not the first one asking that question 🙂

     

    The security logs (logs generated by the flow module on SRX) can be sent via TCP, but only logs related to security policies, VPN etc. are sent this way. The ordinary syslog regarding e.g. user login, interface up/down etc. can only be exported via UDP.

     

    I have not heard about any roadmap to change this.



  • 3.  RE: SRX Syslogging to TCP

    Posted 05-14-2019 21:49

    Ok, it's the security logs I am after, and even though I have specified them to be sent over TCP they still appear to be using UDP. Is there a way to get the SRX to acknowledge the config and send the security logs over TCP?



  • 4.  RE: SRX Syslogging to TCP

    Posted 05-14-2019 23:36

    Your configuration for stream logging looks correct. Have you tried enabling traceoptions (debug) to pinpoint potential issues?

     

    set security log traceoptions file stream-debug

    set security log traceoptions flag all

     

    Also remember that stream logs are sent by the PFE, not the RE - so the log collector has to be reachable via a revenue port. And the source-address should also be on the PFE (not a management interface).

     

    I just tried creating a stream where the receiving host does not answer on port 514 which gives a clear error:

     

    user@fw> show log stream-debug | match SYN
    May 15 08:24:40 rtlogd: miscellaneous string(len=107)=Connection error flaf Error code: major 3 minor 1 code 110, description:TCP time out after SYN is sent out

     

    Let us know if this enables you to get your TCP logging working as expected.



  • 5.  RE: SRX Syslogging to TCP

     
    Posted 05-16-2019 02:08

    Hi,

     

    Since this is processed by the PFE we have limited visibility into the traffic sent although there are a few commands you can run to check the rtlog status.

     

    Since this is TCP I would start by seeing the socket (netstat -an) on the server, if there are any open / half-open connections from the firewall source IP. Any intermediary devices will also help validate that the firewall is indeed sending the stream.

     

    Regards,

     

    Vikas



  • 6.  RE: SRX Syslogging to TCP

    Posted 05-16-2019 04:59

    Hi All

     

    I got the problem resolved and it's sending security logs over TCP very nicely.

     

    The issue was that the device did not have NTP configured and was 40 minutes ahead, so the logging system was not sure what to do and dropped the connection.

     

    As soon as NTP was set up, the logs started to come through properly.

     

    Thanks for your help on this.
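The thread ends with two collector-side points: the stream is plain newline-framed TCP (reply 5 suggests checking the socket with netstat), and the collector dropped the connection because the SRX clock was 40 minutes ahead (reply 6). The following is an added example, written for this page and not code from the thread or from Juniper: a minimal TCP collector that parses Junos `format sd-syslog` (RFC 5424) messages and reports clock skew explicitly instead of silently dropping the session. The sample messages, the SD-ID `junos@2636.1.1.1.2.129`, the 5-minute tolerance and the listening port 5514 are all constructed assumptions.

```python
"""Added example (not Juniper code): TCP collector for Junos sd-syslog stream
logs that parses each newline-framed RFC 5424 message and flags a sender whose
clock is far off the collector's, rather than silently dropping the connection."""
import re
import socketserver
from datetime import datetime, timedelta, timezone

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$"
)
SD_RE = re.compile(r"\[(?P<id>[^\s\]]+)(?P<params>[^\]]*)\]")  # one [id k="v" ...] element
PARAM_RE = re.compile(r'(\S+?)="([^"]*)"')
MAX_SKEW = timedelta(minutes=5)  # assumed tolerance; the thread's device was 40 min ahead


def parse_sd_syslog(line):
    """Parse one sd-syslog line into a dict; raise ValueError if malformed.
    Escaped ']' inside SD parameter values (RFC 5424 '\\]') is not handled."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an RFC 5424 message: %r" % line[:60])
    rec = m.groupdict()
    rec["facility"], rec["severity"] = divmod(int(rec["pri"]), 8)
    # fromisoformat() does not accept a trailing 'Z' before Python 3.11
    ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["timestamp"] = ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)
    rest = rec.pop("rest")
    rec["sd"] = {}
    if rest.startswith("-"):  # NILVALUE: no structured data
        rec["msg"] = rest[1:].strip()
        return rec
    pos = 0
    for sd in SD_RE.finditer(rest):  # SD elements are adjacent; MSG follows a space
        if sd.start() != pos:
            break
        rec["sd"][sd.group("id")] = dict(PARAM_RE.findall(sd.group("params")))
        pos = sd.end()
    rec["msg"] = rest[pos:].strip()
    return rec


def check_skew(rec, now=None):
    """Seconds the sender's timestamp is ahead (+) or behind (-) the collector clock."""
    now = now or datetime.now(timezone.utc)
    return (rec["timestamp"] - now).total_seconds()


def process_stream(data, now=None):
    """Split newline-framed TCP bytes into messages; return (accepted, flagged, rejected)."""
    accepted, flagged, rejected = [], [], []
    for raw in data.split(b"\n"):
        if not raw.strip():
            continue
        try:
            rec = parse_sd_syslog(raw.decode("utf-8", "replace"))
        except ValueError as err:
            rejected.append(str(err))
            continue
        rec["skew_seconds"] = check_skew(rec, now)
        (flagged if abs(rec["skew_seconds"]) > MAX_SKEW.total_seconds() else accepted).append(rec)
    return accepted, flagged, rejected


class Handler(socketserver.StreamRequestHandler):
    """One TCP connection from the SRX; every line is one sd-syslog message."""
    def handle(self):
        for raw in self.rfile:
            accepted, flagged, rejected = process_stream(raw)
            for rec in flagged:  # keep the session open, but make the skew visible
                print("CLOCK SKEW %+.0fs host=%s msgid=%s" % (rec["skew_seconds"], rec["host"], rec["msgid"]))
            for rec in accepted:
                print("%s %s %s" % (rec["host"], rec["msgid"], rec["msg"]))
            for err in rejected:
                print("REJECTED:", err)


def serve(port=5514):
    """Listen on all interfaces (port assumed; 514 needs privileges)."""
    with socketserver.ThreadingTCPServer(("", port), Handler) as srv:
        srv.serve_forever()


# Constructed sample stream, not captured from a real SRX. Line 2 is 40 minutes ahead.
SAMPLE = (
    b'<14>1 2019-05-16T02:08:05Z fw RT_FLOW - RT_FLOW_SESSION_CREATE '
    b'[junos@2636.1.1.1.2.129 source-address="10.0.0.1" destination-address="10.1.1.1"] '
    b'session created 10.0.0.1/1234->10.1.1.1/443\n'
    b'<14>1 2019-05-16T02:48:05Z fw RT_FLOW - RT_FLOW_SESSION_CLOSE '
    b'[junos@2636.1.1.1.2.129 source-address="10.0.0.1" reason="TCP FIN"] session closed\n'
    b'not a syslog line\n'
)
COLLECTOR_NOW = datetime(2019, 5, 16, 2, 8, 0, tzinfo=timezone.utc)  # assumed collector clock

if __name__ == "__main__":
    acc, flg, rej = process_stream(SAMPLE, now=COLLECTOR_NOW)
    print("accepted=%d flagged=%d rejected=%d" % (len(acc), len(flg), len(rej)))
    for rec in flg:
        print("flagged: %s skew=%+.0fs" % (rec["msgid"], rec["skew_seconds"]))
```

Run as a script to see the constructed sample classified (one accepted, one flagged 2405 s ahead, one rejected); call `serve()` to listen for a real stream, then point the SRX `stream` host at the collector's address and port. If nothing is listening, the SRX side shows exactly the rtlogd "TCP time out after SYN is sent out" trace from reply 4, so that check and `netstat -an` on the collector together separate a reachability problem from a parsing or clock problem.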