syslogs not being saved on srx340 local storage

  • 1.  syslogs not being saved on srx340 local storage

    Posted 02-10-2020 19:03

    Hi guys,

     

    Just noticed that syslogs were being saved locally (messages file) on our SRX340. Below is the configured syslog on the device. Firmware version is 18.2R3.4. Your help is well appreciated, thanks.

     

    security {
        log {
            utc-timestamp;
            mode event;
            format syslog;
            report;
            source-address 10.x.219.z;
            stream C300_CCSensor {
                format syslog;
                host {
                    10.z.215.x;
                }
            }
            stream AVOGADRO {
                format syslog;
                host {
                    10.x.214.z;
                }
            }
        }
    }



  • 2.  RE: syslogs not being saved on srx340 local storage

    Posted 02-10-2020 19:26

    Hello K1mffrey,

     

    Are you trying to save the logs locally on the device? 

    Default Syslog Settings

     

    By default, only critical messages are logged to a local file known as messages on the SRX Series device. The following configuration shows the default log settings:

     

    system {
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
    }

     

    Now if you want to send the logs to a local file, you can use 
    user@host# set system syslog file messages any ?   <<<<<< Check if you have this configured to see if log messages are captured locally to the file

     

    Sending Logs to a Remote Syslog Server (192.30.80.76) << which I believe that you have already configured
    user@host# set system syslog host 192.30.80.76 any any

     

    Thanks,

    Vishaal

     

    If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.



  • 3.  RE: syslogs not being saved on srx340 local storage

    Posted 02-11-2020 01:14

    Hi,

     

    is there a way to send syslog to a remote syslog server and save it locally on srx340? 



  • 4.  RE: syslogs not being saved on srx340 local storage
    Best Answer

    Posted 02-11-2020 10:43

    Hi K1mffrey, 

     

    Yes you can do that, you can use this config to store and send files to your syslog server

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16502

     

    set system syslog host <syslog-server-ip> any any

    set system syslog file <test-file> any any

     

    If this solves your problem, please mark this post as "Accepted Solution".

    If you think that my answer was helpful, please spend some Kudos.

     

    Thank you, 
    Franky



  • 5.  RE: syslogs not being saved on srx340 local storage

    Posted 02-12-2020 06:53

    Hi, K1mffrey

     

    It is important to understand the two major types of logs that can be saved by the SRX: data-plane logs vs control-plane logs.

     

    Control-plane messages are related to events on your box (a user that just logged in to the device or a high temperature alarm) and are configured under the [edit system syslog] hierarchy:

     

              https://kb.juniper.net/KB16502

     

    Note that these logs can be stored locally in the SRX or sent to an external host as explained in the above KB article.

     

    Data-plane messages, also known as security-logs or traffic-logs, are messages related to the traffic that is being forwarded by your SRX. These logs are related to sessions and are configured under [edit security log] hierarchy:

     

           https://kb.juniper.net/KB16509

     

    Note that these messages can be sent to an external host (highly suggested) by using the "stream" mode, and they will be sent directly from the dataplane of the device hence not affecting your Routing-Engine. 

     

    Also, they can be stored locally in the SRX using the "event" mode, but this will make the SRX send the logs from the data-plane to the control-plane, and depending on the rate of the logging this can affect your Routing-Engine (which is the component in charge of the control-plane of any Junos device). Any of the mentioned modes are configured under the [edit security log] hierarchy.
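
The two log paths discussed in this thread, written out as set commands. This is an added example, not configuration posted by any participant; the collector address 192.0.2.10, the source address 192.0.2.1, the stream name COLLECTOR, the file name traffic-log and the zone and policy names are placeholders chosen for illustration.

```junos
# Control plane (Routing Engine events such as logins and alarms):
# keep a local copy in the messages file and forward a copy to the collector.
set system syslog file messages any any
set system syslog host 192.0.2.10 any any

# Traffic logs are only generated for policies that ask for them.
# Zone and policy names here are hypothetical.
set security policies from-zone trust to-zone untrust policy allow-out then log session-close

# Data plane, option A (stream mode): session logs are sent to the collector
# straight from the forwarding plane and do not pass through the Routing Engine.
# source-address must be an address configured on the SRX.
set security log mode stream
set security log format syslog
set security log source-address 192.0.2.1
set security log stream COLLECTOR format syslog
set security log stream COLLECTOR host 192.0.2.10

# Data plane, option B (event mode): session logs are handed to the
# Routing Engine, where [edit system syslog] decides what happens to them.
# A dedicated file keeps them separate from control-plane events.
# Use instead of option A, and watch the log rate on busy devices.
# set security log mode event
# set system syslog file traffic-log any any
# set system syslog file traffic-log match RT_FLOW_SESSION
```

After committing, `show log messages` (or `show log traffic-log` for option B) confirms that entries are being written locally.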