SRX Syslog

  • 1.  SRX Syslog

    Posted 09-10-2018 17:49

    Hi everyone,

    On SRX we have Control plane logs and Data plane logs (Security logs).

    Are data plane logs considered as SYSLOG? The reason I say that is that for security logs we can use stream mode and send security logs to a SYSLOG server, which means data plane logs are also SYSLOG.

    Thanks.

  • 2.  RE: SRX Syslog

    Posted 09-10-2018 19:23

    Hi,

    The data plane supports two different ways to log.

    • The first is Event mode, in which all log messages are logged to the control plane through the internal SRX infrastructure.
    • The other is Stream mode, which logs messages directly from the data plane to an external source.
    • NOTE: You can ONLY log in Stream or Event mode at one time on the SRX, so be very careful while changing the mode.

    Here is a good article on SRX CP/DP:

    And our official docs:


  • 3.  RE: SRX Syslog

    Posted 09-11-2018 02:59

    Also note that in event mode you are limited to 1000 events per second for local logging. So if you are running a high-end SRX with lots of events you will generally NOT get all logs if you choose event mode due to this limitation.



  • 4.  RE: SRX Syslog
    Best Answer

    Posted 09-11-2018 23:51

    Hi again sarahr202,

    Regarding your question (Are data plane logs considered as SYSLOG?), the answer is yes.

    Note that SYSLOG is just a standard for message logging, so either controlplane or dataplane log messages are sent using this standard and format. Note that SYSLOG allows for the separation of the software that generates messages (Junos in this case), the system that stores them (your syslog server), and the software that reports and analyzes them (any reporting/management tool, if present, that uses this syslog information to present statistics or alarms in your network).

    That being said, it is still important to understand the difference between controlplane logs and dataplane logs.

    Controlplane messages are related to events on your box (a user that just logged in to the device or a high temperature alarm) and are configured under the [edit system syslog] hierarchy:

    https://kb.juniper.net/KB16502

    Note that these logs can be stored locally in the SRX or sent to an external host as explained in the above KB article.

    Dataplane messages, known as security-logs or traffic-logs, are messages related to the traffic that is being forwarded by your SRX. These logs are related to sessions and are configured under the [edit security log] hierarchy:

    https://kb.juniper.net/KB16509

    Note that these messages can be sent to an external host (highly suggested) by using the "stream" mode, and they will be sent directly from the dataplane of the device, hence not affecting your Routing-Engine.

    They can also be stored locally in the SRX using the "event" mode, but this will make the SRX send the logs from the dataplane to the controlplane, and depending on the rate of the logging this can affect your Routing-Engine (which is the component in charge of the controlplane of any Junos device).

    I hope this info is helpful.


  • 5.  RE: SRX Syslog

    Posted 09-12-2018 19:57

    Thanks everyone for the response.

    "Note that these messages can be sent to an external host (highly suggested) by using the "stream" mode, and they will be sent directly from the dataplane of the device hence not affecting your Routing-Engine"

    Is it possible to do both, i.e. send all dataplane logs to an external server in stream mode and also store them locally in a file at the same time?



  • 6.  RE: SRX Syslog

    Posted 09-12-2018 21:33

    Yes you can, however you will need to use mode "event" under [edit security log], and remember that this could cause high CPU utilization at the controlplane level if the rate of the logging is high.

    This will make the dataplane logs be sent, internally, to the Routing-Engine (control plane). Then at the [edit system syslog] hierarchy you will have to create a file to match these kinds of logs and also configure a remote host for them to be sent to. See sections 1.1 and 1.2 in this article:

    https://kb.juniper.net/KB16509
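As an added illustration (not from any post in this thread), here are the two configurations the replies above describe, written as Junos set commands: stream mode sending dataplane logs straight to a collector, and event mode relaying them through the control plane so that [edit system syslog] can write a local file and forward to a remote host. The interface address, collector address, zone and policy names are constructed for the example, lines beginning with # are explanatory notes rather than Junos statements, and since only one security log mode can be active at a time you would apply either the stream section or the event section, not both.

```junos
# --- Option A: stream mode (what the thread recommends) ---
# RT_FLOW session logs are emitted directly from the dataplane to the
# collector; nothing is written locally and the Routing-Engine is not involved.
set security log mode stream
# constructed: address the SRX uses as the syslog sender (required in stream mode)
set security log source-address 192.0.2.1
# constructed stream name "SIEM"; sd-syslog gives structured key=value fields
set security log stream SIEM format sd-syslog
# constructed: external syslog collector and port
set security log stream SIEM host 203.0.113.10
set security log stream SIEM host port 514

# --- Option B: event mode (local file plus remote host) ---
# Dataplane logs are first forwarded internally to the control plane and then
# handled under [edit system syslog] like any other Junos message, so they can
# be written to a local file AND relayed to a remote host (at the cost of
# Routing-Engine load and the per-second limit mentioned in the thread).
set security log mode event
# local file that keeps only the session (RT_FLOW) messages
set system syslog file traffic-log any any
set system syslog file traffic-log match RT_FLOW
# same messages relayed from the control plane to the constructed collector
set system syslog host 203.0.113.10 any any
set system syslog host 203.0.113.10 match RT_FLOW

# --- Common to both modes ---
# A session only produces a log when the matching security policy asks for it.
# Zone and policy names are constructed for the example.
set security policies from-zone trust to-zone untrust policy allow-web then log session-init
set security policies from-zone trust to-zone untrust policy allow-web then log session-close
```

After a commit, "show security log" (or the contents of traffic-log in event mode) confirms which path the session logs are taking.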




  • 7.  RE: SRX Syslog

    Posted 09-13-2018 17:45

    "Yes you can, however you will need to use mode "event" under [edit security log] and remember that this could cause high CPU utilization at the controlplane level if the rate of the logging is high."

    But it will cause data plane logs to go via event mode, so basically we cannot send data plane logs in stream mode to an external server and at the same time also store data plane logs in a local file.



  • 8.  RE: SRX Syslog

    Posted 09-14-2018 02:24

    Just to reiterate, while you can configure syslog with event mode, this is NOT the same as having stream mode enabled.

    In MOST cases you will NOT get all log messages. Event mode is limited to 1000 events per second, and when you have a high-end SRX the chances are very high that your peak traffic periods will generate more than that in events.

    This is why stream mode was created for these devices: to prevent blind spots in logging and to avoid stressing the control plane as outlined above.

    So while you CAN configure syslog along with event mode, Juniper's strong recommendation is that you use stream mode and learn how to use your syslog tool's search instead.



  • 9.  RE: SRX Syslog

    Posted 09-12-2018 22:31

    Not possible, you can either have stream mode or event mode.