On SRX we have Control plane logs and Data plane logs (Security logs).
Are data plane logs considered as SYSLOG? The reason I say that is that for security logs we can use stream mode and send Security logs to a SYSLOG server, which means data plane logs are also SYSLOG.
The data plane supports two different ways to log.
Here is a good article on SRX CP/DP:
And our official docs:
Also note that in event mode you are limited to 1000 events per second for local logging. So if you are running a high-end SRX with lots of events, you will generally NOT get all logs if you choose event mode, due to this limitation.
Hi again sarahr202
Regarding your question (Are data plane logs considered as SYSLOG?), the answer is yes.
Note that SYSLOG is just a standard for message logging so either controlplane or dataplane log messages are sent using this standard and format. Note that SYSLOG allows for the separation of the software that generates messages (Junos in this case), the system that stores them (your syslog server), and the software that reports and analyzes them (any reporting/management tool, if present, that uses this syslog information to present statistics or alarms in your network).
That being said, it is still important to understand the difference between controlplane logs and dataplane logs.
Controlplane messages are related to events on your box (a user who just logged in to the device, or a high temperature alarm) and are configured under the [edit system syslog] hierarchy:
Note that these logs can be stored locally in the SRX or sent to an external host as explained in the above KB article.
Dataplane messages, known as security-logs or traffic-logs, are messages related to the traffic that is being forwarded by your SRX. These logs are related to sessions and are configured under [edit security log] hierarchy:
Note that these messages can be sent to an external host (highly suggested) by using the "stream" mode, and they will be sent directly from the dataplane of the device hence not affecting your Routing-Engine.
They can also be stored locally in the SRX using the "event" mode, but this will make the SRX send the logs from the dataplane to the controlplane, and depending on the rate of the logging this can affect your Routing-Engine (which is the component in charge of the controlplane of any Junos device).
I hope this info is helpful.
Thanks everyone for the response.
"Note that these messages can be sent to an external host (highly suggested) by using the "stream" mode, and they will be sent directly from the dataplane of the device hence not affecting your Routing-Engine."
Is it possible to do both, i.e. send all dataplane logs to an external server in stream mode and also store them locally in a file at the same time?
Yes you can, however you will need to use mode "event" under [edit security log] and remember that this could cause high CPU utilization at the controlplane level if the rate of the logging is high.
This will cause the dataplane logs to be sent, internally, to the Routing-Engine (control plane). Then at the [edit system syslog] hierarchy you will have to create a file to match this kind of log and also configure a remote host for them to be sent to. See section 1.1 and 1.2 in this article:
But it will cause data plane logs to be sent via event mode, so basically we cannot send data plane logs in stream mode to an external server and at the same time also store data plane logs in a local file.
Just to reiterate, while you can configure syslog with event mode, this is NOT the same as having stream mode enabled.
In MOST cases you will NOT get all log messages. Event mode is limited to 1000 events per second, and when you have a high-end SRX the chances are very high your peak traffic periods will generate more than that in events.
This is why stream mode was created for these devices: to prevent blind spots in logging and to avoid stressing the control plane as outlined above.
So while you CAN configure syslog along with event mode, Juniper's strong recommendation is that you use stream mode and learn how to use your syslog tool search instead.
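
The two setups discussed in this thread, side by side, as an added example that is not taken from any of the posts or from the linked articles. The addresses are documentation placeholders, and the stream name, file name, policy name and zones are hypothetical.

```junos
# Added example; addresses, names and zones below are placeholders.
# Traffic logs are only generated for policies that carry a log action
# (a policy "allow-out" from zone trust to zone untrust is assumed to exist).
set security policies from-zone trust to-zone untrust policy allow-out then log session-close

# --- Option A: stream mode (the recommendation in the thread) ---
# Logs are sent straight from the dataplane to the collector;
# the Routing Engine is not in the path.
set security log mode stream
set security log format sd-syslog
set security log source-address 192.0.2.1
set security log stream COLLECTOR host 198.51.100.10

# --- Option B: event mode (local file and remote host via the RE) ---
# Dataplane logs are handed to the Routing Engine and then handled under
# [edit system syslog]; subject to the 1000 events/second limit noted above.
set security log mode event
set system syslog file traffic-log any any
set system syslog file traffic-log match RT_FLOW_SESSION
set system syslog host 198.51.100.10 any any
set system syslog host 198.51.100.10 match RT_FLOW_SESSION
```

With option B, `show log traffic-log` reads the local file; with option A the session logs are only visible on the collector.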