SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
What is the difference between "set system syslog .. " and "set security log .. "?

  • 1.  What is the difference between "set system syslog .. " and "set security log .. "?

    Posted 05-30-2021 10:38
    Edited by ANDREA QUERCI 05-30-2021 10:44
    What is the difference between these two logging configurations, without considering the source IP?

    set system syslog source-address 195.233.32.193
    set system syslog host 1.1.1.1 user info
    set system syslog host 195.233.32.195 match-strings RT_FLOW


    set security log source-address 172.16.0.6
    set security log mode stream
    set security log stream 01 category flow
    set security log stream 01 severity info
    set security log stream syslog-server host 1.1.1.1


    I configured both of them in my vSRX, and the differences that I saw are three:

    1. in the second one I can't use the "match" option.

    2. in the first one I could choose the facility that I wanted (user), but in the second one I could not do the same, because I can choose only between different kinds of categories (they are not the facilities that I saw in the Juniper documentation)

    3. I tried to trigger the syslog system through a flow, and on my syslog server I saw an RT_FLOW log from 172.16.0.6, but if I try again without the second configuration, the server receives the same log from 195.233.32.193.


    So, in the end I can reach the same result with both configurations, but which is the best one? What are the differences? From my side, if I can't use the "match" option in the "set security log .." configuration (thinking about a large amount of useless logs), the best choice is using the "set system syslog .." configuration.

    What do you think?



  • 2.  RE: What is the difference between "set system syslog .. " and "set security log .. "?

    Posted 05-31-2021 11:19
    Edited by Hector Fuentes 05-31-2021 11:26

    Hi Andrea 

    System logging reflects RT (firewall security session) events pretty much the same way as security logging. One difference is that the first one creates the logs from the control plane (Routing Engine), while in the second one the forwarding plane processing elements are in charge of generating and sending the logs directly from a revenue port (other than the out-of-band management port, fxp0).

    A best practice for high-end SRX Series devices is to log no more than 1000 log messages per second to the control plane.

    In general, if you expect large amounts of traffic logging, then the security logging approach is preferred:
    "You can increase the number of data plane, or security, logs that are sent by modifying the manner in which they are sent. When the logging mode is set to
    stream, security logs generated in the data plane are streamed out a revenue traffic port directly to a remote server."  [1]

    Further information on the differences can be found here: 
    Configuring System Logging for a Security Device [SRX]

    ------------------------------
    // Hector Fuentes
    ------------------------------
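Two points in the thread are easy to check on the collector side rather than on the box: the question notes that "set security log stream" has no "match-strings" equivalent, and the answer cites the guideline of no more than 1000 log messages per second into the control plane. The script below is an added example, not code from either post or from Juniper: it parses the structured-data form of RT_FLOW events (field names such as source-address and policy-name follow the junos structured-syslog layout), applies a collector-side string match that stands in for "match-strings RT_FLOW", and reports the peak messages per second seen, so you can see whether a control-plane syslog feed is anywhere near that guideline. The sample syslog lines are constructed for the example; the <14>1 prefix and the junos@2636... structured-data id are assumed to be in the shape a vSRX emits.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original post). The first three
# are RT_FLOW events in structured-data form; the fourth is a non-RT_FLOW
# system event, the kind that "match-strings RT_FLOW" would drop on-box.
SAMPLE_LINES = [
    '<14>1 2021-05-30T10:38:01Z vsrx RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.129 source-address="10.0.0.5" source-port="51234" '
    'destination-address="203.0.113.10" destination-port="443" '
    'service-name="junos-https" protocol-id="6" policy-name="allow-web" '
    'source-zone-name="trust" destination-zone-name="untrust"]',
    '<14>1 2021-05-30T10:38:02Z vsrx RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@2636.1.1.1.2.129 source-address="10.0.0.7" source-port="40001" '
    'destination-address="203.0.113.20" destination-port="23" '
    'service-name="junos-telnet" protocol-id="6" policy-name="default-deny" '
    'source-zone-name="trust" destination-zone-name="untrust"]',
    '<14>1 2021-05-30T10:38:02Z vsrx RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.0.0.5" '
    'source-port="51234" destination-address="203.0.113.10" '
    'destination-port="443" service-name="junos-https" protocol-id="6" '
    'policy-name="allow-web" source-zone-name="trust" '
    'destination-zone-name="untrust"]',
    '<13>1 2021-05-30T10:38:04Z vsrx sshd - - - '
    'Accepted publickey for admin from 10.0.0.9 port 50000 ssh2',
]

# Event name plus the structured-data body between the brackets.
RT_FLOW_RE = re.compile(r'RT_FLOW_([A-Z_]+) \[junos@[\d.]+ ([^\]]*)\]')
# key="value" pairs inside the structured-data body.
KV_RE = re.compile(r'(\S+)="([^"]*)"')
# RFC 5424 header: <PRI>1 <timestamp>; keep the timestamp to the second.
TS_RE = re.compile(r'^<\d+>1 (\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)')


def parse_rt_flow(line):
    """Return the RT_FLOW event's fields as a dict, or None for other lines."""
    m = RT_FLOW_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group(2)))
    fields["event"] = m.group(1)  # e.g. SESSION_CREATE, SESSION_DENY
    return fields


def keep_line(line, match_strings=("RT_FLOW",)):
    """Collector-side stand-in for 'set system syslog host ... match-strings'.

    A stream-mode security log has no match option, so filtering by
    substring happens here instead of on the SRX.
    """
    return any(s in line for s in match_strings)


def summarize(lines, match_strings=("RT_FLOW",)):
    """Filter lines, count events by type and collect policy denies."""
    kept = dropped = 0
    by_event = Counter()
    denies = []  # (src, dst, dst-port, policy) for SESSION_DENY events
    for line in lines:
        if not keep_line(line, match_strings):
            dropped += 1
            continue
        kept += 1
        ev = parse_rt_flow(line)
        if ev is None:
            continue  # matched the string but is not structured RT_FLOW
        by_event[ev["event"]] += 1
        if ev["event"] == "SESSION_DENY":
            denies.append((ev["source-address"], ev["destination-address"],
                           ev["destination-port"], ev["policy-name"]))
    return {"kept": kept, "dropped": dropped,
            "by_event": by_event, "denies": denies}


def peak_logs_per_second(lines):
    """Highest number of messages sharing one timestamp second."""
    per_second = Counter()
    for line in lines:
        m = TS_RE.match(line)
        if m:
            per_second[m.group(1)] += 1
    return max(per_second.values(), default=0)


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    print(f"kept={s['kept']} dropped={s['dropped']} events={dict(s['by_event'])}")
    for src, dst, port, policy in s["denies"]:
        print(f"deny {src} -> {dst}:{port} by policy {policy}")
    peak = peak_logs_per_second(SAMPLE_LINES)
    print(f"peak {peak} msg/s (control-plane guideline: 1000 msg/s)")
```

Feed it a real capture (one syslog line per list entry) and compare the peak against the 1000 messages per second figure from the answer: if the control-plane feed approaches it, that is the point at which stream mode becomes the better choice, and the collector-side match filter keeps the same RT_FLOW-only view the "match-strings" option gave on the box.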