set security log source-address 172.16.0.6set security log mode streamset security log stream 01 category flowset security log stream 01 severity infoset security log stream syslog-server host 126.96.36.199I configured both of them in my vSRX, and the differences that I saw are three:1. in the second one I can't use the "match" option.2. in the first one I could choose the facility that I wanted (user) but in the second one I could not do the same, because I can choose only between different kind of categories (they are not the facilities that I saw in the juniper documentation)3. I tried to trig the syslog system trough a flow, and in my Syslog server I saw an RT_FLOW log from 172.16.0.6 but if try again without the second configuration, the server receives the same log from 188.8.131.52.so, at the end I can reach the same result with both of the configurations, but, what is the best one? what are the differences? from my side, if I can't use the "match" option in the "set security log .." configuration (thinking about a big amount of useless log), the best choice is using the "set system syslog .." configuration. what do you think?
Hi Andrea System Logging reflects RT (Firewall Security Session ) pretty much the same way as Security Logging, one difference is that the first one creates the logs from control plane (Routing Engine); while in the second one it is the forwarding plane processing elements are in charge of generating and sending the logs directly from a revenue port (other than the Out Of Band Management port –fxp0 ).A best practice for high-end SRX Series devices is to log no more than 1000 log messages per second to the control plane.In general if you expect large amounts of traffic logging, then the security logging approach is preferred : "You can increase the number of data plane, or security, logs that are sent by modifying the manner in which they are sent. When the logging mode is set to stream, security logs generated in the data plane are streamed out a revenue traffic port directly to a remote server." . Further information on the differences can be found here: Configuring System Logging for a Security Device [SRX]