What is the difference between "set system syslog .. " and "set security log .. "?

  • 1.  What is the difference between "set system syslog .. " and "set security log .. "?

    Posted 05-30-2021 10:38
    What is the difference between these two logging configurations without considering the source IP?

    set system syslog source-address
    set system syslog host user info
    set system syslog host match-strings RT_FLOW

    set security log source-address
    set security log mode stream
    set security log stream 01 category flow
    set security log stream 01 severity info
    set security log stream syslog-server host

    I configured both of them in my vSRX, and the differences that I saw are three:

    1. In the second one I can't use the "match" option.

    2. In the first one I could choose the facility that I wanted (user), but in the second one I could not do the same, because I can choose only between different kinds of categories (they are not the facilities that I saw in the Juniper documentation).

    3. I tried to trigger the syslog system through a flow, and in my Syslog server I saw an RT_FLOW log from but if I try again without the second configuration, the server receives the same log from

    So, in the end I can reach the same result with both of the configurations, but what is the best one? What are the differences? From my side, if I can't use the "match" option in the "set security log .." configuration (thinking about a big amount of useless logs), the best choice is using the "set system syslog .." configuration.

    What do you think?

  • 2.  RE: What is the difference between "set system syslog .. " and "set security log .. "?

    Posted 05-31-2021 11:19

    Hi Andrea

    System Logging reflects RT (Firewall Security Session) pretty much the same way as Security Logging. One difference is that the first one creates the logs from the control plane (Routing Engine), while in the second one the forwarding plane processing elements are in charge of generating and sending the logs directly from a revenue port (other than the Out Of Band Management port, fxp0).

    A best practice for high-end SRX Series devices is to log no more than 1000 log messages per second to the control plane.

    In general, if you expect large amounts of traffic logging, then the security logging approach is preferred:
    "You can increase the number of data plane, or security, logs that are sent by modifying the manner in which they are sent. When the logging mode is set to stream, security logs generated in the data plane are streamed out a revenue traffic port directly to a remote server." [1]

    Further information on the differences can be found here: 
    Configuring System Logging for a Security Device [SRX]

    // Hector Fuentes
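
An added example, not part of the thread or of Juniper's documentation: a Python check, run on the syslog collector, that buckets RT_FLOW messages per second and compares the peak with the 1000 messages per second control-plane guideline quoted in the reply above. The timestamp layouts, the host name `vsrx` and all sample lines are constructed assumptions.

```python
import re
from collections import Counter

CONTROL_PLANE_LIMIT = 1000  # msgs/sec guideline quoted in the reply above

# Assumption: each stored line starts with an optional <PRI> (and RFC 5424
# version), then an ISO 8601 or RFC 3164 timestamp with one-second resolution.
TS = re.compile(r"^(?:<\d+>)?(?:\d+ )?"
                r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}"
                r"|[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2})")

def rt_flow_rates(lines, tag="RT_FLOW"):
    """Count messages containing `tag` per one-second bucket."""
    buckets = Counter()
    for line in lines:
        if tag not in line:
            continue  # same effect as a match filter on the collector side
        m = TS.match(line)
        if m:
            buckets[m.group(1)] += 1
    return buckets

def assess(lines, limit=CONTROL_PLANE_LIMIT):
    """Report the peak rate and the seconds in which the guideline was exceeded."""
    buckets = rt_flow_rates(lines)
    over = sorted(ts for ts, n in buckets.items() if n > limit)
    return {"peak_per_sec": max(buckets.values(), default=0),
            "seconds_over_limit": over,
            "prefer_stream_mode": bool(over)}

def sample_lines():
    """Constructed sample: one burst second, quieter seconds, one unrelated line."""
    burst = ["May 31 11:19:01 vsrx RT_FLOW: RT_FLOW_SESSION_CREATE: constructed %d" % i
             for i in range(1200)]
    quiet = ["May 31 11:19:02 vsrx RT_FLOW: RT_FLOW_SESSION_CLOSE: constructed"] * 3
    iso = ["<14>1 2021-05-31T11:19:03.120Z vsrx RT_FLOW - RT_FLOW_SESSION_CREATE constructed"] * 2
    other = ["May 31 11:19:02 vsrx mgd[1234]: UI_COMMIT: constructed"]
    return burst + quiet + iso + other

if __name__ == "__main__":
    print(assess(sample_lines()))
```

A non-empty `seconds_over_limit` means the measured RT_FLOW rate exceeded the guideline for control-plane logging, which is the situation in which the reply prefers stream mode.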