Switching

Syslog to remote server over TCP

  • 1.  Syslog to remote server over TCP

    Posted 11-13-2018 12:11

    Hello,

    Is it possible to syslog from an EX switch to a remote syslog server over a TCP connection? I couldn't find the commands to set that up. This is what my current config is:

    user@EX9200> show configuration system syslog host 10.10.x.x
    any info;
    
    user@EX9200>
    

    This sends syslog over UDP 514.



  • 2.  RE: Syslog to remote server over TCP

    Posted 11-13-2018 15:02

    You can only syslog via udp on the EX platform.

     

    There are more possibilities on the SRX platforms, where security logs can be sent via tcp or tls (set security log transport protocol udp|tcp|tls). Non-security logs will (to my knowledge) still be ordinary udp/514 from the device.

     



  • 3.  RE: Syslog to remote server over TCP

    Posted 11-13-2018 15:48

    Oops...that's terrible.



  • 4.  RE: Syslog to remote server over TCP

    Posted 11-14-2018 14:48

    I have this config running on an SRX345, but still the security logs are not in the monitoring tool (Splunk). I have verified that Splunk has a listener configured on TCP 9514.

     

    user@SRX345> show configuration security log
    cache;
    mode event;
    report;
    source-address 10.10.x.1;
    transport {
        protocol tcp;
    }
    stream LOGS {
        host {
            10.10.x.x;
            port 9514;
        }
    }
    
    {primary:node0}
    
    

    Can you please tell me if these configs are good?



  • 5.  RE: Syslog to remote server over TCP

    Posted 11-15-2018 01:46

    I did a bit of testing and the tcp sessions only show up when you have security logging in stream mode. So try changing this and revert with the result.
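
An added example, not written by the thread's participants or by Juniper: a Python check that parses `show configuration security log` output like the one in post 4 and flags TCP or TLS transport combined with a mode other than stream, the condition post 5 reports from testing. The function names and the audit rules are this example's own assumptions; the sample input is copied from post 4.

```python
# Constructed sample: the `show configuration security log` output quoted in post 4.
SAMPLE = """\
cache;
mode event;
report;
source-address 10.10.x.1;
transport {
    protocol tcp;
}
stream LOGS {
    host {
        10.10.x.x;
        port 9514;
    }
}
"""

def parse_junos(text):
    """Parse curly-brace Junos output into nested dicts (leaf -> value or True)."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or (line.startswith("{") and line.endswith("}")):
            continue  # blank line or cluster banner such as {primary:node0}
        if line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            stack[-1][key] = value or True
    return root

def audit_security_log(text):
    """Return findings for a security log stanza (rules are this example's own)."""
    cfg = parse_junos(text)
    mode = cfg.get("mode")
    transport = cfg.get("transport")
    proto = transport.get("protocol") if isinstance(transport, dict) else None
    findings = []
    if proto in ("tcp", "tls") and mode != "stream":
        findings.append(f"transport {proto} with mode {mode}: post 5's test saw "
                        "TCP sessions only in stream mode")
    if not any(k.startswith("stream ") for k in cfg):
        findings.append("no stream destination configured")
    return findings
```

Calling `audit_security_log(SAMPLE)` returns one finding for the post 4 configuration; the same text with `mode stream;` returns an empty list.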