Security Management

  • 1.  Logging from SRX to security director

    Posted 05-11-2019 11:36
    Hi,

    I have some SRX devices (345 & 4100) managed by security director. Security director has a separate log collector installed and this is integrated to security director fine.

    My 4100 is managed via its fxp0 interface ... how can I configure this to send its logs to the security director? Do I need a rule to allow this traffic - the Junos log collector sits in a separate zone to the management interface of the SRX. Does that even matter?

    One of my other SRX devices sits behind a firewall and this will need a rule to allow it. What ports do I need from the SRX to the log collector?

    When it’s all working should I just see new events in security director?

    I ran a tcpdump on the collector and can see traffic coming from my 4100 fxp interface ... but nothing shows in security director.

    Bit of a long one - has anyone experienced this before?

    Thanks


  • 2.  RE: Logging from SRX to security director

    Posted 05-12-2019 05:01

    Since you have verified the logs arrive on log collector that means the SRX side of the configuration is complete and working.


    So the issue is going to be in the Space side configuration.

    Is the fxp0 address recognized inside Space for the SRX?

    Ideally as the address used to add the device to space.




  • 3.  RE: Logging from SRX to security director

    Posted 05-12-2019 05:22
    Yes, it is using the management (fxp0) interface to connect to JUNOS.

    I’ve been reading that the log collector can be fussy if the logs aren’t ‘structured’? Is there a particular way the Juniper should be reporting to the JUNOS software? I.e. I can see the traffic coming in - but it’s not in the right format ...


  • 4.  RE: Logging from SRX to security director

    Posted 05-12-2019 20:57

    Hi oban3jimmy,


    Yes, it has to be in a structured format, which you can configure on the SRX.

    • Event mode

    set system syslog host 10.0.0.2 any any
    set system syslog host 10.0.0.2 match "!RT_FLOW_SESSION"

    set security log mode event
    set security log format sd-syslog
    set security log source-address 10.0.0.1
    set security log stream securitylog format syslog
    set security log stream securitylog category all
    set security log stream securitylog host 10.0.0.2

    • Stream mode

    Not working with the following configuration:

    set system syslog host 10.0.0.2 any any

    set security log mode stream
    set security log format sd-syslog
    set security log source-address 10.0.0.1
    set security log stream securitylog format syslog
    set security log stream securitylog category all
    set security log stream securitylog host 10.0.0.2


    From the SRX to the Log Collector, port 514 should be open.


    You can use SD to configure the same.


    SD > Devices > Right click on the device > Select Modify Configuration > Security Logging tab, as shown in the screenshot.

    Picture1.png
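    The "structured" requirement discussed above comes down to whether each line the collector receives carries RFC 5424 structured data, which is what the SRX sd-syslog format produces; the plain syslog and welf formats do not. The following Python checker is an added example, not part of this thread or of Juniper's software: it classifies captured lines (for instance the payloads of the tcpdump mentioned earlier, saved to a file) as sd-syslog, syslog, welf or unknown, and parses the structured-data fields of sd-syslog lines so you can confirm zone, policy and address fields are present before looking at the Space side. The three sample lines are constructed approximations of SRX output; the hostnames, addresses and the `junos@2636.1.1.1.2.129` SD-ID are assumed values, not taken from a real device.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Header of an RFC 5424 message, which is what the SRX "sd-syslog" format emits:
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
_RFC5424 = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) '
    r'(?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (?P<msg>.*))?$'
)
# One SD-ELEMENT: [SD-ID name="value" name="value" ...]
_SD_ELEMENT = re.compile(
    r'\[(?P<id>[^\s\]=]+)(?P<params>(?:\s+[^=\s\]]+="(?:[^"\\]|\\.)*")*)\]'
)
_SD_PARAM = re.compile(r'(?P<name>[^=\s]+)="(?P<value>(?:[^"\\]|\\.)*)"')
# Legacy BSD-style header (SRX "syslog" format): <PRI>Mmm dd hh:mm:ss HOST ...
_RFC3164 = re.compile(r'^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ')
# WELF (SRX "welf" format) lines start with id=... time=...
_WELF = re.compile(r'^(?:<\d{1,3}>)?id=\S+\s+time=')

# Constructed sample lines approximating the three SRX stream formats (not real device output).
SAMPLE_SD_SYSLOG = (
    '<14>1 2019-05-16T20:47:00.000Z srx4100 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.129 source-address="10.1.1.10" source-port="51234" '
    'destination-address="10.2.2.20" destination-port="443" protocol-id="6" '
    'policy-name="allow-web" source-zone-name="trust" destination-zone-name="untrust"]'
)
SAMPLE_SYSLOG = (
    '<14>May 16 20:47:01 srx4100 RT_FLOW: RT_FLOW_SESSION_CREATE: session created '
    '10.1.1.10/51234->10.2.2.20/443 junos-https None 6 allow-web trust untrust'
)
SAMPLE_WELF = (
    '<14>id=firewall time="2019-05-16 20:47:02" fw=srx4100 pri=6 proto=tcp '
    'src=10.1.1.10 dst=10.2.2.20 srcport=51234 dstport=443 msg="RT_FLOW_SESSION_CREATE"'
)


def parse_sd_syslog(line: str) -> Optional[Dict]:
    """Parse a structured (RFC 5424 with SD-ELEMENT) line; return None if it is not one."""
    m = _RFC5424.match(line.rstrip("\r\n"))
    if not m or m.group("sd") == "-":
        return None
    sd: Dict[str, Dict[str, str]] = {}
    for el in _SD_ELEMENT.finditer(m.group("sd")):
        sd[el.group("id")] = {
            p.group("name"): p.group("value")
            for p in _SD_PARAM.finditer(el.group("params"))
        }
    if not sd:
        return None  # brackets present but no well-formed SD-ELEMENT
    return {
        "pri": int(m.group("pri")),
        "host": m.group("host"),
        "app": m.group("app"),
        "msgid": m.group("msgid"),
        "sd": sd,
    }


def classify(line: str) -> str:
    """Name the SRX log format a received line looks like."""
    if parse_sd_syslog(line) is not None:
        return "sd-syslog"
    if _WELF.match(line):
        return "welf"
    if _RFC3164.match(line):
        return "syslog"
    return "unknown"


def audit(lines: Iterable[str]) -> Dict[str, int]:
    """Count lines per format so a captured feed can be checked for non-structured messages."""
    counts = Counter({"sd-syslog": 0, "welf": 0, "syslog": 0, "unknown": 0})
    for line in lines:
        if line.strip():
            counts[classify(line)] += 1
    return dict(counts)


if __name__ == "__main__":
    # Usage: python check_srx_feed.py < captured_lines.txt  (reads stdin, one message per line)
    import sys
    captured = sys.stdin.read().splitlines() or [SAMPLE_SD_SYSLOG, SAMPLE_SYSLOG, SAMPLE_WELF]
    print("format counts:", audit(captured))
    for line in captured:
        parsed = parse_sd_syslog(line)
        if parsed:
            for sd_id, params in parsed["sd"].items():
                print(parsed["host"], parsed["msgid"], sd_id,
                      params.get("source-zone-name"), "->", params.get("destination-zone-name"),
                      "policy", params.get("policy-name"))
```

    If the audit shows only "syslog" or "welf" lines, the SRX is sending the stream in the wrong format and the fix is on the device side (the `format sd-syslog` statement); if it shows "sd-syslog" lines but nothing appears in Security Director, the device-side format is fine and the problem is on the Space or collector side.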



  • 5.  RE: Logging from SRX to security director

    Posted 05-16-2019 14:11
    I’ve tried it in both modes and whatever I do, the log collector doesn’t receive it properly.

    I’ve run a command on log collector and it doesn’t view the feed as structured.

    Is it me or is logging to security director / log collector a pain?

    Thanks


  • 6.  RE: Logging from SRX to security director

    Posted 05-16-2019 20:47

    Hi,


    LC should work normally if the required configuration is in place.


    Send us the output of the commands below from the LC CLI:

    /etc/init.d/elasticsearch status
    /etc/init.d/jingest status
    curl -XGET --insecure --tlsv1.2 https://127.0.0.1:9200/_cat/indices?v
    curl -XGET --insecure --tlsv1.2 https://127.0.0.1:9200/_cluster/health

    tcpdump -n -nn -vvvv port 514 and host <SRX_IP>

    From the SRX, send us the configuration for stream/event mode.


    -PL



  • 7.  RE: Logging from SRX to security director
    Best Answer

    Posted 05-20-2019 03:58
    Thanks all,

    It was the config on the SRX in the end;

    set security log mode stream
    set security log format sd-syslog
    set security log source-address x.x.x.x
    set security log stream securitylog format welf
    set security log stream securitylog host x.x.x.x
    set security log stream hostx.x.x.x format welf
    set security log stream hostx.x.x.x host x.x.x.x
    set security log stream logcollector format syslog
    set security log stream logcollector host x.x.x.x
    set security log stream logcollector format sd-syslog
    set security log stream logcollector host port 514
    set security log stream logcollector category all


  • 8.  RE: Logging from SRX to security director

    Posted 05-20-2019 04:53
    Can we configure the format? It should be sd-syslog only.

    set security log stream logcollector format syslog
    set security log stream logcollector host x.x.x.x
    set security log stream logcollector format sd-syslog

    Regards,
    Pravin


  • 9.  RE: Logging from SRX to security director

    Posted 05-20-2019 05:04
    I couldn’t seem to get it working with just those lines - strange really. The above is the only time I could get security director to be happy with the logs.