I have a customer who is receiving tons of logs from his SRX to the Syslog server. He requested only to send logs for the traffic which is dropped, he doesn't care about the permitted traffic. How can I configure this under the Syslog host?
Thanks in advance.
If it is a branch SRX (log mode is event) you may try this:
set system syslog host <syslog server ip> any any
set system syslog host <syslog server ip> match "RT_FLOW_SESSION_DENY"
Thanks, Nellikka, for your answer.
But if I'm planning to use stream mode, how can I configure it to match "RT_FLOW_SESSION_DENY"?
There is no option to filter only deny logs in stream mode. Since you need only deny/dropped logs, one workaround is to enable logging only on deny security policies (log session-init) and remove/disable logging from other security policies (i.e. log session-init and log session-close).
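As an added illustration of both approaches (not configuration posted by either participant), the following Junos set commands show the event-mode syslog match alongside the stream-mode per-policy workaround; the collector address 192.0.2.10, the source address 192.0.2.1, the zone names trust/untrust and the policy names deny-rest and permit-web are placeholders:

```junos
# Event mode (branch SRX): forward every facility, but only messages that
# match the deny event name. 192.0.2.10 is an assumed collector address.
set system syslog host 192.0.2.10 any any
set system syslog host 192.0.2.10 match "RT_FLOW_SESSION_DENY"

# Stream mode: the security-log stream has no per-message filter, so the
# amount of traffic logged is controlled on the security policies instead.
set security log mode stream
set security log format syslog
set security log source-address 192.0.2.1
set security log stream deny-only host 192.0.2.10

# Deny policy: log at session-init only. A denied session is never
# established, so session-close would never fire for it anyway.
set security policies from-zone trust to-zone untrust policy deny-rest match source-address any
set security policies from-zone trust to-zone untrust policy deny-rest match destination-address any
set security policies from-zone trust to-zone untrust policy deny-rest match application any
set security policies from-zone trust to-zone untrust policy deny-rest then deny
set security policies from-zone trust to-zone untrust policy deny-rest then log session-init

# Permit policy (placeholder name): strip both log actions so permitted
# traffic generates no RT_FLOW_SESSION_CREATE/CLOSE messages at all.
delete security policies from-zone trust to-zone untrust policy permit-web then log session-init
delete security policies from-zone trust to-zone untrust policy permit-web then log session-close

# After commit, confirm which policies still carry a log action.
show security policies policy-name deny-rest detail
show security policies policy-name permit-web detail
```

Policy order still applies: the explicit deny policy must sit after the permit policies in the same zone pair, otherwise it shadows them.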
Thanks for your support, I really appreciate it.