Only send logs of dropped traffic from SRX to Syslog server

  • 1.  Only send logs of dropped traffic from SRX to Syslog server

    Posted 12-24-2019 07:10

    I have a customer who is receiving tons of logs from his SRX to the Syslog server. He requested that only logs for dropped traffic be sent; he doesn't care about the permitted traffic. How can I configure this under the Syslog host?


    Thanks in advance.


    #syslog
    #SRX


  • 2.  RE: Only send logs of dropped traffic from SRX to Syslog server
    Best Answer

    Posted 12-24-2019 08:32

    If it is a branch SRX (log mode is event) you may try this:

    set system syslog host <syslog server ip> any any
    set system syslog host <syslog server ip> match "RT_FLOW_SESSION_DENY"



  • 3.  RE: Only send logs of dropped traffic from SRX to Syslog server

    Posted 12-25-2019 06:12

    Thanks, Nellikka, for your answer.

    But if I'm planning to use stream mode, how can I configure it to match "RT_FLOW_SESSION_DENY"?



  • 4.  RE: Only send logs of dropped traffic from SRX to Syslog server

    Posted 12-25-2019 18:33

    There is no option to filter only deny logs in stream mode. Since you need only deny/dropped logs, one workaround is to enable logging only on deny security policies (log session-init) and remove/disable logging from other security policies (i.e. log session-init and log session-close).
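    The stream-mode workaround described in this reply, written out as an added configuration example that is not from the original thread. The zone names (trust/untrust), the policy and stream names, and the 192.0.2.x addresses are assumed placeholders.

```junos
# Added example, not from the thread. Assumed: zones trust/untrust,
# policy and stream names, and RFC 5737 documentation addresses.

# Stream mode: security logs leave the data plane directly, so the
# "system syslog host ... match" filter from the event-mode answer
# does not apply here. There is no match filter on a stream.
set security log mode stream
set security log format sd-syslog
set security log source-address 192.0.2.1
set security log stream deny-only format sd-syslog
set security log stream deny-only host 192.0.2.10

# Permit policy: no "log" statement, so allowed sessions emit no
# RT_FLOW_SESSION_CREATE / RT_FLOW_SESSION_CLOSE messages.
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-https
set security policies from-zone trust to-zone untrust policy allow-web then permit

# Final deny policy: "log session-init" is what emits RT_FLOW_SESSION_DENY
# for every dropped session, so this is the only policy that logs.
set security policies from-zone trust to-zone untrust policy deny-rest match source-address any
set security policies from-zone trust to-zone untrust policy deny-rest match destination-address any
set security policies from-zone trust to-zone untrust policy deny-rest match application any
set security policies from-zone trust to-zone untrust policy deny-rest then deny
set security policies from-zone trust to-zone untrust policy deny-rest then log session-init

# If an existing permit policy already logs, remove only its log stanza:
delete security policies from-zone trust to-zone untrust policy allow-web then log
```

    After committing, check with "show security policies policy-name deny-rest detail" that only the deny policy shows session-init logging, and verify on the collector that RT_FLOW_SESSION_CREATE messages stop arriving.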


  • 5.  RE: Only send logs of dropped traffic from SRX to Syslog server

    Posted 12-25-2019 23:29

    Thanks for your support, I really appreciate it.