SRX

Hello. I'm trying to configure our SRX3600 cluster to send syslog messages to the remote syslog/SIEM server. I have the following configured on the cluster.

syslog {
    archive size 128k files 50 world-readable;
    user * {
        any emergency;
    }
    host 10.64.20.50 {
        any any;
        authorization any;
        firewall any;
        source-address 192.168.246.1;
        explicit-priority;
        structured-data {
            brief;
        }
    }
    file messages {
        any notice;
        authorization info;
    }
    file interactive-commands {
        interactive-commands any;
    }
    file interface_logs {
        any any;
        match UpDown;
    }
    source-address 192.168.246.1;
}

The routing for the cluster:

routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 192.168.170.1;
            retain;
        }
         route 10.64.20.50/32 next-table internet.inet.0;
    }
}

routing-instances {
    internet {
        instance-type virtual-router;

#interface commands excluded for brevity

        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 193.25.220.1;
                    retain;
                }
                route 10.0.0.0/8 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.254.0/24 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.0.0/16 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.234.0/24 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.90.0/23 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.55.0/24 {
                    next-hop 192.168.246.254;
                    retain;
                }
            }
        }
    }
}

When configured like this I'm not seeing anything being sent to remote server.

The funny thing is that I'm sending screen messages to the same server and they are coming through without a problem with the following configuration:

security {
    log {
        mode stream;
        format sd-syslog;
        source-address 192.168.246.1;
        stream SIEM_log {
            category all;
            host {
                10.64.20.50;
                port 514;
            }
        }
    }

Any help on what I'm missing here would be great.

Do your security policies also include the log option in them?

The security logs are only generated for policies that have the log parameter set.

And any deny policy must log on session intiation not close.

Hi, Igor

Can you change the source address for system syslog to an address of an interface part of inet.0 (default routing-instance):

syslog {
    archive size 128k files 50 world-readable;
    user * {
        any emergency;
    }
    host 10.64.20.50 {
        any any;
        authorization any;
        firewall any;
        source-address 192.168.246.1;
        explicit-priority;
        structured-data {
            brief;
        }
    }

I think that 192.168.246.1 is configured on an interface in internet virtual-router and becuase the System logs are sent from the inet.0 instance there is a problem.

Please let us know.

Hi.

@ epaniagua

That's the thing. All of my interfaces are in the internet routing instance. As far as I can see there are no interfaces assigned to inet.0. Here is some output:

# run show route

inet.0: 9 destinations, 9 routes (8 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 14w6d 08:27:24
                    > to 192.168.170.1 via fxp0.0
10.64.8.96/32      *[Static/5] 14w6d 08:27:25
                      to table internet.inet.0
10.64.8.202/32     *[Static/5] 14w6d 08:27:25
                      to table internet.inet.0
10.64.20.50/32     *[Static/5] 14w6d 08:27:25
                      to table internet.inet.0
161.53.123.5/32    *[Static/5] 14w6d 08:27:25
                      to table internet.inet.0
161.53.160.5/32    *[Static/5] 14w6d 08:27:25
                      to table internet.inet.0
192.168.170.0/24   *[Direct/0] 14w6d 08:27:25
                    > via fxp0.0
192.168.170.253/32 *[Local/0] 14w6d 08:27:25

I see that there is interfaxe fxp0.0 in inet.0 but I don't have it configured anywhere in the configuration.

@spuluka

First I want to try to get who is trying to log in/out of the device and then I can try to do the other stuff. Baby steps 🙂

You can just configure an ip on a loopback interface (lo0) in the default instance (inet.0) and then either forward the traffic via a firewall filter as described in https://forums.juniper.net/t5/SRX-Services-Gateway/SYSLOG-Help-with-SRX/td-p/313444 - or by doing route-leakning between the Internet routing-instance and inet.0... can be done via eg. rib groups.

Igor,

Because you already have the routing in place, you could just configure an IP address on the loopback interface, that by default is in the master routing-instance, and source the packets from there. This will be the same solution of the NTP issue you are having as well.

Hi thanks for the reply. I will try this in a few days as I'm in the middle of network upgrades which I have to finish first.

Just one question before I try this. Can I use on the loopback interface an IP address from the range that is in the virtual routing table or must the IP address on the loopback be from a seperate range?

Hi, Igor

I will advise to use a different subnet, maybe one that you could use as the "management subnet". Still I believe you could also use an IP address from the range of the virtual router because the default-instance uses a separate routing-table (inet.zero) and anyway the syslog traffic is always undirectional, from SRX to syslog server.

Give it a try a let us know.

Hi, Igor

Were you able to fix the problem?

Sorry for the late reply everyone but other work just took over and I didn't go near this until today. Anyway I added a new network to the loopback interface and it worked as a charm. I can now see logs form the SRX with the IP I configured on the lo0 interface as source and destination IP in the syslog.

It somehow feels strange that I have to use loopback for this to work but that could just be my primarily Cisco background 🙂

Thank you everyone for the help.

I am having a similar issue.  Can you advise?

syslog {
archive size 100k files 3;
user * {
any emergency;
}
host 172.16.253.253 {
any any;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
file kmd-logs {
daemon info;
match KMD;
}
file policy_session {
user info;
match RT_FLOW;
archive size 1000k world-readable;
structured-data;
}
source-address 2.2.2.2;

I can ping 2.2.2.2 from the 172.16.253.0/24 subnet

T.inet.0: 20 destinations, 20 routes (20 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 22w5d 19:15:14
to table ISP-V300.inet.0
1.1.1.1/32 *[Direct/0] 22w5d 19:15:19
> via lo0.0
2.2.2.2/32 *[OSPF/10] 22w5d 19:14:54, metric 1
> to 192.168.151.254 via ge-5/0/4.151
to 192.168.150.254 via ge-0/0/4.150
10.10.0.0/24 *[Static/5] 22w5d 19:15:14
to table HOSTED-DR.inet.0
10.11.0.0/24 *[Static/5] 22w5d 19:15:14
to table HOSTED-DR.inet.0
to 192.168.150.254 via ge-0/0/4.150
172.16.101.0/24 *[OSPF/10] 22w5d 19:14:54, metric 2
to 192.168.151.254 via ge-5/0/4.151
> to 192.168.150.254 via ge-0/0/4.150
172.16.253.0/24 *[OSPF/10] 22w5d 19:14:54, metric 2
> to 192.168.151.254 via ge-5/0/4.151
to 192.168.150.254 via ge-0/0/4.150

Thanks

Todd

Hi, I would advise to open a new thread for this.

is the source interface 2.2.2.2 on the interface ge-5/0/4.151

can you ping on the SRX from this source to the syslog

ping 172.16.253.253 source 2.2.2.2