Junos OS

Hi, 

Remote logging of security logs is not working on our srx5400 firewall.  we would like to send traffic logs to a syslog server. software version is 21.4R3-S7.9. 

system logs are being sent, but not security logs. SRX5400 being SRX high end, we made sure to source the traffic log stream from a data plane interface, not RE interface. 

here is the configuration: 

mode stream;
source-address <data-plane-interface-ip-address>;
stream security_logs {
    severity info;
    host {
        <syslog-server-ip-adress>;
    }
}

thanks for your help.

Are the security policies also configured to log on either session init or close?  

To enable logging for a security policy:

1. For the default-permit security policy, specify that traffic logs are generated when a session closes.
   user@host# set security policies from-zone trust to-zone untrust policy default-permit then log session-close
    
2. (Optional) Specify that traffic logs are generated when a session starts.
   user@host# set security policies from-zone trust to-zone untrust policy default-permit then log session-init

https://supportportal.juniper.net/s/article/SRX-Getting-Started-Configure-Traffic-Logs-or-Security-Policy-Logs-for-SRX-High-End-Devices?language=en_US

Hi, 

Remote logging of security logs is not working on our srx5400 firewall.  we would like to send traffic logs to a syslog server. software version is 21.4R3-S7.9. 

system logs are being sent, but not security logs. SRX5400 being SRX high end, we made sure to source the traffic log stream from a data plane interface, not RE interface. 

here is the configuration: 

mode stream;
source-address <data-plane-interface-ip-address>;
stream security_logs {
    severity info;
    host {
        <syslog-server-ip-adress>;
    }
}

thanks for your help.

Yes logging is enabled with "then log session-init" and "then log session-close" statements.

excerpt: 

set logical-systems <logical-system-name> security policies from-zone <source-zone-name> to-zone <destination-zone-name> policy <policy-name> then log session-init
set logical-systems <logical-system-name> security policies from-zone <source-zone-name> to-zone <destination-zone-name> policy <policy-name> then log session-close

Are the security policies also configured to log on either session init or close?  

To enable logging for a security policy:

1. For the default-permit security policy, specify that traffic logs are generated when a session closes.
   user@host# set security policies from-zone trust to-zone untrust policy default-permit then log session-close
    
2. (Optional) Specify that traffic logs are generated when a session starts.
   user@host# set security policies from-zone trust to-zone untrust policy default-permit then log session-init

https://supportportal.juniper.net/s/article/SRX-Getting-Started-Configure-Traffic-Logs-or-Security-Policy-Logs-for-SRX-High-End-Devices?language=en_US

Hi, 

Remote logging of security logs is not working on our srx5400 firewall.  we would like to send traffic logs to a syslog server. software version is 21.4R3-S7.9. 

system logs are being sent, but not security logs. SRX5400 being SRX high end, we made sure to source the traffic log stream from a data plane interface, not RE interface. 

here is the configuration: 

mode stream;
source-address <data-plane-interface-ip-address>;
stream security_logs {
    severity info;
    host {
        <syslog-server-ip-adress>;
    }
}

thanks for your help.

The configuration then looks complete.  Can you confirm the source ip address is also in the inet.0 root routing instance and not a virtual router?

Yes logging is enabled with "then log session-init" and "then log session-close" statements.

excerpt: 

set logical-systems <logical-system-name> security policies from-zone <source-zone-name> to-zone <destination-zone-name> policy <policy-name> then log session-init
set logical-systems <logical-system-name> security policies from-zone <source-zone-name> to-zone <destination-zone-name> policy <policy-name> then log session-close

Are the security policies also configured to log on either session init or close?  

To enable logging for a security policy:

1. For the default-permit security policy, specify that traffic logs are generated when a session closes.
   user@host# set security policies from-zone trust to-zone untrust policy default-permit then log session-close
    
2. (Optional) Specify that traffic logs are generated when a session starts.
   user@host# set security policies from-zone trust to-zone untrust policy default-permit then log session-init

https://supportportal.juniper.net/s/article/SRX-Getting-Started-Configure-Traffic-Logs-or-Security-Policy-Logs-for-SRX-High-End-Devices?language=en_US

Hi, 

Remote logging of security logs is not working on our srx5400 firewall.  we would like to send traffic logs to a syslog server. software version is 21.4R3-S7.9. 

system logs are being sent, but not security logs. SRX5400 being SRX high end, we made sure to source the traffic log stream from a data plane interface, not RE interface. 

here is the configuration: 

mode stream;
source-address <data-plane-interface-ip-address>;
stream security_logs {
    severity info;
    host {
        <syslog-server-ip-adress>;
    }
}

thanks for your help.

The configuration then looks complete.  Can you confirm the source ip address is also in the inet.0 root routing instance and not a virtual router?

Yes logging is enabled with "then log session-init" and "then log session-close" statements.

excerpt: 

set logical-systems <logical-system-name> security policies from-zone <source-zone-name> to-zone <destination-zone-name> policy <policy-name> then log session-init
set logical-systems <logical-system-name> security policies from-zone <source-zone-name> to-zone <destination-zone-name> policy <policy-name> then log session-close

Are the security policies also configured to log on either session init or close?  

To enable logging for a security policy:

1. For the default-permit security policy, specify that traffic logs are generated when a session closes.
   user@host# set security policies from-zone trust to-zone untrust policy default-permit then log session-close
    
2. (Optional) Specify that traffic logs are generated when a session starts.
   user@host# set security policies from-zone trust to-zone untrust policy default-permit then log session-init

https://supportportal.juniper.net/s/article/SRX-Getting-Started-Configure-Traffic-Logs-or-Security-Policy-Logs-for-SRX-High-End-Devices?language=en_US

Hi, 

Remote logging of security logs is not working on our srx5400 firewall.  we would like to send traffic logs to a syslog server. software version is 21.4R3-S7.9. 

system logs are being sent, but not security logs. SRX5400 being SRX high end, we made sure to source the traffic log stream from a data plane interface, not RE interface. 

here is the configuration: 

mode stream;
source-address <data-plane-interface-ip-address>;
stream security_logs {
    severity info;
    host {
        <syslog-server-ip-adress>;
    }
}

thanks for your help.

The configuration then looks complete.  Can you confirm the source ip address is also in the inet.0 root routing instance and not a virtual router?

Yes logging is enabled with "then log session-init" and "then log session-close" statements.

excerpt: 

set logical-systems <logical-system-name> security policies from-zone <source-zone-name> to-zone <destination-zone-name> policy <policy-name> then log session-init
set logical-systems <logical-system-name> security policies from-zone <source-zone-name> to-zone <destination-zone-name> policy <policy-name> then log session-close

Are the security policies also configured to log on either session init or close?  

To enable logging for a security policy:

1. For the default-permit security policy, specify that traffic logs are generated when a session closes.
   user@host# set security policies from-zone trust to-zone untrust policy default-permit then log session-close
    
2. (Optional) Specify that traffic logs are generated when a session starts.
   user@host# set security policies from-zone trust to-zone untrust policy default-permit then log session-init

https://supportportal.juniper.net/s/article/SRX-Getting-Started-Configure-Traffic-Logs-or-Security-Policy-Logs-for-SRX-High-End-Devices?language=en_US

Hi, 

Remote logging of security logs is not working on our srx5400 firewall.  we would like to send traffic logs to a syslog server. software version is 21.4R3-S7.9. 

system logs are being sent, but not security logs. SRX5400 being SRX high end, we made sure to source the traffic log stream from a data plane interface, not RE interface. 

here is the configuration: 

mode stream;
source-address <data-plane-interface-ip-address>;
stream security_logs {
    severity info;
    host {
        <syslog-server-ip-adress>;
    }
}

thanks for your help.

Hi, 

Remote logging of security logs is not working on our srx5400 firewall.  we would like to send traffic logs to a syslog server. software version is 21.4R3-S7.9. 

system logs are being sent, but not security logs. SRX5400 being SRX high end, we made sure to source the traffic log stream from a data plane interface, not RE interface. 

here is the configuration: 

mode stream;
source-address <data-plane-interface-ip-address>;
stream security_logs {
    severity info;
    host {
        <syslog-server-ip-adress>;
    }
}

thanks for your help.

set security log stream security_logs category flow

Hi, 

Remote logging of security logs is not working on our srx5400 firewall.  we would like to send traffic logs to a syslog server. software version is 21.4R3-S7.9. 

system logs are being sent, but not security logs. SRX5400 being SRX high end, we made sure to source the traffic log stream from a data plane interface, not RE interface. 

here is the configuration: 

mode stream;
source-address <data-plane-interface-ip-address>;
stream security_logs {
    severity info;
    host {
        <syslog-server-ip-adress>;
    }
}

thanks for your help.

Hi, 

tried it but still not working. even tried "category all" 

set security log stream security_logs category flow

Hi, 

Remote logging of security logs is not working on our srx5400 firewall.  we would like to send traffic logs to a syslog server. software version is 21.4R3-S7.9. 

system logs are being sent, but not security logs. SRX5400 being SRX high end, we made sure to source the traffic log stream from a data plane interface, not RE interface. 

here is the configuration: 

mode stream;
source-address <data-plane-interface-ip-address>;
stream security_logs {
    severity info;
    host {
        <syslog-server-ip-adress>;
    }
}

thanks for your help.

Hi,

If u use logical-system, as i remember u need to use vpls switch config to send traffic-log from logical-system.

Thanks

Original Message:
Sent: 02-07-2025 05:58
From: ADMIN ARS
Subject: SRX 5400 - security log not working

Hi, 

tried it but still not working. even tried "category all" 

------------------------------
ADMIN ARS

Original Message:
Sent: 02-05-2025 07:58
From: Purple Packet Surfer
Subject: SRX 5400 - security log not working

set security log stream security_logs category flow

------------------------------
ANDREY LEO

Original Message:
Sent: 02-03-2025 03:16
From: ADMIN ARS
Subject: SRX 5400 - security log not working

Hi, 

Remote logging of security logs is not working on our srx5400 firewall.  we would like to send traffic logs to a syslog server. software version is 21.4R3-S7.9. 

system logs are being sent, but not security logs. SRX5400 being SRX high end, we made sure to source the traffic log stream from a data plane interface, not RE interface. 

here is the configuration: 

mode stream;
source-address <data-plane-interface-ip-address>;
stream security_logs {
    severity info;
    host {
        <syslog-server-ip-adress>;
    }
}

thanks for your help.

------------------------------
ADMIN ARS
------------------------------