Thanks. Yes, I changed the format from sd-syslog to syslog and now I am getting the correct format.
Original Message:
Sent: 7/16/2024 1:00:00 PM
From: Nikolay Semov
Subject: RE: SRX security data plane logs stream uses source interface IP as .log filename, not the hostname
The filename is determined by your Syslog server, not by the SRX. That being said, evidently the Syslog server uses the second field of the log message to determine the host name, and therefore the file name.
Barring a configuration change on your Syslog server, you can affect how the log message looks by playing with the log format option. Maybe try syslog instead of sd-syslog?
------------------------------
Nikolay Semov
------------------------------
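As an added illustration (not code from the thread or from Juniper), the Python below sketches why a receiver that parses only the traditional syslog header ends up naming the file after the sender's IP when the SRX sends sd-syslog (RFC 5424) lines, while an RFC 5424-aware receiver picks the HOSTNAME field. The two sample lines, the simplified header regexes and the %HOSTNAME%.log file template are constructed assumptions.

```python
import re

# Constructed sample lines (not from the thread) modelled on the two SRX formats:
# a traditional BSD-style (RFC 3164) line and an sd-syslog (RFC 5424) line for the same event.
BSD_LINE = ('<14>Jul 16 05:16:58 SRX-FW1 RT_FLOW: RT_FLOW_SESSION_DENY: '
            'session denied 172.16.17.15/58642->56.14.40.8/80')
SD_LINE = ('<14>1 2024-07-16T05:16:58.686Z SRX-FW1 RT_FLOW - RT_FLOW_SESSION_DENY '
           '[junos@2636.1.1.1.2.137 source-address="172.16.17.15" destination-address="56.14.40.8"]')

# Simplified header patterns (assumption); real receivers such as rsyslog or syslog-ng are more tolerant.
BSD_HDR = re.compile(r'^<\d{1,3}>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) ')
SD_HDR = re.compile(r'^<\d{1,3}>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) ')


def bsd_only_hostname(line, peer_ip):
    """Hostname as seen by a receiver that only understands BSD syslog.

    The hostname is the field right after the timestamp. If the header does not
    parse (as with an RFC 5424 line), the receiver falls back to the sender's IP,
    i.e. the source-address of the SRX stream rather than the device hostname."""
    m = BSD_HDR.match(line)
    return m.group("host") if m else peer_ip


def rfc5424_aware_hostname(line, peer_ip):
    """Hostname as seen by a receiver that tries RFC 5424 first, then BSD."""
    m = SD_HDR.match(line)
    if m and m.group("host") != "-":   # "-" is the RFC 5424 NILVALUE
        return m.group("host")
    return bsd_only_hostname(line, peer_ip)


def log_file_name(line, peer_ip, rfc5424_aware=False):
    """Per-host file the receiver would write to (hypothetical %HOSTNAME%.log template)."""
    pick = rfc5424_aware_hostname if rfc5424_aware else bsd_only_hostname
    return pick(line, peer_ip) + ".log"


if __name__ == "__main__":
    src = "172.16.27.101"   # the stream source-address from the config in the thread
    for fmt, line in (("syslog", BSD_LINE), ("sd-syslog", SD_LINE)):
        print(f"{fmt:9s} bsd-only -> {log_file_name(line, src)}  "
              f"5424-aware -> {log_file_name(line, src, rfc5424_aware=True)}")
```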
Original Message:
Sent: 07-16-2024 02:12
From: taj
Subject: SRX security data plane logs stream uses source interface IP as .log filename, not the hostname
I configured the SRX control plane and data plane to forward syslogs. Now the data plane syslogs are forwarded to an agent and the file on the agent is named with the hostname, SRX-FW1.log.
SRX-FW1.log file output example
Jul 16 05:11:18 SRX-FW1 mgd[68987]: UI_DBASE_LOGOUT_EVENT: User 'test' exiting configuration mode
Jul 16 05:11:18 SRX-FW1 mgd[68987]: UI_LOGOUT_EVENT: User 'test' logout
Jul 16 05:13:24 SRX-FW1 phone-home[26797]: PHCD_CULR_EASY_PERFORM_ERR: curl_easy_perform() failed: Timeout was reached
SRX Control plane config
set system syslog archive size 1m
set system syslog archive files 10
set system syslog user * any emergency
set system syslog host 172.16.7.7 any info
set system syslog host 172.16.7.7 port 514
set system syslog source-address 172.16.27.101
set system syslog routing-instance VRF_SRX_NETMGMT
I configured a routing instance to forward the security logs; the data plane security logs are showing up on the agent under the routing-instance interface IP 172.16.27.101 as the file name, 172.16.27.101.log, since it is the source IP for the security logs. Please see below.
172.16.27.101.log file output example
Jul 16 05:16:58 172.16.27.101 1 2024-07-16T05:16:58.686Z SRX-FW1 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.137 source-address="172.16.17.15" source-port="58642" destination-address="56.14.40.8" destination-port="80" connection-tag="0" service-name="junos-http" protocol-id="6" icmp-type="0" policy-name="DEFAULT_DENY(global)" source-zone-name="SRX_ADMIN" destination-zone-name="SRX_OUT" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ae0.72" encrypted="No" reason="Denied by policy" session-id="21495036518" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A" source-tenant="N/A" destination-service="N/A"]
set security log stream STREAM severity debug
set security log stream STREAM format sd-syslog
set security log stream STREAM category all
set security log stream STREAM host 172.16.7.7
set security log stream STREAM host port 514
set security log stream STREAM host routing-instance VRF_SRX_NETMGMT
set security log stream STREAM source-address 172.16.27.101
Our monitoring server will ingest the syslog files from the agent, and we filter and pull the logs by device name; however, the security log file name is 172.16.27.101.log, so it is difficult to filter without the device name. Is there a way to make sure that the SRX security data syslog file is saved under the hostname, or can I assign interface IP 172.16.27.101 a DNS name so that the file is saved with the DNS name?
Thanks in advance for any kind of help.
------------------------------
tj singh
------------------------------