SRX


Ask questions and share experiences about the SRX Series.
  • 1.  SRX4100 control plane logs to external syslog server

    Posted 09-07-2022 10:33
    Hi all. 

    I've read every piece of documentation I could find to see if I could find the solution to this problem, but now I have given up. So I hope some of you guys might be able to shed some light on this for me. 

    The thing is quite simple; I want a couple of SRX4100s to forward control plane logs to an external syslog server. I've done this many times on SRX380, but somehow the same configuration syntax on SRX4100 does not generate any syslog entries on the remote server. Please note the IPs are just bogus and just to show my configuration:

    [edit system syslog]
    host 1.2.3.4 {
        any notice;
        authorization info;
        security any;
        firewall any;
        facility-override local4;
        explicit-priority;
    }

    As mentioned, this works well on SRX380. But when doing this on SRX4100 I can't see any traffic from the device on port 514 on the remote server (via tcpdump). I've checked all the possible firewall rules between the SRX and the syslog server. 

    I might also mention that I have data plane (firewall) logging configured on the SRX4100 to the same syslog server (under security log) and this works as intended. The difference is that the data plane logging is configured as stream logging (as it needs to be) and control plane logging is not. 

    I've checked on a SRX380 and see that it creates a flow session between itself and the syslog server that I can see when doing a "show security flow session destination-prefix <syslogserver> destination-port 514". I then see a flow session as self traffic between the SRX and the syslog server. But I can't see this on the SRX4100... so it seems that it does not even try to export the logs. 

    So... my question is this. Is there any difference in the way an SRX4100 and an SRX380 handle and forward control plane logs? Do you guys have any other tips for troubleshooting this?


    ------------------------------
    Vidar Stokke
    ------------------------------


  • 2.  RE: SRX4100 control plane logs to external syslog server

    Posted 09-08-2022 09:27
    Hi,

    SRX4100 by default is stream mode. You need to change it to use event mode, even though it is not advisable.


    Thanks


  • 3.  RE: SRX4100 control plane logs to external syslog server

    Posted 09-13-2022 06:30
    Hi. 

    I'm sorry but I don't understand. 

    I know that the logging of data plane (security logs) defaults to stream mode, but as far as I can see logging of control plane (system syslog) is in event mode and not possible to do in stream mode. As I mentioned we are doing data plane logging of firewall hits with stream mode and this works, but control plane logs only work when logging to local files. 

    Best regards
    Vidar

    ------------------------------
    Vidar Stokke
    ------------------------------



  • 4.  RE: SRX4100 control plane logs to external syslog server

    Posted 09-14-2022 05:06

    Hi,

    In SRX4100, can you add "set system syslog source-address x.x.x.x" and make syslog "any" "any"?

    Also, can you share the Junos version which is running on SRX4100 and SRX380? 


    Thanks,




  • 5.  RE: SRX4100 control plane logs to external syslog server

    Posted 09-15-2022 03:24
    Hey. 

    Thank you for your follow up. 

    Setting source-address and "any any" still does not create any messages. Both the SRX4100s and the SRX380s are running 20.4R3-S3.4. 

    My observation on the SRX380 is that I see a flow from the SRX itself towards the syslog server when running "show security flow session destination-port 514".

    Session ID: 195763, Policy name: self-traffic-policy/1, State: Active, Timeout: 48, Valid
    In: 10.10.10.10/514 --> 1.2.3.4/514;udp, Conn Tag: 0x0, If: .local..0, Pkts: 4, Bytes: 823,
    Out: 1.2.3.4/514 --> 10.10.10.10/514;udp, Conn Tag: 0x0, If: reth1.999, Pkts: 0, Bytes: 0,

    But this is totally absent on the SRX4100. It seems that the SRX4100 doesn't even try.

    ------------------------------
    Vidar Stokke
    ------------------------------



  • 6.  RE: SRX4100 control plane logs to external syslog server
    Best Answer

    Posted 09-15-2022 07:21
    Hi Vidar,

    I had seen a similar issue of control plane log messages not being sent from the SRX4k series running 20.4R3-S1. Sharing the workaround I followed:

    ------Working config--------
    set system syslog host <SYSLOG_IP> any any
    set system syslog source-address <SRC IP>
    set interfaces lo0 unit 0 family inet address <lo0  SRC IP>
    set system management-instance

    -----------Else you can try this if management-instance is enabled-----------

    #deactivate system management-instance >>>>> if enabled


    Thanks,
    Ram



  • 7.  RE: SRX4100 control plane logs to external syslog server

    Posted 10-18-2022 09:14
    Hi Ram. 

    Sorry for not getting back to you earlier. 

    I've now done some more testing and found a solution based on your input. 

    The solution was that I had tried to use "syslog source-address" under each "host" declaration and not directly under the "system syslog" level. When I moved the "syslog source-address" from each "host" to the "system syslog" level, everything started working as intended. 

    I honestly don't understand why this has to be like this, but at least I have a solution. 

    Thank you for pointing me in the right direction, Ram. 

    Best regards

    ------------------------------
    Vidar Stokke
    ------------------------------
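As an added example, not code from this thread or from Juniper, a small Python audit of Junos set-format syslog lines that flags the two placements discussed in Ram's workaround and Vidar's resolution: source-address nested under a host instead of at the system syslog level, and management-instance enabled while the source address is not on lo0. The sample configs and IP addresses below are constructed placeholders.

```python
# Added example (not from the thread): audit Junos "set ..." lines for the
# control-plane syslog pitfalls discussed above. Sample configs are constructed.

def audit_syslog_config(config_text: str) -> list[str]:
    """Return a list of findings; an empty list means none of the known pitfalls."""
    hosts, per_host_src, lo0_addrs = set(), {}, set()
    global_src, mgmt_instance = None, False
    for raw in config_text.splitlines():
        t = raw.split()
        if not t or t[0] != "set":
            continue                      # skip comments, blank lines, prompts
        if t[1:4] == ["system", "syslog", "host"] and len(t) >= 5:
            hosts.add(t[4])
            if len(t) >= 7 and t[5] == "source-address":
                per_host_src[t[4]] = t[6]  # the placement that did not work
        elif t[1:4] == ["system", "syslog", "source-address"] and len(t) >= 5:
            global_src = t[4]              # the placement that worked
        elif t[1:3] == ["system", "management-instance"]:
            mgmt_instance = True
        elif t[1:8] == ["interfaces", "lo0", "unit", "0", "family", "inet", "address"] and len(t) >= 9:
            lo0_addrs.add(t[8].split("/")[0])
    findings = []
    for host, src in per_host_src.items():
        findings.append(f"source-address {src} is under host {host}; move it to "
                        "'set system syslog source-address' (thread finding)")
    if hosts and global_src is None:
        findings.append("no 'set system syslog source-address' at the system syslog level")
    if mgmt_instance and global_src and global_src not in lo0_addrs:
        findings.append(f"management-instance is enabled but source-address {global_src} "
                        "is not an lo0 address; put it on lo0 or deactivate management-instance")
    return findings

# Constructed sample 1: source-address placed under the host stanza (the original mistake).
MISPLACED_CONFIG = """\
set system syslog host 1.2.3.4 any notice
set system syslog host 1.2.3.4 security any
set system syslog host 1.2.3.4 source-address 10.10.10.10
set system management-instance
"""

# Constructed sample 2: the working shape from the thread's workaround.
FIXED_CONFIG = """\
set system syslog host 1.2.3.4 any any
set system syslog source-address 10.10.10.10
set interfaces lo0 unit 0 family inet address 10.10.10.10/32
set system management-instance
"""
```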