I've configured syslog for configuration changes to be logged on a remote server. Below is my config:
set system syslog host 10.10.10.10 any critical
set system syslog host 10.10.10.10 authorization any
set system syslog host 10.10.10.10 user critical
set system syslog host 10.10.10.10 change-log any
set system syslog host 10.10.10.10 source-address 10.20.20.20
set system syslog host 10.10.10.10 structured-data
I changed the config on the SRX and received the following messages on the syslog server:
2017-05-18 15:03:59 Local6.Info 10.202.30.40 1 2017-05-18T15:03:59.506-06:00 SRXVPN01 mgd 93743 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.39 username="admin_xxxxxxxx" action="set" pathname="[system services telnet\]" delimiter="" value=""] User 'admin_xxxxxxxx' set: [system services telnet]
2017-05-18 15:04:51 Local6.Info 10.202.30.40 1 2017-05-18T15:04:51.648-06:00 SRXVPN01 mgd 93743 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.39 username="admin_xxxxxxxx" action="delete" pathname="[system services telnet\]" delimiter="" value=""] User 'admin_xxxxxxxx' delete: [system services telnet]
The syslog messages don't have the source address of the machine that changes the config. The 10.202.30.40 address is the management address of the SRX.
Am I missing something in the config?
#SRX#syslog
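Added example, not part of the original post and not Juniper code: a Python parser for the two structured-data messages quoted above. It handles the escaped `\]` inside `pathname` and reports which parameters, if any, carry an IPv4 address. The function names and the assumed collector prefix layout (date, time, facility.severity, sender IP) are assumptions of this example.

```python
import re

# The two messages from the post, verbatim (raw strings keep the \] escape).
SAMPLES = [
    r'''2017-05-18 15:03:59 Local6.Info 10.202.30.40 1 2017-05-18T15:03:59.506-06:00 SRXVPN01 mgd 93743 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.39 username="admin_xxxxxxxx" action="set" pathname="[system services telnet\]" delimiter="" value=""] User 'admin_xxxxxxxx' set: [system services telnet]''',
    r'''2017-05-18 15:04:51 Local6.Info 10.202.30.40 1 2017-05-18T15:04:51.648-06:00 SRXVPN01 mgd 93743 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.2.39 username="admin_xxxxxxxx" action="delete" pathname="[system services telnet\]" delimiter="" value=""] User 'admin_xxxxxxxx' delete: [system services telnet]''',
]

# Assumed layout: collector prefix, then the RFC 5424 header fields.
HEADER = re.compile(
    r'^(?P<rcv_date>\S+) (?P<rcv_time>\S+) (?P<pri>\S+) (?P<sender>\S+) '
    r'(?P<version>\d+) (?P<timestamp>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$')
# One SD-PARAM: name="value"; the value may contain \" \\ \] escapes.
PARAM = re.compile(r'\s*([^\s=\]"]+)="((?:\\.|[^"\\])*)"')
UNESCAPE = re.compile(r'\\(["\\\]])')
IPV4 = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')

def parse_audit(line):
    """Split one audit line into header fields, SD parameters and free text."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not in the expected collector + RFC 5424 layout")
    rec = m.groupdict()
    rest = rec.pop("rest")
    sd = re.match(r'\[([^\s\]]+)', rest)
    if not sd:
        raise ValueError("no structured-data element")
    rec["sd_id"], pos, params = sd.group(1), sd.end(), {}
    # Walk the parameters one by one; a search for the first "]" would stop
    # at the escaped \] inside pathname and truncate the element.
    while (p := PARAM.match(rest, pos)):
        params[p.group(1)] = UNESCAPE.sub(r'\1', p.group(2))
        pos = p.end()
    if rest[pos:pos + 1] != "]":
        raise ValueError("unterminated structured-data element")
    rec["params"], rec["message"] = params, rest[pos + 1:].strip()
    return rec

def fields_with_ip(rec):
    """Names of SD parameters whose value contains an IPv4 address."""
    return [k for k, v in rec["params"].items() if IPV4.search(v)]

if __name__ == "__main__":
    for line in SAMPLES:
        r = parse_audit(line)
        print(r["timestamp"], r["host"], r["msgid"], r["params"],
              "sender:", r["sender"], "ip-bearing params:", fields_with_ip(r))
```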