SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  How to view logs logged by Security Policy on SRX

    Posted 11-12-2017 17:21

    Hi everyone,

    Below, we have a security policy with the log option:

    set security policies from-zone ZO to-zone ZOP policy T1 match source-address any
    set security policies from-zone ZO to-zone ZOP policy T1 match destination-address any
    set security policies from-zone ZO to-zone ZOP policy T1 match application any
    set security policies from-zone ZO to-zone ZOP policy T1 then permit

    But when I tried to see the logs generated by the policy, I see a lot of files. Which file contains the logs generated by the policy?


    oot> show log ?
    Possible completions:
    <[Enter]> Execute this command
    <filename> Name of log file
    LEE Size: 44615, Last changed: Oct 21 19:23:33
    __jsrpd_commit_check__ Size: 52, Last changed: Nov 13 01:03:58
    appidd Size: 0, Last changed: Oct 07 22:40:46
    authd_libstats Size: 0, Last changed: Oct 07 22:38:56
    authd_profilelib Size: 0, Last changed: Oct 07 22:38:56
    authd_sdb.log Size: 0, Last changed: Oct 07 22:38:56
    authlib_jdhcpd_trace.log Size: 0, Last changed: Oct 17 01:42:54
    autod Size: 1898, Last changed: Oct 07 22:45:40
    chassisd Size: 819525, Last changed: Nov 13 01:04:15
    cosd Size: 753165, Last changed: Nov 13 00:40:10
    dcd Size: 417839, Last changed: Nov 13 01:04:15
    dfwc Size: 0, Last changed: Oct 07 22:38:44
    eccd Size: 7285, Last changed: Nov 13 01:03:47
    ext/ Last changed: Oct 07 22:38:00
    flowc/ Last changed: Oct 07 22:38:01
    fwauthd_chk_only Size: 297, Last changed: Nov 13 00:38:26
    ggsn/ Last changed: Oct 07 22:38:01
    gres-tp Size: 29605, Last changed: Nov 13 00:40:10
    httpd.log Size: 1568, Last changed: Nov 13 00:40:10
    idpd Size: 0, Last changed: Oct 07 22:41:05
    ifstraced Size: 435, Last changed: Nov 13 00:38:24
    interactive-commands Size: 0, Last changed: Nov 13 01:04:04
    inventory Size: 30000, Last changed: Nov 13 01:03:47
    jdhcpd_era_discover.log Size: 0, Last changed: Oct 17 01:42:55
    jdhcpd_era_discover.log.0 Size: 0, Last changed: Oct 17 01:42:55
    jdhcpd_era_solicit.log Size: 0, Last changed: Oct 17 01:42:56
    jdhcpd_era_solicit.log.0 Size: 0, Last changed: Oct 17 01:42:56
    jdhcpd_profilelib Size: 0, Last changed: Oct 17 01:42:55
    jdhcpd_sdb.log Size: 0, Last changed: Oct 17 01:42:55
    jsrpd Size: 391247, Last changed: Nov 13 01:04:15
    kmd Size: 20759, Last changed: Nov 13 01:04:13
    license Size: 0, Last changed: Oct 07 22:40:39
    license_subs_trace.log Size: 20223, Last changed: Nov 13 00:40:42
    mastership Size: 55, Last changed: Nov 10 22:17:46
    messages Size: 92167, Last changed: Nov 13 01:04:36
    messages.0.gz Size: 10451, Last changed: Oct 29 01:30:01
    messages.1.gz Size: 10696, Last changed: Oct 15 20:30:01
    nsd_chk_only Size: 33476, Last changed: Nov 13 01:03:58
    nstraced_chk_only Size: 243, Last changed: Nov 13 00:38:26


    Thanks and have a good evening!!



  • 2.  RE: How to view logs logged by Security Policy on SRX

    Posted 11-12-2017 20:04

    Hi,

    You may not be logging the messages to a file yet. I suggest that you create a specific file for all the flow logs; see this KB here.

    Tim



  • 3.  RE: How to view logs logged by Security Policy on SRX

    Posted 11-12-2017 20:09

    You need the session-init / session-close option enabled on your policy to get policy logs.

    set security policies from-zone ZO to-zone ZOP policy T1 then log session-init
    set security policies from-zone ZO to-zone ZOP policy T1 then log session-close

    Then, if you are using high-end devices, you need to set the log mode to event; by default it is stream. If you are on branch devices you can ignore this, as branch devices by default use event mode.

    ref: https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/security-edit-mode-security-logging.html



  • 4.  RE: How to view logs logged by Security Policy on SRX
    Best Answer

    Posted 11-13-2017 03:20

    In a nutshell:

    #set security log mode event
    #set system syslog file traffic.log user info
    #set system syslog file traffic.log match "RT_FLOW_SESSION"
    #set security policies ... then log session-close
    >show log traffic.log

    It's handy to trim timestamps sometimes to have a clearer view:

    >show log traffic.log | trim 27

    To monitor logs in real time:

    >monitor start traffic.log
    >monitor stop

    Regards, Wojtek
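Once a traffic.log file is being populated as described in this thread (log mode event, a syslog file matching RT_FLOW_SESSION, and session-init/session-close on the policy), the next question is usually how to read it in bulk. The following is an added example, not code from this thread or from Juniper: a small Python parser that pulls the policy name, zones, 5-tuple and byte counts out of RT_FLOW_SESSION_CREATE / RT_FLOW_SESSION_CLOSE lines and summarises them per policy. The sample lines are constructed, and the field layout after the service name (NAT tuple, NAT rule names, protocol, policy, zones, session id, then packet/byte counters on close) is an assumption modelled on the event-mode message shape; check it against your own Junos release and adjust the regex if your lines differ.

```python
"""Summarise SRX RT_FLOW_SESSION_* lines from traffic.log per security policy.

Added example, not from the thread or from Juniper. SAMPLE_LOG below is
CONSTRUCTED, and the field order after the service name is an ASSUMPTION
modelled on the event-mode message; adapt SESSION_RE to your Junos release.
Only IPv4 lines are handled (the close-reason match stops at the first colon).
"""
import re
from collections import defaultdict

# Constructed sample traffic.log content (not real device output).
SAMPLE_LOG = """\
Nov 13 01:05:01 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.5/51234->192.0.2.10/443 junos-https 10.1.1.5/51234->192.0.2.10/443 None None 6 T1 ZO ZOP 40011 N/A(N/A) ge-0/0/1.0
Nov 13 01:05:09 srx RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.1.1.5/51234->192.0.2.10/443 junos-https 10.1.1.5/51234->192.0.2.10/443 None None 6 T1 ZO ZOP 40011 12(1840) 10(9512) 8 N/A(N/A) ge-0/0/1.0
Nov 13 01:06:00 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.7/40000->198.51.100.4/22 junos-ssh 10.1.1.7/40000->198.51.100.4/22 None None 6 T1 ZO ZOP 40012 N/A(N/A) ge-0/0/1.0
Nov 13 01:07:30 srx RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed idle Timeout: 10.1.1.7/40000->198.51.100.4/22 junos-ssh 10.1.1.7/40000->198.51.100.4/22 None None 6 T1 ZO ZOP 40012 3(200) 0(0) 90 N/A(N/A) ge-0/0/1.0
Nov 13 01:08:00 srx chassisd[1234]: unrelated message that must be ignored
"""

# The regex searches from the RT_FLOW_SESSION_ token, so the syslog timestamp
# prefix (the part "| trim 27" strips on the CLI) does not matter here.
SESSION_RE = re.compile(
    r"RT_FLOW_SESSION_(?P<event>CREATE|CLOSE): session "
    r"(?:created|closed (?P<reason>[^:]+):) "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) (?P<service>\S+) "
    r"\S+ \S+ \S+ "                       # NAT tuple, src-NAT rule, dst-NAT rule (assumed)
    r"(?P<proto>\d+) (?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+) (?P<sid>\d+)"
    # Counters are present on CLOSE only: pkts(bytes) from client, from server, elapsed.
    r"(?: (?P<cpkts>\d+)\((?P<cbytes>\d+)\) (?P<spkts>\d+)\((?P<sbytes>\d+)\) (?P<elapsed>\d+))?"
)

INT_FIELDS = ("sport", "dport", "proto", "sid", "cpkts", "cbytes", "spkts", "sbytes", "elapsed")


def parse_line(line):
    """Return a dict of session fields, or None for lines that are not session events."""
    m = SESSION_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec


def summarise(log_text):
    """Per (from-zone, to-zone, policy): sessions created/closed, bytes, close reasons."""
    def empty():
        return {"created": 0, "closed": 0, "client_bytes": 0,
                "server_bytes": 0, "close_reasons": defaultdict(int)}

    summary = defaultdict(empty)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = summary[(rec["from_zone"], rec["to_zone"], rec["policy"])]
        if rec["event"] == "CREATE":
            entry["created"] += 1
        else:
            entry["closed"] += 1
            entry["client_bytes"] += rec["cbytes"]
            entry["server_bytes"] += rec["sbytes"]
            entry["close_reasons"][rec["reason"]] += 1
    return dict(summary)


def unanswered_sessions(log_text):
    """Session ids that closed with zero bytes from the server.

    Permitted sessions that never got a reply (e.g. closed by idle timeout)
    are a cheap first signal that a destination is unreachable or filtered
    further along the path, so they are worth a second look on a permit policy.
    """
    ids = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["event"] == "CLOSE" and rec["sbytes"] == 0:
            ids.append(rec["sid"])
    return ids


if __name__ == "__main__":
    for key, entry in summarise(SAMPLE_LOG).items():
        print(key, dict(entry, close_reasons=dict(entry["close_reasons"])))
    print("unanswered:", unanswered_sessions(SAMPLE_LOG))
```

In practice you would feed it the output of `show log traffic.log` saved from the device (or the file shipped off-box by syslog); because the parser keys on the RT_FLOW_SESSION_ token rather than on column positions, trimmed or untrimmed timestamps both work.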