Related Documentation
- Developing a Logging Strategy
- Developing a Log Storage Strategy
- Example: Using NSM Log Viewer Features
- Example: Packet Logging Workflow
- Understanding IDP Rulebase Notification Options
- Understanding Backdoor Rulebase Notification Options
- Understanding SYN Protector Rulebase Notification Options
- Understanding Traffic Anomalies Rulebase Notification Options
- Understanding Network Honeypot Rulebase Notification Options
- IP Spoof Attack Prevention Overview
- IDP Series Logs and Reports in NSM Task Summary
- SNMP Statistic Reporting and Traps Task Summary
IDP Logs Overview
The IDP system generates logs for device events and security events.
Device event logs are related to the operation of the IDP Series device. IDP OS Release 5.1 supports extensive system resource instrumentation, so you can use SNMP utilities to monitor device health and load.
Security event logs are related to traffic that matches security policy rules or IP spoof attack settings.
Table 1 summarizes options for viewing and managing logs.
Table 1: IDP Logging Options
Option | Description |
---|---|
Network and Security Manager (NSM) | IDP Series devices automatically send device event logs to NSM. IDP Series devices send security event logs when traffic matches security policy rules for which logging has been enabled. You can use the NSM log viewer to sort through and analyze logs. If you enable packet logging for a security policy rule, you can use the NSM packet viewer to display packet data. For details on using NSM log utilities, see the Network and Security Manager Administration Guide. |
Syslog | You can configure IDP Series devices to forward logs to a syslog server, a commonly used method for storing logs for troubleshooting or record-keeping. For details on configuring syslog collection, see the IDP Series Administration Guide. |
SNMP | SNMP reporting is enabled by default. You can use SNMP methods to track device health and load metrics. For details on configuring SNMP reporting, see the IDP Series Administration Guide. |
Log suppression | You can configure log suppression to reduce the volume of logs. The log suppression feature eliminates multiple log entries for events with the same properties. Instead, in NSM Log Viewer, a single entry appears along with a count of all such matching events. For details on configuring log suppression, see the IDP Series Administration Guide. |
Note: To avoid issues with reports, we highly recommend that you synchronize the network clocks for all devices to the same NTP server. For example, the network clocks for all IDP Series devices and NSM clients should be synchronized to the NTP server specified in the NSM configuration.
Table 2 describes the fields that appear in log entries.
Table 2: NSM Log Viewer: Log Columns
Column | Description |
---|---|
Log ID | Unique ID for the log entry, derived by combining the date and log number. |
Time Received | Date and time that the management system received the log entry. |
Alert | NSM-defined alert for this type of log entry. Configure alerts in policy rules. |
User Flag | To set a flag, right-click the log row, select Flag, and then select one of the flags offered. |
Src Addr | Source IP address of the packet that generated the log entry. |
Dst Addr | Destination IP address of the packet that generated the log entry. |
Action | Action the security device performed on the packet or connection that generated this log entry. Note: Beginning in IDP OS Release 5.1, IDP logs show the action that was taken rather than the action specified in the rule. For TCP events these are the same. Close actions are not possible for UDP or ICMP packets, so for UDP and ICMP events the log shows the action taken (drop) instead of the close client, close server, or close client and server action that might have been configured for the rule. |
Protocol | Protocol that the packet that generated the log entry used. |
Dst Port | Destination port of the packet that generated the log entry. |
Rule # | Security policy rule that generated the log entry. |
Nat Src Addr | NAT source address of the packet that generated the log entry. |
Nat Dst Addr | NAT destination address of the packet that generated the log entry. |
Details | Miscellaneous string associated with the log entry (the misc field in the syslog record). |
Category | Type of log entry. |
Subcategory | Category-specific type of log entry (examples are "Reboot" or message ID). |
Severity | Severity rating (if any) associated with this type of log entry. |
Device | Device that generated this log entry. |
Comment | User-defined comment about the log entry. |
Application Name | Application associated with the current log. |
Bytes In | For sessions, specifies the number of inbound bytes. |
Bytes Out | For sessions, specifies the number of outbound bytes. |
Bytes Total | For sessions, specifies the combined number of inbound and outbound bytes. |
Dev Domain Ver | Domain version that generated this log entry. |
Device Domain | Domain for the device that generated this log entry. |
Device family | Family of the device that generated this log entry. |
Dst Intf | Name of the outbound interface of the packet that generated this log entry. |
Dst Zone | Destination zone associated with a traffic log entry. |
Elapsed Secs | For sessions, specifies how long the session lasted. |
Has Packet Data | Indicates whether the log entry has associated packet data. |
NAT Dst Port | The NAT destination port of the packet that generated the log entry. |
NAT Src Port | The NAT source port of the packet that generated the log entry. |
Packets In | For sessions, specifies the number of inbound packets. |
Packets Out | For sessions, specifies the number of outbound packets. |
Packets Total | For sessions, specifies the combined number of inbound and outbound packets. |
Policy | Security policy that generated the log entry. |
Roles | Role group associated with this log entry. |
Rule Domain | The domain of the rule that generated the log entry. |
Rule Domain Ver | The domain version of the rule that generated the log entry. |
Rulebase | Security policy rulebase that generated the log entry. |
Src Intf | Name of the inbound interface of the packet that generated this log entry. |
Src Port | Source port of the packet that generated the log entry. |
Src Zone | Source zone associated with a traffic log entry. |
Time Generated | Date and time the device generated the log entry. |
User | User associated with this log entry. |
The following example shows a syslog message record:
[syslog@juniper.net dayId="20061012" recordId="0" timeRecv="2006/10/12 21:52:21" timeGen="2006/10/12 21:52:21"
domain="" devDomVer2="0" device_ip="10.209.83.4" cat="Predefined" attack="TROJAN:SUBSEVEN:SCAN"
srcZn="NULL" srcIntf="NULL" srcAddr="192.168.170.20" srcPort="63396" natSrcAddr="NULL" natSrcPort="0"
dstZn="NULL" dstIntf="NULL" dstAddr="192.168.170.10" dstPort="27374" natDstAddr="NULL" natDstPort="0" protocol="TCP"
ruleDomain="" ruleVer="5" policy="Policy2" rulebase="IDS" ruleNo="4" action="NONE" severity="LOW" alert="no"
elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" totPak="0" repCount="0" packetData="no"
varEnum="31" misc="<017>'interface=eth2" user="NULL" app="NULL" uri="NULL"]
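The following Python script is an added example, not part of the original page and not Juniper code. It parses records in the syslog format shown above into field dictionaries, and then uses them to illustrate three points made earlier on this page: the timeGen/timeRecv comparison that the NTP synchronization note implies, the IDP OS 5.1 rule that close actions degrade to drop on UDP and ICMP, and log suppression, which collapses entries with the same properties into one row with a count. The sample input is the record from this page plus two constructed copies with a few fields changed. The set of fields used as the suppression key, the helper names, and the extra `_source`, `count` and `lastSeen` keys are this example's own choices; the product's actual suppression key and action labels are not stated on this page, so the action names are taken from the descriptive wording in Table 2.

```python
import re
from datetime import datetime

# Constructed sample input: the record from this page, plus two copies with a
# few fields changed so that suppression has something to collapse.
PAGE_RECORD = (
    '[syslog@juniper.net dayId="20061012" recordId="0" timeRecv="2006/10/12 21:52:21" '
    'timeGen="2006/10/12 21:52:21" domain="" devDomVer2="0" device_ip="10.209.83.4" '
    'cat="Predefined" attack="TROJAN:SUBSEVEN:SCAN" srcZn="NULL" srcIntf="NULL" '
    'srcAddr="192.168.170.20" srcPort="63396" natSrcAddr="NULL" natSrcPort="0" '
    'dstZn="NULL" dstIntf="NULL" dstAddr="192.168.170.10" dstPort="27374" '
    'natDstAddr="NULL" natDstPort="0" protocol="TCP" ruleDomain="" ruleVer="5" '
    'policy="Policy2" rulebase="IDS" ruleNo="4" action="NONE" severity="LOW" alert="no" '
    'elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" '
    'totPak="0" repCount="0" packetData="no" varEnum="31" misc="<017>\'interface=eth2" '
    'user="NULL" app="NULL" uri="NULL"]'
)
# Same flow, new source port and later generation time: suppression should merge it.
SECOND_HIT = (PAGE_RECORD.replace('recordId="0"', 'recordId="1"')
              .replace('timeGen="2006/10/12 21:52:21"', 'timeGen="2006/10/12 21:52:25"')
              .replace('srcPort="63396"', 'srcPort="63397"'))
# Different protocol and destination port: a distinct event, not suppressed.
UDP_HIT = (PAGE_RECORD.replace('recordId="0"', 'recordId="2"')
           .replace('protocol="TCP"', 'protocol="UDP"')
           .replace('dstPort="27374"', 'dstPort="27444"'))
SAMPLE_RECORDS = [PAGE_RECORD, SECOND_HIT, UDP_HIT]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')  # assumes values never contain a double quote
TS_FMT = "%Y/%m/%d %H:%M:%S"               # timestamp layout used by timeGen/timeRecv


def parse_record(line):
    """Turn one bracketed key="value" record into a dict. The leading
    syslog@juniper.net token is kept under the hypothetical key '_source'."""
    line = line.strip()
    if not (line.startswith("[") and line.endswith("]")):
        raise ValueError("not a bracketed IDP syslog record")
    source, _, body = line[1:-1].partition(" ")
    fields = dict(FIELD_RE.findall(body))
    fields["_source"] = source
    return fields


def field(rec, name):
    """Return a field value, mapping the device's 'NULL' and '' placeholders to None."""
    v = rec.get(name)
    return None if v in (None, "", "NULL") else v


def generation_delay_seconds(rec):
    """timeRecv minus timeGen. A negative or implausibly large value usually means
    the device and the management station are not synced to the same NTP server."""
    gen = datetime.strptime(rec["timeGen"], TS_FMT)
    recv = datetime.strptime(rec["timeRecv"], TS_FMT)
    return (recv - gen).total_seconds()


CLOSE_ACTIONS = {"close client", "close server", "close client and server"}


def logged_action(configured_action, protocol):
    """Action the device actually takes (and, from IDP OS 5.1 on, logs) for a rule's
    configured action: close actions need a TCP session, so on UDP/ICMP they become drop."""
    action = configured_action.strip().lower()
    if protocol.strip().upper() in ("UDP", "ICMP") and action in CLOSE_ACTIONS:
        return "drop"
    return action


# Hypothetical choice of "same properties"; the product's own suppression key is not stated here.
SUPPRESSION_KEY = ("device_ip", "attack", "srcAddr", "dstAddr", "dstPort",
                   "protocol", "policy", "ruleNo")


def suppress(records, key_fields=SUPPRESSION_KEY):
    """Collapse records sharing key_fields into the first one seen plus 'count' and
    'lastSeen' fields, the way the NSM Log Viewer shows one row with a count."""
    merged = {}
    for rec in records:
        key = tuple(rec.get(k) for k in key_fields)
        if key in merged:
            merged[key]["count"] += 1
            merged[key]["lastSeen"] = rec.get("timeGen")
        else:
            first = dict(rec)
            first["count"] = 1
            first["lastSeen"] = rec.get("timeGen")
            merged[key] = first
    return list(merged.values())


if __name__ == "__main__":
    for row in suppress(parse_record(r) for r in SAMPLE_RECORDS):
        print(row["attack"], row["protocol"], row["dstPort"], "count=", row["count"],
              "delay=", generation_delay_seconds(row), "srcZn=", field(row, "srcZn"))
```

The parser deliberately keeps every value as the string the device sent (including the product's own misspelled `elaspedTime` field name), so the `field()` helper is where `NULL` and empty placeholders are normalized; a collector that converts `srcPort` or `totBytes` to integers should do so only after that step.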