Verifying the Syslog Messages from an SRX Series Device
Before you begin, you need the following:
- The IP address and port on which the JIMS syslog server listens.
- JIMS configured to collect syslog data whenever it detects a logon event, a logoff event, or a change in value (a modify event) from the remote server session.
- An SRX Series device that receives identity information from JIMS.
To verify that JIMS receives syslog messages from a remote syslog client over a UDP or TCP connection, and that the SRX Series device acts on them, check the authentication table on the SRX Series device after each message type is sent.
JIMS parses three types of syslog messages: logon, logoff, and modify.
- Verify that the syslog message is parsed as a logon message. If it is, JIMS sends a logon entry to the SRX Series device, which you can confirm by checking the user firewall authentication entry generated on the SRX Series device:

  user@host> show services user-identification authentication-table ip-address 192.0.2.10

  The SRX Series device displays output similar to the following:

  Logical System: root-logical-system
  Domain: win2012.test.com
  Source-ip: 192.0.2.10
  Username: ad-user1
  Groups:posture-healthy, users, domain users, ad-group1
  State: Valid
  Source: JIMS - Active Directory
  Access start date: 2018-10-26
  Access start time: 16:26:57
  Last updated timestamp: 2018-10-26 08:21:29
  Age time: 60

  The entry must show the expected username for the source IP address, State: Valid, and Source: JIMS, which confirms that the entry came from JIMS rather than from another authentication source.
- If the syslog message is parsed as a logoff message, the corresponding authentication entry is deleted from the SRX Series device; the same command for that IP address should no longer return an entry.
- If the syslog message is parsed as a modify message, the corresponding authentication entry on the SRX Series device is updated with the changed values; compare the entry before and after the message to confirm that the fields (and the Last updated timestamp) changed.
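The three checks above, as an added example that is not part of the original page or of Juniper's software: a Python script that parses captured output of show services user-identification authentication-table (the capture itself, for example over SSH, is outside this snippet) and applies the logon, logoff, and modify checks. The field labels are the ones shown in the output above. The post-logon sample is the entry quoted on this page; the post-logoff and post-modify samples are constructed assumptions, because the page does not show them.

```python
import re
from typing import Dict, List, Optional, Tuple

# Field labels as printed by "show services user-identification
# authentication-table", in display order (taken from the output on this page).
FIELDS = [
    "Logical System", "Domain", "Source-ip", "Username", "Groups", "State",
    "Source", "Access start date", "Access start time",
    "Last updated timestamp", "Age time",
]
# A label counts only when followed by a colon, so "Source-ip:" and "Source:"
# are told apart and a value such as "domain users" is never taken as a label.
LABEL_RE = re.compile(r"(" + "|".join(re.escape(f) for f in FIELDS) + r"):\s*")

# Constructed sample: the logon entry shown on this page, one field per line.
SAMPLE_LOGON_OUTPUT = """\
Logical System: root-logical-system
Domain: win2012.test.com
Source-ip: 192.0.2.10
Username: ad-user1
Groups:posture-healthy, users, domain users, ad-group1
State: Valid
Source: JIMS - Active Directory
Access start date: 2018-10-26
Access start time: 16:26:57
Last updated timestamp: 2018-10-26 08:21:29
Age time: 60
"""

# Constructed assumption for the modify case: the modify message swapped
# ad-group1 for ad-group2 and the entry's timestamp moved on.
SAMPLE_AFTER_MODIFY = (SAMPLE_LOGON_OUTPUT
                       .replace("ad-group1", "ad-group2")
                       .replace("08:21:29", "08:25:03"))

# Constructed assumption for the logoff case: 192.0.2.10 is gone and only
# another host's entry remains in the table.
SAMPLE_AFTER_LOGOFF = (SAMPLE_LOGON_OUTPUT
                       .replace("192.0.2.10", "192.0.2.11")
                       .replace("ad-user1", "ad-user2"))

Entry = Dict[str, object]


def parse_auth_table(text: str) -> List[Entry]:
    """Split CLI output into entries (one per 'Logical System:' block) and each
    entry into label -> value. Accepts the one-field-per-line form and the
    flattened single-line form; values are stripped, Groups becomes a list."""
    entries: List[Entry] = []
    for chunk in re.split(r"(?=Logical System:)", text):
        if not chunk.strip():
            continue
        tokens = LABEL_RE.split(chunk)
        # tokens[0] is whatever precedes the first label; then label/value pairs.
        labels, values = tokens[1::2], tokens[2::2]
        entry: Entry = {label: value.strip() for label, value in zip(labels, values)}
        if "Groups" in entry:
            entry["Groups"] = [g.strip() for g in str(entry["Groups"]).split(",") if g.strip()]
        entries.append(entry)
    return entries


def find_entry(entries: List[Entry], ip: str) -> Optional[Entry]:
    return next((e for e in entries if e.get("Source-ip") == ip), None)


def verify_logon(output: str, ip: str, username: str,
                 required_groups: Tuple[str, ...] = ()) -> bool:
    """Logon check: an entry for ip exists, names the expected user, is Valid,
    was learned from JIMS, and carries every required group."""
    entry = find_entry(parse_auth_table(output), ip)
    if entry is None:
        return False
    return (entry.get("Username") == username
            and entry.get("State") == "Valid"
            and str(entry.get("Source", "")).startswith("JIMS")
            and set(required_groups) <= set(entry.get("Groups", [])))


def verify_logoff(output: str, ip: str) -> bool:
    """Logoff check: no entry remains for ip."""
    return find_entry(parse_auth_table(output), ip) is None


def changed_fields(before: str, after: str, ip: str) -> Dict[str, Tuple[object, object]]:
    """Modify check: which fields of ip's entry differ between two captures."""
    old = find_entry(parse_auth_table(before), ip) or {}
    new = find_entry(parse_auth_table(after), ip) or {}
    return {k: (old.get(k), new.get(k))
            for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}


if __name__ == "__main__":
    print("logon :", verify_logon(SAMPLE_LOGON_OUTPUT, "192.0.2.10", "ad-user1", ("ad-group1",)))
    print("logoff:", verify_logoff(SAMPLE_AFTER_LOGOFF, "192.0.2.10"))
    print("modify:", changed_fields(SAMPLE_LOGON_OUTPUT, SAMPLE_AFTER_MODIFY, "192.0.2.10"))
```

Checking Source against JIMS matters in practice: an entry for the same IP address can also come from another source, so a Valid entry alone does not prove the syslog path works. Comparing two captures for the modify case catches the situation where JIMS parsed the message but the SRX Series device never updated the entry.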