Modifying the Security Logging Configuration for Security Devices

You can use the Security Logging section on the Modify Configuration page to view and modify the parameters related to security logging on the device.

Note

Refer to the Junos OS documentation (available at http://www.juniper.net/documentation/en_US/release-independent/junos/information-products/pathway-pages/junos/product/) for a particular release and device. There you can find detailed information on the configuration parameters for that device.

To modify the security logging parameters:

  1. Select Devices > Security Devices.

    The Security Devices page appears.

  2. Select the devices whose configuration you want to modify.
  3. From the More or right-click menu, select Configuration > Modify Configuration.

    The Modify Configuration page appears.

  4. Click the Security Logging link in the left-navigation menu.

    The Security Logging section on the Modify Configuration page is displayed.

  5. Modify the configuration according to the guidelines provided in Table 1.
  6. After modifying the configuration, you can cancel the changes, save the changes, preview the changes, or save the changes and deploy the configuration on the device. See Modifying the Configuration of Security Devices.

Table 1: Security Logging Settings

Setting

Guideline

General Settings

Mode

Select how security logs are processed and exported:

  • Stream—Specify that security logs are processed directly in the forwarding plane.

  • Event—Specify that security logs are processed directly in the control plane.

Source Type

Select the source type as Address or Interface.

Source Address/Source Interface

If the Source Type is Address, specify the IPv4 or IPv6 address to be used as the source address when exporting security logs.

If the Source Type is Interface, specify the interface to be used as the source interface when exporting security logs.

Format

Specify the security log format for the device:

  • Syslog—Unstructured Junos OS system logs.

  • Sd-syslog—Structured Junos OS system logs.

  • Binary—Non-ASCII (binary) Junos OS system logs.

Disable Logging

Select this check box to disable security logging for the device. This check box is cleared by default.

UTC Timestamp

Select this check box to include the UTC timestamp in the security logs. This check box is cleared by default.

Event Rate

For the event mode, specify the rate (in logs per second) at which event logs are processed by the control plane.

Range: 1 through 1500.

Stream

The existing stream configuration entries are displayed in a table. You can do the following:

  • Create a stream configuration–Click the + icon to create a stream configuration.

    The Create Stream Configuration page appears. Complete the configuration according to the guidelines provided in Table 2 and click OK.

    The stream configuration is created and you are returned to the Security Logging page.

  • Modify a stream configuration–Select a stream configuration and click the pencil icon.

    The Edit Stream configuration page appears, showing the same fields that are presented when you create a stream configuration. You can modify some of the fields on this page. Refer to Table 2 for an explanation of the fields.

    After you have modified the stream configuration, click OK. The changes are saved and you are returned to the Security Logging page.

  • Delete stream configurations–Select one or more stream configurations and click the X icon to delete the stream configurations.

    The Warning page appears. Click Yes to confirm the deletion. The selected stream configurations are deleted.

File

File Name

Specify the filename for the binary log file.

File Path

Specify the file path for the binary log file.

File Size

Specify the maximum size (in MB) of the binary log file.

Range: 1 through 10.

Maximum No. of Files

Specify the maximum number of binary log files.

Range: 2 through 10.

Cache

Limit

Specify the maximum number of security log entries to keep in memory. The range is 1 through 4,294,967,295 and the default is 1000.

Exclude

The existing exclude configuration entries are displayed in a table. An exclude configuration is a list of auditable events that can be excluded from the audit log. You can do the following:

  • Create an exclude configuration–Click the + icon to create an exclude configuration.

    The Create Exclude Configuration page appears. Complete the configuration according to the guidelines provided in Table 3 and click OK.

    The exclude configuration is created and you are returned to the Security Logging page.

  • Modify an exclude configuration–Select an exclude configuration and click the pencil icon.

    The Edit Exclude Configuration page appears, showing the same fields that are presented when you create an exclude configuration. You can modify some of the fields on this page. Refer to Table 3 for an explanation of the fields.

    After you have modified the exclude configuration, click OK.

    The changes are saved and you are returned to the Security Logging page.

  • Delete exclude configurations–Select one or more exclude configurations and click the X icon to delete the exclude configurations.

    The Warning page appears. Click Yes to confirm the deletion. The selected exclude configurations are deleted.

Table 2: Create Stream Configuration Settings

Setting

Guideline

Name

Enter the name of the security log stream. The name is a string of alphanumeric characters that may also contain the special characters underscore (_) and period (.).

Host

Specify the IPv4 or IPv6 address of the server to which the security logs will be streamed.

Port

Enter the port number for the system log listening port.

The range is 0 through 65,535 and the default is 514.

Severity

Select the severity threshold for security logs.

Only the logs with the specified severity threshold are logged.

Category

Select the category of events to be logged.

Format

Specify the format of the security log for the device:

  • Syslog–Unstructured Junos OS system logs.

  • Sd-syslog–Structured Junos OS system logs.

  • welf–Web Trends Extended Log Format.

Table 3: Create Exclude Configuration Settings

Setting

Guideline

Name

Specify the name of the exclude configuration.

Destination Filters

IP Address

Specify the destination IPv4 or IPv6 address from which security alarms are not included in the audit log.

Port

Specify the destination port number from which security alarms are not included in the audit log.

The range is 0 through 4,294,967,295.

Source Filters

IP Address

Specify the source IPv4 or IPv6 address from which security alarms are not included in the audit log.

Port

Specify the source port number from which security alarms are not included in the audit log.

The range is 0 through 4,294,967,295.

Other Filters

Event ID

Enter the event ID of the security event.

The audit log does not include security alarms for the specified event ID.

Failure

Select this check box to restrict the logging only to failed events. By default, this check box is cleared, which means failed and successful events are logged.

Interface

Enter the name of the interface from which security alarms are not included in the security log.

Policy Name

Enter the name of the security policy for which security alarms are not included in the security log.

Process

Enter the name of the process that generates the events for which security alarms are not included in the security log.

Protocol

Enter the name of the protocol for which security alarms are not included in the security log.

Success

Select this check box to restrict the logging only to successful events. By default, this check box is cleared, which means failed and successful events are logged.

Username

Enter the username of the authenticated user whose security alarms are not included in the security log.
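As an added example (not part of this documentation page or of Security Director itself), the following Python helper maps the fields described in Tables 1 through 3 onto the Junos `set security log` statements that correspond to them, rejecting any value outside the ranges the tables give before anything is emitted. The mapping of field names to CLI keywords, the defaults, and the sample addresses are assumptions of the example.

```python
import re

# Ranges taken from the Security Logging tables above; the CLI keyword mapping
# below is an assumption of this example, not something the page states.
RANGES = {
    "event_rate": (1, 1500),        # Event Rate (logs per second, event mode only)
    "file_size": (1, 10),           # File Size (MB)
    "max_files": (2, 10),           # Maximum No. of Files
    "port": (0, 65535),             # Stream port
    "cache_limit": (1, 4294967295), # Cache Limit
}
STREAM_NAME = re.compile(r"^[A-Za-z0-9_.]+$")   # alphanumerics plus "_" and "."

def check(field, value):
    """Reject a value outside the range the configuration page allows."""
    lo, hi = RANGES[field]
    if not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"{field}={value!r} outside {lo}..{hi}")
    return value

def build_security_log(mode, source_address, fmt, streams=(), event_rate=None,
                       utc_timestamp=False, log_file=None, cache_limit=None):
    """Return the list of set commands for one device's security logging."""
    if mode not in ("stream", "event"):
        raise ValueError("mode must be 'stream' (forwarding plane) or 'event' (control plane)")
    if event_rate is not None and mode != "event":
        raise ValueError("Event Rate applies only to event mode")
    cmds = [f"set security log mode {mode}",
            f"set security log source-address {source_address}",
            f"set security log format {fmt}"]
    if utc_timestamp:
        cmds.append("set security log utc-timestamp")
    if event_rate is not None:
        cmds.append(f"set security log event-rate {check('event_rate', event_rate)}")
    for s in streams:                     # one entry per row of the Stream table
        if not STREAM_NAME.match(s["name"]):
            raise ValueError(f"bad stream name {s['name']!r}")
        base = f"set security log stream {s['name']}"
        cmds.append(f"{base} host {s['host']} port {check('port', s.get('port', 514))}")
        cmds.append(f"{base} severity {s.get('severity', 'info')}")
        cmds.append(f"{base} category {s.get('category', 'all')}")
    if log_file:                          # binary log file kept on the device itself
        cmds.append(f"set security log file name {log_file['name']} path {log_file['path']} "
                    f"size {check('file_size', log_file['size'])} "
                    f"files {check('max_files', log_file['files'])}")
    if cache_limit is not None:
        cmds.append(f"set security log cache limit {check('cache_limit', cache_limit)}")
    return cmds
```

Calling `build_security_log("stream", "192.0.2.1", "sd-syslog", streams=[{"name": "collector1", "host": "192.0.2.10"}], utc_timestamp=True, cache_limit=1000)` with these constructed values yields the statements for a single sd-syslog stream to 192.0.2.10:514; a file size of 11 MB or an event rate in stream mode raises ValueError instead.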

After you’ve configured the security logs on the SRX Series devices, Security Director can receive those logs.

For adding Log Collector as a special node using Security Director Log Collector, click here.

For adding Log Collector as a special node using JSA Log Collector, click here.