Understanding System Logging for Security Devices
Junos OS supports configuring and monitoring system log messages (also called syslog messages). You can configure files to receive system messages and assign attributes, such as severity levels, to those messages. Reboot requests are recorded in the system log files, which you can view with the show log command.
Control Plane and Data Plane Logs
Junos OS generates separate log messages to record events that occur on the system’s control and data planes.
The control plane logs, also called system logs, include events that occur on the routing platform. The system sends control plane events to the eventd process on the Routing Engine, which then handles the events by using Junos OS policies, by generating system log messages, or both. You can choose to send control plane logs to a file, user terminal, routing platform console, or remote machine. To generate control plane logs, use the syslog statement at the [system] hierarchy level.
The data plane logs, also called security logs, primarily include security events that are handled inside the data plane. Security logs can be in text or binary format, and they can be saved locally (event mode) or sent to an external server (stream mode). Binary format is required for stream mode and recommended to conserve log space in event mode.
Note the following:
Security logs can be saved locally (on box) or externally (off box), but not both.
SRX1400, SRX1500, SRX3400, SRX3600, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, and SRX5800 devices default to stream mode. To specify binary format and an external server, see Configuring Off-Box Binary Security Log Files.
Logs might be dropped if you configure event mode logging on these devices.
Starting with Junos OS Release 15.1X49-D100, the default mode for the SRX1500 device is stream mode. Prior to Junos OS Release 15.1X49-D100, the default mode for the SRX1500 device was event mode.
Starting in Junos OS Release 19.3R1, SRX300, SRX320, SRX340, SRX345, SRX550, and SRX550M devices default to stream mode. Data plane events are written to system log files in a similar manner to control plane events. To specify binary format for the security logs, see Configuring Off-Box Binary Security Log Files.
Redundant System Log Server
Security system logging traffic intended for remote servers is sent through the network interface ports, which support two simultaneous system log destinations. Each system logging destination must be configured separately. When two system log destination addresses are configured, identical logs are sent to both destinations. While two destinations can be configured on any device that supports the feature, adding a second destination is primarily useful as a redundant backup for standalone and active/backup configured chassis cluster deployments.
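The following configuration is an added illustration of the two log types and the two-destination setup described above; it is not taken from Juniper documentation, and the interface address 192.0.2.1, the collector addresses 192.0.2.10 and 192.0.2.11, and the stream names are assumed values.

```junos
/* Control plane (system) logs, configured with the syslog statement at the
   [system] hierarchy: a local file plus one remote collector.
   All addresses below are assumed documentation-range values. */
system {
    syslog {
        file messages {
            any notice;
            authorization info;
        }
        host 192.0.2.10 {
            any notice;
        }
    }
}
/* Data plane (security) logs: stream mode with binary format, sent off box.
   Two stream destinations are defined so that identical security logs reach
   both collectors, giving a redundant backup if one collector is lost. */
security {
    log {
        mode stream;
        format binary;
        source-address 192.0.2.1;
        stream primary {
            format binary;
            host {
                192.0.2.10;
                port 514;
            }
        }
        stream backup {
            format binary;
            host {
                192.0.2.11;
                port 514;
            }
        }
    }
}
```

Because on-box and off-box security logging are mutually exclusive, moving this device to event mode means replacing the stream stanzas with a local file definition rather than keeping both.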
The following redundant server information is available:
cron (facility): cron scheduling process
debug (lowest severity level): software debugging messages