Configuring Off-Box Binary Security Log Files
SRX Series devices have two types of log: system logs and security logs. System logs record control plane events, for example admin login to the device. For more about system logs, please see Junos OS System Log Overview. Security logs, also known as traffic logs, record data plane events regarding specific traffic handling, for example when a security policy denies certain traffic due to some violation of the policy. For more information about security logs, please see Understanding System Logging for Security Devices.
The two types of log can be collected and saved either on-box or off-box. The procedure below explains how to configure security logs in binary format for off-box (stream-mode) logging.
You can configure security files in binary format using the log statement at the [security] hierarchy level.
The following procedure specifies binary format for stream-mode security logging, and defines the log filename, path, and log file characteristics. For event-mode, on-box security logging, please see Configuring On-Box Binary Security Log Files.
- Specify the logging mode and the format for the log file.
For off-box, stream-mode logging: set security log mode streamset security log stream test-stream format binary host 18.104.22.168
Off-box and on-box security logging modes cannot be enabled simultaneously.
- For off-box security logging, specify the source address,
which identifies the SRX Series device that generated the log messages.
The source address is required.set security log source-address 22.214.171.124
- Optionally, define a log filename and a path. By default,
the file bin_messages is created in the /var/log directory.set security log file name security-binary-logset security log file path security/log-folder
- Optionally, change the maximum size of the log file and the maximum number of log files that can be archived. By default the maximum size of the log file is 3 MB, and a total of three log files can be archived.
- Optionally, select the hpl flag to enable diagnostic traces
for binary logging. The prefix smf_hpl identifies all binary logging
traces.set security log traceoptions flag hpl
- View the content of the event-mode log file stored on the device using either Juniper Secure Analytics (JSA) or Security Threat Response Manager (STRM).