Configuring On-Box Binary Security Log Files
SRX Series devices use two types of logs—system logs and security logs—to record system events. System logs record control plane events—for example, when an admin user logs in. Security logs, also known as traffic logs, record data plane events regarding specific traffic handling. For example, Junos OS generates a security log if a security policy denies certain traffic because of a policy violation. For more about system logs, see Junos OS System Log Overview. For more information about security logs, see Understanding System Logging for Security Devices.
You can collect and save both system and security logs in binary format either on-box (that is, stored locally on the SRX Series device) or off-box (streamed to a remote device). Using binary format ensures that log files are efficiently stored, which in turn improves CPU utilization.
You can configure security log files in binary format using the log statement at the [edit security] hierarchy level.
On-box logging is also known as event-mode logging. For stream-mode, off-box security logging, see Configuring Off-Box Binary Security Log Files. When you configure security logs in binary format for event-mode logging, you can optionally define the log filename, file path, and other characteristics, as detailed in the following procedure:
- Specify the logging mode and format for on-box logging:
  [edit security]
  user@host# set log mode event
  user@host# set log format binary
If you configure system logging to send system logs to an external destination (that is, off-box or stream-mode), security logs are also sent to that destination even if you are using event-mode security logging. For more information about sending system logs to an external destination, see Examples: Configuring System Logging.
Off-box and on-box security logging modes cannot be enabled simultaneously.
- (Optional) Define a name and path for the log file. By default, the bin_messages file is created in the /var/log directory.
  [edit security]
  user@host# set log file name security-binary-log
  user@host# set log file path security/log-folder
- (Optional) Change the maximum size of the log file and the maximum number of log files that can be archived. By default, the maximum size of the log file is 3 MB, and a total of three log files can be archived. In the following sample commands, you set a value of 5 MB and 5 archived files, respectively:
- (Optional) Configure the hpl flag to enable diagnostic traces for the binary security log files. The smf_hpl prefix identifies all binary logging traces.
  [edit security]
  user@host# set log traceoptions flag hpl
- For the default-permit security policy, traffic logs for RT_FLOW are generated when a session ends.
  [edit security]
  user@host# set policies from-zone trust to-zone untrust policy default-permit then log session-close
- (Optional) Traffic logs for RT_FLOW are generated when a session starts.
  [edit security]
  user@host# set policies from-zone trust to-zone untrust policy default-permit then log session-init
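The procedure above, consolidated into the resulting [edit security] configuration in curly-brace form. This is an added example, not taken from the original page; the size and files statements and their 5m/5 values are assumptions (the page names only the 5 MB and 5-file targets), and the match terms of the existing default-permit policy are omitted.

```junos
/* Added example: on-box binary security logging as configured by the
   steps above. Statements marked "assumed" are not shown on the page. */
security {
    log {
        /* event mode = on-box; cannot be combined with stream mode */
        mode event;
        /* binary records are compact and cheaper on the CPU than text */
        format binary;
        file {
            /* default name is bin_messages, default path is /var/log */
            name security-binary-log;
            path security/log-folder;
            /* assumed: maximum file size before rotation (page target: 5 MB) */
            size 5m;
            /* assumed: number of archived copies kept (page target: 5) */
            files 5;
        }
        traceoptions {
            /* diagnostic traces for binary logging, prefixed smf_hpl */
            flag hpl;
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy default-permit {
                /* existing match terms of the policy go here */
                then {
                    log {
                        /* RT_FLOW record at session start (optional) */
                        session-init;
                        /* RT_FLOW record at session end */
                        session-close;
                    }
                }
            }
        }
    }
}
```

After commit, the binary records are read on the device with show security log file and cleared with clear security log file.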
View the content of the event-mode log file stored on the device using the show security log file command, and use the clear security log file command to clear the content of the binary event-mode security log file.
The show security log command displays event-mode security log messages if they are in a text-based format, and the show security log file command displays event-mode security log messages if they are in binary format (on-box). Off-box binary logging is read by Juniper Secure Analytics (JSA).