Configuring On-Box Binary Security Log Files


SRX Series devices use two types of logs—system logs and security logs—to record system events. System logs record control plane events—for example, when an admin user logs in. Security logs, also known as traffic logs, record data plane events regarding specific traffic handling. For example, Junos OS generates a security log if a security policy denies certain traffic because of a policy violation. For more about system logs, see Junos OS System Log Overview. For more information about security logs, see Understanding System Logging for Security Devices.

You can collect and save both system and security logs in binary format either on-box (that is, stored locally on the SRX Series device) or off-box (streamed to a remote device). Binary format stores log records more compactly than text and lowers the CPU cost of writing them; the trade-off is that binary files cannot be read with ordinary file commands and must be viewed with the CLI commands described at the end of this procedure.

You configure binary security log files with the log statement at the [edit security] hierarchy level.

On-box logging is also known as event-mode logging. For stream-mode, off-box security logging, see Configuring Off-Box Binary Security Log Files. When you configure security logs in binary format for event-mode logging, you can optionally define the log filename, file path, and other characteristics, as detailed in the following procedure:

  1. Specify the logging mode and format for on-box logging:
    Note

    If you configure system logging to send system logs to an external destination (that is, off-box or stream-mode), security logs are also sent to that destination even if you are using event-mode security logging. For more information about sending system logs to an external destination, see Examples: Configuring System Logging.

    Note

    Off-box and on-box security logging modes cannot be enabled simultaneously.

  2. (Optional) Define a name and path for the log file.
    Note

    By default, the bin_messages file is created in the /var/log directory.

  3. (Optional) Change the maximum size of the log file and the maximum number of log files that can be archived.
    Note

    By default, the maximum size of the log file is 3 MB, and a total of three log files can be archived.

    In the following sample commands, you set a value of 5 MB and 5 archived files, respectively:

  4. (Optional) Configure the hpl flag to enable diagnostic traces for the binary security log files. The smf_hpl prefix identifies all binary logging traces.
  5. Enable session-close logging on the default-permit security policy so that RT_FLOW traffic logs are generated when a session ends.
  6. (Optional) Enable session-init logging on the same policy so that RT_FLOW traffic logs are also generated when a session starts. Logging both ends of every session roughly doubles log volume, so size the file and archive limits from step 3 accordingly.

View the content of the event-mode log file stored on the device with the show security log file command, and clear the binary event-mode security log file with the clear security log file command.
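The whole procedure above collected into one loadable set of statements, as an added example that is not part of the original page. The zone names trust and untrust, the policy name default-permit, and the 5 MB / 5 files values are assumptions chosen for illustration; the file name bin_messages and path /var/log are the documented defaults and are shown only to make the settings explicit.

```junos
## Added example, not from the original page. Assumed values: zones trust/untrust,
## policy default-permit, size 5m, files 5. Load with "load set terminal" in
## configuration mode, then commit.

## Step 1: on-box (event-mode) logging in binary format.
## Do not combine this with "set security log mode stream"; the two modes
## cannot be enabled at the same time.
set security log mode event
set security log format binary

## Step 2 (optional): file name and directory. These are the defaults.
set security log file name bin_messages
set security log file path /var/log

## Step 3 (optional): raise the 3 MB / 3 files defaults to 5 MB / 5 archived files.
set security log file size 5m
set security log file files 5

## Step 4 (optional): diagnostic traces for binary logging (prefix smf_hpl).
set security log traceoptions flag hpl

## Step 5: RT_FLOW traffic logs when a session ends.
set security policies from-zone trust to-zone untrust policy default-permit then log session-close

## Step 6 (optional): RT_FLOW traffic logs when a session starts as well.
set security policies from-zone trust to-zone untrust policy default-permit then log session-init
```

After commit, generate some traffic that matches the policy and run show security log file in operational mode to confirm that RT_FLOW records are being written to the binary file; if the output is empty, check that no [edit system syslog] host statement is diverting the security logs off-box. Use clear security log file to empty the file again.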

Note

The show security log command displays event-mode security log messages if they are in a text-based format and the show security log file command displays event-mode security log messages if they are in binary format (on-box). Off-box binary logging is read by Juniper Secure Analytics (JSA).