
Setting the System to Stream Security Logs

You can increase the number of data plane (security) logs the device sends by changing the way they are sent. When the logging mode is set to stream, security logs generated in the data plane are streamed directly out of a revenue traffic port to a remote server.

Note

If the forwarding table contains a route to the remote server, the logs are forwarded to the next hop, regardless of whether that next hop is reached through a physical or a logical interface.

To use the stream mode, enter the following commands:

where source-address is the IP address of the source machine; syslog, sd-syslog (structured system logging messages), and welf are the logging formats; all and content-security are the logging categories; and ipaddr is the IP address of the server to which the logs are streamed.

Note

WELF logs must be streamed through a revenue port because the eventd process does not recognize the WELF format. The category must be set to content-security. For example:

To send duplicate logs to a second remote server, repeat the command with a new ipaddr. If your deployment is an active/active chassis cluster, you can also configure security logging on the active node to be sent to separate remote servers to achieve logging redundancy.
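The stream-mode configuration the preceding paragraphs describe, as an added example (not a sample from this page or from Juniper): a primary and a duplicate collector for all categories, plus a WELF stream restricted to content-security. The addresses, stream names, and the source address are constructed placeholders.

```junos
# Added example, not from the original page. Addresses and stream names
# are placeholders; replace them with your own before committing.

# 1. Send data plane security logs in stream mode instead of event mode.
set security log mode stream

# 2. Source address stamped on the streamed packets; it should belong to
#    a revenue port that has a route to the collectors.
set security log source-address 192.0.2.10

# 3. Default format for streams that do not set their own.
set security log format sd-syslog

# 4. Primary collector: every security log category.
set security log stream siem-primary category all
set security log stream siem-primary host 198.51.100.20

# 5. Duplicate the same logs to a second collector (same stream settings,
#    new host address), giving logging redundancy.
set security log stream siem-secondary category all
set security log stream siem-secondary host 198.51.100.21

# 6. WELF stream: the format is not understood by eventd, so it must go
#    out a revenue port and the category must be content-security.
set security log stream welf-collector format welf
set security log stream welf-collector category content-security
set security log stream welf-collector host 203.0.113.5

# Review the resulting [edit security log] hierarchy and validate it
# before committing.
show security log
commit check
```

Each additional collector is simply another stream with its own host address; the per-host limit for stream mode depends on the Junos OS release, as described later on this page.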

When a server is unreachable, the SRX Series device tries to restore the connection, and Junos OS buffers the logs during this period.

Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, on SRX1500, SRX4100, and SRX4200 Series devices and vSRX instances, use the set security log stream stream_name command to configure the stream log file. On SRX300, SRX320, SRX340, and SRX345 Series devices, use the set security log stream stream_name host host_IP address command to configure the stream log file together with the source-address and source-interface attributes.

Example:

You can use the show security log command to verify the log configuration.

The following sample output provides the log configuration:

user@host# show security log

Starting from Junos OS Release 15.1X49-D120 and Junos OS Release 18.1R1, the maximum length of a syslog message in stream mode is increased from 1024 bytes to 1340 bytes.

Starting in Junos OS Release 17.4R2 and later, on SRX300, SRX320, SRX340, and SRX345 Series devices and vSRX instances, when the device is configured in stream mode you can configure a maximum of eight system log hosts.

In Junos OS Release 17.4R2 and earlier releases, you can configure only three system log hosts in stream mode. If you configure more than three system log hosts, the following error message is displayed: error: configuration check-out failed.

Release History Table

Release: 17.4R2
Description: Starting in Junos OS Release 17.4R2 and later, on SRX300, SRX320, SRX340, and SRX345 Series devices and vSRX instances, when the device is configured in stream mode you can configure a maximum of eight system log hosts. In Junos OS Release 17.4R2 and earlier releases, you can configure only three system log hosts in stream mode. If you configure more than three system log hosts, the following error message is displayed: error: configuration check-out failed.

Release: 15.1X49-D70, 17.3R1
Description: Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, on SRX1500, SRX4100, and SRX4200 Series devices and vSRX instances, use the set security log stream stream_name command to configure the stream log file. On SRX300, SRX320, SRX340, and SRX345 Series devices, use the set security log stream stream_name host host_IP address command to configure the stream log file together with the source-address and source-interface attributes.

Release: 15.1X49-D120, 18.1R1
Description: Starting from Junos OS Release 15.1X49-D120 and Junos OS Release 18.1R1, the maximum length of a syslog message in stream mode is increased from 1024 bytes to 1340 bytes.