
Monitoring Security Events by Policy


Purpose

Monitor security events by policy and display logged event details with the J-Web user interface.

Action

To monitor security events by policy:

  1. Select one of the following in the J-Web user interface:
    • If you are using SRX5400, SRX5600, or SRX5800 platforms, select Monitor>Events and Alarms>Security Events.

    • Select Monitor>Alarms>Policy Log.

    The View Policy Log pane appears. Table 1 describes the content of this pane.

    Table 1: View Policy Log Fields

    Field                  Value
    ---------------------  -------------------------------------------------------------
    Log file name          Name of the event log files to search.
    Policy name            Name of the policy of the events to be retrieved.
    Source address         Source address of the traffic that triggered the event.
    Destination address    Destination address of the traffic that triggered the event.
    Event type             Type of event that was triggered by the traffic.
    Application            Application of the traffic that triggered the event.
    Source port            Source port of the traffic that triggered the event.
    Destination port       Destination port of the traffic that triggered the event.
    Source zone            Source zone of the traffic that triggered the event.
    Destination zone       Destination zone of the traffic that triggered the event.
    Source NAT rule        Source NAT rule of the traffic that triggered the event.
    Destination NAT rule   Destination NAT rule of the traffic that triggered the event.
    Is global policy       Specifies that the policy is a global policy.

    If your device is not configured to store session log files locally, the Create log configuration button is displayed in the lower-right portion of the View Policy Log pane.

    • To store session log files locally, click Create log configuration.

    If session logs are being sent to an external log collector (stream mode has been configured for log files), a message appears indicating that event mode must be configured to view policy logs.

    Note

    Reverting to event mode will discontinue event logging to the external log collector.

    • To reset the mode option to event, enter the set security log command.

  2. Enter one or more search fields in the View Policy Log pane and click Search to display events matching your criteria.

    For example, enter the event type Session Close and the policy pol1 to display event details from all Session Close logs that contain the specified policy. To reduce search results further, add more criteria about the particular event or group of events that you want displayed.

    The Policy Events Detail pane displays information from each matching session log. Table 2 describes the contents of this pane.

Table 2: Policy Events Detail Fields

Field                    Value
-----------------------  -------------------------------------------------------------------
Timestamp                Time when the event occurred.
Policy name              Policy that triggered the event.
Record type              Type of event log providing the data.
Source IP/Port           Source address (and port, if applicable) of the event traffic.
Destination IP/Port      Destination address (and port, if applicable) of the event traffic.
Service name             Service name of the event traffic.
NAT source IP/Port       NAT source address (and port, if applicable) of the event traffic.
NAT destination IP/Port  NAT destination address (and port, if applicable) of the event traffic.
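The search in step 2 and the Table 2 fields, as an added Python example that is not part of the original documentation: it parses constructed session log lines in Junos structured-data syslog format (the RT_FLOW key names and the mapping from J-Web event-type labels to record types are assumptions) and applies the same policy-name and event-type filtering the View Policy Log pane performs, returning one Table 2 style row per matching session log.

```python
import re

# Constructed sample session logs (not from the page) in Junos structured-data syslog
# format; the key names are assumed to match the RT_FLOW structured-data element names.
SAMPLE_LOGS = [
    '<14>1 2024-03-01T10:00:01Z srx RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 '
    'source-address="10.1.1.10" source-port="41000" destination-address="192.0.2.20" '
    'destination-port="443" service-name="junos-https" nat-source-address="203.0.113.5" '
    'nat-source-port="2001" nat-destination-address="192.0.2.20" nat-destination-port="443" policy-name="pol1"]',
    '<14>1 2024-03-01T10:00:09Z srx RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 '
    'reason="TCP FIN" source-address="10.1.1.10" source-port="41000" destination-address="192.0.2.20" '
    'destination-port="443" service-name="junos-https" nat-source-address="203.0.113.5" '
    'nat-source-port="2001" nat-destination-address="192.0.2.20" nat-destination-port="443" policy-name="pol1"]',
    '<14>1 2024-03-01T10:00:12Z srx RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 '
    'reason="idle Timeout" source-address="10.1.1.11" source-port="53000" destination-address="192.0.2.53" '
    'destination-port="53" service-name="junos-dns-udp" nat-source-address="203.0.113.5" '
    'nat-source-port="2002" nat-destination-address="192.0.2.53" nat-destination-port="53" policy-name="pol2"]',
]
# J-Web event-type label -> syslog record type (assumed mapping).
EVENT_TYPES = {"Session Create": "RT_FLOW_SESSION_CREATE", "Session Close": "RT_FLOW_SESSION_CLOSE",
               "Session Deny": "RT_FLOW_SESSION_DENY"}
RECORD = re.compile(r"^(?:<\d+>\d+\s+)?(\S+)\s+\S+\s+RT_FLOW\s+-\s+(RT_FLOW_SESSION_\w+)\s+\[(.*)\]$")
SD_PAIR = re.compile(r'(\S+?)="([^"]*)"')  # one key="value" element of the structured data


def parse_record(line):
    """Split one syslog line into timestamp, record type and its structured-data fields."""
    m = RECORD.match(line)
    if not m:
        return None  # not a session log line; the search skips it
    return {"timestamp": m[1], "record_type": m[2], **dict(SD_PAIR.findall(m[3]))}


def ip_port(rec, prefix):
    # "address/port", or just the address when the record carries no port
    addr, port = rec.get(prefix + "-address", ""), rec.get(prefix + "-port")
    return f"{addr}/{port}" if port else addr


def search_policy_log(lines, policy_name=None, event_type=None, source_address=None, destination_address=None):
    """Apply the View Policy Log search criteria; every hit becomes a Table 2 style row."""
    criteria = {"policy-name": policy_name, "record_type": EVENT_TYPES[event_type] if event_type else None,
                "source-address": source_address, "destination-address": destination_address}
    rows = []
    for rec in filter(None, map(parse_record, lines)):
        if any(want and rec.get(key) != want for key, want in criteria.items()):
            continue  # a supplied criterion did not match this record
        rows.append({"Timestamp": rec["timestamp"], "Record type": rec["record_type"],
                     "Policy name": rec.get("policy-name"), "Service name": rec.get("service-name"),
                     "Source IP/Port": ip_port(rec, "source"), "Destination IP/Port": ip_port(rec, "destination"),
                     "NAT source IP/Port": ip_port(rec, "nat-source"),
                     "NAT destination IP/Port": ip_port(rec, "nat-destination")})
    return rows
```

Calling `search_policy_log(SAMPLE_LOGS, policy_name="pol1", event_type="Session Close")` reproduces the example from step 2 and yields the single Session Close record for pol1.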