Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

IDP Event Logging

 

The basic Junos OS system logging continues to function after Intrusion Detection and Prevention (IDP) is enabled.

For more information, see the following topics:

Understanding IDP Logging

An IDP-enabled device continues to record events that occur because of routine operations, such as a user login into the configuration database. It records failure and error conditions, such as failure to access a configuration file. You can configure files to log system messages and also assign attributes, such as severity levels, to messages. In addition to the regular system log messages, IDP generates event logs for attacks.

IDP generates event logs when an event matches an IDP policy rule in which logging is enabled. When you configure a rule for logging, the device creates a log entry for each event that matches that rule. You can use the CLI or J-Web to configure the policy rules to generate event logs.

Note

In the IDP attack detection event log message (IDP_ATTACK_LOG_EVENT_LS), the time-elapsed, inbytes, outbytes, inpackets, and outpackets fields are not populated.

Because IDP event logs are generated during an attack, log generation happens in bursts, generating a much larger volume of messages during an attack. In comparison to other event messages, the message size is also much larger for attack generated messages. The log volume and message size are important concerns for log management. To better manage the volume of log messages, IDP supports log suppression.

By configuring log suppression you can suppress multiple instances of the same log occurring from the same or similar sessions over the same period of time. Enabling log suppression ensures that minimal numbers of logs are generated for the same event or attack that occurs multiple times.

Understanding IDP Log Suppression Attributes

Log suppression ensures that minimal numbers of logs are generated for the same event or attack that occurs multiple times. Log suppression is enabled by default. You can configure certain log suppression attributes to suppress logs according to your needs. When configuring log suppression, keep in mind that log suppression can negatively impact sensor performance if you set the reporting interval too high.

You can configure the following log suppression attributes:

  • Include destination addresses while performing log suppression—You can choose to combine log records for events with a matching source address. By default, the IDP sensor does not consider destination when matching events for log suppression.

  • Number of log occurrences after which log suppression begins—You can specify the number of instances that a specific event must occur before log suppression begins. By default, log suppression begins after the first occurrence.

  • Maximum number of logs that log suppression can operate on—When log suppression is enabled, Intrusion Detection and Prevention (IDP) must cache log records so that it can identify when multiple occurrences of the same event occur. You can specify how many log records are tracked simultaneously by IDP. By default, the maximum number of log records that IDP can operate on is 16,384.

  • Time after which suppressed logs are reported—When log suppression is enabled, IDP maintains a count of occurrences of the same event. After the specified number of seconds have passed, IDP writes a single log entry containing the count of occurrences. By default, IDP reports suppressed logs after 5 seconds.

Configuring IDP Log Suppression Attributes

Log suppression ensures that minimal numbers of logs are generated for the same event or attack that occurs multiple times. Log suppression is enabled by default. You can configure certain log suppression attributes to suppress logs according to your needs.

Before you begin:

To configure log suppression attributes:

  1. Specify the log number after which you want to start log suppression.
  2. Specify the maximum time after which suppressed logs are reported.
  3. If you are done configuring the device, commit the configuration.

To verify log statistics, enter the show security idp counters log command.

Understanding IDP Log Information Usage on the IC Series UAC Appliance

The IC Series UAC Appliance for the Unified Access Control (UAC) appliance can use Intrusion Detection and Prevention (IDP) attack log information sent from the Juniper Networks device to apply access policies for traffic in which IDP logs indicate an attack has been detected. Using a secure channel of communication, these IDP logs are sent to the IC Series appliance directly and securely. IDP attack logs are sent to the IC Series appliance through the JUEP communication channel.

This topic contains the following sections:

Message Filtering to the IC Series UAC Appliance

When you configure the IC Series UAC Appliance to receive IDP log messages, you set certain filtering parameters on the IC Series appliance. Without this filtering, the IC Series appliance could potentially receive too many log messages. The filtering parameters could include the following:

  • The IC Series appliance should only receive communications from IDP for sessions it has authenticated. See the Unified Access Control Administration Guide for details.

  • You can create IC Series appliance filters for receiving IDP logs files based on the their severity. For example, if on the IC Series appliance the severity is set to high, then IDP only sends logs which have a severity greater than or equal to high. See the Unified Access Control Administration Guide for details.

  • From the IC Series appliance, you can disable the receiving of all IDP logs. See the Unified Access Control Administration Guide for details.

Configuring IC Series UAC Appliance Logging

All the configuration for receiving and filtering IDP logs is done on the IC Series UAC Appliance. You should refer to the Unified Access Control Administration Guide for configuration information for receiving IDP logs and details on the JUEP communication channel.

IDP Alarms and Auditing

By default, IDP logs the occurrence of an event without raising an alarm to the administrator. When the system is configured to log an event and the potential-violation option is set, IDP logs on the Packet Forwarding Engine are forwarded to Routing Engine. The Routing Engine then parses the IDP attack logs and raises IDP alarms as necessary.

  • To enable an IDP alarm, use the set security alarms potential-violation idp command.

  • To verify that the configuration is working properly, use the show security alarms command.

Note

In releases before Junos OS Release 11.2, IDP attack logs contain information about an attack event but do not raise alarms to the administrator.