Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Log Messages for SRX Series Chassis Clusters

    Sessions and Packet Flows Overview

    You can obtain information about the sessions and packet flows active on your device, including detailed information about specific sessions. (The SRX Series device also displays information about failed sessions.) You can display this information to observe activity and for debugging purposes.

    For example, use the show security flow session command to:

    • Display a list of incoming and outgoing IP flows, including services.
    • Show the security attributes associated with a flow, for example, the policies that apply to traffic belonging to that flow.
    • Display the session timeout value, when the session became active, how long it has been active, and if there is active traffic on the session.

    For detailed information about this command, see the Junos OS CLI Reference.

    Session information can also be logged if a related policy configuration includes the logging option. Session logging infrastructure logs the session log messages when a session is created, closed, denied, or rejected. In the SRX3000 and SRX5000 lines, the log messages are streamed directly to an external syslog server/repository, bypassing the Routing Engine. The SRX Series devices support both traditional and structured syslog. The SRX3000 and SRX5000 lines support 1000 log messages per second, and the management station must be equipped to handle this volume. See the Junos OS Security Configuration Guide for configuration examples and details about these logs. The logs are available through the management interface of both the primary and secondary nodes. Ensure that the external server receiving these log messages is reachable by both nodes.

    The high-end SRX Series devices have a distributed processing architecture that processes traffic as well as generates log messages. In the SRX Series devices, the firewall processes the traffic sessions on each of the SPUs in the chassis. After each session is created, it is processed by the same SPU in the chassis, which is also the SPU that generates the log message.

    The standard method of generating log messages is to have each SPU generate the message as a UDP syslog message and send it directly out the data plane to the syslog server. The SRX Series devices can log extremely high rates of traffic. They can log up to 750 MB per second of log messages, which surpasses the limits of the control plane. Therefore, we do not recommended logging messages to the control plane, except under certain circumstances.

    For SRX Series branch devices running Junos OS Release 9.6 and later and high-end SRX Series devices running Junos OS Release 10.0 and later, the devices can log messages to the control plane at a limited maximum rate (1000 log messages per second) rather than logging to the data plane. If the log messages are sent through the data plane using syslog, a syslog collector—such as the Juniper Security Threat Response Manager (STRM)—must be used to collect the logs for viewing, reporting, and alerting. In SRX Series branch devices running Junos OS Release 9.6 and later and high-end SRX Series devices running Junos OS Release 10.0 and later, the devices can only send log messages to the data plane or the control plane, but not to both at the same time.

    Configuring High-End SRX Series Device Logging

    1. Configure the logging format.

      There are two supported formats for system log messages: structured and standard. Structured syslog is generally preferred because it prepends the fields with a title. For instance, the source-IP address field is source-address="10.102.110.52" rather than just the IP address 10.102.110.52. In the following command, the format sd-syslog option configures structured syslog, whereas the format syslog option configures standard syslog.

      user@host# set security log format sd-syslog

    2. Configure the syslog source address.

      The syslog source address can be any arbitrary IP address. It does not have to be an IP address that is assigned to the device. Rather, this IP address is used on the syslog collector to identify the syslog source. The best practice is to configure the source address as the IP address of the interface that the traffic is sent out on.

      user@host# set security log source-address ip-address

    3. Configure the system log stream.

      The system log stream identifies the destination IP address that the syslog messages are sent to. On the high-end SRX Series devices running Junos OS Release 9.5 and later, up to two syslog streams can be defined (all messages are sent to the syslog streams). Note that you must give a name to the stream. This name is arbitrary, but it is a best practice to use the name of the syslog collector for easy identification in the configuration.

      You can also define the UDP port to which the log messages are sent. By default, log messages are sent to UDP port 1514.

      To configure the system log server IP address:

      user@host# set security log stream name host ip-address

      To configure the system log server IP address and specify the UDP port number:

      user@host# set security log stream name host ip-address port port

    Configuring High-End SRX Series Device Data Plane Logging to the Control Plane

    If the management station cannot receive log messages from the data plane, then configure it to send messages through the management connection. If you log to the control plane, the SRX Series devices can also send these syslog messages out the fxp0 interface. If event logging is configured, all log messages from the data plane go to the control plane.

    1. Configure event logging.

      user@host# set security log mode event

    2. Rate-limit the event log messages.

      It might be necessary to rate-limit the event log messages from the data plane to the control plane due to limited resources on the control plane to process high volumes of log messages. This is especially applicable if the control plane is busy processing dynamic routing protocols such as BGP or large-scale routing implementations. The following command rate-limits the log messages so that they do not overwhelm the control plane. Log messages that are rate-limited are discarded. A best practice for high-end SRX Series devices is to log no more than 1000 log messages per second to the control plane.

      user@host# set security log mode event event-rate logs per second

    Configuring SRX Series Branch Devices to Send Traffic Log Messages Through the Data Plane

    The SRX Series branch device traffic log messages can be sent through the data plane security logs in stream mode. Note that this is possible only using stream mode. The following is a sample configuration and log output.

    Configuration

    set security log mode stream
    set security log format sd-syslog
    set security log source-address 10.204.225.164
    set security log stream vmware-server severity debug
    set security log stream vmware-server host 10.204.225.218

    Sample Log Message Output

    Sep 06 16:54:22 10.204.225.164 1 2010-09-06T04:24:22.094 nsm-vidar-a RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.39 reason="TCP FIN" source-address="1.1.1.2" source-port="62736" destination-address="2.1.1.1" destination-port="23" service-name="junos-telnet" nat-source-address="1.1.1.2" nat-source-port="62736" nat-destination-address="2.1.1.1" nat-destination-port="23" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="6" policy-name="trust-untrust" source-zone-name="trust" destination-zone-name="untrust" session-id-32="206" packets-from-client="64" bytes-from-client="3525" packets-from-server="55" bytes-from-server="3146" elapsed-time="21"]

    Sep 06 16:54:26 10.204.225.164 1 2010-09-06T04:24:26.095 nsm-vidar-a RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.39 source-address="1.1.1.2" source-port="49780" destination-address="2.1.1.1" destination-port="23" service-name="junos-telnet" nat-source-address="1.1.1.2" nat-source-port="49780" nat-destination-address="2.1.1.1" nat-destination-port="23" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="6" policy-name="trust-untrust" source-zone-name="trust" destination-zone-name="untrust" session-id-32="208"]

    Sep 06 16:54:34 10.204.225.164 1 2010-09-06T04:24:34.098 nsm-vidar-a RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.39 reason="TCP FIN" source-address="1.1.1.2" source-port="49780" destination-address="2.1.1.1" destination-port="23" service-name="junos-telnet" nat-source-address="1.1.1.2" nat-source-port="49780" nat-destination-address="2.1.1.1" nat-destination-port="23" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="6" policy-name="trust-untrust" source-zone-name="trust" destination-zone-name="untrust" session-id-32="208" packets-from-client="37" bytes-from-client="2094" packets-from-server="30" bytes-from-server="1822" elapsed-time="6"]

    In this case, the SRX Series device traffic log messages are sent to an external syslog server through the dataplane. This ensures that the Routing Engine is not a bottleneck for logging. It also ensures that the Routing Engine does not get impacted during excessive logging. In addition to traffic log messages, the control plane and the log messages sent to the Routing Engine are written to a file in flash memory. The following is a sample configuration to enable this type of logging.

    Configuration

    Syslog (self logs)—This configuration can be customized as per required self logging.

    set system syslog file messages any notice
    set system syslog file messages authorization info
    set system syslog file messages kernel info

    Traffic logs ( using dataplane)

    set security log mode stream
    set security log format sd-syslog
    set security log source-address 10.204.225.164
    set security log stream vmware-server severity debug
    set security log stream vmware-server host 10.204.225.218

    In this case both the traffic log messages and log messages sent to the Routing Engine are sent to a syslog server. The following is a sample configuration to enable this type of logging.

    Configuration

    Syslog (syslog server)

    set system syslog host 10.204.225.218 any notice
    set system syslog host 10.204.225.218 authorization info
    set system syslog host 10.204.225.218 kernel info

    Traffic logs

    set security log mode stream
    set security log format sd-syslog
    set security log source-address 10.204.225.164
    set security log stream vmware-server severity debug
    set security log stream vmware-server host 10.204.225.218

    Configuring Control Plane Logs

    The SRX Series device control plane is responsible for overall control of the SRX Series platform, along with running a number of software processes to perform tasks such as routing protocol operations, routing table calculations, managing administrators, managing SNMP, authentication, and many other mission-critical functions. There are a wide range of log messages that are generated on the control plane, and the control plane offers granular support for defining what log messages should be written to both files as well as sent to syslog servers. This topic provides an overview of how to configure various syslog options on the control plane. Only sending log messages through syslog services is covered in this section.

    1. Configure the syslog server and selected log messages.

      To configure the syslog server to receive log messages from the SRX Series device, define which syslog hosts receive the streams along with which facilities and severities to send. Note that multiple facilities and priorities can be configured to send multiple log message types. To send all message types, specify the any option for the facility and severity.

      user@host# set system syslog host syslog server facility severity

    2. Configure the syslog source IP address.

      The source IP address of the syslog stream is needed because the SRX Series device can send the syslog message with any address. The same IP address should be used regardless of which interface is selected.

      user@host# set system syslog host syslog server source-address source-address

    3. (Optional) Configure regular expression matching.

      Sometimes an administrator might want to filter the log messages that are sent to the syslog server. Log filtering can be specified with the match statement. In this example, only logs defined in the match statement regular expression (IDP) are sent to the syslog server.

      user@host# set system syslog host syslog server facility severity match IDP

    Configuring SRX Series Branch Devices for Logging

    You can configure the SRX Series device to send only traffic logs to the syslog server using the control plane.

    In this configuration:

    • No security logs are configured.
    • No control plane logs are received.

    Use the match statement regular expression to send traffic log messages only. These log messages are sent directly to the syslog server without writing them to flash memory. This configuration does not send log messages normally sent to the Routing Engine to the syslog server. However, it is possible to create a separate file and write control plane log messages to a file on the Routing Engine as shown.

    Configuration

    set system syslog host 10.204.225.218 any any
    set system syslog host 10.204.225.218 match RT_FLOW_SESSION
    set system syslog file messages any any

    Sample log messages:

    Sep 06 15:22:29 10.204.225.164 Sep 6 02:52:30 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 1.1.1.2/54164->2.1.1.1/23 junos-telnet 1.1.1.2/54164->2.1.1.1/23 None None 6 trust-untrust trust untrust 192
    Sep 06 15:22:43 10.204.225.220 Sep 6 02:52:30 last message repeated 10 times
    Sep 06 15:23:49 10.204.225.164 Sep 6 02:53:49 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 1.1.1.2/54164->2.1.1.1/23 junos-telnet 1.1.1.2/54164->2.1.1.1/23 None None 6 trust-untrust trust untrust 192 60(3307) 46(2784) 79

    The following configuration sends both traffic and control log messages to the syslog server, but might overwhelm the syslog server and cause cluster instability. We do not recommend using this configuration.

    Configuration

    set system syslog host 10.204.225.218 any any
    set system syslog file messages any any

    Security log event mode is the default mode on SRX Series branch devices, and it is not advisable for these devices. We recommend changing the default behavior.

    Note: Extensive logging on local flash can have an undesired impact on the device such as instability on the control plane.

    Sending Data Plane Log Messages with an IP Address in the Same Subnet as the fxp0 Interface

    You might want to deploy fault management and performance management applications and systems such as Juniper Networks Security Threat Response Manager (STRM). STRM collects log messages through the management network and is connected through the fxp0 interface. The fault management and performance management applications manage the SRX Series device through the fxp0 interface, but the SRX Series device also needs to send the data plane log messages to STRM on the same network. For instance, if the rate of log messages is going to be greater than 1000 log messages per second, then logging to the control plane is not supported. The issue is that two interfaces in the same virtual router cannot be in the same subnet, and the fxp0 interface cannot be moved to any virtual router other than inet.0.

    To work around these issues, place a data plane interface in a virtual router other than the default virtual router inet.0, and place a route in the inet.0 routing table to route traffic to STRM through that virtual router. The following configuration example shows how to do this.

    In this example:

    • fxp0 has an IP address of 172.19.200.164/24.
    • Application A (AppA) has an IP address of 172.19.200.175.
    • STRM has an IP address of 172.19.200.176.
    • The ge-0/0/7 interface is a data plane interface, with an IP address of 172.19.200.177/24 (which is in the same subnet as the fxp0 interface).

    To configure this example, include the following statements:

    set interfaces fxp0 unit 0 family inet address 172.19.200.164/24set system syslog host 172.19.200.176 any anyset system syslog host 172.19.200.176 source-address 172.19.200.177set interface ge-0/0/7 unit 0 family inet address 172.19.200.177/24set security log format sd-syslogset security log source-address 172.19.200.177set security log stream Log host 172.19.200.176set routing-instances Logging instance-type virtual-routerset routing-instances Logging interface ge-0/0/7.0set routing-options static route 172.19.200.176/32 next-table Logging.inet.0

    Note: AppA is now able to manage the ge-0/0/7 interface since AppA manages the device using the fxp0 interface in the default routing instance. To do this, AppA must use the Logging@<snmp-community-string-name> message format to access the ge-0/0/7 interface data using SNMP.

    Modified: 2015-11-30