Forwarding Syslogs
This section provides information on how to forward syslogs with packet logging (PCAP) from SRX to JSA. PCAPs are sent through UDP. In the example, port 5 is used. You can use any port but it must match in both the JSA and SRX configuration.
To forward syslogs with PCAP from SRX to JSA:
- To enable packet capture and logging on the IDP policy
level, run the following commands:
set security idp idp-policy Test rulebase-ips rule 1 then notification log-attacksset security idp idp-policy Test rulebase-ips rule 1 then notification packet-log pre-attack 10set security idp idp-policy Test rulebase-ips rule 1 then notification packet-log post-attack 3set security idp idp-policy Test rulebase-ips rule 1 then notification packet-log post-attack-timeout 60Note:You must configure match conditions and action.
- To enable packet capture on the IDP sensor level:
set security idp sensor-configuration packet-log total-memory 5set security idp sensor-configuration packet-log max-sessions 15set security idp sensor-configuration packet-log source-address 10.0.0.1set security idp sensor-configuration packet-log host 10.0.0.2set security idp sensor-configuration packet-log host port 5Note:When the packet capture object is prepared, SRX transmits the packet captures from IP 10.0.0.1 to port 5 to device 10.0.0.2 (JSA). If the log source (SRX) IP is different from the source address configured here, JSA will not recognize the log source and will not display the log with PCAP in the WebUI. However, the PCAP is stored on JSA under the directory /store/pcap/.
The IDP option must be enabled in the firewall policy to send the traffic to the IDP module.
- Add the log source in the JSA:
Navigate to path: Admin > Data Source > Events > Log Sources.
Select Log Source Type > Juniper SRX-series Services Gateway.
Select Protocol Configuration > PCAP Syslog Combination.
Select Incoming Port > 5 (Configured on SRX: set security idp sensor-configuration packet-log host port 5).
Note:You must configure other information such as, log source name, IP, and so on.
- Verify the configuration on the SRX:
Run the following command to verify packet capture configuration on the IDP sensor level:
root@SRX# show security idp sensor-configurationpacket-log { total-memory 5; max-sessions 15; source-address 10.0.0.1; host { 10.0.0.2; port 5; } }Run the following command to verify packet capture and logging configuration on the IDP policy level:
root@SRX# show security idp idp-policy LAB_Testrulebase-ips { rule 1 { match { source-address any; destination-address any; application default; attacks { predefined-attacks [ ICMP:INFO:ECHO-REQUEST ICMP:INFO:ECHO-REPLY ]; } } then { action { no-action; } notification { log-attacks; packet-log { pre-attack 10; post-attack 3; post-attack-timeout 60; } } } } }Note:Other parameters such as attacks, source-address, and destination-address are for reference only.
- Verify the configuration on the JSA:
Navigate to the path: Admin > Data Source > Events > Log Sources.
Verify the information below:
Log Source Status > Success.
Protocol > PCAPSyslog.
Log Source Type > Juniper SRX-series Services Gateway.
Enabled > True.
- To display the PCAP data column on the JSA, see section Displaying the PCAP Data Column.