Forwarding Syslogs

This section describes how to forward syslogs with packet captures (PCAP) from an SRX device to JSA. PCAPs are sent over UDP. In this example, port 5 is used; any port can be used, but the same port must be configured on both the SRX and JSA.

To forward syslogs with PCAP from SRX to JSA:

  1. To enable packet capture and logging on the IDP policy level, run the following commands:

    set security idp idp-policy Test rulebase-ips rule 1 then notification log-attacks
    set security idp idp-policy Test rulebase-ips rule 1 then notification packet-log pre-attack 10
    set security idp idp-policy Test rulebase-ips rule 1 then notification packet-log post-attack 3
    set security idp idp-policy Test rulebase-ips rule 1 then notification packet-log post-attack-timeout 60

    Note:

    You must also configure the match conditions and the action for the rule.

  2. To enable packet capture on the IDP sensor level:

    set security idp sensor-configuration packet-log total-memory 5
    set security idp sensor-configuration packet-log max-sessions 15
    set security idp sensor-configuration packet-log source-address 10.0.0.1
    set security idp sensor-configuration packet-log host 10.0.0.2
    set security idp sensor-configuration packet-log host port 5

    Note:

    When the packet capture object is prepared, the SRX transmits the packet captures from source IP 10.0.0.1 to port 5 on device 10.0.0.2 (JSA). If the log source (SRX) IP address differs from the source address configured here, JSA will not recognize the log source and will not display the log with its PCAP in the WebUI. The PCAP is still stored on JSA under the directory /store/pcap/.

    The IDP option must be enabled in the firewall policy to send the traffic to the IDP module.

  3. Add the log source in the JSA:
    1. Navigate to path: Admin > Data Source > Events > Log Sources.

    2. Select Log Source Type > Juniper SRX-series Services Gateway.

    3. Select Protocol Configuration > PCAP Syslog Combination.

    4. Select Incoming Port > 5 (Configured on SRX: set security idp sensor-configuration packet-log host port 5).

      Note:

      You must also configure the remaining log source information, such as the log source name, IP address, and so on.

  4. Verify the configuration on the SRX:
    • Run the following command to verify packet capture configuration on the IDP sensor level:

    • Run the following command to verify packet capture and logging configuration on the IDP policy level:

      Note:

      Other parameters such as attacks, source-address, and destination-address are for reference only.

  5. Verify the configuration on the JSA:
    1. Navigate to the path: Admin > Data Source > Events > Log Sources.

    2. Verify the information below:

      • Log Source Status > Success.

      • Protocol > PCAPSyslog.

      • Log Source Type > Juniper SRX-series Services Gateway.

      • Enabled > True.

  6. To display the PCAP data column on the JSA, see section Displaying the PCAP Data Column.
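The following script is an added example, not part of the Juniper documentation: it parses the set commands from steps 1 and 2 and checks them against the JSA log source settings from step 3, flagging the mismatches (source address, JSA host, port, protocol, missing packet-log action) that stop PCAPs from being displayed. SRX_CONFIG is a constructed copy of the commands above, and JSA_LOG_SOURCE is a hypothetical dictionary standing in for the fields entered in the JSA WebUI, not a real JSA API object.

```python
# Constructed sample: the set commands from steps 1 and 2 of this procedure.
SRX_CONFIG = """
set security idp idp-policy Test rulebase-ips rule 1 then notification log-attacks
set security idp idp-policy Test rulebase-ips rule 1 then notification packet-log pre-attack 10
set security idp idp-policy Test rulebase-ips rule 1 then notification packet-log post-attack 3
set security idp idp-policy Test rulebase-ips rule 1 then notification packet-log post-attack-timeout 60
set security idp sensor-configuration packet-log total-memory 5
set security idp sensor-configuration packet-log max-sessions 15
set security idp sensor-configuration packet-log source-address 10.0.0.1
set security idp sensor-configuration packet-log host 10.0.0.2
set security idp sensor-configuration packet-log host port 5
"""

# Hypothetical representation of the JSA log source entered in step 3 (constructed).
JSA_LOG_SOURCE = {
    "log_source_identifier": "10.0.0.1",   # must equal packet-log source-address
    "protocol": "PCAP Syslog Combination",
    "incoming_port": 5,                     # must equal packet-log host port
    "jsa_address": "10.0.0.2",              # must equal packet-log host
}

SENSOR_PREFIX = "set security idp sensor-configuration packet-log "


def parse_sensor_packet_log(config_text):
    """Map each sensor-level packet-log setting to its value, e.g. {'host port': '5'}."""
    settings = {}
    for line in (l.strip() for l in config_text.splitlines()):
        if line.startswith(SENSOR_PREFIX):
            tokens = line[len(SENSOR_PREFIX):].split()
            settings[" ".join(tokens[:-1])] = tokens[-1]   # key may be multi-word ('host port')
    return settings


def policy_has_packet_logging(config_text, policy):
    """True if the named IDP policy has both log-attacks and a packet-log notification."""
    prefix = f"set security idp idp-policy {policy} "
    notif = [l.strip() for l in config_text.splitlines()
             if l.strip().startswith(prefix) and " then notification " in l]
    return any(l.endswith("log-attacks") for l in notif) and any(" packet-log " in l for l in notif)


def check_pcap_forwarding(config_text, log_source, policy="Test"):
    """Return a list of findings; an empty list means the SRX and JSA settings agree."""
    s = parse_sensor_packet_log(config_text)
    findings = []
    if s.get("source-address") != log_source["log_source_identifier"]:
        findings.append("packet-log source-address does not match the JSA log source identifier")
    if s.get("host") != log_source["jsa_address"]:
        findings.append("packet-log host is not the JSA address")
    if int(s.get("host port", -1)) != log_source["incoming_port"]:
        findings.append("packet-log host port does not match the JSA incoming port")
    if log_source["protocol"] != "PCAP Syslog Combination":
        findings.append("JSA protocol configuration is not PCAP Syslog Combination")
    if not policy_has_packet_logging(config_text, policy):
        findings.append(f"IDP policy {policy} lacks log-attacks or packet-log notification")
    return findings
```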