Security Log for Tenant Systems
Security logs for tenant systems include security events to control system’s data planes. Security logs are sent in binary format to an external server from a tenant system interface. Security logs are generated per tenant system.
Understanding of Security Log for Tenant Systems
Junos OS generates separate log messages to record events that occur on the system’s control and data planes. The data plane logs, also called security logs, primarily include security events that are handled inside the data plane. Security logs can be in text or binary format and they can be saved locally (event mode) or sent to an external server (stream mode). The binary format is required for stream mode and recommended to conserve log space in event mode.
If you configure security logs per tenant, then security logs are generated per tenant.
Security logs for a tenant system are sent from a tenant system interface. You can configure the assigned routing instances and the interfaces that belong to the routing tables within a tenant system.
A security profile should be defined with the number of maximum and reserved policies when you configure the stream number for a tenant system. The primary administrator can use the security profiles to specify resource allocation.
If a tenant system requires more of a resource than its reserved amount allows, it can utilize resources configured for the global maximum amount if they are available and not allocated to other tenant systems. The maximum allowed quota for stream number specifies the portion of the free global resources that the tenant system can use. The maximum allowed quota does not ensure that the amount specified for the resource in the security profile is available. A reserved quota ensures that the resource amount specified is always available to the tenant system. Table 1 shows the comparison of logging stream number capacity.
Platform |
Logging Stream Number Capacity for Tenant System + Logical System |
Reserved Logging Stream Number Quota for Tenant System |
Maximum Allowed Stream Number Quota for Tenant System |
Maximum Allowed Stream Number Quota for Global |
SRX5400, SRX5600, and SRX5800 |
64 |
0 |
8 |
64 |
SRX4600 |
300 |
0 |
8 |
600 |
SRX4100 and 4200 |
200 |
0 |
8 |
400 |
SRX1500 |
50 |
0 |
8 |
100 |
If a device is configured for a tenant system, security logs generated within the context have the _LS suffix in the log name, which is the same as the logical system. The following security log shows the attributes of the RT_FLOW_SESSION_CLOSE_LS log for a device that is configured for a tenant system:
<14>1 2018-03-12T22:50:09.596Z user RT_FLOW_SESSION_CLOSE_LS [junos@2636.1.1.1.2.137 logical-system-name="TSYS1" reason="Some reason" source-address="192.0.2.1" source-port="7000" destination-address="198.51.100.2" destination-port="32768" connection-tag="0" service-name="Fake service" nat-source-address="192.0.2.1" nat-source-port="7000" nat-destination-address="198.51.10 0.2" nat-destination-port="32768" nat-connection-tag="0" src-nat-rule-type="Fake src nat rule" src-nat-rule-name="Fake src nat rule" dst-nat-rule-type="Fake dst nat rule" dst-nat-rule-name="Fake dst nat rule" protocol-id="17" policy-name="Fake policy" source-zone-name="Fake src zone" destination-zone-name="Fake dst zone" session-id-32="1" packets-from-client="4294967295" bytes-from-client="4294967293" packets-from-server="4294967294" bytes-from-server="4294967292" elapsed-time="4294967291" application="Fake application" nested-application="Fake nested application" username="Fake username" roles="Fake UAC roles" packet-incoming-interface="Fake packet incoming if" encrypted="Fake info telling if the traffic is encrypted" application-category="Fake application category" application-sub-category="Fake application subcategory" application-risk="-1"]
In the above example, security log includes TSYS1 as the first attribute.
Starting in Junos OS Release 19.1R1, on-box reporting configurations
are supported for each tenant system and logs are handled based on
these configurations. Configure the set security log report and set security log mode stream commands to enable the
on-box reporting. The on-box reporting feature with stream mode is
also supported on tenant systems.
You can view Syslog messages in the System Log Explorer.
Example: Configure Security Log for Tenant Systems
This example shows how to configure security logs for a tenant system.
Requirements
This example uses the following hardware and software components:
An SRX Series Firewall.
Junos OS Release 18.3R1 and later releases.
Before you begin:
Understand how to configure a tenant system with security profiles for the primary logical system and two tenant systems. See Figure 1
Overview
SRX Series Firewalls have two types of log: system logs and security logs. System logs record control plane events, for example, admin login to the device. Security logs, also known as traffic logs, record data plane events regarding specific traffic handling, for example when a security policy denies certain traffic due to some violation of the policy.
The two types of logs can be collected and saved either on-box or off-box. The procedure below explains how to configure security logs in binary format for off-box (stream-mode) logging.
For off-box logging, security logs for a tenant system are
sent from a tenant system interface. If the tenant system interface
is already configured in a routing instance, then configure routing-instance routing-instance-name at edit tenants tenant-name security log stream log-stream-name host hierarchy. If the interface is not configured in routing
instance, then no routing instance should be configured at set
tenants tenant-name security log stream log-stream-name host hierarchy.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set tenants TSYS1 security log mode stream set tenants TSYS1 security log stream TN1_s format binary host 1.3.54.22 set tenants TSYS1 security log source-address 2.3.45.66 set tenants TSYS1 security log transport protocol tls set tenants TSYS1 routing-instances TN1_ri instance-type virtual-router set tenants TSYS1 routing-instances TN1_ri interface ge-0/0/3 set tenants TSYS1 security log stream TN1_s host routing-instance TN1_ri set system security-profile p1 security-log-stream-number reserved 1 set system security-profile p1 security-log-stream-number maximum 2 set system security-profile p1 tenant TSYS1
Procedure
Step-by-Step Procedure
The following procedure specifies how to configure security logs for a tenant system.
Specify the logging mode and the format for the log file. For off-box, stream-mode logging.
[edit ] user@host# set tenants TSYS1 security log mode stream user@host# set tenants TSYS1 security log stream TN1_s format binary host 1.3.54.22
-
For off-box security logging, specify the source address, which identifies the SRX Series Firewall that generated the log messages. The source address is required.
[edit ] user@host# set tenants TSYS1 security log source-address 2.3.45.66
Specify the routing instance and define the interface.
[edit ] user@host# set tenants TSYS1 routing-instances TN1_ri instance-type virtual-router user@host# set tenants TSYS1 routing-instances TN1_ri interface ge-0/0/3
Define routing instance for a tenant system. If the interface is already configured in routing instance, then configure
routing-instance routing-instance-nameatedit tenants tenant-name security log stream log-stream-name hosthierarchy. If the interface is not configured in routing instance, then no routing instance should be configured atset tenants tenant-name security log stream log-stream-name hosthierarchy.[edit ] user@host# set tenants TSYS1 security log stream TN1_s host routing-instance TN1_ri
Specify the security log transport protocol for the device.
[edit ] user@host# set tenants TSYS1 security log transport protocol tls
Procedure
Step-by-Step Procedure
The following procedure specifies how to configure a security profile for a tenant system.
Configure a security profile and specify the number of maximum and reserved policies.
[edit ] user@host# set system security-profile p1 security-log-stream-number reserved 1 user@host# set system security-profile p1 security-log-stream-number maximum 2
Assign the configured security profile to TSYS1.
[edit ] user@host# set system security-profile p1 tenant TSYS1
Results
From configuration mode, confirm your configuration
by entering the show system security-profile, show
tenants TSYS1 security log, and show tenants TSYS1 routing-instances commands. If the output does not display the intended configuration,
repeat the configuration instructions in this example to correct it.
[edit]
user@host# show tenants TSYS1 security log
mode stream;
source-address 2.3.45.66;
transport {
protocol tls;
}
stream TN1_s {
format binary;
host {
1.3.54.22;
routing-instance TN1_ri;
}
}
[edit]
user@host# show tenants TSYS1 routing-instances
TN1_ri {
instance-type virtual-router;
interface ge-0/0/3.0;
}
[edit]
user@host# show system security-profile
p1 {
security-log-stream-number {
maximum 2;
reserved 1;
}
tenant TSYS1;
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Verifying Detailed Output for Security Log
Purpose
Verify that the output displays the resource information for all tenant systems.
Action
From operational mode, enter the show system security-profile
security-log-stream-number tenant all command.
logical-system tenant name security profile name usage reserved maximum root-logical-system Default-Profile 0 0 8 TSYS1 p1 1 1 2
Meaning
The output displays the resource information for tenant systems.
Understanding On-Box Reporting for Tenant Systems
Starting in Junos OS Release 19.1R1, on-box reporting configurations are supported for tenant systems and logs are handled based on these configurations.
Stream mode is a set of logging services that includes:
Off-box logging (SRX Series)
On-box logging and reporting (SRX1500, SRX4100, SRX4200, and SRX4600 Series)
Per tenant system configuration is supported for the off-box logging and logs are handled based on these configurations. The tenant system logs for off-box logging can only be generated from the tenant system interface.
On-box reporting mechanism is an enhancement to the existing logging functionality. The existing logging functionality is modified to collect system traffic logs, analyzes the logs, and generate reports of these logs. On-box reporting feature is intended to provide a simple and easy to use interface for viewing security logs.
Configure the set security log report and set
security log mode stream commands to enable the on-box reporting
feature on the device for tenant systems. The on-box reporting feature
with stream mode is also supported on tenant systems.
The on-box reporting feature supports:
Generating reports based on the requirements. For example: count or volume of the session, types of logs for activities such as IDP, Content Security, and IPsec VPN.
Capturing real-time events within a specified time range.
Capturing all the network activities in a logical, organized, and easy-to-understand format based on various CLI specified conditions.
Configuring On-Box Reporting for Tenant Systems
SRX Series Firewalls supports different types of reports for tenant system users.
Reports are stored locally on the SRX Series Firewall and there is no requirement for separate devices or tools for logs and reports storage. The on-box reports provides a simple and easy-to-use interface for viewing the security logs.
Before you begin:
Understand how to configure security log for tenant systems. See Example: Configure Security Log for Tenant Systems.
To configure on-box reporting for tenant system:
By default the report option is disabled.
Understanding On-Box and Off-Box Logging for Tenant System
SRX Series devices have two types of log: system logs and security logs. System logs record control plane events, for example admin login to the device. Security logs, also known as traffic logs, record data plane events regarding specific traffic handling, for example when a security policy denies certain traffic due to some violation of the policy.
Starting in Junos OS Release 19.2R1, on-box logging configurations are supported for each tenant system and logs are handled based on these configurations.
The two types of log can be collected and saved either on-box or off-box.
Stream mode is a set of logging services that includes:
Off-box logging (SRX Series)
On-box logging (SRX1500, SRX4100, SRX4200, and SRX4600 Series)
Per tenant system configuration is supported for the off-box logging and logs are handled based on these configurations. The tenant system logs for off-box logging can only be generated from the tenant system interface.
Configure the security files in binary/syslog/sd-syslog/welf format for stream-mode and binary format for event-mode by using
the log statement at the [set tenants TSYS1 security] hierarchy
level.
You cannot configure the security log file path for Tenant System.
For on-box logging with stream mode with binary format log,
the set security log stream stream-name file command is configured per tenant system. The file name must be end
with .bin. For example TSYS1_f1.bin in tenant
system TSYS1. A new file TSYS1_f1.bin is created in the /var/traffic-log/tenant-systems/TSYS1 directory.
For on-box logging with stream mode with other format logs,
the set security log stream stream-name file command is configured per tenant system. For example tenant system
TSYS1. A new file with the name configured is created in the /var/traffic-log/tenant-systems/TSYS1 directory.
Configuring On-Box Binary Security Log Files for Tenant System
SRX Series devices support two types of log: system logs and security logs.
The two types of log are collected and saved either on-box or off-box. The following procedure explains how to configure security logs in binary format for on-box (event-mode and stream-mode) logging for tenant system.
The following procedure specifies binary format for event-mode security logging, and defines the log filename, path, and log file characteristics for tenant system.
Specify the logging mode and the format for the log file. For on-box, event-mode logging:
[edit] user@host# set tenants TSYS1 security log mode event user@host# set tenants TSYS1 security log format binary
(Optional) Specify a log filename.
[edit] user@host# set tenants TSYS1 security log file name security-binary-log
Note:Security log filename is not mandatory. If security log filename is not configured, by default the file bin_messages is created in the /var/log directory.
Confirm your configuration by entering the
show tenants TSYS1command.[edit] user@host# show tenants TSYS1 security { log { mode event; format binary; file { name security-binary-log; } } }
The following procedure specifies binary format for stream-mode security logging, and defines the log filename and log file characteristics for tenant system.
Specify the logging mode and the format for the log file. For on-box, stream-mode logging:
[edit] user@host# set tenants TSYS1 security log mode stream user@host# set tenants TSYS1 security log stream s1 format binary
(Optional) Specify a log filename.
[edit] user@host# set tenants TSYS1 security log stream s1 file name f1.bin
Confirm your configuration by entering the
show tenants TSYS1command.[edit] user@host# show tenants TSYS1 security { log { mode stream; stream s1 { format binary; file { name f1.bin; } } } }
Configuring Off-Box Binary Security Log Files for Tenant System
SRX Series devices support two types of log: system logs and security logs.
The two types of log can be collected and saved either on-box or off-box. The procedure below explains how to configure security logs in binary format for off-box (stream-mode) logging.
The following procedure specifies binary format for stream-mode security logging, and defines the logging mode, source address, and host name characteristics for tenant system.
Specify the logging mode and the format for the log file. For off-box, stream-mode logging:
[edit] user@host# set tenants TSYS1 security log mode stream s1 format binary
Specify the source address for off-box security logging.
[edit] user@host# set tenants TSYS1 security log source-address 100.0.0.1
Specify the host name.
[edit] user@host# set tenants TSYS1 security log stream s1 host 100.0.0.2
Confirm your configuration by entering the
show tenants TSYS1command.[edit] user@host# show tenants TSYS1 security { log { mode stream; source-address 100.0.0.1; stream s1 { format binary; host { 100.0.0.2; } } } }