Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Security Log for Tenant Systems

Security logs for tenant systems include security events to control system’s data planes. Security logs are sent in binary format to an external server from a tenant system interface. Security logs are generated per tenant system.

Understanding of Security Log for Tenant Systems

Junos OS generates separate log messages to record events that occur on the system’s control and data planes. The data plane logs, also called security logs, primarily include security events that are handled inside the data plane. Security logs can be in text or binary format and they can be saved locally (event mode) or sent to an external server (stream mode). The binary format is required for stream mode and recommended to conserve log space in event mode.

If you configure security logs per tenant, then security logs are generated per tenant.

Security logs for a tenant system are sent from a tenant system interface. You can configure the assigned routing instances and the interfaces that belong to the routing tables within a tenant system.

A security profile should be defined with the number of maximum and reserved policies when you configure the stream number for a tenant system. The primary administrator can use the security profiles to specify resource allocation.

If a tenant system requires more of a resource than its reserved amount allows, it can utilize resources configured for the global maximum amount if they are available and not allocated to other tenant systems. The maximum allowed quota for stream number specifies the portion of the free global resources that the tenant system can use. The maximum allowed quota does not ensure that the amount specified for the resource in the security profile is available. A reserved quota ensures that the resource amount specified is always available to the tenant system. Table 1 shows the comparison of logging stream number capacity.

Table 1: Comparison of Logging Stream Number

Platform

Logging Stream Number Capacity for Tenant System + Logical System

Reserved Logging Stream Number Quota for Tenant System

Maximum Allowed Stream Number Quota for Tenant System

Maximum Allowed Stream Number Quota for Global

SRX5400, SRX5600, and SRX5800

64

0

8

64

SRX4600

300

0

8

600

SRX4100 and 4200

200

0

8

400

SRX1500

50

0

8

100

If a device is configured for a tenant system, security logs generated within the context have the _LS suffix in the log name, which is the same as the logical system. The following security log shows the attributes of the RT_FLOW_SESSION_CLOSE_LS log for a device that is configured for a tenant system:

In the above example, security log includes TSYS1 as the first attribute.

Starting in Junos OS Release 19.1R1, on-box reporting configurations are supported for each tenant system and logs are handled based on these configurations. Configure the set security log report and set security log mode stream commands to enable the on-box reporting. The on-box reporting feature with stream mode is also supported on tenant systems.

You can view Syslog messages in the System Log Explorer.

Example: Configure Security Log for Tenant Systems

This example shows how to configure security logs for a tenant system.

Requirements

This example uses the following hardware and software components:

  • An SRX Series device.

  • Junos OS Release 18.3R1 and later releases.

Before you begin:

Overview

SRX Series devices have two types of log: system logs and security logs. System logs record control plane events, for example, admin login to the device. Security logs, also known as traffic logs, record data plane events regarding specific traffic handling, for example when a security policy denies certain traffic due to some violation of the policy.

The two types of logs can be collected and saved either on-box or off-box. The procedure below explains how to configure security logs in binary format for off-box (stream-mode) logging.

For off-box logging, security logs for a tenant system are sent from a tenant system interface. If the tenant system interface is already configured in a routing instance, then configure routing-instance routing-instance-name at edit tenants tenant-name security log stream log-stream-name host hierarchy. If the interface is not configured in routing instance, then no routing instance should be configured at set tenants tenant-name security log stream log-stream-name host hierarchy.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Procedure

Step-by-Step Procedure

The following procedure specifies how to configure security logs for a tenant system.

  1. Specify the logging mode and the format for the log file. For off-box, stream-mode logging.

  2. For off-box security logging, specify the source address, which identifies the SRX Series device that generated the log messages. The source address is required.

  3. Specify the routing instance and define the interface.

  4. Define routing instance for a tenant system. If the interface is already configured in routing instance, then configure routing-instance routing-instance-name at edit tenants tenant-name security log stream log-stream-name host hierarchy. If the interface is not configured in routing instance, then no routing instance should be configured at set tenants tenant-name security log stream log-stream-name host hierarchy.

  5. Specify the security log transport protocol for the device.

Procedure

Step-by-Step Procedure

The following procedure specifies how to configure a security profile for a tenant system.

  1. Configure a security profile and specify the number of maximum and reserved policies.

  2. Assign the configured security profile to TSYS1.

Results

From configuration mode, confirm your configuration by entering the show system security-profile, show tenants TSYS1 security log, and show tenants TSYS1 routing-instances commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Detailed Output for Security Log

Purpose

Verify that the output displays the resource information for all tenant systems.

Action

From operational mode, enter the show system security-profile security-log-stream-number tenant all command.

Meaning

The output displays the resource information for tenant systems.

Understanding On-Box Reporting for Tenant Systems

Starting in Junos OS Release 19.1R1, on-box reporting configurations are supported for tenant systems and logs are handled based on these configurations.

Stream mode is a set of logging services that includes:

  • Off-box logging (SRX Series)

  • On-box logging and reporting (SRX1500, SRX4100, SRX4200, and SRX4600 Series)

Per tenant system configuration is supported for the off-box logging and logs are handled based on these configurations. The tenant system logs for off-box logging can only be generated from the tenant system interface.

On-box reporting mechanism is an enhancement to the existing logging functionality. The existing logging functionality is modified to collect system traffic logs, analyzes the logs, and generate reports of these logs. On-box reporting feature is intended to provide a simple and easy to use interface for viewing security logs.

Configure the set security log report and set security log mode stream commands to enable the on-box reporting feature on the device for tenant systems. The on-box reporting feature with stream mode is also supported on tenant systems.

The on-box reporting feature supports:

  • Generating reports based on the requirements. For example: count or volume of the session, types of logs for activities such as IDP, UTM, and IPsec VPN.

  • Capturing real-time events within a specified time range.

  • Capturing all the network activities in a logical, organized, and easy-to-understand format based on various CLI specified conditions.

Configuring On-Box Reporting for Tenant Systems

SRX Series devices supports different types of reports for tenant system users.

Reports are stored locally on the SRX Series device and there is no requirement for separate devices or tools for logs and reports storage. The on-box reports provides a simple and easy-to-use interface for viewing the security logs.

Before you begin:

  • Understand how to configure security log for tenant systems. See Example: Configure Security Log for Tenant Systems.

To configure on-box reporting for tenant system:

  1. Define the tenant system name as TSYS1.
  2. Create report within security log per tenant system.
  3. Confirm your configuration by entering the show tenants TSYS1 command.
Note:

By default the report option is disabled.

Understanding On-Box and Off-Box Logging for Tenant System

SRX Series devices have two types of log: system logs and security logs. System logs record control plane events, for example admin login to the device. Security logs, also known as traffic logs, record data plane events regarding specific traffic handling, for example when a security policy denies certain traffic due to some violation of the policy.

Starting in Junos OS Release 19.2R1, on-box logging configurations are supported for each tenant system and logs are handled based on these configurations.

The two types of log can be collected and saved either on-box or off-box.

Stream mode is a set of logging services that includes:

  • Off-box logging (SRX Series)

  • On-box logging (SRX1500, SRX4100, SRX4200, and SRX4600 Series)

Per tenant system configuration is supported for the off-box logging and logs are handled based on these configurations. The tenant system logs for off-box logging can only be generated from the tenant system interface.

Configure the security files in binary/syslog/sd-syslog/welf format for stream-mode and binary format for event-mode by using the log statement at the [set tenants TSYS1 security] hierarchy level.

Note:

You cannot configure the security log file path for Tenant System.

For on-box logging with stream mode with binary format log, the set security log stream stream-name file command is configured per tenant system. The file name must be end with .bin. For example TSYS1_f1.bin in tenant system TSYS1. A new file TSYS1_f1.bin is created in the /var/traffic-log/tenant-systems/TSYS1 directory.

For on-box logging with stream mode with other format logs, the set security log stream stream-name file command is configured per tenant system. For example tenant system TSYS1. A new file with the name configured is created in the /var/traffic-log/tenant-systems/TSYS1 directory.

Configuring On-Box Binary Security Log Files for Tenant System

SRX Series devices support two types of log: system logs and security logs.

The two types of log are collected and saved either on-box or off-box. The following procedure explains how to configure security logs in binary format for on-box (event-mode and stream-mode) logging for tenant system.

The following procedure specifies binary format for event-mode security logging, and defines the log filename, path, and log file characteristics for tenant system.

  1. Specify the logging mode and the format for the log file. For on-box, event-mode logging:

  2. (Optional) Specify a log filename.

    Note:

    Security log filename is not mandatory. If security log filename is not configured, by default the file bin_messages is created in the /var/log directory.

  3. Confirm your configuration by entering the show tenants TSYS1 command.

The following procedure specifies binary format for stream-mode security logging, and defines the log filename and log file characteristics for tenant system.

  1. Specify the logging mode and the format for the log file. For on-box, stream-mode logging:

  2. (Optional) Specify a log filename.

  3. Confirm your configuration by entering the show tenants TSYS1 command.

Configuring Off-Box Binary Security Log Files for Tenant System

SRX Series devices support two types of log: system logs and security logs.

The two types of log can be collected and saved either on-box or off-box. The procedure below explains how to configure security logs in binary format for off-box (stream-mode) logging.

The following procedure specifies binary format for stream-mode security logging, and defines the logging mode, source address, and host name characteristics for tenant system.

  1. Specify the logging mode and the format for the log file. For off-box, stream-mode logging:

  2. Specify the source address for off-box security logging.

  3. Specify the host name.

  4. Confirm your configuration by entering the show tenants TSYS1 command.

Release History Table
Release
Description
19.2R1
Starting in Junos OS Release 19.2R1, on-box logging configurations are supported for each tenant system and logs are handled based on these configurations