System Logging of Events Generated for the Firewall Facility

System log messages generated for firewall filter actions belong to the firewall facility. As with any other Junos OS system logging facility, you can direct firewall facility syslog messages to one or more destinations: a specified file, the terminal session of one or more logged-in users (or of all users), the router (or switch) console, or a remote host or the other Routing Engine on the router (or switch).

To configure a destination for firewall facility syslog messages, include a statement for that destination at the [edit system syslog] hierarchy level, and under it specify the firewall facility name together with a severity level. Messages from the firewall facility rated at that severity or more severe are logged to the destination; messages below it are not.

System log messages with the DFWD_ prefix are generated by the firewall process (dfwd), which manages compilation and downloading of Junos OS firewall filters. System log messages with the PFE_FW_ prefix are messages about firewall filters, generated by the Packet Forwarding Engine controller, which manages packet forwarding functions. For more information, see the System Log Explorer.

Table 1 lists the system log destinations you can configure for the firewall facility.

Table 1: Syslog Message Destinations for the Firewall Facility

Destination: File

  Description: Writes the firewall syslog messages to a dedicated log file, so they can be kept separate from the main system log file. Note that a message is still delivered to every other configured destination whose facility and severity match it (for example, a file configured with the facility any), so restrict those destinations if you want firewall messages only in the dedicated file.

  To include priority and facility with messages written to the file, include the explicit-priority statement.

  To override the default standard message format, which is based on a UNIX system log format, include the structured-data statement. When the structured-data statement is included, other statements that specify the format for messages written to the file are ignored (the explicit-priority statement at the [edit system syslog file filename] hierarchy level and the time-format statement at the [edit system syslog] hierarchy level).

  Configuration statements under [edit system syslog]:

    file filename {
        firewall severity;
        allow-duplicates;
        archive archive-options;
        explicit-priority;
        structured-data;
    }
    allow-duplicates;        # at [edit system syslog]; applies to all destinations
    archive archive-options; # at [edit system syslog]; applies to all log files
    time-format (option);    # at [edit system syslog]; applies to all destinations

Destination: Terminal session

  Description: Causes a copy of the firewall syslog messages to be written to the specified terminal sessions. Specify one or more user names, or specify * for all logged-in users.

  Configuration statements under [edit system syslog]:

    user (username | *) {
        firewall severity;
    }
    time-format (option);    # at [edit system syslog]; applies to all destinations

Destination: Router (or switch) console

  Description: Causes a copy of the firewall syslog messages to be written to the router (or switch) console.

  Configuration statements under [edit system syslog]:

    console {
        firewall severity;
    }
    time-format (option);    # at [edit system syslog]; applies to all destinations

Destination: Remote host or the other Routing Engine

  Description: Causes a copy of the firewall syslog messages to be written to the specified remote host or to the other Routing Engine.

  To override the default alternative facility under which firewall syslog messages are forwarded to a remote machine (local3), include the facility-override firewall statement.

  To include priority and facility with messages forwarded to the remote host or the other Routing Engine, include the explicit-priority statement.

  Configuration statements under [edit system syslog]:

    host (hostname | other-routing-engine) {
        firewall severity;
        allow-duplicates;
        archive archive-options;
        facility-override firewall;
        explicit-priority;
    }
    allow-duplicates;        # at [edit system syslog]; applies to all destinations
    archive archive-options; # at [edit system syslog]; applies to all log files
    time-format (option);    # at [edit system syslog]; applies to all destinations
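The following is an added, complete example that is not part of the Junos OS documentation: one [edit system syslog] configuration that uses every destination type from Table 1 with a different severity threshold for each, plus the firewall filter term whose syslog action produces the messages in the first place. The file name firewall-actions, the filter name protect-re, the collector address 192.0.2.10 and source address 192.0.2.1, the severity choices, and the decision to forward under local0 rather than the default alternative facility local3 are all assumptions for illustration.

```junos
system {
    syslog {
        /* Everything from the firewall facility, at info and above, into its own
           file. structured-data gives a machine-parseable format; the page notes that
           explicit-priority and time-format are then ignored for this file, so they are
           left out here. Assumed name and archive sizing. */
        file firewall-actions {
            firewall info;
            structured-data;
            archive size 10m files 10 no-world-readable;
        }
        /* Warnings and above to a remote collector (assumed address). explicit-priority
           keeps the facility and severity in each line; facility-override local0 replaces
           the default alternative facility (local3) because the assumed collector keys its
           firewall pipeline on local0. */
        host 192.0.2.10 {
            firewall warning;
            explicit-priority;
            facility-override local0;
            source-address 192.0.2.1;
        }
        /* On a dual-Routing-Engine chassis, mirror error-and-above to the backup RE. */
        host other-routing-engine {
            firewall error;
        }
        /* Only critical firewall events to the console, and only emergencies to
           every logged-in user's terminal, so operators are not flooded. */
        console {
            firewall critical;
        }
        user * {
            firewall emergency;
        }
        /* Applies to all destinations except the structured-data file above. */
        time-format year millisecond;
    }
}
firewall {
    family inet {
        /* Assumed filter: the syslog action in a term is what generates firewall
           facility messages for matching packets. */
        filter protect-re {
            term log-and-drop-telnet {
                from {
                    protocol tcp;
                    destination-port 23;
                }
                then {
                    syslog;
                    discard;
                }
            }
            term accept-rest {
                then accept;
            }
        }
    }
}
```

The filter has to be applied to an interface (for example as an input filter on the loopback interface for Routing Engine protection) before it matches anything; that part of the configuration is outside the scope of this page. After committing, confirm with show log firewall-actions that messages are arriving in the structured-data format, and check the collector separately, since the file and the remote host are evaluated independently and a message can reach one and not the other depending on the severities chosen.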

By default, the timestamp recorded in a standard-format system log message specifies the month, date, hour, minute, and second when the message was logged, as in the example:

To include the year, the millisecond, or both in the timestamp of all system logging messages, regardless of facility, include one of the following statements at the [edit system syslog] hierarchy level:

  • time-format year;

  • time-format millisecond;

  • time-format year millisecond;

The following example illustrates the format for a timestamp that includes both the millisecond (401) and the year (2010):