SRX standard and structured syslogging

SRX can send the logs in two formats standard and structured. If you haven’t made any extra config, what you see in the traffic logs is usually standard one. However structured one is easier to read and parse. Look, it is in the format field_name = field_value, so you can parse it or more friendly.

RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.39 source-address="10.1.1.1" source-port="57970" destination-address="10.2.2.2" destination-port="443"

but you don’t get this by default. I have put a sample config which can help you log syslog in structured format.
Apparently sd-syslog isn’t sufficient alone but stream is also needed.

[edit security log]
root@srx# show
mode stream;     <--- THIS IS NEEDED
format sd-syslog; <--- THIS IS NEEDED
source-address 10.8.8.1;
stream securitylog-splunk {
    category all;
    host {
        10.9.9.1;
        port 4044;
    }
}

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


One thought on “SRX standard and structured syslogging”

  1. Indeed – srx log format can be also defined differently per each stream. On the other hand I would advise not to use another possibility – binary format (I used it on srx high end devices for sending logs to qradar but since it has slightly changed after srx upgrade to latest jtac recommended version it gave me a lot of headaches and I switches back to plain old syslog…

    Thanks Rok

Leave a Reply to rk8Cancel reply

Discover more from RtoDto.net

Subscribe now to keep reading and get access to the full archive.

Continue reading