Stream logging problems in SRX

There are two types of logging mechanisms in SRX: event and stream. Event logging isn't recommended
for sending traffic logs, as it can cause high CPU load on the routing engine. If you enable stream logging,
you should also pay attention to several things on branch SRX:

1)  Traffic logs can't be forwarded via the fxp0 interface, and local file logging stops.

2)  The route to your syslog server has to be present in the master routing instance. If it isn't,
you won't see any traffic logs on the syslog server.

3)  Make sure your syslog server doesn't drop the logs because of RPF (reverse path filtering).
In some setups, the syslog server may not expect traffic from your SRX over that interface, i.e.
it may not have a route back to the SRX source IP via the incoming interface, and the device may simply
drop the UDP datagrams.

I want to give an example of how to work around the issue I mentioned in problem 2.

There is a simple way to import the syslog route from a virtual router (VR), e.g. VR-A, into the master routing instance.

1) Create a policy statement that tells Junos what we want to import.
In this example, the route to our syslog server is 10.1.1.0/24.

root@SRX# show policy-options
policy-statement syslog-policy {
    term 10 {
        from {
            instance VR-A;
            route-filter 10.1.1.0/24 exact;
        }
        then accept;
    }
    then reject;
}

2) Import the instance that contains the syslog route.

root@SRX# show routing-options

instance-import syslog-policy;

After the import, the syslog server's route should be installed in inet.0 (verify with "show route 10.1.1.0/24 table inet.0").
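To make the policy semantics concrete, here is an added example (not Junos code and not from the original post) that models how an instance-import policy like syslog-policy decides which VR-A routes are copied into inet.0. It mirrors the post's policy and goes a little beyond it: it also shows the "orlonger", "longer" and "upto" match types and the Junos longest-match rule, under which only the longest route-filter prefix that contains a route is evaluated within a term. All VR-A routes except 10.1.1.0/24 are constructed sample data, and the route-filter semantics are modelled from Junos documentation rather than taken from the device.

```python
"""Model of how a Junos instance-import policy picks the routes that are
copied from a virtual router (here VR-A) into the master table inet.0.

Added example, not Junos code and not from the original post. The policy
mirrors the post's syslog-policy; the route-filter semantics follow Junos
documentation; all VR-A routes except 10.1.1.0/24 are constructed samples.
"""
from ipaddress import ip_network


def route_filter_matches(route, prefix, match_type, upto=None):
    """Evaluate one route-filter line against a route (both ip_network objects)."""
    if route.version != prefix.version or not route.subnet_of(prefix):
        return False                      # route must lie inside the filter prefix
    rl, pl = route.prefixlen, prefix.prefixlen
    if match_type == "exact":
        return rl == pl
    if match_type == "orlonger":
        return rl >= pl
    if match_type == "longer":
        return rl > pl
    if match_type == "upto":
        return pl <= rl <= upto
    raise ValueError(f"unsupported match type: {match_type}")


def term_matches(term, route, instance):
    """A term matches when its 'from instance' and its route-filters both agree."""
    if term.get("instance") not in (None, instance):
        return False
    filters = term.get("route_filters", [])
    if not filters:
        return True
    # Junos longest-match rule: of the filter prefixes that contain the route,
    # only the longest one is evaluated; its match type decides, even if a
    # shorter filter in the same term would have matched.
    containing = [f for f in filters
                  if route.version == f[0].version and route.subnet_of(f[0])]
    if not containing:
        return False
    best = max(containing, key=lambda f: f[0].prefixlen)
    return route_filter_matches(route, *best)


def evaluate_policy(policy, route, instance):
    """Walk the terms in order; fall through to the unconditional final action."""
    for term in policy["terms"]:
        if term_matches(term, route, instance):
            return term["action"]
    return policy["final_action"]


def import_routes(policy, tables):
    """Return {prefix: next-hop} for the routes the policy accepts into inet.0."""
    imported = {}
    for instance, routes in tables.items():
        for prefix, next_hop in routes.items():
            if evaluate_policy(policy, ip_network(prefix), instance) == "accept":
                imported[prefix] = f"{next_hop} (from {instance})"
    return imported


def make_policy(route_filters, instance="VR-A"):
    """Build a one-term policy shaped like the post's: accept matches, reject the rest."""
    return {
        "terms": [{"name": "10", "instance": instance,
                   "route_filters": [(ip_network(p), m, u) for p, m, u in route_filters],
                   "action": "accept"}],
        "final_action": "reject",
    }


# The post's policy: only the syslog route, matched exactly.
SYSLOG_POLICY = make_policy([("10.1.1.0/24", "exact", None)])

# Constructed sample content of VR-A.inet.0 (10.1.1.0/24 is the syslog route).
VR_A_ROUTES = {
    "10.1.1.0/24": "via ge-0/0/1.0",
    "10.1.1.0/25": "via ge-0/0/1.0",
    "10.1.0.0/16": "via ge-0/0/2.0",
    "192.0.2.0/24": "via ge-0/0/3.0",
}

if __name__ == "__main__":
    print("exact   :", import_routes(SYSLOG_POLICY, {"VR-A": VR_A_ROUTES}))
    wide = make_policy([("10.1.1.0/24", "orlonger", None)])
    print("orlonger:", import_routes(wide, {"VR-A": VR_A_ROUTES}))
    # Longest-match gotcha: the /24 exact entry shadows the /8 orlonger entry
    # for 10.1.1.0/25, so that route is not imported although /8 orlonger covers it.
    mixed = make_policy([("10.0.0.0/8", "orlonger", None), ("10.1.1.0/24", "exact", None)])
    print("mixed   :", import_routes(mixed, {"VR-A": VR_A_ROUTES}))
```

With the post's policy only 10.1.1.0/24 is imported; the "mixed" case is the one to remember when you later widen the policy, because adding a more specific route-filter to the same term can silently stop a broader entry from matching.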

PS: These are based on the tests I have made so far. I am not saying that they are 100% correct,
since sometimes I miss one configuration item and get a different result, after which I may
misinterpret my results.

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE

