Security logging is disabled

If you configure logging on SRX as below

[edit]
user@srx100-1# show security log
mode stream;
format sd-syslog;
source-address 192.168.3.1;
stream syslogsrv1 {
    severity info;
    format sd-syslog;
    host {
        192.168.103.20;
        port 514;
    }
}

and issue the command

user@srx100-1> show security log
Security logging is disabled

Don’t panic! this command doesn’t tell you that your data plane logging is disabled or not. This is actually a different thing. For example once you enable the log cache via the command
set security log cache” and commit, “show security log” will show you something about audit log but not policy logging.

user@srx100-1> show security log
Event time               Message
2013-04-16 19:36:31 CEST UI_CMDLINE_READ_LINE: User 'user', command 'exit '
2013-04-16 19:36:33 CEST UI_CMDLINE_READ_LINE: User 'user', command 'show security log

I just wanted to share this as it seems there is a confusion about the output of this command.

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


4 thoughts on “Security logging is disabled”

  1. Maybe it is not relevant for classic “Control plane” logging but it MUST be activated for “Data plane” logging. It helped me at least.

    Differences between both logging methosts:
    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16224

    My setup for Data plane logging:
    before (not working):
    show configuration | display set | match “security log”
    set security log mode stream
    set security log format sd-syslog
    set security log source-address 10.1.1.1
    set security log stream securitylog_10.1.1.10 severity info
    set security log stream securitylog_10.1.1.10 format syslog
    set security log stream securitylog_10.1.1.10 category all
    set security log stream securitylog_10.1.1.10 host 10.1.1.10
    set security log stream securitylog_10.1.1.10 host port 514
    deactivate security log

    Then commiting: activate security log

    After commit (working, sending logs):
    show configuration | display set | match “security log”
    set security log mode stream
    set security log format sd-syslog
    set security log source-address 10.1.1.1
    set security log stream securitylog_10.1.1.10 severity info
    set security log stream securitylog_10.1.1.10 format syslog
    set security log stream securitylog_10.1.1.10 category all
    set security log stream securitylog_10.1.1.10 host 10.1.1.10
    set security log stream securitylog_10.1.1.10 host port 514

    ..and it is now sending logs. (Of course do not forget to enable logging on policy 🙂 )

    Tom

You have a feedback?

Discover more from RtoDto.net

Subscribe now to keep reading and get access to the full archive.

Continue reading