Sending IDP and traffic logs to a syslog server in SRX
If you want to forward your IDP and traffic session logs to a syslog server, here is how to do it:
1) First, inside the security policy, we tell the SRX that we want to log session initiations (add session-close as well if you also want the packet and byte counts that are only known at teardown), e.g.:
{primary:node0}[edit]
root@srx210-1# top show security policies
from-zone downlink to-zone wan {
    policy net-access {
        match {
            source-address net_210;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    idp;
                }
            }
            log {
                session-init;
            }
        }
    }
}
2) Then the syslog server configuration:
root@srx210-1# show system syslog
host 192.168.103.20 {
    any any;
    match "RT_IDP|RT_FLOW_SESSION";
    structured-data;
}
After this, session logs (RT_FLOW_SESSION_CREATE and, if you enabled it, RT_FLOW_SESSION_CLOSE) are sent to the syslog server 192.168.103.20. "any any" selects every facility and severity, "match" then keeps only the messages whose text matches the regular expression, and "structured-data" emits them in the IETF (RFC 5424) structured-data format, which is much easier to parse than the free-text form. One caveat: this works on a branch SRX such as the SRX210 because security logging is in event mode by default, so RT_FLOW messages pass through the Routing Engine syslog. On high-end SRX platforms the default is stream mode, where session logs are sent directly from the SPUs and never appear under "system syslog host"; there you either use "security log" stream settings or switch to "security log mode event".
As you can see, the regular expression also contains RT_IDP, which matches the IDP log messages. If you set the following configuration under the IDP rulebase (and the policy is the active IDP policy), you will also log IDP notifications for the matched attacks.
3) IDP notifications
{primary:node0}[edit]
root@srx210-1# show security idp idp-policy Recommended_1
rulebase-ips {
    rule 1 {
        match {
            source-address any;
            destination-address any;
            application default;
            attacks {
                predefined-attacks ICMP:INFO:ECHO-REQUEST;
            }
        }
        then {
            action {
                drop-packet;
            }
            notification {
                log-attacks;
            }
        }
    }
}
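To show what the three steps above actually deliver to 192.168.103.20, here is an added example (not part of the original post, and not Juniper code) that applies the same "RT_IDP|RT_FLOW_SESSION" match expression to a few syslog lines, parses the structured-data form that the "structured-data" knob produces, and counts sessions per policy and IDP attacks per signature. The sample lines are constructed, not captured from the SRX210 above; they follow the RFC 5424 layout with the junos@2636.* SD-ID, and the attribute names are the usual RT_FLOW and RT_IDP ones, but the exact set varies by Junos release, so treat them as an assumption.

```python
"""Filter and parse SRX structured-data syslog (RT_FLOW / RT_IDP) on the receiver side."""
import re
from collections import Counter

# Constructed sample lines (assumption: not a capture from srx210-1). Shape follows
# RFC 5424: <PRI>1 TIMESTAMP HOST APP PROCID MSGID [SD-ID param="value" ...]
SAMPLE_LINES = [
    '<14>1 2013-03-01T10:00:01.000Z srx210-1 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.36 source-address="192.168.210.10" source-port="51000" '
    'destination-address="203.0.113.5" destination-port="443" service-name="junos-https" '
    'protocol-id="6" policy-name="net-access" source-zone-name="downlink" '
    'destination-zone-name="wan" session-id-32="1001"]',
    '<14>1 2013-03-01T10:00:02.000Z srx210-1 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.36 source-address="192.168.210.11" source-port="40001" '
    'destination-address="203.0.113.9" destination-port="80" service-name="junos-http" '
    'protocol-id="6" policy-name="net-access" source-zone-name="downlink" '
    'destination-zone-name="wan" session-id-32="1002"]',
    '<12>1 2013-03-01T10:00:03.000Z srx210-1 RT_IDP - IDP_ATTACK_LOG_EVENT '
    '[junos@2636.1.1.1.2.36 message-type="SIG" source-address="192.168.210.10" '
    'destination-address="203.0.113.5" protocol-name="ICMP" rule-name="1" '
    'rulebase-name="IPS" policy-name="Recommended_1" action="DROP" '
    'attack-name="ICMP:INFO:ECHO-REQUEST" repeat-count="0"]',
    # A CLI audit message: "any any" selects it, but the match regex drops it.
    '<13>1 2013-03-01T10:00:04.000Z srx210-1 mgd 1234 UI_CMDLINE_READ_LINE '
    '[junos@2636.1.1.1.2.36 username="root" command="show system syslog "]',
]

# The same regular expression as the "match" statement in the syslog host stanza.
FORWARD_MATCH = re.compile(r"RT_IDP|RT_FLOW_SESSION")

# Header plus the single SD element Junos emits; params are parsed separately.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) \[(?P<sdid>[^ \]]+)(?P<params>[^\]]*)\]"
)
PARAM_RE = re.compile(r'(\S+?)="([^"]*)"')


def forwarded(lines):
    """Keep only the lines the host stanza's match regex would let leave the SRX."""
    return [line for line in lines if FORWARD_MATCH.search(line)]


def parse(line):
    """Return header fields and SD params as a dict, or None if the line is malformed."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("host", "app", "msgid", "sdid")}
    rec["severity"] = int(m.group("pri")) & 7  # low 3 bits of PRI
    rec["params"] = dict(PARAM_RE.findall(m.group("params")))
    return rec


def summarize(lines):
    """Count sessions per (from-zone, to-zone, policy) and IDP hits per attack."""
    sessions, attacks = Counter(), Counter()
    for rec in filter(None, map(parse, forwarded(lines))):
        p = rec["params"]
        if rec["msgid"] == "RT_FLOW_SESSION_CREATE":
            key = (p["source-zone-name"], p["destination-zone-name"], p["policy-name"])
            sessions[key] += 1
        elif rec["app"] == "RT_IDP":
            attacks[(p.get("attack-name"), p.get("action"), p.get("source-address"))] += 1
    return sessions, attacks


if __name__ == "__main__":
    sessions, attacks = summarize(SAMPLE_LINES)
    for key, n in sessions.items():
        print("sessions", key, n)
    for key, n in attacks.items():
        print("idp", key, n)
```

Run it as a script, or feed a real file from the syslog server into summarize() instead of SAMPLE_LINES. The mgd line is included deliberately: "any any" would select it, but the match expression discards it, which is exactly what keeps the receiver from being flooded with management noise while still carrying every RT_FLOW_SESSION_* and RT_IDP message.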