Sending IDP and traffic logs to a syslog server in SRX

If you want to forward your IDP and traffic session logs from an SRX to a syslog server, here is how to do it. The example below is from an SRX210 chassis cluster (hence the {primary:node0} prompt), but the configuration is the same on a standalone box.

1) First, inside the security policy, enable logging of session initiations. The session-init keyword produces the RT_FLOW_SESSION_CREATE messages; add session-close as well if you also want the RT_FLOW_SESSION_CLOSE messages, which carry the byte and packet counts of the finished session. For example:

{primary:node0}[edit]
root@srx210-1# top show security policies
from-zone downlink to-zone wan {
    policy net-access {
        match {
            source-address net_210;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    idp;
                }
            }
            log {
                session-init;
            }
        }
    }
}

2) Then configure the syslog host under [edit system syslog]:

root@srx210-1# show system syslog
host 192.168.103.20 {
    any any;
    match "RT_IDP|RT_FLOW_SESSION";
    structured-data;
}

After this the traffic logs should reach the syslog server 192.168.103.20. The "any any" selector sends every facility and severity to that host, the match regular expression then keeps only messages containing RT_IDP or RT_FLOW_SESSION, and structured-data switches the output from the free-text default to the structured (RFC 5424 style) key="value" format, which is much easier to parse on the collector. Two caveats: the match string is a regular expression, so use a pipe-separated list exactly as shown if you add further message names; and this works as-is on branch SRX such as the SRX210 here, where data-plane security logs are sent through the control plane (event mode). On high-end SRX (SRX1400/3000/5000 series) the default is stream mode, in which the data plane sends security logs directly from a "security log stream" configuration and they do not pass through "system syslog" at all unless the log mode is changed to event.
As you can see, RT_IDP is already in the regular expression, so IDP logs will be forwarded too, but only once the IDP rulebase itself is told to log attacks, as in the following step.

3) IDP notifications

{primary:node0}[edit]
root@srx210-1# show security idp idp-policy Recommended_1
rulebase-ips {
    rule 1 {
        match {
            source-address any;
            destination-address any;
            application default;
            attacks {
                predefined-attacks ICMP:INFO:ECHO-REQUEST;
            }
        }
        then {
            action {
                drop-packet;
            }
            notification {
                log-attacks;
            }
        }
    }
}
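What ends up on 192.168.103.20 once the three steps above are committed, as an added example that is not part of the original post: a few constructed structured-data lines (the hostname, timestamps, addresses and the subset of fields shown are illustrative, not captured from a device, and the numeric suffix of the junos@2636... enterprise ID varies by platform) and a small Python parser that splits the RFC 5424 framing and the key="value" parameters, then counts permitted sessions per policy and per source and lists the IDP attack events. One plain syslog line with no structured-data element is included to show that the parser skips unrelated messages a shared collector may also receive.

```python
import re
from collections import Counter

# Constructed sample of what the syslog server receives with "structured-data" set.
# Illustrative values only; the field subset is smaller than a real SRX message.
SAMPLE_LOG = """\
<14>1 2014-01-05T10:12:01.123+02:00 srx210-1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address="192.168.210.10" source-port="51002" destination-address="8.8.8.8" destination-port="53" service-name="junos-dns-udp" protocol-id="17" policy-name="net-access" source-zone-name="downlink" destination-zone-name="wan" session-id-32="20001" packet-incoming-interface="ge-0/0/0.0"] session created 192.168.210.10/51002->8.8.8.8/53 junos-dns-udp
<14>1 2014-01-05T10:12:02.456+02:00 srx210-1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address="192.168.210.11" source-port="44120" destination-address="93.184.216.34" destination-port="443" service-name="junos-https" protocol-id="6" policy-name="net-access" source-zone-name="downlink" destination-zone-name="wan" session-id-32="20002" packet-incoming-interface="ge-0/0/0.0"] session created 192.168.210.11/44120->93.184.216.34/443 junos-https
<12>1 2014-01-05T10:12:03.789+02:00 srx210-1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.36 epoch-time="1388909523" message-type="SIG" source-address="192.168.210.10" source-port="0" destination-address="10.0.0.1" destination-port="0" protocol-name="ICMP" rule-name="1" rulebase-name="IPS" policy-name="Recommended_1" action="DROP" threat-severity="INFO" attack-name="ICMP:INFO:ECHO-REQUEST" source-zone-name="downlink" destination-zone-name="wan"] IDP: at 1388909523, SIG Attack log <192.168.210.10/0->10.0.0.1/0> for ICMP protocol ID 1
<14>1 2014-01-05T10:12:04.000+02:00 srx210-1 sshd 1234 - - Accepted keyboard-interactive/pam for root from 192.168.103.5 port 50022 ssh2
"""

# RFC 5424 header: <PRI>1 TIMESTAMP HOST APP-NAME PROCID MSGID, then either "-" (no
# structured data) or one [SD-ID param="value" ...] element, then the free-text message.
LINE_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<pid>\S+) '
    r'(?P<event>\S+) (?:-|\[(?P<sdid>[^\s\]]+)(?P<params>(?:[^\]\\]|\\.)*)\])'
    r'(?: (?P<msg>.*))?$'
)
# key="value" pairs; values may contain \" \\ and \] escapes per RFC 5424.
PARAM_RE = re.compile(r'(?P<k>[^\s=\]"]+)="(?P<v>(?:[^"\\]|\\.)*)"')


def parse_line(line):
    """Parse one syslog line into a dict, or return None when it carries no
    structured-data element (plain syslog from another process or device)."""
    m = LINE_RE.match(line.strip())
    if not m or m.group('sdid') is None:
        return None
    pri = int(m.group('pri'))
    fields = {k: re.sub(r'\\(.)', r'\1', v)          # drop the escape backslashes
              for k, v in PARAM_RE.findall(m.group('params'))}
    return {
        'facility': pri >> 3, 'severity': pri & 7,    # PRI = facility*8 + severity
        'timestamp': m.group('ts'), 'host': m.group('host'),
        'process': m.group('proc'), 'event': m.group('event'),
        'sdid': m.group('sdid'), 'fields': fields,
        'message': m.group('msg') or '',
    }


def summarise(log_text):
    """Count session creations per policy and per source address and collect
    the IDP attack events (attack, action, src, dst, severity)."""
    sessions, talkers, attacks = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f = rec['fields']
        if rec['process'] == 'RT_FLOW' and rec['event'] == 'RT_FLOW_SESSION_CREATE':
            sessions[f.get('policy-name', '?')] += 1
            talkers[f.get('source-address', '?')] += 1
        elif rec['process'] == 'RT_IDP' and rec['event'] == 'IDP_ATTACK_LOG_EVENT':
            attacks.append((f.get('attack-name'), f.get('action'),
                            f.get('source-address'), f.get('destination-address'),
                            f.get('threat-severity')))
    return {'sessions_per_policy': sessions,
            'sessions_per_source': talkers,
            'attacks': attacks}


if __name__ == '__main__':
    result = summarise(SAMPLE_LOG)
    for policy, n in result['sessions_per_policy'].items():
        print(f"policy {policy}: {n} session(s) created")
    for attack in result['attacks']:
        print("IDP attack: %s action=%s %s -> %s severity=%s" % attack)
```

The same parser works on the RT_FLOW_SESSION_CLOSE messages if session-close is also enabled in the policy; only the event name and the extra byte/packet fields differ.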

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE
