Sending IDP and traffic logs to a syslog server in SRX

If you want to forward your IDP and traffic session logs to a syslog server, here is how to do it:

1) First, inside the security policy, we should configure that we want to log session initiations, e.g.:

{primary:node0}[edit]
root@srx210-1# top show security policies
from-zone downlink to-zone wan {
    policy net-access {
        match {
            source-address net_210;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    idp;
                }
            }
            log {
                session-init;
            }
        }
    }
}

2) Then the syslog server configuration:

root@srx210-1# show system syslog
host 192.168.103.20 {
    any any;
    match "RT_IDP|RT_FLOW_SESSION";
    structured-data;
}

After this we should be able to send our traffic logs to the syslog server 192.168.103.20.
As you may notice, the match regular expression also contains the RT_IDP string, so IDP logs are forwarded as well. If you set the following configuration under the
IDP rule base, you will also log IDP notifications.

3) IDP notifications

{primary:node0}[edit]
root@srx210-1# show security idp idp-policy Recommended_1
rulebase-ips {
    rule 1 {
        match {
            source-address any;
            destination-address any;
            application default;
            attacks {
                predefined-attacks ICMP:INFO:ECHO-REQUEST;
            }
        }
        then {
            action {
                drop-packet;
            }
            notification {
                log-attacks;
            }
        }
    }
}
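On the receiving side it is worth checking that the forwarded messages actually arrive in the structured-data form and that the match expression lets through what you expect. The following is an added example (not from the original post) that parses RFC 5424 structured-data lines as an SRX emits them and applies the same "RT_IDP|RT_FLOW_SESSION" filter as the syslog stanza above; the sample log lines, field names and values are constructed for illustration, not captured from a real device.

```python
import re

# Constructed sample lines in the structured-data format the syslog stanza
# enables (RFC 5424 with a junos@... SD-ELEMENT). Values are illustrative.
SAMPLE_LOGS = [
    '<14>1 2013-12-14T16:06:16.612 srx210-1 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.36 source-address="192.168.210.10" source-port="51042" '
    'destination-address="8.8.8.8" destination-port="53" protocol-id="17" '
    'policy-name="net-access" source-zone-name="downlink" destination-zone-name="wan"]',
    '<14>1 2013-12-14T16:06:17.001 srx210-1 RT_IDP - IDP_ATTACK_LOG_EVENT '
    '[junos@2636.1.1.1.2.36 source-address="192.168.210.10" destination-address="10.0.0.5" '
    'attack-name="ICMP:INFO:ECHO-REQUEST" action="DROP" policy-name="Recommended_1" rule-name="1"]',
    # A commit message: the match regex in the syslog stanza should drop this one.
    '<13>1 2013-12-14T16:06:18.300 srx210-1 mgd - UI_COMMIT '
    '[junos@2636.1.1.1.2.36 username="root" message="commit complete"]',
]

# Same match expression as the "host 192.168.103.20" syslog stanza.
SRX_MATCH = re.compile(r"RT_IDP|RT_FLOW_SESSION")

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ID params]
HEADER = re.compile(
    r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) \S+ (?P<msgid>\S+) '
    r'\[(?P<sdid>[^\s\]]+)(?P<params>[^\]]*)\]'
)
PARAM = re.compile(r'([\w-]+)="([^"]*)"')


def parse_srx_structured(line):
    """Return header fields plus SD-PARAMs as a dict, or None if not RFC 5424 SD."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "host", "proc", "msgid")}
    rec.update(PARAM.findall(m.group("params")))  # list of (name, value) pairs
    return rec


def filter_like_srx(lines):
    """Keep and parse only the lines the SRX match regex would forward."""
    return [parse_srx_structured(line) for line in lines if SRX_MATCH.search(line)]


def summarize(records):
    """Count forwarded session creations per policy and IDP hits per attack name."""
    sessions, attacks = {}, {}
    for r in records:
        if r["msgid"] == "RT_FLOW_SESSION_CREATE":
            sessions[r["policy-name"]] = sessions.get(r["policy-name"], 0) + 1
        elif r["msgid"] == "IDP_ATTACK_LOG_EVENT":
            attacks[r["attack-name"]] = attacks.get(r["attack-name"], 0) + 1
    return sessions, attacks
```

Running `summarize(filter_like_srx(SAMPLE_LOGS))` on the constructed input yields one session for policy net-access and one ICMP:INFO:ECHO-REQUEST hit, while the UI_COMMIT line is filtered out exactly as the device's match expression would drop it.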

About: rtoodtoo

Genco has worked for more than 10 years as a Network/Support Engineer. He is also interested in Python, Linux, Security and SD-WAN, currently lives in the Netherlands and works as a Network Support Engineer at Tesla Inc. // JNCIE-SEC #223 / RHCE / PCNSE
