I have setup the Juniper SRX as below but logs showing are only these ones, it is not showing any other kind of logs.
set system syslog host 103.x.x.x any any
set system syslog host 103.x.x.x structured-data
set system syslog host 103.x.x.x port 1513
set security log mode stream
set security log source-address 172.16.1.1
set security log transport protocol tcp
set security log stream External_Server format sd-syslog
set security log stream External_Server category all
set security log stream External_Server host 103.x.x.x
set security log stream External_Server host port 1513
Normally firewalls are syslog TCP/UDP. I’m curious if you tried Raw/Plaintext input.
EDIT: I went through Juniper SRX documentation manual. it states…
SRX devices can generate two types of logs; control plane and data plane.
Control plane: These are the logs generated by user processes, interactive commands and system.
Data plane: These are the traffic-logs that include session, IDP, UTM.
These two logs are generated based upon the security log mode configured.
There are two different security modes:
Stream: The default mode; used to send data plane logs to a syslog server. Data plane logs are not saved to the local file in the device. Control plane logs can be stored in a local file and/or sent to a syslog server. When this mode is set, logs cannot be viewed in the GUI.
Event: With this mode on, control and data plane logs are stored in a local file and/or forwarded to a syslog server. In this mode, logs can also be viewed in the GUI.
So I’m not sure how you set up your device and/or what you sending, I guess it would depend on what your sending.
I don’t think so, since you are already getting logs from SRX as shown above.
I think your sending Data plan logs.
Data plane: These are the traffic-logs that include session, IDP, UTM.
The reason I say this, is because in that screenshot it shows “detected packet”.
I’m not sure what logs your looking for on your Juniper device. Have you compared SRX logs on the Web UI, from the ones ingested by Graylog? what is actually missing from those two end point?
We don’t enable Web UI of our SRX but we want these types of logs as below. I have enabled local logging and want to see this in Graylog too especially the user login logs:
I run show log traffic-log(local logging setup on my SRX)
I configured my source address from the IP address of interface ge-0/0/0.0 (my internet interface) maybe this could be the issue?
The source address should be the router IP right?
Here is my current config for control plane logs:
archive size 100k files 3;
user * {
any emergency;
}
host 103.x.x.x {
any any;
authorization any;
security any;
user any;
change-log any;
interactive-commands any;
match UI_LOGIN_EVENT;
port 1513;
source-address 172.16.1.1;
transport tcp;
structured-data {
brief;
}
}
file interactive-commands {
interactive-commands any;
}
file local-log {
authorization any;
user any;
change-log any;
interactive-commands info;
structured-data;
}
file messages {
any notice;
authorization info;
}
Since you stated you don’t have a Web UI. I found this in the doc’s
Sending Logs to a Remote Syslog Server
In the following configuration example, log messages are sent to a remote syslog server ( 192.30.80.76 ):
user@host# set system syslog host 192.30.80.76 any any
Not sure I can be any help with your SRX configuration, but I do know since your getting logs to Graylog I don’t see a issue there. I think its what you sending could be the problem, perhaps the SRX configurations.
I think I found the correct config on the Juniper.
I added source address on the system syslog, not on the host. I can see active now connections in the Graylog input but there are no messages.
It might be I have the wrong Graylog input config now.
