Hi GL,
I would like to receive both security and traffic logs from Juniper firewalls and switches but no luck so far.
I’ve created inputs for Syslog TCP and Raw/Plaintext TCP, opened up ports 5555 and 514 in the firewalls and on the Graylog host, and set up sending to syslog from the network devices. I can’t seem to find where I’ve done it wrong. Am I missing something? Thanks.
jochen
(Jochen)
April 17, 2018, 9:02am
Please post the complete configuration of the inputs you’re using and the syslog configuration of your Juniper devices.
Additionally, please check whether the network devices are sending any messages at all with Wireshark or tcpdump.
Hi Jochen,
Firewalls are open at 514 udp, on Fedora 192.168.37.82, and Juniper 192.168.1.1 NATs to Fedora 192.168.37.82.
Juniper srx-320, 192.168.1.1, syslog config - syslogs are coming in to my PC, 192.168.1.16, syslogwatcher: see attached data flow picture.
Stream logs:
syslog {
    archive size 100k files 3;
    user * {
        any emergency;
    }
    host 192.168.1.16 {
        any any;
    }
    host 192.168.37.82 {
        any any;
    }
    file messages {
        any critical;
        authorization info;
    }
    file interactive-commands {
        interactive-commands info;
        match UI_CMDLINE_READ_LINE;
    }
    file traffic-log {
        any any;
        match RT_FLOW_SESSION;
    }
    file policy_session {
        user info;
        match RT_FLOW;
        archive size 1000k world-readable;
        structured-data;
    }
}
Security logs:
security {
    log {
        mode stream;
        source-address 192.168.1.1;
        stream Graylog {
            format syslog;
            host {
                192.168.37.82;
                port 514;
            }
        }
    }
}
I tried these 3 inputs, and recycled the graylog-server service:
Graylog raw: udp 514
RAW Raw/Plaintext UDP 0 RUNNING
    bind_address: 0.0.0.0
    override_source: <empty>
    port: 514
    recv_buffer_size: 262144
GELF udp: 514
    bind_address: 0.0.0.0
    decompress_size_limit: 8388608
    override_source: <empty>
    port: 514
    recv_buffer_size: 262144
Syslog Udp: 514
    allow_override_date: true
    bind_address: 0.0.0.0
    expand_structured_data: false
    force_rdns: false
    override_source: <empty>
    port: 514
    recv_buffer_size: 262144
jochen
(Jochen)
April 20, 2018, 9:10am
Have you checked if the network packets reach the machine running Graylog with Wireshark or tcpdump?
jochen
(Jochen)
April 20, 2018, 10:19am
What input are you using right now?
Did it start correctly on port 514/udp?
syslog udp 514
No, it’s not starting up correctly. It did yesterday; now I’ve tried to recycle the services and the host but it won’t start.
I’ve only one input with udp 514. What to do?
I’ve changed it to udp/5014 raw/text and it works.
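An added example, not code from the thread or from Graylog: a small Python listener that does Jochen's "do packets reach the host, and does the input start on 514/udp?" check in one place. It binds the input's port (reporting the two usual reasons a bind fails: a port below 1024 without root or CAP_NET_BIND_SERVICE, or a port already taken by another input or daemon) and decodes what arrives as Junos syslog, in both the RFC 5424 form that `structured-data` / SRX `format syslog` produce and the legacy BSD form. The sample datagrams and their addresses are constructed, and the enterprise SD-ID value is a placeholder.

```python
import errno, re, socket
from typing import Optional, Tuple

# RFC 5424 form emitted by Junos "structured-data" and by SRX "stream ... format syslog":
#   <PRI>1 TIMESTAMP HOST APP PROCID MSGID [SD-ID key="value" ...] MSG
_RFC5424 = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) ?(.*)$", re.DOTALL)
# Legacy BSD form sent to "host x.x.x.x { any any; }" without structured-data:
#   <PRI>Mon DD HH:MM:SS HOST PROCESS[PID]: MSGID: text
_BSD = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([\w-]+)(?:\[\d+\])?: ([A-Z0-9_]+): ?(.*)$")
_SD_PARAM = re.compile(r'([\w.-]+)="((?:[^"\\]|\\.)*)"')
SAMPLE_LINES = [  # constructed sample datagrams (hypothetical addresses, placeholder SD-ID), one per format
    '<14>1 2018-04-17T09:02:00.123Z srx-320 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.129 source-address="192.168.1.16" destination-port="514"] session created',
    '<190>Apr 17 09:02:01 srx-320 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN',
]
def parse_junos_syslog(line: str) -> Optional[dict]:
    """Parse one Junos syslog line in either form; None if it is neither."""
    line = line.strip()
    m = _RFC5424.match(line)
    if m:
        pri, host, msgid, rest, params = int(m.group(1)), m.group(3), m.group(6), m.group(7), {}
        if rest.startswith("[") and "]" in rest:  # structured-data element
            params = dict(_SD_PARAM.findall(rest[: rest.index("]")]))
    else:
        m = _BSD.match(line)
        if not m:
            return None
        pri, host, msgid, params = int(m.group(1)), m.group(3), m.group(5), {}
    return {"facility": pri >> 3, "severity": pri & 7, "host": host, "msgid": msgid,
            "params": params, "is_flow_session": msgid.startswith("RT_FLOW_SESSION")}
def open_udp_listener(port: int, bind_address: str = "0.0.0.0") -> Tuple[Optional[socket.socket], Optional[str]]:
    """Bind the port a Graylog UDP input would use: (socket, None) or (None, reason)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((bind_address, port))
        return s, None
    except PermissionError:  # ports below 1024 need root or CAP_NET_BIND_SERVICE on Linux
        s.close()
        return None, f"port {port}: privileged port, this process may not bind it"
    except OSError as e:     # e.g. a second input or another daemon already owns the port
        s.close()
        return None, f"port {port}: {'already in use' if e.errno == errno.EADDRINUSE else e}"
if __name__ == "__main__":   # run on the Graylog host: decoded equivalent of the tcpdump check
    sock, why = open_udp_listener(514)
    if sock is None:
        raise SystemExit(why)
    while True:
        data, peer = sock.recvfrom(65535)
        rec = parse_junos_syslog(data.decode("utf-8", "replace"))
        print(peer[0], rec["msgid"] if rec else "unparsed", rec["params"] if rec else data[:80])
```

Stop the Graylog input first, or run it on a spare port, since only one process can own 514/udp at a time.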
jochen
(Jochen)
April 20, 2018, 12:59pm