Configuring a Juniper JunOS device to Send Syslogs

This topic is intended for TOS Administrators.

Overview

Syslog traffic must be configured to arrive at the TOS Aurora cluster that monitors the device - see Sending Additional Information via Syslog.

Syslog proxy is supported for specific devices. For details on which supported devices can use a syslog proxy, see Configuring Devices to Send Logs.

Only rules that are marked for logging in the device are included in the syslogs.

Define SecureTrack as a Syslog Server on Each JunOS Device

  1. Open a command line to the device.
  2. Run these commands:

    cli (Only if you log in with the root user)
    configure
    set system syslog host <ST_IP> user info
    set system syslog host <ST_IP> change-log notice
    set system syslog host <ST_IP> interactive-commands notice
    set system syslog host <ST_IP> match "(UI_COMMIT:)|(UI_COMMIT_AT_COMPLETED)|(FLOW_SESSION_CREATE)|(FLOW_SESSION_DENY)|(FLOW_SESSION_CLOSE)"
    set system syslog host <ST_IP> log-prefix SecureTrack_<ST-MANAGEMENT_ID>
    commit

    where

    • <ST_IP> is the syslog VIP address of the cluster that is managing the device.
    • <ST-Management_ID> is the SecureTrack management ID for the device. For example, a device with Tufin management ID 422 has a log-prefix of SecureTrack_422. The JunOS syslog parser tries to detect the log prefix in syslog messages. If it fails, it extracts the hostname instead.

    To get usage reporting for JunOS devices, you must also configure policy rules logging for session-init, session-close, or both. If you want to use a non-default facility level, you must configure SecureTrack as described in Configuring SecureTrack for Non-Default Syslogs.

    For Juniper SRX devices running JunOS, if you configure the data plane to send syslogs, you must use sd-syslog format and add these lines before the commit command:

    set security log mode stream
    set security log source-address <SRX_IP>
    set security log stream tufin format sd-syslog
    set security log stream tufin host <ST_IP>

Configure Syslogs for Logical Systems

For Juniper SRX R22-1R1 devices, you need to configure syslogs for logical systems.

  1. Open a command line to the device.

  2. Run these commands:

    set logical-systems <lsys_name> syslog host <ST_IP> user info
    set logical-systems <lsys_name> syslog host <ST_IP> change-log notice
    set logical-systems <lsys_name> syslog host <ST_IP> interactive-commands notice
    set logical-systems <lsys_name> syslog host <ST_IP> match "(UI_COMMIT:)|(UI_COMMIT_AT_COMPLETED)|(FLOW_SESSION_CREATE)|(FLOW_SESSION_DENY)|(FLOW_SESSION_CLOSE)"
    set logical-systems <lsys_name> syslog host <ST_IP> log-prefix SecureTrack_<ST-MANAGEMENT_ID>
    where

    • <lsys_name> is the name of the logical system.

    • <ST_IP> is the syslog VIP address of the cluster that is managing the device.

    • <ST-Management_ID> is the SecureTrack management ID for the device. For example, a device with Tufin management ID 422 has a log-prefix of SecureTrack_422. The JunOS syslog parser tries to detect the log prefix in syslog messages. If it fails, it extracts the hostname instead.
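The match expression and the log-prefix fallback described above (for both the system-level and the logical-system configuration) decide which messages reach SecureTrack and how the sending device is identified. The following Python is an added illustration, not Tufin or Juniper code: it applies the page's match regex to constructed sd-syslog-style lines and mimics the "prefix first, hostname otherwise" identification. The sample messages and the placement of the prefix in them are assumptions made for the example.

```python
import re

# The match expression from "set system syslog host <ST_IP> match ..." on this page.
MATCH_RE = re.compile(
    r"(UI_COMMIT:)|(UI_COMMIT_AT_COMPLETED)|(FLOW_SESSION_CREATE)"
    r"|(FLOW_SESSION_DENY)|(FLOW_SESSION_CLOSE)"
)

# Prefix configured with "log-prefix SecureTrack_<ST-MANAGEMENT_ID>"; the digits are the management ID.
PREFIX_RE = re.compile(r"SecureTrack_(\d+)")

# RFC 5424-style header: <PRI>VERSION TIMESTAMP HOSTNAME ... (sd-syslog uses this shape).
HEADER_RE = re.compile(r"^<\d+>\d+ \S+ (?P<host>\S+) ")


def would_be_forwarded(line: str) -> bool:
    """True if the device's match filter would pass this message on to SecureTrack."""
    return MATCH_RE.search(line) is not None


def device_identity(line: str) -> tuple:
    """Return ('prefix', '<id>') when the log prefix is present, else ('hostname', <host>)."""
    m = PREFIX_RE.search(line)
    if m:
        return ("prefix", m.group(1))
    h = HEADER_RE.match(line)
    return ("hostname", h.group("host") if h else "")


def forwarded_identities(lines):
    """Identity for every message that passes the filter, in input order."""
    return [device_identity(l) for l in lines if would_be_forwarded(l)]


# Constructed sample messages (not captured from a real device); prefix placement is illustrative.
SAMPLE_LINES = [
    '<14>1 2024-03-01T10:00:00Z srx-fw01 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.129 source-address="10.0.0.5" destination-address="10.0.1.9"] '
    'SecureTrack_422 session created',
    "<12>1 2024-03-01T10:01:00Z srx-fw01 mgd - UI_COMMIT: User 'admin' requested 'commit' operation",
    "<13>1 2024-03-01T10:02:00Z srx-fw01 sshd - SSHD_LOGIN_FAILED Login failed for user 'guest'",
    '<14>1 2024-03-01T10:03:00Z srx-fw01 RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@2636.1.1.1.2.129 source-address="10.0.0.7"] SecureTrack_422 session denied',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(would_be_forwarded(line), device_identity(line), line[:60])
```

Running it shows that the SSHD_LOGIN_FAILED line is dropped by the filter, and that the UI_COMMIT: line, which carries no prefix, falls back to the hostname srx-fw01.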