Configuring a Juniper JunOS device to Send Syslogs
This topic is intended for TOS Administrators.
Overview
Syslog traffic must be configured to arrive at the TOS Aurora cluster that monitors the device; see Sending Additional Information via Syslog.
Syslog proxy is supported for specific devices. For details of which supported devices can use a syslog proxy, see Configuring Devices to Send Logs.
Define SecureTrack as a Syslog Server on Each JunOS Device
- Open a command line to the device.
- Run these commands (the match command is entered as a single line):
cli (only if you logged in as the root user)
configure
set system syslog host <ST_IP> user info
set system syslog host <ST_IP> change-log notice
set system syslog host <ST_IP> interactive-commands notice
set system syslog host <ST_IP> match "(UI_COMMIT:)|(UI_COMMIT_AT_COMPLETED)|(FLOW_SESSION_CREATE)|(FLOW_SESSION_DENY)|(FLOW_SESSION_CLOSE)"
set system syslog host <ST_IP> log-prefix SecureTrack_<ST-MANAGEMENT_ID>
commit
where
- <ST_IP> is the syslog VIP address of the cluster that is managing the device.
- <ST-MANAGEMENT_ID> is the SecureTrack management ID for the device. For example, a device with Tufin management ID 422 has a log-prefix of SecureTrack_422. The JunOS syslog parser tries to detect the log prefix in syslog messages; if it fails, it extracts the hostname instead.
To get usage reporting for JunOS devices, you must also configure logging on the policy rules for session-init, session-close, or both. If you want to use a non-default facility level, you must configure SecureTrack as described in Configuring SecureTrack for Non-Default Syslogs.
For Juniper SRX devices running JunOS, if you configure the data plane to send syslogs, you must use the sd-syslog format and add these lines before the commit command:
set security log mode stream
set security log source-address <SRX_IP>
set security log stream tufin format sd-syslog
set security log stream tufin host <ST_IP>
Configure Syslogs for Logical Systems
For Juniper SRX R22-1R1 devices you need to configure syslogs for logical systems.
- Open a command line to the device.
- Run these commands (the match command is entered as a single line):
set logical-systems <lsys_name> syslog host <ST_IP> user info
set logical-systems <lsys_name> syslog host <ST_IP> change-log notice
set logical-systems <lsys_name> syslog host <ST_IP> interactive-commands notice
set logical-systems <lsys_name> syslog host <ST_IP> match "(UI_COMMIT:)|(UI_COMMIT_AT_COMPLETED)|(FLOW_SESSION_CREATE)|(FLOW_SESSION_DENY)|(FLOW_SESSION_CLOSE)"
set logical-systems <lsys_name> syslog host <ST_IP> log-prefix SecureTrack_<ST-MANAGEMENT_ID>
where
- <lsys_name> is the name of the logical system.
- <ST_IP> is the syslog VIP address of the cluster that is managing the device.
- <ST-MANAGEMENT_ID> is the SecureTrack management ID for the device. For example, a device with Tufin management ID 422 has a log-prefix of SecureTrack_422. The JunOS syslog parser tries to detect the log prefix in syslog messages; if it fails, it extracts the hostname instead.
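The following Python snippet is an added illustration, not Tufin's parser or any code from this page: it applies the same match filter that both sections configure on the device and recovers the management ID from the SecureTrack_<ID> log-prefix, falling back to the hostname when the prefix is absent, as the text describes. The sample lines, their PRI values and the exact field layout are constructed assumptions.

```python
import re

# Constructed sample lines (not real device output). Layout follows the usual
# BSD-syslog shape "<PRI>MMM dd HH:MM:SS host [log-prefix:] process: message",
# with the JunOS log-prefix assumed to sit right after the hostname.
SAMPLE_LINES = [
    "<13>Jun  5 10:15:01 srx-edge-1 SecureTrack_422: mgd[1234]: UI_COMMIT: User 'admin' requested 'commit' operation",
    "<13>Jun  5 10:15:02 srx-edge-1 SecureTrack_422: mgd[1234]: UI_COMMIT_AT_COMPLETED: commit complete",
    "<14>Jun  5 10:15:05 srx-edge-1 SecureTrack_422: RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.0.0.5/51234->10.0.1.7/443",
    "<14>Jun  5 10:15:06 srx-lab RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.9/4444->10.0.1.7/22",  # no log-prefix
    "<13>Jun  5 10:15:08 srx-lab sshd[999]: Accepted password for admin",  # outside the match filter
]

# The same regular expression the page configures with 'set ... syslog host <ST_IP> match'.
MATCH_FILTER = re.compile(
    r"(UI_COMMIT:)|(UI_COMMIT_AT_COMPLETED)|(FLOW_SESSION_CREATE)|(FLOW_SESSION_DENY)|(FLOW_SESSION_CLOSE)"
)
HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")
LOG_PREFIX = re.compile(r"^SecureTrack_(?P<mgmt_id>\d+):?\s+")


def parse_line(line):
    """Return a dict for a line the device-side filter would forward, or None otherwise."""
    m = HEADER.match(line)
    if not m:
        return None
    rest = m.group("rest")
    if not MATCH_FILTER.search(rest):
        return None  # the match filter on the device would have dropped this message
    prefix = LOG_PREFIX.match(rest)
    if prefix:
        # log-prefix present: map the message to the SecureTrack management ID
        device_key = ("management_id", int(prefix.group("mgmt_id")))
        rest = rest[prefix.end():]
    else:
        # no log-prefix: fall back to the hostname, as the page describes
        device_key = ("hostname", m.group("host"))
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,  # PRI = facility * 8 + severity (RFC 3164)
        "severity": pri & 7,
        "device_key": device_key,
        "message": rest,
    }


def parse_lines(lines):
    return [r for r in map(parse_line, lines) if r is not None]
```

Running parse_lines(SAMPLE_LINES) keeps the four filtered lines, attributes the first three to management ID 422 and the fourth to hostname srx-lab, and drops the sshd line.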