Configuring a Juniper JunOS device to Send Syslogs

Syslog traffic must arrive at the SecureTrack server that monitors the device (Central Server, Distribution Server or Remote Collector Server), and it must be sent from the IP address and/or host name that SecureTrack has configured for the device. Messages arriving from any other source address are not attributed to the device.

For more information see Sending Additional Information via Syslog.

Syslog proxy is supported for specific devices. For more information on syslog proxy support for supported devices, see Configuring Devices to Send Logs.

Only rules that are marked for logging on the device generate syslog messages. Traffic that matches a rule without logging enabled is never reported to SecureTrack.

Define SecureTrack as a Syslog Server on each JunOS device

  1. Open a command line to the device.
  2. Run these commands:

    cli (only if you logged in as the root user; root lands in the shell, not the CLI)
    configure
    set system syslog host <ST_IP> user info
    set system syslog host <ST_IP> change-log notice
    set system syslog host <ST_IP> interactive-commands notice
    set system syslog host <ST_IP> match "(UI_COMMIT:)|(UI_COMMIT_AT_COMPLETED)|(FLOW_SESSION_CREATE)|(FLOW_SESSION_DENY)|(FLOW_SESSION_CLOSE)"
    set system syslog host <ST_IP> log-prefix <ID>
    commit

    Where:

    • <ST_IP> - the IP address of the SecureTrack server, remote collector or distribution server that is managing the device
    • <ID> - a unique ID string for each JunOS device that must begin with: SecureTrack_

      To get usage reporting for JunOS devices, you must also enable logging on the security policy rules (session-init, session-close, or both); only logged rules produce the FLOW_SESSION_* messages that the match expression above forwards. If you want to use a non-default facility level, you must configure SecureTrack as described in this tech note.

      For Juniper SRX devices running JunOS, if you configure the data plane to send syslogs, you must use the sd-syslog (structured-data) format and add these lines before the commit command:

      set security log mode stream
      set security log source-address <SRX_IP>
      set security log stream tufin format sd-syslog
      set security log stream tufin host <ST_IP>

      Where:

      • <SRX_IP> - the IP address the SRX uses as the source of the streamed logs. Use the IP address that SecureTrack has configured for the device, otherwise the data-plane logs are not matched to it.

Configure Syslogs for Logical Systems

For Juniper SRX devices that use logical systems (R22-1R1; supported from R21-3 HF4 and above), you also need to configure syslogs for each logical system.

  1. Open a command line to the device.

  2. In configuration mode, run these commands and then commit the configuration:

    set logical-systems <lsys_name> syslog host <ST_IP> user info
    set logical-systems <lsys_name> syslog host <ST_IP> change-log notice
    set logical-systems <lsys_name> syslog host <ST_IP> interactive-commands notice
    set logical-systems <lsys_name> syslog host <ST_IP> match "(UI_COMMIT:)|(UI_COMMIT_AT_COMPLETED)|(FLOW_SESSION_CREATE)|(FLOW_SESSION_DENY)|(FLOW_SESSION_CLOSE)"
    set logical-systems <lsys_name> syslog host <ST_IP> log-prefix <ST_ID>

  3. Where:

    • <lsys_name> - The name of the logical system.

    • <ST_IP> - The IP address of the SecureTrack server, remote collector or distribution server that is managing the device.

    • <ST_ID> - The log-prefix ID that identifies the device in SecureTrack: a unique string that must begin with SecureTrack_ (the same value as <ID> in the system-level configuration above).
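Both procedures above (system-level and logical-system) rely on the same device-side `match` expression and on the SecureTrack_ log-prefix, and the SRX data plane adds sd-syslog messages on top. The following is an added example for checking, on the collector side, what actually arrives; it is not Tufin or Juniper code. It applies the page's match expression to a handful of constructed sample lines, verifies that control-plane events carry a SecureTrack_ prefix, and parses the RFC 5424 structured-data fields that usage reporting depends on. The sample lines, the placement of the log-prefix after the host name, and the SD-ID value `junos@2636.1.1.1.2.129` are assumptions that only approximate real JunOS output.

```python
"""Collector-side check of JunOS syslog lines destined for SecureTrack.

Added example, not Tufin or Juniper code. Sample messages are constructed
and only approximate real JunOS output.
"""
import re

# Device-side filter: the exact expression the page places after `match`.
# JunOS forwards a message to that syslog host only if this regex matches.
SECURETRACK_MATCH = re.compile(
    r"(UI_COMMIT:)|(UI_COMMIT_AT_COMPLETED)|(FLOW_SESSION_CREATE)"
    r"|(FLOW_SESSION_DENY)|(FLOW_SESSION_CLOSE)"
)

# The log-prefix is required to begin with SecureTrack_; we look for that
# token anywhere in the line rather than relying on its exact position.
PREFIX_RE = re.compile(r"SecureTrack_[A-Za-z0-9_.-]+")

# RFC 5424 structured-data element as emitted by `format sd-syslog`:
#   [junos@2636.1.1.1.2.129 source-address="10.1.1.5" policy-name="allow-web" ...]
SD_ELEMENT_RE = re.compile(r"\[(?P<id>[^\s\]]+)(?P<params>[^\]]*)\]")
SD_PARAM_RE = re.compile(r'(?P<k>[\w.-]+)="(?P<v>(?:[^"\\]|\\.)*)"')

# Constructed sample lines (assumption: prefix sits after the host name).
SAMPLE_LINES = [
    "<189>Mar  3 10:00:01 srx1 SecureTrack_srx1: mgd[4163]: UI_COMMIT: User 'admin' requested 'commit' operation (comment: none)",
    "<189>Mar  3 10:00:03 srx1 SecureTrack_srx1: mgd[4163]: UI_COMMIT_AT_COMPLETED: commit complete",
    # Noise the match expression is meant to keep off the wire.
    "<189>Mar  3 10:00:05 srx1 SecureTrack_srx1: mgd[4163]: UI_CMDLINE_READ_LINE: User 'admin', command 'show security policies '",
    # sd-syslog data-plane events from `set security log stream ... format sd-syslog`.
    '<14>1 2023-03-03T10:00:07.123Z srx1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.1.1.5" source-port="51234" destination-address="192.0.2.10" destination-port="443" protocol-id="6" policy-name="allow-web" source-zone-name="trust" destination-zone-name="untrust" session-id-32="12345"] session created 10.1.1.5/51234->192.0.2.10/443',
    '<14>1 2023-03-03T10:00:09.456Z srx1 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.129 source-address="10.1.1.6" destination-address="192.0.2.11" destination-port="23" protocol-id="6" policy-name="default-deny"] session denied',
    # A second device whose log-prefix violates the SecureTrack_ naming rule.
    "<189>Mar  3 10:00:11 srx2 srx2_logs: mgd[4163]: UI_COMMIT: User 'admin' requested 'commit' operation",
]


def junos_forwards(line):
    """True if the device-side `match` expression would let this line through."""
    return SECURETRACK_MATCH.search(line) is not None


def securetrack_prefix(line):
    """Return the SecureTrack_ log-prefix found in the line, or None."""
    m = PREFIX_RE.search(line)
    return m.group(0) if m else None


def parse_sd_params(line):
    """Flatten all RFC 5424 structured-data parameters in the line into a dict."""
    params = {}
    for elem in SD_ELEMENT_RE.finditer(line):
        for p in SD_PARAM_RE.finditer(elem.group("params")):
            params[p.group("k")] = p.group("v")
    return params


def classify(line):
    """Describe one line: would it be forwarded, what kind is it, what does it carry."""
    rec = {"forwarded": junos_forwards(line), "prefix": securetrack_prefix(line),
           "kind": "other", "fields": {}}
    if "UI_COMMIT" in line:
        rec["kind"] = "commit"          # policy change on the control plane
    elif "FLOW_SESSION" in line:
        rec["kind"] = "flow"            # data-plane session event
        rec["fields"] = parse_sd_params(line)
    return rec


def audit(lines):
    """Return (forwarded records, list of problems) for lines seen at the collector.

    Problems: a commit event without a SecureTrack_ prefix (device cannot be
    identified), or a flow event missing the fields usage reporting needs.
    """
    forwarded, problems = [], []
    needed = ("source-address", "destination-address", "policy-name")
    for line in lines:
        rec = classify(line)
        if not rec["forwarded"]:
            continue                    # JunOS would never have sent it
        forwarded.append(rec)
        if rec["kind"] == "commit" and rec["prefix"] is None:
            problems.append("commit event without SecureTrack_ log-prefix: " + line)
        if rec["kind"] == "flow":
            missing = [k for k in needed if k not in rec["fields"]]
            if missing:
                problems.append("flow event missing %s: %s" % (missing, line))
    return forwarded, problems


if __name__ == "__main__":
    fwd, probs = audit(SAMPLE_LINES)
    print("forwarded:", len(fwd), "problems:", len(probs))
    for p in probs:
        print(" -", p)
```

Run it against a capture of the collector's incoming syslog (for example a tcpdump decode or the raw file the listener writes) instead of SAMPLE_LINES to confirm that commits and session events reach SecureTrack with the expected prefix and fields; a device whose lines all fall into the "dropped" path usually has the `match` string misquoted, and a flow event without `policy-name` usually means the log was not produced by a policy rule with logging enabled.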