Configuring a Juniper JunOS device to Send Syslogs

Syslog traffic must be configured to arrive at the syslog VIP of the TOS Aurora cluster that monitors the device.

For more information see Sending Additional Information via Syslog.

Syslog proxy is supported for specific devices. For details of which devices support it, see Configuring Devices to Send Logs.

Only rules that are marked for logging in the device are included in the syslogs.

Define SecureTrack as a Syslog Server on Each JunOS Device

  1. Open a command line to the device.
  2. Run these commands:

    cli (Only if you log in as the root user)
    configure
    set system syslog host <ST_IP> user info
    set system syslog host <ST_IP> change-log notice
    set system syslog host <ST_IP> interactive-commands notice
    set system syslog host <ST_IP> match "(UI_COMMIT:)|(UI_COMMIT_AT_COMPLETED)|(FLOW_SESSION_CREATE)|(FLOW_SESSION_DENY)|(FLOW_SESSION_CLOSE)"
    set system syslog host <ST_IP> log-prefix <ID>
    commit

    Where:

    • <ST_IP> - the syslog VIP address of the cluster that is managing the device
    • <ID> - a unique ID string for each JunOS device; it must begin with SecureTrack_

      To get usage reporting for JunOS devices, you must also configure logging on the policy rules for session-init, session-close, or both. If you want to use a non-default facility level, you must configure SecureTrack as described in Configuring SecureTrack for Non-Default Syslogs.

      For Juniper SRX devices running JunOS, if you configure the data plane to send syslogs, you must use the sd-syslog format and add these lines before the commit command:

      set security log mode stream
      set security log source-address <SRX_IP>
      set security log stream tufin format sd-syslog
      set security log stream tufin host <ST_IP>

Configure Syslogs for Logical Systems

For Juniper SRX R22-1R1 devices you need to configure syslogs for logical systems.

  1. Open a command line to the device.

  2. Run these commands:

    set logical-systems <lsys_name> syslog host <ST_IP> user info
    set logical-systems <lsys_name> syslog host <ST_IP> change-log notice
    set logical-systems <lsys_name> syslog host <ST_IP> interactive-commands notice
    set logical-systems <lsys_name> syslog host <ST_IP> match "(UI_COMMIT:)|(UI_COMMIT_AT_COMPLETED)|(FLOW_SESSION_CREATE)|(FLOW_SESSION_DENY)|(FLOW_SESSION_CLOSE)"
    set logical-systems <lsys_name> syslog host <ST_IP> log-prefix <ST_ID>

    Where:

    • <lsys_name> - The name of the logical system.

    • <ST_IP> - The syslog VIP address of the cluster that is managing the device.

    • <ST_ID> - The SecureTrack ID used to identify the device.
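Both procedures above forward the same event set, filtered by the match regex and tagged with a log-prefix that begins with SecureTrack_. The following Python script is an added example, not code from the Tufin documentation: it decodes received lines the way a receiver could, applying the page's match regex and prefix rule to flag devices whose syslog configuration is incomplete. The BSD-style message layout and the sample lines are assumptions constructed for the example.

```python
import re

# Same event-tag regex as the page's "match" statement; Junos applies it to each message.
SECURETRACK_MATCH = re.compile(
    r"(UI_COMMIT:)|(UI_COMMIT_AT_COMPLETED)|(FLOW_SESSION_CREATE)|(FLOW_SESSION_DENY)|(FLOW_SESSION_CLOSE)"
)
REQUIRED_PREFIX = "SecureTrack_"                 # the log-prefix must begin with this
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")       # RFC 3164 <PRI> header
PREFIX_RE = re.compile(r"\b(SecureTrack_\S*?):?\s")

# Constructed sample lines (not captured from a real device). Message layout is an
# assumption: BSD syslog "<PRI>timestamp host log-prefix: process[pid]: TAG: text".
SAMPLE_LINES = [
    "<14>Mar  3 10:15:01 srx-edge1 SecureTrack_srx_edge1: mgd[2201]: UI_COMMIT: User 'admin' requested 'commit' operation",
    "<13>Mar  3 10:15:07 srx-edge1 SecureTrack_srx_edge1: RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.0.1.5/51234->198.51.100.7/443",
    "<14>Mar  3 10:16:40 srx-edge1 mgd[2201]: UI_LOGIN_EVENT: User 'admin' login",
]

def parse_junos_syslog(line: str) -> dict:
    """Decode facility/severity from <PRI>, the log-prefix token and the matched event tag."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group("pri"))
    facility, severity = pri >> 3, pri & 7      # RFC 3164: PRI = facility * 8 + severity
    body = line[m.end():]
    pm = PREFIX_RE.search(body)
    tm = SECURETRACK_MATCH.search(body)          # substring search, like the Junos "match" filter
    return {"facility": facility, "severity": severity,
            "prefix": pm.group(1) if pm else None, "tag": tm.group(0) if tm else None}

def check_line(line: str) -> list:
    """Reasons a received line does not meet the page's requirements (empty list means OK)."""
    info = parse_junos_syslog(line)
    problems = []
    if not (info["prefix"] or "").startswith(REQUIRED_PREFIX):
        problems.append("log-prefix missing or does not begin with SecureTrack_")
    if info["tag"] is None:
        problems.append("event tag is not in the match list")
    return problems

def audit(lines) -> dict:
    """Count accepted vs. rejected lines so a gap in device configuration is visible quickly."""
    accepted = sum(1 for ln in lines if not check_line(ln))
    return {"accepted": accepted, "rejected": len(lines) - accepted}

if __name__ == "__main__":
    print(audit(SAMPLE_LINES), [check_line(ln) for ln in SAMPLE_LINES])
```

The third sample line is rejected twice: it carries no SecureTrack_ prefix and UI_LOGIN_EVENT is outside the match list, so the device would never have sent it under the configuration above.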