Sunday 9 December 2012

Junos: Sending IDP and traffic logs to a syslog server on the SRX

If you want to forward your IDP and traffic session logs to a syslog server, here is how to do it:

1) First, inside the security policy, enable logging of session initiations, e.g.:
{primary:node0}[edit]
root@srx210-1# top show security policies 
from-zone downlink to-zone wan {
    policy net-access {
        match {
            source-address net_210;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    idp;
                }
            }
            log {
                session-init;
            }
        }
    }
}

2) Then the syslog server configuration:
root@srx210-1# show system syslog        
host 192.168.103.20 {
    any any;
    match "RT_IDP|RT_FLOW_SESSION";
    structured-data;
}

After this, the traffic session logs are sent to the syslog server 192.168.103.20. Here "any any" selects all facilities and severities, the match statement then narrows that to messages matching the regular expression, and structured-data sends them in structured (key="value") format, which is easier to parse on the server side. As you can see, the match string also contains RT_IDP, the prefix of IDP log messages. If you add the following configuration under the IDP rulebase, IDP notifications are logged as well.

3) IDP notifications
{primary:node0}[edit]
root@srx210-1# show security idp idp-policy Recommended_1 
rulebase-ips {
    rule 1 {
        match {
            source-address any;
            destination-address any;
            application default;
            attacks {
                predefined-attacks ICMP:INFO:ECHO-REQUEST;
            }
        }
        then {
            action {
                drop-packet;
            }
            notification {
                log-attacks;
            }
        }
    }
}
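On the receiving side you need something that understands the structured-data format the SRX now sends (RFC 5424, one `[id key="value" ...]` element per message) and that keeps the RT_FLOW_SESSION and RT_IDP events apart. The following Python script is an added example, not code from the original post or from Juniper: it applies the same "RT_IDP|RT_FLOW_SESSION" expression configured above, parses the RFC 5424 header and structured-data element, and tallies IDP attack logs per source address. The sample lines are constructed to look like RT_FLOW_SESSION_CREATE and RT_IDP_ATTACK_LOG_EVENT messages; the parameter names and values in them are assumptions, not output captured from a device.

```python
import re
from collections import Counter

# Constructed sample messages in the RFC 5424 shape that "structured-data"
# selects on the SRX. The MSGIDs (RT_FLOW_SESSION_CREATE, RT_IDP_ATTACK_LOG_EVENT)
# are Junos event names; the parameter names and values are assumptions
# modelled on those events, not output captured from a real box.
# 2636 is Juniper's IANA enterprise number used in the SD-ID.
SAMPLE_LOGS = [
    '<14>1 2012-12-09T12:00:01.000Z srx210-1 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.36 source-address="192.168.210.10" source-port="51234" '
    'destination-address="10.0.0.5" destination-port="80" protocol-id="6" '
    'policy-name="net-access" source-zone-name="downlink" destination-zone-name="wan"]',
    '<12>1 2012-12-09T12:00:02.000Z srx210-1 RT_IDP - RT_IDP_ATTACK_LOG_EVENT '
    '[junos@2636.1.1.1.2.36 attack-name="ICMP:INFO:ECHO-REQUEST" '
    'source-address="192.168.210.10" destination-address="10.0.0.5" '
    'action="DROP" policy-name="Recommended_1" rule-name="1"]',
    # Unrelated event: the match statement on the SRX would not forward this one.
    '<13>1 2012-12-09T12:00:03.000Z srx210-1 sshd - SSHD_LOGIN_FAILED '
    '[junos@2636.1.1.1.2.36 username="admin" source-address="10.9.9.9"]',
]

# The same expression the SRX configuration uses: match "RT_IDP|RT_FLOW_SESSION"
MATCH_RE = re.compile(r"RT_IDP|RT_FLOW_SESSION")

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$"
)
# One SD-PARAM: name="value"; the value may contain \" \\ \] escapes
SD_PARAM_RE = re.compile(r'([^\s=\]"]+)="((?:[^"\\]|\\.)*)"')


def parse_structured(line):
    """Parse one RFC 5424 line into a dict; return None if it is not RFC 5424."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    rest = m["rest"]
    params = {}
    sd_id = None
    if rest.startswith("["):
        # SD-ID is the first token inside the brackets (e.g. junos@2636.1.1.1.2.36)
        sd_id = rest[1:].split(" ", 1)[0].rstrip("]")
        for name, value in SD_PARAM_RE.findall(rest):
            params[name] = re.sub(r"\\(.)", r"\1", value)  # undo RFC 5424 escapes
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m["ts"],
        "host": m["host"],
        "app": m["app"],
        "msgid": m["msgid"],
        "sd_id": sd_id,
        "params": params,
    }


def select_srx_events(lines):
    """Apply the match filter to each raw line (as the SRX does, against the
    whole message text), then parse the survivors."""
    events = []
    for line in lines:
        if not MATCH_RE.search(line):
            continue
        parsed = parse_structured(line)
        if parsed is not None:
            events.append(parsed)
    return events


def idp_attacks_by_source(events):
    """Tally RT_IDP attack logs per source address, the figure a defender
    watches once log-attacks is enabled on the rulebase."""
    return Counter(
        e["params"].get("source-address", "?")
        for e in events
        if e["msgid"].startswith("RT_IDP")
    )


if __name__ == "__main__":
    selected = select_srx_events(SAMPLE_LOGS)
    for ev in selected:
        print(ev["msgid"], ev["params"])
    print(dict(idp_attacks_by_source(selected)))
```

Filtering again on the server is deliberate: the match statement on the SRX only narrows what the box sends, so a collector that also receives messages from other hosts should not assume everything arriving is an RT_FLOW or RT_IDP event.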
