This (remote syslog) works for me on SRX550's running 12.1R1.9
This will apply a default deny & log to the end of your security
policies, so you don't need to reorder policies after adding a new one.
I have had issues logging locally where the box will stop logging after
a while. Not a big issue, since it all gets piped off to a syslog
server, but still annoying.
Syntax for that was:
file traffic-log {
any any;
match RT_FLOW_SESSION;
structured-data;
}
groups {
global-policy {
security {
policies {
from-zone <*> to-zone <*> {
policy default-logdrop {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
log {
session-init;
}
}
}
}
}
}
}
}
system {
syslog {
host x.x.x.x {
any any;
}
}
}
security {
apply-groups global-policy;
}
On Mon, 25 Feb 2013 16:10:49 -0500, Mike Devlin wrote:
nope, that didnt work either :(
meeks@MeeksNet-SRX210# run show log TEST-DENY
[edit]
meeks@MeeksNet-SRX210# show system syslog file TEST-DENY
any any;
match RT_FLOW;
[edit]
On Sat, Feb 23, 2013 at 2:35 AM, Farrukh Haroon
<[email protected]>wrote:
Hello Mike
Was wondering if you can get the deny logs while doing local
logging?
set system syslog file TEST-DENY any any
set system syslog file TEST-DENY match RT_FLOW
Regards
Farrukh
On Fri, Feb 22, 2013 at 4:39 AM, Mike Devlin <[email protected]>
wrote:
So fingers crossed that this is an easy one for you guys,
Device is an SRX210BE running 11.4R5.5 code.
ive added the syslog host to the config
meeks@MeeksNet-SRX210> show configuration system syslog
archive size 100k files 3;
user * {
any emergency;
}
host 192.168.1.12 {
any any;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
file security {
security any;
}
file default-log-messages {
any any;
match "(requested 'commit' operation)|(copying configuration to
juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU
removal)|(FRU insertion)|(link UP)|(vc add)|(vc
delete)|transitioned|Transferred|transfer-file|QFABRIC_NETWORK_NODE_GROUP|QFABRIC_SERVER_NODE_GROUP|QFABRIC_NODE|(license
add)|(license delete)|(package -X update)|(package -X
delete)|GRES|CFMD_CCM_DEFECT|LFMD_3AH|MEDIA_FLOW_ERROR|RPD_MPLS_PATH_BFD";
structured-data;
}
and implemented the default deny template i found here:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB20778&actp=RSS
meeks@MeeksNet-SRX210> show configuration groups
default-deny-template {
security {
policies {
from-zone untrust to-zone trust {
policy default-deny {
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
log {
session-init;
}
}
}
}
}
}
}
meeks@MeeksNet-SRX210> show configuration apply-groups
## Last commit: 2013-02-21 16:05:36 EST by meeks
apply-groups default-deny-template;
however, when i log on to the syslog host, and tail the syslog file
i do
not see denies being logged remotely.
if i apply the session-init and session-close options to permitted
traffic,
it does get logged remotely.
Alternatively,
creating a new policy has the same result, regardless if i use
reject or
deny
meeks@MeeksNet-SRX210# show security policies from-zone untrust
to-zone
trust policy deny-all
match {
source-address any;
destination-address any;
application any;
}
then {
deny;
log {
session-init;
}
}
my google-foo is failing, so i hope you guys can help.
Looking forward to hearing back from you,
Mike
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp