that got it working it seems :) Thanks guys!!!
On Tue, Feb 26, 2013 at 12:06 AM, Gordon Smith <[email protected]>wrote: > This (remote syslog) works for me on SRX550's running 12.1R1.9 > This will apply a default deny & log to the end of your security policies, > so you don't need to reorder policies after adding a new one. > > I have had issues logging locally where the box will stop logging after a > while. Not a big issue, since it all gets piped off to a syslog server, but > still annoying. > Syntax for that was: > file traffic-log { > any any; > match RT_FLOW_SESSION; > structured-data; > } > > > > groups { > global-policy { > security { > policies { > from-zone <*> to-zone <*> { > policy default-logdrop { > > match { > source-address any; > destination-address any; > application any; > } > then { > deny; > log { > session-init; > } > } > } > } > } > } > } > } > system { > syslog { > host x.x.x.x { > any any; > } > } > } > security { > apply-groups global-policy; > > } > > > > On Mon, 25 Feb 2013 16:10:49 -0500, Mike Devlin wrote: > >> nope, that didnt work either :( >> >> meeks@MeeksNet-SRX210# run show log TEST-DENY >> >> [edit] >> >> meeks@MeeksNet-SRX210# show system syslog file TEST-DENY >> any any; >> match RT_FLOW; >> >> [edit] >> >> On Sat, Feb 23, 2013 at 2:35 AM, Farrukh Haroon >> <[email protected]>**wrote: >> >> Hello Mike >>> >>> Was wondering if you can get the deny logs while doing local logging? >>> >>> set system syslog file TEST-DENY any any >>> set system syslog file TEST-DENY match RT_FLOW >>> >>> Regards >>> Farrukh >>> >>> >>> On Fri, Feb 22, 2013 at 4:39 AM, Mike Devlin <[email protected]> >>> wrote: >>> >>> So fingers crossed that this is an easy one for you guys, >>>> >>>> Device is an SRX210BE running 11.4R5.5 code. >>>> >>>> ive added the syslog host to the config >>>> >>>> meeks@MeeksNet-SRX210> show configuration system syslog >>>> archive size 100k files 3; >>>> user * { >>>> any emergency; >>>> } >>>> host 192.168.1.12 { >>>> any any; >>>> } >>>> file messages { >>>> any critical; >>>> authorization info; >>>> } >>>> file interactive-commands { >>>> interactive-commands error; >>>> } >>>> file security { >>>> security any; >>>> } >>>> file default-log-messages { >>>> any any; >>>> match "(requested 'commit' operation)|(copying configuration to >>>> juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU >>>> removal)|(FRU insertion)|(link UP)|(vc add)|(vc >>>> >>>> >>>> delete)|transitioned|**Transferred|transfer-file|** >>>> QFABRIC_NETWORK_NODE_GROUP|**QFABRIC_SERVER_NODE_GROUP|** >>>> QFABRIC_NODE|(license >>>> add)|(license delete)|(package -X update)|(package -X >>>> >>>> delete)|GRES|CFMD_CCM_DEFECT|**LFMD_3AH|MEDIA_FLOW_ERROR|RPD_** >>>> MPLS_PATH_BFD"; >>>> structured-data; >>>> } >>>> >>>> >>>> >>>> and implemented the default deny template i found here: >>>> >>>> >>>> http://kb.juniper.net/**InfoCenter/index?page=content&** >>>> id=KB20778&actp=RSS<http://kb.juniper.net/InfoCenter/index?page=content&id=KB20778&actp=RSS> >>>> >>>> >>>> meeks@MeeksNet-SRX210> show configuration groups >>>> default-deny-template { >>>> security { >>>> policies { >>>> from-zone untrust to-zone trust { >>>> policy default-deny { >>>> match { >>>> source-address any; >>>> destination-address any; >>>> application any; >>>> } >>>> then { >>>> deny; >>>> log { >>>> session-init; >>>> } >>>> } >>>> } >>>> } >>>> } >>>> } >>>> } >>>> >>>> meeks@MeeksNet-SRX210> show configuration apply-groups >>>> ## Last commit: 2013-02-21 16:05:36 EST by meeks >>>> apply-groups default-deny-template; >>>> >>>> however, when i log on to the syslog host, and tail the syslog file i do >>>> not see denies being logged remotely. >>>> >>>> if i apply the session-init and session-close options to permitted >>>> traffic, >>>> it does get logged remotely. >>>> >>>> Alternatively, >>>> >>>> creating a new policy has the same result, regardless if i use reject or >>>> deny >>>> >>>> meeks@MeeksNet-SRX210# show security policies from-zone untrust to-zone >>>> trust policy deny-all >>>> match { >>>> source-address any; >>>> destination-address any; >>>> application any; >>>> } >>>> then { >>>> deny; >>>> log { >>>> session-init; >>>> } >>>> } >>>> >>>> my google-foo is failing, so i hope you guys can help. >>>> >>>> Looking forward to hearing back from you, >>>> >>>> Mike >>>> ______________________________**_________________ >>>> juniper-nsp mailing list [email protected] >>>> https://puck.nether.net/**mailman/listinfo/juniper-nsp<https://puck.nether.net/mailman/listinfo/juniper-nsp> >>>> >>>> >>> >>> ______________________________**_________________ >> juniper-nsp mailing list [email protected] >> https://puck.nether.net/**mailman/listinfo/juniper-nsp<https://puck.nether.net/mailman/listinfo/juniper-nsp> >> > > _______________________________________________ juniper-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/juniper-nsp

