> 1. Anyone used to set up NfSen for this?

NfSen doesn't know how to interpret the syslog data sent by the SRX, in either format (syslog or sd-syslog). Additionally, NfSen doesn't have fields to store the more interesting data on disk (L7 app/nested app).

> 2. Any way to see that the FW is sending the collected data to the server?

monitor traffic will probably show it, as it's sourced by the RE; failing that, tcpdump on the receiving server.

I've been working on a project on and off for about six months which takes this data (well, actually the sd-syslog format variant), rebuilds the firewall's flow table and then exports NetFlow v9 from it (though it still throws away the AppTrack info). It actually uses RT_FLOW as well as APPTRACK_ messages, and needs logging of init/close on all policies for it to work well. We're having good success on an SRX 3600 cluster with sd-syslog in stream mode from the SPUs directly, though currently we're waiting for PR#924941 to be fixed due to a session-id-32 inconsistency between the message types. 250k concurrent flows with 15k updates/second in a 2Gb Java process.

I do intend to release it as OSS, but the project internals are in a state of flux as I rework ideas, and as such I wouldn't curse anyone with it. If you're really keen on NfSen for now, jflow would give you the basic IP info; failing that, Splunk/Graylog might do in the short term?

P.

-- 
Peter Wood
Network Security Specialist
Information Systems Services
Lancaster University

_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
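The approach Peter describes (parse the SRX sd-syslog RT_FLOW / APPTRACK_ messages, rebuild the firewall's session table keyed on session-id-32, and only then export per-flow records) is easy to prototype on a captured log file. The following Python is an added illustration written for this thread; it is not Peter's project, nor Juniper code. The structured-syslog layout (`[junos@2636.1.1.1.2.36 key="value" ...]`), the attribute names such as `source-address`, `bytes-from-client`, `application` and `nested-application`, and the `APPTRACK_SESSION_VOL_UPDATE` interim-update message name are assumed from the SRX structured-syslog format as I know it and should be checked against your Junos release; the sample lines are constructed, not real firewall output. It also handles the failure mode the thread raises: a CLOSE or update whose session-id-32 never appeared in a CREATE is counted as an orphan instead of silently creating a half-populated flow.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Message IDs we rebuild from. APPTRACK_SESSION_VOL_UPDATE (AppTrack's interim
# byte-count update) is assumed from the SRX structured-syslog layout.
MSG_RE = re.compile(
    r"\b(RT_FLOW_SESSION_(?:CREATE|CLOSE)|APPTRACK_SESSION_(?:CREATE|CLOSE|VOL_UPDATE))\b")
SD_RE = re.compile(r"\[junos@[\d.]+ (.*)\]\s*$")   # the structured-data element
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')           # key="value" pairs inside it


def parse_sd_syslog(line: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (message_id, {attribute: value}) or None for lines we do not handle."""
    msg, sd = MSG_RE.search(line), SD_RE.search(line)
    if not msg or not sd:
        return None
    return msg.group(1), dict(KV_RE.findall(sd.group(1)))


@dataclass
class Flow:
    session_id: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    policy: str
    application: str = "UNKNOWN"
    nested_application: str = "UNKNOWN"
    bytes_from_client: int = 0
    bytes_from_server: int = 0
    close_reason: str = ""


class FlowTable:
    """Rebuilds the firewall's session table from CREATE / update / CLOSE messages."""

    def __init__(self) -> None:
        self.active: Dict[str, Flow] = {}    # keyed on session-id-32
        self.completed: List[Flow] = []      # closed flows, ready for export
        self.orphans = 0                     # CLOSE/update for a never-seen session-id
        self.peak_concurrent = 0

    def _apply_update(self, flow: Flow, a: Dict[str, str]) -> None:
        flow.bytes_from_client = int(a.get("bytes-from-client", flow.bytes_from_client))
        flow.bytes_from_server = int(a.get("bytes-from-server", flow.bytes_from_server))
        # AppTrack fills in the L7 application once identified, so a later
        # message may upgrade UNKNOWN; never downgrade a known value.
        for attr, key in (("application", "application"), ("nested_application", "nested-application")):
            val = a.get(key)
            if val and val != "UNKNOWN":
                setattr(flow, attr, val)

    def ingest(self, line: str) -> Optional[str]:
        parsed = parse_sd_syslog(line)
        if parsed is None:
            return None
        msg, a = parsed
        sid = a.get("session-id-32")
        if sid is None:
            return None
        if msg.endswith("_CREATE"):
            if sid not in self.active:   # RT_FLOW and APPTRACK both announce creates
                self.active[sid] = Flow(
                    session_id=sid, src=a["source-address"], sport=int(a["source-port"]),
                    dst=a["destination-address"], dport=int(a["destination-port"]),
                    proto=int(a["protocol-id"]), policy=a.get("policy-name", ""),
                    application=a.get("application", "UNKNOWN"),
                    nested_application=a.get("nested-application", "UNKNOWN"))
                self.peak_concurrent = max(self.peak_concurrent, len(self.active))
            return msg
        flow = self.active.get(sid)
        if flow is None:                 # the session-id inconsistency case
            self.orphans += 1
            return msg
        self._apply_update(flow, a)
        if msg.endswith("_CLOSE"):
            flow.close_reason = a.get("reason", "")
            self.completed.append(self.active.pop(sid))
        return msg


def rebuild(lines: List[str]) -> FlowTable:
    table = FlowTable()
    for line in lines:
        table.ingest(line)
    return table


# Constructed sample log lines (not real SRX output), deliberately abbreviated.
_HDR = "<14>1 2014-06-02T09:00:01.000Z srx3600 RT_FLOW - "
_SD = "[junos@2636.1.1.1.2.36 "
SAMPLE_LINES = [
    _HDR + "RT_FLOW_SESSION_CREATE " + _SD + 'source-address="10.1.2.3" source-port="51234" '
    'destination-address="192.0.2.10" destination-port="443" protocol-id="6" policy-name="allow-web" '
    'session-id-32="1001" application="UNKNOWN" nested-application="UNKNOWN"]',
    _HDR + "RT_FLOW_SESSION_CREATE " + _SD + 'source-address="10.1.2.4" source-port="40000" '
    'destination-address="192.0.2.53" destination-port="53" protocol-id="17" policy-name="allow-dns" '
    'session-id-32="1002"]',
    _HDR + "APPTRACK_SESSION_VOL_UPDATE " + _SD + 'session-id-32="1001" bytes-from-client="4096" '
    'bytes-from-server="65536" application="HTTP" nested-application="FACEBOOK-ACCESS"]',
    _HDR + "RT_FLOW_SESSION_CLOSE " + _SD + 'reason="TCP FIN" session-id-32="1001" '
    'bytes-from-client="5120" bytes-from-server="98304" application="HTTP" nested-application="UNKNOWN"]',
    _HDR + "RT_FLOW_SESSION_CLOSE " + _SD + 'reason="idle Timeout" session-id-32="7777" '
    'bytes-from-client="10" bytes-from-server="0"]',   # never created: orphan
    "<14>1 2014-06-02T09:00:02.000Z srx3600 sshd - - session opened",   # ignored
]

if __name__ == "__main__":
    t = rebuild(SAMPLE_LINES)
    print(f"active={len(t.active)} completed={len(t.completed)} "
          f"orphans={t.orphans} peak={t.peak_concurrent}")
```

Run it against a file of lines from the syslog collector (or a tcpdump-decoded stream from the SPUs) and the `orphans` counter gives you a direct measure of how often CLOSE and update messages fail to match a CREATE, which is the kind of check you would want before trusting the exported NetFlow records.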

