
Understanding System Logging for Security Devices

Junos OS supports configuring and monitoring system log messages (also called syslog messages). You can configure the files to which system messages are logged and assign attributes, such as severity levels, to the messages. Reboot requests are recorded in the system log files, which you can view with the show log command.

This section contains the following topics:

  • Redundant System Log Server
  • Control Plane and Data Plane Logs

Redundant System Log Server

Security system logging traffic intended for remote servers is sent through the network interface ports, which support two simultaneous system log destinations. Each system logging destination must be configured separately. When two system log destination addresses are configured, identical logs are sent to both destinations. While two destinations can be configured on any device that supports the feature, adding a second destination is primarily useful as a redundant backup for standalone and active/backup configured chassis cluster deployments.

The following redundant server information is available:

  • Facility cron: cron scheduling process
  • Severity level debug (the lowest severity level): software debugging messages

Control Plane and Data Plane Logs

Junos OS generates separate log messages to record events that occur on the system’s control and data planes.

  • The control plane logs include events that occur on the routing platform. The system sends control plane events to the eventd process on the Routing Engine, which then handles the events by using Junos OS policies, by generating system log messages, or both. You can choose to send control plane logs to a file, user terminal, routing platform console, or remote machine. To generate control plane logs, use the syslog statement at the [system] hierarchy level.
  • The data plane logs primarily include security events that the system has handled directly inside the data plane. These system logs are also referred to as security logs. How the system handles data plane events depends on the device:
    • For SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the default logging mode is stream mode. The system streams already-processed data plane events directly to external log servers, bypassing the Routing Engine.

      We recommend stream mode logging for the data plane. Data plane logs are forwarded to the Routing Engine only when data plane logging is configured for event mode.

      Note: We recommend that only stream mode be used for security logs on high-end SRX Series devices. We do not recommend using event mode logging for high-end SRX Series devices. Supported logging rates apply to stream mode only. Logs might be dropped if you configure event mode logging on high-end SRX Series devices.

    • For SRX100, SRX210, SRX220, SRX240, and SRX650 devices, by default, the system sends data plane events to the eventd process on the Routing Engine to be processed, formatted, and written to system log files in a similar manner to control plane events.
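The following configuration fragment is an added example, not taken from this page or from Juniper's own documentation, that ties the two topics above together: control plane logging with the syslog statement at the [system] hierarchy level, data plane (security) logging in stream mode with the two redundant destinations described under Redundant System Log Server, and the event mode alternative for the branch devices. The addresses 192.0.2.1, 192.0.2.10 and 192.0.2.11 and the stream names log-primary and log-backup are assumptions for illustration; the syslog UDP port 514 is the conventional default.

```junos
/* Control plane logs: eventd on the Routing Engine writes them to a local
   file and relays them to the same two collectors used for security logs.
   Addresses are example values (RFC 5737 documentation range). */
system {
    syslog {
        file messages {
            any notice;
            authorization info;
        }
        host 192.0.2.10 {
            any notice;
        }
        host 192.0.2.11 {
            any notice;
        }
    }
}

/* Data plane (security) logs on high-end SRX Series devices: stream mode,
   sent from the data plane straight to the collectors, bypassing the RE.
   Two stream destinations give the redundant backup described above;
   identical logs are sent to both. */
security {
    log {
        mode stream;
        source-address 192.0.2.1;
        stream log-primary {
            format sd-syslog;
            host {
                192.0.2.10;
                port 514;
            }
        }
        stream log-backup {
            format sd-syslog;
            host {
                192.0.2.11;
                port 514;
            }
        }
    }
}

/* Branch devices (SRX100, SRX210, SRX220, SRX240, SRX650) default to event
   mode, in which data plane events are handed to eventd on the RE and written
   like control plane events. Stating it explicitly documents the intent: */
/*
security {
    log {
        mode event;
    }
}
*/
```

Because stream mode bypasses the Routing Engine, the security logs never appear in show log messages on a high-end SRX device; verify delivery on the collectors themselves, and compare the two destinations to confirm they receive identical streams. In event mode on a branch device, the same events are visible locally with show log messages. Do not switch a high-end SRX device to event mode to make security logs appear locally: as the note above says, supported logging rates apply to stream mode only and logs might be dropped.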

Published: 2015-03-26