Setting the System to Stream Security Logs Through Revenue Ports
You can increase the number of data plane, or security, logs that are sent by modifying the manner in which they are sent. When the logging mode is set to stream, security logs generated in the data plane are streamed out a revenue traffic port directly to a remote server.
To use the stream mode, enter the following commands:
where source-address is the IP address of the source machine; syslog, sd-syslog (structured system logging messages) and welf are logging formats; all and content-security are the categories of logging; and ipaddr is the IP address of the server to which the logs will be streamed.
Note: WELF logs must be streamed through a revenue port because the eventd process does not recognize the WELF format. The category must be set to content-security. For example:

    {primary:node0}user@host# set security log stream securitylog1 format welf category content-security host 10.121.23.5
To send duplicate logs to a second remote server, repeat the command with a new ipaddr. If your deployment is an active/active chassis cluster, you can also configure security logging on the active node to be sent to separate remote servers to achieve logging redundancy.
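The following configuration is an added example, not taken from the original page, showing stream mode with the same security logs duplicated to two remote servers. The stream name securitylog2 and all IP addresses (documentation ranges) are constructed for illustration, and using a second stream name for the second server is an assumption about how the command is repeated.

```junos
# Added example; the addresses and the name securitylog2 are constructed placeholders.

# Switch data plane (security) logging to stream mode so that logs
# leave through a revenue port directly to the remote server.
set security log mode stream

# IP address of the source machine, used as the source of the streamed logs.
set security log source-address 192.0.2.10

# First remote server: structured syslog, all categories.
set security log stream securitylog1 format sd-syslog category all host 198.51.100.5

# Second remote server receiving duplicate logs (assumed: a separate stream name).
set security log stream securitylog2 format sd-syslog category all host 198.51.100.6
```

On the receiving side, confirm that each server accepts traffic from the configured source address, since the collector sees that address rather than the management address of the device.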