Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Announcement: Try the Ask AI chatbot for answers to your technical questions about Juniper products and solutions.

close
header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions discuss ongoing efforts to support digital transformation on campus.
Watch now
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Retail experts Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; Jack Stratten of Insider Trends; and Christian Gilby, Senior Director of Product Marketing at Juniper Networks, discuss customer experiences.
See the future

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Explore events
AINN AI Innovation Impact Virtual Event

AI-Native NOW: AI Innovation and Impact

Register NOW
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Explore Pathfinder Apps
CLI Explorer
Feature Explorer
Hardware Compatibility Tool
Port Checker
Browse All
Collapse

Pathfinder Apps

All

By Software

By Hardware

Learn More
Pathfinder HomeCLI ExplorerCompliance AdvisorFeature ExplorerHardware Compatibility ToolJunos XML API ExplorerJunos YANG Data Model ExplorerPort CheckerPower CalculatorSNMP MIB ExplorerSystem Log Explorer
CLI ExplorerFeature ExplorerJunos XML API ExplorerJunos YANG Data Model ExplorerSNMP MIB ExplorerSystem Log Explorer
Compliance AdvisorFeature ExplorerHardware Compatibility ToolPort CheckerPower Calculator
Home Documentation Junos OS Logical Systems and Tenant Systems User Guide for Security Devices Tenant Systems

Logical Systems and Tenant Systems User Guide for Security Devices

keyboard_arrow_up
close
keyboard_arrow_left
Logical Systems and Tenant Systems User Guide for Security Devices
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Security Log for Tenant Systems

date_range 28-Nov-23
arrow_backward
arrow_forward

Security logs for tenant systems include security events to control system’s data planes. Security logs are sent in binary format to an external server from a tenant system interface. Security logs are generated per tenant system.

Understanding of Security Log for Tenant Systems

Junos OS generates separate log messages to record events that occur on the system’s control and data planes. The data plane logs, also called security logs, primarily include security events that are handled inside the data plane. Security logs can be in text or binary format and they can be saved locally (event mode) or sent to an external server (stream mode). The binary format is required for stream mode and recommended to conserve log space in event mode.

If you configure security logs per tenant, then security logs are generated per tenant.

Security logs for a tenant system are sent from a tenant system interface. You can configure the assigned routing instances and the interfaces that belong to the routing tables within a tenant system.

A security profile should be defined with the number of maximum and reserved policies when you configure the stream number for a tenant system. The primary administrator can use the security profiles to specify resource allocation.

If a tenant system requires more of a resource than its reserved amount allows, it can utilize resources configured for the global maximum amount if they are available and not allocated to other tenant systems. The maximum allowed quota for stream number specifies the portion of the free global resources that the tenant system can use. The maximum allowed quota does not ensure that the amount specified for the resource in the security profile is available. A reserved quota ensures that the resource amount specified is always available to the tenant system. Table 1 shows the comparison of logging stream number capacity.

Table 1: Comparison of Logging Stream Number

Platform

Logging Stream Number Capacity for Tenant System + Logical System

Reserved Logging Stream Number Quota for Tenant System

Maximum Allowed Stream Number Quota for Tenant System

Maximum Allowed Stream Number Quota for Global

SRX5400, SRX5600, and SRX5800

64

0

8

64

SRX4600

300

0

8

600

SRX4100 and 4200

200

0

8

400

SRX1500

50

0

8

100

If a device is configured for a tenant system, security logs generated within the context have the _LS suffix in the log name, which is the same as the logical system. The following security log shows the attributes of the RT_FLOW_SESSION_CLOSE_LS log for a device that is configured for a tenant system:

content_copy zoom_out_map
<14>1 2018-03-12T22:50:09.596Z user RT_FLOW_SESSION_CLOSE_LS [junos@2636.1.1.1.2.137 logical-system-name="TSYS1" reason="Some reason" source-address="192.0.2.1" source-port="7000" destination-address="198.51.100.2" destination-port="32768" connection-tag="0" service-name="Fake service" nat-source-address="192.0.2.1" nat-source-port="7000" nat-destination-address="198.51.10	0.2" nat-destination-port="32768" nat-connection-tag="0" src-nat-rule-type="Fake src nat rule" src-nat-rule-name="Fake src nat rule" dst-nat-rule-type="Fake dst nat rule" dst-nat-rule-name="Fake dst nat rule" protocol-id="17" policy-name="Fake policy" source-zone-name="Fake src zone" destination-zone-name="Fake dst zone" session-id-32="1" packets-from-client="4294967295" bytes-from-client="4294967293" packets-from-server="4294967294" bytes-from-server="4294967292" elapsed-time="4294967291" application="Fake application" nested-application="Fake nested application" username="Fake username" roles="Fake UAC roles" packet-incoming-interface="Fake packet incoming if" encrypted="Fake info telling if the traffic is encrypted" application-category="Fake application category" application-sub-category="Fake application subcategory" application-risk="-1"]

In the above example, security log includes TSYS1 as the first attribute.

Starting in Junos OS Release 19.1R1, on-box reporting configurations are supported for each tenant system and logs are handled based on these configurations. Configure the set security log report and set security log mode stream commands to enable the on-box reporting. The on-box reporting feature with stream mode is also supported on tenant systems.

You can view Syslog messages in the System Log Explorer.

Example: Configure Security Log for Tenant Systems

This example shows how to configure security logs for a tenant system.

Requirements

This example uses the following hardware and software components:

  • An SRX Series Firewall.

  • Junos OS Release 18.3R1 and later releases.

Before you begin:

  • Understand how to configure a tenant system with security profiles for the primary logical system and two tenant systems. See Figure 1

Overview

SRX Series Firewalls have two types of log: system logs and security logs. System logs record control plane events, for example, admin login to the device. Security logs, also known as traffic logs, record data plane events regarding specific traffic handling, for example when a security policy denies certain traffic due to some violation of the policy.

The two types of logs can be collected and saved either on-box or off-box. The procedure below explains how to configure security logs in binary format for off-box (stream-mode) logging.

For off-box logging, security logs for a tenant system are sent from a tenant system interface. If the tenant system interface is already configured in a routing instance, then configure routing-instance routing-instance-name at edit tenants tenant-name security log stream log-stream-name host hierarchy. If the interface is not configured in routing instance, then no routing instance should be configured at set tenants tenant-name security log stream log-stream-name host hierarchy.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

content_copy zoom_out_map
set tenants TSYS1 security log mode stream
set tenants TSYS1 security log stream TN1_s format binary host 1.3.54.22
set tenants TSYS1 security log source-address 2.3.45.66
set tenants TSYS1 security log transport protocol tls
set tenants TSYS1 routing-instances TN1_ri instance-type virtual-router
set tenants TSYS1 routing-instances TN1_ri interface ge-0/0/3
set tenants TSYS1 security log stream TN1_s host routing-instance TN1_ri
set system security-profile p1 security-log-stream-number reserved 1
set system security-profile p1 security-log-stream-number maximum 2
set system security-profile p1 tenant TSYS1

Procedure

Step-by-Step Procedure

The following procedure specifies how to configure security logs for a tenant system.

  1. Specify the logging mode and the format for the log file. For off-box, stream-mode logging.

    content_copy zoom_out_map
    [edit ]
user@host# set tenants TSYS1 security log mode stream
user@host# set tenants TSYS1 security log stream TN1_s format binary host 1.3.54.22

  2. For off-box security logging, specify the source address, which identifies the SRX Series Firewall that generated the log messages. The source address is required.

    content_copy zoom_out_map
    [edit ]
user@host# set tenants TSYS1 security log source-address 2.3.45.66

  3. Specify the routing instance and define the interface.

    content_copy zoom_out_map
    [edit ]
user@host# set tenants TSYS1 routing-instances TN1_ri instance-type virtual-router
user@host# set tenants TSYS1 routing-instances TN1_ri interface ge-0/0/3

  4. Define routing instance for a tenant system. If the interface is already configured in routing instance, then configure routing-instance routing-instance-name at edit tenants tenant-name security log stream log-stream-name host hierarchy. If the interface is not configured in routing instance, then no routing instance should be configured at set tenants tenant-name security log stream log-stream-name host hierarchy.

    content_copy zoom_out_map
    [edit ]
user@host# set tenants TSYS1 security log stream TN1_s host routing-instance TN1_ri

  5. Specify the security log transport protocol for the device.

    content_copy zoom_out_map
    [edit ]
user@host# set tenants TSYS1 security log transport protocol tls

Procedure

Step-by-Step Procedure

The following procedure specifies how to configure a security profile for a tenant system.

  1. Configure a security profile and specify the number of maximum and reserved policies.

    content_copy zoom_out_map
    [edit ]
user@host# set system security-profile p1 security-log-stream-number reserved 1
user@host# set system security-profile p1 security-log-stream-number maximum 2

  2. Assign the configured security profile to TSYS1.

    content_copy zoom_out_map
    [edit ]
user@host# set system security-profile p1 tenant TSYS1

Results

From configuration mode, confirm your configuration by entering the show system security-profile, show tenants TSYS1 security log, and show tenants TSYS1 routing-instances commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

content_copy zoom_out_map
[edit]
user@host# show tenants TSYS1 security log
mode stream;
source-address 2.3.45.66;
transport {
    protocol tls;
}
stream TN1_s {
    format binary;
    host {
        1.3.54.22;
        routing-instance TN1_ri;
    }
}
content_copy zoom_out_map
[edit]
user@host# show tenants TSYS1 routing-instances
TN1_ri {
    instance-type virtual-router;
    interface ge-0/0/3.0; 
}
content_copy zoom_out_map
[edit]
user@host# show system security-profile
p1 {
    security-log-stream-number {
        maximum 2;
        reserved 1;
    }
    tenant TSYS1;
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Detailed Output for Security Log

Purpose

Verify that the output displays the resource information for all tenant systems.

Action

From operational mode, enter the show system security-profile security-log-stream-number tenant all command.

content_copy zoom_out_map
logical-system tenant name  security profile name  usage    reserved    maximum

root-logical-system         Default-Profile           0          0         8
TSYS1                       p1                        1          1         2
Meaning

The output displays the resource information for tenant systems.

Understanding On-Box Reporting for Tenant Systems

Starting in Junos OS Release 19.1R1, on-box reporting configurations are supported for tenant systems and logs are handled based on these configurations.

Stream mode is a set of logging services that includes:

  • Off-box logging (SRX Series)

  • On-box logging and reporting (SRX1500, SRX4100, SRX4200, and SRX4600 Series)

Per tenant system configuration is supported for the off-box logging and logs are handled based on these configurations. The tenant system logs for off-box logging can only be generated from the tenant system interface.

On-box reporting mechanism is an enhancement to the existing logging functionality. The existing logging functionality is modified to collect system traffic logs, analyzes the logs, and generate reports of these logs. On-box reporting feature is intended to provide a simple and easy to use interface for viewing security logs.

Configure the set security log report and set security log mode stream commands to enable the on-box reporting feature on the device for tenant systems. The on-box reporting feature with stream mode is also supported on tenant systems.

The on-box reporting feature supports:

  • Generating reports based on the requirements. For example: count or volume of the session, types of logs for activities such as IDP, Content Security, and IPsec VPN.

  • Capturing real-time events within a specified time range.

  • Capturing all the network activities in a logical, organized, and easy-to-understand format based on various CLI specified conditions.

Configuring On-Box Reporting for Tenant Systems

SRX Series Firewalls supports different types of reports for tenant system users.

Reports are stored locally on the SRX Series Firewall and there is no requirement for separate devices or tools for logs and reports storage. The on-box reports provides a simple and easy-to-use interface for viewing the security logs.

Before you begin:

  • Understand how to configure security log for tenant systems. See Example: Configure Security Log for Tenant Systems.

To configure on-box reporting for tenant system:

  1. Define the tenant system name as TSYS1.
    content_copy zoom_out_map
    user@host# set tenants TSYS1
  2. Create report within security log per tenant system.
    content_copy zoom_out_map
    user@host# set tenants TSYS1 security log report
  3. Confirm your configuration by entering the show tenants TSYS1 command.
    content_copy zoom_out_map
    user@host# show tenants TSYS1
security {
    log {
        report;
    }
}
Note:

By default the report option is disabled.

Understanding On-Box and Off-Box Logging for Tenant System

SRX Series devices have two types of log: system logs and security logs. System logs record control plane events, for example admin login to the device. Security logs, also known as traffic logs, record data plane events regarding specific traffic handling, for example when a security policy denies certain traffic due to some violation of the policy.

Starting in Junos OS Release 19.2R1, on-box logging configurations are supported for each tenant system and logs are handled based on these configurations.

The two types of log can be collected and saved either on-box or off-box.

Stream mode is a set of logging services that includes:

  • Off-box logging (SRX Series)

  • On-box logging (SRX1500, SRX4100, SRX4200, and SRX4600 Series)

Per tenant system configuration is supported for the off-box logging and logs are handled based on these configurations. The tenant system logs for off-box logging can only be generated from the tenant system interface.

Configure the security files in binary/syslog/sd-syslog/welf format for stream-mode and binary format for event-mode by using the log statement at the [set tenants TSYS1 security] hierarchy level.

Note:

You cannot configure the security log file path for Tenant System.

For on-box logging with stream mode with binary format log, the set security log stream stream-name file command is configured per tenant system. The file name must be end with .bin. For example TSYS1_f1.bin in tenant system TSYS1. A new file TSYS1_f1.bin is created in the /var/traffic-log/tenant-systems/TSYS1 directory.

For on-box logging with stream mode with other format logs, the set security log stream stream-name file command is configured per tenant system. For example tenant system TSYS1. A new file with the name configured is created in the /var/traffic-log/tenant-systems/TSYS1 directory.

Configuring On-Box Binary Security Log Files for Tenant System

SRX Series devices support two types of log: system logs and security logs.

The two types of log are collected and saved either on-box or off-box. The following procedure explains how to configure security logs in binary format for on-box (event-mode and stream-mode) logging for tenant system.

The following procedure specifies binary format for event-mode security logging, and defines the log filename, path, and log file characteristics for tenant system.

  1. Specify the logging mode and the format for the log file. For on-box, event-mode logging:

    content_copy zoom_out_map
    [edit]
user@host# set tenants TSYS1 security log mode event
user@host# set tenants TSYS1 security log format binary

  2. (Optional) Specify a log filename.

    content_copy zoom_out_map
    [edit]
user@host# set tenants TSYS1 security log file name security-binary-log
    Note:

    Security log filename is not mandatory. If security log filename is not configured, by default the file bin_messages is created in the /var/log directory.

  3. Confirm your configuration by entering the show tenants TSYS1 command.

    content_copy zoom_out_map
    [edit]
user@host# show tenants TSYS1
security {
    log {
        mode event;
        format binary;
        file {
            name security-binary-log;
        }
    }
}

The following procedure specifies binary format for stream-mode security logging, and defines the log filename and log file characteristics for tenant system.

  1. Specify the logging mode and the format for the log file. For on-box, stream-mode logging:

    content_copy zoom_out_map
    [edit]
user@host# set tenants TSYS1 security log mode stream
user@host# set tenants TSYS1 security log stream s1 format binary

  2. (Optional) Specify a log filename.

    content_copy zoom_out_map
    [edit]
user@host# set tenants TSYS1 security log stream s1 file name f1.bin

  3. Confirm your configuration by entering the show tenants TSYS1 command.

    content_copy zoom_out_map
    [edit]
user@host# show tenants TSYS1
security {
    log {
        mode stream;
        stream s1 {
            format binary;
            file {
                name f1.bin;
            }
        }
    }
}

Configuring Off-Box Binary Security Log Files for Tenant System

SRX Series devices support two types of log: system logs and security logs.

The two types of log can be collected and saved either on-box or off-box. The procedure below explains how to configure security logs in binary format for off-box (stream-mode) logging.

The following procedure specifies binary format for stream-mode security logging, and defines the logging mode, source address, and host name characteristics for tenant system.

  1. Specify the logging mode and the format for the log file. For off-box, stream-mode logging:

    content_copy zoom_out_map
    [edit]
user@host# set tenants TSYS1 security log mode stream s1 format binary

  2. Specify the source address for off-box security logging.

    content_copy zoom_out_map
    [edit]
user@host# set tenants TSYS1 security log source-address 100.0.0.1

  3. Specify the host name.

    content_copy zoom_out_map
    [edit]
user@host# set tenants TSYS1 security log stream s1 host 100.0.0.2

  4. Confirm your configuration by entering the show tenants TSYS1 command.

    content_copy zoom_out_map
    [edit]
user@host# show tenants TSYS1
security {
    log {
        mode stream;
        source-address 100.0.0.1;
        stream s1 {
            format binary;
            host {
                100.0.0.2;
            }
        }
    }
}

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
19.2R1
Starting in Junos OS Release 19.2R1, on-box logging configurations are supported for each tenant system and logs are handled based on these configurations
arrow_backward PREVIOUS DHCP for Tenant Systems
NEXT arrow_forward AppQoS for Tenant Systems
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top