Modifying the Security Logging Configuration for Security Devices

You can use the Security Logging section on the Modify Configuration page to view and modify the parameters related to security logging on the device.

Note:

Refer to the Junos OS documentation (available at http://www.juniper.net/documentation/en_US/release-independent/junos/information-products/pathway-pages/junos/product/) for a particular release and device. There you can find detailed information on the configuration parameters for that device.

To modify the security logging parameters:

Select Devices > Security Devices.
The Security Devices page appears.
Select the devices whose configuration you want to modify.
From the More or right-click menu, select Configuration > Modify Configuration.
The Modify Configuration page appears.
Click the Security Logging link in the left-navigation menu.
The Security Logging section on the Modify Configuration page is displayed.
Modify the configuration according to the guidelines provided in Table 1.
After modifying the configuration, you can cancel the changes, save the changes, preview the changes, or save the changes and deploy the configuration on the device. See Modifying the Configuration of Security Devices.

Table 1: Security Logging Settings
Setting	Guideline
General Settings
Mode	Select how security logs are processed and exported: Stream—Specify that security logs are processed directly in the forwarding plane. Event—Specify that security logs are processed directly in the control plane.
Source Type	Select the source type as Address or Interface.
Source Address/Source Interface	If the Source Type is Address, specify the IPv4 or IPv6 address to be used as the source address when exporting security logs. If the Source Type is Interface, specify the interface to be used as the source interface when exporting security logs.
Format	Specify the security log format for the device: Syslog—Unstructured Junos OS system logs. Sd-syslog—Structured Junos OS system logs. Binary—Non-ASCII (binary) Junos OS system logs.
Disable Logging	Select this check box to disable security logging for the device. This check box is cleared by default.
UTC Timestamp	Select this check box to include the UTC timestamp in the security logs. This check box is cleared by default.
Event Rate	For the event mode, specify the rate (in logs per second) at which event logs are processed by the control plane. Range: 1 through 1500.
Stream
	The existing stream configuration entries are displayed in a table. You can do the following: Create a stream configuration–Click the + icon to create a stream configuration. The Create Stream Configuration page appears. Complete the configuration according to the guidelines provided in Table 2 and click OK. The stream configuration is created and you are returned to the Security Logging page. Modify a stream configuration–Select a stream configuration and click the pencil icon The Edit Stream configuration page appears, showing the same fields that are presented when you create a stream configuration. You can modify some of the fields on this page. Refer to Table 2 for an explanation of the fields. After you have modified the stream configuration, click OK. The changes are saved and you are returned to the Security Logging page. Delete stream configurations–Select one or more stream configurations and click the X icon to delete the stream configurations. The Warning page appears. Click Yes to confirm the deletion. The selected stream configurations are deleted.
File
File Name	Specify the filename for the binary log file.
File Path	Specify the file path for the binary log file.
File Size	Specify the maximum size (in MB) of the binary log file. Range: 1 through 10.
Maximum No. of Files	Specify the maximum number of binary log files. Range: 2 through 10.
Cache
Limit	Specify the maximum number of security log entries to keep in memory. The range is 1 through 4,294,967,295 and the default is 1000.
Exclude	The existing exclude configuration entries are displayed in a table. An exclude configuration is a list of auditable events that can be excluded from the audit log. You can do the following: Create an exclude configuration–Click the + icon to create an exclude configuration. The Create Exclude Configuration page appears. Complete the configuration according to the guidelines provided in Table 3 and click OK. The exclude configuration is created and you are returned to the Security Logging page. Modify an exclude configuration–Select an exclude configuration and click the pencil icon. The Edit Exclude Configuration page appears, showing the same fields that are presented when you create an exclude configuration. You can modify some of the fields on this page. Refer to Table 3 for an explanation of the fields. After you have modified the exclude configuration, click OK. The changes are saved and you are returned to the Security Logging page. Delete exclude configurations–Select one or more exclude configurations and click the X icon to delete the exclude configurations. The Warning page appears. Click Yes to confirm the deletion. The selected exclude configurations are deleted.

Table 2: Create Stream Configuration Settings
Setting	Guideline
Name	Enter the name of the security log stream, which should be a string containing alphanumeric characters and some special characters (_ .).
Host	Specify the IPv4 or IPv6 address of the server to which the security logs will be streamed.
Port	Enter the port number for the system log listening port. The range is 0 through 65,535 and the default is 514.
Severity	Select the severity threshold for security logs. Only the logs with the specified severity threshold are logged.
Category	Select the category of events to be logged.
Format	Specify the format of the security log for the device: Syslog–Unstructured Junos OS system logs. Sd-syslog–Structured Junos OS system logs. welf–Web Trends Extended Log Format.

Table 3: Create Exclude Configuration Settings
Setting	Guideline
Name	Specify the name of the exclude configuration.
Destination Filters
IP Address	Specify the destination IPv4 or IPv6 address from which security alarms are not included in the audit log.
Port	Specify the destination port number from which security alarms are not included in the audit log. The range is 0 through 4,294,967,295.
Source Filters
IP Address	Specify the source IPv4 or IPv6 address from which security alarms are not included in the audit log.
Port	Specify the source port number from which security alarms are not included in the audit log. The range is 0 through 4,294,967,295.
Other Filters
Event ID	Enter the event ID of the security event. The audit log does not include security alarms for the specified event ID.
Failure	Select this check box to restrict the logging only to failed events. By default, this check box is cleared, which means failed and successful events are logged.
Interface	Enter the name of the interface from which security alarms are not included in the security log.
Policy Name	Enter the name of the security policy for which security alarms are not included in the security log.
Process	Enter the name of the process (that is generating the events) for which security alarms are not included in the security log.
Protocol	Enter the name of the protocol for which security alarms are not included in the security log.
Success	Select this check box to restrict the logging only to successful events. By default, this check box is cleared, which means failed and successful events are logged.
Username	Enter the username of the authenticated user for which security alarms that are enabled by the user are not included in the security log.

After you’ve configured the security logs on the SRX Series devices, Security Director can receive those logs.

For adding Log Collector as a special node using Security Director Log Collector, click here.

For adding Log Collector as a special node using JSA Log Collector, click here.

Modifying the Security Logging Configuration for Security Devices

Related Documentation