Modifying the Security Logging Configuration for Security Devices
You can use the Security Logging section on the Modify Configuration page to view and modify the parameters related to security logging on the device.
Refer to the Junos OS documentation (available at http://www.juniper.net/documentation/en_US/release-independent/junos/information-products/pathway-pages/junos/product/) for a particular release and device. There you can find detailed information on the configuration parameters for that device.
To modify the security logging parameters, use the settings described in the following tables.

Setting | Guideline
---|---
General Settings |
Mode | Select how security logs are processed and exported. The Event Rate setting applies only to the event mode; the Stream settings define where streamed logs are sent.
Source Type | Select Address or Interface to choose how the source of exported security logs is identified.
Source Address/Source Interface | If the Source Type is Address, specify the IPv4 or IPv6 address to be used as the source address when exporting security logs. If the Source Type is Interface, specify the interface whose address is used as the source when exporting security logs.
Format | Specify the security log format for the device.
Disable Logging | Select this check box to disable security logging for the device. This check box is cleared by default. Leave it cleared unless you intend to stop all security logging on the device, including export to the collector.
UTC Timestamp | Select this check box to include UTC timestamps in the security logs. This check box is cleared by default. Selecting it is useful when a collector correlates logs from devices in different time zones.
Event Rate | For the event mode, specify the rate (in logs per second) at which event logs are processed by the control plane. Range: 1 through 1500.
Stream |
 | The existing stream configuration entries are displayed in a table. The settings for a stream entry are described in the stream entry table below.
File |
File Name | Specify the filename for the binary log file.
File Path | Specify the file path for the binary log file.
File Size | Specify the maximum size (in MB) of each binary log file. Range: 1 through 10.
Maximum No. of Files | Specify the maximum number of binary log files that are retained. Range: 2 through 10.
Cache |
Limit | Specify the maximum number of security log entries to keep in memory. The range is 1 through 4,294,967,295 and the default is 1000.
Exclude |
 | The existing exclude configuration entries are displayed in a table. An exclude configuration is a list of auditable events that are excluded from the audit log. The settings for an exclude entry are described in the exclude entry table below.

Settings for a stream configuration entry:

Setting | Guideline
---|---
Name | Enter the name of the security log stream: a string of alphanumeric characters and the special characters underscore (_) and period (.).
Host | Specify the IPv4 or IPv6 address of the server to which the security logs are streamed.
Port | Enter the port number on which the system log server listens. The range is 0 through 65,535 and the default is 514.
Severity | Select the severity threshold for security logs. Only logs at or above the selected severity are logged.
Category | Select the category of events to be logged.
Format | Specify the format of the security log for this stream.

Settings for an exclude configuration entry:

Setting | Guideline
---|---
Name | Specify the name of the exclude configuration.
Destination Filters |
IP Address | Specify a destination IPv4 or IPv6 address. Security alarms for events with this destination address are not included in the audit log.
Port | Specify a destination port number. Security alarms for events with this destination port are not included in the audit log. The field accepts 0 through 4,294,967,295, although only 0 through 65,535 are valid TCP or UDP port numbers.
Source Filters |
IP Address | Specify a source IPv4 or IPv6 address. Security alarms for events with this source address are not included in the audit log.
Port | Specify a source port number. Security alarms for events with this source port are not included in the audit log. The field accepts 0 through 4,294,967,295, although only 0 through 65,535 are valid TCP or UDP port numbers.
Other Filters |
Event ID | Enter the event ID of a security event. The audit log does not include security alarms for the specified event ID.
Failure | Select this check box to apply this exclude entry only to failed events. By default, this check box is cleared, which means the entry applies to both failed and successful events.
Interface | Enter the name of the interface for which security alarms are not included in the security log.
Policy Name | Enter the name of the security policy for which security alarms are not included in the security log.
Process | Enter the name of the process that generates the events for which security alarms are not included in the security log.
Protocol | Enter the name of the protocol for which security alarms are not included in the security log.
Success | Select this check box to apply this exclude entry only to successful events. By default, this check box is cleared, which means the entry applies to both failed and successful events.
Username | Enter a username. Security alarms for events generated by that authenticated user are not included in the security log.
After you have configured security logging on the SRX Series devices, Security Director can receive those logs through a Log Collector.
See the separate procedures for adding the Log Collector as a special node using either the Security Director Log Collector or the JSA Log Collector.