How do I configure remote syslog logging on a Juniper firewall - Connect IT Community | Kaseya
<main> <article class="userContent"> <h2 data-id="this-article-will-walk-through-the-steps-required-to-enable-syslog-forwarding-on-a-juniper-firewall">This article will walk through the steps required to enable syslog forwarding on a Juniper Firewall</h2>
<h3 data-id="enable-syslog-server-reporting"><strong>Enable syslog server reporting</strong></h3>
<p>1. On the Juniper firewall, SSH in and open the configuration CLI.</p>
<p>2. Enter configuration mode:</p>
<pre>> configure</pre>
<p>3. Select the security log hierarchy and set stream mode:</p>
<pre>> edit security log
> set mode stream</pre>
<p>4. Assign the address of the remote syslog server (the Rocket Agent server). 10.5.5.100 is used for demonstration.</p>
<pre>> set stream remote-logging host 10.5.5.100 any any</pre>
<p>5. Assign the file in which a local copy of the log is stored.</p>
<pre>> set stream local-logging file name local-logs</pre>
<p>6. Review the configuration:</p>
<pre>> show
mode stream;
stream remote-logging {
    host {
        10.5.5.100;
    }
}
stream local-logging {
    file {
        name local-logs;
    }
}</pre>
<h3 data-id="enable-logging-of-events">Enable Logging of Events</h3>
<p>Rocket Agent monitors the following event types: Internet traffic, intrusion detection, and failed login authorization attempts. Each corresponding system policy must be defined, enabled, and configured to report to syslog.</p>
<ol>
<li><strong><em>Internet Traffic (Inet-access policy)</em></strong><br>The firewall has a default Inet-access policy. To view and modify the policy:
<pre>> edit security policies from-zone Users to-zone Internet policy Inet-access
> show
match {
    source-address any;
    destination-address any;
    application any;
}
then {
    permit;
}</pre>
Enable logging of Inet-access session events to syslog:
<pre>> set then log session-init
> commit</pre></li>
<li><strong><em>Intrusion Detection (IDP policy rule base)</em></strong><br>A default policy exists; an administrator can customize it by specifying which intrusion events are detected. We recommend enabling the following events:
<pre>> set security screen ids-option internet-screen-options icmp ip-sweep
> set security screen ids-option internet-screen-options icmp ping-death
> set security screen ids-option internet-screen-options ip bad-option
> set security screen ids-option internet-screen-options ip spoofing
> set security screen ids-option internet-screen-options ip tear-drop
> set security screen ids-option internet-screen-options tcp syn-fin
> set security screen ids-option internet-screen-options tcp tcp-no-flag
> set security screen ids-option internet-screen-options tcp syn-frag
> set security screen ids-option internet-screen-options tcp port-scan
> set security screen ids-option internet-screen-options tcp syn-ack-ack-proxy
> set security screen ids-option internet-screen-options tcp land
> set security screen ids-option internet-screen-options tcp winnuke
> set security screen ids-option internet-screen-options tcp tcp-sweep
> set security screen ids-option internet-screen-options udp flood
> set security screen ids-option internet-screen-options udp udp-sweep
> set security screen ids-option internet-screen-options udp port-scan
> set security screen ids-option internet-screen-options limit-session source-ip-based 1000
> set security screen ids-option internet-screen-options limit-session destination-ip-based 1000</pre>
<em>The IDP policy can be reviewed with the following command.</em>
<pre>> show security idp active-policy
active-policy Recommended;
then {
    action {
        recommended;
    }
    notification {
        log-attacks;
    }
}</pre>
<em>Ensure the IDP policy is enabled on the security policy that carries the traffic, replacing the placeholder zone and policy names.</em>
<pre>> set security policies from-zone sec-zone-source to-zone sec-zone-destination policy name-of-sec-policy then permit application-services idp</pre>
<em>Add a syslog rule that forwards IDP/IDS events to the syslog host.</em>
<pre>> set system syslog host 10.5.5.100 match "RT_IDP|RT_IDS"
> commit</pre></li>
<li><strong><em>Failed Login Authorization Attempts</em></strong><br>This is accomplished by monitoring the interactive-commands facility. To route these messages to the syslog host:
<pre>> set system syslog host 10.5.5.100 interactive-commands any
> commit</pre></li>
</ol>
<h3 data-id="syslog-log-formats">Syslog Log Formats</h3>
<p><strong>IDS Event:</strong><br>&lt;19>Feb 3 03:30:05 SRX-2 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source:172.xxx.xxx.213, destination: 185.xxx.xx.76, zone name: manage, interface name: ge-0/0/0.0<br><br>
<strong>IDP Event:</strong><br>&lt;19>Dec 28 15:09:30 ankara RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1325084969, TRAFFIC Attack log &lt;192.xxx.xxx.2/37731->212.xxx.xxx.78/443> for TCP protocol and service SERVICE_NONE application NONE by rule 1 of rulebase IPS in policy My_Policy. attack: repeat=0, action=TRAFFIC_IPACTION_DROP, threat-severity=INFO, name=_, NAT &lt;172.xxx.xxx.219:42029->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:lan:fe-0/0/1.0->wan:fe-0/0/0.0, packet-log-id: 0 and misc-message -<br><br>
<strong>IP Traffic Event:</strong><br>&lt;19>Dec 17 08:04:45 srx-firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created xx.xx.xx.xx/53836->xx.xx.xx.xx/22 junos-ssh xx.xx.xx.xx/53836->10.10.10.1/22 None None 6 log-host-traffic untrust junos-host 5 N/A(N/A) ge-0/0/1.0<br><br>
<strong>Authorization Event:</strong><br>&lt;19>Jun 15 02:46:39 srx-firewall mgd[8265]: FWAUTH_TELNET_USER_AUTH_FAIL: User 'tsmith' at 'xx.xx.xx.123' is rejected.</p> </article> </main>
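The four log formats above are what the collector on the syslog host has to parse. As an added example (not part of the original article and not Kaseya's Rocket Agent code), this Python parser splits the BSD syslog header from the Junos event tag, decodes the `<19>` priority into facility and severity, pulls the first `src/port->dst/port` pair where one is present, and sorts each line into the three event classes the article says are monitored; the sample lines are constructed from the article's examples with the masked addresses left as-is.

```python
import re
from collections import Counter
from typing import Optional
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]  # index PRI % 8
# <PRI>Mon D HH:MM:SS host process[pid]: TAG: message  (BSD syslog header + Junos event tag)
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[A-Za-z_]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<tag>[A-Z0-9_]+): (?P<msg>.*)$")
# "src/port->dst/port" as written in RT_FLOW and RT_IDP messages (the first pair is taken)
FLOW = re.compile(r"(?P<src>[\w.]+)/(?P<sport>\d+)->(?P<dst>[\w.]+)/(?P<dport>\d+)")
# Constructed samples modelled on the article's four formats (addresses masked as there)
SAMPLE_LOGS = [
    "<19>Feb 3 03:30:05 SRX-2 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source:172.xxx.xxx.213, "
    "destination: 185.xxx.xx.76, zone name: manage, interface name: ge-0/0/0.0",
    "<19>Dec 28 15:09:30 ankara RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1325084969, TRAFFIC Attack log "
    "<192.xxx.xxx.2/37731->212.xxx.xxx.78/443> for TCP protocol by rule 1 of rulebase IPS in policy My_Policy.",
    "<19>Dec 17 08:04:45 srx-firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created "
    "xx.xx.xx.xx/53836->xx.xx.xx.xx/22 junos-ssh xx.xx.xx.xx/53836->10.10.10.1/22 None None 6 "
    "log-host-traffic untrust junos-host 5 N/A(N/A) ge-0/0/1.0",
    "<19>Jun 15 02:46:39 srx-firewall mgd[8265]: FWAUTH_TELNET_USER_AUTH_FAIL: "
    "User 'tsmith' at 'xx.xx.xx.123' is rejected.",
]

def classify(proc: str, tag: str) -> str:
    """Map the Junos process/tag to the three classes the article says Rocket Agent monitors."""
    if proc in ("RT_IDS", "RT_IDP"):   # screen (ids-option) hits and IDP policy hits
        return "intrusion-detection"
    if proc == "RT_FLOW":              # session-init logging from the Inet-access policy
        return "internet-traffic"
    return "failed-login" if tag.endswith("_AUTH_FAIL") else "other"

def parse(line: str) -> Optional[dict]:
    """Return a structured record, or None when the header does not match (never guess)."""
    m = HEADER.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    rec = {"facility": pri // 8, "severity": SEVERITY[pri % 8], "host": m["host"], "proc": m["proc"],
           "tag": m["tag"], "category": classify(m["proc"], m["tag"]), "msg": m["msg"]}
    flow = FLOW.search(m["msg"])
    if flow:
        rec.update(src=flow["src"], dst=flow["dst"], dport=int(flow["dport"]))
    return rec

def summarize(lines) -> Counter:
    """Count events per category; lines that do not parse are counted as 'unparsed'."""
    recs = [parse(line) for line in lines]
    return Counter(r["category"] if r else "unparsed" for r in recs)
```

Lines that do not match the header are counted rather than silently dropped, so a collector can alarm when the firewall's log format changes or when something other than the firewall is sending to the port.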