How do I configure remote syslog logging a Juniper firewall - Connect IT Community

/* * These styles apply ONLY to the header and footer assets. */ * { padding: 0; margin: 0; box-sizing: border-box; } .super-nav { display: flex; justify-content: flex-end; align-items: center; margin: 0 auto; max-width: 1264px; padding-left: 40px; padding-right: 40px; height: 40px; text-align: right; } .super-nav a { color: #34427c; margin-right: 20px; padding: 10px; text-decoration: none; } .super-nav a:hover, .super-nav a:focus { background-color: #f7f9fa; } .footer { background: #f5f5f6; color: #555a62; font-size: 14px; line-height: 1.5; padding: 0; } .footer-image { background-image: url("/themes/kaseya/assets/images/footerImage.png"); height: 500px; background-repeat: no-repeat; background-size: cover; margin-top: -100px; } .footer-wrap { padding-left: 18px; padding-right: 18px; max-width: 1236px; margin: 0 auto; } .footer-main-content { background-color: #000; padding: 100px 0; } .footer .footer-col-title { color: #ffffff; font-weight: 700; font-size: 13px; padding-bottom: 10px; text-transform: uppercase; } .footer .footer-link { color: #9b9ca0; text-decoration: none; } .footer .footer-link:hover, .footer .footer-link:focus, .footer .footer-link:active { text-decoration: underline; } .footer-main-content .footer-link { padding-top: 10px; } .footer-row { display: flex; flex-wrap: wrap; justify-content: space-between; align-items: center; margin: -3px; } .footer-main-content-row { align-items: flex-start; } .footer-bottom-content { padding: 10px; align-items: center; } .footer-col { padding: 0 3px; display: flex; flex-direction: column; } .footer-col-copyRight { justify-content: flex-start; color: #9b9ca0; flex: 1; display: flex; } .footer-last-col { flex-direction: row; } .footer-last-col .footer-link { padding-right: 10px; text-transform: uppercase; } @media screen and (max-width: 768px) { .super-nav { padding-right: 0; } .footer-image { height: 250px; } .footer-main-content { padding: 40px 0; } .footer .footer-col-title { padding-top: 10px; } .footer-row:not(.footer-main-content-row) { display: block; } .footer-col:not(.footer-main-content-col) { width: 100%; text-align: center; padding: 10px 0; } .footer-main-content-col { width: 50%; } .footer-last-col { flex-direction: column; } .footer-last-col .footer-link { padding-bottom: 10px; } } /*# sourceMappingURL=styles.css.map */ Ask the Community Groups

How do I configure remote syslog logging a Juniper firewall - Connect IT Community | Kaseya

This article will walk through the steps required to enable syslog forwarding on a Juniper Firewall

Enable syslog server reporting

1. On the Juniper Firewall, ssh into configuration CLI.

2. Enter the configure menu
> configure

3. Select security log hierarchy
> edit security log
> set mode stream

4. Assign the address of remote syslog server (rocketagent server).
For demonstration 10.5.5.100 is used.
> set stream remote-logging host 10.5.5.100 any any

5. Assign a location where a local syslog is stored.
> set stream local-logging file name local-logs

6. Configuration may be reviewed.
> show
mode stream:
stream remote-logging {
host{
10.5.5.100;
}
}
stream local-logging {
file {
name local-logs;
}
}

Enable Logging of Events

Rocket Agent monitors the following event types; Internet Traffic, Intrusion Detection, and Failed Login authorization attempts. Each system policy must be defined, enabled, and configured to allow syslog reporting.

Internet Traffic. (Inet-access policy)
The firewall has a default Inet-access policy. To view and modify the policy:
>edit security policies from-zone Users to-zone Internet policy Inet-access
show
match {
source-address any;
destination-address any;
application any;
}
then {
permit
}

Enable Inet-access events to syslog
>set then log session-init
>commit
Intrusion Detection (IDP policy rule base)
A default policy exists which allows an admin to customize by specifying which intrusion events will be detected. We recommend the following configuration of events:
>set security screen ids-option internet-screen-options icmp ip-sweep
>set security screen ids-option internet-screen-options icmp ping-death
>set security screen ids-option internet-screen-options ip bad-option
>set security screen ids-option internet-screen-options ip spoofing
>set security screen ids-option internet-screen-options ip tear-drop
>set security screen ids-option internet-screen-options tcp syn-fin
>set security screen ids-option internet-screen-options tcp tcp-no-flag
>set security screen ids-option internet-screen-options tcp syn-frag
>set security screen ids-option internet-screen-options tcp port-scan.
>set security screen ids-option internet-screen-options tcp syn-ack-ack-proxy
>set security screen ids-option internet-screen-options tcp land
>set security screen ids-option internet-screen-options tcp winnuke
>set security screen ids-option internet-screen-options tcp tcp-sweep
>set security screen ids-option internet-screen-options udp flood
>set security screen ids-option internet-screen-options udp udp-sweep
>set security screen ids-option internet-screen-options udp port-scan
>set security screen ids-option internet-screen-options limit-session source-ip-based 1000
>set security screen ids-option internet-screen-options limit-session destination-ip-based 1000

The IDP policy can be reviewed using the following command.
>show security idp active-policy
active-policy Recommended;
then {
action {
recommended;
}
notification {
log-attacks;
}
}

Ensure IDP policy is enabled.
>set security policy from-zone sec-zone-source to-zone sec-zone-destination policy name-of-sec-policy then permit application-services idp
Form a routing rule to forward IDP/IDS events to syslog
>set system syslog host 10.5.5.100 match "RT_IDP|RT_IDS"
>commit
Failed Login Authorization Attempts This is accomplished monitoring interactive commands interface. To route these
messages to the syslog;
>set system syslog host 10.5.5.100 interactive-commands any
>commit

Syslog Log Formats

IDS Event: <19>Feb 3 03:30:05 SRX-2 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! ource:172.xxx.xxx.213, destination: 185.xxx.xx.76, zone name: manage, interface name: ge-0/0/0.0

IDP Event: <19>Dec 28 15:09:30 ankara RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1325084969, TRAFFIC Attack log <192.xxx.xxx.2/37731->212.xxx.xxx.78/443> for TCP protocol and service SERVICE_NONE application NONE by rule 1 of rulebase IPS in policy My_Policy. attack: repeat=0, action=TRAFFIC_IPACTION_DROP, threat-severity=INFO, name=_, NAT <172.xxx.xxx.219:42029->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:lan:fe-0/0/1.0->wan:fe-0/0/0.0, packet-log-id: 0 and misc-message -

IP Traffic Event: <19>Dec 17 08:04:45 srx-firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created xx.xx.xx.xx/53836->xx.xx.xx.xx/22 junos-ssh xx.xx.xx.xx/53836->10.10.10.1/22 None None 6 log-host-traffic untrust junos-host 5 N/A(N/A) ge-0/0/1.0

Authorization Event: <19>Jun 15 02:46:39 srx-firewall mgd[8265]: FWAUTH_TELNET_USER_AUTH_FAIL: User 'tsmith' at 'xx.xx.xx.123' is rejected.