It looks like since the connection is being denied there is never a session initialized or closed to be logged?

Would you be able to get the logging you need by doing it on an input filter in the interface(s)? It seems like it's having to examine the traffic twice, but maybe it's more efficient in the internals?

On Mon, Feb 25, 2013 at 04:10:49PM -0500, Mike Devlin wrote:
> nope, that didn't work either :(
>
> meeks@MeeksNet-SRX210# run show log TEST-DENY
>
> [edit]
>
> meeks@MeeksNet-SRX210# show system syslog file TEST-DENY
> any any;
> match RT_FLOW;
>
> [edit]
>
> On Sat, Feb 23, 2013 at 2:35 AM, Farrukh Haroon <farrukhhar...@gmail.com> wrote:
>
> > Hello Mike
> >
> > Was wondering if you can get the deny logs while doing local logging?
> >
> > set system syslog file TEST-DENY any any
> > set system syslog file TEST-DENY match RT_FLOW
> >
> > Regards
> > Farrukh
> >
> >
> > On Fri, Feb 22, 2013 at 4:39 AM, Mike Devlin <juni...@meeksnet.ca> wrote:
> >
> >> So fingers crossed that this is an easy one for you guys,
> >>
> >> Device is an SRX210BE running 11.4R5.5 code.
> >>
> >> I've added the syslog host to the config
> >>
> >> meeks@MeeksNet-SRX210> show configuration system syslog
> >> archive size 100k files 3;
> >> user * {
> >>     any emergency;
> >> }
> >> host 192.168.1.12 {
> >>     any any;
> >> }
> >> file messages {
> >>     any critical;
> >>     authorization info;
> >> }
> >> file interactive-commands {
> >>     interactive-commands error;
> >> }
> >> file security {
> >>     security any;
> >> }
> >> file default-log-messages {
> >>     any any;
> >>     match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|(vc add)|(vc delete)|transitioned|Transferred|transfer-file|QFABRIC_NETWORK_NODE_GROUP|QFABRIC_SERVER_NODE_GROUP|QFABRIC_NODE|(license add)|(license delete)|(package -X update)|(package -X delete)|GRES|CFMD_CCM_DEFECT|LFMD_3AH|MEDIA_FLOW_ERROR|RPD_MPLS_PATH_BFD";
> >>     structured-data;
> >> }
> >>
> >> and implemented the default deny template I found here:
> >>
> >> http://kb.juniper.net/InfoCenter/index?page=content&id=KB20778&actp=RSS
> >>
> >> meeks@MeeksNet-SRX210> show configuration groups
> >> default-deny-template {
> >>     security {
> >>         policies {
> >>             from-zone untrust to-zone trust {
> >>                 policy default-deny {
> >>                     match {
> >>                         source-address any;
> >>                         destination-address any;
> >>                         application any;
> >>                     }
> >>                     then {
> >>                         deny;
> >>                         log {
> >>                             session-init;
> >>                         }
> >>                     }
> >>                 }
> >>             }
> >>         }
> >>     }
> >> }
> >>
> >> meeks@MeeksNet-SRX210> show configuration apply-groups
> >> ## Last commit: 2013-02-21 16:05:36 EST by meeks
> >> apply-groups default-deny-template;
> >>
> >> However, when I log on to the syslog host and tail the syslog file, I do not see denies being logged remotely.
> >>
> >> If I apply the session-init and session-close options to permitted traffic, it does get logged remotely.
> >>
> >> Alternatively,
> >>
> >> creating a new policy has the same result, regardless of whether I use reject or deny
> >>
> >> meeks@MeeksNet-SRX210# show security policies from-zone untrust to-zone trust policy deny-all
> >> match {
> >>     source-address any;
> >>     destination-address any;
> >>     application any;
> >> }
> >> then {
> >>     deny;
> >>     log {
> >>         session-init;
> >>     }
> >> }
> >>
> >> My google-foo is failing, so I hope you guys can help.
> >>
> >> Looking forward to hearing back from you,
> >>
> >> Mike
> >> _______________________________________________
> >> juniper-nsp mailing list juniper-nsp@puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/juniper-nsp

-- 
Hans K. Fiedler
h...@hermes.louisville.edu
502-852-7427
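The symptom Mike describes (permit sessions show up on the collector, denies do not) is easiest to confirm by checking the collector side rather than eyeballing a tail. The following Python checker is an added illustration and is not code from this thread or from Juniper. It scans syslog lines for RT_FLOW session events, pulls the fields out of RT_FLOW_SESSION_DENY messages, and reports whether any deny from a named policy arrived. The sample lines are constructed; their field order follows the unstructured RT_FLOW syslog format of Junos 11.x as I understand it, which is an assumption, and the addresses, ports and the `allow-out` policy name are made up.

```python
import re
from collections import Counter

# Constructed sample of what the remote syslog host might hold. The CREATE line
# is the kind of event Mike says he does see; the DENY line is what the
# default-deny policy with "log session-init" should produce. Field layout
# assumed from the Junos 11.x unstructured RT_FLOW format, not taken from the thread.
SAMPLE_SYSLOG = """\
Feb 22 04:30:01 MeeksNet-SRX210 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.1.50/50213->203.0.113.5/443 junos-https 192.168.1.50/50213->203.0.113.5/443 None None 6 allow-out trust untrust 1234
Feb 22 04:31:10 MeeksNet-SRX210 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 198.51.100.7/41022->192.168.1.12/22 junos-ssh 6(0) default-deny untrust trust UNKNOWN UNKNOWN UNKNOWN
Feb 22 04:31:11 MeeksNet-SRX210 sshd[1234]: Accepted password for meeks from 192.168.1.50 port 50300 ssh2
"""

# Any RT_FLOW session event, used only to tally what kinds of events arrive.
EVENT_RE = re.compile(r"RT_FLOW_SESSION_(CREATE|CLOSE|DENY)")

# Fields of a deny event: src/sport->dst/dport service proto(icmp-type) policy from-zone to-zone
DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"(?P<service>\S+) (?P<proto>\d+)\(\d+\) (?P<policy>\S+) "
    r"(?P<from_zone>\S+) (?P<to_zone>\S+)"
)


def count_flow_events(lines):
    """Tally RT_FLOW session events by type; lines without RT_FLOW are ignored."""
    counts = Counter()
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def parse_denies(lines):
    """Return one dict per RT_FLOW_SESSION_DENY line with its fields typed."""
    denies = []
    for line in lines:
        m = DENY_RE.search(line)
        if not m:
            continue
        fields = m.groupdict()
        for key in ("sport", "dport", "proto"):
            fields[key] = int(fields[key])
        denies.append(fields)
    return denies


def check_deny_logging(lines, policy):
    """Say whether denies from `policy` reached the collector, and if not, which
    layer to look at: no RT_FLOW at all points at syslog transport, permits
    without denies points at the deny policy's own log configuration."""
    counts = count_flow_events(lines)
    denies = [d for d in parse_denies(lines) if d["policy"] == policy]
    if denies:
        return f"OK: {len(denies)} deny event(s) from policy {policy} seen"
    if counts["CREATE"] or counts["CLOSE"]:
        return (f"MISSING: permit events arrive ({counts['CREATE']} create, "
                f"{counts['CLOSE']} close) but no RT_FLOW_SESSION_DENY from "
                f"policy {policy}; syslog transport works, look at the deny policy's logging")
    return "MISSING: no RT_FLOW events at all; look at the syslog host/facility config first"


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    print(check_deny_logging(lines, "default-deny"))
    for d in parse_denies(lines):
        print(f"{d['src']}:{d['sport']} -> {d['dst']}:{d['dport']} "
              f"{d['service']} denied by {d['policy']} ({d['from_zone']}->{d['to_zone']})")
```

Feed it `tail -n 10000 /var/log/syslog` from the collector, or the output of `run show log TEST-DENY` on the box, and the verdict tells you whether the gap is in transport (nothing at all) or in the policy's logging (permits but no denies), which is exactly the split Mike's report already implies.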