On the 5800 in stream mode (which is the way to go) you must configure a source 
address on each node.
Because the logs come from the control plane and NOT the routing engines.
So, the solution is to configure your security log under the groups stanza for 
both nodes.
Within each node, you configure the individual source address for each one.

Also, if you are making use of routing instances (I use a separate instance 
for my network management network), you may have to configure next-hop routes to 
the appropriate routing instance.
Since I use a particular host for lots of things including syslog, I ended up 
adding a secondary IP to that host for my next-hop route.


Will
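
As an added illustration of the approach Will describes (this is not his or Ahmed's configuration), here is a set-format Junos fragment that keeps the shared security log settings at the top level and carries only the per-node source-address in the node groups. All addresses and the routing-instance name mgmt-vr are placeholders, and the static route is only needed if the collector is reachable through a separate routing instance.

```junos
## Added example, not from the original thread. All IPs and the instance name are placeholders.

## Shared security log settings, identical on both cluster nodes
set security log mode stream
set security log format sd-syslog
set security log stream security-logs category all
set security log stream security-logs host 192.0.2.50
set security log stream security-logs host port 514

## Per-node source address: each node emits its own session logs from its own address,
## so the secondary node's session-close reasons reach the collector instead of showing as HA
set groups node0 security log source-address 192.0.2.11
set groups node1 security log source-address 192.0.2.12

## Each node applies only its own group (standard chassis-cluster pattern)
set apply-groups "${node}"

## Optional: collector lives in a separate routing instance (assumed name: mgmt-vr),
## so give the data-plane table a next-table route towards it
set routing-options static route 192.0.2.50/32 next-table mgmt-vr.inet.0
```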


On Oct 9, 2013, at 9:02 AM, Ahmed -Y wrote:

> Hello Guys,
> 
> I have two SRX 5800 firewalls in cluster active-active mode so both
> firewalls carry the session. I configured security logs sent to syslog
> server (precisely STRM), below is config.
> 
> security {
>     log {
>         mode stream;
>         format sd-syslog;
>         source-address <Master-Only IP>;
>         stream security-logs {
>             category all;
>             host {
>                 <STRM/SYSLog server IP>;
>                 port 514;
>             }
>         }
>     }
> }
> 
> I have recently noticed that only the primary firewall sends logs. If a session
> closes on the primary firewall, the log gives the reason for the session closure, like
> TCP FIN, RST, Timeout etc., but if the session closes on the secondary firewall,
> the reason in the log shows HA, so I can't see why the session was closed. Am I
> missing anything in the configuration? I will be thankful if you give your
> thoughts on it.
> 
> Regards
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

