Versions Compared

Old Version 5

changes.mady.by.user Aaron Gabriel (Deactivated)

Saved on

compared with

New Version 6

changes.mady.by.user Aaron Gabriel (Deactivated)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Version published after converting to the new editor

Insert excerpt
ESLP:Permissions for Log Relay and Remote Log Collection (snippet)
ESLP:Permissions for Log Relay and Remote Log Collection (snippet)
nopaneltrue

You can use this document to send Juniper logs to Armor's Security Information & Event Management (SIEM).

This document only applies to:

...

  1. Log into the Juniper SRX device.

  2. Access the privileged EXEC mode:

    Code Block
    languagebash
    themeMidnight
    user@hostname> configure


  3. Configure logging to a designated Armor Log Relay:

    Code Block
    languagebash
    themeMidnight
    [edit]
user@hostname(config)# set system syslog host <ipaddress1> <facility> <severity>
user@hostname(config)# set system syslog host <ipaddress1> port <port>
user@hostname(config)# set system syslog host <ipaddress1> source-address <ipaddress2>
user@hostname(config)# set system syslog host <ipaddress1> structured-data


    Note
    • In <ipaddress1>, enter the IP address of the designated Armor Log Relay instance.
      • To locate your IP address in AMP, in the left-side navigation, click Infrastructure, click Virtual Machines, and then review the Primary IP column for the corresponding virtual machine.
    • In <ipaddress2>, enter the source IP address on the SRX from where syslog messages will be sent.
    • In <facility>, to filter the type of logs sent to Armor, enter the corresponding facility number, such as 0 for kernel or 4 for authorization.
    • In <severity>, to filter the type of logs sent to Armor, enter the corresponding severity level from 0 to 7.
      • To send all log types, enter 7.

      • To learn about Juniper's severity levels, please review Juniper's documentation.

        Note

        If your SRX device is licensed to use the Unified Threat Management (UTM) security feature set, then Armor recommends that you configure the severity setting to capture all relevant UTM log messages, such as web filtering, content filtering, antispam, antivirus, etc. This action may cause non-UTM log messages not to be forward to AMP. Any unwanted log messages can be filtered using the MATCH command, along with the required regular expression syntax. To learn how to filter messages, please review Juniper's documentation.


    • In <port>, enter 10150 for UDP.
      • TCP is not supported.


  4. Save the changes:

    Code Block
    languagebash
    themeMidnight
    [edit}
user@hostname# commit


  5. Review the logging configuration:

    Code Block
    languagebash
    themeMidnight
    user@hostname# show system syslog


Info

Troubleshooting

Verify that logs are formatted correctly, similar to the following example:

Code Block
languagetext
themeMidnight
May 22 2019 16:11:55 asav-984 : %ASA-4-411004: Interface Management0/0, changed state to administratively down


...




Was this helpful?

Topics Discussed

...