Topics Discussed
To obtain Log Relay and to configure your account for remote log collection, you must have the following AMP permissions added to your account:
Write Virtual Machine
Delete Log Management
Read Log Endpoints
Read Log Relays
Write Log Relays
Delete Log Relays
You can use this document to send Juniper logs to Armor's Security Information & Event Management (SIEM).
This document only applies to:
SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650, vSRX
Juniper SRX (JUNOS 15.X)
Juniper SRX (JUNOS 17.X)
Juniper SRX (JUNOS 18.X)
Juniper SRX (JUNOS 19.X)
Pre-Deployment Considerations
To create a remote Log Relay, you must already have:
A Log Relay server on your account
To learn how to add Log Relay to your account, see Obtain Log Relay for Remote Log Collection
Configured the system clock
Update Your Juniper Device
Log into the Juniper SRX device.
Access the privileged EXEC mode:
user@hostname> configure
Configure logging to a designated Armor Log Relay:
[edit] user@hostname(config)# set system syslog host <ipaddress1> <facility> <severity> user@hostname(config)# set system syslog host <ipaddress1> port <port> user@hostname(config)# set system syslog host <ipaddress1> source-address <ipaddress2> user@hostname(config)# set system syslog host <ipaddress1> structured-data
- In <ipaddress1>, enter the IP address of the designated Armor Log Relay instance.
- To locate your IP address in AMP, in the left-side navigation, click Infrastructure, click Virtual Machines, and then review the Primary IP column for the corresponding virtual machine.
- In <ipaddress2>, enter the source IP address on the SRX from where syslog messages will be sent.
- In <facility>, to filter the type of logs sent to Armor, enter the corresponding facility number, such as 0 for kernel or 4 for authorization.
- To learn about Juniper's facility numbering system, please review Juniper's documentation.
- In <severity>, to filter the type of logs sent to Armor, enter the corresponding severity level from 0 to 7.
- To send all log types, enter 7.
To learn about Juniper's severity levels, please review Juniper's documentation.
If your SRX device is licensed to use the Unified Threat Management (UTM) security feature set, then Armor recommends that you configure the severity setting to capture all relevant UTM log messages, such as web filtering, content filtering, antispam, antivirus, etc. This action may cause non-UTM log messages not to be forward to AMP. Any unwanted log messages can be filtered using the MATCH command, along with the required regular expression syntax. To learn how to filter messages, please review Juniper's documentation.
- In <port>, enter 10150 for UDP.
- TCP is not supported.
- In <ipaddress1>, enter the IP address of the designated Armor Log Relay instance.
Save the changes:
[edit} user@hostname# commit
Review the logging configuration:
user@hostname# show system syslog
Troubleshooting
Verify that logs are formatted correctly, similar to the following example:
May 22 2019 16:11:55 asav-984 : %ASA-4-411004: Interface Management0/0, changed state to administratively down
Additional Documentation
Review the following documentation from Juniper: