MERCOMMS asked:
SYSLOG server for Juniper NetScreen SSG5

I need a SYSLOG server for a NetScreen SSG5. I have installed WallWatcher and it seems to be getting some events but not many. I think I have the NetScreen configured properly but am expecting more stuff to be logged than I am seeing.

In Configuration->Report Settings->SysLog I have the correct IP for the machine running WallWatcher, event log and traffic log are both checked.  

Is there something else I have to do in the NetScreen, or is there another app that I need to be using as the SYSLOG server? I am not married to WallWatcher; it is just something that I have used in the past that worked.
Sanga Collins:

I used Splunk as my syslog server for NetScreen devices, and must say I was very impressed with the results.
MERCOMMS (asker):
sangamc

Coincidentally I just uninstalled splunk as I could not get it to see anything coming from the SSG5 either.  I guess there is something else that has to be configured on the SSG5.
Sanga Collins:

This is what I configured on all my NetScreens:

Configuration > Report Settings > Syslog

enable syslog message = yes
source interface = ethernet1

no1. enabled
ip/hostname = ip of my splunk server
port = 514
security facility = LOCAL0
Facility = LOCAL0
event log = yes
traffic log = yes
tcp = no (this means syslog goes over UDP 514, make sure this port is open on syslog server and listening on UDP)

Then I configure this:
Configuration > Report Settings > Log Settings

Syslog
Emergency = yes
alert = yes
critical = yes
error = yes
warning = yes
notification = no (turned it off since it was too much info)
information = no
debugging = no

hope this helps
MERCOMMS (asker):

sangamc:

Thanks.

My config looks the same except I have it sending everything in the Configuration > Report Settings > Log Settings section.  

What confuses me is the SYSLOG server is logging some things.

<132>ssg5-serial: netscreen device_id=0162082008007203  [root]system-warning-00519: admin user "netscreen" logged in for web(https) management (port 443) from 192.168.1.26:2621 (2011-12-05 15:03:43)
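As an added example (not from the thread, and not Juniper's or WallWatcher's code), here is a small Python parser for the NetScreen line format quoted above. It decodes the syslog PRI into facility and severity, so `<132>` checks out as local0.warning and matches the `Facility = LOCAL0` and `warning = yes` settings discussed in the thread; it pulls out device_id, vsys, message id and timestamp, and tallies what actually reaches the collector per severity for comparison with the Log Settings checkboxes. The optional parenthesised tag after the message id is an assumption about other message types, and the second sample line is constructed.

```python
import re
from collections import Counter

# Sample input: the line quoted in the thread (verbatim) plus one constructed
# line at information severity; its 00000 message id is a placeholder.
SAMPLE_LINES = [
    '<132>ssg5-serial: netscreen device_id=0162082008007203  [root]system-warning-00519: '
    'admin user "netscreen" logged in for web(https) management (port 443) '
    'from 192.168.1.26:2621 (2011-12-05 15:03:43)',
    '<134>ssg5-serial: netscreen device_id=0162082008007203  [root]system-information-00000: '
    'constructed sample at information severity (2011-12-05 15:04:00)',
]

# RFC 3164 numbering: PRI = facility * 8 + severity, so <132> is local0.warning.
FACILITIES = ['kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news',
              'uucp', 'cron', 'authpriv', 'ftp', 'ntp', 'audit', 'alert', 'clock',
              'local0', 'local1', 'local2', 'local3', 'local4', 'local5', 'local6', 'local7']
SEVERITIES = ['emergency', 'alert', 'critical', 'error', 'warning',
              'notification', 'information', 'debugging']

LINE_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<host>\S+): netscreen device_id=(?P<device_id>\S+)\s+'
    r'\[(?P<vsys>[^\]]+)\](?P<category>[a-z]+)-(?P<level>[a-z]+)-(?P<msg_id>\d+)'
    r'(?:\((?P<tag>[a-z]+)\))?: (?P<body>.*?)'   # optional "(tag)" is assumed, not in the sample
    r'(?: \((?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\))?$')

def parse_netscreen(line):
    """Parse one NetScreen syslog line into a dict; None if it is not NetScreen-shaped."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    pri = int(rec.pop('pri'))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal PRI
        return None
    rec['facility'] = FACILITIES[pri // 8]
    rec['severity'] = SEVERITIES[pri % 8]
    # The severity word inside the message should agree with the PRI value; if a
    # collector filters on one while the device is configured by the other, lines vanish.
    rec['pri_consistent'] = (rec['severity'] == rec['level'])
    return rec

def severity_counts(lines):
    """Count parsed lines per facility.severity, to compare with the Log Settings boxes."""
    counts = Counter()
    for line in lines:
        rec = parse_netscreen(line)
        if rec is not None:
            counts[f"{rec['facility']}.{rec['severity']}"] += 1
    return counts
```

Feed it the lines a UDP/514 listener writes to disk; a severity that is ticked in Log Settings but never shows up in the tally is the one to chase on the device side.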
Sanga Collins:

That is strange indeed. So it appears you have the settings on both sides correct as far as connecting. When you check all the syslog items, are you also enabling all the internal and console options as well in Configuration > Report Settings > Log Settings?
If it is logging this:
"<132>ssg5-serial: netscreen device_id=0162082008007203  [root]system-warning-00519: admin user "netscreen" logged in for web(https) management (port 443) from 192.168.1.26:2621 (2011-12-05 15:03:43)"

Then I wonder, did you turn on logging on the firewall rules themselves? I suggest both on session creation as well as termination.

I hope this is it ;)
MERCOMMS (asker):

What do you mean by "the rules themselves"?

Configuration > Report Settings > Syslog
enable syslog message = yes
source interface = I have tried E0/0, e0/0, and bgroup0
ip/hostname = ip of my workstation running WallWatcher
port = 514
security facility = LOCAL0
Facility = LOCAL0
event log = yes
traffic log = yes
tcp = no

Configuration > Report Settings > Log Settings

Syslog
Emergency = yes
alert = yes
critical = yes
error = yes
warning = yes
notification = yes
information = yes
debugging = yes
Hi Mercom,

I mean a rule like "trust to untrust any permit"

You're not going to see any traffic logs unless you turn on logging on the firewall rules you want logging from.

i.e.:

set policy from trust to untrust any any any permit log session-init

Kr,
MERCOMMS (asker):

I get the following error: "unknown keyword session-init"
ASKER CERTIFIED SOLUTION
mindwise:
well, not the advanced settings, but just the first page :)