
SYSLOG server for Juniper NetScreen SSG5

MERCOMMS asked:
I need a SYSLOG server for a NetScreen SSG5.  I have installed WallWatcher and it seems to be getting some events but not many.  I think I have the NetScreen configured properly but am expecting more stuff to be logged than I am seeing.

In Configuration->Report Settings->SysLog I have the correct IP for the machine running WallWatcher, event log and traffic log are both checked.  

Is there something else I have to do in the NetScreen, or is there another app that I need to be using as the SYSLOG server?  I am not married to WallWatcher; it is just something that I have used in the past that worked.

Commented:
I used splunk as my syslog server for netscreen devices, and must say I was very impressed with the results.

Author

Commented:
sangamc

Coincidentally I just uninstalled splunk as I could not get it to see anything coming from the SSG5 either.  I guess there is something else that has to be configured on the SSG5.

Commented:
This is what I configured on all my netscreens

Configuration > Report Settings > Syslog

enable syslog message = yes
source interface = ethernet1

no1. enabled
ip/hostname = ip of my splunk server
port = 514
security facility = LOCAL0
Facility = LOCAL0
event log = yes
traffic log = yes
tcp = no (this means syslog goes over UDP 514, make sure this port is open on syslog server and listening on UDP)

Then I configure this
Configuration > Report Settings > Log Settings

Syslog
Emergency = yes
alert = yes
critical = yes
error = yes
warning = yes
notification = no (turned it off since it was too much info)
information = no
debugging = no

hope this helps

Author

Commented:
sangamc:

Thanks.

My config looks the same except I have it sending everything in the Configuration > Report Settings > Log Settings section.  

What confuses me is the SYSLOG server is logging some things.

<132>ssg5-serial: netscreen device_id=0162082008007203  [root]system-warning-00519: admin user "netscreen" logged in for web(https) management (port 443) from 192.168.1.26:2621 (2011-12-05 15:03:43)
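To check what the SSG5 is actually sending, here is an added example (not from this thread, Juniper or WallWatcher) that decodes the syslog PRI value and the NetScreen fields of the line above. The notification-level line and the event code 00000 in it are constructed, and the severity set is taken from sangamc's Log Settings config earlier in the thread.

```python
import re

# The line exactly as shown in the thread (the PRI <132> is facility*8 + severity,
# so 132 = 16*8 + 4: facility local0, severity warning, matching the SSG5 config).
SAMPLE_LINE = (
    '<132>ssg5-serial: netscreen device_id=0162082008007203  '
    '[root]system-warning-00519: admin user "netscreen" logged in for '
    'web(https) management (port 443) from 192.168.1.26:2621 (2011-12-05 15:03:43)'
)
# Constructed sample at notification level (PRI 133 = local0 + severity 5);
# the event code 00000 is a placeholder, not a real NetScreen code.
SAMPLE_NOTIFICATION = (
    '<133>ssg5-serial: netscreen device_id=0162082008007203 '
    '[root]system-notification-00000: constructed sample event'
)

SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "information", "debugging"]

# Severity checkboxes sangamc enabled under Log Settings > Syslog.
SANGAMC_LEVELS = {"emergency", "alert", "critical", "error", "warning"}

LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<host>\S+): netscreen device_id=(?P<device_id>\S+)\s+"
    r"\[(?P<vsys>[^\]]+)\](?P<category>[a-z]+)-(?P<level>[a-z]+)-(?P<code>\d+): "
    r"(?P<msg>.*)$"
)


def parse_netscreen_syslog(line):
    """Return a dict of decoded fields, or None if the line is not NetScreen-shaped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    pri = int(rec["pri"])
    facility, severity = divmod(pri, 8)
    rec["pri"] = pri
    rec["facility_name"] = f"local{facility - 16}" if 16 <= facility <= 23 else str(facility)
    rec["severity_name"] = SEVERITIES[severity]
    # Admin-login events carry the client address as "from A.B.C.D:port".
    src = re.search(r"from (\d+\.\d+\.\d+\.\d+):(\d+)", rec["msg"])
    if src:
        rec["src_ip"], rec["src_port"] = src.group(1), int(src.group(2))
    return rec


def forwarded_at(rec, enabled_levels):
    """True if the Log Settings > Syslog checkboxes would let this record through."""
    return rec["severity_name"] in enabled_levels
```

Running the thread's line through the parser confirms the device is sending on local0 at warning level, while the constructed notification-level line would be dropped by sangamc's severity set but kept by the asker's all-enabled set.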

Commented:
That is strange indeed. So it appears you have the settings on both sides correct as far as connecting. When you check all the syslog items, are you also enabling all the internal and console options as well in Configuration > Report Settings > Log Settings?

Commented:
If it is logging this:
"<132>ssg5-serial: netscreen device_id=0162082008007203  [root]system-warning-00519: admin user "netscreen" logged in for web(https) management (port 443) from 192.168.1.26:2621 (2011-12-05 15:03:43)"

Then I wonder, did you turn on logging on the firewall rules themselves?  I suggest both on session creation as well as termination,

I hope this is it ;)

Author

Commented:
What do you mean on the "rules themselves".  

Configuration > Report Settings > Syslog
enable syslog message = yes
source interface = I have tried E0/0, e0/0, and bgroup0
ip/hostname = ip of my workstation running WallWatcher
port = 514
security facility = LOCAL0
Facility = LOCAL0
event log = yes
traffic log = yes
tcp = no

Configuration > Report Settings > Log Settings

Syslog
Emergency = yes
alert = yes
critical = yes
error = yes
warning = yes
notification = yes
information = yes
debugging = yes

Commented:
Hi Mercom,

I mean a rule like "trust to untrust any permit"

You're not going to see any traffic logs unless you turn on logging on the firewall rules you want logging from.

i.e.:

set policy from trust to untrust any any any permit log session-init

Kr,

Author

Commented:
I get the following error  "unknown keyword session-init"
Commented:
Just do it from the WebUI, it's in the advanced policy settings.... edit the policy you want to see the logging from, go to advanced and tick logging and "at session beginning"

I hope that works for you..


Commented:
well, not the advanced settings, but just the first page :)