Solved

SRX240 SYSLOG Setting

Posted on 2016-11-04
6
150 Views
Last Modified: 2016-11-19
I need to set the syslog level to error level 4 but I'm not sure of the configuration notation:

Here is a short section of the config:
I believe the issue is "any any" but I can't find the alternative that's needed.

If you know, then great.  If you don't know then please don't confuse me!  :-)  The system is in production so I don't want to experiment.
Question by:Fred Marshall
6 Comments
 
LVL 30

Accepted Solution

by:
Predrag earned 500 total points
ID: 41874908
What facilities? Junos OS System Logging Facilities

System Log Message Severity:

any - Includes all severity levels

0 - emergency - System panic or other condition that causes the router to stop functioning
1 - alert - Conditions that require immediate correction, such as a corrupted system database
2 - critical - Critical conditions, such as hard errors
3 - error - Error conditions that generally have less serious consequences than errors at the emergency, alert, and critical levels
4 - warning - Conditions that warrant monitoring
5 - notice - Conditions that are not errors but might warrant special handling
6 - info - Events or nonerror conditions of interest
7 - debug - Events that relate to debugging a device

Juniper example - with explanation. :)

Could be different for SRX240, but the basics should be the same.

So, the first "any" is facility - all facilities
The second one "any" is all error severity levels

any warning    <-- would be any facility for severity level 4 to 0
 
LVL 26

Author Comment

by:Fred Marshall
ID: 41875052
Thanks!  Well I'm still just a little confused.  The settings now are generating *way* too much data and most isn't needed.  The need is to send logs into an SIEM analyzer.  It was suggested that I "change facility to local 4" and "error" was part of the description as well.  The discussion was NOT in a Juniper context.

So, I'm thinking now, with your guidance, that I perhaps should have something more like:

host 10.10.xxx.xxx {
     any error; /* or perhaps any warning; */
     port 514;
}

Do you see anything else that jumps out as curious in this configuration for this SIEM purpose?
 
LVL 30

Expert Comment

by:Predrag
ID: 41875155
Typically, I don't work with logging analyzers; I just know the basics from documentation (present in too many certifications, if you ask me, so I was forced to learn some basics :) ).
It should not matter whether or not it is in a Juniper context; it is a standardized severity list (defined in RFC 3164 and revised in RFC 5424 (which made 3164 obsolete)). Cisco (and most likely all other vendors) have exactly the same severity level list. I know nothing about SIEM analyzers, but this is how it is typically done: you configure the device to log a specific severity level and whatever is logged will be sent to the logging server (if a logging server is configured, of course). Every severity level (as you change levels from 7 to 0) generates significantly fewer messages, especially as you change from level 7 or 6 to level 5 (severity level 4 and above should not create many messages in a healthy environment).

any warning - looks good to me (even notice looks good), but I would not recommend myself as an adviser on the SIEM analyzer subject (and I don't know your needs) :)

For example, on Cisco, if an interface is shut it will generate a message like:
%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to administratively down

The 5 is the event's severity level. By default Cisco logs events of severity level 5 and above (up to 0).
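To make the facility/severity rule from the accepted answer concrete, here is an added Python example (not from this thread, Juniper or Cisco) that decodes the RFC 5424 PRI value of a few constructed syslog lines and counts how many a collector would receive under "any any", "any warning" and "any error" selectors. The RFC 5424 facility keywords, the host address and the sample lines are assumptions for illustration; Junos uses its own facility names, but the severity threshold logic is the same.

```python
import re

# RFC 5424 severity keywords in numeric order (0 = most severe).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]
# RFC 5424 facility codes 0-23 (16-23 are local0-local7); assumed keyword spellings.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

def decode_pri(pri):
    """Split an RFC 5424 PRI value (facility * 8 + severity) into keywords."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def parse_selectors(stanza):
    """Pull 'facility severity;' pairs out of a Junos-style host stanza."""
    pairs = re.findall(r"^\s*([a-z][a-z0-9-]*)\s+([a-z]+)\s*;\s*$", stanza, re.M)
    return [(f, s) for f, s in pairs if s in SEVERITIES or s in ("any", "none")]

def forwarded(selectors, facility, severity):
    """Sent if a selector names the facility (or 'any') and the message is at or more severe
    than the threshold (lower number = more severe); 'any' passes all, 'none' passes nothing."""
    for fac, sev in selectors:
        if fac != "any" and fac != facility:
            continue
        if sev == "any":
            return True
        if sev != "none" and SEVERITIES.index(severity) <= SEVERITIES.index(sev):
            return True
    return False

def count_forwarded(stanza, messages):
    """Count which of the messages the host in the stanza would receive."""
    selectors = parse_selectors(stanza)
    sent = 0
    for line in messages:
        pri = int(re.match(r"<(\d+)>", line).group(1))
        if forwarded(selectors, *decode_pri(pri)):
            sent += 1
    return sent

# Constructed sample messages; the PRI prefix encodes facility and severity.
SAMPLE = [
    "<163>Nov  4 10:00:01 srx240 app[1]: local4.error   (20*8+3)",
    "<164>Nov  4 10:00:02 srx240 app[1]: local4.warning (20*8+4)",
    "<165>Nov  4 10:00:03 srx240 app[1]: local4.notice  (20*8+5)",
    "<38>Nov  4 10:00:04 srx240 sshd[2]: auth.info       (4*8+6)",
    "<3>Nov  4 10:00:05 srx240 kernel: kern.error        (0*8+3)",
]
ANY_ANY = "host 10.10.0.1 {\n    any any;\n    port 514;\n}"   # assumed collector address
ANY_WARNING = ANY_ANY.replace("any any;", "any warning;")
ANY_ERROR = ANY_ANY.replace("any any;", "any error;")
```

Running count_forwarded over the three stanzas shows the volume drop the thread describes: 5 messages with "any any", 3 with "any warning", 2 with "any error".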
 
LVL 26

Author Closing Comment

by:Fred Marshall
ID: 41894427
Thanks!  It seems to be working.
 
LVL 30

Expert Comment

by:Predrag
ID: 41894541
Glad to hear it. You are welcome.
