hypercube
SRX240 SYSLOG Setting
I need to set the syslog level to error level 4 but I'm not sure of the configuration notation:
Here is a short section of the config:
I believe the issue is "any any" but I can't find the alternative that's needed.
If you know, then great. If you don't know then please don't confuse me! :-) The system is in production so I don't want to experiment.
Typically, I don't work with logging analyzers; I just know the basics from documentation (present in too many certifications, if you ask me, so I was forced to learn some basics :) ).
It should not matter whether it is in a Juniper context or not; it is a standardized severity list (defined in RFC 3164 and revised in RFC 5424, which made 3164 obsolete). Cisco (and most likely all other vendors) have exactly the same severity level list. I know nothing about the SIEM analyzer, but this is how it is typically done: you configure the device to log a specific severity level, and whatever is logged will be sent to the logging server (if a logging server is configured, of course). Every severity level (as you change levels from 7 to 0) generates significantly fewer messages, especially as you change from level 7 or 6 to level 5 (severity level 4 and above should not create many messages in a healthy environment).
any warning - looks good to me (even notice looks good), but I would not recommend myself as an adviser on the SIEM analyzer subject (and I don't know your needs) :)
For example, on Cisco, if an interface is shut it will generate the message:
%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to administratively down
The 5 is the severity level of the event. By default Cisco logs events of severity level 5 and above (up to 0).
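To make the severity threshold concrete, here is an added example (not code from the thread or from Juniper/Cisco) that decodes the standard syslog severity from a message and applies a Junos-style threshold such as `any error` or `any warning`. The severity numbers (emergency 0 through debug 7) and the Junos severity keywords are the RFC 5424 and Junos values; the sample log lines are constructed for the demonstration, and the PRI values in them (for example `<188>`) were chosen to decode to facility local7 with the severity noted beside each line. The Cisco `%FACILITY-SEVERITY-MNEMONIC` parsing shows that the same numeric scale is what Cisco embeds in its message headers.

```python
import re
from typing import List, Optional, Tuple

# Standard syslog severities (RFC 3164 / RFC 5424 section 6.2.1). Lower = more severe.
SEVERITIES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notice", 6: "info", 7: "debug",
}

# Junos severity keywords as used in "host <ip> { any <severity>; }".
# "any" means every level (everything up to and including debug),
# which is why "any any" floods a collector; "none" would disable the facility.
JUNOS_KEYWORDS = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "info": 6, "any": 7,
}

# "<PRI>" prefix of a syslog datagram: PRI = facility * 8 + severity, max 191.
PRI_RE = re.compile(r"^<(\d{1,3})>")
# Cisco IOS message header: %FACILITY-SEVERITY-MNEMONIC, e.g. %LINK-5-CHANGED.
CISCO_RE = re.compile(r"%[A-Z0-9_]+-(\d)-[A-Z0-9_]+")


def parse_pri(line: str) -> Optional[Tuple[int, int]]:
    """Return (facility, severity) decoded from a leading <PRI>, or None."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        return None
    return divmod(pri, 8)


def severity_of(line: str) -> Optional[int]:
    """Severity from the syslog PRI, falling back to a Cisco-style header."""
    pri = parse_pri(line)
    if pri is not None:
        return pri[1]
    m = CISCO_RE.search(line)
    return int(m.group(1)) if m else None


def levels_passed(junos_keyword: str) -> List[str]:
    """Names of the severities a Junos 'any <keyword>' statement forwards."""
    threshold = JUNOS_KEYWORDS[junos_keyword]
    return [SEVERITIES[s] for s in range(threshold + 1)]


def passes(line: str, junos_keyword: str) -> bool:
    """True if the message would be forwarded under 'any <junos_keyword>'."""
    sev = severity_of(line)
    return sev is not None and sev <= JUNOS_KEYWORDS[junos_keyword]


def filter_lines(lines: List[str], junos_keyword: str) -> List[str]:
    return [ln for ln in lines if passes(ln, junos_keyword)]


# Constructed sample messages (not real SRX output). 23*8 = 184, so <184+s>
# is facility local7 with severity s.
SAMPLE = [
    "<185>Jan  1 00:00:01 srx240 sample: alert-level message",       # severity 1
    "<187>Jan  1 00:00:02 srx240 sample: error-level message",       # severity 3
    "<188>Jan  1 00:00:03 srx240 sample: warning-level message",     # severity 4
    "<190>Jan  1 00:00:04 srx240 sample: info-level message",        # severity 6
    "<191>Jan  1 00:00:05 srx240 sample: debug-level message",       # severity 7
    "%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to administratively down",
]

if __name__ == "__main__":
    for keyword in ("any", "notice", "warning", "error"):
        kept = filter_lines(SAMPLE, keyword)
        print(f"any {keyword:<8} -> {len(kept)}/{len(SAMPLE)} forwarded "
              f"({', '.join(levels_passed(keyword))})")
```

Running it shows the drop-off the answer describes: `any any` forwards all six constructed lines, `any notice` five, `any warning` three and `any error` two. Anything at severity 5 to 7 (the bulk of a busy device's chatter) is cut by `any warning`, and `any error` additionally drops warnings; which of the two is right depends on what the SIEM is expected to alert on.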
ASKER
Thanks! It seems to be working.
Glad to hear it. You are welcome.
ASKER
So, I'm thinking now, with your guidance, that I perhaps should have something more like:
host 10.10.xxx.xxx {
any error; /* or perhaps any warning; */
port 514;
}
Do you see anything else that jumps out as curious in this configuration for this SIEM purpose?