Juniper SRX Branch + NSM + Logging + High CPU (Syslog)

1. Log directly to a syslog server instead
2. NSM 2011.1 appears to support SRX sd-syslog format.

NSM can be configured to receive syslog messages directly. See page 765 of

http://www.juniper.net/techpubs/software/management/security-manager/nsm2011_1/nsm-admin-guide.pdf

set security log mode stream
set security log format sd-syslog
set security log source-address <source address of dmi device>
set security log stream nsm-dataplane-log category all
set security log stream nsm-dataplane-log severity info
set security log stream nsm-dataplane-log format sd-syslog
set security log stream nsm-dataplane-log host <ip of nsm devSvr>
set security log stream nsm-dataplane-log port 5140

The error in default-log-messages is:

“UI_CONFIGURATION_ERROR: Process: rtlogd, path: [edit security log], statement: stream nsm-dataplane-log, Stream has no meaning when system-event-mode is on”

[edit system syslog]
# show
file default-log-messages {
    any any;
    match "!(.*dfwd_ev_client.*)";
    structured-data;
}

 

Configuring the DMI Device for Stream Mode

To configure the DMI device to send the logs to NSM using stream mode:

1. Edit the /var/netscreen/DevSvr/devSvr.cfg file and set the devSvr.enableSyslogOverUdp parameter to true:
   devSvr.enableSyslogOverUdp true
2. Restart the DevSvrMgr.
3. In the NSM navigation tree, select Device Manager > Devices.
4. Click the Device Tree tab, and then double-click the device for which you want to configure stream mode.
5. Click the Configuration tab. In the configuration tree, select Security > Log.
6. Configure the following parameters:
   • Mode—Select stream.
   • Format—Select sd-syslog.
   • Source Address—Enter the address of the DMI device.
7. Select Security > Log > Stream.
   a. Click the Add icon.
   b. In the Name field, enter a unique name for the stream.
   c. In the Format drop-down list, select sd-syslog.
8. Select Host.
   a. In the Ipaddr field, enter the IP address of the NSM server.
   b. In the Port field, enter 5140.
   For HA setup, complete Step 8 for the primary DevSvr and the secondary DevSvr.
9. Update the device.
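
A pre-commit check for the stream statements above, written as an added example (not from the original post or from Juniper's tooling). It parses only the statement forms shown on this page; treating a missing "mode stream" as event mode is an assumption based on the rtlogd error text, and lint_security_log and the sample address are constructed names and values.

```python
# Added example: lint 'set security log ...' lines against the page's NSM stream setup.
NSM_FORMAT, NSM_PORT = "sd-syslog", "5140"   # values from the page's procedure
STREAM_LEAVES = {"category", "severity", "format", "host", "port"}

def lint_security_log(config_text):
    """Return findings for the 'set security log' statements in config_text."""
    mode, streams, findings = None, {}, []
    for raw in config_text.splitlines():
        words = raw.split()
        if words[:3] != ["set", "security", "log"]:
            continue
        rest = words[3:]
        if rest[:1] == ["mode"] and len(rest) == 2:
            mode = rest[1]
        elif rest[:1] == ["stream"] and len(rest) >= 3:
            name, leaf, value = rest[1], rest[2], rest[3:]
            stream = streams.setdefault(name, {})
            if leaf in STREAM_LEAVES and not value:
                findings.append(f"{name}: '{leaf}' has no value")
            elif value:
                stream[leaf] = value[0]
    # Assumption: without an explicit 'mode stream' the device is in event mode,
    # which is the condition the rtlogd error on the page complains about.
    if streams and mode != "stream":
        findings.append("streams defined but log mode is not 'stream'")
    for name, s in streams.items():
        if "host" not in s:
            findings.append(f"{name}: no host configured")
        if s.get("format", NSM_FORMAT) != NSM_FORMAT:
            findings.append(f"{name}: format {s['format']} is not {NSM_FORMAT}")
        if s.get("port") != NSM_PORT:
            findings.append(f"{name}: port {s.get('port')} is not {NSM_PORT}")
    return findings

# Constructed sample: stream statements without 'mode stream', a port other than
# 5140, and a severity statement missing its value. 192.0.2.10 is a placeholder.
BAD = """
set security log format sd-syslog
set security log stream nsm-dataplane-log format sd-syslog
set security log stream nsm-dataplane-log host 192.0.2.10
set security log stream nsm-dataplane-log port 514
set security log stream nsm-dataplane-log severity
"""

if __name__ == "__main__":
    for finding in lint_security_log(BAD):
        print(finding)
```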

 
