Configuring a NetScreen Firewall for Syslog Server Support

A Juniper NetScreen firewall, such as the NetScreen-5GT firewall, can be configured to send event information to a syslog server. The steps for doing so using the firewall's web-based user interface are as follows:

  1. Log in to the Web UI as a user with Administrative privileges.
  2. Expand the Configuration menu.
  3. Expand the Report Settings sub-menu.
  4. Select Log Settings:
    1. Tick all event severity boxes for Syslog as the destination.
    2. Click Apply.
  5. Select Syslog from the Report Settings sub-menu:
    1. Ensure that Enable Syslog Messages is ticked.
    2. On the Source interface drop-down list, select the interface from which syslog packets are sent. For example, select trust if you wish to send syslog messages to a system behind the firewall.
    3. Tick the Enable checkbox for the entry you are adding.
    4. Enter the IP address or host name of the system to which the syslog traffic should be sent in the IP/Hostname field.
    5. Unless you want to change the default port to which the NetScreen sends syslog messages, leave 514 in the port field. If you change the port number, you will need to ensure that the system you are sending the syslog events to is listening at that custom port.
    6. Select the Security Facility, which classifies and sends emergency and alert level messages to the syslog host. This will typically be LOCAL0.
    7. Select the Facility, which classifies and sends all other messages for events unrelated to security. The default value is LOCAL0.
    8. Tick Event Log if you wish to send event log entries to the syslog host. NetScreen devices maintain three types of system logs: Event, Self, and Asset Recovery logs. See below for further information on the Event log.
    9. Tick Traffic Log if you want to send traffic log entries to the syslog host.
    10. Tick TCP only if you wish to use TCP as the transport protocol. Note: the default protocol for syslog traffic is UDP, so this would normally be left unchecked.
    11. Click Apply.
  6. If you are finished with configuration changes, click Logout from the main menu.
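
Once the firewall is sending, the Security Facility / Facility split from steps 6 and 7 can be checked on the syslog host by decoding the `<PRI>` field at the start of each message. The following is an added example, not part of the original page or of Juniper's documentation. It assumes the standard syslog encoding (PRI = facility code x 8 + severity code, LOCAL0 = 16) and a hypothetical setup with Security Facility LOCAL1 and Facility LOCAL0; the function names and sample lines are constructed for illustration.

```python
import re

# ScreenOS level names from this page, indexed by standard syslog severity code
# 0-7 (assumption: the firewall uses the standard PRI encoding).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "information", "debugging"]
LOCAL0 = 16  # syslog facility codes for LOCAL0..LOCAL7 are 16..23
PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(line):
    """Return (facility_code, severity_name) from the leading <PRI> field."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:  # 191 = 23 * 8 + 7, the largest valid PRI
        raise ValueError("missing or out-of-range PRI")
    facility, severity = divmod(int(m.group(1)), 8)
    return facility, SEVERITIES[severity]

def facility_name(code):
    return f"LOCAL{code - LOCAL0}" if LOCAL0 <= code <= 23 else f"facility{code}"

def check_routing(line, security_facility=LOCAL0, facility=LOCAL0):
    """Emergency and alert messages should carry the Security Facility;
    every other severity should carry the Facility."""
    fac, sev = decode_pri(line)
    expected = security_facility if sev in ("emergency", "alert") else facility
    return {"facility": facility_name(fac), "severity": sev,
            "as_configured": fac == expected}

# Constructed sample lines (not captured from a device); only <PRI> matters here.
SAMPLES = [
    "<137>fw01: constructed alert message",      # 17*8+1: LOCAL1, alert
    "<132>fw01: constructed warning message",    # 16*8+4: LOCAL0, warning
    "<129>fw01: constructed alert message",      # 16*8+1: LOCAL0, alert
]

def audit(lines, security_facility=LOCAL0 + 1, facility=LOCAL0):
    """Check each line against Security Facility LOCAL1 and Facility LOCAL0."""
    return [check_routing(l, security_facility, facility) for l in lines]

if __name__ == "__main__":
    for line, result in zip(SAMPLES, audit(SAMPLES)):
        print(result, line)
```

A message reported with `as_configured` set to False arrived on a facility that does not match the firewall's settings, which is worth investigating because syslog over UDP carries no sender authentication.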

The help pages in the Juniper NetScreen-5GT router have the following information:

Syslog Report Settings

Syslog is a facility that enables the logging of system events to a single file for later review. A NetScreen device can generate syslog messages for system events at predefined severity levels and optionally for traffic that policies permit across a firewall. It sends these messages via UDP (port 514) to up to four designated syslog hosts running on UNIX/Linux systems. The severity level of an event determines whether the event is communicated in a syslog message (see Log Settings).

Note: When you enable Syslog on a NetScreen device running in Transparent mode, you must set up a static route on the Route Table.

Event Log

ScreenOS provides an Event Log for monitoring system events on the NetScreen device. You can use the Event Log to view system events and gather information about hardware or software problems. The Event Log categorizes system events by severity level.

The event log displays the following information for each event:

Date/Time: Indicates the date and time of the system event.

Level: Indicates the severity level of the system event.

Description: Describes the system events or changes and, if applicable, the source of the events.

The Event Log severity levels are as follows:

EMERGENCY: Identifies critical attacks such as SYN attacks, Tear Drop attacks, and Ping of Death attacks. For more information on these types of attacks, see Screen Options.

ALERT: Identifies problems such as multiple user authentication failures and other attacks not included in the emergency category. For more information on various types of attacks, see Screen Options.

CRITICAL: Identifies events such as URL blocks, traffic alarms, high availability (HA) status changes, and global communications.

ERROR: Generates messages for admin name and password changes.

WARNING: Generates messages for admin logins and logouts, failures to log in and log out, and user authentication failures, successes, and timeouts.

NOTIFICATION: Generates messages for link status changes, load balancing server status changes, and traffic logs.

INFORMATION: Generates any kind of message not specified in other categories.

DEBUGGING: Generates all debugging messages. (See "Debug" commands in the NetScreen CLI Reference Guide.)



Created: Monday, April 6, 2009