These are the general steps you should follow to configure a Syslog server on a Juniper SRX Firewall to send all metadata to Lumu:
All the detailed steps and guidance to create, download, and install a virtual appliance on your preferred hypervisor or Cloud solution are available in our documentation:
Go to the Lumu Virtual Appliance and refresh the VA Collectors settings by running the following command:
lumu-appliance collectors refresh
If the appliance is running, it should be stopped for setting up collectors.
Select the option that refers to Juniper SRX and the format that suits you best, then provide the following data:
Juniper SRX Firewall can send administrative logs and traffic logs. You need to configure your Firewall to send traffic logs or data-plane logs.
First, you need to add a new Stream configuration for Lumu VA.
<stream_name>: Distinctive name for the stream Syslog configuration.
<lumu_va_ip>: IP address of the Lumu VA.
<port>: Destination port number. Use the one configured in the Lumu VA.
In the transport protocol line, select the same protocol configured in the Lumu VA.
You need to configure each of your Firewall rules to log at the session init or close. You can configure it using the GUI or the CLI.
You can set the global Firewall options to enable Session close logging by default. To do so, go to the menu Security Policies & Objects > Security Policies. Click the Global Options button. There, enable the Session close toggle. Click the OK button. Finally, commit your changes.
To configure the logging in the global options, access your Juniper Firewall using your preferred SSH client in edit mode. Run the following command:
Remember to commit your changes.
To enable the Session initiate logging per rule using CLI, you can use the following command.
Where:
Remember to commit your changes.
It is recommended to enable the session initiate logging for rules that explicitly deny traffic. Otherwise, this traffic will not be reported to Lumu VA.
To enhance events sent by your Juniper firewall, it is recommended to enable identity logging in the zone configuration. You can enable it using the GUI or CLI.
You can set the identity logging in each zone of interest. This will reflect the identity information of the user in the logs if identity is configured in the Firewall. To do so, go to the menu Security Policies & Objects > Zones/Screens. Edit the zone of interest, and enable the Source Identity Log toggle. Finally, click the OK button and commit your changes.
To configure the Source Identity Log option in each zone of interest using CLI, access your Juniper Firewall using your preferred SSH client in edit mode. Run the following command.
Remember to commit your changes.
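The CLI steps described above (stream, per-rule logging, zone identity logging), consolidated as an added example in Junos set-style syntax; it is not Lumu's or Juniper's own listing. <stream_name>, <lumu_va_ip> and <port> are the placeholders defined above; <from_zone>, <to_zone>, <policy_name> and <zone_name> are assumed placeholders, and sd-syslog and udp are assumed choices that must match the format and protocol selected in the Lumu VA.

```junos
# Added example. Run in configuration mode (enter "configure" from the CLI).

# 1. Send data-plane (traffic) logs as a stream to the Lumu VA.
set security log mode stream
set security log stream <stream_name> host <lumu_va_ip> port <port>
# Assumed format; use the one selected for the Juniper SRX collector.
set security log stream <stream_name> format sd-syslog
# Assumed protocol; use the one configured in the Lumu VA.
set security log transport protocol udp

# 2. Per-rule session logging.
# Permit rules: a session-close record is written when the session ends.
set security policies from-zone <from_zone> to-zone <to_zone> policy <policy_name> then log session-close
# Deny rules: enable session-init as well, because denied traffic
# is otherwise not reported to the Lumu VA.
set security policies from-zone <from_zone> to-zone <to_zone> policy <policy_name> then log session-init

# 3. Include user identity in the logs for each zone of interest
#    (only populated if identity is configured in the Firewall).
set security zones security-zone <zone_name> source-identity-log

# 4. Review the candidate changes, validate them, then apply.
show | compare
commit check
commit
```

After the commit, `show security log` in operational mode displays the active log mode, stream and transport, which can be compared against the collector settings in the Lumu VA.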
For more details on the configuration settings, consult the official Juniper SRX documentation article Configuring System Logging for a Security Device.