Juniper SRX Streamed logs


    Posted by Graeme on September 8, 2022 at 5:30 pm

    Hey there,

    I have a specific scenario where we are trying to receive logs from a Juniper SRX firewall. The issue I’m running into is that the logs are streamed in such a fashion that there are no line breaks.

    I can clearly see the log breaks, which can be identified by the syslog PRI field; however, Logstash treats the entire TCP session as a single message. Once the session is closed, it writes the single message (hundreds of individual logs) to the output, but because my Kafka output has a max size of 1MB it fails to be written.

    This feels like a codec issue; is there a way in your Logstash input to specify the delimiter for the logs to be split by, such as the syslog PRI field, so they are written one by one?

    Setup

    TCP input

    Juniper configured with “set security log mode stream” enabled

    Thanks for the course, it’s been really helpful so far!


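As an added illustration (not the poster's code and not a Logstash setting), this Python splitter shows the record boundary the post describes: every syslog PRI header `<NNN>` starts a new message, and a header that is cut across two TCP reads is reassembled instead of being lost. The sample SRX-style records and the chunk size are constructed for the demo.

```python
import re

# Syslog PRI header (RFC 3164/5424): "<" + 1-3 digits + ">". In stream mode
# there is no newline between records, so this header is the only delimiter.
PRI_RE = re.compile(r"<\d{1,3}>")

# Constructed sample records in the shape of SRX stream-mode syslog.
SAMPLE_RECORDS = [
    "<14>1 2022-09-08T17:30:00Z srx1 RT_FLOW - RT_FLOW_SESSION_CREATE - "
    "session created 10.0.0.1/4321->10.0.0.2/443",
    "<14>1 2022-09-08T17:30:01Z srx1 RT_FLOW - RT_FLOW_SESSION_CLOSE - "
    "session closed 10.0.0.1/4321->10.0.0.2/443",
    "<12>1 2022-09-08T17:30:02Z srx1 RT_FLOW - RT_FLOW_SESSION_DENY - "
    "session denied 10.0.0.9/5555->10.0.0.2/22",
]


class PriSplitter:
    """Turn a newline-free syslog byte stream into one record per PRI header.

    Data is buffered across feed() calls, so a header split between two TCP
    reads (e.g. "<1" then "4>") is completed before it is used as a boundary.
    Caveat: a literal "<NNN>" inside a message body would also be treated as
    a boundary; the PRI header is a delimiter, not a guarantee of structure.
    """

    def __init__(self) -> None:
        self.buf = ""

    def feed(self, chunk: str) -> list[str]:
        self.buf += chunk
        starts = [m.start() for m in PRI_RE.finditer(self.buf)]
        if not starts:
            return []  # nothing (or only a partial header) seen yet
        # A complete record runs from one header to the start of the next.
        out = [self.buf[a:b].rstrip() for a, b in zip(starts, starts[1:])]
        # The last header's record may still be growing; keep it buffered.
        self.buf = self.buf[starts[-1]:]
        return out

    def flush(self) -> list[str]:
        """Emit the final record once the sender closes the session."""
        rest, self.buf = self.buf.rstrip(), ""
        return [rest] if rest else []


def split_sample(chunk_size: int = 37) -> list[str]:
    """Replay the constructed stream in small TCP-like reads and split it."""
    stream = "".join(SAMPLE_RECORDS)  # no separators at all, as in stream mode
    splitter, records = PriSplitter(), []
    for i in range(0, len(stream), chunk_size):
        records.extend(splitter.feed(stream[i:i + chunk_size]))
    records.extend(splitter.flush())
    return records
```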