Channel: SRX Services Gateway topics

SRX3600 sending logs to remote syslog server

Hello. I'm trying to configure our SRX3600 cluster to send syslog messages to the remote syslog/SIEM server. I have the following configured on the cluster.

syslog {
    archive size 128k files 50 world-readable;
    user * {
        any emergency;
    }
    host 10.64.20.50 {
        any any;
        authorization any;
        firewall any;
        source-address 192.168.246.1;
        explicit-priority;
        structured-data {
            brief;
        }
    }
    file messages {
        any notice;
        authorization info;
    }
    file interactive-commands {
        interactive-commands any;
    }
    file interface_logs {
        any any;
        match UpDown;
    }
    source-address 192.168.246.1;
}

The routing for the cluster:


routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 192.168.170.1;
            retain;
        }
        route 10.64.20.50/32 next-table internet.inet.0;
    }
}

routing-instances {
    internet {
        instance-type virtual-router;
        # interface commands excluded for brevity
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 193.25.220.1;
                    retain;
                }
                route 10.0.0.0/8 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.254.0/24 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.0.0/16 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.234.0/24 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.90.0/23 {
                    next-hop 192.168.246.254;
                    retain;
                }
                route 192.168.55.0/24 {
                    next-hop 192.168.246.254;
                    retain;
                }
            }
        }
    }
}

When configured like this, I'm not seeing anything being sent to the remote server.

The funny thing is that I'm sending screen messages to the same server and they are coming through without a problem with the following configuration:

security {
    log {
        mode stream;
        format sd-syslog;
        source-address 192.168.246.1;
        stream SIEM_log {
            category all;
            host {
                10.64.20.50;
                port 514;
            }
        }
    }
}

Any help on what I'm missing here would be great.

