Understand Control plane vs Data Plane log differences on Juniper SRX


This article identifies the differences between control plane logging and data plane logging on Juniper SRX firewalls.

The Juniper SRX firewall can log information sourced from both the control plane and data plane, including sending the information externally or storing it locally on the control plane.

The diagram above summarizes the different ways to offload control plane and data plane logging.

Here are some of the differences between control plane logging and data plane logging.

Control Plane Log

  • The control plane logs include events that occur on the routing engine, e.g. user processes, interactive commands, and system daemons. This includes messages about the underlying hardware (chassisd), general-purpose messages (messages), and various protocol daemons like IDPD, appidd, and so on.
  • Control plane logging is ON by default to log locally, but you can override this with your own log files, syslog hosts, and criteria for different log messages.
  • To configure control plane logs, the [ edit system syslog ] hierarchy level is used.
  • By default, only critical messages are logged to a local file known as messages on the SRX Series device. All logs are stored in the /var/log directory on the control plane.

Data Plane Log

  • Data plane logs, on the other hand, are primarily those generated by components that process traffic on the data plane. They are normally referred to as security logs. These include the firewall logs from the flowd process, IPS logs, UTM logs, and logs from other security components like Screens.
  • Data plane logging is OFF by default and must be configured.
  • To configure data plane logs, the [ edit security log ] hierarchy level is used.

The data plane supports two different ways to log.

  • The first is Event mode, in which all log messages are logged to the control plane through the internal SRX infrastructure.
  • The other is Stream mode, which logs messages directly from the data plane to an external source.
  • NOTE: You can log in ONLY Stream or Event mode at any one time on the SRX, so be very careful when changing the mode.
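
The two hierarchies and the two data plane modes described above, shown as an added configuration sketch that is not part of the original article. The addresses (RFC 5737 documentation range), the file name traffic-log, the stream name siem-stream, and the zone and policy names are assumptions; configure only one of Option A or Option B.

```junos
# --- Control plane: [edit system syslog] (routing engine events) ---
# Local file "messages" under /var/log, with the severity overridden
# from the default described above.
set system syslog file messages any notice
set system syslog file messages authorization info
# Keep a record of every CLI command entered by operators.
set system syslog file interactive-commands interactive-commands any
# Also forward control plane events to an external syslog host.
set system syslog host 192.0.2.10 any notice

# --- Data plane: [edit security log] (OFF until configured) ---
# Option A, Event mode: security logs are handed to the control plane,
# so they are written out through [edit system syslog].
set security log mode event
set system syslog file traffic-log any any
set system syslog file traffic-log match RT_FLOW

# Option B, Stream mode: security logs leave the data plane directly
# for the external collector and are not stored on the control plane.
set security log mode stream
set security log format sd-syslog
set security log source-address 192.0.2.1
set security log stream siem-stream host 192.0.2.10

# Firewall (flowd) logs are only generated by policies that request
# logging; this line adds the log action to an existing policy.
set security policies from-zone trust to-zone untrust policy allow-web then log session-close
```

After committing, `show security log` and `show system syslog` in configuration mode display what each hierarchy currently holds, which is a quick way to confirm which mode is active before changing it.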

I hope you enjoyed this article. Please feel free to leave a comment or feedback.


Ashutosh Patel

Ashutosh Patel is the author and editor of netfixpro.com. He currently works as a Network Security Architect. Follow him on social media to learn more about him.
