Juniper SRX650: setting up IDP logging
First, list the IDP message tags the box knows about:

> help syslog | match IDP
IDP_APPDDOS_APP_ATTACK_EVENT_LS   IDP: DDOS attack on application
IDP_APPDDOS_APP_STATE_EVENT       IDP: DDOS application state transition event
IDP_APPDDOS_APP_STATE_EVENT_LS    IDP: DDOS application state transition event
IDP_ATTACK_LOG_EVENT_LS           IDP attack log
IDP_COMMIT_COMPLETED              IDP policy commit completed
IDP_COMMIT_FAILED                 IDP commit exited with failure
IDP_DAEMON_INIT_FAILED            Failed to initialize IDP daemon
IDP_IGNORED_IPV6_ADDRESSES        IDP ingnores IPv6 addresses
IDP_INTERNAL_ERROR                IDP daemon encountered an internal error.
IDP_POLICY_COMPILATION_FAILED     IDP policy compilation failed
IDP_POLICY_LOAD_FAILED            Failed to load an IDP policy
Going by that list, I set the syslog `match` to IDP_ATTACK_LOG_EVENT_LS, but nothing was ever written to the log. After changing the match to RT_IDP the entries appeared, and they look like this:
Oct 31 13:51:27 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1477893086, SIG Attack log <180.173.206.150/19438->43.254.106.11/80> for TCP protocol and service SERVICE_IDP application NONE by rule 3 of rulebase IPS in policy Recommended. attack: repeat=0, action=DROP, threat-severity=HIGH, name=HTTP:APACHE:FILEUPLOAD-CNT-TYPE, NAT <0.0.0.0:0->172.16.50.2:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:untrust:ge-0/0/0.0->trust:ae2.0, packet-log-id: 0, alert=no and misc-message -
So the tag that is actually emitted is IDP_ATTACK_LOG_EVENT, not IDP_ATTACK_LOG_EVENT_LS. In Junos the `_LS` suffix marks the logical-system variant of a message, which is why it never fires on an SRX650 with no logical systems configured. Matching on RT_IDP, the process tag shared by all IDP runtime messages, catches the attack log either way; after committing, `show log <file> | match RT_IDP` is a quick check that entries are arriving.
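To make the difference concrete, here is an added example (my own code, not from the original post or from Juniper) that emulates the regex behaviour of the Junos syslog `match` knob over a couple of constructed log lines and then parses the RT_IDP attack event into fields a SOC would actually key on (5-tuple, action, severity, signature name, post-NAT destination, ingress and egress interfaces). The sample lines are constructed from the entry shown above; accepting the `_LS` suffix in the header is an assumption that the logical-system variant shares the same message body.

```python
"""Filter and parse Juniper SRX RT_IDP attack events (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the RT_IDP line from the post plus an unrelated
# RT_FLOW line that a good filter must ignore.
SAMPLE_LINES = [
    "Oct 31 13:51:27 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1477893086, SIG Attack log "
    "<180.173.206.150/19438->43.254.106.11/80> for TCP protocol and service SERVICE_IDP "
    "application NONE by rule 3 of rulebase IPS in policy Recommended. attack: repeat=0, "
    "action=DROP, threat-severity=HIGH, name=HTTP:APACHE:FILEUPLOAD-CNT-TYPE, "
    "NAT <0.0.0.0:0->172.16.50.2:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, "
    "outpackets=0, intf:untrust:ge-0/0/0.0->trust:ae2.0, packet-log-id: 0, alert=no "
    "and misc-message -",
    "Oct 31 13:51:30 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: "
    "10.0.0.5/51000->43.254.106.11/443 (constructed filler line)",
]

# Ordering used to threshold on threat-severity.
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class IdpAttack:
    tag: str
    epoch: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    rule: int
    policy: str
    action: str
    severity: str
    name: str
    nat_dst: str
    in_if: str
    out_if: str


# Header: process tag, then the event tag. The optional _LS suffix is an
# assumption (logical-system variant assumed to carry the same body).
HEADER = re.compile(r"RT_IDP: (?P<tag>IDP_ATTACK_LOG_EVENT(?:_LS)?): ")

# Body: pulls the fields out of the free-text message in the order Junos writes them.
BODY = re.compile(
    r"at (?P<epoch>\d+), .*?Attack log "
    r"<(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)> "
    r"for (?P<proto>\w+) protocol .*?by rule (?P<rule>\d+) of rulebase \S+ "
    r"in policy (?P<policy>[^.]+)\. attack: .*?action=(?P<action>\w+), "
    r"threat-severity=(?P<severity>\w+), name=(?P<name>[^,]+), "
    r"NAT <[\d.]+:\d+->(?P<nat_dst>[\d.]+):\d+>.*?"
    r"intf:[^:]+:(?P<in_if>.+?)->[^:]+:(?P<out_if>[^,]+),"
)


def syslog_match(lines: List[str], pattern: str) -> List[str]:
    """Emulate 'set system syslog file <f> match <regex>': keep lines the regex hits.

    This is why matching IDP_ATTACK_LOG_EVENT_LS selected nothing while RT_IDP
    (or the un-suffixed IDP_ATTACK_LOG_EVENT) selects the attack entries.
    """
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


def parse_rt_idp(line: str) -> Optional[IdpAttack]:
    """Return the parsed attack event, or None if the line is not an RT_IDP attack log."""
    head = HEADER.search(line)
    if head is None:
        return None
    body = BODY.search(line, head.end())
    if body is None:
        return None  # an RT_IDP line whose body we do not understand
    g = body.groupdict()
    return IdpAttack(
        tag=head["tag"], epoch=int(g["epoch"]),
        src=g["src"], sport=int(g["sport"]), dst=g["dst"], dport=int(g["dport"]),
        proto=g["proto"], rule=int(g["rule"]), policy=g["policy"],
        action=g["action"], severity=g["severity"], name=g["name"],
        nat_dst=g["nat_dst"], in_if=g["in_if"], out_if=g["out_if"],
    )


def severe_events(lines: List[str], min_severity: str = "HIGH") -> List[IdpAttack]:
    """Parse every line and keep attack events at or above min_severity."""
    floor = SEVERITY_RANK[min_severity]
    events = (parse_rt_idp(line) for line in lines)
    return [ev for ev in events if ev and SEVERITY_RANK.get(ev.severity, -1) >= floor]


if __name__ == "__main__":
    print("match on _LS tag  :", len(syslog_match(SAMPLE_LINES, "IDP_ATTACK_LOG_EVENT_LS")))
    print("match on RT_IDP   :", len(syslog_match(SAMPLE_LINES, "RT_IDP")))
    for ev in severe_events(SAMPLE_LINES):
        print(f"{ev.severity} {ev.action} {ev.name} {ev.src}:{ev.sport} -> "
              f"{ev.dst}:{ev.dport} (post-NAT {ev.nat_dst}) via {ev.in_if}->{ev.out_if}")
```

The `syslog_match` helper reproduces only the regex-selection part of the Junos `match` statement; on the box itself the same regex is applied per line to decide whether the message lands in that file. Feeding the parser real exports is the point: once the fields are structured you can threshold on `threat-severity`, alert on `action=DROP` against the post-NAT host, and group by signature name instead of grepping free text.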