No Events in STRM UI for a device

Article ID: KB13423 KB Last Updated: 28 Oct 2016Version: 2.0
Summary:
STRM Event Viewer does not show logs for a device
Symptoms:
How to troubleshoot if logs do not show up in STRM Event Viewer
Solution:
STRM might not show the logs in the Event Viewer for multiple reasons.

First, confirm that the device and its software version are supported in this guide: DSM Guide for 2008.3.
If the device is supported, then follow the steps below.

Log in to the STRM CLI using SSH:
  1. Make sure you have installed the latest DSMs.  Go to the Juniper Support Site and download the latest DSMs (available in the STRM download area).  Refer to KB15214 on how to check the DSM versions and how to update the DSM.

  2. Use TCPDUMP to verify if the logs from the source device are being received by STRM:

    #tcpdump -Ax -s 0 host IP_ADDRESS_SRC and port 514

    If you do not see any logs in the TCPDUMP output, then STRM is not receiving the logs. Verify that your source device is sending the logs, and check whether any firewalls in between are blocking them.

  3. Check for errors in the file, /var/log/qradar.log

  4. Review and correct any errors in this file.

    If the following error is reported, then the logs are being sent to STRM in an incorrect format:
    ERROR] Exception was uncaught in thread: Event Parser[1] java.lang.NoClassDefFoundError
    Save the logs from the device in a file, event.txt, and replay them locally on STRM:
    #/opt/qradar/bin/logrun.pl -f /tmp/event.txt -l 5

    This will replay 5 events/sec locally.  If the events are in the correct format, they will be shown with src-ip "127.0.0.1".
    If you do not see any logs, even from "127.0.0.1", then the device/version of the device might not be supported by STRM. Verify if the source device is supported in the DSM Guide Appendix Section.
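
The check of /var/log/qradar.log described in the steps above can be scripted so that uncaught Event Parser exceptions are counted per exception class. This is an added example, not Juniper's tooling: the function names are hypothetical, and the sample lines are constructed (their timestamp, host and component prefix is an assumption; only the text from "ERROR]" onward follows the error quoted in this article).

```shell
#!/bin/sh
# Added example (not Juniper code): summarise uncaught Event Parser
# exceptions in a qradar.log-style file.

# Write constructed sample lines to the file named in $1.
# The prefix before "ERROR]" is invented for illustration.
write_sample_log() {
    cat > "$1" <<'EOF'
Oct 28 10:01:02 strm [ecs] [ERROR] Exception was uncaught in thread: Event Parser[1] java.lang.NoClassDefFoundError
Oct 28 10:01:03 strm [ecs] [INFO] Heartbeat ok
Oct 28 10:01:05 strm [ecs] [ERROR] Exception was uncaught in thread: Event Parser[2] java.lang.NoClassDefFoundError
Oct 28 10:02:00 strm [ecs] [ERROR] Exception was uncaught in thread: Event Parser[1] java.lang.NullPointerException
Oct 28 10:02:10 strm [hostcontext] [ERROR] Unable to reach database
EOF
}

# Print "<count> <exception class>" for each uncaught Event Parser
# exception, most frequent first. Prints nothing if there are none.
parser_exceptions() {
    log=${1:-/var/log/qradar.log}
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    # A bare "]" outside a bracket expression is a literal character.
    sed -n 's/.*ERROR] Exception was uncaught in thread: Event Parser\[[0-9]*] *\([A-Za-z0-9_.$]*\).*/\1/p' "$log" |
        sort | uniq -c | sort -k1,1nr -k2 | awk '{print $1, $2}'
}

# Exit status 0 when the error the article ties to incorrectly
# formatted logs is present, non-zero otherwise.
has_format_error() {
    parser_exceptions "$1" | grep -q ' java\.lang\.NoClassDefFoundError$'
}
```

Source the file on the STRM CLI and run `parser_exceptions` with no argument to scan /var/log/qradar.log; a zero status from `has_format_error /var/log/qradar.log` indicates that the replay step with event.txt is the next thing to try.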

If the above steps fail, open a case with JTAC by either:
Calling in to Juniper Networks Technical Assistance Center at 888-314-JTAC (5822), 408-745-9500 for domestic or international
OR logging in to the Case Management tool via the Juniper support site at: Case Management and clicking on "Create a Case".