Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

How to determine where logs or traceoptions output is written to



Article ID: KB16273 KB Last Updated: 04 Mar 2017Version: 3.0
How do you determine where logs are written to
  • In ScreenOS, logs triggered are written to alarm and event logs
  • In ScreenOS, policy logs can be obtained directly from the box
  • Traceoptions are enabled
  • Policy Logs are enabled
  • Where are logs written to?
In general, when you run a traceoption, you can specify the file where you want the traceoption output to be written to.

For example, the following configuration will send the output to a file called webnotime.txt, with a maximum file size of 1 MB.  Note that it is security flow traceoptions, with a flag of basic-datapath (which is similar to a debug flow basic in ScreenOS).
[edit security flow]
lab@test# show 
inactive: traceoptions {
    file web-notime.txt size 1000k;
    flag basic-datapath;
    packet-filter trust-pc {

When you apply a traceoption for any UTM feature, there is not an option to specify a file to write to.  By default, these will be written to a file based on the UTM module used.  The table below lists the file the output will be written to when enabled under that UTM module:

Feature File Name
anti-virus utmd-av
web-filtering utmd-wf
anti-spam utmd-as
application proxy utmd-apppxy

IKE or IPsec
When you apply a traceoption for IKE or IPSec, the output for this is written to a file called kmd.

Policy and System Logs

Policy logs and any other system level events are written to the file specified in the system syslog configuration file.  By default, this file is called messages.  By default, the messages file will only log critical level messages.  In order to view messages lower than critical level, you need to configure the syslog server to accept messages of a lower severity level. 

In the system syslog config, by default, it will have the following configuration:
[edit system syslog]
lab@test# show 
user * {
    any emergency;
file messages {
    any critical;
    authorization info;
Policy logs have the severity level of info.  You can create a separate file called policy-logs, and have info level messages sent to policy-logs.
[edit system syslog]
lab@test# show 
file policy-logs {
    any info;
    authorization info;

Refer to KB16172 - What is the default output log file for 'interface' traceoptions.

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search