
[J/SRX] Location of RT_FLOW logs / traffic logs / policy logs on an SRX or a J Series chassis cluster


Article ID: KB21316 | KB Last Updated: 26 Jun 2018 | Version: 2.0
Summary:

This article provides information about the location of RT_FLOW logs / traffic logs / policy logs on an SRX or J Series chassis cluster and explains how to view these logs.

 

Symptoms:

When the show log traffic-log command is executed, no recent traffic logs are output.

 

Cause:

Traffic logs (policy logs) are generated when there is a policy hit and policy logging is enabled.

To configure policy logging, refer to KB16509 - SRX Getting Started - Configure Traffic Logging (Security Policy Logs) for SRX100, SRX210, SRX240, and SRX650 Devices.

root# show system syslog
    file traffic-log {
        any any;
        match RT_FLOW;
    }
 

If the configuration shown above is applied outside the group configuration in a J/SRX cluster to collect traffic/policy logs in a file named "traffic-log", the logs are written on the node where Redundancy Group 1 is primary, irrespective of where Redundancy Group 0 is primary. (To understand more about Redundancy Groups, refer to Understanding Redundancy Groups.)

Example:

root@NODE-0> show chassis cluster status
Cluster ID: 1
Node Priority Status Preempt Manual failover

Redundancy group: 0 , Failover count: 0
node0 100 primary        no no
node1 10  secondary      no no

Redundancy group: 1 , Failover count: 1
node0 100 secondary      no no
node1 10  primary        no no  <---------------

In the above example, the traffic logs are on node1 even though node1 is secondary for the Routing Engine, because node1 is primary for Redundancy Group 1.
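As an added example (not part of the original article and not Juniper code), the Python below parses saved `show chassis cluster status` output and reports which node is primary for Redundancy Group 1, which is the node holding the traffic-log file. The function names and the embedded sample text are constructed for illustration.

```python
import re

# Constructed sample in the same layout as the cluster status output above.
SAMPLE_STATUS = """\
Cluster ID: 1
Node Priority Status Preempt Manual failover

Redundancy group: 0 , Failover count: 0
node0 100 primary        no no
node1 10  secondary      no no

Redundancy group: 1 , Failover count: 1
node0 100 secondary      no no
node1 10  primary        no no
"""

RG_HEADER = re.compile(r"^Redundancy group:\s*(\d+)\s*,")
NODE_ROW = re.compile(r"^(node\d+)\s+\d+\s+(\S+)")  # node name, priority, status


def primaries_by_group(status_text):
    """Map redundancy group number -> list of nodes whose status is 'primary'."""
    groups = {}
    current = None
    for line in status_text.splitlines():
        line = line.strip()
        header = RG_HEADER.match(line)
        if header:
            current = int(header.group(1))
            groups[current] = []
            continue
        row = NODE_ROW.match(line)
        if row and current is not None and row.group(2) == "primary":
            groups[current].append(row.group(1))
    return groups


def traffic_log_node(status_text, data_plane_rg=1):
    """Return the node that holds traffic-log: the primary of Redundancy Group 1."""
    primaries = primaries_by_group(status_text).get(data_plane_rg, [])
    if len(primaries) != 1:
        # Zero or several primaries (group missing, failover in progress): do not guess.
        raise ValueError(f"RG{data_plane_rg} has {len(primaries)} primary nodes")
    return primaries[0]


if __name__ == "__main__":
    print(traffic_log_node(SAMPLE_STATUS))
```

A log collection job can run this check before pulling /var/log/traffic-log, so that a Redundancy Group 1 failover does not silently leave it reading a stale file on the other node.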

 

Solution:

To view logs that are located on another node, log in to the other node's Command Line Interface (CLI) from the current node's CLI with the following commands (in this example, we are logged in to node0 and want to view the logs on node1):

Branch SRX and J Series:

{primary:node0}
user@srx> request routing-engine login node 1

{secondary:node1}
user@srx> show log traffic-log

{secondary:node1}
user@srx> exit

High-end SRX:

{primary:node0}
user@srx> start shell

user@srx% rlogin -T node1

{secondary:node1}
user@srx> show log traffic-log

{secondary:node1}
user@srx> exit

If preferred, the file can also be copied from one node to another with the following command (the same command applies for J Series, branch, and high-end SRX devices). Keep in mind that this must be done from the node that has the files stored (node1 in this example):

{secondary:node1}
user@srx> file copy /var/log/traffic-log node0:/var/log/

 

Modification History:

2018-06-26: Solution section updated with steps to view logs located on another node; symptom section updated. Other minor modifications made (non-technical).

 
