This article provides information about the location of RT_FLOW logs / traffic logs / policy logs on an SRX or J Series chassis cluster and explains how to view these logs.
When the "show log traffic-log" command is executed on the node you are logged in to, no recent traffic logs are output, even though policy logging is enabled and sessions are matching the policy.
Traffic logs (also called policy logs) are the RT_FLOW messages generated when a session matches a security policy for which logging is enabled.
To configure policy logging, refer to KB16509 - SRX Getting Started - Configure Traffic Logging (Security Policy Logs) for SRX100, SRX210, SRX240, and SRX650 Devices.
root# show system syslog
file traffic-log {
any any;
match RT_FLOW;
}
If the configuration shown above is committed outside the groups hierarchy (that is, not under a node-specific group) on a J Series or SRX cluster to collect traffic/policy logs into a file named "traffic-log", the logs are written on the node where Redundancy Group 1 is primary, irrespective of which node is primary for Redundancy Group 0. This is because the RT_FLOW messages are generated by the data plane, and Redundancy Group 1 is the data-plane redundancy group, whereas Redundancy Group 0 only controls which node's Routing Engine is primary. (To understand more about Redundancy Groups, refer to Understanding Redundancy Groups.)
Example:
root@NODE-0> show chassis cluster status
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 0
    node0                   100         primary        no       no
    node1                   10          secondary      no       no

Redundancy group: 1 , Failover count: 1
    node0                   100         secondary      no       no
    node1                   10          primary        no       no   <---------------
In the above example, the traffic logs are written on node1, even though node1 is secondary for Redundancy Group 0 (the Routing Engine) and the CLI session is on node0. This is because node1 is primary for Redundancy Group 1, so its data plane is processing the sessions that generate the RT_FLOW messages.
To view logs that are located on the other node, first run "show chassis cluster status" to identify which node is primary for Redundancy Group 1, then log in to that node's Command Line Interface (CLI) from the current node's CLI with the following commands (in this example, we are logged in to node0 and want to view logs on node1):
Branch SRX and J Series:
{primary:node0}
user@srx> request routing-engine login node 1
{secondary:node1}
user@srx> show log traffic-log
{secondary:node1}
user@srx> exit
High-end SRX:
{primary:node0}
user@srx> start shell
user@srx% rlogin -T node1
{secondary:node1}
user@srx> show log traffic-log
{secondary:node1}
user@srx> exit
If preferred, the file can also be copied from one node to another with the following command (the same command applies for J Series, branch, and high-end SRX devices). Keep in mind that this must be done from the node that has the files stored (node1 in this example):
{secondary:node1}
user@srx> file copy /var/log/traffic-log node0:/var/log/
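As an added illustration (not part of the original KB article and not Juniper code), the following Python parses "show chassis cluster status" output like the example above, picks the node that is primary for Redundancy Group 1, and produces the command sequence from the steps above needed to reach that node's traffic-log. The sample output is constructed from the article's example, and the platform names "branch"/"highend", the function names and the returned dictionary layout are assumptions made for this example.

```python
import re

# Constructed sample of `show chassis cluster status`, modelled on the example
# in the article (assumption: real output keeps this column layout).
SAMPLE_STATUS = """\
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 0
    node0                   100         primary        no       no
    node1                   10          secondary      no       no

Redundancy group: 1 , Failover count: 1
    node0                   100         secondary      no       no
    node1                   10          primary        no       no
"""

RG_HEADER = re.compile(r"^Redundancy group:\s*(\d+)\s*,\s*Failover count:\s*(\d+)")
# "Node" (the column header) starts with a capital, so it does not match here.
NODE_ROW = re.compile(r"^\s*(node\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_cluster_status(text):
    """Return {rg_id: {"failover_count": int, "nodes": {node: {...}}}}."""
    groups = {}
    current = None
    for line in text.splitlines():
        m = RG_HEADER.match(line)
        if m:
            current = int(m.group(1))
            groups[current] = {"failover_count": int(m.group(2)), "nodes": {}}
            continue
        m = NODE_ROW.match(line)
        if m and current is not None:
            node, prio, status, preempt, manual = m.groups()
            groups[current]["nodes"][node] = {
                "priority": int(prio),
                "status": status,          # primary / secondary / secondary-hold / ...
                "preempt": preempt,
                "manual_failover": manual,
            }
    return groups


def primary_node(groups, rg_id):
    """Name of the node that is primary for redundancy group rg_id, or None."""
    for node, info in groups.get(rg_id, {}).get("nodes", {}).items():
        if info["status"] == "primary":
            return node
    return None


def login_commands(platform, node):
    """CLI commands (typed on the other node) that reach `node`'s CLI.
    platform: "branch" (branch SRX / J Series) or "highend" (high-end SRX)."""
    number = node[len("node"):]
    if platform == "branch":
        return ["request routing-engine login node %s" % number]
    if platform == "highend":
        return ["start shell", "rlogin -T %s" % node]
    raise ValueError("unknown platform: %r" % platform)


def traffic_log_plan(text, current_node, platform="branch"):
    """Where /var/log/traffic-log lives (the RG1 primary) and how to get there."""
    groups = parse_cluster_status(text)
    log_node = primary_node(groups, 1)
    if log_node is None:
        # RG1 absent or mid-failover: no node is currently writing traffic logs.
        raise ValueError("no primary for redundancy group 1")
    if log_node == current_node:
        return {"log_node": log_node, "commands": ["show log traffic-log"]}
    return {"log_node": log_node,
            "commands": login_commands(platform, log_node) + ["show log traffic-log", "exit"]}


if __name__ == "__main__":
    plan = traffic_log_plan(SAMPLE_STATUS, current_node="node0")
    print("traffic-log is on", plan["log_node"])
    for cmd in plan["commands"]:
        print("  ", cmd)
```

The plan deliberately keys on Redundancy Group 1 rather than on which node holds the primary Routing Engine, which is the point of the article; if you are already on the RG1 primary, it simply tells you to read the file locally.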
2018-06-26: Solution section updated with steps to view logs located on another node; symptom section updated. Other minor modifications made (non-technical).