Managing the device log volume in NSM - a detailed view


Article ID: KB22026 KB Last Updated: 19 Oct 2011 Version: 1.0
Summary:
This article provides a detailed view of managing the device log volume in NSM.
Symptoms:
On NSM, the device logs are gathered and stored by the Device Server. In a given deployment, the Device Server can be deployed on the same machine as the GUI Server or on a separate machine.

When determining the disk space requirements for NSM, you must consider the log management strategy. The Device Server has the most variable disk space requirements.
Cause:

Solution:
NSM Device Server has several log cleanup parameters included in the /usr/netscreen/DevSvr/devSvr.cfg file.

Apart from storageManager.threshold, the other parameters discussed below are 'optional' for managing the disk and logs on NSM.

The following parameter settings are used to manage log disk space:
  1. storageManager.alert - Specifies the amount of free disk space on the Device Server that triggers a warning to indicate low available disk space. The user is alerted by e-mail when the free disk space approaches the default value of 1500 MB. 

    The same setting can be configured from the NSM GUI Client under Server Manager > Device Server, on the Disk and Log Management tab. Selecting the Enable alert on disk limit check box enables the low disk space alert.

    Note: E-mail must be configured for e-mail alerts to work.

    To configure e-mail alerts, refer to KB11818 - How to enable email notification alert for logs received in NSM


  2. storageManager.minimumFreeSpace - Specifies the disk space threshold to trigger the log file purging. When the available disk space approaches the default value of 1000 MB, the Device Server begins to purge log file data starting from the earliest date in the logs directory.
     
    On the NSM GUI client, this can be configured by selecting the enable action on Disk limit as shown in the image in point 3.


  3. storageManager.threshold - Specifies the minimum threshold for available disk space; the default is 800 MB. The Device Server continues the log file purging operation until the disk space reaches the minimumFreeSpace level. However, if this goal is not achieved prior to the current day of log data, the Device Server shuts down automatically.

    The above parameter cannot be set or changed from the NSM GUI client. It is recommended to keep the default threshold value of 800 MB and not to set it lower.

    If storageManager.minimumFreeSpace is set to 1000 MB (default) and storageManager.threshold is set to 800 MB (default), then the purging operation takes place until the disk space reaches 1000 MB.

    However, when the current day's log data is greater than 1000 MB and the available space on the disk partition approaches 1000 MB, the Device Server shuts down automatically. The reason is that the current day's log directory under 'logs' is not purged.

    Note: When free space approaches the values specified in the parameters above, the automatic purge action is performed on the logs.




  4. Enable online retention policy (optional) - Users can specify how the retention policy is triggered (action on logs) and when it is scheduled (scheduled time).

    Action on logs can be specified as purge or archive and purge, depending on the requirement. To enable an action on logs, click the drop-down box as shown in the image in point 3 and select the appropriate action.

    Choosing the archive and purge option archives the logs before the system purges them. Specify the archive location under the archive location option as shown in the image in point 3. For example, the location can be specified as /var/nsm_devicelogs, where nsm_devicelogs is a user-created directory.


    1. No of Days to retain logs:

      The user can specify the number of days to retain logs. The default value is 15. If the value specified is N, the logs are retained in the /var/netscreen/DevSvr/logs directory for up to and including N days. On day N + 1, the oldest log present in /var/netscreen/DevSvr/logs is purged. The same happens on each following day.

      Note: The important aspect to be noted here is that logs are retained for a maximum of N days.

      If the size of the logs over the N-day period is greater than the available space as specified in storageManager.minimumFreeSpace, the automatic purge action takes place until the free space reaches the value specified for storageManager.minimumFreeSpace, which in the above example is 1000 MB.

    2. Scheduled Time:

      Depending on the values set above for the online retention policy, the action on logs (either purge or archive and purge) can be scheduled for the required time. The default time is 2:00 AM.

    3. Estimated Disk Space required:

      After you define the number of logs and the number of days you want archived, NSM estimates the disk space required for storing the logs. To calculate the estimate, NSM uses the average size of logs per day, and it indicates to the user how the estimate was reached or whether no data was available to provide an estimate.

    4. Archive Location:

      The location of the archive is user-configurable from the Disk and Log Management dialog box. The options are Local and Remote:

      Local - To archive logs locally, specify the directory location where the files will be stored in the Archive Location field.

      Remote - To archive logs remotely, specify the IP address, username, password, and the protocol (scp and sftp). The path on the remote server will be stored in the user preferences. SCP and SFTP work only with trusted hosts. For more information, refer to KB9642 - NSM 2007.1 How to archive device server logs to a remote server.


  5. Finally, click OK to save and apply the new settings on the NSM GUI client.
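The interaction between storageManager.minimumFreeSpace and the unpurged current-day directory (point 3) can be checked ahead of time with a small model. This is an added example, not NSM code: the function names and the "YYYYMMDD:SIZE_MB" input format are assumptions made for illustration, and it only models the behaviour as this article describes it.

```shell
#!/bin/sh
# Added example: simplified model of the purge behaviour described above.
# Not NSM code. All sizes are whole megabytes supplied by the caller.

# day_sizes LOGDIR: print "YYYYMMDD:SIZE_MB" for each day directory found.
day_sizes() {
    for d in "$1"/[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]; do
        [ -d "$d" ] || continue
        kb=$(du -sk "$d" | awk '{print $1}')
        echo "$(basename "$d"):$((kb / 1024))"
    done
}

# purge_outcome FREE_MB MIN_FREE_MB TODAY "YYYYMMDD:SIZE_MB ..."
# Prints one of:
#   ok                     free space is at or above minimumFreeSpace
#   purged <days> <free>   oldest days removed until the level was reached
#   shutdown <free>        level not reached with only today's data left
purge_outcome() {
    free=$1; min_free=$2; today=$3; days=$4; purged=""
    if [ "$free" -ge "$min_free" ]; then echo ok; return 0; fi
    # YYYYMMDD names sort chronologically as plain text, oldest first.
    for entry in $(printf '%s\n' $days | sort); do
        day=${entry%%:*}; size=${entry##*:}
        [ "$day" = "$today" ] && continue    # current day is never purged
        free=$((free + size))
        purged="${purged:+$purged,}$day"
        [ "$free" -ge "$min_free" ] && break
    done
    if [ "$free" -ge "$min_free" ]; then
        echo "purged $purged $free"
    else
        echo "shutdown $free"
    fi
}

# Constructed sample: 900 MB free, default minimumFreeSpace of 1000 MB.
purge_outcome 900 1000 20111019 "20111018:300 20111017:50 20111019:2000"
purge_outcome 900 1000 20111019 "20111018:40 20111019:2000"
```

A "shutdown" result for realistic day sizes means the partition is too small for the configured retention period, so the Device Server would stop collecting device logs.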


Analyzing the archived logs for later use:

Each directory archived must have the name in the YYYYMMDD format, indicating which day is contained in the directory.

Note: Archival should not be attempted on the current day’s files.

Archived logs can be analyzed later by restoring them to the logs directory on the Device Server and performing reindexing on them. For more information on reindexing device logs, refer to KB10965 - No Logs in NSM UI - Could not get day list. How to reindex the traffic logs.

The restored logs are available in the Log Viewer and Log Investigator, just as they were before archival.
  1. Use scp to copy directories from the remote archival location to:

    /usr/netscreen/DevSvr/var/logs/

  2. Analyze the logs using the NSM UI.

  3. Remove the directories when done with the analysis.
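The restore and cleanup steps above can be scripted so that only valid day directories are copied in and only the restored ones are removed afterwards. This is an added example, not part of the original article: the function names and the manifest file are assumptions, SRC is a local directory already fetched from the archive (for example with scp), and reindexing per KB10965 is still required after the copy.

```shell
#!/bin/sh
# Added example (not from the KB). SRC, DEST and MANIFEST are chosen by
# the caller; DEST would be the Device Server logs directory.

# True if $1 is an 8-digit YYYYMMDD name with a plausible month and day.
is_day_dir() {
    case $1 in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    rest=${1#????}                                   # MMDD
    case ${rest%??} in 0[1-9]|1[0-2]) ;; *) return 1 ;; esac
    case ${rest#??} in 0[1-9]|[12][0-9]|3[01]) ;; *) return 1 ;; esac
}

# restore_days SRC DEST TODAY MANIFEST
# Copies day directories from SRC into DEST, skipping the current day and
# any day already present in DEST so live logs are never overwritten.
# Each restored name is appended to MANIFEST; prints the number restored.
restore_days() {
    src=$1; dest=$2; today=$3; manifest=$4; n=0
    for p in "$src"/*/; do
        p=${p%/}
        [ -d "$p" ] || continue
        day=$(basename "$p")
        is_day_dir "$day" || { echo "skip $day: not YYYYMMDD" >&2; continue; }
        [ "$day" = "$today" ] && { echo "skip $day: current day" >&2; continue; }
        [ -e "$dest/$day" ] && { echo "skip $day: already in logs" >&2; continue; }
        cp -Rp "$p" "$dest/$day" && echo "$day" >> "$manifest" && n=$((n + 1))
    done
    echo "$n"
}

# cleanup_restored DEST MANIFEST
# Removes only the directories recorded by restore_days; prints the count.
cleanup_restored() {
    dest=$1; manifest=$2; n=0
    [ -f "$manifest" ] || { echo 0; return 0; }
    while IFS= read -r day; do
        is_day_dir "$day" || continue        # ignore unexpected entries
        rm -rf "$dest/$day" && n=$((n + 1))
    done < "$manifest"
    : > "$manifest"
    echo "$n"
}
```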