[Junos] How to make a log file that records almost everything that happens in the device

  [KB22588]


Summary:
This article describes how to create a log file that records almost everything that happens in the device.

Important points:

  • For efficient troubleshooting, follow this article both before and after a case has been logged with JTAC.

  • This article assumes that 'event mode' logging is used.

  • This article explains how to create a log file that captures everything that happens in the device while being neither so crowded that it becomes useless nor so sparse that there is nothing to look at.

Symptoms:
  • At times, customers face a network issue and need relevant logs from the device for building a Root Cause Report (for example, network outage is most common; wherein the logs at the exact time of the issue are needed).

  • In such cases, the logs are either too scanty or over-populated, and the files are rolled over many times before the JTAC engineer can look at them.

  • If the log file is too scanty, then the logs will be insufficient for the JTAC to dig out the relevant information.

  • The solution is to create a log file that includes every activity in the device but excludes the activities that account for about 90% of the log volume.
Cause:

Solution:
Such a file can be created with:

set system syslog file catch-all any any
set system syslog file catch-all match "!RT_"
set system syslog file catch-all archive size 1m
set system syslog file catch-all archive files 3

The match "!RT_" statement excludes the traffic logs (messages whose tag starts with RT_), which are not needed in this file.

file catch-all {
   any any;
   match "!RT_";
   archive size 1m files 3;
}

Another file must be created to catch the traffic logs:

set system syslog file traffic-logs any any
set system syslog file traffic-logs match "RT_"
set system syslog file traffic-logs archive size 1m
set system syslog file traffic-logs archive files 3
set system syslog file traffic-logs structured-data

file traffic-logs {
   any any;
   match "RT_";
   archive size 1m files 3;
   structured-data;
}

  • The catch-all file contains all the 'just-useful' logs, leaving out the high-volume traffic logs.

  • The traffic-logs file catches the traffic logs.


This way you have 2 files at the same time: one dedicated to the device activities and the other to the traffic.
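To make the split above concrete, here is an added example (not from the KB article or from Junos itself) that applies the two match statements to a few constructed syslog lines and checks that every line lands in exactly one of the two files. The sample messages and the junos_match helper are assumptions written for this illustration; the behaviour modelled is the Junos rule that a leading "!" in a match pattern negates the regular expression. Note that screen (RT_IDS/RT_SCREEN_*) messages also begin with RT_, so they end up in traffic-logs rather than catch-all; keep that in mind when collecting files for an incident.

```python
import re

# Constructed sample syslog lines, loosely modelled on Junos message formats.
# These are made-up examples, not captured from a real device.
SAMPLE_LOGS = [
    "Mar  1 10:00:01 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.0.0.1/1234->10.0.0.2/80",
    "Mar  1 10:00:02 srx mgd[1234]: UI_COMMIT: User 'admin' requested 'commit' operation",
    "Mar  1 10:00:03 srx RT_IDS: RT_SCREEN_TCP: SYN flood! source: 10.0.0.9:1 ...",
    "Mar  1 10:00:04 srx rpd[2222]: RPD_OSPF_NBRDOWN: OSPF neighbor 10.1.1.2 state changed from Full to Down",
    "Mar  1 10:00:05 srx chassisd[3333]: CHASSISD_SNMP_TRAP6: SNMP trap generated: Fan failure",
]


def junos_match(pattern: str):
    """Return a predicate modelling a Junos 'match' statement (assumed helper).

    The pattern is a regular expression; a leading '!' negates it, so the
    file keeps only lines that do NOT match the remainder of the pattern.
    """
    negate = pattern.startswith("!")
    regex = re.compile(pattern[1:] if negate else pattern)

    def accept(line: str) -> bool:
        hit = regex.search(line) is not None
        return (not hit) if negate else hit

    return accept


# The two files from the article: catch-all excludes RT_ messages,
# traffic-logs keeps only RT_ messages.
SYSLOG_FILES = {
    "catch-all": junos_match("!RT_"),
    "traffic-logs": junos_match("RT_"),
}


def route_lines(lines, files=SYSLOG_FILES):
    """Deliver each line to every file whose match predicate accepts it."""
    routed = {name: [] for name in files}
    for line in lines:
        for name, accept in files.items():
            if accept(line):
                routed[name].append(line)
    return routed


def is_partition(lines, routed):
    """True when each input line appears in exactly one file: nothing lost, nothing duplicated."""
    counts = {line: 0 for line in lines}
    for bucket in routed.values():
        for line in bucket:
            counts[line] += 1
    return all(count == 1 for count in counts.values())


if __name__ == "__main__":
    result = route_lines(SAMPLE_LOGS)
    for name, bucket in result.items():
        print(f"{name}: {len(bucket)} line(s)")
        for line in bucket:
            print("   ", line)
    print("partition ok:", is_partition(SAMPLE_LOGS, result))
```

With the constructed input, three lines (commit, OSPF, chassis) go to catch-all and the two RT_ lines (the flow session and the screen alert) go to traffic-logs, with no line in both.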

Note:

  • As soon as a network issue occurs, collect all the log files with the chosen file name; here we have used catch-all.

  • The logs are stored in /var/log/; collect the current file together with its archived copies as soon as the issue happens.

The files will look like this:

file list /var/log/catch-all*
catch-all
catch-all.0.gz
catch-all.1.gz
catch-all.2.gz