
[ScreenOS] Traffic Log to USB drive is overwritten with high session creation rate


Article ID: KB28100 KB Last Updated: 11 Sep 2013Version: 1.0
Summary:

This article describes the behavior of writing traffic logs to a USB drive when the session creation rate is high: under that load, writing the traffic log to the USB memory is incomplete. The workaround for checking the complete traffic log is to gather the output of get log traffic, which is stored in the internal buffer.

Symptoms:

The internal traffic log queue holds 4096, 32765, or 16384 entries, depending on the ScreenOS platform.

The traffic logs can be checked with the get log traffic command.

get log traffic

SSG550-> get log traffic
PID 1, from Trust to Untrust, src Any, dst Any, service ANY, action Permit
Total traffic entries matched under this policy = 4096
===================================================================================
Date Time Duration Source IP Port Destination IP Port Service SessionID In Interface
Reason Protocol Xlated Src IP Port Xlated Dst IP Port ID PID Out Interface
===================================================================================
2013-09-03 16:58:27 0:00:04 10.1.1.10 12568 20.1.1.20 4 ICMP 255401 ethernet0/0
Close - RESP 1 10.1.1.10 12568 20.1.1.20 4 1 ethernet0/1
2013-09-03 16:58:27 0:00:04 10.1.1.10 12560 20.1.1.20 4 ICMP 255583 ethernet0/0
Close - RESP 1 10.1.1.10 12560 20.1.1.20 4 1 ethernet0/1

With the following configuration, the ScreenOS device also transfers the traffic records to the USB device, writing the same categories of traffic log to the USB drive.

set log usb enable
set policy from <zone1> to <zone2> <source address> <destination address> <service> permit log

<USB Logs>
2013-09-03 16:58:11 [Root]system-traffic-information: 0:00:03 src 10.1.1.10:8843 dst 30.1.1.20:4 xlated-src 10.1.1.10:8843 xlated-dst 30.1.1.20:4 ICMP Close - RESP
2013-09-03 16:58:11 [Root]system-traffic-information: 0:00:03 src 10.1.1.10:8946 dst 30.1.1.10:4 xlated-src 10.1.1.10:8946 xlated-dst 30.1.1.10:4 ICMP Close - RESP
2013-09-03 16:58:11 [Root]system-traffic-information: 0:00:03 src 10.1.1.10:8857 dst 30.1.1.20:4 xlated-src 10.1.1.10:8857 xlated-dst 30.1.1.20:4 ICMP Close - RESP
2013-09-03 16:58:11 [Root]system-traffic-information: 0:00:04 src 10.1.1.10:8754 dst 30.1.1.10:4 xlated-src 10.1.1.10:8754 xlated-dst 30.1.1.10:4 ICMP Close - RESP
2013-09-03 16:58:11 [Root]system-traffic-information: 0:00:03 src 10.1.1.10:8869 dst 30.1.1.20:4 xlated-src 10.1.1.10:8869 xlated-dst 30.1.1.20:4 ICMP Close - RESP
2013-09-03 16:58:11 [Root]system-traffic-information: 0:00:04 src 10.1.1.10:8709 dst 30.1.1.20:4 xlated-src 10.1.1.10:8709 xlated-dst 30.1.1.20:4 ICMP Close - RESP
:
:
:

When sessions are created at a high rate, such as 2msec/session, the ScreenOS device is not able to transfer all of the traffic log entries to the USB device, and it records the following event log message:

event log

2013-09-03 18:10:51 system notif 00628 audit log queue Traffic Log is overwritten

Cause:

The buffer used for writing logs to the USB drive is smaller than the internal traffic log buffer. With this small buffer size and a fast rate of session creation, the device is likely to lose a few logs when writing to the USB drive. When the log buffer for the USB drive overflows, it overwrites the earliest message in the buffer, and each time this overwrite happens the event log message shown above is generated. This is by design on ScreenOS devices.

Solution:

If you find a few logs missing from the USB drive, first check the event logs to see whether the traffic log was overwritten.

The workaround for checking the complete traffic log is to gather the output of get log traffic, which is stored in the internal buffer.
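The check described above can be scripted. The following is an added Python example written for this article, not Juniper code: it parses the three outputs in the layouts the article shows (get log traffic, the USB log file, and the event log), lists internal records that never reached the USB drive, and reports whether event 00628 was logged in the same period, which is what makes the gap expected rather than a sign of a different fault. The embedded log lines are constructed for the example; the two extra ICMP sessions that appear only in the internal log are made up to produce a gap.

```python
"""Reconcile the ScreenOS internal traffic log with the USB traffic log.

Added example for this KB article, not Juniper code. Record layouts follow
the samples in the article; the sample log lines below are constructed.
"""
import re
from typing import Dict, List, NamedTuple


class FlowKey(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    service: str
    duration: str


# First line of a two-line `get log traffic` record:
# date time duration src_ip src_port dst_ip dst_port service session_id in_if
INTERNAL_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+:\d{2}:\d{2}) "
    r"(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) (\S+)$"
)
# One line of the USB log written when `set log usb enable` is configured
USB_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[Root\]system-traffic-information: "
    r"(\d+:\d{2}:\d{2}) src (\S+):(\d+) dst (\S+):(\d+) "
    r"xlated-src \S+:\d+ xlated-dst \S+:\d+ (\S+) (.*)$"
)
# Event log message 00628 quoted in the article
OVERWRITE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) system notif 00628 "
    r"audit log queue Traffic Log is overwritten$"
)


def parse_internal(text: str) -> List[FlowKey]:
    """Flow keys from `get log traffic` output; banner, header and the
    second line of each record do not match INTERNAL_RE and are skipped."""
    keys = []
    for line in text.splitlines():
        m = INTERNAL_RE.match(line.strip())
        if m:
            _, dur, src, sport, dst, dport, svc, _, _ = m.groups()
            keys.append(FlowKey(src, int(sport), dst, int(dport), svc, dur))
    return keys


def parse_usb(text: str) -> List[FlowKey]:
    """Flow keys from the USB log file, using the pre-NAT addresses."""
    keys = []
    for line in text.splitlines():
        m = USB_RE.match(line.strip())
        if m:
            _, dur, src, sport, dst, dport, svc, _ = m.groups()
            keys.append(FlowKey(src, int(sport), dst, int(dport), svc, dur))
    return keys


def overwrite_events(text: str) -> List[str]:
    """Timestamps of every 'Traffic Log is overwritten' notification."""
    return [m.group(1) for m in
            (OVERWRITE_RE.match(l.strip()) for l in text.splitlines()) if m]


def reconcile(internal_text: str, usb_text: str, event_text: str) -> Dict:
    """Internal records absent from the USB log, plus whether the event
    log shows the USB buffer overwrite that explains the gap."""
    internal = parse_internal(internal_text)
    usb = set(parse_usb(usb_text))
    missing = [k for k in internal if k not in usb]
    events = overwrite_events(event_text)
    return {
        "internal_records": len(internal),
        "usb_records": len(usb),
        "missing_from_usb": missing,
        "overwrite_events": events,
        "explained_by_overwrite": bool(missing) and bool(events),
    }


# Constructed sample data in the formats the article shows.
INTERNAL_SAMPLE = """\
SSG550-> get log traffic
PID 1, from Trust to Untrust, src Any, dst Any, service ANY, action Permit
Total traffic entries matched under this policy = 4
Date Time Duration Source IP Port Destination IP Port Service SessionID In Interface
Reason Protocol Xlated Src IP Port Xlated Dst IP Port ID PID Out Interface
2013-09-03 16:58:27 0:00:04 10.1.1.10 12568 20.1.1.20 4 ICMP 255401 ethernet0/0
Close - RESP 1 10.1.1.10 12568 20.1.1.20 4 1 ethernet0/1
2013-09-03 16:58:27 0:00:04 10.1.1.10 12560 20.1.1.20 4 ICMP 255583 ethernet0/0
Close - RESP 1 10.1.1.10 12560 20.1.1.20 4 1 ethernet0/1
2013-09-03 16:58:27 0:00:03 10.1.1.10 12571 20.1.1.20 4 ICMP 255602 ethernet0/0
Close - RESP 1 10.1.1.10 12571 20.1.1.20 4 1 ethernet0/1
2013-09-03 16:58:28 0:00:03 10.1.1.10 12580 20.1.1.20 4 ICMP 255640 ethernet0/0
Close - RESP 1 10.1.1.10 12580 20.1.1.20 4 1 ethernet0/1
"""
USB_SAMPLE = """\
2013-09-03 16:58:27 [Root]system-traffic-information: 0:00:04 src 10.1.1.10:12568 dst 20.1.1.20:4 xlated-src 10.1.1.10:12568 xlated-dst 20.1.1.20:4 ICMP Close - RESP
2013-09-03 16:58:27 [Root]system-traffic-information: 0:00:04 src 10.1.1.10:12560 dst 20.1.1.20:4 xlated-src 10.1.1.10:12560 xlated-dst 20.1.1.20:4 ICMP Close - RESP
"""
EVENT_SAMPLE = "2013-09-03 18:10:51 system notif 00628 audit log queue Traffic Log is overwritten\n"

if __name__ == "__main__":
    report = reconcile(INTERNAL_SAMPLE, USB_SAMPLE, EVENT_SAMPLE)
    for key in report["missing_from_usb"]:
        print("missing from USB:", key)
    print("overwrite events:", report["overwrite_events"])
```

The match key deliberately uses the pre-NAT addresses, the service and the session duration, because those fields are present in both outputs; the session ID exists only in the internal log. If the report lists missing records but no 00628 event, the loss is not the buffer overwrite this article describes and deserves a closer look.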
