Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[STRM/JSA] Determining which log sources are generating the most events

0

0

Article ID: KB34700 KB Last Updated: 09 Jul 2019Version: 1.0
Summary:

Sometimes, users may need to know which log sources are heavily used and are generating the most events to decide how to distribute workload among the event collectors.

This article details the steps to determine the log sources that are generating the most events to help with your load distribution.

 

Symptoms:

Disproportionate load distribution in a multiple-collector deployment

 

Solution:

To help you determine which log sources are sending the most data, create a saved search by performing the following steps:

  1. Go to the Log Activity tab.
  2. Click Search > New Search.

  3. Load Inbound events by Country/Region saved search and leave Unique Counts disabled.

  4. Go to the Column Definition section.

  5. Remove the Geographic Country/Region column from the "Group by" section.

  6. Add the Event Processor column to the "Group by" section.

  7. Leave the Order By option set to Event count(sum).

  8. Go to the Search Parameters section.

  9. Leave the Direction is Remote to Local (Direction is R2L) filter as is.

  10. Set the Event Processor filter to your event processor.

  11. Click Search.

  12. Click the Log Source (Unique count) column to view the associated log sources.

This will display all the Log Sources and their Event count (sum), and will give you an idea of which log sources are generating the most events. When you have this information, you can balance your log sources over multiple Event Collectors.

 

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search