Knowledge Search


[ScreenOS] Storing Log Data

  [KB4258] Show Article Properties

All Juniper Firewall devices allow you to store event and traffic log data internally (in flash storage) and externally (in a number of locations). Although storing log information internally is convenient, the amount of memory is limited. When the internal storage space is full, the Firewall device begins overwriting the oldest log entries with the latest ones. If this first-in-first-out (FIFO) mechanism occurs before you save the logged information, you can lose data. To mitigate such data loss, you can store event and traffic logs externally in a syslog or WebTrends server, or in the NetScreen-Global PRO database. The Firewall device sends new event and traffic log entries to an external storage location every second.

Where can I store log data?


Note: This article applies to ScreenOS 4.0 and newer.

The following list provides the possible destinations for logged data:

  • Console: A useful destination for all log entries to appear when you are troubleshooting a NetScreen device through the console. Optionally, you might elect to have only alarm messages (critical, alert, emergency) appear here to alert you immediately if you are using the console at the time an alarm is triggered.
  • Internal: The internal database on a NetScreen device is a convenient destination for log entries, but has limited space.
  • Email: A convenient method for sending event and traffic logs to remote administrators.
  • SNMP: In addition to the transmission of SNMP traps, a NetScreen device can also send alarm messages (critical, alert, emergency) from its event log to an SNMP community.
  • Syslog: All event and traffic log entries that a NetScreen device can store internally, it can also send to a syslog server. Because syslog servers have a much greater storage capacity than the internal flash storage on a NetScreen device, sending data to a syslog server can mitigate data loss that might occur when log entries exceed the maximum internal storage space. Syslog stores alert- and emergency-level events in the security facility that you specify, and all other events (including traffic data) in the facility you specify.
  • WebTrends: Allows you to view log data for critical-, alert-, and emergency-level events in a more graphical format than syslog, which is a text-based tool.
  • CompactFlash (PCMCIA): The advantage of this destination is portability. After storing data on a CompactFlash card, you can physically remove the card from the NetScreen device and store it or load it on another device.

note: For more information on enabling these logging features, go to: Configuring the NetScreen Traffic Log.

Related Links: