Security Director FAQ
This section includes our most frequently asked questions on Security Director. To learn more about the product, please see our User Guide.
Topics on this Page
- Log Collector Node Failure
- Unable to View Logs on the Monitor Page In Security Director
- Adding a Log Collector Node
- Monitoring Logs In Log Collector
- Increasing the Disk Size of Log Collector
- Unable to View System Logs Information
- Status of Log Collector Node Is Down
- Load Balance in Log Reception
- Unable to View Logging Infrastructure Information
Log Collector Node Failure
Problem
Description: What should I do if the Log Collector node fails to get added to Security Director?
Cause
You can only configure the IP address of a Log Collector node with the configuration script. If an IP address is configured manually, then the Log Collector node cannot be added to Security Director.
Solution
Verify that the following entry appears in the /etc/hosts file:<IP>LOG-COLLECTOR
localhost.localdomain localhost. If you do not see
this entry, then re-create the entry and add the node back through
the Security Director administration workspace.
Unable to View Logs on the Monitor Page In Security Director
Problem
Description: What should I do if I do not see logs on the Monitor page in Security Director ? I can see that logs are received on the Log Receiver node.
Cause
There could be a time mismatch between the Log Collector node and the Junos Space server.
Solution
The Log Collector and the Junos Space Network Management Platform must be synchronized with the NTP server. Use NTP to synchronize the time between nodes.
Adding a Log Collector Node
Problem
Description: I refreshed the Log Space server after I added the Log Collector node. The node failed to get added to Security Director. I see the following message: node is part of another Fabric. What should I do?
Cause
The node is added to another Junos Space server or the Junos Space server where it was added is no longer present.
Solution
You must delete the existing Log Collector node from Security Director > Administration > Logging Management > Logging Nodes before adding another Log Collector node.
- Log in to the Log Collector node using root credentials
and delete the following file:
/etc/specialNodeAgent/nodeAdded-<IP>. - Add another Log Collector node to Security Director > Administration > Logging Management > Logging Nodes.
Monitoring Logs In Log Collector
Problem
Description: How long are logs retained in Log Collector before they are recycled automatically to accommodate new logs?
Solution
System logs are retained until 80% of the disk space is utilized on the Log Collector node. Older logs are deleted to ensure that 20% of the disk space is free to store new logs.
Increasing the Disk Size of Log Collector
Problem
Description: How do I increase the disk size of Log Collector from the default storage limit of 500 GB?
Solution
You can use the resizeFS.sh script to increase the disk size.
Unable to View System Logs Information
Problem
Description: I do not see all of the information about system logs on the Security Director > Monitor > Events & Logs pages. However, the raw log shows the complete log information. What should I do?
Cause
The system logs that are received might not be structured system logs.
Solution
You must ensure that only the structured system logs are sent to Log Collector, so that they are parsed and all the fields are displayed properly.
Status of Log Collector Node Is Down
Problem
Description: What should I do if the application status of any of the Log Collector nodes is shown as Down under Administration > Logging Management > Logging Nodes?
Solution
The application status is shown as Down if the respective service is down. You must restart the service.
To restart each service:
For All-in-One node:
- Log in to the node using root credentials.
- Run the service logstash start command to start the Log Receiver service.
- Run the service elasticsearch start command to start the Log Indexer service.
For Log Receiver node:
- Log in to the node using root credentials.
- Run the service logstash start command to start the Log Receiver service.
For Log Indexer node:
- Log in to the node using root credentials.
- Run the service elasticsearch start command to start the Log Indexer service.
Load Balance in Log Reception
Problem
Description: I have a 10K events per second (eps) setup with two log receivers. I configured X number of devices to send logs between the receivers. The first log receiver is heavily loaded (a high reception rate) while the other log receiver is not. How do I load balance the log reception between the receivers?
Solution
To load balance log reception:
- Select Security Director > Administration > Logging Management > Logging Devices.
- Check the average log reception rate for each log receiver node.
- Check the Device Configuration section to see the logs based on the device. You can find the rate at which each device sends its logs.
- Reconfigure the devices so that the load is balanced between the two log receivers.
Unable to View Logging Infrastructure Information
Problem
Description: I am unable to find the problem with my logging infrastructure and want to contact support. What information should I have handy?
Solution
You can use the diagnostics tool that scans through all of your Log Collector nodes. The tool gathers log files, configuration settings, and other health status information and then bundles all the information in a zip file. You can run this tool and generate the dump file.
To run the diagnostics tool:
- Log in to the Log Indexer node (or All-in-One node) using root credentials.
- Run the healthcheckOSLC script. The initial
screening confirmation window appears.
- Enter Yes to gather more information. A high
level summary report appears.
- Press Enter to generate the detailed report.
You can find the detailed dump file in /opt/system-diagnostics/out/<Date-Time> syslog-capture.pcap.