Security Director FAQ

This section includes our most frequently asked questions on Security Director. To learn more about the product, please see our User Guide.

Log Collector Node Failure

Problem

Description: What should I do if the Log Collector node fails to get added to Security Director?

Cause

You can only configure the IP address of a Log Collector node with the configuration script. If an IP address is configured manually, then the Log Collector node cannot be added to Security Director.

Solution

Verify that the following entry appears in the /etc/hosts file: <IP> LOG-COLLECTOR localhost.localdomain localhost. If you do not see this entry, re-create it and add the node back through the Security Director administration workspace.

Unable to View Logs on the Monitor Page In Security Director

Problem

Description: What should I do if I do not see logs on the Monitor page in Security Director? I can see that logs are received on the Log Receiver node.

Cause

There could be a time mismatch between the Log Collector node and the Junos Space server.

Solution

The Log Collector node and the Junos Space Network Management Platform must both be synchronized to the same NTP server. Configure NTP on every node so that their clocks stay aligned; logs whose timestamps fall outside the window the Monitor page queries are not displayed.

Adding a Log Collector Node

Problem

Description: I refreshed the Junos Space server after I added the Log Collector node. The node failed to get added to Security Director, and I see the message "node is part of another Fabric". What should I do?

Cause

The node was previously added to another Junos Space server, or the Junos Space server to which it was added is no longer present, so the node still carries the registration marker from that earlier fabric.

Solution

You must delete the existing Log Collector node from Security Director > Administration > Logging Management > Logging Nodes before adding another Log Collector node.

  1. Log in to the Log Collector node using root credentials and delete the following file: /etc/specialNodeAgent/nodeAdded-<IP>.

  2. Add another Log Collector node to Security Director > Administration > Logging Management > Logging Nodes.
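The three failure causes above (a hand-edited /etc/hosts, clock skew against the Junos Space server, and a stale nodeAdded-<IP> marker) can be checked in one pass before the node is re-added. The script below is an added example and not code shipped with Security Director or Log Collector; the 30-second skew limit, the optional path arguments, and the lc_ function names are assumptions made for this example. Run it as root on the Log Collector node, passing the node's IP address and the Junos Space server's current time as an epoch value (the output of date +%s on that host).

```shell
#!/usr/bin/env bash
# Added example, not code from the Security Director or Log Collector product.
# Pre-flight checks for a Log Collector node that fails to join Security
# Director. The 30 s skew limit and the optional path arguments are
# assumptions made for this example.

# 0 if hosts_file holds "<ip> LOG-COLLECTOR localhost.localdomain localhost".
# Fields are compared token by token, so 10.0.0.5 cannot match 10.0.0.50 and
# a commented-out copy of the entry does not count as present.
lc_hosts_entry_present() {
    local hosts_file=$1 ip=$2
    awk -v ip="$ip" '
        $1 == ip && $2 == "LOG-COLLECTOR" &&
        $3 == "localhost.localdomain" && $4 == "localhost" { found = 1 }
        END { if (found) exit 0; exit 1 }' "$hosts_file"
}

# 0 if two epoch timestamps differ by at most max_skew seconds (default 30).
lc_clock_skew_ok() {
    local local_epoch=$1 remote_epoch=$2 max_skew=${3:-30}
    local diff=$(( local_epoch - remote_epoch ))
    [ "$diff" -lt 0 ] && diff=$(( -diff ))
    [ "$diff" -le "$max_skew" ]
}

# Prints the path of a stale nodeAdded-<ip> marker if one exists; 1 otherwise.
lc_stale_marker() {
    local ip=$1 marker_dir=${2:-/etc/specialNodeAgent}
    local marker="$marker_dir/nodeAdded-$ip"
    [ -e "$marker" ] || return 1
    printf '%s\n' "$marker"
}

# Runs all three checks and prints one PASS/FAIL line each. Returns the number
# of failed checks, so 0 means the node is ready to be added.
#   lc_preflight <ip> <space_server_epoch> [hosts_file] [marker_dir]
lc_preflight() {
    local ip=$1 space_epoch=$2 hosts_file=${3:-/etc/hosts}
    local marker_dir=${4:-/etc/specialNodeAgent} failures=0 marker

    if lc_hosts_entry_present "$hosts_file" "$ip"; then
        echo "PASS hosts entry for $ip present in $hosts_file"
    else
        echo "FAIL add '$ip LOG-COLLECTOR localhost.localdomain localhost' to $hosts_file"
        failures=$(( failures + 1 ))
    fi

    if lc_clock_skew_ok "$(date +%s)" "$space_epoch"; then
        echo "PASS clock within 30 s of the Junos Space server"
    else
        echo "FAIL clock skew exceeds 30 s; sync both nodes to the same NTP server"
        failures=$(( failures + 1 ))
    fi

    if marker=$(lc_stale_marker "$ip" "$marker_dir"); then
        echo "FAIL stale marker $marker; delete it before re-adding the node"
        failures=$(( failures + 1 ))
    else
        echo "PASS no stale nodeAdded marker for $ip"
    fi
    return "$failures"
}

# Stand-alone use: bash lc_preflight.sh <ip> <space_server_epoch>
if [ $# -ge 2 ]; then lc_preflight "$@"; fi
```

The exit status is the number of failed checks, so the script can be used as a gate in a provisioning job: only when it returns 0 does re-adding the node under Administration > Logging Management > Logging Nodes have a chance of succeeding.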

Monitoring Logs In Log Collector

Problem

Description: How long are logs retained in Log Collector before they are recycled automatically to accommodate new logs?

Solution

System logs are retained until 80% of the disk space is utilized on the Log Collector node. Older logs are deleted to ensure that 20% of the disk space is free to store new logs.

Increasing the Disk Size of Log Collector

Problem

Description: How do I increase the disk size of Log Collector from the default storage limit of 500 GB?

Solution

You can use the resizeFS.sh script to increase the disk size.

Unable to View System Logs Information

Problem

Description: I do not see all of the information about system logs on the Security Director > Monitor > Events & Logs pages. However, the raw log shows the complete log information. What should I do?

Cause

The system logs that are received might not be structured system logs.

Solution

You must ensure that only structured system logs (on Junos devices, the structured-data, or sd-syslog, format) are sent to Log Collector, so that they are parsed and all the fields are displayed properly. Unstructured logs are stored as raw text only, which is why the raw log shows the complete message while the parsed fields are empty.
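To find which devices are still sending unstructured logs, classify a sample of the lines arriving at the Log Receiver per sending host. The script below is an added example, not part of the Security Director documentation: it treats a line as structured when it carries an RFC 5424 structured-data element (an SD-ID of the form name@enterprise-number, such as the junos@2636... element in Junos sd-syslog output) and tallies structured and unstructured lines per host. The sample lines and host names are constructed for this example; on a Log Receiver node, feed it real lines from the raw log or a packet capture instead.

```shell
#!/usr/bin/env bash
# Added example, not part of the Security Director documentation. Classifies
# syslog lines as structured (RFC 5424 with a [name@enterprise ...] element)
# or unstructured, per sending host. Sample lines below are constructed.

# 0 if the line carries an RFC 5424 structured-data element, else 1.
# The SD-ID is "name@enterprise-number" followed by key="value" parameters
# or a closing bracket.
lc_is_structured() {
    printf '%s\n' "$1" | grep -Eq '\[[A-Za-z0-9_.-]+@[0-9][0-9.]*[] ]'
}

# Reads syslog lines on stdin and prints
#   <host> structured=<n> unstructured=<m>
# per sending host, sorted by host. The host is field 3 of an RFC 5424 line
# (<PRI>1 TIMESTAMP HOST ...) and field 4 of a classic
# "<PRI>Mmm dd hh:mm:ss HOST ..." line.
lc_structured_tally() {
    awk '
        {
            host = ($1 ~ /^<[0-9]+>1$/) ? $3 : $4
            if ($0 ~ /\[[A-Za-z0-9_.-]+@[0-9][0-9.]*[] ]/) s[host]++; else u[host]++
            seen[host] = 1
        }
        END {
            for (h in seen)
                printf "%s structured=%d unstructured=%d\n", h, s[h] + 0, u[h] + 0
        }' | sort
}

# Constructed sample: srx-a sends sd-syslog, srx-b still sends plain syslog.
LC_SAMPLE_LINES='<14>1 2019-03-01T10:00:00.000Z srx-a RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.39 source-address="10.1.1.5" destination-address="8.8.8.8"] session created
<14>Mar  1 10:00:01 srx-b RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.6/4242->8.8.8.8/53
<14>1 2019-03-01T10:00:02.000Z srx-a RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.39 reason="TCP FIN"] session closed
<14>Mar  1 10:00:03 srx-b RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed'

printf '%s\n' "$LC_SAMPLE_LINES" | lc_structured_tally
```

Any host that shows a non-zero unstructured count is a device whose syslog export has to be switched to the structured format before its events will populate the Events & Logs pages.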

Status of Log Collector Node Is Down

Problem

Description: What should I do if the application status of any of the Log Collector nodes is shown as Down under Administration > Logging Management > Logging Nodes?

Solution

The application status is shown as Down if the respective service is down. You must restart the service.

To restart each service:

For All-in-One node:

  1. Log in to the node using root credentials.

  2. Run the service jingest start command to start the Log Receiver service.

    Note: Starting with Log Collector version 16.1, the logstash process no longer runs on the Log Receiver node; the jingest process runs instead.

  3. Run the service elasticsearch start command to start the Log Indexer service.

For Log Receiver node:

  1. Log in to the node using root credentials.

  2. Run the service jingest start command to start the Log Receiver service.

For Log Indexer node:

  1. Log in to the node using root credentials.

  2. Run the service elasticsearch start command to start the Log Indexer service.
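The three procedures above differ only in which services a node role runs. The script below is an added example, not code shipped with Log Collector: it checks each service the role should run with service <name> status and issues the same service jingest start or service elasticsearch start command from the steps above only for the services that are actually down. The role names (all-in-one, receiver, indexer) and the SERVICE override, which lets the logic be exercised without a real init system, are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not code shipped with Log Collector. Restarts only the Log
# Collector services that are down, according to the node role. Role names and
# the SERVICE override are assumptions made for this example.

# The services each role is expected to run (Log Collector 16.1 and later,
# where jingest has replaced logstash on the receiver).
lc_services_for_role() {
    case $1 in
        all-in-one) echo "jingest elasticsearch" ;;
        receiver)   echo "jingest" ;;
        indexer)    echo "elasticsearch" ;;
        *) echo "unknown role '$1' (expected all-in-one, receiver or indexer)" >&2
           return 2 ;;
    esac
}

# Front end for the init scripts; overridable so the logic can be tested.
SERVICE=${SERVICE:-service}

# Starts every service for ROLE that "service <name> status" reports as not
# running, then re-checks it. Prints one line per service and returns the
# number of services still down, so 0 means the node should show Up again.
lc_restart_down_services() {
    local role=$1 svc still_down=0 services
    services=$(lc_services_for_role "$role") || return 2
    for svc in $services; do
        if "$SERVICE" "$svc" status >/dev/null 2>&1; then
            echo "$svc: running"
            continue
        fi
        if "$SERVICE" "$svc" start >/dev/null 2>&1 &&
           "$SERVICE" "$svc" status >/dev/null 2>&1; then
            echo "$svc: was down, started"
        else
            echo "$svc: FAILED to start; check the service's own log before retrying"
            still_down=$(( still_down + 1 ))
        fi
    done
    return "$still_down"
}

# Stand-alone use as root: bash lc_restart.sh all-in-one|receiver|indexer
if [ -n "${1:-}" ]; then lc_restart_down_services "$1"; fi
```

Starting a service that is already running is harmless, but checking status first keeps the script safe to run from a cron job or a monitoring hook without bouncing a healthy indexer; the non-zero return when a start fails is the signal to look at the service log rather than retry blindly.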

Load Balance in Log Reception

Problem

Description: I have a 10K events per second (eps) setup with two log receivers. I configured X number of devices to send logs between the receivers. The first log receiver is heavily loaded (a high reception rate) while the other log receiver is not. How do I load balance the log reception between the receivers?

Solution

To load balance log reception:

  1. Select Security Director > Administration > Logging Management > Logging Devices.

  2. Check the average log reception rate for each log receiver node.

  3. Check the Device Configuration section to see the logs per device. This shows the rate at which each device sends its logs.

  4. Reconfigure the devices, starting with the heaviest senders, so that the total reception rate is balanced between the two log receivers.
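Step 4 is easier with a plan computed from the per-device rates read in step 3. The script below is an added example and not a Security Director feature: it sorts the devices by rate and assigns each, largest first, to the receiver with the smallest total so far, then prints the resulting per-receiver totals. The device names, rates and receiver names are constructed for this example and happen to add up to the 10K eps of the setup above; the receivers are named lr1 and lr2 by assumption. Each device can only send to one receiver, so a single device that alone exceeds half of the total rate cannot be balanced by reassignment.

```shell
#!/usr/bin/env bash
# Added example, not a Security Director feature. Plans a device-to-receiver
# assignment that evens out the log reception rate. Rates and names below are
# constructed for this example.

# Input on stdin: "<device> <events-per-second>" per line.
# Output: "<device> <rate> -> <receiver>" per device, then "total <receiver> <eps>".
# Greedy rule: largest device first, to the receiver with the lowest load so far
# (ties go to the first receiver listed). Not optimal in general, but close
# enough to spread load evenly when no single device dominates.
lc_balance_plan() {
    local receivers=$1    # comma-separated receiver names, e.g. "lr1,lr2"
    sort -k2,2nr | awk -v recv="$receivers" '
        BEGIN {
            n = split(recv, name, ",")
            for (i = 1; i <= n; i++) load[i] = 0
        }
        NF >= 2 {
            best = 1
            for (i = 2; i <= n; i++) if (load[i] < load[best]) best = i
            load[best] += $2
            printf "%s %d -> %s\n", $1, $2, name[best]
        }
        END {
            for (i = 1; i <= n; i++) printf "total %s %d\n", name[i], load[i]
        }'
}

# Constructed sample: six devices sending 10,000 eps in total.
LC_SAMPLE_RATES='srx-core1 4000
srx-core2 2500
srx-edge1 1500
srx-edge2 1200
srx-branch1 500
srx-branch2 300'

printf '%s\n' "$LC_SAMPLE_RATES" | lc_balance_plan lr1,lr2
```

For the sample above the plan puts srx-core1 and srx-edge2 on lr1 (5,200 eps) and the other four devices on lr2 (4,800 eps); the same function accepts more than two receivers (lr1,lr2,lr3). Apply the plan by changing the syslog destination on each device that the output moves, then re-check the average reception rate per node under Logging Devices.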

Unable to View Logging Infrastructure Information

Problem

Description: I am unable to find the problem with my logging infrastructure and want to contact support. What information should I have handy?

Solution

You can use the diagnostics tool, which scans all of your Log Collector nodes, gathers log files, configuration settings, and other health-status information, and bundles everything into a zip file. Run this tool to generate the dump file before contacting support.

To run the diagnostics tool:

  1. Log in to the Log Indexer node (or All-in-One node) using root credentials.

  2. Run the healthcheckOSLC script. The initial screening confirmation window appears.

  3. Enter Yes to gather more information. A high level summary report appears.

  4. Press Enter to generate the detailed report.

The detailed dump file is written to /opt/system-diagnostics/out/<Date-Time>, alongside a syslog-capture.pcap. Because the bundle contains node configuration and captured syslog traffic, review its contents before sending it to support.

Unable to View Devices Under Logging Devices

Problem

Description: I am unable to view devices under Logging Devices after configuring devices to send logs to Log Collector.

Solution

Devices that are configured to send logs to Log Collector can take up to an hour to appear under Logging Devices; wait for that interval before troubleshooting further.

Spotlight Secure Customers and Policy Enforcer Licenses

Problem

Description: I am an existing Spotlight Secure customer. Do I need to purchase additional licenses to use Policy Enforcer within Security Director?

Solution

No, the existing Spotlight Secure license (SPOT-CC) entitles you to use Policy Enforcer. There is no need to re-issue or transfer any licenses. You must, however, make sure you are using a supported version of Security Director. In addition, the SPOT-CC license gives you access to Command and Control (C&C) feeds, GeoIP feeds, and custom feeds.

What Hypervisor Does Policy Enforcer Support

Problem

Description: What hypervisor does Policy Enforcer support?

Solution

Policy Enforcer supports only the VMware ESXi hypervisor.

Policy Enforcer Virtual Machine

Problem

Description: If I want to manage Sky ATP with Security Director, do I have to install the Policy Enforcer virtual machine?

Solution

Yes. Policy Enforcer itself is installed on a virtual machine and uses RESTful APIs to communicate with both Security Director and Sky ATP.
