Security Director FAQ
This topic includes the most frequently asked
questions on Security Director. To learn more about the product, please
see our User Guide.
What should I do if the Log Collector node fails to get added
to Security Director?
You can only configure the IP address of a Log Collector node
with the configuration script. If an IP address is configured manually,
then the Log Collector node cannot be added to Security Director.
Verify that the following entry appears in the /etc/hosts file:
<IP> LOG-COLLECTOR localhost.localdomain localhost
If you do not see this entry, re-create it and add the node back through
the Security Director administration workspace.
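As an added example (not part of the original FAQ or the product), the check below parses a constructed /etc/hosts sample and verifies that the LOG-COLLECTOR entry exists and maps to the expected node IP; the IP address and the function names are assumptions for illustration.

```python
import ipaddress

# Constructed sample of an /etc/hosts file as it might look on a
# Log Collector node. The IP address is a placeholder, not a real node.
SAMPLE_HOSTS = """\
127.0.0.1   localhost.localdomain localhost
# entry written by the Log Collector configuration script
192.0.2.10  LOG-COLLECTOR localhost.localdomain localhost
"""

def parse_hosts(text):
    """Return a list of (ip, [hostnames]) tuples, skipping comments,
    blank lines and lines whose first field is not a valid IP address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed line, ignore it
        entries.append((str(ip), fields[1:]))
    return entries

def check_log_collector_entry(text, node_ip):
    """Verify the entry the FAQ asks for:
    <IP> LOG-COLLECTOR localhost.localdomain localhost
    Returns (ok, reason) so a caller can report why the check failed."""
    required = ["LOG-COLLECTOR", "localhost.localdomain", "localhost"]
    node_ip = str(ipaddress.ip_address(node_ip))   # normalise the expected IP
    for ip, names in parse_hosts(text):
        if "LOG-COLLECTOR" not in names:
            continue
        if ip != node_ip:
            return False, f"LOG-COLLECTOR maps to {ip}, expected {node_ip}"
        missing = [n for n in required if n not in names]
        if missing:
            return False, f"entry for {ip} lacks {missing}"
        return True, "entry present"
    return False, "no LOG-COLLECTOR entry; re-create it and re-add the node"

if __name__ == "__main__":
    print(check_log_collector_entry(SAMPLE_HOSTS, "192.0.2.10"))
```

The check only confirms the hosts entry; whether the IP was set by the configuration script rather than by hand cannot be read from the file.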
What should I do if I do not see logs on the Monitor page in
Security Director? I can see that logs are received on the Log Receiver
node.
There could be a time mismatch between the Log Collector node
and the Junos Space server.
The Log Collector and the Junos Space Network Management Platform
must be synchronized with the NTP server. Use NTP to synchronize the
time between nodes.
I refreshed the Log Space server after I added the Log Collector
node. The node failed to get added to Security Director. I see the
following message: node is part of another Fabric. What should I do?
The node is added to another Junos Space server or the Junos
Space server where it was added is no longer present.
You must delete the existing Log Collector node from Security
Director > Administration > Logging Management > Logging Nodes before
adding another Log Collector node.
Procedure
- Log in to the Log Collector node using root credentials
and delete the following file:
/etc/specialNodeAgent/nodeAdded-<IP>
- Add another Log Collector node to Security Director >
Administration > Logging Management > Logging Nodes.
How long are logs retained in Log Collector before they are
recycled automatically to accommodate new logs?
System logs are retained until 80% of the disk space is utilized
on the Log Collector node. Older logs are deleted to ensure that 20%
of the disk space is free to store new logs.
How do I increase the disk size of Log Collector from the default
storage limit of 500 GB?
You can use the resizeFS.sh script to increase the disk size.
I do not see all of the information about system logs on the
Security Director > Monitor > Events & Logs pages. However, the
raw log shows the complete log information. What should I do?
The system logs that are received might not be structured system
logs.
You must ensure that only the structured system logs are sent
to Log Collector, so that they are parsed and all the fields are displayed
properly.
What should I do if the application status of any of the Log
Collector nodes is shown as Down under Administration > Logging Management
> Logging Nodes?
The application status is shown as Down if the respective service
is down. You must restart the service.
To restart each service:
Procedure
- Log in to the node using root credentials.
- Run the service jingest start command to start
the Log Receiver service.
Note: Starting with Log Collector version 16.1, the logstash
process no longer runs on the Log Receiver node; the jingest
process runs instead.
- Run the service elasticsearch start command
to start the Log Indexer service.
I have a 10K events per second (eps) setup with two log receivers.
I configured X number of devices to send logs between the receivers.
The first log receiver is heavily loaded (a high reception rate) while
the other log receiver is not. How do I load balance the log reception
between the receivers?
Procedure
To load balance log reception:
- Select Security Director > Administration > Logging Management
> Logging Devices.
- Check the average log reception rate for each log receiver
node.
- Check the Device Configuration section to see the logs
based on the device. You can find the rate at which each device sends
its logs.
- Reconfigure the devices so that the load is balanced between
the two log receivers.
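Added example, not from the original FAQ: given the per-device average log rates read from Logging Devices, a greedy longest-first assignment computes which devices to point at which receiver so the two loads come out close to even. The device names, rates and receiver names are constructed for a 10K eps setup.

```python
# Constructed per-device average log rates in events per second (eps),
# as read from Administration > Logging Management > Logging Devices.
# Names and numbers are made up; they sum to the FAQ's 10K eps.
DEVICE_RATES = {
    "srx-branch-01": 3200, "srx-branch-02": 2100, "srx-dc-01": 1800,
    "srx-dc-02": 1500, "srx-edge-01": 900, "srx-edge-02": 500,
}
RECEIVERS = ["log-receiver-1", "log-receiver-2"]   # placeholder names

# Constructed starting state: every device sends to the first receiver,
# which is the "heavily loaded" situation the question describes.
CURRENT_TARGETS = {device: "log-receiver-1" for device in DEVICE_RATES}

def balance_devices(rates, receivers):
    """Greedy longest-processing-time assignment: take devices heaviest
    first and place each on the receiver with the lowest load so far.
    Returns (assignment, load) where load is the resulting eps per receiver."""
    load = {r: 0 for r in receivers}
    assignment = {}
    for device, eps in sorted(rates.items(), key=lambda kv: kv[1], reverse=True):
        target = min(receivers, key=lambda r: load[r])   # least loaded wins
        assignment[device] = target
        load[target] += eps
    return assignment, load

def imbalance(load):
    """Gap in eps between the busiest and the least busy receiver."""
    return max(load.values()) - min(load.values())

def moves_needed(current, proposed):
    """Devices whose syslog destination must be reconfigured to reach
    the proposed assignment, with their new receiver."""
    return {d: r for d, r in proposed.items() if current.get(d) != r}

if __name__ == "__main__":
    proposed, load = balance_devices(DEVICE_RATES, RECEIVERS)
    print("load per receiver:", load, "imbalance:", imbalance(load))
    for device, receiver in moves_needed(CURRENT_TARGETS, proposed).items():
        print(f"repoint {device} -> {receiver}")
```

Greedy placement is not always optimal, but for a handful of devices it lands within the rate of the smallest device of a perfect split, which is good enough to decide which devices to repoint.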
I am unable to find the problem with my logging infrastructure
and want to contact support. What information should I have handy?
You can use the diagnostics tool that scans through all of your
Log Collector nodes. The tool gathers log files, configuration settings,
and other health status information and then bundles all the information
in a zip file. You can run this tool and generate the dump file.
Procedure
To run the diagnostics tool:
- Log in to the Log Indexer node (or All-in-One node) using
root credentials.
- Run the healthcheckOSLC script. The initial
screening confirmation window appears.
- Enter Yes to gather more information. A high-level
summary report appears.
- Press Enter to generate the detailed report.
The detailed dump file and the syslog-capture.pcap packet capture are
written to /opt/system-diagnostics/out/<Date-Time>.
I am unable to view devices under Logging Devices after configuring
devices to send logs to Log Collector.
It will take an hour for devices that are configured to send
logs to Log Collector to be displayed under Logging Devices.
I am an existing Spotlight Secure customer, do I need to purchase
additional licenses to use Policy Enforcer within Security Director?
No, the existing Spotlight Secure license (SPOT-CC) entitles
you to use Policy Enforcer. There is no need to re-issue or transfer
any licenses. You must, however, make sure you are using a supported
version of Security Director. In addition, the SPOT-CC license gives
you access to Command and Control (C & C) feeds, GeoIP feeds,
and custom feeds.
What hypervisor does Policy Enforcer support?
Policy Enforcer supports only the VMware ESXi hypervisor.
If I want to manage Sky ATP with Security Director, do I have
to install the Policy Enforcer virtual machine?
Yes. Policy Enforcer itself is installed on a virtual machine
and uses RESTful APIs to communicate with both Security Director and
Sky ATP.