Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

traceoptions (Security)

Syntax

Hierarchy Level

Trace options can be configured at either the [edit security] or the [edit services ipsec-vpn] hierarchy level, but not at both levels.

Description

CAUTION:

Enabling tracing can adversely impact scale and performance and may increase security risk. We strongly recommend using the trace, tracing, or traceoptions commands only under the guidance of a JTAC support engineer. After collecting the debug information, immediately disable tracing to minimize risk and restore normal system performance.

Configure security tracing options.

To specify more than one trace option, include multiple flag statements. Trace option output is recorded in the /var/log/kmd file.

Note:

The traceoptionsstatement is not supported on QFabric systems.

Options

  • file—Configure the trace file options.

    • filename—Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log. By default, the name of the file is the name of the process being traced.

    • files number—Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed to trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. The oldest archived file is overwritten.

      If you specify a maximum number of files, you also must specify a maximum file size with the size option and a filename.

      Range: 2 through 1000 files

      Default: 10 files

    • match regular-expression—Refine the output to include lines that contain the regular expression.

    • size maximum-file-size—Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes (GB). When a trace file named trace-file reaches this size, it is renamed trace-file.0. When the trace-file again reaches its maximum size, trace-file.0 is renamed trace-file.1 and trace-file is renamed trace-file.0. This renaming scheme continues until the maximum number of trace files is reached. Then the oldest trace file is overwritten.

      If you specify a maximum file size, you also must specify a maximum number of trace files with the files option and a filename.

      Syntax: x K to specify KB, x m to specify MB, or x g to specify GB

      Range: 10 KB through 1 GB

      Default: 128 KB

    • world-readable | no-world-readable—By default, log files can be accessed only by the user who configures the tracing operation. The world-readable option enables any user to read the file. To explicitly set the default behavior, use the no-world-readable option.

  • flag—Trace operation to perform. To specify more than one trace operation, include multiple flag statements.

    • all—Trace all security events.

    • certificates—Trace certificate events.

    • database—Trace database events.

    • general—Trace general events.

    • ike—Trace IKE module processing.

    • parse—Trace configuration processing.

    • policy-manager—Trace policy manager processing.

    • routing-socket—Trace routing socket messages.

    • timer—Trace internal timer events.

  • level level—(Optional) Set traceoptions level.

    • all—match all levels.

    • error—Match error conditions.

    • info—Match informational messages.

    • notice—Match conditions that should be handled specially.

    • verbose—Match verbose messages.

    • warning—Match warning messages.

  • no-remote-trace—Set remote tracing as disabled.

  • rate-limit messages-per-second—Limit the incoming rate of trace messages.

Required Privilege Level

trace—To view this in the configuration.

trace-control—To add this to the configuration.

Release Information

Statement modified in Junos OS Release 8.5.

Related Documentation