Junos Space Developer

Any other option if single Log Collector so fast full?

07-10-2018 01:14 AM

Hi all,

Since 3 months ago our log collector can only hold around 24 hours of logs. Currently we have just one single collector and one SD only. On our SRX we have around 7k security policies, all of which are logged (session init and close with AppTrack) and sent to the LC. So is there any other advice you can share with me?

test@srx5800> show configuration security log
mode stream;
inactive: event-rate 1000;
format sd-syslog;
source-address x.x.x.x;
stream TO-LOG-COLLECTOR {
    format sd-syslog;
    category all;
    host {
        x.x.x.x;
        port 514;
    }
}

Thanks
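As an added example that is not from anyone in this thread: with every policy logging session-init and session-close, the first thing worth knowing is which policies and event types actually fill the collector. The script below parses the sd-syslog session events that a config like the one above emits and tallies them per policy-name; the log lines are constructed for the example, not captured from the poster's SRX.

```python
import re
from collections import Counter

# Constructed sample of SRX sd-syslog lines of the kind the streaming config
# in the post emits; hostnames, addresses and policy names are made up.
SAMPLE_LOGS = """\
<14>1 2018-07-10T01:14:00Z srx5800 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.1.1.10" destination-address="10.2.2.20" destination-port="443" policy-name="ALLOW-WEB"]
<14>1 2018-07-10T01:14:01Z srx5800 RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address="10.1.1.10" policy-name="ALLOW-WEB" bytes-from-client="1200"]
<14>1 2018-07-10T01:14:02Z srx5800 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.1.1.10" policy-name="ALLOW-WEB" bytes-from-server="34000"]
<14>1 2018-07-10T01:14:03Z srx5800 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.1.1.11" destination-port="53" policy-name="ALLOW-DNS"]
<14>1 2018-07-10T01:14:03Z srx5800 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="idle Timeout" source-address="10.1.1.11" policy-name="ALLOW-DNS"]
<14>1 2018-07-10T01:14:04Z srx5800 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.1.1.12" destination-port="53" policy-name="ALLOW-DNS"]
<14>1 2018-07-10T01:14:04Z srx5800 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="idle Timeout" source-address="10.1.1.12" policy-name="ALLOW-DNS"]
<14>1 2018-07-10T01:14:05Z srx5800 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.129 source-address="10.1.1.13" destination-port="23" policy-name="DEFAULT-DENY"]
<12>1 2018-07-10T01:14:06Z srx5800 mgd - UI_COMMIT [junos@2636.1.1.1.2.129 username="test" message="commit complete"]
"""

# Session events carry the event name followed by one structured-data block.
EVENT_RE = re.compile(r"(?P<event>(?:RT_FLOW|APPTRACK)_SESSION_\w+)\s+\[(?P<sd>[^\]]*)\]")
PARAM_RE = re.compile(r'([\w-]+)="([^"]*)"')  # key="value" pairs inside the block

def parse_line(line):
    """Return (event_name, {param: value}) for a session log line, else None."""
    m = EVENT_RE.search(line)
    if not m:
        return None  # commits, IDP, etc. are not session logs; ignore them
    return m.group("event"), dict(PARAM_RE.findall(m.group("sd")))

def volume_by_policy(lines):
    """Count events per (policy-name, event type)."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            event, params = parsed
            counts[(params.get("policy-name", "<none>"), event)] += 1
    return counts

def top_policies(counts):
    """Policies ordered by total events, most talkative first."""
    per_policy = Counter()
    for (policy, _event), n in counts.items():
        per_policy[policy] += n
    return per_policy.most_common()

def init_share(counts):
    """Share of events that are session-init logs; session-close alone still records the session."""
    total = sum(counts.values())
    init = sum(n for (_p, ev), n in counts.items() if ev.endswith("_SESSION_CREATE"))
    return init / total if total else 0.0
```

Run over a day of collector output, `top_policies` shows where to trim logging and `init_share` shows how much dropping session-init alone would save.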


Re: Any other option if single Log Collector so fast full?

07-26-2018 09:35 PM

You can have multiple collectors or deploy JSA (Juniper Secure Analytics) in the network.

-PL

Re: Any other option if single Log Collector so fast full?

07-27-2018 12:04 AM

https://www.juniper.net/documentation/en_US/junos-space16.1/topics/concept/junos-space-log-collector... You can plan to move to a distributed architecture for your log receiver.

HTH.

Re: Any other option if single Log Collector so fast full?

09-25-2018 10:25 AM

Hi,

I assume your hardware does not have enough resources to resize the hard drive and keep the logs, or to deploy a distributed architecture (you can find several posts on both of these options). If this is the case, you can use a backup server on another machine to receive the logs that are automatically rolled over by JSD.

The script that performs disk rollover (called diskRollCheck_Integrated) calls another script (backupESIndices.sh), which performs the backup task if one is scheduled.

Once you have set up your backup server, set it in the elasticRemoteBackupConfig.cfg file, which you can modify by running the logBackupConfig.sh script (in the /opt/jnpr/bin directory), and configure the backup parameters.

I hope this helps,

Narkissus
