Junos Space Developer

SD: suddenly no data for the Applications sections, Top applications by bandwidth and report for the same

‎10-05-2018 01:01 AM

Hello,

We've run into an issue with Security Director, but we have nowhere to get help from. I am not able to create a technical support ticket, as it tells me that the provided serial number is not valid.

All was good until some moment when we stopped receiving any data under the Monitor>Applications section. It shows data and graphs only for the last day, nothing more. There is also the same error on the Top Applications by Volume widget.

I see the APPTRACK_SESSION_ events under the Apptrack section.

The same goes for the Users section. There are top IPs for the last day, but nothing for anything smaller (like 15 mins, etc.).

Is there any way to debug and fix this?

This seems related:

https://forums.juniper.net/t5/Junos-Space-Developer/Junos-Space-Security-Director-no-user-data/td-p/...

3 REPLIES

Re: SD: suddenly no data for the Applications sections, Top applications by bandwidth and report for the same

‎10-05-2018 01:26 AM

Restarting the log collector (we use a standalone one) helps for a while, but then the same issue comes back.

Re: SD: suddenly no data for the Applications sections, Top applications by bandwidth and report for the same

‎10-09-2018 04:48 AM

Yeah, after some time it stops showing logs again. It seems like the elasticsearch process dies. When I log into the system, I see that the load average of the system is around 0 when there are no more app and user logs. If I restart the elasticsearch process, the load average goes back to "normal", like 2,5-3. Junos SD says that the logging node is not available for a while, and then everything works well again.

Re: SD: suddenly no data for the Applications sections, Top applications by bandwidth and report for the same

‎10-19-2018 08:59 AM

Hi,

After rebooting, verify how many EPS your collector is receiving. If that seems like too many, then look for logs that contain traffic such as "any", or try to recognize the type of traffic that is filling the logs.

Something similar happened to me with security events, and it was for a "deny any" rule that was receiving far too many logs per second. Since it was innocuous traffic, I proceeded to permit it, and the CPU and RAM usage on the VM returned to normal.

Narkissus
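
One way to do the check suggested in the last reply, as an added example that is not from the thread or from Juniper: measure events per second (EPS) from captured syslog and rank which event type and policy fill the logs. It assumes the firewalls send structured-data syslog carrying a `policy-name` field; the sample lines, host name and policy names are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines (assumed structured-data syslog layout, not real logs).
_T = ('<14>1 2018-10-19T08:59:{s}Z fw1 RT_FLOW - {e} '
      '[junos@2636 source-address="192.0.2.10" policy-name="{p}"]')
SAMPLE = "\n".join([
    _T.format(s="00.101", e="RT_FLOW_SESSION_DENY", p="deny-any"),
    _T.format(s="00.230", e="RT_FLOW_SESSION_DENY", p="deny-any"),
    _T.format(s="00.640", e="RT_FLOW_SESSION_DENY", p="deny-any"),
    _T.format(s="00.900", e="APPTRACK_SESSION_CLOSE", p="allow-web"),
    _T.format(s="01.050", e="RT_FLOW_SESSION_DENY", p="deny-any"),
    _T.format(s="01.400", e="RT_FLOW_SESSION_CREATE", p="allow-web"),
    "not a syslog line",  # malformed input must be skipped, not crash the count
])

# <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID [structured data]
LINE_RE = re.compile(r'^<\d+>1 (\S+) \S+ \S+ \S+ (\S+) \[(.*)\]')
POLICY_RE = re.compile(r'policy-name="([^"]*)"')

def parse(line):
    """Return (second, event, policy) for one line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    second = datetime.strptime(m.group(1)[:19], "%Y-%m-%dT%H:%M:%S")
    policy = POLICY_RE.search(m.group(3))
    return second, m.group(2), policy.group(1) if policy else "-"

def summarize(text, top_n=3):
    """Average and peak EPS, plus the noisiest (event, policy) pairs."""
    per_second, sources = Counter(), Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        second, event, policy = rec
        per_second[second] += 1
        sources[(event, policy)] += 1
    if not per_second:
        return {"total": 0, "avg_eps": 0.0, "peak_eps": 0, "top": []}
    span = (max(per_second) - min(per_second)).total_seconds() + 1
    total = sum(per_second.values())
    return {"total": total, "avg_eps": total / span,
            "peak_eps": max(per_second.values()), "top": sources.most_common(top_n)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run it over a capture taken shortly after the collector restart and compare the average and peak with what the node is sized for; a single (event, policy) pair dominating the top list points at the rule to review.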