I know that using stream mode means that dataplane (security) logs are sent to the syslog servers instead of logging locally. However, I noticed a steram mode "cache" setting (security/log section) that seems to be associated with writing log entries to the "audit log buffer". I'm guessing this is just a memory buffer that is overwritten as needed, but I'm not sure. Additionally, I'm wondering if there is a way to view the contents of this buffer? Ultimately, I was looking for a way to look at the security (traffic ) logs on the local firewall, even if it is only a few recent minutes worth.
OK, I haven't found any more information on the cache setting, but it looks like the new "report" security/log configuration setting added in 15.x-d100 allows you to store all of the dataplane logs on the local box while in stream mode. It also allows you to create reports and graphs in jweb using the data or access the data right from the CLI using show security log report in-detail all and similar commands. There are a lot of options for parsing/displaying the information in the CLI. If you want to be able to view dataplane (security) logs on the firewall while running in stream mode, this may be just what you are looking for.