Viewing Log Files
Once Trisul is running and processing traffic, logs become the primary way to understand what the system is doing internally.
You’ll typically come here when:
- A component doesn’t start as expected
- Traffic is not being processed even though inputs are configured
- You need to audit user actions or integrate logs with a SIEM
- You want to verify normal operation during setup or maintenance
This page helps you identify which log to check, where it lives, and how to view it efficiently.
What You'll Find Here
This page covers:
- The different types of logs generated by Trisul
- Where each log type is stored on disk
- Practical ways to view logs locally during troubleshooting
It does not explain how to interpret every log line, but it tells you where to look first depending on what you’re trying to verify.
Log File Types
Trisul generates logs at different layers of the system. Each serves a distinct purpose.
Application Logs: Core Hub and Probe process logs.
Web Server Logs: Logs from the WebTrisul UI.
Audit Logs: User activity and administrative actions.
Domain Process Logs: Logs from internal domain processes that coordinate distributed nodes.
Log File Locations
Log locations follow a consistent directory structure. Paths include identifiers such as domain, hub, probe, and context, which vary depending on your deployment.
Application logs
Probe
These logs reflect packet and flow processing activity on the probe.
| Type | What it is | Default location | Files |
|---|---|---|---|
| Application | trisul-probe main process | /usr/local/var/log/trisul-probe/domain0/probe0/context0 (replace the domain, probe, and context with the actual values if you have created your own contexts) | ns-.log – trisul probe logs; xLuaX.log – redirected print() statements from Lua script instances |
Hub
These logs relate to data ingestion, storage, and querying.
| Type | What it is | Default location | Files |
|---|---|---|---|
| Application | trisul-hub Flush process | /usr/local/var/log/trisul-hub/domain0/hub0/context0 (replace the domain, hub, and context with the actual values) | fs-.log – trisul_flushd database writer logs; qs_.log – trisul_trpd TRP database query logs |
Web Server logs
These logs capture WebTrisul UI activity and errors.
| Type | What it is | Default location | Files |
|---|---|---|---|
| Web | Web Trisul webserver logs | /usr/local/var/log/trisul-hub/webtrisul | production.log – the main webserver log |
Audit logs
Audit logs track who did what, when, and from where in the Web UI.
Purpose
Audit logs record:
- User logins
- Start and stop actions
- Context changes
- User and permission modifications
These logs are commonly exported to SIEM platforms for compliance and monitoring.
Location
Filename: audit.log
Directory: /usr/local/var/log/trisul-hub/webtrisul
To quickly navigate to this directory:
source /usr/local/share/trisul-hub/trisbashrc
cd.wl
Audit Log Format
Each entry follows this structure:
<TIMESTAMP> <SEVERITY> <IPADDRESS1> <IPADDRESS2> <USERNAME> <CONTEXTNAME> - <MESSAGE>
Example:
19-09-2024 18:39:14 INFO 192.168.1.20 127.0.0.1 user default - User successfully logged in
| Name | Sample Value | Description |
|---|---|---|
| Time Stamp | 19-09-2024 18:39:14 | The timestamp of the logged event. |
| Severity Level | INFO | Event severity classification (e.g., INFO, WARNING, ERROR). |
| HTTP Real IP | 192.168.1.20 | Original IP address of the client, retrieved from the HTTP header. |
| Request IP | 127.0.0.1 | IP address of the proxy server that received the client's request. |
| Username | user | User who triggered the event. |
| Context Name | default | Context in which the event occurred. |
| Log Message | User successfully logged in | A descriptive message on the logged activity. |
HTTP Real IP allows you to get the true client IP rather than the IP of the proxy. If the application is behind a proxy and the X-Forwarded-For header is present, Request IP will typically return the IP of the proxy server instead of the client.
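An added example (not Trisul's own code) that parses entries in the layout above into JSON lines for SIEM ingestion and flags entries where the two IP fields differ. It assumes usernames and context names contain no spaces and that the timestamp is day-month-year; the function names and every sample line other than the page's own example are constructed.

```python
import json
import re
from datetime import datetime

# Layout from the page:
# <TIMESTAMP> <SEVERITY> <IPADDRESS1> <IPADDRESS2> <USERNAME> <CONTEXTNAME> - <MESSAGE>
AUDIT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<severity>\S+) (?P<real_ip>\S+) (?P<request_ip>\S+) "
    r"(?P<username>\S+) (?P<context>\S+) - (?P<message>.*)$"
)

# First line is the page's example; the rest are constructed for this example.
SAMPLE_LINES = [
    "19-09-2024 18:39:14 INFO 192.168.1.20 127.0.0.1 user default - User successfully logged in",
    "19-09-2024 18:41:02 INFO 10.0.0.5 10.0.0.5 admin default - constructed sample message",
    "not an audit entry",
]

def parse_audit_line(line):
    """Parse one audit.log entry into a dict; return None if it does not match."""
    m = AUDIT_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    event = m.groupdict()
    try:
        # Assumption: day-month-year order and no time zone, as in the page's sample.
        event["ts"] = datetime.strptime(event["ts"], "%d-%m-%Y %H:%M:%S").isoformat()
    except ValueError:
        return None
    # Keep both IPs: the header-derived one is only as reliable as the proxy that sets it.
    event["via_proxy"] = event["real_ip"] != event["request_ip"]
    return event

def to_json_lines(lines):
    """Return (JSON strings for parsed entries, raw lines that failed to parse)."""
    events, rejected = [], []
    for line in lines:
        event = parse_audit_line(line)
        if event is None:
            rejected.append(line)  # surface these instead of dropping them silently
        else:
            events.append(json.dumps(event, sort_keys=True))
    return events, rejected

if __name__ == "__main__":
    parsed, bad = to_json_lines(SAMPLE_LINES)
    print("\n".join(parsed))
    print(f"{len(bad)} line(s) did not match the audit format")
```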
Domain process logs
Domain processes coordinate internal components and distributed nodes.
| Type | What it is | Default location | Files |
|---|---|---|---|
| Domain | Domain processes that co-ordinate nodes | /usr/local/var/log/trisul-probe/domain0/probe0 (replace with probe ID; each probe has its own domain processes because they are independent entities even if on the same machine) | cp-XX.log – probe logs |
| Domain | Domain processes that co-ordinate nodes | /usr/local/var/log/trisul-hub/domain0/hub0 | cp-XX.log – hub logs |
Each probe and hub maintains its own domain processes, even when running on the same machine.
Viewing Logs Locally
The most common troubleshooting workflow involves tailing logs in real time.
Trisul provides shell aliases via trisbashrc to make this easier.
# as root
source /usr/local/share/trisul-probe/trisbashrc
tailf.ns
Useful aliases:
- Use tailf.ns alias to tail probe logs
- Use cd.l to change directory to the log directory
Hub
Available aliases include:
- Use tailf.fs to tail database flusher logs
- Use tailf.qs to tail database query logs
- Use cd.l to change directory to the log directory
- Use tailf.ws to tail webtrisul logs
- Use cd.wl to change directory to webtrisul log directory
See the trisbashrc reference for the full list of aliases.