Security Score job logs not collected in Support Bundle in certain cases
Article ID: 439595
Updated On:
Products
Issue/Introduction
In certain cases, the Security Score job logs may be missing from a collected Support Bundle. This occurs in large workload environments where log files exceed Fluentd's internal buffer size, causing score-job and report-job logs to be silently excluded from the bundle even though the pods ran successfully.
Additionally, this behavior is inconsistent: in some environments the Support Bundle collection using a 3-day window does include the score-job logs, while in others — including a confirmed customer case — these logs are absent. Regardless of whether the bundle includes these logs, it is important to be able to collect them manually whenever the Segmentation Security Score has been calculated.
Symptom
After generating a Support Bundle from an SSP environment where the Segmentation Security Score has been calculated, the following logs may be absent from the bundle:
- score-job pod logs
- report-job pod logs
At the same time, when inspecting the cluster with kubectl, the score-job pod is visible and shows a Completed status — confirming the job did run and logs should exist:
$ kubectl get pods -A | grep score-job nsxi-platform score-job-007bd747-2dfc-11f1-af12-52e7b4ddacc5-xxxxx 0/1 Completed 0 5d11h 172.21.xx.xxx n1ssp-md-0-worker-r5v8b-xxxxx <none> <none> |
Environment
- SSP5.0.0
- SSP5.1.0
- SSP5.1.1
Cause
The root cause is a buffer size limitation in the Fluentd log aggregation pipeline used during Support Bundle collection:
|
Resolution
How to Check if Score-Job Log Is Missing from the Support Bundle
Use the steps below to confirm whether the score-job log was excluded from a collected Support Bundle.
Step 1 — Extract the Support Bundle
Extract the Support Bundle archive on a machine where you have access to the files:
# Extract the tar.gz bundle tar -xzf <support-bundle-filename>.tar.gz # Example: tar -xzf xxxxxi-xxxxxxx_ssp_3d988cb0-7cfc-4f72-b224-fac2c8c87259_20260406_171209.tar.gz |
Step 2 — Search for Score-Job Log Files
After extracting, search for any file whose name contains score-job:
# Search recursively from the extracted bundle root find . -name '*score-job*' -type f # Or search specifically in the log directories find . -path '*/logs/*score-job*' |
If the command returns no results, the score-job log is missing from the Support Bundle and must be collected manually.
How to Manually Collect Score-Job Logs
If the score-job logs are missing from the Support Bundle, collect them directly from the cluster using kubectl. The pod may be in Completed state but its logs are still accessible as long as the pod has not been garbage-collected.
Step 1 — Identify the Score-Job Pod Name
# List all score-job pods across all namespaces k get pods -A | grep score-job # Or scope to the nsxi-platform namespace directly k get pods -n nsxi-platform | grep score-job |
Example output:
NAMESPACE NAME READY STATUS RESTARTS AGE nsxi-platform score-job-007bd747-2dfc-11f1-af12-52e7b4ddacc5-xxxxx 0/1 Completed 0 5d11h |
Note the full pod name — you will need it in the next steps.
Step 2 — Identify the Container Name
A pod may have one or more containers. Retrieve the container names using kubectl describe:
k describe pod score-job-007bd747-2dfc-11f1-af12-52e7b4ddacc5-5pxvb \ -n nsxi-platform |
Look for the Containers section in the output. Example:
Containers: score-job: Container ID: containerd://... Image: ... State: Terminated Reason: Completed Exit Code: 0 |
In this example, the container name is score-job. Use this value in the commands below.
Note: score-job has only one container but describe cli is the one of the best way to find out the containers.
Step 3 — Collect the Logs
Use kubectl logs to retrieve the logs. It is strongly recommended to redirect the output to a file so the logs can be attached to a support case or shared with Engineering.
Basic syntax:
k logs <pod-name> \ -n <namespace> \ -c <container-name> |
Full example with output redirected to a file:
k logs score-job-007bd747-2dfc-11f1-af12-52e7b4ddacc5-5pxvb \ -n nsxi-platform \ -c score-job \ > score-job-007bd747-2dfc-11f1-af12-52e7b4ddacc5-5pxvb.log |
This saves the output as a .log file in your current directory. Verify the file was written correctly:
# Check the file was created and has content ls -lh score-job-007bd747-2dfc-11f1-af12-52e7b4ddacc5-5pxvb.log # Preview the first and last lines head -20 score-job-007bd747-2dfc-11f1-af12-52e7b4ddacc5-5pxvb.log tail -20 score-job-007bd747-2dfc-11f1-af12-52e7b4ddacc5-5pxvb.log |
Step 4 — Collect Previous (Restarted) Logs if Needed
If the pod has restarted and you need the logs from a previous run, add the --previous flag:
k logs score-job-007bd747-2dfc-11f1-af12-52e7b4ddacc5-5pxvb \ -n nsxi-platform \ -c score-job \ --previous \ > score-job-previous-run.log |
Step 5 — Collect Logs for All Score-Job Pods (Bulk Collection)
If multiple score-job pods exist and you want to collect logs for all of them in one operation, use the following shell loop:
# Collect logs for every score-job pod in nsxi-platform for pod in $(k get pods -n nsxi-platform --no-headers | grep score-job | awk '{print $1}'); do echo "Collecting logs for pod: $pod" kubectl logs $pod -n nsxi-platform -c score-job > ${pod}.log 2>&1 echo " Saved to ${pod}.log" done |
After the loop completes, verify all log files were created:
ls -lh score-job-*.log |
Feedback
