Pix Firewall logs to syslog - missing some logs

SOLVED
Occasional Advisor

Hi All,

In our environment firewall logs are configured to update in syslog.

Firewall side configuration:

logging enable
logging timestamp
logging buffered errors
logging trap informational
logging history errors
logging host inside x.x.x.x

Syslog logging: enabled
    Facility: 20

syslog conf:

local4.info     /logs/pix/xyz.log

*.info;local3.none;local4.none;local5.none;local6.none;local7.none;mail.none    /var/adm/syslog/syslog.log
*.alert;local3.none;local4.none;local5.none;local6.none;local7.none     /dev/console
*.alert;local3.none;local4.none;local5.none;local6.none;local7.none     root
*.emerg;local3.none;local4.none;local5.none;local6.none;local7.none     *

But now the issue is, for a particular time, say one minute, if we log it to server1, it logs around 200 messages in server1 /logs/pix/xyz.log, but if we log it to server2 it logs around 2000 messages in server2 /logs/pix/xyz.log.

What can be the issue?

Warm Regards,

Anish
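To see how the two configurations quoted above fit together, here is an added example (not code from the thread): it decodes the <PRI> header the PIX puts on each datagram (facility 20 maps to local4, so an informational message carries PRI 166) and then applies the syslog.conf selector lines the way classic BSD/HP-UX syslogd does. The sample message and the tab-separated copy of the syslog.conf are constructed for the example; the PIX `logging trap` level names are the standard ones.

```python
"""Trace a PIX syslog message through a BSD-style syslog.conf.

Added example for this thread, not code from the original post. It decodes the
<PRI> header the firewall puts on each UDP datagram (facility*8 + severity),
then applies syslog.conf selector lines the way classic syslogd does:
'facility.priority' matches that priority and everything more severe,
'none' excludes a facility, and later selectors on a line override earlier ones.
"""
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SEVERITY_INDEX = {name: i for i, name in enumerate(SEVERITIES)}
# syslog.conf spellings that mean the same severity
PRIORITY_ALIASES = {"error": "err", "warn": "warning", "panic": "emerg"}

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})  # 16..23 = local0..local7

# PIX 'logging trap <level>' names -> numeric severity (same scale as syslog)
PIX_LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3, "warnings": 4,
              "notifications": 5, "informational": 6, "debugging": 7}


def decode_pri(pri):
    """Split a PRI value into (facility name, severity name)."""
    return FACILITIES.get(pri // 8, f"facility{pri // 8}"), SEVERITIES[pri % 8]


def pri_of_message(raw):
    """Return the integer PRI from a raw '<PRI>...' syslog line."""
    m = re.match(r"<(\d{1,3})>", raw)
    if not m:
        raise ValueError("no <PRI> header: %r" % raw[:40])
    return int(m.group(1))


def pix_forwards(trap_level, message_severity):
    """True if 'logging trap <trap_level>' lets a message of this severity leave the PIX."""
    return message_severity <= PIX_LEVELS[trap_level]


def parse_syslog_conf(text):
    """Return [(selector string, action)] for each non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        selectors, action = re.split(r"\s+", line, maxsplit=1)
        rules.append((selectors, action))
    return rules


def selector_matches(selectors, facility, severity):
    """Evaluate one line's selector list for a (facility, severity) message."""
    decision = None
    for sel in selectors.split(";"):
        facs, _, pri = sel.rpartition(".")
        pri = PRIORITY_ALIASES.get(pri, pri)
        for fac in facs.split(","):
            if fac not in ("*", facility):
                continue
            if pri == "none":
                decision = False
            elif pri == "*":
                decision = True
            else:
                # 'info' means info and everything more severe (lower number)
                decision = SEVERITY_INDEX[severity] <= SEVERITY_INDEX[pri]
    return bool(decision)


def route(rules, facility, severity):
    """List every action (file, console, user, '*') the message is written to."""
    return [action for selectors, action in rules
            if selector_matches(selectors, facility, severity)]


# The server-side configuration quoted in the question (tab before each action).
SYSLOG_CONF = """\
local4.info\t/logs/pix/xyz.log
*.info;local3.none;local4.none;local5.none;local6.none;local7.none;mail.none\t/var/adm/syslog/syslog.log
*.alert;local3.none;local4.none;local5.none;local6.none;local7.none\t/dev/console
*.alert;local3.none;local4.none;local5.none;local6.none;local7.none\troot
*.emerg;local3.none;local4.none;local5.none;local6.none;local7.none\t*
"""

# Constructed datagram: facility 20 (local4) * 8 + informational (6) = PRI 166.
SAMPLE_MESSAGE = "<166>Jan 01 00:00:00: %PIX-6-NNNNNN: constructed sample message"


def trace(raw=SAMPLE_MESSAGE, conf=SYSLOG_CONF):
    """Decode one message and report where this syslog.conf files it."""
    facility, severity = decode_pri(pri_of_message(raw))
    return facility, severity, route(parse_syslog_conf(conf), facility, severity)


if __name__ == "__main__":
    print(trace())                            # ('local4', 'info', ['/logs/pix/xyz.log'])
    print(route(parse_syslog_conf(SYSLOG_CONF), "local4", "debug"))  # [] below local4.info
```

Two things the trace makes visible: the `local4.none` entries keep PIX traffic out of the general syslog.log and consoles, so /logs/pix/xyz.log is the only place those messages land, and anything the firewall sends at debug level (if `logging trap` were raised to debugging) would be silently dropped on the server because nothing matches `local4.debug`.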

1 ACCEPTED SOLUTIONS
Occasional Advisor

Re: Pix Firewall logs to syslog - missing some logs

Hi MK & All,

Issue is resolved. It has taken a long time to troubleshoot. Used tusc to identify the root cause. In resolv.conf the entry 127.0.0.1 was there.

While adding data to syslog, syslogd is doing DNS lookups to localhost, where no DNS server was set up. So syslog is waiting for around 5 seconds for the DNS query to time out. During this time lots of logs will be discarded. Since it's the syslog protocol, as you said, they will not be regenerated. So we commented out the 127.0.0.1 in resolv.conf and now everything is fine.

Warm Regards,

Anish T S
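The root cause in the accepted solution is a resolver configuration problem, not a syslog one: a nameserver entry that never answers turns every sender-address lookup into a multi-second stall, and UDP datagrams arriving during the stall are lost. The check below is an added example (not the poster's tooling) that audits resolv.conf text for nameservers with nothing listening behind them and estimates the per-lookup stall. It assumes glibc-style `nameserver` and `options timeout:N attempts:N` directives with defaults of 5 seconds and 2 attempts (HP-UX resolver tunables may differ); the list of addresses that actually have a DNS listener is passed in, so the check runs offline against a constructed sample.

```python
"""Audit resolv.conf for nameserver entries that stall blocking lookups.

Added example for this thread, not the poster's own tooling. A daemon such as
syslogd that resolves the source address of each datagram blocks on the
resolver; a nameserver that never answers (e.g. 127.0.0.1 with no local DNS
service) makes each lookup wait for the resolver timeout.
"""
import ipaddress

# glibc resolver defaults (assumed here; HP-UX tunables may differ).
DEFAULT_TIMEOUT_S = 5
DEFAULT_ATTEMPTS = 2


def parse_resolv_conf(text):
    """Return (nameserver list, options dict) from resolv.conf text."""
    nameservers = []
    options = {"timeout": DEFAULT_TIMEOUT_S, "attempts": DEFAULT_ATTEMPTS}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # '#' and ';' start comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) > 1:
            nameservers.append(parts[1])
        elif parts[0] == "options":
            for opt in parts[1:]:
                key, _, value = opt.partition(":")
                if key in options and value.isdigit():
                    options[key] = int(value)
    return nameservers, options


def audit_nameservers(text, dns_listeners):
    """Flag nameservers that cannot answer and estimate the stall per lookup.

    dns_listeners: set of addresses with a DNS service listening (taken from
    'netstat -an' or equivalent on the host; supplied so the check is offline).
    Returns (findings, stall_seconds) where stall_seconds is the wait before
    the resolver reaches the first responsive server on one attempt; retries
    ('attempts') multiply it.
    """
    nameservers, options = parse_resolv_conf(text)
    findings, dead_before_live, seen_live = [], 0, False
    for ns in nameservers:
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            findings.append((ns, "not an IP address"))
            continue
        if ns in dns_listeners:
            seen_live = True
            continue
        if not seen_live:
            dead_before_live += 1
        why = ("loopback address with no local DNS service" if addr.is_loopback
               else "no DNS service listening")
        findings.append((ns, why))
    return findings, dead_before_live * options["timeout"]


def comment_out_nameservers(text, addresses):
    """Return resolv.conf text with the given nameserver lines commented out
    (the remedy the poster applied)."""
    out = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) > 1 and parts[0] == "nameserver" and parts[1] in addresses:
            out.append("#" + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample resembling the configuration described in the thread.
RESOLV_CONF = """\
domain example.com
nameserver 127.0.0.1
"""

if __name__ == "__main__":
    # Constructed: nothing is listening on UDP/53 locally.
    print(audit_nameservers(RESOLV_CONF, set()))
    fixed = comment_out_nameservers(RESOLV_CONF, {"127.0.0.1"})
    print(audit_nameservers(fixed, set()))
```

Running it on the sample reports the loopback nameserver and a 5-second stall per lookup, which is the delay the poster measured with tusc; after the offending line is commented out the audit is clean. The same check is worth running on any host that receives UDP syslog, because the receiver has no way to ask the firewall to resend what it dropped while blocked.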

3 REPLIES
Honored Contributor

Re: Pix Firewall logs to syslog - missing some logs

If the network between the firewall and server1 has a lot of other traffic, some of the log messages may be dropped in transit. The syslog protocol is very basic and does not have any protections against lost messages.

MK
Occasional Advisor

Re: Pix Firewall logs to syslog - missing some logs

Hi MK,

Thank you. Let me check it out.

Warm Regards,
Anish T S