HPE Community
Operating System - HP-UX
1752301 Members
5157 Online
108786 Solutions
New Discussion юеВ

Re: Pix Firewall logs to syslog - missing some logs

 
SOLVED
Go to solution
AnishTS2005
Occasional Advisor

тАО12-11-2012 12:09 AM - edited тАО12-11-2012 12:14 AM

тАО12-11-2012 12:09 AM - edited тАО12-11-2012 12:14 AM

Pix Firewall logs to syslog - missing some logs

Hi All,

 

In our environment firewall logs are configured to update in syslog.

 

 

Firewall side configuration.

 

config

logging enable

logging timestamp

logging buffered errors

logging trap informational

logging history errors

logging host inside x.x.x.x

 

 

Syslog logging: enabled

    Facility: 20

 

syslog conf

 

local4.info     /logs/pix/xyz.log

 

*.info;local3.none;local4.none;local5.none;local6.none;local7.none;mail.none    /var/adm/syslog/syslog.log
*.alert;local3.none;local4.none;local5.none;local6.none;local7.none     /dev/console
*.alert;local3.none;local4.none;local5.none;local6.none;local7.none     root
*.emerg;local3.none;local4.none;local5.none;local6.none;local7.none     *

 

But now the issue is,

 

for a particluar time,  say one minute,

 

if we log it to server1, it logs around 200 messages in server1 /logs/pix/xyz.log.

but if we log it to server2 it logs around 2000 messages in server2 /logs/pix/xyz.log.

 

What can be the issue.

 

Warm Regards,

Anish

0 Kudos
Reply
3 REPLIES 3
Matti_Kurkela
Honored Contributor

тАО12-11-2012 04:27 AM

тАО12-11-2012 04:27 AM

Re: Pix Firewall logs to syslog - missing some logs

If the network between the firewall and server1 has a lot of other traffic, some of the log messages may be dropped in transit. The syslog protocol is very basic and does not have any protections against lost messages.

MK
0 Kudos
Reply
AnishTS2005
Occasional Advisor

тАО12-11-2012 09:43 PM

тАО12-11-2012 09:43 PM

Re: Pix Firewall logs to syslog - missing some logs

Hi MK,

Thank you. Let me check it out .

Warm Regards,
Anish T S
0 Kudos
Reply
AnishTS2005
Occasional Advisor

тАО01-10-2013 03:15 AM

тАО01-10-2013 03:15 AM

Solution

iRe: Pix Firewall logs to syslog - missing some logs

Hi MK & All,

 

Issue is resolved. It has taken long time to trouble shoot. Used tusc to identify the root cause. In resolv.conf entry 127.0.0.1 was there.

 

while addding data to syslog syslogd is doing dns lookups to localhost where no dns server was setup. So syslog is waiting for around 5 seconds to time out dns query. During this time lot of logs will  discarded.  Since its syslog protocol as you said it will not be regenerated. So we commented out the 127.0.0.1 in resolv.conf and now everything is fine.

 

Warm Regards,

Anish T S

 

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.