topic Swamped with Syslog logging... in General Topics

Swamped with Syslog logging...

networkadmin — Fri, 05 Nov 2010 17:54:00 GMT

Our PAN is in an L3 config, and our syslog server is in a virtual-wire zone.

Basically, if I look at monitor/traffic or monitor/session browser, I'm simply swamped with syslog messages as everything is being syslogged once as the PAN management NIC goes from trust (LAN) to untrust, then again as it goes through the vwire-untrust to the vwire-dmz.

Is there any way to reduce this at all please?

Thanks in advance.

Re: Swamped with Syslog logging...

James — Fri, 05 Nov 2010 18:09:49 GMT

Hi There,

Perhaps youcould create a specific rule for the traffic that is being double counted in the VWire and set the option to not log (or not send to syslog - which ever you prefer).

Thanks

James

Re: Swamped with Syslog logging...

networkadmin — Fri, 05 Nov 2010 18:17:14 GMT

Thanks James, that's what I've done in the interim, I didn't know if there was a "smarter" way of tackling it was all?

We don't really need real-time logging, we just want some off box logging, and my limited experience of the FTP export found it a bit hit and miss as you have to look in several places to marry up all the data.

I have to say as an aside, this thing rocks, I setup a vwire today and it's saved me having to totally re-IP (is that a word?!) our websites and services on our DMZ hosts to be able to do application recognition and decryption and IPS.

Re: Swamped with Syslog logging...

James — Fri, 05 Nov 2010 18:31:49 GMT

This would be the only option - as we must log (as a security device) everything we see and where we see it. Unless the administrator configures the PA Appliance not to.

You are right that FTP export does not correllate the data for you - the two items to look at when cross referencing logs is the time and session ID. Session ID's do wrap, but within a time frame they are unique - Session ID is a "tag" PANOS puts on the logs for this purpose (and other purposes).

Good to hear the DMZ insertion worked well for - VWire is very handy. Also nice you can mix and match deployment modes in one box.

Thanks

James

Re: Swamped with Syslog logging...

networkadmin — Fri, 05 Nov 2010 18:38:03 GMT

Thanks James, and yes feeling quite peeved at not trying the vwire stuff sooner.

I'll go with the policy with no logging for now, if it becomes too much I can always look at running a syslog box on the LAN so the management NIC won't be traversing zones.

Re: Swamped with Syslog logging...

James — Fri, 05 Nov 2010 18:45:13 GMT

Aaah, OK - now I get you.

Try using the service route configuration under the Device tab - main setup screen. You'll need to scroll down to see it. You can then change the source of the syslog traffic to be an alternative L3 Interface - so you could plug another L3 interface into the DMZ and use it just for logging.

Thanks

James

Re: Swamped with Syslog logging...

networkadmin — Fri, 05 Nov 2010 18:48:56 GMT

Ah I never spotted that! Thank you.

Tbh right now it's not much better simply because even if I change the L3 interface it would have to cross zones to get to the syslog box on the vwire.

As it stands with the "no log" policy it looks like the logs are clear and the syslog stuff only shows up in the session browser, which of course it has to because it's active traffic.

Re: Swamped with Syslog logging...

James — Fri, 05 Nov 2010 18:52:06 GMT

You could put a dedicated L3 interface in the DMZ, which does nothing except send syslog - then it would not cross the VWire. Or leave it as is

Thanks

James