Non logging issue

Not applicable

Re: Non logging issue

Logging statistics
------------------------------ -----------
Log incoming rate:             195/sec
Log written rate:              195/sec
Corrupted packets:             0
Corrupted URL packets:         0
Logs discarded (queue full):   0
Traffic logs written:          336744
URL logs written:              0
Anti-virus logs written:       0
Spyware logs written:          0
Attack logs written:           0
Vulnerability logs written:    543
Fileext logs written:          0
URL cache age out count:       0
URL cache full count:          0
Traffic alarms dropped due to sysd write failures: 0
Traffic alarms dropped due to global rate limiting: 0
Traffic alarms dropped due to each source rate limiting: 0
Traffic alarms generated count:  0
Log Forward in queue count:    0
Log Forward count:             337287
Log Forward discarded (queue full) count: 0
Log Forward discarded (send error) count: 0

L4 Transporter

Re: Non logging issue

What is the output for show session id 1245412?

Not applicable

Re: Non logging issue

Session         1245412
        c2s flow:
                source:      SRC IP [ProdApp]
                dst:         DST IP
                proto:       6
                sport:       60373           dport:      8005
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown
        s2c flow:
                source:      DST IP [Deep Dark Woods]
                dst:         SRC IP
                proto:       6
                sport:       8005            dport:      60373
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown
        start time                    : Tue Jun 18 12:20:19 2013
        timeout                       : 5 sec
        total byte count(c2s)         : 0
        total byte count(s2c)         : 0
        layer7 packet count(c2s)      : 1
        layer7 packet count(s2c)      : 0
        vsys                          : vsys2
        application                   : incomplete
        rule                          : 146
        session to be logged at end   : False
        session in session ager       : False
        session synced from HA peer   : False
        layer7 processing             : enabled
        URL filtering enabled         : False
        session via syn-cookies       : False
        session terminated on host    : False
        session traverses tunnel      : False
        captive portal session        : False
        ingress interface             : ethernet1/4
        egress interface              : ethernet1/15
        session QoS rule              : N/A (class 4)

L4 Transporter

Re: Non logging issue

From the configure prompt, what is the output for show rulebase security rules 146 for log-start, log-end and log-setting?

Not applicable

Re: Non logging issue

  log-start yes;
  log-end no;
  log-setting brinkman-logging;

OK, I think I may have found what was biting me on this one. That 146 rule is a generic rule to allow that subnet to ping anywhere. I had the application as icmp, but the service was any instead of application-default. I just changed it to application-default and reloaded the rulebase. Now it shows up as being denied by the explicit deny rule. I'm still trying to understand why it wouldn't log when it saw the SYN, though.

L4 Transporter

Re: Non logging issue

  log-end no;

It was getting associated with a rule that would not report the end of the session.

Not applicable

Re: Non logging issue

Wouldn't the log-start yes cause it to log the SYN packet, though?

L6 Presenter

Re: Non logging issue

If there is a SYN and there is an allow rule for it, yes, you should see a log.

Try changing the ICMP rule; then you should see a log.

Not applicable

Re: Non logging issue

I changed the ICMP rule service to application-default, and now I get an allow log entry if I ping out and a deny by the explicit deny rule if I do something else. Before, though, the traffic would get caught by this rule, I'm assuming because the any service allowed all protocols, not just ICMP. But why wasn't it showing a log entry of some sort when it allowed it?

L4 Transporter

Re: Non logging issue

I can't give an authoritative answer as to why, but the log at start does not appear to be invoked until the session establishes. With log at end set to no, it would not have shown up as an incomplete either.

Was rule 146 created at the command line by any chance?
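An added triage helper, not code from this thread or from Palo Alto Networks, that encodes the checks the thread walked through in order: first confirm the "Logging statistics" counters show no drops and no gap between incoming and written rates (so the log pipeline itself is not the problem), then read the session and the rule's log-start/log-end settings to decide whether a traffic log was ever expected for it. The sample inputs are constructed, abridged copies of the outputs quoted above with the redacted SRC IP/DST IP replaced by documentation addresses; the mapping from session state to "start log written" follows the observation in the answer above (start logs only once the session establishes), which is an assumption from this thread, not vendor documentation.

```python
"""Triage helpers for the two PAN-OS outputs quoted in this thread.

Constructed sample input mirrors the thread's 'Logging statistics' and
'show session id' output; the IPs are RFC 5737 documentation addresses
standing in for the redacted SRC IP / DST IP. Field names are the ones
the thread shows; the rule dict mirrors the three settings it inspected.
"""
import re

# Constructed: abridged copy of the thread's logging statistics (no drops).
LOGGING_STATS = """\
Log incoming rate:             195/sec
Log written rate:              195/sec
Corrupted packets:             0
Logs discarded (queue full):   0
Traffic logs written:          336744
Log Forward discarded (queue full) count: 0
Log Forward discarded (send error) count: 0
"""

# Constructed: abridged copy of the thread's session, addresses substituted.
SESSION = """\
Session         1245412
        c2s flow:
                source:      198.51.100.5 [ProdApp]
                dst:         203.0.113.10
                proto:       6
                sport:       60373           dport:      8005
                state:       INIT            type:       FLOW
        start time                    : Tue Jun 18 12:20:19 2013
        timeout                       : 5 sec
        application                   : incomplete
        rule                          : 146
        session to be logged at end   : False
"""

# The three settings the thread found on rule 146 before the fix.
RULE_146_BEFORE = {"log-start": "yes", "log-end": "no", "log-setting": "brinkman-logging"}

# One 'key: value' pair; a pair ends at two or more spaces before the next
# key (e.g. 'sport: 60373     dport: 8005') or at end of line.
_PAIR = re.compile(r"([A-Za-z][^:]*?)\s*:\s*(\S.*?)(?=\s{2,}[A-Za-z]|$)")


def parse_kv(text):
    """Turn the CLI's 'key: value' lines into a dict (keys and values trimmed)."""
    out = {}
    for line in text.splitlines():
        for m in _PAIR.finditer(line.strip()):
            out[m.group(1).strip()] = m.group(2).strip()
    return out


def logging_pipeline_issues(stats):
    """Findings that point at the log pipeline itself: drops or a rate gap."""
    kv = parse_kv(stats)

    def num(key):
        # values look like '0', '336744' or '195/sec'; take the leading integer
        return int(re.match(r"\d+", kv.get(key, "0")).group())

    findings = []
    if num("Log incoming rate") != num("Log written rate"):
        findings.append("incoming and written log rates differ")
    for key in ("Corrupted packets", "Logs discarded (queue full)",
                "Log Forward discarded (queue full) count",
                "Log Forward discarded (send error) count"):
        if num(key) > 0:
            findings.append(f"{key} = {num(key)}")
    return findings


def expected_log(session, rule):
    """Decide whether a traffic log should exist for this session at all.

    Returns (expected, reasons). A start log needs log-start yes and a session
    that got past INIT (the thread's observation, assumed here); an end log
    needs log-end yes and the session flagged to be logged at end.
    """
    s = parse_kv(session)
    reasons = []
    start_log = rule.get("log-start") == "yes" and s.get("state") != "INIT"
    if rule.get("log-start") == "yes" and not start_log:
        reasons.append("log-start yes, but the session is still INIT, so no start log was written")
    end_log = rule.get("log-end") == "yes" and s.get("session to be logged at end") != "False"
    if not end_log:
        reasons.append("no end log: rule log-end is not yes, or the session is not marked "
                       "to be logged at end")
    if s.get("application") == "incomplete":
        reasons.append(f"application still 'incomplete' on rule {s.get('rule')}: the rule matched "
                       "before App-ID identified the traffic (service any), which is how a TCP SYN "
                       "landed on a rule meant for icmp")
    return (start_log or end_log), reasons


if __name__ == "__main__":
    print("pipeline findings:", logging_pipeline_issues(LOGGING_STATS) or "none")
    ok, why = expected_log(SESSION, RULE_146_BEFORE)
    print("log expected:", ok)
    for r in why:
        print(" -", r)
```

Run against the thread's own numbers the pipeline check comes back clean and the session check explains the missing entry with the three facts the thread arrived at: still INIT, log-end no, application incomplete. Re-running after a change to log-end yes, or after the service is set to application-default so the SYN hits the deny rule instead, shows which of the reasons each change removes.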
