Swamped with Syslog logging...


L4 Transporter

Our PAN is in an L3 config, and our syslog server is in a virtual-wire zone.

Basically, if I look at monitor/traffic or monitor/session browser, I'm simply swamped with syslog messages as everything is being syslogged once as the PAN management NIC goes from trust (LAN) to untrust, then again as it goes through the vwire-untrust to the vwire-dmz.

Is there any way to reduce this at all please?

Thanks in advance.

1 ACCEPTED SOLUTION


L4 Transporter

Hi There,

Perhaps you could create a specific rule for the traffic that is being double counted in the VWire and set the option to not log (or not send to syslog - whichever you prefer).

Thanks

James


7 REPLIES


Thanks James, that's what I've done in the interim, I didn't know if there was a "smarter" way of tackling it was all?

We don't really need real-time logging, we just want some off box logging, and my limited experience of the FTP export found it a bit hit and miss as you have to look in several places to marry up all the data.

I have to say as an aside, this thing rocks, I setup a vwire today and it's saved me having to totally re-IP (is that a word?!) our websites and services on our DMZ hosts to be able to do application recognition and decryption and IPS.

This would be the only option - as we must log (as a security device) everything we see and where we see it.  Unless the administrator configures the PA Appliance not to.

You are right that FTP export does not correlate the data for you - the two items to look at when cross-referencing logs are the time and session ID.  Session IDs do wrap, but within a time frame they are unique - Session ID is a "tag" PAN-OS puts on the logs for this purpose (and other purposes).

Good to hear the DMZ insertion worked well for - VWire is very handy.  Also nice you can mix and match deployment modes in one box.

Thanks

James
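The two practical points in this thread, spotting the syslog flows that are being logged twice (once L3 trust to untrust, once across the vwire) so they can be covered by a no-log rule, and cross-referencing exported logs by session ID and time while allowing for session ID wrap, can both be checked with a short script over an exported traffic log. The code below is an added example, not something from the original thread or from Palo Alto Networks; the CSV column names and sample rows are constructed for illustration and do not claim to match the real PAN-OS export layout, so map the columns to your own export before using it.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export in a simplified layout (column names are assumptions,
# not the real PAN-OS CSV header). Rows 1-4 show the same syslog flow logged twice
# per second: once trust->untrust, once vwire-untrust->vwire-dmz. The last row
# reuses session ID 4101 five minutes later for an unrelated flow (ID wrap).
SAMPLE_LOG = """receive_time,session_id,from_zone,to_zone,src,dst,dport,app
2010/11/05 18:40:01,4101,trust,untrust,10.0.0.5,192.0.2.10,514,syslog
2010/11/05 18:40:01,4102,vwire-untrust,vwire-dmz,10.0.0.5,192.0.2.10,514,syslog
2010/11/05 18:40:02,4103,trust,untrust,10.0.0.5,192.0.2.10,514,syslog
2010/11/05 18:40:02,4104,vwire-untrust,vwire-dmz,10.0.0.5,192.0.2.10,514,syslog
2010/11/05 18:40:03,4105,trust,untrust,10.0.0.20,198.51.100.7,443,ssl
2010/11/05 18:45:00,4101,trust,untrust,10.0.0.21,198.51.100.9,80,web-browsing
"""

TIME_FMT = "%Y/%m/%d %H:%M:%S"


def parse_log(text):
    """Parse the CSV export into dicts, converting receive_time to datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["receive_time"] = datetime.strptime(row["receive_time"], TIME_FMT)
        rows.append(row)
    return rows


def flow_key(row):
    """Identify a flow by its endpoints and application, ignoring zones and session ID."""
    return (row["src"], row["dst"], row["dport"], row["app"])


def find_double_counted(rows, window_seconds=2):
    """Return {flow: [zone pairs]} for flows logged through more than one zone pair
    within window_seconds, i.e. candidates for a dedicated no-log rule."""
    by_flow = defaultdict(list)
    for r in rows:
        by_flow[flow_key(r)].append(r)
    result = {}
    for key, group in by_flow.items():
        group.sort(key=lambda r: r["receive_time"])
        zone_pairs = set()
        for i, a in enumerate(group):
            seen = {f"{a['from_zone']}->{a['to_zone']}"}
            for b in group[i + 1:]:
                if b["receive_time"] - a["receive_time"] > timedelta(seconds=window_seconds):
                    break
                seen.add(f"{b['from_zone']}->{b['to_zone']}")
            if len(seen) > 1:
                zone_pairs |= seen
        if zone_pairs:
            result[key] = sorted(zone_pairs)
    return result


def lookup_session(rows, session_id, around, tolerance_seconds=60):
    """Find log rows for a session ID near a given time (string in TIME_FMT).
    Restricting the match to a time window is what makes a wrapped/reused
    session ID unambiguous."""
    centre = datetime.strptime(around, TIME_FMT)
    lo = centre - timedelta(seconds=tolerance_seconds)
    hi = centre + timedelta(seconds=tolerance_seconds)
    return [r for r in rows
            if r["session_id"] == session_id and lo <= r["receive_time"] <= hi]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for flow, pairs in find_double_counted(entries).items():
        print("double counted:", flow, "via", pairs)
    for hit in lookup_session(entries, "4101", "2010/11/05 18:45:00"):
        print("session 4101 near 18:45:", hit["src"], "->", hit["dst"])
```

Running it on the constructed sample reports the syslog flow 10.0.0.5 to 192.0.2.10/514 as seen through both zone pairs, which is exactly the traffic the accepted answer suggests matching with a no-log security rule, and the session ID lookup near 18:45 returns only the later, unrelated flow despite the reused ID.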

Thanks James, and yes feeling quite peeved at not trying the vwire stuff sooner.

I'll go with the policy with no logging for now, if it becomes too much I can always look at running a syslog box on the LAN so the management NIC won't be traversing zones.

Aaah, OK - now I get you.

Try using the service route configuration under the Device tab - main setup screen.  You'll need to scroll down to see it.  You can then change the source of the syslog traffic to be an alternative L3 Interface - so you could plug another L3 interface into the DMZ and use it just for logging.

[Screenshot: Screen shot 2010-11-05 at 18.40.43.png]

Thanks

James

Ah I never spotted that!  Thank you.

Tbh right now it's not much better simply because even if I change the L3 interface it would have to cross zones to get to the syslog box on the vwire.

As it stands with the "no log" policy it looks like the logs are clear and the syslog stuff only shows up in the session browser, which of course it has to because it's active traffic.

You could put a dedicated L3 interface in the DMZ, which does nothing except send syslog - then it would not cross the VWire.  Or leave it as is :)

Thanks

James
