The sporadic syslog sender

L3 Networker

I recently added a new syslog destination at this new-to-me site and noticed something I hadn't seen before. That is that the sending of syslog data, according to PAN Monitoring, is sent sporadically and in big bursts. For example, when I added the new destination, not long after the PAN sent one GB of syslog to all the destinations and then one small 307-byte message. Now it's not sent anything in over an hour. The Log Forwarding profile appears to have a liberal syslog info forwarding setting, e.g. All Traffic, Filter All Logs. There's tons of traffic through the FW, so it should be pumping info all the time.

1 ACCEPTED SOLUTION

Accepted Solutions

Yes, on the sending firewall you don't see the syslog sessions in traffic log (as long as you do not have the mgmt interface connected to the firewall itself).

When you speak about big syslog sessions: you see them on another firewall, right? Do you log both start and end logs there? If you only log session end logs, did you check for how long the session was open (difference between start and end time of the session)? So maybe this high amount of syslog traffic was sent over a long timeframe.

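The check Remo suggests (compare a session's start time with the time its end record was received before reading a large byte count as a burst) as an added Python example. This is not code from the thread or from Palo Alto Networks; the record format, field names and the two sample records are constructed for the example, loosely modelled on the traffic log's start time, receive time and bytes columns.

```python
import re
from datetime import datetime

# Constructed sample session-end records (not real PAN-OS output). The first one
# mirrors the thread: ~1 GB logged at session end, but the session had been open
# for almost four hours. The second is a tiny, short-lived session.
SAMPLE_RECORDS = [
    "receive_time=2023/05/10 14:02:11 start=2023/05/10 10:05:47 "
    "src=10.1.1.20 dst=10.9.9.5 dport=514 app=syslog bytes=1073741824",
    "receive_time=2023/05/10 14:02:13 start=2023/05/10 14:02:11 "
    "src=10.1.1.20 dst=10.9.9.5 dport=514 app=syslog bytes=307",
]

TIME_FORMAT = "%Y/%m/%d %H:%M:%S"   # assumed timestamp layout of the sample records
LONG_SESSION_SECONDS = 3600          # threshold (assumption): an hour or more is "long-lived"

# key=value pairs; the lookahead lets values such as timestamps contain spaces
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_record(line):
    """Turn one key=value record into a dict of field name -> string value."""
    return {key: value for key, value in _FIELD_RE.findall(line)}


def session_profile(record):
    """Compute how long the session was open and its average throughput.

    A session-end record carries the byte count of the whole session, so the
    bytes must be spread over (receive_time - start) to judge the real rate.
    """
    start = datetime.strptime(record["start"], TIME_FORMAT)
    end = datetime.strptime(record["receive_time"], TIME_FORMAT)
    duration_s = max((end - start).total_seconds(), 1.0)  # avoid division by zero
    nbytes = int(record["bytes"])
    kind = "long-lived" if duration_s >= LONG_SESSION_SECONDS else "short"
    return {
        "src": record["src"],
        "dst": record["dst"],
        "bytes": nbytes,
        "duration_s": duration_s,
        "avg_bytes_per_s": nbytes / duration_s,
        "kind": kind,
    }


def analyze(lines):
    """Profile every record; returns one dict per line, in input order."""
    return [session_profile(parse_record(line)) for line in lines]


if __name__ == "__main__":
    for p in analyze(SAMPLE_RECORDS):
        hours = p["duration_s"] / 3600
        print(f"{p['src']} -> {p['dst']}: {p['bytes']:>12} bytes over "
              f"{hours:6.2f} h = {p['avg_bytes_per_s']:10.1f} B/s ({p['kind']})")
```

Run as-is, the first record resolves to roughly 75 KB/s sustained over almost four hours rather than a 1 GB burst, which is the distinction the accepted answer draws; the same profile function can be pointed at an export of your own session-end records once the field names are adjusted.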


L3 Networker

Here's a theory: is it possible that the PAN is summarizing the syslog records because they are so frequent? I'm referring to a PAN that is receiving syslog messages from another PAN, say on its inside interface, and those egress another interface. The syslogging of the systems themselves is not visible in the Monitoring tab, as those egress the management interface. Right?


Crikey - you were absolutely correct. I looked at the details of one of those fat flow records and sure enough the start time was nearly four hours before the recorded time. I'm not sure exactly how it decides when 10MB or 1GB is the time to record the flow. But the major mystery is no longer. Thanks!

Thanks Remo for answering this.

This PA has so many features; every day we learn more about PA.

MP