11-27-2019 10:19 AM
I recently added a new syslog destination at this (new to me) site and noticed something I hadn't seen before: according to PAN Monitoring, the syslog data is sent sporadically and in big bursts. For example, not long after I added the new destination, the PAN sent one GB of syslog to all the destinations and then one small 307 byte message. Now it hasn't sent anything in over an hour. The Log Forwarding profile appears to have a liberal syslog forwarding setting, e.g. All Traffic, Filter All Logs. There's tons of traffic through the FW, so it should be pumping info all the time.
11-27-2019 03:42 PM - edited 11-27-2019 03:44 PM
Here's a theory: is it possible that the PAN is summarizing the syslog records because they are so frequent? I'm referring to a PAN that is receiving syslog messages from another PAN, say on its inside interface, which then egress another interface. The syslogging of the systems themselves is not visible in the Monitoring tab, as those messages egress the management interface. Right?
11-27-2019 04:56 PM
Yes, on the sending firewall you don't see the syslog sessions in the traffic log (as long as you do not have the mgmt interface connected to the firewall itself).
When you speak about big syslog sessions, you see them on another firewall, right? Do you log both session start and session end logs there? If you only log session end logs, did you check how long the session was open (the difference between the start and end time of the session)? So maybe this high amount of syslog traffic was sent over a long timeframe.
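The check described above, written out as an added example (it is not code from this thread or from Palo Alto Networks): for each session-end record, compute how long the session was open from its start time and receive time, check that against the elapsed field, and divide the byte count by that duration. A record with a huge byte count but a modest average rate is a long-lived session whose total was only logged when it closed, not a burst. The log lines are constructed for the example, and the column names are an assumed, simplified subset of PAN-OS traffic log fields, not the firewall's real CSV field order; the thresholds are arbitrary and should be tuned to the link.

```python
"""Tell a genuine burst apart from a long-lived session logged at close.

The records below are CONSTRUCTED for this example. The column names are an
assumed, simplified subset of PAN-OS traffic log fields, not the firewall's
actual CSV field order. A session-start log would carry 0 bytes; these are
session-end records as seen on the firewall that forwards the syslog traffic.
"""
import csv
import io
from datetime import datetime

TS_FMT = "%Y/%m/%d %H:%M:%S"
MIB = 2 ** 20

SAMPLE_LOG = """\
receive_time,session_id,src,dst,dport,app,action,bytes,start_time,elapsed
2019/11/27 10:05:12,1001,10.1.1.5,10.2.2.20,514,syslog,allow,1073741824,2019/11/27 06:07:40,14252
2019/11/27 10:05:13,1002,10.1.1.5,10.2.2.20,514,syslog,allow,307,2019/11/27 10:05:13,0
2019/11/27 10:06:00,1003,10.1.1.9,10.2.2.20,514,syslog,allow,524288000,2019/11/27 10:05:30,30
"""


def parse_traffic_log(text):
    """Parse CSV traffic log text into dicts with typed time and byte fields."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        rec = dict(row)
        rec["bytes"] = int(row["bytes"])
        rec["elapsed"] = int(row["elapsed"])
        rec["receive_time"] = datetime.strptime(row["receive_time"], TS_FMT)
        rec["start_time"] = datetime.strptime(row["start_time"], TS_FMT)
        records.append(rec)
    return records


def session_duration_s(rec):
    """Seconds the session was open (receive_time minus start_time).

    Also reports whether the elapsed field agrees within a minute, so a
    clock problem is not mistaken for throughput. Never returns 0.
    """
    wall = int((rec["receive_time"] - rec["start_time"]).total_seconds())
    consistent = abs(wall - rec["elapsed"]) <= 60
    return max(wall, 1), consistent


def classify(rec, big_bytes=100 * MIB, burst_rate_bps=10 * MIB):
    """Label a session-end record and return (label, avg bytes/s).

    small               : too few bytes to matter
    burst               : big transfer whose average rate really was high
    long-lived          : big total that accumulated over a long session and
                          was only logged when the session ended
    inconsistent-times  : elapsed and start/receive times disagree; check clocks
    """
    if rec["bytes"] < big_bytes:
        return "small", 0.0
    duration, consistent = session_duration_s(rec)
    avg_rate = rec["bytes"] / duration
    if not consistent:
        return "inconsistent-times", avg_rate
    if avg_rate >= burst_rate_bps:
        return "burst", avg_rate
    return "long-lived", avg_rate


def analyze(text):
    """Return {session_id: (label, avg_rate_bytes_per_s, duration_s)}."""
    results = {}
    for rec in parse_traffic_log(text):
        label, rate = classify(rec)
        duration, _ = session_duration_s(rec)
        results[rec["session_id"]] = (label, rate, duration)
    return results


if __name__ == "__main__":
    for sid, (label, rate, dur) in analyze(SAMPLE_LOG).items():
        print(f"session {sid}: {label:<18} {dur:>6}s  avg {rate / 1024:9.1f} KiB/s")
```

Session 1001 here carries a full GiB but was open for almost four hours, so its average is well under 100 KiB/s; only session 1003 moved its bytes quickly enough to count as a burst. Run the same computation over the real export from the receiving firewall's traffic log, and remember that the sending firewall's own management-plane syslog never shows up in its own traffic log unless the management interface is routed back through a data-plane interface.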
11-27-2019 06:54 PM
Crikey - you were absolutely correct. I looked at the details of one of those fat flow records and sure enough the start time was nearly four hours before the recorded time. I'm not sure exactly how it decides when 10MB or 1GB is the time to record the flow. But the major mystery is no longer. Thanks!
11-27-2019 07:24 PM
Thanks Remo for answering this.
This PA has so many features; every day we learn more about PA.