The sporadic syslog sender

L3 Networker

The sporadic syslog sender

I recently added a new syslog destination at this new-to-me site and noticed something I hadn't seen before. That is that the sending of syslog data, according to PAN Monitoring, is sent sporadically and in big bursts. For example, not long after I added the new destination, the PAN sent one GB of syslog to all the destinations and then one small 307-byte message. Now it hasn't sent anything in over an hour. The Log Forwarding profile appears to have a liberal syslog info forwarding setting, e.g. All Traffic, Filter All Logs. There's tons of traffic through the FW, so it should be pumping info all the time.


Accepted Solutions
Cyber Elite

Re: The sporadic syslog sender

Yes, on the sending firewall you don't see the syslog sessions in traffic log (as long as you do not have the mgmt interface connected to the firewall itself).

When you speak about big syslog sessions: you see them on another firewall, right? Do you log start and end logs there? If you only log session end logs, did you check for how long the session was open (difference between start and end time of the session)? So maybe this high amount of syslog traffic was sent over a long timeframe.

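As an added illustration of the check suggested in the answer above (not code from the thread or from Palo Alto Networks), this script takes constructed session-end records in an assumed simplified CSV layout (receive time, session start time, elapsed seconds, byte count, destination port) and works out how long each syslog session was actually open and its average rate, so a 1 GB record stamped at one instant is seen as roughly four hours of traffic at about 75 KB/s rather than a burst.

```python
import csv
import io
from datetime import datetime

TS_FORMAT = "%Y/%m/%d %H:%M:%S"

# Constructed sample records (assumption: a simplified CSV form of
# session-end traffic logs; not real firewall output). The first row
# models the "1 GB burst" from the question, the second the 307-byte message.
SAMPLE_LOGS = """\
receive_time,start_time,elapsed_sec,bytes,dst_port
2020/03/10 14:05:12,2020/03/10 10:07:30,14262,1073741824,514
2020/03/10 14:05:13,2020/03/10 14:05:13,0,307,514
2020/03/10 14:05:20,2020/03/10 14:05:15,5,52000,443
"""


def parse_records(text):
    """Parse the constructed CSV into typed dictionaries."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "receive_time": datetime.strptime(row["receive_time"], TS_FORMAT),
            "start_time": datetime.strptime(row["start_time"], TS_FORMAT),
            "elapsed_sec": int(row["elapsed_sec"]),
            "bytes": int(row["bytes"]),
            "dst_port": int(row["dst_port"]),
        })
    return records


def effective_rate(record, long_session_sec=3600):
    """Spread a session-end record's byte count over the time it was open.

    A session-end log carries the whole session's bytes but is stamped
    with the end time, so a long-lived session looks like a burst.
    """
    open_for = (record["receive_time"] - record["start_time"]).total_seconds()
    # Sub-second sessions report elapsed 0; avoid dividing by zero.
    avg_bps = record["bytes"] / max(record["elapsed_sec"], 1)
    return {
        "open_for_sec": open_for,
        "avg_bytes_per_sec": avg_bps,
        "long_lived": record["elapsed_sec"] >= long_session_sec,
    }


def summarise_syslog_sessions(text, syslog_port=514):
    """Return the per-session analysis for records to the syslog port."""
    return [effective_rate(r) for r in parse_records(text)
            if r["dst_port"] == syslog_port]
```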


All Replies
L3 Networker

Re: The sporadic syslog sender

Here's a theory: is it possible that the PAN is summarizing the syslog records because they are so frequent? I'm referring to a PAN that is receiving syslog messages from another PAN, say on its inside interface, and those egress another interface. The syslogging of the systems themselves is not visible in the Monitoring tab, as those egress the management interface. Right?


L3 Networker

Re: The sporadic syslog sender

Crikey, you were absolutely correct. I looked at the details of one of those fat flow records, and sure enough the start time was nearly four hours before the recorded time. I'm not sure exactly how it decides when 10 MB or 1 GB is the time to record the flow. But the major mystery is no longer. Thanks!

Cyber Elite

Re: The sporadic syslog sender

Thanks Remo for answering this.

This PA has so many features; every day we learn more about PA.

MP