12-11-2012 12:09 AM - edited 12-11-2012 12:14 AM
In our environment firewall logs are configured to update in syslog.
Firewall side configuration.
logging buffered errors
logging trap informational
logging history errors
logging host inside x.x.x.x
Syslog logging: enabled
But now the issue is:
for a particular time, say one minute,
if we log it to server1, it logs around 200 messages in server1 /logs/pix/xyz.log,
but if we log it to server2, it logs around 2000 messages in server2 /logs/pix/xyz.log.
What can be the issue?
12-11-2012 04:27 AM
If the network between the firewall and server1 has a lot of other traffic, some of the log messages may be dropped in transit. The syslog protocol is very basic and does not have any protections against lost messages.
01-10-2013 03:15 AM
Hi MK & All,
The issue is resolved. It has taken a long time to troubleshoot. Used tusc to identify the root cause. In resolv.conf an entry for 127.0.0.1 was there.
While adding data to syslog, syslogd is doing DNS lookups to localhost, where no DNS server was set up. So syslog is waiting around 5 seconds for the DNS query to time out. During this time a lot of logs will be discarded. Since it's the syslog protocol, as you said, they will not be regenerated. So we commented out the 127.0.0.1 in resolv.conf and now everything is fine.
Anish T S
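The comparison the poster did by hand (message counts for the same minute on two collectors) is the quickest way to tell whether a collector is silently losing UDP syslog, whether the cause is network loss or, as here, syslogd stalling on DNS lookups. The script below is an added example written for this page, not code from the thread or from any syslog daemon: it buckets two captured log files by minute and flags minutes where one side saw far fewer messages than the other. The file contents, the `fw` hostname and the PIX message bodies are constructed sample data; the poster's actual file paths were /logs/pix/xyz.log on each server.

```python
import re
from collections import Counter

# Matches the BSD syslog timestamp a PIX/ASA line carries once syslogd has written it:
# "Dec 11 00:09:01 host ...". Lines that do not match are ignored.
SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")


def minute_key(line):
    """Return 'Mon DD HH:MM' for a syslog line, or None if it has no timestamp."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    mon, day, hh, mm, _sec = m.groups()
    return f"{mon} {int(day):02d} {hh}:{mm}"


def messages_per_minute(text):
    """Count syslog messages per minute in one collector's log file."""
    counts = Counter()
    for line in text.splitlines():
        key = minute_key(line)
        if key is not None:
            counts[key] += 1
    return counts


def compare_rates(text_a, text_b, min_ratio=0.5):
    """Compare per-minute counts of two collectors fed by the same sender.

    Returns (minute, count_a, count_b, ratio, suspect) tuples. ratio is the
    smaller count divided by the larger; suspect is True when one collector
    saw less than min_ratio of the other's messages, i.e. likely drops.
    """
    ca, cb = messages_per_minute(text_a), messages_per_minute(text_b)
    report = []
    for minute in sorted(set(ca) | set(cb)):
        a, b = ca[minute], cb[minute]
        high = max(a, b)
        ratio = (min(a, b) / high) if high else 1.0
        report.append((minute, a, b, round(ratio, 3), ratio < min_ratio))
    return report


def _constructed_lines(minute, count):
    """Build `count` constructed PIX-style lines inside one minute (sample data only)."""
    return [
        f"{minute}:{i % 60:02d} fw %PIX-6-302013: Built outbound TCP connection {i}"
        for i in range(count)
    ]


# Constructed sample: in the first minute server1 holds a tenth of what server2 holds
# (the 200 vs 2000 symptom from the thread, scaled down); in the second minute they agree.
SERVER1_LOG = "\n".join(
    ["### header line without a timestamp, skipped by the parser"]
    + _constructed_lines("Dec 11 00:09", 20)
    + _constructed_lines("Dec 11 00:10", 10)
)
SERVER2_LOG = "\n".join(
    _constructed_lines("Dec 11 00:09", 200) + _constructed_lines("Dec 11 00:10", 10)
)


if __name__ == "__main__":
    # Real use: replace the two constants with the contents of each server's log file.
    for minute, a, b, ratio, suspect in compare_rates(SERVER1_LOG, SERVER2_LOG):
        flag = "  <-- possible loss" if suspect else ""
        print(f"{minute}  server1={a:4d}  server2={b:4d}  ratio={ratio:.2f}{flag}")
```

A minute flagged on one collector but not the other points at that collector or its path, not at the firewall. From there the poster's next step applies: trace the daemon (tusc on HP-UX, strace on Linux) while it is busy and look for blocked DNS calls, and confirm that every resolver listed in resolv.conf actually answers. Because the BSD timestamp has no year and the keys sort as strings, the report is only ordered correctly within a single month.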