Missing logs over raw syslog TCP 514

Hi,

I have missing/incomplete logs when sending syslog from Cisco Ironport to my syslog server using the rawsyslog SmartConnector on TCP 514. When I send it over in CEF or UDP, the logs are complete. Does anyone know what might be causing this, or is there some configuration that I need to apply on the SmartConnector?


We also encountered the same issue with Cisco ASA logging via TCP 1470. Using UDP is easily 50% more EPS. Initially it was due to an official Cisco ASA bug, but after the remedy, the EPS increased from 10% to 50% but is still far from UDP.

Cisco is adamant it is not their issue though.

- Increased connector JVM memory from 256 to 1024. No help.
- Changed tcppeerclosedchecktimeout to 30000. No help.
- Changed tcpmaxsockets to more than 1000. No help.


Hi,

Is the version of Cisco Ironport supported by the connector? Also, it may be possible that some events are not parsed because they are not recognized.


Take a look at the syslog optimization guide - it should help on optimizing the connector to make sure you are getting the best throughput:

It's worth checking if this connector is caching though. Look in the agentdata folder to see if it has files, and if so, is it increasing? If so, then the connector isn't keeping up and processing the inbound data fast enough. That being the case, I would recommend optimizing the connector as best you can. Also, check the processing too: is the parsing process working correctly? Incorrect parsing will cause a slowdown and make the messages larger than necessary, and hence cause issues too. So are the logs that are getting through parsed correctly?

Finally, what does the agent.log say? Should have some comments in there.
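The cache check suggested above, as an added example that is not part of the original reply or of any vendor tooling: it samples a folder's file count and total size over time and reports whether the backlog is growing. The folder path is supplied by the caller; the sampling interval and the result labels are assumptions.

```python
import os
import sys
import time


def snapshot(folder):
    """Return (file_count, total_bytes) for all regular files under folder."""
    count = total = 0
    for root, _dirs, files in os.walk(folder):
        for name in files:
            try:
                total += os.path.getsize(os.path.join(root, name))
                count += 1
            except OSError:
                # Cache files can be rotated or deleted between listing and stat.
                continue
    return count, total


def classify(samples):
    """Classify a time-ordered series of (file_count, total_bytes) samples."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to see a trend")
    if all(count == 0 for count, _ in samples):
        return "empty"      # nothing is being cached
    first, last = samples[0][1], samples[-1][1]
    if last > first:
        return "growing"    # backlog is building: input outpaces processing
    if last < first:
        return "draining"   # backlog exists but is being worked off
    return "steady"


def watch(folder, samples=3, interval=10.0):
    """Sample the folder `samples` times, `interval` seconds apart."""
    series = []
    for i in range(samples):
        if i:
            time.sleep(interval)
        series.append(snapshot(folder))
    return classify(series), series


if __name__ == "__main__":
    # Usage: python cache_watch.py <path to the connector's agentdata folder>
    verdict, series = watch(sys.argv[1])
    for count, size in series:
        print(f"{count} files, {size} bytes")
    print("cache is", verdict)
```

A "growing" result over several minutes of normal traffic matches the condition described in the reply, where the connector is not processing inbound data fast enough.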


Yes, also previously acknowledged Cisco ASA bug but they claimed to have fixed it.

- Update to latest firmware

- Optimize smartconnector

- Reduce sending logs
