More discussions in Kiwi SyslogWhere is this place located?
3 Replies Latest reply: Feb 24, 2012 6:14 AM by Fodome RSS

free version 9.20 implementation -- drops syslog records?

Dave Zordan
Dave Zordan Feb 22, 2012 12:30 PM
Currently Being Moderated

I'm running a Cisco ACS appliance which is logging to a remote syslog -- this version on Win 2003 virtual server. The ACS appliance sends log syslog entries which IT splits up into shorter messages. So a failed login could result in a dozen or so syslog messages. The record layout lists the total number of syslog records, plus a counter -- so for any given failure you can see the syslog entires -- entry 1 of 13, entry 2 of 13, etc.

So I know how many records should be there. But frequently a message doesn't show up in the syslog. I'll get 2 of 13 through 13 of 13 without logging the 1st record.

My server stats don't show anything suspicious:

+ Messages received - Total:          310180
+ Messages received - Last 24 hours:  310180
+ Messages received - Since Midnight: 309858
+ Messages received - Last hour:      43996
+ Message queue overflow - Last hour: 0
+ Messages received - This hour:      13634
+ Message queue overflow - This hour: 0
+ Messages per hour - Average:        21182

+ Messages forwarded:                 0
+ Messages logged to disk:            309848

+ Errors - Logging to disk:           0
+ Errors - Invalid priority tag:      0
+ Errors - No priority tag:           0
+ Errors - Oversize message:          0

I'm trying to determine if this is an artifact of the Cisco ACS appliance not sending what it claims to be sending, the Kiwi Syslog server not being able to log the entry or a capacity issue.

Any suggestions.? On any given day I'll have dozens of "missing" records in the syslog file. Naturally, I can't really tell how many records are being dropped and whether the paid version would alleviate that issue.

  • 92 Views
  • Re: free version 9.20 implementation -- drops syslog records?
    bshopp
    bshopp Feb 23, 2012 8:15 AM (in response to Dave Zordan)
    Currently Being Moderated

    Since UDP is an unreliable delivery protocol, could you configure the ACS server to send Syslog leveraging TCP? 

    • Re: free version 9.20 implementation -- drops syslog records?
      Dave Zordan
      Dave Zordan Feb 24, 2012 6:01 AM (in response to bshopp)
      Currently Being Moderated

      That's not an option. Based on the numbers I presented above, am I within the capabilities of the syslog server? This server is pretty much ONLY running syslog.

      • Re: free version 9.20 implementation -- drops syslog records?
        Fodome
        Fodome Feb 24, 2012 6:14 AM (in response to Dave Zordan)
        Currently Being Moderated

        Hello Dave,

        When a syslog message goes missing, is it always the first one from the set (1 out of X)?  If so, I would say this has something to do with the mechanism that is splitting the syslog messages into multiple messages where it is not always sending the first message correctly.

        I believe the important question here is, is the syslog message reaching its destination in the first place?  Have you run a packet capture utility such as Wireshark on the Kiwi Syslog Server host in order to analyze the packets coming in?  If any go missing within Kiwi Syslog Server, we would need to look at the packet capture and see if it was received.  Obviously we could not run a packet capture utility for an extended period of time, so I am hoping the missing messages occurs often...

        Let me know.

        Chris Foley | Support Representative
        SolarWinds | IT Management, Inspired By You
        Support:866.530.8040 || Fax:512.857.0125

Actions

More Like This

  • Retrieving data ...