Syslog problem

Jan 17th, 2008

I've created anti-virus and anti-spam syslog pushed to a log analyzer. I've checked the log analyzer and found IronPort can successfully collect syslog from IronPort.

But sometimes I receive an alert from IronPort below. What's the problem? It seems IronPort cannot push syslog to my log analyzer sometimes.

Log Error: Subscription Syslog_Anti-Spam: Network error while sending log data to syslog server 10.13.23.23 (10.13.23.23): [Errno 61] Connection refused

Torsten_ironport Thu, 01/17/2008 - 09:30

Just two wild guesses:

1) Performance issue on the syslog server? Is the IronPort the only system logging to that log host? Do you experience similar problems on other sending hosts?

2) Is there a firewall or Intrusion Detection / Prevention between the IronPort and the loghost that might block connections dynamically for various reasons?

Torsten

daniel.ao_ironport Mon, 01/21/2008 - 07:19


Just two wild guesses:

1) Performance issue on the syslog server? Is the IronPort the only system logging to that log host? Do you experience similar problems on other sending hosts?

2) Is there a firewall or Intrusion Detection / Prevention between the IronPort and the loghost that might block connections dynamically for various reasons?

Torsten


Hi Torsten,

1. The IronPort is not the only system logging to that log host. No problems for other sending hosts.

2. There is a Juniper IDP in the network.

BTW, this problem occurred sometimes, not always. Is there any configuration wrong or missed in the IronPort?


Daniel
Torsten_ironport Tue, 01/29/2008 - 14:31



2. There is a Juniper IDP in the network.


Just to make sure: you have made sure that this IDP isn't the source of your problem, right?

Torsten
sinikuub_ironport Fri, 02/08/2008 - 21:33


I've created anti-virus and anti-spam syslog pushed to a log analyzer. I've checked the log analyzer and found IronPort can successfully collect syslog from IronPort. 

But sometimes I receive an alert from IronPort below. What's the problem? It seems IronPort cannot push syslog to my log analyzer sometimes.

Log Error: Subscription Syslog_Anti-Spam: Network error while sending log data to syslog server 10.13.23.23 (10.13.23.23): [Errno 61] Connection refused


Yep, same here, also with ftp logs and IronPort -s (2C&1M) are the only ones who complain, all others (linux, checkpoint, juniper etc) have never complained.

So seems it's IronPort -s problem.
steven_geerts Thu, 02/21/2008 - 00:07

Hello,

The main question on this issue is: are you using TCP or (the default for syslog) UDP?
Normally UDP cannot be rejected. (There is no verification that the packets are delivered/received properly.)
We use UDP to feed our syslog server from our C600 machines and have syslog errors in the following situations:
1) Directly after the IronPort is rebooted or a change has been made to the IP configuration.
2) The firewall we use as router for the internal network connections is down or in trouble.

Normally a device cannot determine if a UDP stream is interrupted after its first hop.

If you are using TCP to feed your syslog host, errors can be noticed when any network component your traffic is passing fails.

Steven
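
An added example, not part of any post in this thread: a small Python probe that can be run from a host on the same network path as the appliance to record when the syslog port refuses connections, for comparison with IDP or firewall logs. It probes both transports; the function names, result labels and the loopback demo listener are assumptions made for illustration.

```python
import errno
import socket
import time

def probe_tcp(host, port, timeout=2.0):
    """One TCP connect attempt: 'open', 'refused', 'timeout' or 'error:<name>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"            # RST from the collector or an in-path device
    except socket.timeout:
        return "timeout"            # packets silently dropped
    except OSError as exc:
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))

def probe_udp(host, port, timeout=1.0):
    """Send one datagram on a connected UDP socket and wait briefly.
    A closed port is visible only if an ICMP port-unreachable reaches us."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(b"<14>probe: syslog reachability test")
            s.recv(1)               # returns only on a reply or an ICMP error
            return "reply"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "no-error-observed"
        except OSError as exc:
            return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))

def watch(host, port, count, interval=1.0, probe=probe_tcp):
    """Probe repeatedly; return (timestamp, result) pairs for log correlation."""
    results = []
    for _ in range(count):
        results.append((time.strftime("%Y-%m-%dT%H:%M:%S"), probe(host, port)))
        time.sleep(interval)
    return results

if __name__ == "__main__":
    # Constructed demo: a local listener stands in for the syslog collector.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    print(watch("127.0.0.1", port, 2, 0.1))   # listener up
    srv.close()
    print(watch("127.0.0.1", port, 2, 0.1))   # listener gone
```

Intermittent "refused" or "timeout" entries in the `watch` output give timestamps to look up in the IDP, firewall and syslog server logs.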

sam_ironport Tue, 05/27/2008 - 10:40


I've created anti-virus and anti-spam syslog pushed to a log analyzer. I've checked the log analyzer and found IronPort can successfully collect syslog from IronPort. 

But sometimes I receive an alert from IronPort below. What's the problem? It seems IronPort cannot push syslog to my log analyzer sometimes.

Log Error: Subscription Syslog_Anti-Spam: Network error while sending log data to syslog server 10.13.23.23 (10.13.23.23): [Errno 61] Connection refused



Hi Daniel,
:o How about the IronPort issue now? Any conclusion?
Sam lai
joe_ironport Wed, 05/28/2008 - 17:08

I receive this error once in a while as well, but I don’t believe it’s an IronPort problem per se. I think the ESA is more sensitive to performance issues on either the log server or firewall in between the ESA and log server. I’ve correlated the errors with times of peak performance on both the ESA and firewall.

If you are receiving these errors continuously I would think you have a config problem. Otherwise I think you can ignore them.

Joe
