Syslog problem

daniel.ao_ironport · ‎01-17-2008

I've created anti-virus and anti-spam syslog pushed to a log analyzer. I've checked the log analyzer and found IronPort can successfully collect syslog from IronPort.

But sometimes I receive an alert from IronPort below. What's the problem? It seems IronPort cannot push syslog to my log analyzer sometimes.

Log Error: Subscription Syslog_Anti-Spam: Network error while sending log data to syslog server 10.13.23.23 (10.13.23.23): [Errno 61] Connection refused

Torsten_ironport · ‎01-17-2008

Just two wild guesses:

1) Performance issue on the syslog server? Is the IronPort the only system logging to that log host? Do you experience similar problems on other sending hosts?

2) Is there a firewall or Intrusion Detection / Prevention between the IronPort and the loghost that might block connections dynamically for various reasons?

Torsten

daniel.ao_ironport · ‎01-21-2008

Just two wild guesses:

1) Performance issue on the syslog server? Is the IronPort the only system logging to that log host? Do you experience similar problems on other sending hosts?

2) Is there a firewall or Intrusion Detection / Prevention between the IronPort and the loghost that might block connections dynamically for various reasons?

Torsten

Hi Torsten,

1. The IronPort is not the only system logging to that log host. No problems for other sending hosts.

2. There is a Juniper IDP in the network.

BTW, this problem occurred sometimes, not always. Is there any configuration wrong or missed in the IronPort?

Daniel

Torsten_ironport · ‎01-29-2008


2. There is a Juniper IDP in the network.

Just to make sure: you have made sure that this IDP isn't the source of your problem, right?

Torsten

sinikuub_ironport · ‎02-08-2008

I've created anti-virus and anti-spam syslog pushed to a log analyzer. I've checked the log analyzer and found IronPort can successfully collect syslog from IronPort. 

But sometimes I receive an alert from IronPort below. What's the problem? It seems IronPort cannot push syslog to my log analyzer sometimes.

Log Error: Subscription Syslog_Anti-Spam: Network error while sending log data to syslog server 10.13.23.23 (10.13.23.23): [Errno 61] Connection refused

Yep, same here, also with ftp logs and IronPort -s (2C&1M) are the only ones who complain, all others (linux, checkpoint, juniper etc) have never complained.

So seems it's IronPort -s problem.

steven_geerts · ‎02-21-2008

Hello,

The main question on this issue is: are you using TCP or (the default for syslog) UDP?
Normally UDP can not be rejected. (There is no verification if the packets are delivered/received properly).
We use UDP to feed our syslog server form our C600 machines and have syslog errors in the following situations:
1) Directly after the Ironport is rebooted or a change has been made to the IP configuration.
2) The firewall we use as router for the internal network connections is down or in trouble.

Normally a Device can not determine if a UDP stream is interrupted after its first hop.

If you are using TCP to feed your syslog host errors can be noticed when any network component your traffic is passing fails.

Steven

sam_ironport · ‎05-27-2008

I've created anti-virus and anti-spam syslog pushed to a log analyzer. I've checked the log analyzer and found IronPort can successfully collect syslog from IronPort. 

But sometimes I receive an alert from IronPort below. What's the problem? It seems IronPort cannot push syslog to my log analyzer sometimes.

Log Error: Subscription Syslog_Anti-Spam: Network error while sending log data to syslog server 10.13.23.23 (10.13.23.23): [Errno 61] Connection refused

Hi daniel :
:o how about the ironport issue now ? any conclusion ?
Sam lai

joe_ironport · ‎05-28-2008

I receive this error once in a while as well, but I don’t believe it’s an IronPort problem per se. I think the ESA is more sensitive to performance issues on either the log server or firewall in between the ESA and log server. I’ve correlated the errors with times of peak performance on both the ESA and firewall.

If you are receiving these errors continuously I would think you have a config problem. Otherwise I think you can ignore them.

Joe