Cisco Support Community

Syslog problem

I've created anti-virus and anti-spam syslog pushed to a log analyzer. I've checked the log analyzer and found IronPort can successfully collect syslog from IronPort.

But sometimes I receive an alert from IronPort below. What's the problem? It seems IronPort cannot push syslog to my log analyzer sometimes.

Log Error: Subscription Syslog_Anti-Spam: Network error while sending log data to syslog server 10.13.23.23 (10.13.23.23): [Errno 61] Connection refused

7 REPLIES
New Member

Re: Syslog problem

Just two wild guesses:

1) Performance issue on the syslog server? Is the IronPort the only system logging to that log host? Do you experience similar problems on other sending hosts?

2) Is there a firewall or Intrusion Detection / Prevention between the IronPort and the loghost that might block connections dynamically for various reasons?

Torsten

Re: Syslog problem

Just two wild guesses:

1) Performance issue on the syslog server? Is the IronPort the only system logging to that log host? Do you experience similar problems on other sending hosts?

2) Is there a firewall or Intrusion Detection / Prevention between the IronPort and the loghost that might block connections dynamically for various reasons?

Torsten


Hi Torsten,

1. The IronPort is not the only system logging to that log host. No problems for other sending hosts.

2. There is a Juniper IDP in the network.

BTW, this problem occurs sometimes, not always. Is any configuration wrong or missing on the IronPort?


Daniel

New Member

Re: Syslog problem


2. There is a Juniper IDP in the network.


Just to make sure: you have made sure that this IDP isn't the source of your problem, right?

Torsten

New Member

Re: Syslog problem

I've created anti-virus and anti-spam syslog pushed to a log analyzer. I've checked the log analyzer and found IronPort can successfully collect syslog from IronPort. 

But sometimes I receive an alert from IronPort below. What's the problem? It seems IronPort cannot push syslog to my log analyzer sometimes.

Log Error: Subscription Syslog_Anti-Spam: Network error while sending log data to syslog server 10.13.23.23 (10.13.23.23): [Errno 61] Connection refused


Yep, same here, also with FTP logs, and the IronPorts (2C&1M) are the only ones who complain; all others (Linux, Check Point, Juniper, etc.) have never complained.

So it seems it's an IronPort problem.

New Member

Re: Syslog problem

Hello,

The main question on this issue is: are you using TCP or (the default for syslog) UDP?
Normally UDP cannot be rejected. (There is no verification that the packets are delivered/received properly.)
We use UDP to feed our syslog server from our C600 machines and have syslog errors in the following situations:
1) Directly after the IronPort is rebooted or a change has been made to the IP configuration.
2) The firewall we use as router for the internal network connections is down or in trouble.

Normally a device cannot determine if a UDP stream is interrupted after its first hop.

If you are using TCP to feed your syslog host, errors can be noticed when any network component your traffic is passing through fails.

Steven
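An added example, not code from any poster in this thread or from Cisco: a small probe that sends a test syslog line over TCP or UDP and records timestamped failures, so intermittent "Connection refused" alerts can be lined up against firewall or IDP logs. The names `probe`, `watch` and `TEST_LINE`, and port 514, are assumptions made for this sketch.

```python
import socket
import time
from datetime import datetime, timezone

# Constructed test message; PRI 14 = facility user, severity info.
TEST_LINE = b"<14>syslog-probe: delivery test\n"

def probe(host, port, proto="tcp", timeout=2.0):
    """Send one test line. Returns 'sent', 'refused', 'timeout' or 'error:<text>'."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        s.settimeout(timeout)
        try:
            # TCP: performs the handshake. UDP: only records the peer address.
            s.connect((host, port))
            s.send(TEST_LINE)
            if proto == "udp":
                # A connected UDP socket can surface an ICMP port-unreachable
                # on a later call, if that ICMP reply makes it back.
                time.sleep(0.2)
                s.send(TEST_LINE)
        except ConnectionRefusedError:
            # ECONNREFUSED (errno 61 on BSD-derived systems, 111 on Linux):
            # something answered, but nothing accepted traffic on that port.
            return "refused"
        except socket.timeout:
            # No answer at all: packets dropped silently somewhere on the path.
            return "timeout"
        except OSError as exc:
            return "error:" + str(exc)
    # For UDP, 'sent' only means no error came back, not that it was delivered.
    return "sent"

def watch(host, port, proto="tcp", count=10, interval=30.0):
    """Probe repeatedly; return [(utc_timestamp, status)] for each failed probe."""
    failures = []
    for _ in range(count):
        status = probe(host, port, proto)
        if status != "sent":
            stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
            failures.append((stamp, status))
        time.sleep(interval)
    return failures

if __name__ == "__main__":
    # Log host address from the alert in this thread; port 514 is assumed.
    for stamp, status in watch("10.13.23.23", 514, "tcp", count=5, interval=10.0):
        print(stamp, status)
```

A run of "refused" results points at the collector or an in-path device actively rejecting the connection, while "timeout" points at silent drops.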

New Member

Re: Syslog problem

I've created anti-virus and anti-spam syslog pushed to a log analyzer. I've checked the log analyzer and found IronPort can successfully collect syslog from IronPort. 

But sometimes I receive an alert from IronPort below. What's the problem? It seems IronPort cannot push syslog to my log analyzer sometimes.

Log Error: Subscription Syslog_Anti-Spam: Network error while sending log data to syslog server 10.13.23.23 (10.13.23.23): [Errno 61] Connection refused



Hi Daniel,
How about the IronPort issue now? Any conclusion?
Sam lai

New Member

Re: Syslog problem

I receive this error once in a while as well, but I don’t believe it’s an IronPort problem per se. I think the ESA is more sensitive to performance issues on either the log server or firewall in between the ESA and log server. I’ve correlated the errors with times of peak performance on both the ESA and firewall.

If you are receiving these errors continuously I would think you have a config problem. Otherwise I think you can ignore them.

Joe
