DX Unified Infrastructure Management

Hi Everyone. How are you...

Is possible that sysloggtw probe omite registries?

I have a server that receive syslog from FortiAnalyzer, I see that in some ocations not receive some registries. For example, I am monitoring registries of "server-rst", today receive 5 registries and FortiAnalizer show 8.

I think that one needs a lot more information to answer your question definitively but for comparison purposes, we have sysloggtw on about 700 servers and push tens of thousands of messages through them every minute and I can definitively say that we don't loose 30% of those messages. 

The probe itself appears to be reliable and solid. 

I would start with validating the assumption that what is being sent to the syslog probe matches what the fortigate is reporting before looking for problems in UIM.
Original Message:
Sent: Dec 05, 2022 03:24 PM
From: Miller Echagarreta
Subject: Is possible that sysloggtw probe omite registries?

Hi Everyone. How are you...

Is possible that sysloggtw probe omite registries?

I have a server that receive syslog from FortiAnalyzer, I see that in some ocations not receive some registries. For example, I am monitoring registries of "server-rst", today receive 5 registries and FortiAnalizer show 8.

Ey @Garin Walsh thanks for your comments.

I was able to establish that the probe definitely does not have a way to exclude packets/data that arrive through port 514 of the sysloggtw probe. My intention was not to look for failures in the probe, but to understand if there was something else to do on my part in the configuration. With this conclusion we have turned to the manufacturer Fortinet, to establish if there is something wrong on that side.​
Original Message:
Sent: Dec 06, 2022 02:29 PM
From: Garin Walsh
Subject: Is possible that sysloggtw probe omite registries?

I think that one needs a lot more information to answer your question definitively but for comparison purposes, we have sysloggtw on about 700 servers and push tens of thousands of messages through them every minute and I can definitively say that we don't loose 30% of those messages.

The probe itself appears to be reliable and solid.

I would start with validating the assumption that what is being sent to the syslog probe matches what the fortigate is reporting before looking for problems in UIM.
Original Message:
Sent: Dec 05, 2022 03:24 PM
From: Miller Echagarreta
Subject: Is possible that sysloggtw probe omite registries?

Hi Everyone. How are you...

Is possible that sysloggtw probe omite registries?

I have a server that receive syslog from FortiAnalyzer, I see that in some ocations not receive some registries. For example, I am monitoring registries of "server-rst", today receive 5 registries and FortiAnalizer show 8.

Sounds good - My experience with Fortinet products is that they are solid but contain an unending set of "excepts". As such I wouldn't be at all surprised to hear that their syslog implementation forwards all messages to the configured destination "except for  a small set which go to a different destination"

Hope it's easy to clear up.
Original Message:
Sent: Dec 15, 2022 01:46 PM
From: Miller Echagarreta
Subject: Is possible that sysloggtw probe omite registries?

Ey @Garin Walsh thanks for your comments.

I was able to establish that the probe definitely does not have a way to exclude packets/data that arrive through port 514 of the sysloggtw probe. My intention was not to look for failures in the probe, but to understand if there was something else to do on my part in the configuration. With this conclusion we have turned to the manufacturer Fortinet, to establish if there is something wrong on that side.​
Original Message:
Sent: Dec 06, 2022 02:29 PM
From: Garin Walsh
Subject: Is possible that sysloggtw probe omite registries?

I think that one needs a lot more information to answer your question definitively but for comparison purposes, we have sysloggtw on about 700 servers and push tens of thousands of messages through them every minute and I can definitively say that we don't loose 30% of those messages.

The probe itself appears to be reliable and solid.

I would start with validating the assumption that what is being sent to the syslog probe matches what the fortigate is reporting before looking for problems in UIM.
Original Message:
Sent: Dec 05, 2022 03:24 PM
From: Miller Echagarreta
Subject: Is possible that sysloggtw probe omite registries?

Hi Everyone. How are you...

Is possible that sysloggtw probe omite registries?

I have a server that receive syslog from FortiAnalyzer, I see that in some ocations not receive some registries. For example, I am monitoring registries of "server-rst", today receive 5 registries and FortiAnalizer show 8.

The  other thing to consider is what protocol is being used ? TCP (blocking) or UDP (send and forget) for the syslog events. We have seen some network devices freezing up due to the syslog events being blocked (for some reason) using TCP, and other devices to avoid this situation have a "timeout" on the TCP event send to protect from this situation. UDP is not an issue as it by definition cannot be blocking. If UDP then network reliability and latency needs to be considered, but these days these are not normally issues for UDP traffic

Regards, Andrew

------------------------------
Knows a little about UIM/DXim, AE, Automic
------------------------------

Original Message:
Sent: Dec 15, 2022 02:52 PM
From: Garin Walsh
Subject: Is possible that sysloggtw probe omite registries?

Sounds good - My experience with Fortinet products is that they are solid but contain an unending set of "excepts". As such I wouldn't be at all surprised to hear that their syslog implementation forwards all messages to the configured destination "except for  a small set which go to a different destination"

Hope it's easy to clear up.
Original Message:
Sent: Dec 15, 2022 01:46 PM
From: Miller Echagarreta
Subject: Is possible that sysloggtw probe omite registries?

Ey @Garin Walsh thanks for your comments.

I was able to establish that the probe definitely does not have a way to exclude packets/data that arrive through port 514 of the sysloggtw probe. My intention was not to look for failures in the probe, but to understand if there was something else to do on my part in the configuration. With this conclusion we have turned to the manufacturer Fortinet, to establish if there is something wrong on that side.​
Original Message:
Sent: Dec 06, 2022 02:29 PM
From: Garin Walsh
Subject: Is possible that sysloggtw probe omite registries?

I think that one needs a lot more information to answer your question definitively but for comparison purposes, we have sysloggtw on about 700 servers and push tens of thousands of messages through them every minute and I can definitively say that we don't loose 30% of those messages.

The probe itself appears to be reliable and solid.

I would start with validating the assumption that what is being sent to the syslog probe matches what the fortigate is reporting before looking for problems in UIM.
Original Message:
Sent: Dec 05, 2022 03:24 PM
From: Miller Echagarreta
Subject: Is possible that sysloggtw probe omite registries?

Hi Everyone. How are you...

Is possible that sysloggtw probe omite registries?

I have a server that receive syslog from FortiAnalyzer, I see that in some ocations not receive some registries. For example, I am monitoring registries of "server-rst", today receive 5 registries and FortiAnalizer show 8.