Delay in sending syslogs towards remote logging server.
-
Hello Team,
We have a pair of pfsense firewalls deployed in our network and we have lately observed that the syslogs are sent with a delay of around 1 hour from the pfsense to the external logging server. Due to this issue, the logging server triggers the alert late, which causes a delay in the detection of the issue. We have checked the settings on pfsense and there is no exclusive setting that could cause this. But upon checking from the remote logging server we observed that it is receiving logs almost 1 hour after the issue actually occurred.
For instance, if there is a BGP flap event or BGP goes down, that is notified almost an hour later to the alert monitoring system, which causes a delay in issue detection.
Also, this issue is random; the issue is not reported late every time. We have checked the CPU usage and memory usage; however, we couldn't find anything conclusive.
Has anybody observed this kind of issue in their network?
-
I have not. In fact when I log in to the dashboard, I usually have the email alert that "someone" has logged in, delivered to my phone, and sent from the syslog server before the dashboard even finishes displaying.
Maybe monitor the traffic and see if the delay is actually in the sending or perhaps in processing at the syslog end?
How busy is the syslog? (Are there other systems sending to it?) What pfSense version are you running and on what hardware?
-
How do you have the syslog exporting setup? I've never seen it do anything except send close to instantly though. I can't imagine anything buffering 1h of logs locally.
Check the timezone is set correctly. The clocks are sync'd on both systems.
Steve
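
The two checks suggested in the replies (watch the traffic, verify timezone and clocks) can be combined by comparing the timestamp inside each syslog packet with the time it was captured at the collector. The following is an added example, not part of any post above and not pfSense code; it assumes RFC 3164 style headers and capture times expressed in the same timezone the firewall logs in, and the sample messages are constructed.

```python
import re
from datetime import datetime, timedelta

# RFC 3164 header: "<PRI>Mmm dd hh:mm:ss host ..." (no year, no timezone)
HDR = re.compile(r"^<\d{1,3}>([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

def lag_seconds(captured_at: str, payload: str) -> float:
    """Seconds between the sender's own timestamp and the capture time."""
    m = HDR.match(payload)
    if not m or m[1] not in MONTHS:
        raise ValueError("not an RFC 3164 style message")
    seen = datetime.fromisoformat(captured_at)
    # The header carries no year; borrow it from the capture time.
    sent = datetime(seen.year, MONTHS[m[1]], int(m[2]),
                    int(m[3]), int(m[4]), int(m[5]))
    if sent - seen > timedelta(days=1):  # December message captured in January
        sent = sent.replace(year=seen.year - 1)
    return (seen - sent).total_seconds()

def classify(lags, tolerance=5.0):
    """Label a set of lags: 'ok', 'constant-offset' or 'intermittent-delay'."""
    if all(abs(lag) <= tolerance for lag in lags):
        return "ok"  # packets arrive on time: look at processing on the collector
    if max(lags) - min(lags) <= tolerance:
        return "constant-offset"  # every message shifted equally: timezone or clock
    return "intermittent-delay"  # only some messages leave late: sending side

# Constructed sample: (capture time on the collector, UDP payload).
SAMPLE = [
    ("2024-03-03T10:15:03", "<134>Mar  3 10:15:02 fw1 bgpd[1234]: neighbor state change"),
    ("2024-03-03T10:17:01", "<134>Mar  3 10:17:00 fw1 sshd[99]: login"),
    ("2024-03-03T11:16:40", "<134>Mar  3 10:16:10 fw1 bgpd[1234]: neighbor state change"),
]

if __name__ == "__main__":
    lags = [lag_seconds(t, p) for t, p in SAMPLE]
    for (t, p), lag in zip(SAMPLE, lags):
        print(f"{lag:8.0f}s  {p}")
    print("verdict:", classify(lags))
```

A verdict of `ok` while alerts still fire late points at processing on the logging server rather than at the firewall.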