01-17-2008 09:06 AM
I've created anti-virus and anti-spam syslog pushed to a log analyzer. I've checked the log analyzer and found IronPort can successfully collect syslog from IronPort.
But sometimes I receive an alert from IronPort below. What's the problem? It seems IronPort cannot push syslog to my log analyzer sometimes.
Log Error: Subscription Syslog_Anti-Spam: Network error while sending log data to syslog server 10.13.23.23 (10.13.23.23): [Errno 61] Connection refused
01-17-2008 09:30 AM
Just two wild guesses:
1) Performance issue on the syslog server? Is the IronPort the only system logging to that log host? Do you experience similar problems on other sending hosts?
2) Is there a firewall or Intrusion Detection / Prevention between the IronPort and the loghost that might block connections dynamically for various reasons?
Torsten
01-29-2008 02:31 PM
2. There is a Juniper IDP in the network.
02-21-2008 12:07 AM
Hello,
The main question on this issue is: are you using TCP or (the default for syslog) UDP?
Normally UDP cannot be rejected. (There is no verification that the packets are delivered/received properly.)
We use UDP to feed our syslog server from our C600 machines and have syslog errors in the following situations:
1) Directly after the IronPort is rebooted or a change has been made to the IP configuration.
2) The firewall we use as router for the internal network connections is down or in trouble.
Normally a device cannot determine if a UDP stream is interrupted after its first hop.
If you are using TCP to feed your syslog host, errors can be noticed when any network component your traffic is passing fails.
Steven
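An added example, not part of any post in this thread: a small Python probe illustrating the TCP/UDP difference described in the reply above. A TCP connect to a port with no listener fails with "Connection refused", while an unconnected UDP send reports success whether or not anything receives it. The function names and the localhost demo are assumptions made for illustration.

```python
import errno
import socket


def tcp_probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt to a syslog receiver."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"       # handshake completed, something is listening
    except socket.timeout:
        return "timeout"    # no answer at all: packets dropped on the path
    except ConnectionRefusedError:
        return "refused"    # reset received: no listener, or a device rejected it
    except OSError as exc:
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        s.close()


def udp_send(host, port, message):
    """Send one datagram from an unconnected socket; return bytes handed to the OS."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # sendto() succeeds once the datagram is queued locally; nothing
        # here tells the sender whether the receiver ever got it.
        return s.sendto(message, (host, port))
    finally:
        s.close()


def unused_local_port():
    """Return a loopback TCP port that currently has no listener (demo helper)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port = unused_local_port()
    msg = b"<22>constructed test message"  # constructed sample, not a real log line
    print("TCP to closed port:", tcp_probe("127.0.0.1", port, 1.0))
    print("UDP to closed port: sent", udp_send("127.0.0.1", port, msg), "bytes")
```

Run `tcp_probe` against the real log host at intervals from a machine on the same network segment as the appliance; intermittent "refused" or "timeout" results there point at the receiver or a device in the path rather than the sender.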
05-28-2008 05:08 PM
I receive this error once in a while as well, but I don’t believe it’s an IronPort problem per se. I think the ESA is more sensitive to performance issues on either the log server or firewall in between the ESA and log server. I’ve correlated the errors with times of peak performance on both the ESA and firewall.
If you are receiving these errors continuously I would think you have a config problem. Otherwise I think you can ignore them.
Joe