Firepower FTD syslog logs increased 10x late last week.

duckngooser
Level 1

We have two Firepower FTD boxes that showed a 10x syslog log increase starting late last week.  The first box went from 18 million logs per day to 180 million.  Then 2 days later a 2nd box in a different datacenter went from 19 million to over 200 million.  Both have stayed at the current log volume.  In analyzing the logs, it appears the FTDs are logging a ton of "sessions" with a duration of 0.  In some cases, it appears to be logging the same source/dest IP/port combination on multiple logs.  I have a TAC case open, but so far we've yet to hear much analysis.

Just curious if anyone else is having a similar issue.  We're running 7.0.5.

4 Replies

balaji.bandi
Hall of Fame

Is this occurring after an upgrade? Check for any changes in the ACP rules, e.g. a recently added rule with logging enabled in the rule.


BB


No changes were made.  No upgrades.  These boxes were in normal operations for years with this configuration.  The only possible updates were the automated ones for Snort, the vulnerability database, and other system "lite" updates.

Hi @duckngooser,

Have you checked the interface graphs? One explanation could be increased traffic, which would be visible in the graph levels.

Another explanation could be that you have lots of "attacks" (attempts from outside on services which are unavailable), which won't necessarily generate a traffic increase, but would stress the FW a bit, and would generate a syslog message for each denied connection. I do see lots of these.

You should do some analysis of the files from before and after, and try to determine what kind of events are within that 10x increase. I do realize this is not an easy task, but it is the only way to be sure where the increase comes from. E.g. take the old log, start excluding expected stuff such as connection established, connection ended, NAT created, NAT ended, and see how much other stuff you have left, and then repeat the process with the new file. I would expect that you can determine fairly quickly which type of event is generating this excess volume.

Kind regards,

Milos
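One way to do the before/after comparison Milos describes, and at the same time pull out the zero-duration sessions and repeated source/dest tuples the original poster noticed, is a small script that counts syslog lines per FTD message ID in each file and then looks specifically at the teardown messages. This is an added example, not code from the thread or from Cisco. The regexes assume the standard `%FTD-<severity>-<msgid>:` prefix and a simplified layout of the 302014/302016 teardown message; the log lines used as input are constructed for the example and are not real data from either firewall.

```python
"""Added example: compare an FTD syslog sample from before the increase
with one from after it, count lines per message ID, and pull out the
zero-duration teardowns that repeat the same address/port tuple."""
import re
import sys
from collections import Counter

# FTD syslog lines carry "%FTD-<severity>-<msgid>:" (the ASA message IDs).
MSGID_RE = re.compile(r"%FTD-\d-(\d{6}):")

# 302014 (TCP) / 302016 (UDP) connection teardown. The field layout is a
# simplified reading of the ASA/FTD syslog reference (assumption); the user
# and reason fields after the byte count are ignored.
TEARDOWN_RE = re.compile(
    r"%FTD-\d-30201[46]: Teardown (TCP|UDP) connection \d+ for "
    r"[\w-]+:([\d.]+)/(\d+) to [\w-]+:([\d.]+)/(\d+) "
    r"duration (\d+):(\d\d):(\d\d)"
)

# Connection and NAT lifecycle IDs that make up the normal bulk of the log
# (the "expected stuff" to set aside first).
LIFECYCLE = {"302013", "302014", "302015", "302016", "305011", "305012"}

# Constructed sample lines, not taken from the thread. The "current" sample
# adds three zero-duration TCP teardowns that all share one tuple.
BASELINE = [
    'Jan 10 10:00:01 ftd-dc1 %FTD-6-305011: Built dynamic TCP translation from inside:10.0.0.5/50001 to outside:203.0.113.1/50001',
    'Jan 10 10:00:01 ftd-dc1 %FTD-6-302013: Built outbound TCP connection 101 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.5/50001 (203.0.113.1/50001)',
    'Jan 10 10:00:13 ftd-dc1 %FTD-6-302014: Teardown TCP connection 101 for outside:198.51.100.7/443 to inside:10.0.0.5/50001 duration 0:00:12 bytes 4321 TCP FINs',
    'Jan 10 10:00:14 ftd-dc1 %FTD-4-106023: Deny tcp src outside:192.0.2.9/40000 dst inside:10.0.0.5/22 by access-group "ACP" [0x0, 0x0]',
]
CURRENT = BASELINE + [
    'Jan 17 10:00:01 ftd-dc1 %FTD-6-302014: Teardown TCP connection 202 for outside:198.51.100.7/443 to inside:10.0.0.5/50002 duration 0:00:00 bytes 0 TCP Reset-O',
    'Jan 17 10:00:01 ftd-dc1 %FTD-6-302014: Teardown TCP connection 203 for outside:198.51.100.7/443 to inside:10.0.0.5/50002 duration 0:00:00 bytes 0 TCP Reset-O',
    'Jan 17 10:00:02 ftd-dc1 %FTD-6-302014: Teardown TCP connection 204 for outside:198.51.100.7/443 to inside:10.0.0.5/50002 duration 0:00:00 bytes 0 TCP Reset-O',
]


def count_by_msgid(lines):
    """Number of lines per six-digit message ID."""
    counts = Counter()
    for line in lines:
        m = MSGID_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def growth_by_msgid(baseline, current):
    """{msgid: (before, after)} for every ID seen in either sample, so the
    IDs carrying the excess stand apart from the ones that stayed flat."""
    before, after = count_by_msgid(baseline), count_by_msgid(current)
    return {mid: (before[mid], after[mid]) for mid in sorted(set(before) | set(after))}


def zero_duration_teardowns(lines):
    """Counter keyed by (proto, src_ip, src_port, dst_ip, dst_port) over
    teardown messages whose duration is 0:00:00."""
    counts = Counter()
    for line in lines:
        m = TEARDOWN_RE.search(line)
        if not m:
            continue
        h, mi, s = (int(x) for x in m.group(6, 7, 8))
        if h * 3600 + mi * 60 + s == 0:
            key = (m.group(1), m.group(2), int(m.group(3)), m.group(4), int(m.group(5)))
            counts[key] += 1
    return counts


def repeated_zero_duration(lines, threshold=2):
    """Tuples logged at least `threshold` times with zero duration."""
    return {k: n for k, n in zero_duration_teardowns(lines).items() if n >= threshold}


def report(baseline, current):
    """Plain-text summary: per-ID growth, then the repeated zero-duration tuples."""
    out = []
    for mid, (b, a) in growth_by_msgid(baseline, current).items():
        tag = "lifecycle" if mid in LIFECYCLE else "other"
        out.append(f"{mid} ({tag}): {b} -> {a} (+{a - b})")
    for key, n in repeated_zero_duration(current).items():
        out.append(f"zero-duration {key[0]} {key[1]}/{key[2]} -> {key[3]}/{key[4]} logged {n}x")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python ftd_syslog_diff.py before.log after.log (defaults to the samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            print(report(f1.read().splitlines(), f2.read().splitlines()))
    else:
        print(report(BASELINE, CURRENT))
```

Run it against a day of syslog from before and after the jump; if the growth sits almost entirely in 302014/302016 and the repeated-tuple list is long, the excess is connection-end events rather than denies, which is a different conversation with TAC than a flood of 106023s would be.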

Hi!

Did you find anything? I'm experiencing the same thing and on the same FTD version. I've also seen some increased delay in connections, which I think may be related to this. Did you find the reason/solution for these increasing events?
