Log Server in MDS

Matlu · ‎2025-04-28

Hello.

In environments where MDS and VSX are used, it seems that the command like:

* VSX ----> cpstat fw -f log_connection (To see information from sending logs to my Log Server MDS, does not work).

I have a Log Server MDS HA, but when I run the command on some “box” of one of my VSX Cluster members, this command only shows me that 1 of my Log Server is connected and the other one is not, and in the “Sending Rate” column it shows me a value of 0.

Is this normal?

What we want is to confirm that the members of the VSX Cluster are really sending logs to the MDS LOG SERVER, and are not saving the logs locally in the GW.

Thanks for your comments.

the_rock · ‎2025-04-28

Hey bro,

If you just run cpstat, do you see the flag for fw and then log_connection? If yes, then should work...maybe try from vs level?

Andy

Best,
Andy
"Have a great day and if its not, change it"

the_rock · ‎2025-04-28

I actually may build MDS lab tomorrow to verify this.

Andy

Best,
Andy
"Have a great day and if its not, change it"

JozkoMrkvicka · ‎2025-04-28

You have checked the status of logs from VS0 on VSX member. If you need to check log status from different virtual system, you need to change the context to that VS using command "vsenv <VS-ID>", for example "vsenv 3". Then run the same command you used and status of logs will show you how it looks like for virtual system number 3 on VSX member.

If at least one of configured log servers is not reachable and/or cannot handle logs, firewall starts to log locally.

Kind regards,
Jozko Mrkvicka

Matlu · ‎2025-04-29

Hello, @JozkoMrkvicka

I have tested again, and indeed, when I run the command

#cpstat fw -f log_connection (VS0)

In one of the members of my VSX Cluster, it shows me that it is connected to my LOG SERVER, but the value in the “Sending Rate” column is 0.

Is this behavior normal?

I have tested the command, jumping to any VS, for example, 3, and here the “Sending Rate” column shows a value.

The problem we have, is that the VSX Cluster member where we are running these commands, has a problem that “constantly” fills the /var/log/ disk partition.

The box constantly exceeds the threshold of >90% and this generates constant alarms in our monitoring tool.

This should not be happening, because the FW is sending the logs to a Log Server.

JozkoMrkvicka · ‎2025-04-29

Sending Rate might be 0 if cluster member is standby. There are no logs sent from standby member as most of logs are from active member.

Rate of 0 is also if firewall is logging locally, which can be your case as /var/log/ partition is filled. Investigate why there is no connectivity to configured log server(s). You can start with Basic workflow for Logging issues troubleshooting.

Kind regards,
Jozko Mrkvicka

Matlu · ‎2025-04-30

Hello,
In VSX environments, the command.
#cpstat fw -f log_connection
should be applied at the box level (VS0)?
Or should we always ‘Jump’ to a particular VS (For example, vsenv 4 or 5) and only then apply the command?

JozkoMrkvicka · ‎2025-05-02

it all depends from which VS you want to check the logs. If you need to check status of logging on VS 4, then you need to enter that particular VS using "vsenv 4" and then execute "cpstat fw -f log_connection".

Kind regards,
Jozko Mrkvicka

Amir_Senn · ‎2025-05-04

Shooting at the dark here:

Is the IP for the VS routable from the management/log server?

This reminds me something related to NAT by 3rd party vendors, I wonder...

Do you have other VS? Are they the same subnet as the VSX or same subnet as the first VS?

Kind regards, Amir Senn

the_rock · ‎2025-05-04

I think those are all good points Amir!

Andy

Best,
Andy
"Have a great day and if its not, change it"

Are you a member of CheckMates?

Log Server in MDS