RKinsp
Contributor

Log tracking and account - timers

Jump to solution

Hi everyone,

I had an earlier post regarding a problem with log accounting; we have been running some tests and wanted to see what everyone else's experience has been. Our main doubt is that, according to the Logging guide, when using accounting the log is updated every 10 minutes, which is not our experience with outgoing syslog.

We are testing simple firewall rules with Log tracking for connections (not sessions). We are using CP Log Exporter to send syslogs to a Splunk server.

We have tested with and without accounting and changing the "Update Account Log Every" time in the FW / Management properties, which is defaulted to one hour. Below are the conclusions we have drawn from testing a telnet connection:

1) Without accounting enabled, the Log is generated on the connection start (syslog sent) and updated on connection end only (syslog sent).

2) With accounting enabled, a log is generated when connection starts (syslog sent) and

        a) if there is no traffic in the connection, no accounting logs are seen

        b) if there is traffic, a single syslog is sent according to the "Update Account Log Every" timer (not one for every 10 minutes)

        c) when the connection closes, syslog is sent

Anybody else have similar logging experiences? We believe this is functioning as designed, just not very clear from the documentation.

Thanks,

RK

(tests running on R81, separate virtual gateway and management server)

0 Kudos
Reply
7 Replies
PhoneBoy
Admin

I have to assume there is no update to the log entry in the situation where there was no traffic for 10 minutes (ie nothing to update).
What would be the point of sending a syslog message with exactly the same information received 10 minutes ago?

0 Kudos
Reply
RKinsp
Contributor

We are making the same assumption regarding the update. In this particular case, the idea is just to know if the connection has been closed or not. One could also assume, though, that if there is no other log, the connection is still open with no traffic (or at least not properly closed).

Regarding the "Update Account Log Every" time setting, we just wanted to make sure that we can control not just how often but how many logs are sent. During our tests, when set to 20 minutes we would have a single log sent every 20 minutes for an active telnet session with traffic. We are also assuming that this log contains the aggregated accounting data.

This is our desired outcome as we want to be able to limit logs sent without losing information. Noting that in this particular case we don't actually care about accounting data, only tracking connection state.

So in reality we are trying to confirm if the following statement is true:

"With accounting turned on for a rule, accounting data is updated every 10 minutes and sent to the log server in an aggregated manner according to the time configured under Update Account Log Every setting, if there is traffic for the connection."

0 Kudos
Reply
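Added example (not from the poster or from Check Point's Log Exporter) showing how the three log phases described in this thread (log on connection start, one aggregated accounting update per "Update Account Log Every" tick while there is traffic, log on connection end) can be replayed from exported syslog to track connection state and flag connections that have gone quiet. The line layout, the field names conn_id/phase/bytes and the sample records are constructed assumptions; the 20-minute timer matches the value used in the test above.

```python
from datetime import datetime, timedelta

# "Update Account Log Every" value from the thread's test, plus a small
# tolerance for export/delivery delay (both are assumptions for this example).
UPDATE_EVERY = timedelta(minutes=20)
GRACE = timedelta(minutes=2)
NOW = datetime(2021, 3, 1, 11, 0)  # constructed "current time" for the replay

# Constructed sample export, not a real Log Exporter capture. The key=value
# layout and the names phase/conn_id/bytes are assumptions, not CP's schema.
SAMPLE_LOGS = """\
2021-03-01T10:00:00 phase=start action=Accept src=10.0.0.5 dst=10.0.1.9 service=23 conn_id=1
2021-03-01T10:20:00 phase=update action=Accept src=10.0.0.5 dst=10.0.1.9 service=23 conn_id=1 bytes=4200
2021-03-01T10:40:00 phase=update action=Accept src=10.0.0.5 dst=10.0.1.9 service=23 conn_id=1 bytes=9100
2021-03-01T10:45:00 phase=end action=Accept src=10.0.0.5 dst=10.0.1.9 service=23 conn_id=1 bytes=9300
2021-03-01T10:30:00 phase=start action=Accept src=10.0.0.7 dst=10.0.1.9 service=23 conn_id=2
2021-03-01T10:50:00 phase=update action=Accept src=10.0.0.7 dst=10.0.1.9 service=23 conn_id=2 bytes=120
2021-03-01T09:50:00 phase=start action=Accept src=10.0.0.8 dst=10.0.1.9 service=23 conn_id=3
2021-03-01T10:10:00 phase=update action=Accept src=10.0.0.8 dst=10.0.1.9 service=23 conn_id=3 bytes=800
"""

def parse_line(line):
    """Split 'timestamp k=v k=v ...' into a dict and parse the timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["time"] = datetime.fromisoformat(ts)
    return fields

def connection_states(raw, now):
    """Replay start/update/end records per connection and classify each.

    Per the thread: an update only appears when traffic flowed, so silence
    longer than the timer means idle or never properly closed; only an
    'end' record proves closure. Updates carry aggregated counters, so the
    latest byte count is kept rather than summed.
    """
    conns = {}
    for line in raw.strip().splitlines():
        rec = parse_line(line)
        c = conns.setdefault(rec["conn_id"], {"open": True, "last_seen": rec["time"], "bytes": 0})
        c["last_seen"] = max(c["last_seen"], rec["time"])
        if "bytes" in rec:
            c["bytes"] = max(c["bytes"], int(rec["bytes"]))
        if rec["phase"] == "end":
            c["open"] = False
    result = {}
    for cid, c in conns.items():
        if not c["open"]:
            state = "closed"
        elif now - c["last_seen"] > UPDATE_EVERY + GRACE:
            state = "idle-or-unclosed"  # no accounting update since the last timer tick
        else:
            state = "active"
        result[cid] = (state, c["bytes"])
    return result

if __name__ == "__main__":
    for cid, (state, nbytes) in connection_states(SAMPLE_LOGS, NOW).items():
        print(f"conn {cid}: {state}, {nbytes} bytes")
```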
PhoneBoy
Admin

That's my understanding and, if I'm understanding you correctly, it sounds like you confirmed it in your experience?

0 Kudos
Reply
Timothy_Hall
Champion

> Noting that in this particular case we don't actually care about accounting data, only tracking connection state.

Are you aware of this feature: sk101221: TCP state logging

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com

0 Kudos
Reply
RKinsp
Contributor

Thanks Phoneboy and Timothy for your responses!

It is working as we expected. Regarding the TCP state logging, we had previously presented that alternative, but because it is unpredictable in terms of interim logging, it did not meet the requirements.

So far all our tests confirm our hypothesis, just adding that after 10 minutes with no traffic, it will send an update as soon as there is any traffic.

0 Kudos
Reply
Timothy_Hall
Champion

Note that TCP state logging may not work as expected in releases prior to R81. There was a significant fix for TCP state logging included in R80.40 Jumbo Take 91 which just went GA.

0 Kudos
Reply
RKinsp
Contributor

Thanks Timothy! It's a brand new environment, and because of VSX requirements we are using R81.

0 Kudos
Reply