Hi everyone,
I had an earlier post regarding a problem with log accounting; we have been running some tests and wanted to see what everyone else's experience has been. Our main doubt arises because, according to the Logging guide, when accounting is used the log is updated every 10 minutes, which is not our experience with outgoing syslog.
We are testing simple firewall rules with Log tracking for connections (not sessions). We are using CP Log Exporter to send syslogs to a Splunk server.
We have tested with and without accounting and with different values of the "Update Account Log Every" timer in the FW / Management properties, which defaults to one hour. Below are the conclusions we have drawn from testing a telnet connection:
1) Without accounting enabled, the Log is generated on the connection start (syslog sent) and updated on connection end only (syslog sent).
2) With accounting enabled, a log is generated when the connection starts (syslog sent), and:
   a) if there is no traffic in the connection, no accounting logs are seen
   b) if there is traffic, a single syslog is sent according to the "Update Account Log Every" timer (not one every 10 minutes)
   c) when the connection closes, a syslog is sent
Anybody else have similar logging experiences? We believe this is functioning as designed, just not very clear from the documentation.
Thanks,
RK
(tests running on R81, separate virtual gateway and management server)
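A way to check the behaviour described in the post against the syslog that actually reaches Splunk, as an added example that is not part of the original post or of Check Point's own tooling. It groups Log Exporter key="value" lines by 5-tuple, treats the first log of a connection as the start, the last as the end and anything in between as an accounting update, and measures the gap between those updates against the configured "Update Account Log Every" timer. The sample lines are constructed, and the field names (time, src, dst, service, proto, bytes) are assumptions; check them against the format your Log Exporter target emits before pointing this at exported data.

```python
import re
from collections import defaultdict

# Constructed sample (not real gateway output): key="value" syslog payloads in
# the layout Log Exporter uses for a Splunk target. The field names below are
# assumptions for this example, not a statement of Log Exporter's schema.
SAMPLE_LINES = [
    # connection A: telnet with payload traffic, accounting timer set to 1 hour
    'time="1700000000" action="Accept" src="10.1.1.10" dst="10.2.2.20" service="23" proto="tcp"',
    'time="1700003600" action="Accept" src="10.1.1.10" dst="10.2.2.20" service="23" proto="tcp" bytes="18342"',
    'time="1700004000" action="Accept" src="10.1.1.10" dst="10.2.2.20" service="23" proto="tcp" bytes="19001"',
    # connection B: telnet that opens and closes without payload traffic
    'time="1700000100" action="Accept" src="10.1.1.11" dst="10.2.2.20" service="23" proto="tcp"',
    'time="1700000130" action="Accept" src="10.1.1.11" dst="10.2.2.20" service="23" proto="tcp"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" syslog payload into a dict."""
    return dict(KV_RE.findall(line))


def conn_key(rec):
    """Identify a connection by its 5-tuple (minus source port, which the
    assumed fields do not carry); adjust if your export includes it."""
    return (rec["src"], rec["dst"], rec["service"], rec["proto"])


def group_connections(lines):
    """Group parsed records per connection, ordered by log time."""
    conns = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        conns[conn_key(rec)].append(rec)
    for recs in conns.values():
        recs.sort(key=lambda r: int(r["time"]))
    return conns


def update_intervals(records):
    """Seconds between consecutive logs of one connection."""
    times = [int(r["time"]) for r in records]
    return [b - a for a, b in zip(times, times[1:])]


def summarize(records, timer_seconds, tolerance=60):
    """First log = connection start, last = connection end, anything in
    between = accounting update. Report how far apart the updates arrived
    and whether that spacing matches the configured timer."""
    intervals = update_intervals(records)
    updates = records[1:-1]
    update_gaps = intervals[: len(updates)]   # start->update, update->update
    if update_gaps:
        matches = all(abs(g - timer_seconds) <= tolerance for g in update_gaps)
    else:
        matches = None                        # nothing to compare: no traffic
    return {
        "logs": len(records),
        "accounting_updates": len(updates),
        "update_gaps": update_gaps,
        "matches_timer": matches,
    }


def analyze(lines, timer_seconds, tolerance=60):
    """Summary per connection for a batch of exported syslog lines."""
    return {
        key: summarize(recs, timer_seconds, tolerance)
        for key, recs in group_connections(lines).items()
    }


if __name__ == "__main__":
    # Compare the same export against the documented 10-minute interval and
    # against the one-hour "Update Account Log Every" default.
    for label, timer in (("10 min", 600), ("1 hour", 3600)):
        print(f"== assuming accounting timer = {label} ==")
        for key, summary in analyze(SAMPLE_LINES, timer).items():
            print(key, summary)
```

Run it against a real export by replacing SAMPLE_LINES with the payloads pulled from Splunk for one test connection; a `matches_timer` of True for the one-hour timer and False for 600 seconds reproduces the post's finding 2b, and a connection with `accounting_updates` of 0 reproduces 2a.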