On 2020-08-25 07:18, Tod A Sandman via rsyslog wrote:
does it show the imtcp thread using 100% cpu? if so, you may have run into a problem that I am occasionally having.

No, not at all.  Not on my standby which I have isolated and am using
to debug this PAN issue.

However, speak of the devil, I went and checked my production box and
it is exactly as you say.  And, Proofpoint logging has indeed stopped
(last night at 11:24pm CST).  Note that Proofpoint is the only other
source that uses imtcp.  The bulk of the sources are non-SSL and use
imptcp.  And they never seem to have any trouble.

I have run into issues over the last few months with Proofpoint and/or
PAN logging stopping.  In an attempt to debug, I pointed Proofpoint to
our standby server over a month ago, and the 100% CPU issue ended and
all logging worked.  Within a few days, the PAN logging stopped, but
the 100% CPU did not take place.  Proofpoint logging to the standby
continued.  Yesterday I pointed Proofpoint back to our production
server so I could test PAN on the standby, and Proofpoint logging
worked fine until last night.

I have just blocked via iptables connections from the PAN devices to
our primary (not working anyway) and have restarted rsyslog.
Proofpoint logs are flowing again.

I will focus now on the PAN devices and our standby server.

This does not make a lot of sense yet.  It seems:

PAN and Proofpoint logging together led to the 100% CPU issue, and
both logs stopped.

Proofpoint logging alone worked fine (though I do see some ossl syslog
error messages similar to what I see for PAN).

PAN logging (no Proofpoint) stopped; no CPU load issue.  Can't even
get it working on standby, rsyslog restarts, etc.


Tod A. Sandman
Office of Information Technology
Rice University
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
if you DON'T LIKE THAT.

Upgrade your PA...this is a bug.

James