
Remote logging stops at midnight

I am seeing, for about the past week, that the remote logging is failing at midnight each night.  If I turn off remote logging, then turn it back on, it works.  I am remote syslogging via TCP to a Splunk server, but I don't think that matters as I have not changed that in quite some time.  I cannot think of anything I have done recently that would have changed this behavior, but it is getting troublesome now.  I am a home user, so no support options other than this.

I do not see anything in the logs I have checked (kernel, system, logging) but is there somewhere else?  Is there a task that might contribute to this?

Thanks for any pointers.


This thread was automatically locked due to age.
  • Do you have WAN link monitoring set up? If so, does it show an outage at midnight as well?
  • I don't see any other activities during that time period.  The local logs continue to work as far as I can tell.

    I am on 9.315-2, so I will go ahead and let the 9.350-12 install I guess and see what happens.  As a last resort, I backed up today and will reinstall.  It doesn't take too long.
  • Another odd thing: during the time overnight when remote logging is not working, the first graph showing drive usage when clicking on logging shows space at 0.  Once remote logging is reset, it appears normal.  However, all of the logs I have checked were logging overnight and working.
  • I will have to watch closer.  I did see traffic between my UTM and my logger just after midnight, but then it quit shortly afterward.  I went ahead and switched it to UDP and restarted (read somewhere else on the board to try it), but then today I decided to log to syslog-ng (UDP) instead and then forward the logs from there.  I think the issue would have to either be in the UTM or something in the TCP stream that is not handled gracefully.  I will watch logs this week and try again this weekend to figure out why if it is still failing.  The upgrade to 9-350 did not fix the issue (didn't expect it would, but hoped).
  • Everything is working right now and I seem to be the only one with the issue, so I am sure it is/was something local.
  • The magical world of technology fixing itself for no reason at all! Glad it's working now :)
  • I got the same issue with version 9.410-6 and Splunk. Remote logging stops at midnight and works again after manually de- and reactivating it.

    CPU and RAM usage graphs show no problems.

  • Hi,

    I think Support can help you monitor the dynamic events causing this issue. I feel that this would require an active troubleshooting session.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Ultimately, I ended up logging to syslog-ng from the UTM and then consumed the syslog-ng logs via Splunk rather than logging directly to Splunk.  I have not looked back.
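
A check for the symptom reported in this thread (a source that keeps sending until just after midnight and then goes quiet until remote logging is toggled), as an added example that is not part of any post above. It assumes the relay writes one line per message as `<ISO-8601 timestamp> <host> <message>`; the function name, host names and sample lines are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample lines (not taken from the thread), in the assumed
# "<ISO-8601 timestamp> <host> <message>" layout.
SAMPLE = """\
2016-01-10T23:58:40+00:00 utm ulogd: packet dropped
2016-01-10T23:59:55+00:00 utm ulogd: packet dropped
2016-01-11T00:00:20+00:00 utm ulogd: packet dropped
2016-01-11T00:01:05+00:00 nas sshd: session opened
2016-01-11T00:25:00+00:00 nas cron: job started
2016-01-11T00:50:00+00:00 nas cron: job started
2016-01-11T01:15:00+00:00 nas cron: job started
2016-01-11T01:40:00+00:00 nas cron: job started
2016-01-11T01:40:10+00:00 utm ulogd: packet dropped
""".splitlines()


def find_gaps(lines, now, max_gap=timedelta(minutes=30)):
    """Return (host, last_seen, resumed) for each silence longer than max_gap.

    resumed is None when the host is still silent at `now`.
    """
    last_seen = {}
    gaps = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue  # malformed line: no host or message field
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # first field is not a timestamp
        host = parts[1]
        prev = last_seen.get(host)
        if prev is not None and ts - prev > max_gap:
            gaps.append((host, prev, ts))
        # Tolerate out-of-order delivery: never move last_seen backwards.
        last_seen[host] = ts if prev is None else max(prev, ts)
    # Hosts that have not resumed by `now` are the ones to alert on.
    for host, prev in sorted(last_seen.items()):
        if now - prev > max_gap:
            gaps.append((host, prev, None))
    return gaps
```

Run periodically against the relay's output with a timezone-aware `now`, an entry whose third field is `None` is a source that is still silent and worth an alert.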