Security Gateway starts logging locally
Symptoms
  • All or some Security Gateways log locally, either continuously or intermittently, while the fw_full process on the Log Server consumes a large amount of CPU (90% or more).
  • fwd.elg on the log server shows:

    [FWD PID]@Log_Server[DATE TIME] CFwdAlertsHandler::execute: failed to execute SEND_TO_SYS_STAT command
    [FWD PID]@Log_Server[DATE TIME] CFwdAlertsHandler::handleAlert: failed to execute alert alert
    [FWD PID]@Log_Server[DATE TIME] CFwdAlertsHandler::execute: failed to execute SEND_TO_SYS_STAT command
    [FWD PID]@Log_Server[DATE TIME] CFwdAlertsHandler::handleAlert: failed to execute alert alert


  • The 'cpstat fw -f log_connection' command on the Security Gateway shows that the Gateway is logging locally due to connectivity problems, high connection rate, or high log rate (buffer overflow).

Cause

One of the configured rules or protections (for example a SAM alert, see sk112061) whose Track action is set to "Alert" is hit numerous times, which generates multiple alerts per second. This overloads the fw_full process that handles logging on the Log Server.

To confirm this, search the logs in SmartConsole with the filter type:alerts. You will see multiple alerts per second for one or more protections or rules.
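The two checks above (the failure lines in fwd.elg, and the per-second alert count per rule in SmartConsole) can be done offline on exported text. The following Python script is an added example, not a Check Point tool: it counts the CFwdAlertsHandler "failed to execute" lines per second in fwd.elg output shaped like the excerpt above, and it finds which rule or protection peaks at multiple alerts per second in an alert-log export. The fwd.elg sample lines (PIDs, host, timestamps) are constructed, and the alert export is assumed to be a CSV with `time` and `rule` columns; that column layout is an assumption for the example, not a documented export format.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample of fwd.elg lines in the shape shown on the page:
# [PID]@host[DATE TIME] message. PIDs, host and timestamps are made up.
SAMPLE_FWD_ELG = """\
[4321 1234]@Log_Server[5 Jan 10:23:45] CFwdAlertsHandler::execute: failed to execute SEND_TO_SYS_STAT command
[4321 1234]@Log_Server[5 Jan 10:23:45] CFwdAlertsHandler::handleAlert: failed to execute alert alert
[4321 1234]@Log_Server[5 Jan 10:23:45] CFwdAlertsHandler::execute: failed to execute SEND_TO_SYS_STAT command
[4321 1234]@Log_Server[5 Jan 10:23:45] CFwdAlertsHandler::handleAlert: failed to execute alert alert
[4321 1234]@Log_Server[5 Jan 10:23:46] CFwdAlertsHandler::execute: failed to execute SEND_TO_SYS_STAT command
[4321 1234]@Log_Server[5 Jan 10:23:46] CFwdAlertsHandler::handleAlert: failed to execute alert alert
[4321 1234]@Log_Server[5 Jan 10:23:47] fwd: unrelated message, must be ignored
"""

# Matches "[pid...]@host[timestamp] CFwdAlertsHandler::<fn>: failed to execute ..."
# and captures the timestamp and the message.
ELG_FAILURE = re.compile(
    r"^\[[^\]]*\]@\S+\[([^\]]+)\]\s+(CFwdAlertsHandler::\S+: failed to execute .*)$"
)


def alert_failures_per_second(elg_text):
    """Count CFwdAlertsHandler 'failed to execute' lines per timestamp (one second)."""
    counts = Counter()
    for line in elg_text.splitlines():
        match = ELG_FAILURE.match(line)
        if match:
            counts[match.group(1)] += 1
    return counts


# Constructed sample of an alert-log export (e.g. the result of a type:alerts
# search). The 'time,rule' column layout is an assumption for this example.
SAMPLE_ALERT_CSV = """\
time,rule
2024-01-05 10:23:45,SAM alert
2024-01-05 10:23:45,SAM alert
2024-01-05 10:23:45,SAM alert
2024-01-05 10:23:45,Rule 12
2024-01-05 10:23:46,SAM alert
2024-01-05 10:23:46,SAM alert
2024-01-05 10:23:46,SAM alert
2024-01-05 10:23:46,SAM alert
2024-01-05 10:23:47,Rule 12
"""


def peak_alert_rate_by_rule(csv_text):
    """Return {rule: highest number of alerts seen in any single second}."""
    per_rule_second = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        per_rule_second[row["rule"]][row["time"]] += 1
    return {rule: max(seconds.values()) for rule, seconds in per_rule_second.items()}


def noisy_rules(csv_text, threshold=2):
    """Rules or protections whose peak rate reaches `threshold` alerts per second."""
    peaks = peak_alert_rate_by_rule(csv_text)
    return sorted(rule for rule, peak in peaks.items() if peak >= threshold)


if __name__ == "__main__":
    for second, n in sorted(alert_failures_per_second(SAMPLE_FWD_ELG).items()):
        print(f"{second}: {n} alert-handler failures")
    for rule, peak in sorted(peak_alert_rate_by_rule(SAMPLE_ALERT_CSV).items()):
        print(f"{rule}: peak {peak} alerts/second")
    print("candidates for Track action review:", noisy_rules(SAMPLE_ALERT_CSV))
```

Run it against the real fwd.elg and an export of the type:alerts search instead of the constructed samples; a rule that peaks well above one alert per second is the one whose Track action deserves review, since every one of those alerts is work for fw_full on the Log Server.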


Solution