Syslog messages repeated

Discussion in 'Cisco' started by mikester, Dec 3, 2003.

  1. mikester

    mikester Guest

    Check out this snippet of my syslog;

    Dec 3 04:02:07 x.x.x.x Dec 03 2003 09:53:55: %FWSM-6-106015: Deny TCP
    (no connection) from x.x.x.x/1556 to x.x.x.x/80 flags ACK on
    interface inside
    Dec 3 04:02:07 x.x.x.x last message repeated 6 times< ----
    Dec 3 04:02:07 x.x.x.x Dec 03 2003 09:53:55: %FWSM-4-106023: Deny
    icmp src outside:x.x.x.x dst inside:x.x.x.x (type 11, code 0) by
    access-group "<aclname>"
    Dec 3 04:02:07 x.x.x.x Dec 03 2003 09:53:55: %FWSM-3-106011: Deny
    inbound (No xlate) udp src outside:x.x.x.x/1037 dst
    outside:x.x.x.x/137

    This message Dec 3 04:02:07 x.x.x.x last message repeated 6 times <----

    Is the one I am questioning, the repeated X times...I see that a lot
    in my logs and I do not want to. I want all the messages - is this
    meaning that it isn't logging the repeats or that it just saw the same
    message 6 times?

    IF it isn't logging the repeats then how can I turn this feature off
    so that it logs everything explicitly? I'm not sure exactly if this is
    happening on the firewall services module or if it is happening on the
    syslogd on the redhat server so I have posted to both groups.

    thanks for the help,

    The Mikester
    mikester, Dec 3, 2003
    #1

  2. In article <>,
    mikester <> wrote:
    :Dec 3 04:02:07 x.x.x.x Dec 03 2003 09:53:55: %FWSM-3-106011: Deny
    :inbound (No xlate) udp src outside:x.x.x.x/1037 dst
    :outside:x.x.x.x/137

    :This message Dec 3 04:02:07 x.x.x.x last message repeated 6 times

    :Is the one I am questioning, the repeated X times...I see that a lot
    :in my logs and I do not want to. I want all the messages - is this
    :meaning that it isn't logging the repeats or that it just saw the same
    :message 6 times?

    Your syslogd is trying to prevent flooding of your logs, by not
    counting repeated messages instead of writing each one out. It should
    only do so if the message is an exact repeat. If you have your FWSM
    generating timestamps (which it appears to be doing) then as soon as
    the seconds field changed, the message would be different and it would
    stop summarizing the old one. Thus in your cases, the same port 137
    probe occurred 6 times in one second.

    I do not know if there is a way of getting redhat to log each
    individually rather than summarizing.


    I notice, by the way, that the minutes and seconds field are not the
    same on your first timestamp (04:02:07) compared to your second
    timestamp (09:53:55). Either you have a really *long* logging delay,
    or your clocks are out of sync on one or both devices.
    --
    Beware of bugs in the above code; I have only proved it correct,
    not tried it. -- Donald Knuth
    Walter Roberson, Dec 3, 2003
    #2
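
The summarizing described in the reply above can be undone at analysis time, so per-message counts are not understated. This is an added example, not code from the thread: it folds each "last message repeated N times" line back into the preceding message from the same host, assuming N counts suppressed copies in addition to the one line that was written; the sample log and its addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample in the layout shown in the thread; addresses are
# documentation-range placeholders, not values from the original post.
SAMPLE = """\
Dec 3 04:02:07 192.0.2.1 Dec 03 2003 09:53:55: %FWSM-6-106015: Deny TCP (no connection) from 198.51.100.7/1556 to 203.0.113.9/80 flags ACK on interface inside
Dec 3 04:02:07 192.0.2.1 last message repeated 6 times
Dec 3 04:02:07 192.0.2.1 Dec 03 2003 09:53:55: %FWSM-4-106023: Deny icmp src outside:198.51.100.7 dst inside:203.0.113.9 (type 11, code 0) by access-group "acl"
Dec 3 04:02:08 192.0.2.2 last message repeated 3 times
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+(\S+)\s+(.*)$")   # syslogd stamp, host, rest
REPEAT = re.compile(r"^last message repeated (\d+) times?$")
MSG_ID = re.compile(r"%(\w+-\d-\d+):")                             # e.g. %FWSM-6-106015:

def expand(text):
    """Return ([host, message, count] records, orphaned repeat count)."""
    records, last_by_host, orphans = [], {}, 0
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        _, host, msg = m.groups()
        rep = REPEAT.match(msg)
        if rep:
            n = int(rep.group(1))
            rec = last_by_host.get(host)
            if rec is None:
                orphans += n      # summary with no earlier line (e.g. after rotation)
            else:
                rec[2] += n       # assumption: N is in addition to the written line
        else:
            rec = [host, msg, 1]
            records.append(rec)
            last_by_host[host] = rec
    return records, orphans

def counts_by_id(records):
    """Total events per firewall message ID, with repeats included."""
    totals = Counter()
    for _, msg, n in records:
        m = MSG_ID.search(msg)
        totals[m.group(1) if m else "unparsed"] += n
    return totals

if __name__ == "__main__":
    recs, orphaned = expand(SAMPLE)
    print(dict(counts_by_id(recs)), "orphaned repeats:", orphaned)
```
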

  3. mikester

    mikester Guest

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<bql7cc$3tr$>...
    > In article <>,
    > mikester <> wrote:
    > :Dec 3 04:02:07 x.x.x.x Dec 03 2003 09:53:55: %FWSM-3-106011: Deny
    > :inbound (No xlate) udp src outside:x.x.x.x/1037 dst
    > :outside:x.x.x.x/137
    >
    > :This message Dec 3 04:02:07 x.x.x.x last message repeated 6 times
    >
    > :Is the one I am questioning, the repeated X times...I see that a lot
    > :in my logs and I do not want to. I want all the messages - is this
    > :meaning that it isn't logging the repeats or that it just saw the same
    > :message 6 times?
    >
    > Your syslogd is trying to prevent flooding of your logs, by not
    > counting repeated messages instead of writing each one out. It should
    > only do so if the message is an exact repeat. If you have your FWSM
    > generating timestamps (which it appears to be doing) then as soon as
    > the seconds field changed, the message would be different and it would
    > stop summarizing the old one. Thus in your cases, the same port 137
    > probe occurred 6 times in one second.
    >
    > I do not know if there is a way of getting redhat to log each
    > individually rather than summarizing.
    >
    >
    > I notice, by the way, that the minutes and seconds field are not the
    > same on your first timestamp (04:02:07) compared to your second
    > timestamp (09:53:55). Either you have a really *long* logging delay,
    > or your clocks are out of sync on one or both devices.


    Yes, the logging server and the FSM both had different time settings
    and BOTH were the wrong time settings. I've fixed that today (they are
    all new installs which I did not do).

    Thanks Walter, I'll do some more research on syslog summarizing.
    mikester, Dec 4, 2003
    #3