The problem is revealed in the sample Event Log output below:
2009-02-16 11:53:41
notif Log buffer was full and remaining messages were sent to external destination. 1115 packets were dropped.
get log sys
## 2014-03-10 22:56:13 : The dlog chunk in use (56) is larger than the high threshold (55), stop forwarding new traffic
get sys-cfg | in dlog
dlog buf max chunk number: 256
dlog queue max chunk number: 56
dlog session log pool number: 256
When the log buffer in a security device reaches its capacity, the device sends all log entries to an external host for storage. During the transmission process, the security device stops receiving traffic and, as reported on some security devices, drops the specified number of packets.
Note: After the security device transmits all log entries, it starts receiving and processing traffic again.
The default behavior in ScreenOS is for logs to be overwritten when the log buffer reaches its capacity. The logs are handled on a first-in, first-out basis.
If the set log audit-loss-mitigation command is enabled, precedence is given to the logs that are stored on the firewall, as opposed to traffic passing through the firewall.
Enabling the set log audit-loss-mitigation command stops the generation of auditable events when the number of such events exceeds the capacity of the security device. Enabling this feature reduces the loss of event logs due to log overloads. However, when the log buffer in the security device reaches its capacity, the device sends all log entries to an external host (that is, syslog) for storage. During the transmission process, the security device stops receiving traffic and drops the specified number of packets. After the device has finished transmitting all the log entries, it starts receiving and processing traffic again.
On some security devices, the syslog server must be connected to the management interface on the Management Module. This ensures that the syslog server is available if the buffer fills up and network traffic stops.
When the set log audit-loss-mitigation command is enabled, the device stops receiving traffic if the log buffer is full. In this case, either the alarms must be acknowledged or the clear event command must be issued in order to resume traffic.
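As an added example (not part of the article or of ScreenOS itself), the following Python script scans exported event-log text for the two messages quoted above, the "Log buffer was full ... packets were dropped" event and the dlog high-threshold notification, and totals the packets the device reported dropping, so an operator can spot when a full log buffer has paused forwarding and needs the alarm acknowledged or the event cleared. The sample lines are constructed in the formats shown on this page.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the two message formats quoted in the article plus one
# unrelated event-log line that the parser must leave alone.
SAMPLE_LOG = """\
2009-02-16 11:53:41 notif Log buffer was full and remaining messages were sent to external destination. 1115 packets were dropped.
2014-03-10 22:56:13 : The dlog chunk in use (56) is larger than the high threshold (55), stop forwarding new traffic
2014-03-10 22:57:02 notif Admin user netscreen logged in via console
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
BUFFER_FULL = re.compile(TS + r".*Log buffer was full.*?(?P<dropped>\d+) packets were dropped")
DLOG_THRESHOLD = re.compile(
    TS + r".*dlog chunk in use \((?P<used>\d+)\) is larger than the high threshold \((?P<high>\d+)\)"
)

@dataclass
class LogLossEvent:
    timestamp: str
    kind: str      # "buffer_full" or "dlog_threshold"
    dropped: int   # packets the device reported dropping (0 if the message gives none)
    detail: str

def parse_events(text: str) -> List[LogLossEvent]:
    """Return the log-overload / traffic-stop events found in raw event-log text."""
    events: List[LogLossEvent] = []
    for line in text.splitlines():
        m = BUFFER_FULL.search(line)
        if m:
            events.append(LogLossEvent(m["ts"], "buffer_full", int(m["dropped"]),
                                       "log buffer flushed to external host; traffic paused"))
            continue
        m = DLOG_THRESHOLD.search(line)
        if m:
            events.append(LogLossEvent(m["ts"], "dlog_threshold", 0,
                                       f"dlog chunks in use {m['used']} exceed high threshold {m['high']}; forwarding stopped"))
    return events

def total_dropped(events: List[LogLossEvent]) -> int:
    """Sum of packets the device itself reported dropping during log flushes."""
    return sum(e.dropped for e in events)

if __name__ == "__main__":
    found = parse_events(SAMPLE_LOG)
    for e in found:
        print(e.timestamp, e.kind, e.detail)
    print("total packets dropped:", total_dropped(found))
```

Feed it the saved output of get log sys or the syslog host's archive for the firewall; a non-empty result is the cue to run exec alarm security ack-id or clear event as described above.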
To acknowledge an alarm, use the following syntax:
exec alarm security ack-id number
(ack-id can be found in the alarm event.)
[or]
exec alarm security all
To clear an event, use the following syntax:
clear event
To disable the set log audit-loss-mitigation command, issue the following command:
unset log audit-loss-mitigation
To confirm the status of the set log audit-loss-mitigation command, issue the following command:
get log audit-loss-mitigation
2018-10-05: Syntax added for acknowledging or clearing alarms in the Solution section.