This article:

• describes an event log message, which states that packets were dropped because the log buffer was full

• explains why the packets were dropped and why traffic was stopped

• shows how to get the security device to start receiving and processing traffic again

• lists the commands to acknowledge alarms, clear events, and disable and check the status of the set log audit-loss-mitigation command

The problem is revealed in the sample Event Log output below:

 

2009-02-16 11:53:41
notif Log buffer was full and remaining messages were sent to external destination. 1115 packets were dropped.

get log sys
## 2014-03-10 22:56:13 : The dlog chunk in use (56) is larger than the high threshold (55), stop forwarding new traffic

get sys-cfg | in dlog
dlog buf max chunk number: 256
dlog queue max chunk number: 56
dlog session log pool number: 256

 

When the log buffer in a security device reaches its capacity, the device sends all log entries to an external host for storage. During the transmission process, the security device stops receiving traffic and, as reported on some security devices, drops the specified number of packets.

Note: After the security device transmits all log entries, it starts receiving and processing traffic again.

The default behavior in ScreenOS is for logs to be overwritten when the log buffer reaches its capacity. The logs are handled on a first-in, first-out basis.

If the set log audit-loss-mitigation command is enabled, precedence is given to the logs that are stored on the firewall, as opposed to traffic passing through the firewall.

Enabling the set log audit-loss-mitigation command stops the generation of auditable events when the number of such events exceeds the capacity of the security device. Enabling this feature reduces the loss of event logs due to log overloads. However, when the log buffer in the security device reaches its capacity, the device sends all log entries to an external host (that is, syslog) for storage. During the transmission process, the security device stops receiving traffic and drops the specified number of packets. After the device has finished transmitting all the log entries, it starts receiving and processing traffic again.

On some security devices, the syslog server must be connected to the management interface on the Management Module. This ensures that the syslog server is available if the buffer fills up and network traffic stops.

 

When the set log audit-loss-mitigation command is enabled, the device stops receiving traffic if the log buffer is full. In this case, either the alarms must be acknowledged or the clear event command must be issued in order to resume traffic.

To acknowledge an alarm, use the following syntax:

exec alarm security ack-id number  (ack-id can be found in the alarm event.)

[or]

exec alarm security all

To clear an event, use the following syntax:

clear event

To disable the set log audit-loss-mitigation command, issue the following command:

unset log audit-loss-mitigation

To confirm the status of the set log audit-loss-mitigation command, issue the following command:

get log audit-loss-mitigation

 

2018-10-05: Syntax added for acknowledging or clearing alarms in the Solution section.