2 Replies Latest reply on Sep 25, 2013 11:44 AM by sliedl

    Admin Console Crash while exporting logs

    ebeneezersquid

      Due to an administrative SNAFU, we do not presently have a log server, and have to export our Firewall logs manually.


      Firewall version 70102

      Admin Console Version 4.10


      Unfortunately, exported audit logs (from a custom filter, of course) can get rather large, especially during weekly penetration scans.

      Anytime a log export file reaches in the area of 400 megs (anywhere from 380-420), the admin console crashes, and we then have to either open the massive logfile and wait forever for it to fully load and try to find how far it got before crashing, and break the log file up, or simply guess (which works rather well as we know roughly when the scans get started). Unfortunately, especially since new system upgrades were installed, the logs during the scans can reach 400 megs for periods as small as 10 minutes.


      I am powerless to get a log server up and running. (well, any faster. We have 5 shops with leads far higher on the totem pole than I screaming for it. Still looks like it will be over a year minimum)

      We cannot change the configuration of the new systems which cause so many audits to be generated.

      My Google-Fu has failed to turn up a solution.


      Anyone have a solution to either get the admin console to stop crashing or to automatically split the log files (to prevent crashing and make auditing them easier)?


      Edit & PS:

      On an unrelated note, we are also getting an unusual "MAJOR" "ATTACK" audit entry with no source and no destination. The only data in the audit is the gibberish code-speak entry in the "Information" block: "ffs_alloc(): freespace override"

      My Google-Fu has again failed me, and my shop lead has decided to ignore it, but it looks to me like it may indicate a database error of some sort? Worried it may come back to bite us later.


      Message was edited by: ebeneezersquid on 9/25/13 8:24:49 AM CDT
        • 1. Re: Admin Console Crash while exporting logs

          Hello,


          Would command line tools to view the audit help you? If so, then I would recommend acat and showaudit. You can view the man page for both to give you all the syntax. Let me know if you would like to go this route and I can help find more documentation about the commands. Also you may want to search the KB for "sacap filters".


          As for the "freespace override" you are seeing, I think that might be due to a partition being full on the firewall. Running the "df" command may point out which partition.


          -Matt

          • 2. Re: Admin Console Crash while exporting logs
            sliedl

            The Admin Console has a hardcoded timeout of 5 minutes (when it receives no response); that is why it is timing out.


            You can export the audits using SCP or FTP; you can export them in multiple formats (ASCII is one) on a regular basis. That exports the entire audit.raw file from that day.


            If you run the acat command on the CLI it will be much faster than doing this through the GUI (you can then use a SACAP filter [Sidewinder audit capture] to get only the information you want).


            You also need to upgrade to 70103 as 70102 is End of Support next Tuesday, 09/30/2013.
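The original poster asked for a way to split the exported audit automatically so the export never reaches the ~400 MB point at which the console crashes. The script below is an added example, not code from this thread or from the firewall vendor: it assumes you already have an ASCII audit export on disk (the SCP/FTP export sliedl describes) with one audit record per line, and it splits that file into chunks under a byte limit without cutting a record in half, then indexes each chunk by its first and last record so you can see which time range it covers. The 350000000 figure in the usage comment is a constructed safety margin below the thread's 400 MB threshold.

```shell
#!/bin/sh
# Added example (not from this thread or the firewall vendor): split an already
# exported ASCII audit file into chunks that stay under a size limit without
# cutting an audit record in half. Assumes one audit record per line.

# split_audit_export FILE MAX_BYTES PREFIX
# Writes PREFIX.001, PREFIX.002, ... and prints the number of chunks written.
split_audit_export() {
  LC_ALL=C awk -v max="$2" -v prefix="$3" '
    function open_next() { n++; out = sprintf("%s.%03d", prefix, n); size = 0 }
    BEGIN { open_next() }
    {
      rec = $0 "\n"
      len = length(rec)          # byte length, because LC_ALL=C
      # Start a new chunk if this record would push the current one over max.
      # A single record larger than max still gets a chunk of its own, so the
      # loop can never stall on an oversized line.
      if (size > 0 && size + len > max) { close(out); open_next() }
      printf "%s", rec > out
      size += len
    }
    END { close(out); print n }
  ' "$1"
}

# audit_chunk_index PREFIX
# Prints one tab-separated line per chunk: file, bytes, first record, last
# record. After a console crash this shows which chunk covers which period.
audit_chunk_index() {
  for f in "$1".[0-9][0-9][0-9]; do
    [ -f "$f" ] || continue
    printf '%s\t%s\t%s\t%s\n' "$f" "$(wc -c < "$f")" \
      "$(head -n 1 "$f")" "$(tail -n 1 "$f")"
  done
}

# Usage, keeping chunks comfortably below the ~400 MB crash point from the
# thread (file name is a constructed placeholder):
#   split_audit_export audit-export.txt 350000000 audit-export.part
#   audit_chunk_index audit-export.part
```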