cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
nashcoop
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 1 of 6
‎06-27-2018 11:59 AM

"Dropping syslog entry because queue is full"

I'm seeing the message "Dropping syslog entry because queue is full" in the mwg-core.error.log file on two out of a dozen MWG 5500 appliances running version 7.7.2.8.0.  If I restart the rsyslog service (service rsyslog restart) on the appliances, then they resume sending syslogs for an indeterminate amount of time.  Usually anywhere from a few minutes to a few hours before they stop again, and the error messages in the mwg-core.error.log resume.  The rsyslog configuration on the two appliances is configured the same as the other ten appliances which are centrally managed and not having this issue.  Has anybody else had similar experience with this error on an MWG appliance, and have a recommended fix?  I have a ticket open with McAfee tech support, but they haven't provided any answers so far.  

Tags (2)
1 person had this problem.
0 Kudos
Reply
5 Replies
aloksard
Employee
Employee
Report Inappropriate Content
Message 2 of 6
‎06-27-2018 11:29 PM

Re: "Dropping syslog entry because queue is full"

Hi Nashcoop,

Hope you are doing well.

Firstly can you provide the service ticket number to take a  look at it.

Can you check if the following two lines exist in /etc/rsyslog.d/mwg.conf?

$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0


How many syslog servers are defined in rsyslog.conf file? Can you confirm if all are reachable from MWG and available?

 

Regards

Alok Sarda

0 Kudos
Reply
nashcoop
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 3 of 6
‎06-28-2018 09:14 AM

Re: "Dropping syslog entry because queue is full"

Yes, these lines are present in the mwg.conf file.

$SystemLogRateLimitInterval 0

$SystemLogRateLimitBurst 0

0 Kudos
Reply
aloksard
Employee
Employee
Report Inappropriate Content
Message 4 of 6
‎06-28-2018 09:23 AM

Re: "Dropping syslog entry because queue is full"

Hi Nashcoop,

Hope you are doing well.

Thanks for the update here.

If possible can you provide the service ticket number to take a look at it.

How many syslog servers are defined in rsyslog.conf file? Can you confirm if all are reachable from MWG and available?

Regards

Alok Sarda

0 Kudos
Reply
nashcoop
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 5 of 6
‎06-28-2018 10:40 AM

Re: "Dropping syslog entry because queue is full"

Only sending logs to two IP's in the rsyslog.conf file.  One UDP, one TCP.  They are the same two that nine other appliances are sending syslog info to and not experiencing this issue.

 

0 Kudos
Reply
aloksard
Employee
Employee
Report Inappropriate Content
Message 6 of 6
‎06-28-2018 10:51 AM

Re: "Dropping syslog entry because queue is full"

Thanks for the update here.

 

If possible can you do packet captures on MWG  for both the syslog server's during the time of issue and upload in the ticket for investigation.

 

Regards

Alok Sarda

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC