Elog filter rule set fault causes syslog not to be received

Publication Date:  2012-09-25 Views:  156 Downloads:  0
Issue Description
Problem phenomenon: 3 E1000E firewalls are managed by Elog for session logs and syslog. During installation, the firewalls' session logs could be viewed in Elog. Staff then checked the firewall syslog in Elog and found that the syslog of 2 of the 3 firewalls (E1000E-1 and E1KVPN) could not be found, although their session logs could still be viewed.
Alarm Information
none
Handling Process
1 Soon after Elog startup, the user set a firewall syslog filter policy in Elog that filtered the syslog of E1000E-1. The background run records are as follows. (The earliest Elog background record available is from 8.23, so the list starts from 8.23.)

2011-08-23 20:41:00,000 INFO  0x00000734 LogCollector - [ESFilterMgr::printFilteLogNum] Number filte eudemon syslog every minute: 12
2011-08-24 00:00:00,000 INFO  0x00000734 LogCollector - [ESFilterMgr::printFilteLogNum] Number filte eudemon syslog every minute: 12
2011-08-28 12:10:00,000 INFO  0x00000734 LogCollector - [ESFilterMgr::printFilteLogNum] Number filte eudemon syslog every minute: 12
2011-08-29 00:00:00,000 INFO  0x00000734 LogCollector - [ESFilterMgr::printFilteLogNum] Number filte eudemon syslog every minute: 12
2011-08-31 09:56:00,000 INFO  0x00000734 LogCollector - [ESFilterMgr::printFilteLogNum] Number filte eudemon syslog every minute: 16
2011-08-31 18:58:00,000 INFO  0x00000734 LogCollector - [ESFilterMgr::printFilteLogNum] Number filte eudemon syslog every minute: 10
2011-08-31 18:59:00,000 INFO  0x00000734 LogCollector - [ESFilterMgr::printFilteLogNum] Number filte eudemon syslog every minute: 0
2011-08-31 19:00:00,000 INFO  0x00000734 LogCollector - [ESFilterMgr::printFilteLogNum] Number filte eudemon syslog every minute: 0

Each record above states how many of the syslog messages received by Elog in the previous minute were filtered; one record is written per minute. From 8.23 until 2011-08-31 18:58:00, 12 syslog messages were filtered every minute; after that, no syslog message was filtered again. The reason is that at 2011-08-31 18:58 we deleted E1000E-1 from Elog, so Elog could no longer receive its syslog. Deleting the device also deletes the filter policy that corresponds to it, so when the device is added again its syslog is no longer filtered and can be viewed.
2 About filter policies
Elog has two kinds of filter policy: overall filter policies and partial filter policies.
Overall filter policy: configured when logged in as admin; the configuration takes effect for all devices.
Partial filter policy: configured when logged in as an operator; a specific device must be selected, and the policy takes effect only for the chosen devices.
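The run records above are the only evidence of the filtering in this case, so a small parser that extracts the per-minute filter counts and locates the minute at which filtering stopped makes the reading of the log reproducible. This is an added example, not part of the original case or of the Elog product; the sample input is a constructed copy of the records quoted above, and the record format is assumed to match them.

```python
import re
from datetime import datetime

# Constructed sample: the ESFilterMgr records quoted in the case, embedded inline.
SAMPLE_LOG = """\
2011-08-23 20:41:00,000 INFO  0x00000734 LogCollector - [ESFilterMgr::printFilteLogNum] Number filte eudemon syslog every minute: 12
2011-08-24 00:00:00,000 INFO  0x00000734 LogCollector - [ESFilterMgr::printFilteLogNum] Number filte eudemon syslog every minute: 12
2011-08-28 12:10:00,000 INFO  0x00000734 LogCollector - [ESFilterMgr::printFilteLogNum] Number filte eudemon syslog every minute: 12
2011-08-29 00:00:00,000 INFO  0x00000734 LogCollector - [ESFilterMgr::printFilteLogNum] Number filte eudemon syslog every minute: 12
2011-08-31 09:56:00,000 INFO  0x00000734 LogCollector - [ESFilterMgr::printFilteLogNum] Number filte eudemon syslog every minute: 16
2011-08-31 18:58:00,000 INFO  0x00000734 LogCollector - [ESFilterMgr::printFilteLogNum] Number filte eudemon syslog every minute: 10
2011-08-31 18:59:00,000 INFO  0x00000734 LogCollector - [ESFilterMgr::printFilteLogNum] Number filte eudemon syslog every minute: 0
2011-08-31 19:00:00,000 INFO  0x00000734 LogCollector - [ESFilterMgr::printFilteLogNum] Number filte eudemon syslog every minute: 0
"""

# Assumed record layout: "<date> <time>,<ms> <level> <thread> LogCollector - [ESFilterMgr::printFilteLogNum] ... : <count>"
RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} .*"
    r"\[ESFilterMgr::printFilteLogNum\] Number filte eudemon syslog every minute: (?P<n>\d+)\s*$"
)


def parse_filter_counts(text):
    """Return a list of (timestamp, filtered_count) for every ESFilterMgr count record in text.
    Lines that do not match the record layout are ignored."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            records.append((ts, int(m.group("n"))))
    return records


def find_filter_stop(records):
    """Return (last_minute_with_filtering, first_minute_with_zero) at the point where the
    per-minute filtered count first drops from a positive value to 0, or None if it never does.
    In the case above that point coincides with the deletion of E1000E-1 from Elog."""
    last_positive = None
    for ts, n in records:
        if n > 0:
            last_positive = ts
        elif last_positive is not None:
            return last_positive, ts
    return None


def total_filtered(records):
    """Sum of the filtered counts over all parsed records (how much syslog the policies dropped)."""
    return sum(n for _, n in records)


if __name__ == "__main__":
    recs = parse_filter_counts(SAMPLE_LOG)
    print(len(recs), "records,", total_filtered(recs), "messages filtered in total")
    print("filtering stopped between", find_filter_stop(recs))
```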
Root Cause
1 Checked the firewall syslog configuration: normal.
2 Checked the firewall interzone policy configuration: normal.
3 Checked communication from the firewall to Elog: normal.
4 Checked the Elog configuration: the filter policy configuration was faulty.
Suggestions
Cancel all overall filter policies and partial filter policies; the session logs will then no longer be filtered.

END