A customer reported that when he ran “display logbuffer” on a USG5500, the number of logs did not look correct. As shown in the following picture, the “Allowed max buffer size” is 1024, but the “current message” count is only 515, yet newer logs overwrote older ones. The number of “Overwritten message” kept increasing.
(1) From the parameters of the command “display logbuffer”, we can see that there are actually many log types:
From the product documentation of the USG5500, we can see:
sec-log, av-log, and ips-log are attack defense logs and are stored in attack defense log buffer. Other logs are stored in the system log buffer.
After confirming with R&D, I found that the “Allowed max buffer size” in the command “display logbuffer” includes both attack defense logs and other logs.
(2) I checked the attack defense logs one by one and found that the “Allowed max buffer size” for attack defense logs is 512, and there are currently 3 messages.
(3) I checked the command logs, which are stored in the system log buffer, and found that the number of logs had reached the “Allowed max buffer size”. That’s why the newer logs overwrote the older ones.
As a result of the above analysis, even though the numbers in the command “display logbuffer” are a little confusing, the behavior is normal.
1) There is a bug in the firewall.
2) There are many log types, and each type has its own max number. But the logbuffer command only shows the total number.
When using the firewall, if you have doubts about the result of a command, you can check the detailed description in the product documentation. If you can’t find the answer, you can contact R&D.
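The behavior analysed above can be reproduced with a small model; this is an added example, not Huawei code. The class and function names are hypothetical, the log messages are constructed, and the 512-entry system buffer is an assumption inferred from the 1024 total and the 512 attack defense limit.

```python
from collections import deque


class PartitionedLogBuffer:
    """Model of a log buffer split into fixed-size partitions."""

    def __init__(self, sizes):
        # sizes: partition name -> maximum number of messages
        self.partitions = {name: deque(maxlen=n) for name, n in sizes.items()}
        self.overwritten = {name: 0 for name in sizes}

    def log(self, partition, message):
        buf = self.partitions[partition]
        if len(buf) == buf.maxlen:
            # A full deque drops its oldest entry on append.
            self.overwritten[partition] += 1
        buf.append(message)

    def aggregate(self):
        """Totals only, as the case describes for 'display logbuffer'."""
        bufs = self.partitions.values()
        return {
            "allowed_max": sum(b.maxlen for b in bufs),
            "current": sum(len(b) for b in bufs),
            "overwritten": sum(self.overwritten.values()),
        }

    def per_partition(self):
        """Per-partition view that shows which buffer is actually full."""
        return {
            name: {"max": b.maxlen, "current": len(b),
                   "overwritten": self.overwritten[name],
                   "full": len(b) == b.maxlen}
            for name, b in self.partitions.items()
        }


def simulate(system_msgs=600, attack_msgs=3):
    # 512 for attack defense is from the case; 512 for system is assumed.
    buf = PartitionedLogBuffer({"attack_defense": 512, "system": 512})
    for i in range(attack_msgs):
        buf.log("attack_defense", f"constructed sec-log {i}")
    for i in range(system_msgs):
        buf.log("system", f"constructed command log {i}")
    return buf


if __name__ == "__main__":
    b = simulate()
    print(b.aggregate())       # totals look half empty, yet overwrites grow
    print(b.per_partition())   # the system partition is the one that is full
```

The aggregate view reports 515 of 1024 while the system partition is already discarding its oldest command logs, so retention for audit purposes has to be judged per log type, not from the total.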