I'm running a Cisco ACS appliance which is logging to a remote syslog -- this version on Win 2003 virtual server. The ACS appliance sends syslog entries which it splits up into shorter messages. So a failed login could result in a dozen or so syslog messages. The record layout lists the total number of syslog records, plus a counter -- so for any given failure you can see the syslog entries -- entry 1 of 13, entry 2 of 13, etc.
So I know how many records should be there. But frequently a message doesn't show up in the syslog. I'll get 2 of 13 through 13 of 13 without logging the 1st record.
My server stats don't show anything suspicious:
+ Messages received - Total: 310180
+ Messages received - Last 24 hours: 310180
+ Messages received - Since Midnight: 309858
+ Messages received - Last hour: 43996
+ Message queue overflow - Last hour: 0
+ Messages received - This hour: 13634
+ Message queue overflow - This hour: 0
+ Messages per hour - Average: 21182
+ Messages forwarded: 0
+ Messages logged to disk: 309848
+ Errors - Logging to disk: 0
+ Errors - Invalid priority tag: 0
+ Errors - No priority tag: 0
+ Errors - Oversize message: 0
I'm trying to determine if this is an artifact of the Cisco ACS appliance not sending what it claims to be sending, the Kiwi Syslog server not being able to log the entry or a capacity issue.
Any suggestions? On any given day I'll have dozens of "missing" records in the syslog file. Naturally, I can't really tell how many records are being dropped and whether the paid version would alleviate that issue.
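The "entry N of M" counter described in the post is enough to measure the loss rather than eyeball it. The following script is an added example, not code from the post or from Cisco or Kiwi: it groups segmented syslog lines by message id, lists which segment numbers never reached the log file (and which arrived twice), and computes a loss rate over the messages whose ids were seen at all. The line format (`id=<msgid> seg=<n>/<total>`) and the sample lines are constructed for the example and are not the real ACS layout; adjust `SEG_RE` to the appliance's actual field positions.

```python
import re
from collections import Counter

# Constructed sample lines (not real ACS output). Assumed layout:
#   "<pri>Mon DD HH:MM:SS host ACS: id=<msgid> seg=<n>/<total> <payload>"
# Message 000123 is missing segment 1 (the pattern from the post),
# 000124 is complete, 000125 is missing segment 2 and has segment 1 twice.
SAMPLE_LOG = """\
<181>Oct  3 09:12:01 acs01 ACS: id=000123 seg=2/4 user=jdoe
<181>Oct  3 09:12:01 acs01 ACS: id=000123 seg=3/4 result=Fail
<181>Oct  3 09:12:01 acs01 ACS: id=000123 seg=4/4 reason=Bad-Password
<181>Oct  3 09:12:05 acs01 ACS: id=000124 seg=1/2 user=asmith
<181>Oct  3 09:12:05 acs01 ACS: id=000124 seg=2/2 result=Pass
<181>Oct  3 09:12:09 acs01 ACS: id=000125 seg=1/3 user=bob
<181>Oct  3 09:12:09 acs01 ACS: id=000125 seg=1/3 user=bob
<181>Oct  3 09:12:09 acs01 ACS: id=000125 seg=3/3 reason=Bad-Password
"""

# Hypothetical field layout; change to match the appliance's real format.
SEG_RE = re.compile(r"\bid=(?P<msgid>\w+)\s+seg=(?P<n>\d+)/(?P<total>\d+)")


def parse_segments(text):
    """Group segment counters by message id.

    Returns {msgid: (total_segments, Counter({segment_no: times_seen}))}.
    If one id reports different totals on different lines, the largest
    is kept so that no segment is reported as out of range.
    """
    groups = {}
    for line in text.splitlines():
        m = SEG_RE.search(line)
        if not m:
            continue  # not a segmented line; ignore it
        msgid = m.group("msgid")
        n, total = int(m.group("n")), int(m.group("total"))
        prev_total, segs = groups.get(msgid, (0, Counter()))
        segs[n] += 1
        groups[msgid] = (max(prev_total, total), segs)
    return groups


def find_gaps(groups):
    """Per message id: segment numbers never seen, and those seen more than once."""
    report = {}
    for msgid, (total, segs) in groups.items():
        missing = [i for i in range(1, total + 1) if i not in segs]
        duplicates = sorted(i for i, c in segs.items() if c > 1)
        if missing or duplicates:
            report[msgid] = {"total": total, "missing": missing, "duplicates": duplicates}
    return report


def drop_rate(groups):
    """(expected, received, fraction_missing) over the ids that were seen.

    Caveat: a message whose every segment was lost leaves no id behind and
    cannot be counted here, so the figure is a lower bound on real loss.
    """
    expected = sum(total for total, _ in groups.values())
    received = sum(len(segs) for _, segs in groups.values())
    fraction = (expected - received) / expected if expected else 0.0
    return expected, received, fraction


if __name__ == "__main__":
    groups = parse_segments(SAMPLE_LOG)
    for msgid, info in sorted(find_gaps(groups).items()):
        print(f"{msgid}: missing {info['missing']} of {info['total']}, "
              f"duplicates {info['duplicates']}")
    expected, received, fraction = drop_rate(groups)
    print(f"{received}/{expected} segments received ({fraction:.1%} missing)")
```

Run it against a day's log file instead of `SAMPLE_LOG` to get a count of missing segments per message and an overall loss figure; comparing that figure with a packet capture taken on the syslog server's interface over the same window tells you whether the missing segments ever arrived on the wire (a sender or network problem) or arrived and were not written (a receiver problem). Duplicates are worth reporting too, since a sender that retransmits will show up that way.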