Reduce CPU usage reviewing logs configuration
03/26/2020 1277 12447
When the SonicWall shows high usage of CPU in System | Status, you may want to review the logging configuration since it is known to impact on the CPU usage.
Using logging level as DEBUG or INFORM will create an overloading on the CPU usage since that the firewall has to log every single event: this way the firewall will log thousands of events every minute.
Furthermore the Log Redundancy Interval should be a non-zero value: doing this, the firewall will not log the same events if it happens again during the Redundancy Interval.
Review App Rules, App Control Advanced, Security Services and Logs Configuration:
- Go to Firewall | App Rules -- Set Global Log Redundancy Filter to 60
- Go to Firewall | App Control Advanced -- Set Global Redundancy Filter Interval to 60
- Go to Security Services | IPS --Set parameters as screenshot below:
- Go to Log | Settings change the logging level from DEBUG to Inform or Notice, then click the "Configuration" button.
- Set "Display Events in Log Monitor" to 60
After that, you may import a predefined or default logging template: How to Import Logging Templates
Then you may also want to check that all the categories and sub-categories are under the correct logging level in order to be displayed based on the priority you specify for the event.
N.B. Below, you can find the behavior of the logging template:
- If you specify that "TCP Packets dropped" event is a "Notice", this event will be displayed in GUI because your logging level is NOTICE
- If you specify that "Out of Order Packets Dropped" is a Debug event, it will never be displayed in GUI because the priority is lower than your logging level (debug is lower than notice).
- If you want that an event is displayed as an "Alert", you need to specify "Alert" or "Emergency" from the drop-down menu next to the event so that every time that event is logged, it will be displayed as an Alert.