Saving disk space on GMS by using App Control Advanced Log Redundancy to reduce syslog volume
03/26/2020 1055 11874
If you find disk space is continually filling on your GMS server, the volume of syslogs is usually the culprit. If you have a windows (software) deployment, navigating to the install drive's GMSVPsyslogsarchivedSyslogs folder can show you how much raw syslog data is retained on your server.
However, it may be that the majority of the syslogs being received are redundant, and unnecessary for the data being conveyed. It may be possible to reduce the volume of syslogs being sent to your system. This means that not only will your GMS server collect and store less syslogs in the future, but also less traffic will need to be sent from the affected firewalls to the GMS server... all while still sending the same amount of traffic.
Many current firmware versions include a default "log redundancy" value of "0" for each of the 27 categories in the "App control advanced" section. Unlike most other items in the SonicOS firmware, however, this value OVERRIDES the global log redundancy value for both logs and syslogs configured in your "Log Settings" section.
The practical effect of this is that every time an app control signature is detected, a unique syslog will be sent to your GMS server.
This is extremely redundant. You may have thousands of packets on a single data stream on which a particular app control signature is detected, and therefore thousands of syslogs will be generated.
For comparison, no other detection engine in SonicOS firmware does this by default. If the SonicWall were to detect 3000 syn flood packets on a particular socket, it would simply send a single syslog to GMS stating "There have been 3000 attempted syn flood packets from this IP address on this socket in the last 60 seconds".
The exact same data can be conveyed with much less traffic by enabling a log redundancy value of 60 seconds on each of the 27 app control advanced categories. (This can be done from GMS if using 5.9 or 6.2 firmware, else it can be done directly on the firewalls).
- Navigate to firewall > app control advanced and set the "viewed by" (the third drop-down menu) to "Category". If the "Application" and "signature" drop-down menus are not already set to view "All" items, make this modification as well).
- Click "edit" to configure any category
- Modify the default "Log redundancy" value from "0" to "60" seconds.
- Click "OK" to save the changes. Repeat steps 2-4 for the rest of the 27 categories.
- If not using GMS from a group or global view, make this modification on the rest of the firewalls reporting to GMS.
This will not erase syslogs already processed by GMS, but it will ensure that moving forward, less syslogs are sent to GMS to convey the same amount of traffic.
Note: If this value is already set on a particular category, no change is required, unless a particular application or signature within that category has been manually modified to not use the category log redundancy setting, in which case that application or signature will also need to be modified.
More recent versions of 6.2 firmware have a "Global Log Redundancy Filter Interval" value on the app control advanced main page. If available on your firmware version, setting this one value will modify any firewalls with app control advanced log redundancy set to the default value of "use global settings" will automatically be modified. all 27 categories will not require modification. At this time of writing, engineering has not stated that this will become available for firmware prior to 6.2