**********************
Applies to 9.x and earlier
**********************
Prerequisites
Pre-9.x: DC metrics messages are written to DataCollector.log and are generated every 30 seconds.
Post-9.x: metrics stats are written to /var/log/firemon/dc/metrics.log
***********************
Data Collector Metrics messages are what tell you about the current syslog load on the Data Collector.
There are 5 sections reported, "SyslogUDPServer", "SyslogTCPServer", "SyslogServer", "TrafficMessageQueue", and "LeaMessageQueue".
The "SyslogUDPServer" is the UDP receiver. It takes in UDP packets and attempts to interpret them as syslog messages. The metrics reflect what has arrived on the UDP port.
The "SyslogTCPServer" is the TCP receiver. It takes in TCP streams and examines them for syslog messages. Metrics for this object are not displayed unless TCP is enabled, so in most cases you won't see any metrics for SyslogTCPServer.
The "SyslogServer" processes syslog messages, regardless of whether they arrived over TCP or UDP. For example, syslog messages arriving via UDP are received by the SyslogUDPServer, and are then handed to the SyslogServer for processing. Do not expect metrics for the SyslogUDPServer and SyslogServer to line up, for the following reasons: 1) not all messages received by the UDP server are syslog messages; and 2) every object takes its own metrics snapshots at the times that are most efficient for that object, so metrics from different objects do not represent the same instant in time.
The "TrafficMessageQueue" is a queue of traffic messages which are ready for usage processing. These messages may have come from syslog, or from LEA, or from hitcount retrievals. Do not expect metrics from the SyslogServer to line up with metrics for the TrafficMessageQueue, for the following reasons: 1) not every syslog message is a traffic message; 2) traffic messages may come from other sources; and 3) different objects take metrics snapshots at different times.
The "LeaMessageQueue" is the Check Point message receiver. It reports all messages sent via the LEA connection.
How to use this information
To get an idea of the traffic load on a DC, look at the SyslogUDPServer metrics. This metric includes all UDP data received by the DC, including non-syslog packets, malformed syslog packets, and packets from devices that the DC does not recognize.
To determine how many syslog messages the DC is processing, not including non-syslog or malformed packets, but including devices that the DC does not recognize, look at the metrics for SyslogServer. Part of the job of the SyslogServer is to identify which device a syslog message came from, so the "received" metrics for the SyslogServer will include messages from unrecognized devices.
To determine how many usage messages the DC is processing, from all sources (syslog, LEA, hitcount), not including change messages, and not including any messages from unrecognized sources, you can look at the metrics for TrafficMessageQueue.
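As an added illustration (not FireMon's code), the three checks above expressed as a small Python triage routine. It sums several consecutive reports before comparing stages because, as noted earlier, each object takes its snapshot at a different instant, so a single pair of numbers will not line up. The article does not show the metrics line format, so the counts below are constructed sample values and the field names are my own.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Snapshot:
    """Counts pulled from one DC metrics report (constructed; field names are mine)."""
    udp_received: int      # SyslogUDPServer: everything that hit the UDP port
    syslog_received: int   # SyslogServer: messages parsed as syslog, any device
    traffic_enqueued: int  # TrafficMessageQueue: usage messages, recognized sources only


def funnel_ratios(snaps: List[Snapshot]) -> Dict[str, float]:
    """Sum several 30-second reports before dividing; per-object snapshots are
    taken at different instants, so ratios over one report alone are noisy."""
    udp = sum(s.udp_received for s in snaps)
    parsed = sum(s.syslog_received for s in snaps)
    traffic = sum(s.traffic_enqueued for s in snaps)
    return {
        "udp_to_syslog": parsed / udp if udp else 0.0,
        "syslog_to_traffic": traffic / parsed if parsed else 0.0,
    }


def triage(snaps: List[Snapshot], floor: float = 0.5) -> List[str]:
    """Map the stage ratios back to the questions each metrics section answers."""
    if sum(s.udp_received for s in snaps) == 0:
        return ["no UDP data arriving: nothing reached the DC's syslog port"]
    r = funnel_ratios(snaps)
    findings = []
    if r["udp_to_syslog"] < floor:
        findings.append("most UDP packets are not parseable syslog (non-syslog or malformed)")
    if r["syslog_to_traffic"] < floor:
        findings.append("most syslog messages are dropped before the traffic queue: "
                        "non-traffic messages or unrecognized devices")
    if r["syslog_to_traffic"] > 1.0:
        findings.append("traffic queue exceeds syslog input: LEA or hitcount sources contributing")
    return findings or ["load flows through all three stages"]


# Constructed sample: three consecutive reports from a DC whose devices are mostly unregistered.
SAMPLE = [
    Snapshot(udp_received=1200, syslog_received=1150, traffic_enqueued=90),
    Snapshot(udp_received=1180, syslog_received=1210, traffic_enqueued=110),
    Snapshot(udp_received=1250, syslog_received=1190, traffic_enqueued=100),
]

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```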