We have a dedicated App Connector configured to send LSS logs to a syslog-ng server, and the syslog-ng server feeds into Splunk. We noticed several months ago that we were missing a lot of logs in Splunk. After performing a packet capture on the App Connector we saw that the syslog-ng server was dropping a lot of traffic and responding back with a TCP Reset. Has anyone ever seen anything like this or have any ideas what the issue may be?
Yes – are you using a cert based authentication from LSS to Syslog NG – and is that NG a cluster or a single standalone device?
We use both NSS & NSS FW and LSS log feeds to support logs from both ZIA and ZPA tenants. We use separate custom ports for each log service and certificate trust to support the continued use of encryption as it leaves the Zscaler platform; this helped immensely. Keep in mind that log traffic from LSS and NSS can come in batches as it processes, so syslog-ng can get overwhelmed. Look to your network port configurations and interfaces in use, as they can contribute to the problem you are seeing.
Thank you for the info. We actually just found syslog-ng is rejecting connections from the app connector due to exceeding the connection limit:
Looks like the default value for max connections in syslog-ng is 10. Any input on what we should set it to?
Update: We kept raising the connection limit until the errors stopped; for us that was 200 connections. We appear to be getting all the ZPA logs in Splunk now.
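For reference, here is an added example of what the fix discussed in this thread looks like in a syslog-ng source definition. It is not the original poster's configuration; the port, certificate paths and the `log-iw-size()` value are assumptions chosen for illustration. The source uses TLS as the thread recommends, and raises `max-connections()` from the syslog-ng default of 10 to the 200 that worked for the poster. In syslog-ng 3.x `log-iw-size()` is the total receive window shared by all connections on a TCP/TLS source, so it is raised alongside `max-connections()` to avoid starving each connection of buffer space:

```conf
# Added example of a syslog-ng network source for Zscaler LSS log feeds.
# Assumptions: port 514 via TLS, certificate/key paths under /etc/syslog-ng/cert.d.
source s_zscaler_lss {
    network(
        ip("0.0.0.0")
        port(514)                     # assumed custom port dedicated to the LSS feed
        transport("tls")
        tls(
            key-file("/etc/syslog-ng/cert.d/syslog.key")      # placeholder path
            cert-file("/etc/syslog-ng/cert.d/syslog.crt")     # placeholder path
            ca-dir("/etc/syslog-ng/ca.d")                     # placeholder path
            peer-verify(required-trusted)   # require a trusted client cert from the App Connector
        )
        # Default is 10; the App Connector opens many parallel sessions when it
        # flushes batches, so raise this until the "connections reached" rejections stop.
        max-connections(200)
        # Total initial window shared across all connections; keep it at least
        # log-fetch-limit() * max-connections() (100 * 200 here) so each session
        # still gets a usable buffer.
        log-iw-size(20000)
    );
};

destination d_splunk_forwarder {
    file("/var/log/zscaler/lss.log");   # assumed hand-off point for the Splunk forwarder
};

log { source(s_zscaler_lss); destination(d_splunk_forwarder); };
```

After editing, validate with `syslog-ng --syntax-only` and reload the service. A useful check that the new limit is high enough is to watch the syslog-ng internal log for the rejection message the poster found; if it keeps appearing at the new value, the limit is still too low for the App Connector's burst behaviour. Note that each connection in the window consumes memory, so `log-iw-size()` should be raised deliberately rather than set arbitrarily high.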
Thank you so much for marking the solution and for updating the community! Glad to hear that the problem has been solved.