Is Remote Syslog Server stopping for anyone else? (USG Flex 200 H)

kilomiles

Hi everyone.

I seem to be experiencing an issue and wanted to ask if anyone was experiencing the same thing or has ever run into this. I am using the USG Flex 200H device and am trying to reroute its logs to a logging server via Syslog. For some reason, the flow of logs to the remote server will stop randomly after 2-24 hours. I've found that simply disabling and re-enabling the "Active" switch will restart the flow of traffic, but having to manually do this every day defeats the purpose of remote logging.

Has anyone run into this issue? I've ruled out the possibility of it being an issue with the logging server I am using, because I also tried testing this out using netcat on a brand new VM.

Zyxel_Kay

Hi @kilomiles

To assist you better, could you please provide us with the following details?

1. What is the current firmware version of your USG Flex 200H device?
2. How is your Syslog server deployed in your network? Could you share a detailed overview of your network topology?
3. When did this issue first occur? Did it start immediately after setting up Syslog, or was it functioning correctly before?

kilomiles

Thank you for your reply, Kay.

1. I am currently running the device on V1.20(ABWV.2). I've been trying to check if there is a version update from the devices web portal, but it just sits and spins indefinitely from what it seems like.
   
   I just looked on the Zyxel website and it seems I am one feature update behind from the current version of 1.20(ABWV.2)C0
   
2. The network topology is pretty simple. The logging server, Graylog to be more specific, is sitting on the same subnet as the USG. Traffic goes straight from the USG to the hypervisor that is hosting the Ubuntu VM. I'm running Graylog in a single node setup.
3. This issue has been happening for roughly 2-3 weeks now. I don't recall it happening the first couple of weeks after setting up the USG device. It's been running for a little over a month now. I set up Syslog when going through the initial setup of the USG. If I had to pin it down to time or action that correlates with this, it would be when I changed the settings to enable the "Remote Server 2" option as well. I made this change around the 2-3 weeks ago.
   
   What's strange about this issue is that disabling the Remote Server 2 will also temporarily fix the flow of logs to the Syslog server I have configured under Remote Server 1. Like I said though, it's only temporarily.
   
   I'm not sure if this piece of information will help, but I have noticed something else while trying to troubleshoot this. Usually, the Syslog server will have anywhere between 5-40 logs it receives per 2 second interval. When the sending of logs to Syslog stops, and I go turn it off and then on again to fix it, the Syslog server receives a big spike in traffic for that first 2 second interval. I've seen it range from 100-250 logs in that moment.

Yesterday, after doing my little turn it off and turn on again fix, the Syslog flow stopped after 2 hours.

syslog stopping after two hours.png

I am going to try and update the device to the latest firmware tonight outside of business hours to see if that fixes the issue.

Zyxel_Kay

Hi @kilomiles

To further investigate your issue, we kindly ask that you keep the symptoms/environment and allow us to remotely access your device. I’ve sent the remote access configuration details to you via private msg. Please check your community inbox.