ADC sending syslog to previously existing syslog server


Article ID: CTX320038


Description

The remote syslog server and policy configuration was removed from the ADC, and a new syslog configuration was added.
However, the ADC is still sending syslog to the old syslog server.
Running the deleted syslog commands again returns the following errors:
Primary> add audit syslogAction Qradar 10.100.12.111 -logLevel ALL -tcp ALL
ERROR: Auditlog service exists with this server information
Primary> add audit syslogPolicy Qradar_pol true Qradar
ERROR: Invalid action
Primary> bind audit syslogGlobal -policyName Qradar_pol -priority 2000000010
ERROR: No such policy exists
Primary>




 

Resolution

  1. Reboot the ADC to kill the existing sessions. After the reboot, the old syslog data is erased.
  2. If a reboot is not an option, wait until all the AAA sessions expire.

Problem Cause

Sessions created while the older syslog server was configured continue to send their logs to the old server. Once all of those sessions expire, log out or are killed, the logs stop. Hence the advice to modify the configuration during downtime, when no sessions are being created.
This is a design constraint. The configuration change (deleting or modifying syslog) is still allowed, because it cannot be blocked until all older sessions are killed. The errors appear because the internal data structures are not cleaned up while the sessions are still active and using them.