Monitor and Troubleshoot Advanced Logging
To collect statistics on advanced logging events and to receive health alerts, you must enable the Snort 3 Statistics module in your Firewall Threat Defense device's health policy (System menu). When enabled, you can monitor metrics such as the number of advanced logging events that are dropped, failed to send, or sent successfully.
To view these health metrics, navigate to System and then add the metrics to a dashboard by selecting them from the Snort 3 Performance Statistics group.
Advanced Logging events failed to transmit to syslog servers
This alert appears when the syslog messages failed to transmit due to a connection issue with the syslog server or a configuration error.
- Check the status of your syslog server to ensure it is operational and accessible.
- Verify the syslog configuration within the Firewall Management Center for any errors.
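One way to separate "not operational" from "not accessible" when checking the syslog server, as an added example that is not Cisco tooling or part of the original page. It assumes the collector listens for syslog over TCP; the host name, port 514, and the function names are hypothetical. Run it from a host on the same network path as the device, since a probe from elsewhere only tests the server side.

```python
import socket
from datetime import datetime, timezone

def build_test_message(hostname="probe-host", app="syslog-probe"):
    """RFC 5424 test line; PRI 134 = facility local0 (16) * 8 + severity info (6)."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<134>1 {ts} {hostname} {app} - - - advanced logging path test"

def probe_syslog_tcp(host, port, timeout=3.0):
    """Classify the state of a TCP syslog listener.

    Returns (status, detail) where status is:
      ok          - connection accepted, test message written
      dns_failure - the server name does not resolve (configuration error)
      refused     - host answers but nothing listens on the port (not operational)
      timeout     - no answer at all (not accessible: routing or filtering)
      error       - any other socket error
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            # Newline-terminated framing (RFC 6587 non-transparent framing).
            conn.sendall(build_test_message().encode("utf-8") + b"\n")
        return "ok", f"{host}:{port} accepted the test message"
    except socket.gaierror as exc:  # must precede OSError, its parent class
        return "dns_failure", str(exc)
    except ConnectionRefusedError as exc:
        return "refused", str(exc)
    except (socket.timeout, TimeoutError) as exc:
        return "timeout", str(exc)
    except OSError as exc:
        return "error", str(exc)

if __name__ == "__main__":
    # Placeholder collector address and port (assumptions, not from the page).
    status, detail = probe_syslog_tcp("syslog.example.internal", 514)
    print(status, detail)
```

An `ok` result only shows that the TCP listener accepted the connection; confirm on the collector that the test line was actually written to its log.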
Advanced logging events to syslog servers were dropped
This alert appears when syslog messages are dropped due to memory overflow in the Firewall Threat Defense device, suggesting that the device cannot process logs at the current rate.
Review your advanced logging configuration. Consider applying more granular filters in your access control rules to reduce the volume of logs generated, or selectively enable advanced logging for fewer protocols, to decrease device memory consumption. For more information, refer to Guidelines and Limitations for Advanced Logging.