NSM – Delayed Logs

Issue

Logs received on the NSM are delayed by 6 minutes. The log viewer hangs for close to 6 minutes and then displays all the logs within a group. Also, today's log directory does not get created within /DevSvr/logs.

Solution

The NSM device server (DevSvr) performs a log tuple repair for every log it receives from a firewall device.
The tables used for this repair are maintained on the device server. However, if the managed devices are not in sync with the NSM, the
tables fall out of sync with the logs, which means that every log received has to query the database on the GUI server (guiSvr).
At a high logging rate there is a good chance that the thread performing these database queries gets stuck or
overloaded.
The NSM tuple repair is not designed to handle such a high volume of queries to the DB.
If you require tuple repair of logs, the devices should be kept in sync with the NSM.
If the devices are not kept in sync, it is better to disable tuple repair, since tuple repair that fails to complete adds extra load to the NSM servers.

To disable tuple repair, change the following flag in devSvr.cfg to:

devSvrManager.bypass_policylookup_enabled 1 
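The shell functions below are an added example, not Juniper's or the article's own code. They read a "key value" flag from a whitespace-separated config file such as devSvr.cfg and rewrite it in place, so the current value of the bypass flag can be confirmed before and after the change. The config file path is passed in by the caller (the real devSvr.cfg location depends on the NSM installation and is not assumed here), and the sample file in demo is constructed for illustration; only the bypass flag name comes from the article.

```shell
#!/bin/sh
# Added example (not Juniper's or the article's code): read and idempotently
# set a "key value" flag in a whitespace-separated config file like devSvr.cfg.
# The file path is supplied by the caller; no NSM install path is assumed.

# cfg_get FILE KEY: print the current value of KEY, or nothing if absent.
cfg_get() {
    awk -v k="$2" '$1 == k { print $2 }' "$1"
}

# cfg_set FILE KEY VALUE: rewrite an existing KEY line in place, otherwise
# append "KEY VALUE". Comments and unrelated lines are left untouched.
cfg_set() {
    if [ -f "$1" ] && grep -q "^$2[[:space:]]" "$1"; then
        tmp="$1.tmp.$$"
        awk -v k="$2" -v v="$3" '$1 == k { print k " " v; next } { print }' "$1" > "$tmp" && mv "$tmp" "$1"
    else
        printf '%s %s\n' "$2" "$3" >> "$1"
    fi
}

# disable_tuple_repair FILE: set the bypass flag named in the article to 1
# and print the value read back from the file, so the caller can confirm "1".
disable_tuple_repair() {
    cfg_set "$1" devSvrManager.bypass_policylookup_enabled 1
    cfg_get "$1" devSvrManager.bypass_policylookup_enabled
}

# demo: run against a constructed sample file (the second flag name is made
# up for illustration) and show the flag value before and after the change.
demo() {
    f="${TMPDIR:-/tmp}/devSvr.cfg.example.$$"
    printf '%s\n' \
        '# constructed sample, not a real devSvr.cfg' \
        'devSvrManager.bypass_policylookup_enabled 0' \
        'devSvrManager.example_other_flag 5' > "$f"
    echo "before: $(cfg_get "$f" devSvrManager.bypass_policylookup_enabled)"
    echo "after:  $(disable_tuple_repair "$f")"
    rm -f "$f"
}

# Run as: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Reading the flag back after writing it is the check worth keeping: the article's side effect only applies once the flag is actually 1, and a typo in the key name would otherwise append a second, ignored line instead of changing the real one.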

Notes

Changing the above may, however, have the side effect of causing crashes in the way the NSM GUI log window is displayed.
The full fix for this issue is found within NSM revisions 2008.2r2e10 and 2009.1.

Rick Donato
