How does Firewall Suite process log file records that are chronologically out of order?


This article applies to:

  • Firewall Suite 2.0b+
  • Firewall Suite 4.X

Question:

  • How does Firewall Suite process log file records that are chronologically out of order?
  • Does it matter if firewall log file records are out of chronological order?
  • Can log analysis settings impact performance?

Procedure:

Firewall Suite counts the number of records in the log file that are dropped because they are chronologically out of order. A high count of dropped records may be cause for concern: every out-of-order record affects visitor session statistics and, in some cases, alters session counts, session lengths, and so on. The session processing parameter that controls this, MaxOutOfOrder, can also impact memory usage.

To manually set the out-of-order timeout value for Firewall Suite, use the following steps:

  1. Open \wtm_<cartridge>\<cartridge>.ini in a text editor.
  2. Under the [defaults] section, add the line: MaxOutOfOrder=<n>
     where <n> is the number of seconds, from 1 to 359
  3. Save the changes.

Note: By default, all log analysis cartridges discard records that are more than thirty seconds out of order. MaxOutOfOrder sets the number of seconds' worth of records that the parsing engine sorts automatically in memory before discarding older ones. More seconds of in-memory sorting requires more memory.

Example:
When multiple Check Point FW-1 modules log to the same Console, the records from any module could be delayed more than thirty seconds because:

  • Differences in system clock times among the hosts cause timestamp differences
  • Periodic buffer dumps can introduce discrepancies when multiple services write records to a single log file
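As an added illustration (not from the original article and not the product's own code), the following Python script models the in-memory sorting window that MaxOutOfOrder describes: a record that is more than the window's length behind the newest timestamp seen so far is discarded and counted, while the rest are sorted in memory and emitted in chronological order. The log stream is constructed, with two FW-1 modules logging to one console and modB's clock 45 seconds behind modA's; the exact drop and flush rules are assumptions about the engine, not documented product internals.

```python
import heapq
from datetime import datetime, timedelta

def make_sample(n=12, skew=45, step=5):
    """Constructed arrival stream: modA and modB each log every `step` s to
    the same console; modB's system clock is `skew` s behind modA's."""
    base = datetime(2006, 4, 13, 10, 0, 0)
    lines = []
    for i in range(n):
        ta = base + timedelta(seconds=i * step)
        tb = ta - timedelta(seconds=skew)
        lines.append(f"{ta:%Y-%m-%d %H:%M:%S} modA accept src=10.1.1.{i % 5 + 1}")
        lines.append(f"{tb:%Y-%m-%d %H:%M:%S} modB accept src=10.2.2.{i % 5 + 1}")
    return lines

def parse_ts(line):
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")

def process_records(lines, max_out_of_order=30):
    """Assumed model of the MaxOutOfOrder window: a record more than the
    window behind the newest timestamp seen is discarded and counted; others
    wait in a min-heap and are emitted once nothing acceptable can precede
    them. Returns (emitted lines in time order, dropped count, peak heap size)."""
    window = timedelta(seconds=max_out_of_order)
    heap, emitted, dropped, peak, newest = [], [], 0, 0, None
    for seq, line in enumerate(lines):
        ts = parse_ts(line)
        newest = ts if newest is None or ts > newest else newest
        if newest - ts > window:
            dropped += 1          # too far behind to sort into place
            continue
        heapq.heappush(heap, (ts, seq, line))
        peak = max(peak, len(heap))   # memory held by the sorting window
        # Any future accepted record has ts >= newest - window, so records
        # at or before that point can be emitted safely in order.
        while heap and newest - heap[0][0] >= window:
            emitted.append(heapq.heappop(heap)[2])
    emitted.extend(item[2] for item in sorted(heap))
    return emitted, dropped, peak

if __name__ == "__main__":
    stream = make_sample()
    for secs in (30, 60):
        kept, dropped, peak = process_records(stream, secs)
        print(f"MaxOutOfOrder={secs}: kept {len(kept)}, dropped {dropped}, "
              f"peak records held in memory {peak}")
```

With the default 30-second window every modB record is dropped because of the 45-second clock skew; raising the window to 60 seconds keeps all of them, at the cost of more records held in memory at once.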

This article was previously published as:
NETIQKB664

Last Modified 4/13/2006.
https://support.trustwave.com/kb/KnowledgebaseArticle10539.aspx