This document describes why the Email Security Appliance (ESA) is unable to send data to a syslog server.
Why are there network errors when the ESA communicates with the syslog server?
The ESA has been configured to push log subscriptions to a syslog server. The files might or might not be successfully pushed to the syslog server. In any case, there can be network errors in the mail log file similar to this:
Log Error: Subscription Mail_Log: Network error while sending log data to syslog server
A packet capture between the ESA and the syslog server shows connection drops initiated by the syslog server, which in this example is 10.44.167.30.
If you follow the TCP stream in the packet capture you will see this:
<22>Jun 25 08:50:03 example.com: Info: Begin Logfile
<22>Jun 25 08:50:03 example.com: Info: Version: 8.0.1-023 SN: A4BADB4712A9-511AA1E
<22>Jun 25 08:50:03 example.com: Info: Time offset from UTC: 7200 seconds
<22>Jun 25 08:50:03 example.com: Info: A System/Critical alert was sent to email@example.com with subject "Critical <System> mail.example.com: Log Error: Subscription Mail_Log: Network error while sending l...".
The errors indicate that a firewall or Intrusion Prevention System (IPS) between the appliance and the syslog server blocks access to the syslog server's IP address. If every device in between has been examined and confirmed to allow the traffic, the syslog server itself might be too busy and refusing the connections. When the ESA is configured to send a log file to a syslog server, it uses UDP syslog port 514 by default unless it is configured to use TCP. Once the appliance is configured, the only thing that causes a connection to be reported as refused is that the appliance receives packets that close the connection as soon as it is opened.
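Added example, not part of the Cisco document: a Python probe that applies the checks above to the syslog server seen in the capture. It decodes the <22> priority prefix from the TCP stream, builds a line in the same format the ESA sends, and tells a connection the server actively refuses (closed as soon as it opens) apart from one a firewall or IPS silently drops; the TARGET default, the host name mail.example.com and the function names are assumptions made for this example.

```python
from __future__ import annotations
import socket
import sys
from datetime import datetime

SYSLOG_PORT = 514        # ESA default: UDP unless the subscription is set to TCP
TARGET = "10.44.167.30"  # the syslog server seen in this document's capture (assumed reachable)

def decode_pri(pri: int) -> tuple[int, int]:
    """Split the <PRI> prefix from the capture into (facility, severity).
    RFC 3164: PRI = facility * 8 + severity, so <22> is mail (2) / info (6)."""
    return pri // 8, pri % 8

def build_message(host: str, text: str, facility: int = 2, severity: int = 6,
                  now: datetime | None = None) -> bytes:
    """Format one line as the ESA does: <PRI>Mmm dd hh:mm:ss host: Info: text."""
    now = now or datetime.now()
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{stamp} {host}: Info: {text}\n".encode()

def probe_tcp(server: str, port: int = SYSLOG_PORT, payload: bytes = b"",
              timeout: float = 3.0) -> str:
    """'refused': peer closes the connection as soon as it opens (RST on connect);
    'filtered': no answer at all, the usual sign of a firewall/IPS drop;
    'reset': connect worked but the peer dropped us mid-send; 'accepted': all good."""
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            if payload:
                s.sendall(payload)
        return "accepted"
    except ConnectionRefusedError:
        return "refused"
    except ConnectionResetError:
        return "reset"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:  # e.g. no route to the server at all
        return f"error: {exc}"

def send_udp(server: str, payload: bytes, port: int = SYSLOG_PORT) -> int:
    """UDP is fire-and-forget: a good send only proves the datagram left the sender."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(payload, (server, port))

if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else TARGET
    msg = build_message("mail.example.com", "syslog reachability test")
    print(f"PRI <22> decodes to (facility, severity) = {decode_pri(22)}")
    print(f"TCP {server}:{SYSLOG_PORT} -> {probe_tcp(server, payload=msg)}")
    print(f"UDP {server}:{SYSLOG_PORT} -> {send_udp(server, msg)} bytes sent")
```

A 'filtered' result points at the devices in between; a 'refused' result means something at or in front of the server answers and closes the connection, which matches the drops seen in the capture.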