
Packets being dropped

Posted: Tue Oct 05, 2021 4:48 pm
by BanditBBS
I have my Infoblox DNS system sending logs to both AlienVault and NLS. NLS is missing many log entries that we can validate are being received by AlienVault. We changed the configuration and removed AlienVault to make sure it wasn't overloading the Infoblox, no luck. We did a tcpdump on the NLS node and validated that the packets with the data we are expecting are not even in the tcpdump. I'm going to have my network team sniff the network and validate the packets are making it to NLS.

My team and I are very confident we've ruled out everything except a bizarre network issue or NLS somehow dropping the packets. Is there any process running on NLS that could drop the packets so that they wouldn't even be seen in a tcpdump?

Re: Packets being dropped

Posted: Wed Oct 06, 2021 2:32 pm
by ssax
Nothing I'm aware of would stop it from showing in the tcpdump unless you have some form of host intrusion prevention that gets loaded before the network stack/driver and is blocking it before it's able to get to tcpdump (I've seen that in some HIPS implementations). It should still show them in tcpdump even if blocked by the local firewall, so it's likely network/security software related external to the Log Server system.

Are you seeing any drops/errors on the LS interfaces?

ethtool -S ens160    # NIC driver counters for the interface (drops, missed, fifo/overrun errors)
netstat -s           # kernel protocol counters (check the Udp: section for receive/buffer errors)

If there's an MTU mismatch somewhere in the path, they may be getting dropped at the network layer because of that as well; something to keep in mind.
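A way to turn the two commands above into a quick check, as an added example that is not from the original thread and not part of Nagios Log Server: the script below scans counter output and prints only the drop/error counters that are non-zero, then shows the real commands a Log Server admin would pipe into it plus the DF-set ping used to test for the MTU problem mentioned. The interface name ens160 follows the thread; the counter names in the embedded samples are constructed, not a capture from the poster's system; `nstat -az` and `ping -M do` are assumed to be the iproute2 and iputils versions found on a Linux host.

```sh
#!/bin/sh
# Added example (not from the original thread or from Nagios Log Server):
# reduce a noisy `ethtool -S` / `netstat -s` dump to the loss-related
# counters that are actually non-zero when hunting for missing syslog packets.

# flag_drops: read counter lines on stdin and print those whose name suggests
# loss (drop, error, discard, overrun, missed, pruned) and whose value is
# greater than zero. Handles both "name: value" (ethtool -S, nstat) and
# "value description" (netstat -s) layouts.
flag_drops() {
    awk '
    tolower($0) ~ /drop|err|discard|overrun|miss|prun/ {
        for (i = 1; i <= NF; i++) {
            v = $i
            sub(/:$/, "", v)                 # ethtool prints "rx_dropped: 0"
            if (v ~ /^[0-9]+$/ && v + 0 > 0) { print; next }
        }
    }'
}

# check_host: the real commands to run on the Log Server (not executed here).
# Interface name defaults to ens160 as in the thread (assumption); nstat -az
# (iproute2) dumps the per-protocol counters including zero values.
check_host() {
    iface="${1:-ens160}"
    echo "== ethtool -S $iface"; ethtool -S "$iface" | flag_drops
    echo "== netstat -s";        netstat -s        | flag_drops
    echo "== nstat -az";         nstat -az         | flag_drops
}

# Path MTU probe, run manually from the Log Server with Linux iputils ping
# (<infoblox-address> is a placeholder):
#   ping -M do -s 1472 -c 3 <infoblox-address>
# 1472 bytes of ICMP payload + 8 (ICMP) + 20 (IPv4) fills a 1500-byte MTU
# with DF set. "message too long" / "Frag needed and DF set" replies mean the
# path MTU is smaller, and full-size syslog datagrams are being dropped en
# route rather than on the Log Server.

# Constructed sample output; counter names are illustrative only.
SAMPLE_ETHTOOL='     rx_packets: 1048576
     rx_bytes: 734003200
     rx_dropped: 0
     rx_missed_errors: 1532
     tx_errors: 0
     rx_fifo_errors: 7'

SAMPLE_NETSTAT='Udp:
    20482 packets received
    12 packets to unknown port received
    5 packet receive errors
    20101 packets sent
    5 receive buffer errors
    0 send buffer errors'

# Stand-alone run over the constructed samples: prints only the non-zero
# loss counters (rx_missed_errors, rx_fifo_errors, the two UDP error lines).
echo "== ethtool sample"; printf '%s\n' "$SAMPLE_ETHTOOL" | flag_drops
echo "== netstat sample"; printf '%s\n' "$SAMPLE_NETSTAT" | flag_drops
```

On a live host, run `check_host ens160` (or substitute the interface name from `ip link`) and compare the numbers across two runs a minute apart: a counter that is non-zero but static is old history, one that keeps climbing while Infoblox is sending is the drop you are looking for. Non-zero `rx_missed_errors`/fifo counters point at the NIC or the VM host, while UDP "receive buffer errors" point at the Log Server's socket buffers; a failing DF-set ping points back into the network.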