OS: Server 2008 R2 - All servers
WS Version: Web Security 7.7.3
Server 1 (Main Site): Primary policy server/filtering server/Policy broker
Server 2 (Main Site): Log server/Triton WUI/
Server 3 (remote location): Secondary policy server/filtering
Server 4 (remote location): Secondary policy server/filtering
Server 3 and 4 are supposed to be sending log data to server 2 (They do not have local log servers). Everything has been working fine until recently, on server 3 and 4, the 'logging' container in /bin/config.xml somehow got automatically modified to show 'localhost' instead of the correct logging server IP (Server 2). Everything is correct in the WUI. I have switched to the secondary policy servers in Triton and the logging still points to the correct IP. If I save settings in the WUI and restart services on server 3 and 4 things will start working again and config.xml will be updated with the correct IP for logging. However, every couple days logging for those servers fails again and I look into the config.xml file again to see that the logging server has been set back to 'localhost' on servers 3 and 4. This has happened 2 to 3 times over the past two weeks.
No service restarts or failures are happening around the period that logging fails.
Has anyone experienced this issue or have some insight? Any advice would be appreciated. Please let me know if I need to clarify anything.