Re: [fw-wiz] Appropriate PIX logging level

On Wed, 26 Apr 2006, Marcus J. Ranum wrote:

David Lang wrote:
I was actually just starting to look into this, I'm being blasted by the messages from the pix when it rejects a broadcast packet (I'm getting 43,000 log entries per day based on the firewalls rejecting each server that's in a HA configuration and using broadcast udp packets for their heartbeat, that adds up to a LOT of log entries when there are several dozen such clusters)

Well, that's .497 entries per second; your system can handle that load, I bet!!! :)
Why not just put something in front of your logging routines that filters out the
"junk" with a blacklist before letting it into the log? If you like massive overkill
you could use syslog-ng and zap the stuff with a pattern, but this is more a
job for a 10 line C program or a 5 line perl program.

I'm actually trying to keep filters out of the path (until the data hits the primary archive, after it's there, copies can (and will be) filtered like crazy)

I actually have been trying syslog-ng and am horribly disappointed with its performance, the standard linux syslog (sysklogd) was handling >4000 logs/sec without losing any noticeable amount, syslog-ng on the same hardware is only logging ~80 logs/sec. Yes, I can switch to tcp for some of this, but that's covering over a performance problem, not really fixing it. I'm looking at other syslog options (including patching sysklog to maintain the original server name when it relays a message). Once I get back on my feet with this I'll then push up the data rate and see how far I can push it.

David Lang

There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.
-- C.A.R. Hoare
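Marcus's "blacklist in front of the logging routines" idea, as an added example that is not from either poster: a small Python filter that suppresses PIX UDP denies aimed at broadcast addresses and emits one count line per suppressed flow instead of one line per packet, so the volume drops while the archive still records that the heartbeats were rejected. The %PIX-4-106023 message layout, the /24 directed-broadcast assumption and the sample lines are my own constructions, not quoted from the thread; check the regex against what your PIX actually emits.

```python
import re
from collections import Counter

# Assumed PIX ACL-deny message text (modelled on %PIX-4-106023); this layout is an
# assumption for the example, not something quoted in the thread.
DENY_RE = re.compile(
    r"%PIX-\d-\d+: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+)"
    r" dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)

def is_broadcast(ip: str) -> bool:
    """Limited broadcast, or a directed broadcast assuming /24 subnets (assumption)."""
    return ip == "255.255.255.255" or ip.endswith(".255")

def filter_heartbeat_denies(lines):
    """Pass every line through unchanged except UDP denies to a broadcast address,
    which are counted per (src, dst, dport) instead of being stored one by one."""
    kept = []
    counts = Counter()
    for line in lines:
        m = DENY_RE.search(line)
        if m and m.group("proto").lower() == "udp" and is_broadcast(m.group("dip")):
            counts[(m.group("sip"), m.group("dip"), m.group("dport"))] += 1
        else:
            kept.append(line)
    return kept, counts

def summary_lines(counts):
    """One line per suppressed flow, so the log still shows the rejections happened."""
    return [
        f"FILTER-SUMMARY: suppressed {n} udp broadcast denies src {sip} dst {dip}/{dport}"
        for (sip, dip, dport), n in sorted(counts.items())
    ]

# Constructed sample input (not real firewall output).
SAMPLE = [
    'Apr 26 10:00:01 pix1 %PIX-4-106023: Deny udp src inside:10.1.2.3/5405 dst inside:10.1.2.255/5405 by access-group "acl_in"',
    'Apr 26 10:00:02 pix1 %PIX-4-106023: Deny udp src inside:10.1.2.4/5405 dst inside:10.1.2.255/5405 by access-group "acl_in"',
    'Apr 26 10:00:03 pix1 %PIX-4-106023: Deny udp src inside:10.1.2.3/5405 dst inside:10.1.2.255/5405 by access-group "acl_in"',
    'Apr 26 10:00:04 pix1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/41234 dst inside:10.1.2.10/22 by access-group "acl_out"',
    'Apr 26 10:00:05 pix1 %PIX-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.8/40000 to inside:10.1.2.10/443',
]

if __name__ == "__main__":
    kept, counts = filter_heartbeat_denies(SAMPLE)
    for line in kept + summary_lines(counts):
        print(line)
```

Run it as a pipe stage (read stdin, write stdout) in front of the collector and flush the summary on a timer rather than at end of input; a non-matching line is never touched, so anything outside the blacklist reaches the archive unchanged.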

firewall-wizards mailing list
