Re: [fw-wiz] syslog and network management



On Thu, 28 Feb 2008, ArkanoiD wrote:

Hmm, did you try tcp transport (if your router does support it)?
It might be better..

the sending devices did not support tcp transport, but there is not much
of an excuse for a program whose purpose is receiving logs to do so poorly
at it. if it's missing so many UDP packets that the OS is overflowing its
buffers and dropping them then it's going to do bad things to the tcp
dataflow as well. the difference is that now you are able to rely on the
sender to act as a buffer as well. but that leaves your logs where you
don't want them, eating up resources on the sender while being vulnerable
to disruption.

David Lang

On Tue, Feb 26, 2008 at 02:12:51PM -0800, david@xxxxxxx wrote:

We were logging 6 PIXen as well as many switches and routers (and a
much lesser level). We never "noticed" a great loss of messages... I
guess I can assume you did, and maybe I could learn from how you did!
:)

What daemon do you use?

we tried to use syslog-ng to receive activity from our border router and
write a copy locally (in large chunks) and relay the logs to another
syslog server inside.

we noticed a LOT of missing logs, when we changed to the default debian
syslogd we were able to handle an order of magnitude more logs without any
sign of missing logs (from around 100/sec to >1000/sec)
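One defender-side check for the kind of silent loss described in this thread, as an added example that is not part of the original post: on Linux the kernel counts datagrams it dropped because a UDP socket's receive buffer was full in /proc/net/snmp (the RcvbufErrors column of the Udp: lines), so sampling that file twice around a burst shows loss that the syslog receiver itself never reports. The two /proc/net/snmp snapshots below are constructed sample input.

```python
"""Measure UDP syslog loss from kernel counters rather than trusting the receiver.

When a log collector cannot drain its UDP socket fast enough, the kernel
drops datagrams once the socket receive buffer fills.  Those drops show up
in /proc/net/snmp as "RcvbufErrors" (also counted in "InErrors") on the
Udp: lines; the application sees nothing.  Reading the file twice, a few
seconds apart, and diffing the counters gives the loss during that window.
"""

# Constructed samples standing in for two reads of /proc/net/snmp.
SAMPLE_BEFORE = """\
Ip: Forwarding DefaultTTL InReceives InHdrErrors
Ip: 1 64 1000 0
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 500000 3 120 4000 120 0 0 0
"""

SAMPLE_AFTER = """\
Ip: Forwarding DefaultTTL InReceives InHdrErrors
Ip: 1 64 1200 0
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 560000 3 3320 4100 3320 0 0 0
"""


def parse_udp_counters(text):
    """Return the Udp: counters of a /proc/net/snmp dump as {name: value}."""
    lines = [l for l in text.splitlines() if l.startswith("Udp:")]
    if len(lines) != 2:
        raise ValueError("expected one Udp: header line and one Udp: value line")
    names = lines[0].split()[1:]
    values = [int(v) for v in lines[1].split()[1:]]
    return dict(zip(names, values))


def udp_loss(before, after):
    """Datagrams delivered, datagrams dropped for a full buffer, and loss ratio
    between two /proc/net/snmp samples."""
    b, a = parse_udp_counters(before), parse_udp_counters(after)
    received = a["InDatagrams"] - b["InDatagrams"]
    dropped = a["RcvbufErrors"] - b["RcvbufErrors"]
    offered = received + dropped          # what the senders actually put on the wire
    ratio = dropped / offered if offered else 0.0
    return received, dropped, ratio


if __name__ == "__main__":
    # Real use: replace the samples with open("/proc/net/snmp").read() taken twice.
    recv, drop, ratio = udp_loss(SAMPLE_BEFORE, SAMPLE_AFTER)
    print(f"received={recv} dropped={drop} loss={ratio:.1%}")
```

A non-zero RcvbufErrors delta during a burst means messages were lost before the daemon ever saw them, which is the case to raise the socket receive buffer or fix the receiver rather than to suspect the network.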

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
