Firewall Wizards mailing list archives

Re: Appropriate PIX logging level


From: Chuck Swiger <chuck () codefab com>
Date: Thu, 04 May 2006 10:24:31 -0400

ArkanoiD wrote:
> Well, does that mean that syslog should be either not reliable (generic datagram), not portable enough (sdsc), buggy (nsyslogd) or suffering
> performance problems (ng) ;-)?

You can get reliable logging with a stock BSD-flavor syslogd if you talk to it via a named pipe (i.e., /var/run/log or equivalent).

In many cases, you want to compress & summarize repeated output, or perform your initial analysis-identification-filtration steps first and forward on a summary and the interesting stuff, on the devices generating the logging, before you smother some dedicated central "logger" host in a huge volume of low-value syslog network traffic.

If you've got less than 10MB of data per day (~ 100K events or logfile lines), you probably don't need to worry about that or keeping several years worth of data around.

On the other hand, when a single busy host can generate 100MB to 1GB of loggable data per day just running a medium-busy website, understanding what your volume is, what your ability to process it meaningfully over longer intervals is, and what it is constrained by (disk space, log analysis processing time, others), becomes more important.

--
-Chuck
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
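A minimal source-side triage filter of the kind described in the post above (summarize the repetitive connection-setup noise, forward only the interesting lines, and scale a sample window to a daily volume estimate), as an added example that is not part of the original message. The sample lines are constructed in the Cisco PIX syslog tag format (`%PIX-<severity>-<message-id>:`); the severity threshold, the message IDs used in the sample, and the idea of running this on the logging device rather than the central host are assumptions for illustration.

```python
"""Source-side syslog triage: summarize repeats, forward the interesting
lines, estimate daily volume.  Added example, not code from the original post."""
import re
from collections import Counter

# PIX/ASA-style syslog tag, e.g. "%PIX-6-302013:".  Severity follows the
# syslog convention: 0 = emergency ... 7 = debug.
TAG = re.compile(r"%PIX-(\d)-(\d{6}):")

# Forward warning (4) and worse verbatim; roll everything noisier into counts.
FORWARD_SEVERITY = 4  # assumed threshold; tune per site

# Constructed sample lines (not real traffic); message IDs are assumptions.
SAMPLE = [
    "May  4 10:00:01 fw1 %PIX-6-302013: Built outbound TCP connection 1001 for outside:192.0.2.10/80 to inside:10.0.0.5/51000",
    "May  4 10:00:02 fw1 %PIX-6-302013: Built outbound TCP connection 1002 for outside:192.0.2.10/80 to inside:10.0.0.5/51001",
    "May  4 10:00:03 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4444 dst inside:10.0.0.5/22 by access-group \"outside_in\"",
    "May  4 10:00:04 fw1 %PIX-6-302014: Teardown TCP connection 1001 for outside:192.0.2.10/80 to inside:10.0.0.5/51000 duration 0:00:03 bytes 812 TCP FINs",
    "May  4 10:00:05 fw1 %PIX-6-302013: Built outbound TCP connection 1003 for outside:192.0.2.10/80 to inside:10.0.0.5/51002",
    "May  4 10:00:06 fw1 sshd[1234]: Accepted publickey for admin from 10.0.0.9 port 40000 ssh2",
]


def parse(line):
    """Return (severity, message_id) for a PIX-tagged line, else None."""
    m = TAG.search(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def triage(lines):
    """Split lines into those to forward verbatim and per-ID counts of the rest.

    Lines that do not carry a PIX tag are forwarded unchanged: a filter
    should never silently drop what it does not understand."""
    forwarded = []
    summary = Counter()
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            forwarded.append(line)
            continue
        severity, msg_id = parsed
        if severity <= FORWARD_SEVERITY:
            forwarded.append(line)
        else:
            summary[msg_id] += 1
    return forwarded, summary


def summary_lines(summary):
    """Render the counts as one compact line per message ID, ready to forward."""
    return [f"summary: %PIX-*-{mid} x{n}" for mid, n in sorted(summary.items())]


def estimate_daily_bytes(lines, sample_seconds):
    """Scale the bytes seen in a sample window (newlines included) to 24h."""
    sample_bytes = sum(len(line.encode()) + 1 for line in lines)
    return sample_bytes * 86400 // sample_seconds


if __name__ == "__main__":
    fwd, summ = triage(SAMPLE)
    for line in fwd + summary_lines(summ):
        print(line)
    # The six sample lines span roughly five seconds of wall clock.
    print("estimated bytes/day:", estimate_daily_bytes(SAMPLE, 5))
```

With the threshold at warning, the three connection-build lines and the teardown collapse to two summary lines while the deny and the sshd line go through untouched; the volume estimate is the figure to compare against the "10MB per day" and "100MB to 1GB per day" bands in the post when deciding whether the central logger needs this filtering in front of it at all.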
