Firewall Wizards mailing list archives
Re: Appropriate PIX logging level
From: David Lang <dlang () digitalinsight com>
Date: Wed, 26 Apr 2006 12:38:23 -0700 (PDT)
On Wed, 26 Apr 2006, Marcus J. Ranum wrote:
> David Lang wrote:
>> I was actually just starting to look into this, I'm being blasted by the messages from the pix when it rejects a broadcast packet (I'm getting 43,000 log entries per day based on the firewalls rejecting each server that's in a HA configuration and using broadcast udp packets for their heartbeat, that adds up to a LOT of log entries when there are several dozen such clusters)
>
> Well, that's .497 entries per second; your system can handle that load, I bet!!! :) Why not just put something in front of your logging routines that filters out the "junk" with a blacklist before letting it into the log? If you like massive overkill you could use syslog-ng and zap the stuff with a pattern, but this is more a job for a 10 line C program or a 5 line perl program.
I'm actually trying to keep filters out of the path (until the data hits the primary archive; after it's there, copies can (and will be) filtered like crazy).

I actually have been trying syslog-ng and am horribly disappointed with its performance. The standard linux syslog (sysklogd) was handling >4000 logs/sec without losing any noticeable amount; syslog-ng on the same hardware is only logging ~80 logs/sec. Yes, I can switch to tcp for some of this, but that's covering over a performance problem, not really fixing it. I'm looking at other syslog options (including patching sysklogd to maintain the original server name when it relays a message). Once I get back on my feet with this I'll then push up the data rate and see how far I can push it.
David Lang
--
There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies. -- C.A.R. Hoare
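As an added illustration of the pre-filter Marcus suggests (not code from either poster), the script below drops only PIX 106023 UDP denies whose destination is the broadcast address of a known cluster subnet, and instead of discarding them silently it appends a per-source tally so the archive still records that the heartbeats were rejected. The log lines, the cluster subnet and the heartbeat port are constructed sample data; the 106023 field layout is assumed from that message's documented format.

```python
import ipaddress
import re
from collections import Counter

# PIX message 106023: "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group <acl>".
# Only the protocol, source and destination fields are needed for the decision.
DENY_RE = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>\w+) "
    r"src [\w-]+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst [\w-]+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def is_heartbeat_broadcast_deny(line, cluster_nets):
    """True only for UDP denies aimed at the broadcast address of a listed cluster subnet."""
    m = DENY_RE.search(line)
    if m is None or m.group("proto").lower() != "udp":
        return False
    dst = ipaddress.ip_address(m.group("dst"))
    return any(dst == net.broadcast_address for net in cluster_nets)

def prefilter(lines, cluster_nets):
    """Return (kept_lines, tally): noise is replaced by one summary line per source/port pair."""
    kept, tally = [], Counter()
    for line in lines:
        if is_heartbeat_broadcast_deny(line, cluster_nets):
            m = DENY_RE.search(line)
            tally[(m.group("src"), m.group("dport"))] += 1
        else:
            kept.append(line)  # everything else passes through untouched
    for (src, dport), n in sorted(tally.items()):
        kept.append(f"prefilter: suppressed {n} udp broadcast denies from {src} to port {dport}")
    return kept, tally

# Constructed sample input: three heartbeat rejects, one unrelated deny, one connection record.
SAMPLE = [
    "Apr 26 12:00:01 fw1 %PIX-4-106023: Deny udp src inside:10.1.1.11/5405 dst inside:10.1.1.255/5405 by access-group acl_in",
    "Apr 26 12:00:01 fw1 %PIX-4-106023: Deny udp src inside:10.1.1.12/5405 dst inside:10.1.1.255/5405 by access-group acl_in",
    "Apr 26 12:00:02 fw1 %PIX-4-106023: Deny udp src inside:10.1.1.11/5405 dst inside:10.1.1.255/5405 by access-group acl_in",
    "Apr 26 12:00:03 fw1 %PIX-4-106023: Deny tcp src outside:192.0.2.7/4431 dst inside:10.1.1.20/22 by access-group acl_out",
    "Apr 26 12:00:04 fw1 %PIX-6-302013: Built inbound TCP connection 12345 for outside:192.0.2.8/1234 (192.0.2.8/1234) to inside:10.1.1.20/80 (10.1.1.20/80)",
]
CLUSTER_NETS = [ipaddress.ip_network("10.1.1.0/24")]  # assumed subnet of one HA cluster

if __name__ == "__main__":
    kept, _ = prefilter(SAMPLE, CLUSTER_NETS)
    print("\n".join(kept))
```

Run in front of the archive writer, this keeps the blacklist narrow (UDP, broadcast destination, listed subnets only) so a real deny to a host address is never swallowed.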