Re: Appropriate PIX logging level

[ArkanoiD <ark () eltex net>]

nuqneH,

Hmm, i stress-tested datagram unix socket several years ago and found that it
definitely can lose messages. Can't remember exact BSD flavor, most likely
it was Open or Free.

And kernel logging is much less reliable even than that. I remember there
was a set of patches that added reliable audit log to BSD kernel, but 
the license was somehow restrictive.

On Fri, May 05, 2006 at 08:52:07AM -0400, Chuck Swiger wrote:
> ArkanoiD wrote:
> > On Thu, May 04, 2006 at 10:24:31AM -0400, Chuck Swiger wrote:
> > > ArkanoiD wrote:
> > > > Well, does that mean that syslog should be either not reliable (generic 
> > > > datagram), not portable enough (sdsc), buggy (nsyslogd) or suffering
> > > > performance problems (ng) ;-)?
> > > You can get reliable logging with a stock BSD-flavor syslogd if you talk 
> > > to it via a named pipe (ie, /var/run/log or equivalent).
> >
> > No, BSD syslog is not reliable since it is datagram socket.
>
> UDP is not reliable, but what part of "named pipe" didn't you understand?
>
> Try feeding a million loglines through UDP over the network, and you'll 
> lose a few, probably less than 1% unless your network isn't that 
> reliable...but I haven't seen any lossage from logging locally via the 
> named pipe at a volume of a million lines a day over a period of months.
>
> > And there still is no reliable kernel logging at all.
>
> Most kernels implement a fixed-size circular message buffer, which is often 
> fairly small.  This is reliable within the limits that old messages will 
> quickly get over-written and that a fatal problem leading to a kernel panic 
> may not get logged because the system is in the process of termination.
>
> -- 
> -Chuck
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards