LogAnalysis
Re: [logs] naming multiple output files with syslog-ng Jan 01 2008 01:05PM
Chris Brenton (cbrenton chrisbrenton org)
On Wed, 2007-12-26 at 20:14 -0500, Mordechai T. Abzug wrote:
>
> We used to have some Cisco 7500 routers which did a fair amount of
> logging of packet-level events (i.e. denies.)

Personally I find permits far more interesting than denies, as they
represent packets that actually made it past the perimeter. Also,
access groups applied "out" rather than "in" incur less of a performance
hit. With this in mind I like to use them for my logging rules. The
exception of course is logging traffic that interacts with the router
itself.

> Over the years in this
> configuration, CPU utilization gradually increased. At one point, CPU
> hit 100%, and we started having high packet loss. One of the network
> guys tried turning off logging. CPU immediately dropped to about 3%,
> and performance steadied.

From the poking I've done with IOS, logging appears to be an extreme
afterthought. Why oh why did someone think it was a good idea to report
all ICMP traffic as Echo Replies unless I create a specific logging rule
for every single ICMP type code?

Also, my experience with IOS has been that you get about one log entry
every 500 ms. You can miss a lot of interesting traffic in that time.

IOS is also notorious for lying to you. To see what I mean, try this:
1) Remove all ACLs from the router
2) Establish a TCP communication session (Telnet, SSH, etc.) to the
router
3) Install an inbound deny all and log rule
4) Type the command "show running" in your session
5) Get a cup of coffee
6) Check the session later and note the command made it through & all
log entries say the traffic was denied

So "logging problems" with IOS is a relative term. I think some of the
things we consider problems someone else considered "a feature". ;-)

HTH,
Chris
--
cbrenton (at) chrisbrenton (dot) org [email concealed]

Did you know:
It's possible to covertly communicate through FW-1 and Netscreen
firewalls with TCP ACK packets.

Visit http://www.sans.org/info/16981 to find out how you can learn more.

_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis
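Two of Chris's observations lend themselves to a quick triage script: permits are the entries worth reading first, and a router that emits roughly one ACL log entry per 500 ms is probably not logging everything it matched. The following is an added example, not code from the thread; the log lines are constructed, the regex assumes the common `%SEC-6-IPACCESSLOGP` format produced with `service timestamps log datetime msec`, and the 500 ms pacing is the figure quoted in the post rather than a documented limit.

```python
"""Triage Cisco IOS ACL log lines: split permits from denies and flag entries
that arrive at the router's per-entry pacing (a hint that packets went unlogged)."""
import re
from datetime import datetime

# Matches e.g. "Dec 26 20:14:03.100: %SEC-6-IPACCESSLOGP: list 101 denied tcp
# 203.0.113.9(4455) -> 192.0.2.10(23), 1 packet"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): %SEC-6-IPACCESSLOG\w*: "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?, "
    r"(?P<count>\d+) packets?"
)

# Constructed sample: three entries spaced 500 ms apart, then a quiet gap.
SAMPLE = """\
Dec 26 20:14:03.100: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(4455) -> 192.0.2.10(23), 1 packet
Dec 26 20:14:03.600: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.7(51000) -> 192.0.2.20(80), 1 packet
Dec 26 20:14:04.100: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.9(5000) -> 192.0.2.10(161), 1 packet
Dec 26 20:14:09.000: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.7(51001) -> 192.0.2.20(443), 1 packet
"""


def parse_lines(text):
    """Return one dict per matching ACL log line; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S.%f")
        rec["count"] = int(rec["count"])
        records.append(rec)
    return records


def split_by_action(records):
    """Permits first: they are the packets that actually crossed the perimeter."""
    permits = [r for r in records if r["action"] == "permitted"]
    denies = [r for r in records if r["action"] == "denied"]
    return permits, denies


def paced_entries(records, interval_ms=500):
    """Indices of entries that follow their predecessor within interval_ms.
    A steady cadence at the pacing interval suggests the router is suppressing
    entries rather than reporting every matching packet."""
    hits = []
    for i in range(1, len(records)):
        gap_ms = (records[i]["ts"] - records[i - 1]["ts"]).total_seconds() * 1000
        if gap_ms <= interval_ms:
            hits.append(i)
    return hits
```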
