[c-nsp] Cisco boxes and Syslog-ng

A.Rahman Isnaini R.suTan risnaini at indo.net.id
Thu Sep 8 07:14:12 EDT 2005


Ariel,

Ariel Biener wrote:
> On Thursday 08 September 2005 06:50, A.Rahman Isnaini R.suTan wrote:
> 
>>I noted that Cisco couldn't log the traffic with thousands hits persecond.
>>They shown on the ACL matches but not shown either on "show logging"  or
>>in the log file of syslog-ng server.
>>
>>I believe there is a limitation or threshold hits that Cisco could log
>>them.
> 
> 
> I am not sure I understand your mail. You think there is a limitation on how
> many msgs/sec a Cisco device can send or a limitation on how many
> msgs/sec a syslog/syslog-ng server can receive ?  


Let me make it more clear, sorry it's a bit out of original topic.
In case of flooding, sometimes we applied ACL with log.
Like :

    access-list 101 permit tcp any any range 0 65535 log (20250 matches)

It's just less then a second,again type showing the same access-list.

    access-list 101 permit tcp any any range 0 65535 log (32407 matches)


It should have logged on the buffer log cisco or/and export to 
syslog-ng? but we didn't even see it.
For less then 10000 matches, yes by issuing show logging there is one 
source to one destination with 4500 packets information at the end of log.


There's such a limitation mount of matches packet that Cisco could log it.

- A. Rahman Isnaini RsT

	






> --Ariel
>  --
>  Ariel Biener
>  e-mail: ariel at post.tau.ac.il
>  PGP: http://www.tau.ac.il/~ariel/pgp.html
> 
> 

-- 

:: Rahman Isnaini R suTan
:: Network Operation Engineer
:: PT IndoInternet




More information about the cisco-nsp mailing list