[c-nsp] Cisco boxes and Syslog-ng

Rodney Dunn rodunn at cisco.com
Thu Sep 8 09:30:49 EDT 2005


It's done to protect the box since those logs require
a punt to process level.

Cisco does NOT recommend you do it that way.

If you need to track packet drops at that level
you should use netflow and export to a collector
to match on DSTIF Null0.

Rodney

On Thu, Sep 08, 2005 at 06:14:12PM +0700, A.Rahman Isnaini R.suTan wrote:
> Ariel,
> 
> Ariel Biener wrote:
> > On Thursday 08 September 2005 06:50, A.Rahman Isnaini R.suTan wrote:
> > 
> >>I noted that Cisco couldn't log the traffic with thousands of hits per second.
> >>They are shown in the ACL matches but not shown either in "show logging" or
> >>in the log file of the syslog-ng server.
> >>
> >>I believe there is a limitation or threshold of hits that Cisco could log
> >>them.
> > 
> > 
> > I am not sure I understand your mail. You think there is a limitation on how
> > many msgs/sec a Cisco device can send or a limitation on how many
> > msgs/sec a syslog/syslog-ng server can receive ?  
> 
> 
> Let me make it more clear, sorry it's a bit out of original topic.
> In case of flooding, sometimes we applied ACL with log.
> Like :
> 
>     access-list 101 permit tcp any any range 0 65535 log (20250 matches)
> 
> It's just less than a second, again type showing the same access-list.
> 
>     access-list 101 permit tcp any any range 0 65535 log (32407 matches)
> 
> 
> It should have logged in the Cisco log buffer and/or exported to 
> syslog-ng? But we didn't even see it.
> For less than 10000 matches, yes, by issuing show logging there is one 
> source to one destination with 4500 packets information at the end of log.
> 
> 
> There's such a limitation on the amount of matched packets that Cisco could log.
> 
> - A. Rahman Isnaini RsT
> 
> > --Ariel
> >  --
> >  Ariel Biener
> >  e-mail: ariel at post.tau.ac.il
> >  PGP: http://www.tau.ac.il/~ariel/pgp.html
> > 
> > 
> 
> -- 
> 
> :: Rahman Isnaini R suTan
> :: Network Operation Engineer
> :: PT IndoInternet
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

