[c-nsp] Cisco boxes and Syslog-ng

Scott Altman staltman at gmail.com
Thu Sep 8 09:59:42 EDT 2005


I think we are confusing issues. With the ACL logging command, it
doesn't log every hit in syslog, so it's not a limitation of syslog
processing, etc.; it's by design of the ACL log function.  And as
Rodney noted, the syslog process isn't high-priority and some things
get missed.

As I recall, it (ACL log) will create a syslog message for each new
traffic stream (src<->dst) per 5-minute interval, so if your traffic
is only between two hosts or NAT'd networks, you won't see much in the
syslog, but you will see your ACL match counter increment; in your
case, significantly.

Per Rodney's comment, using syslog is not the way to do traffic
monitoring; it's a high-level, not quite granular method.  Use NetFlow,
or if you need detail, stick a box with Ethereal on it between the two
networks.

- Scott

On 9/8/05, A.Rahman Isnaini R.suTan <risnaini at indo.net.id> wrote:
> Ariel,
> 
> Ariel Biener wrote:
> > On Thursday 08 September 2005 06:50, A.Rahman Isnaini R.suTan wrote:
> >
> >>I noted that Cisco couldn't log the traffic with thousands of hits per second.
> >>They show up in the ACL matches but are not shown either in "show logging" or
> >>in the log file of the syslog-ng server.
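As an added illustration (not code from this thread or from Cisco), a small Python model of the behaviour Scott describes: one syslog message per new src/dst pair per 5-minute interval, while the ACL match counter increments on every hit. The 300-second window, the log-line text and the traffic samples are constructed assumptions for the model, not Cisco's implementation.

```python
"""Model of the gap between ACL match counters and ACL-log syslog output.

Simplified model (an assumption, not Cisco's implementation): every hit
increments the ACL counter, but a syslog line is emitted only for the first
hit of a given (src, dst) pair within each 5-minute window.
"""

WINDOW_SECONDS = 300  # the 5-minute interval mentioned in the post


def simulate(hits):
    """hits: iterable of (timestamp_seconds, src, dst) tuples.

    Returns (acl_match_count, syslog_lines): the counter a 'show access-list'
    style view would report, and the lines a syslog collector would receive.
    """
    matches = 0
    last_logged_window = {}  # (src, dst) -> window index of the last log line
    syslog_lines = []
    for ts, src, dst in hits:
        matches += 1
        window = int(ts) // WINDOW_SECONDS
        key = (src, dst)
        if last_logged_window.get(key) != window:
            last_logged_window[key] = window
            # Constructed message text, not a real Cisco syslog format.
            syslog_lines.append(f"t={int(ts)}s ACL deny {src} -> {dst}")
    return matches, syslog_lines


def constructed_hits(count, sources, dst, duration_seconds):
    """Constructed sample traffic: `count` hits spread evenly over
    `duration_seconds`, rotating through `sources` toward one destination."""
    return [(i * duration_seconds / count, sources[i % len(sources)], dst)
            for i in range(count)]


if __name__ == "__main__":
    # Two hosts hammering each other: thousands of matches, one log line.
    two_hosts = constructed_hits(1000, ["10.0.0.1"], "10.0.0.2", 60)
    print("two hosts:", simulate(two_hosts)[0], "matches,",
          len(simulate(two_hosts)[1]), "syslog line(s)")
    # Many distinct sources: the same hit count now produces many lines.
    srcs = [f"192.0.2.{i}" for i in range(1, 201)]
    scan = constructed_hits(1000, srcs, "10.0.0.2", 60)
    print("200 sources:", simulate(scan)[0], "matches,",
          len(simulate(scan)[1]), "syslog line(s)")
```

The takeaway for monitoring is the ratio between the two numbers: a syslog collector sees flow novelty, not traffic volume, which is why NetFlow or a capture box is the right tool when volume matters.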