[c-nsp] Cisco boxes and Syslog-ng
Kim Onnel
karim.adel at gmail.com
Thu Sep 8 10:25:25 EDT 2005
I was once told by our good friend Rodney:
> I was told by friend that 6500/7600 with Sup720's could be giving
> wrong counter numbers, because ACLs are done in ASICS and these
> numbers are displayed using the IOS(software processing) , where it
> would be pain for the device to keep sending the matches numbers to
> the software.
I don't kow all the details but some hardware ACL impementations don't
record per ACE (access-list entry) hits. I don't think the sup2 does
but I thought the sup720 does. I can't remember the answer for that 100%.
But regardless, you should use netflow to do traffic analysis not ACL's
with hit counters.
On 9/8/05, A.Rahman Isnaini R.suTan <risnaini at indo.net.id> wrote:
>
>
>
> I noted that Cisco couldn't log the traffic with thousands hits persecond.
> They shown on the ACL matches but not shown either on "show logging" or
> in the log file of syslog-ng server.
>
> I believe there is a limitation or threshold hits that Cisco could log
> them.
>
> Ariel Biener wrote:
>
> > Are we talking about high volume or low volume (in lines per second) ?
> > In general, assuming you define the same syslog severity and facility
> (log
> > level) on your various Cisco routers, then it will include an identifier
> of
> > who sent the syslog entry. Now, syslog (regular, see NG below) accepts
> > as out either files, or a pipe `|' to a script. Your script can then
> > manipulate the entries, and write each to it's own file based on
> whatever
> > you write in that script.
> >
>
> :: Rahman Isnaini R suTan
> :: Network Operation Engineer
> :: PT IndoInternet
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
More information about the cisco-nsp
mailing list