[c-nsp] Cisco boxes and Syslog-ng

John Kristoff jtk at northwestern.edu
Thu Sep 8 15:21:41 EDT 2005


On Thu, 8 Sep 2005 09:30:49 -0400
Rodney Dunn <rodunn at cisco.com> wrote:

> It's done to protect the box since those logs require
> a punt to process level.
> 
> Cisco does NOT recommend you do it that way.
> 
> If you need to track packet drops at that level
> you should use netflow and export to a collector
> to match on DSTIF Null0.

Except, if I have my facts straight, even some modern hardware
apparently will not export flows that are dropped by ACLs or
failed uRPF checks.  Both the limits of punting on logs and the
inability to export dropped flows are a serious limitation in my
view.  Thus far I've felt that where logs are important enough
I'll take my chances.  ...and yes I know about OAL, but when you
enable that, the logs you then end up getting do not provide enough
information to be useful (e.g. no TCP/UDP port info is included).

John
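The collector-side half of Rodney's suggestion, as an added example that is not part of this thread or of any Cisco tool: a small NetFlow v5 decoder that keeps only flows whose output ifIndex is Null0, so that black-holed traffic shows up with its TCP/UDP ports (the detail John notes OAL logs omit). The Null0 ifIndex value (5 here) is an assumption; on a real exporter look it up with "show snmp mib ifmib ifindex". The datagram is constructed inline so the script runs offline. Note John's caveat still applies: this only sees flows the hardware actually exports, so packets dropped by an ACL or uRPF before a flow record is created will not appear here.

```python
import struct
import ipaddress

# NetFlow v5 wire format (network byte order): 24-byte header, then 48-byte records.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48

RECORD_FIELDS = (
    "srcaddr", "dstaddr", "nexthop", "input", "output",
    "dPkts", "dOctets", "first", "last", "srcport", "dstport",
    "pad1", "tcp_flags", "prot", "tos", "src_as", "dst_as",
    "src_mask", "dst_mask", "pad2",
)

# Assumed value: the SNMP ifIndex the exporter assigned to Null0.
# Replace with the real index from "show snmp mib ifmib ifindex".
NULL0_IFINDEX = 5


def parse_netflow_v5(datagram):
    """Decode one NetFlow v5 export datagram into a list of flow dicts."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than NetFlow v5 header")
    version, count = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])[:2]
    if version != 5:
        raise ValueError("unsupported NetFlow version %d" % version)
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("datagram truncated: header count exceeds payload")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        values = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        rec = dict(zip(RECORD_FIELDS, values))
        rec["srcaddr"] = str(ipaddress.IPv4Address(rec["srcaddr"]))
        rec["dstaddr"] = str(ipaddress.IPv4Address(rec["dstaddr"]))
        flows.append(rec)
    return flows


def null0_drops(flows, null0_ifindex=NULL0_IFINDEX):
    """Flows whose output ifIndex is Null0, i.e. traffic the router black-holed."""
    return [f for f in flows if f["output"] == null0_ifindex]


def describe(flow):
    """One-line summary that keeps the L4 ports OAL logging would not give you."""
    proto = {1: "icmp", 6: "tcp", 17: "udp"}.get(flow["prot"], str(flow["prot"]))
    return ("%s %s:%d -> %s:%d pkts=%d in_if=%d out_if=%d" % (
        proto, flow["srcaddr"], flow["srcport"], flow["dstaddr"], flow["dstport"],
        flow["dPkts"], flow["input"], flow["output"]))


def _record(src, dst, in_if, out_if, pkts, sport, dport, prot):
    # Helper to build one constructed 48-byte v5 record (nexthop 0, SYN flag set).
    return struct.pack(RECORD_FMT,
                       int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
                       0, in_if, out_if, pkts, pkts * 64, 1000, 2000,
                       sport, dport, 0, 0x02, prot, 0, 0, 0, 24, 24, 0)


# Constructed sample export: one forwarded flow and one flow routed to Null0.
SAMPLE_DATAGRAM = (
    struct.pack(HEADER_FMT, 5, 2, 123456, 1126200000, 0, 1, 0, 0, 0)
    + _record("198.51.100.7", "203.0.113.10", 2, 3, 10, 40000, 80, 6)
    + _record("198.51.100.9", "192.0.2.55", 2, NULL0_IFINDEX, 3, 51000, 22, 6)
)

if __name__ == "__main__":
    for f in null0_drops(parse_netflow_v5(SAMPLE_DATAGRAM)):
        print(describe(f))
```

In practice you would feed parse_netflow_v5() each UDP datagram received on the collector port and run the same filter; matching on the output ifIndex is what "DSTIF Null0" means in the exported record.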

