Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Re: Appropriate PIX logging level
From: ArkanoiD <ark () eltex net>
Date: Fri, 5 May 2006 17:07:16 +0400


Hmm, i stress-tested datagram unix socket several years ago and found that it
definitely can lose messages. Can't remember exact BSD flavor, most likely
it was Open or Free.

And kernel logging is much less reliable even than that. I remember there
was a set of patches that added reliable audit log to BSD kernel, but 
the license was somehow restrictive.

On Fri, May 05, 2006 at 08:52:07AM -0400, Chuck Swiger wrote:
ArkanoiD wrote:
On Thu, May 04, 2006 at 10:24:31AM -0400, Chuck Swiger wrote:
ArkanoiD wrote:
Well, does that mean that syslog should be either not reliable (generic 
datagram), not portable enough (sdsc), buggy (nsyslogd) or suffering
performance problems (ng) ;-)?
You can get reliable logging with a stock BSD-flavor syslogd if you talk 
to it via a named pipe (ie, /var/run/log or equivalent).

No, BSD syslog is not reliable since it is datagram socket.

UDP is not reliable, but what part of "named pipe" didn't you understand?

Try feeding a million loglines through UDP over the network, and you'll 
lose a few, probably less than 1% unless your network isn't that 
reliable...but I haven't seen any lossage from logging locally via the 
named pipe at a volume of a million lines a day over a period of months.

And there still is no reliable kernel logging at all.

Most kernels implement a fixed-size circular message buffer, which is often 
fairly small.  This is reliable within the limits that old messages will 
quickly get over-written and that a fatal problem leading to a kernel panic 
may not get logged because the system is in the process of termination.

firewall-wizards mailing list
firewall-wizards () honor icsalabs com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]