> Of course, I should be able to detect that there is something going on
> due to the sharp increase in network traffic and - as far as the
> firewalled sites are concerned - the number of firewall alerts. HOWEVER,
> most of this data is reported by syslog. This being UDP is one of the
> first things to be thrown away during congestion. I think the worm is
> the first situation that in reality proves whether or not syslog is able
> to provide a high enough message delivery rate to trigger alerts - or be
> of no use at all.

The biggest lesson is simply network structure: if you have all of your control and logging going over the same network (or a VLAN without some sort of prioritization or reserved bandwidth), you're screwed.

One interesting syslog aspect involves the replacement protocols. Is there a syslog replacement out there which uses QoS so that routers can prioritize critical errors ahead of the flood of low-priority errors (e.g. per-probe notifications) and worm traffic? Most of the syslog replacements seem to focus on application-level prioritization, which doesn't help much if you envision a future where most hosts speak the syslog replacements natively - the most you could do in that case would be pushing aggregators further out towards the edge, which is expensive and unlikely to happen on most networks. Even regular syslog would be better in this case if you had a version which set the appropriate IP QoS bits before sending.

Chris
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
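The "syslog that sets the IP QoS bits before sending" that Chris asks for, as an added example that is not part of the original post or of any syslog implementation: a minimal RFC 3164 sender in Python that marks each UDP datagram's DSCP (the six QoS bits in the IPv4 TOS byte) according to the message severity before calling sendto, so routers that honour DSCP can queue critical and alert messages ahead of a flood of per-probe notices and worm traffic. The severity-to-DSCP mapping, the hostname, tag and sample events are constructed for this example; which DSCP classes a given network actually honours is a local policy decision.

```python
import socket
from datetime import datetime

# RFC 3164 facility and severity codes (PRI = facility * 8 + severity).
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5,
              "local0": 16, "local4": 20}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

# DSCP code points from RFC 2474 / RFC 4594. The mapping below is a
# constructed example policy, not a standard; pick classes your routers honour.
DSCP_CS0 = 0    # best effort
DSCP_AF31 = 26  # assured forwarding, class 3
DSCP_CS6 = 48   # network control

MAX_RFC3164_LEN = 1024


def pri(facility: str, severity: str) -> int:
    """RFC 3164 PRI value carried in the <N> prefix of the datagram."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def severity_to_dscp(severity: str) -> int:
    """Constructed policy: crit and above ride in the network-control class,
    err and warning in AF31, everything else best effort, so a burst of
    notices cannot crowd out the alerts in a congested queue."""
    s = SEVERITIES[severity]
    if s <= SEVERITIES["crit"]:
        return DSCP_CS6
    if s <= SEVERITIES["warning"]:
        return DSCP_AF31
    return DSCP_CS0


def tos_byte(dscp: int) -> int:
    """DSCP occupies the top six bits of the IPv4 TOS byte; the low two bits
    are ECN and are left at zero."""
    return (dscp & 0x3F) << 2


def format_message(facility, severity, hostname, tag, text, when=None) -> bytes:
    """Build an RFC 3164 datagram: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG.
    The day of month is space padded; the result is cut at the 1024-byte
    limit the RFC allows."""
    when = when or datetime.now()
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    line = f"<{pri(facility, severity)}>{ts} {hostname} {tag}: {text}"
    return line.encode("ascii", "replace")[:MAX_RFC3164_LEN]


def open_syslog_socket() -> socket.socket:
    """Plain UDP socket; the TOS byte is set per message in send_marked."""
    return socket.socket(socket.AF_INET, socket.SOCK_DGRAM)


def send_marked(sock, dest, facility, severity, hostname, tag, text, when=None):
    """Set the IP TOS byte for this message's severity, then send it.
    Returns (dscp, datagram) so the caller can record what was marked."""
    dscp = severity_to_dscp(severity)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos_byte(dscp))
    datagram = format_message(facility, severity, hostname, tag, text, when)
    sock.sendto(datagram, dest)
    return dscp, datagram


if __name__ == "__main__":
    # Constructed sample: a firewall host sending one critical event and a
    # burst of per-probe notices to a collector on localhost.
    sock = open_syslog_socket()
    collector = ("127.0.0.1", 514)
    when = datetime(2003, 1, 26, 18, 46, 45)
    events = [("crit", "link to upstream lost"),
              ("notice", "probe from 10.0.0.7 denied"),
              ("notice", "probe from 10.0.0.8 denied")]
    for sev, text in events:
        dscp, dgram = send_marked(sock, collector, "local4", sev,
                                  "fw1", "ipfw", text, when)
        print(f"dscp={dscp:2d} {dgram.decode()}")
```

Two caveats that follow from the thread's own point about network structure: DSCP marking only buys anything where the routers between host and collector trust and honour markings from that source (untrusted edges often rewrite DSCP to zero), and it does nothing about drops inside the sending host's own socket queue or at an overloaded collector. It is a complement to a separately prioritized or reserved management path, not a substitute for one.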
This archive was generated by hypermail 2b30 : Sun Jan 26 2003 - 18:46:45 PST