Re: [logs] How are people bringing DMZ syslog msgs into the central server?

From: Balazs Scheidler (bazsiat_private)
Date: Wed Feb 05 2003 - 06:58:53 PST


    On Mon, Jan 20, 2003 at 08:08:22PM +0100, Mikael Olsson wrote:
    > Examples:
    > - Two recent syslog-ng snafus:
    >   http://www.securiteam.com/unixfocus/6H00E0K5PW.html
    >   http://www.securiteam.com/unixfocus/6G00R1P0AM.html
    
    Just as a side-note, one of those is two years old, the other causes
    problems only if syslog-ng is configured in a special way.
    
    > - Syslog as well as syslog-ng crashes when an output file exceeds the
    >   2GB file size limit.  Sending 2GB of "harmless" events takes less than
    >   five minutes over 100Mbps ethernet.  After this, the log receiver (and 
    >   hence the alerting facility) is disabled, and will no longer react to 
    >   "evil" events.  Oops.
    
    syslog-ng supports files over 2GB, though filling the disk is an issue and
    has always been.
    
    Alerting based on log file size is not too difficult though.
    
    -- 
    Bazsi
    PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
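
The size-based alerting mentioned in the reply above, as an added example that is not part of the original message or of syslog-ng: it polls one log file and warns when the file nears the 2GB limit, or when its growth rate would use up that limit or the free disk space within a set horizon. The thresholds, the polling interval and all function names are assumptions.

```python
import os
import shutil
import sys
import time

SIZE_LIMIT = 2**31 - 1  # largest file size without large-file support (the 2GB limit)

def evaluate(prev_size, size, interval_s, free_bytes,
             size_limit=SIZE_LIMIT, horizon_s=900, warn_fraction=0.8):
    """Return alert strings for one polling interval (thresholds are assumptions)."""
    alerts = []
    if size >= warn_fraction * size_limit:
        alerts.append("SIZE: %d bytes is %.0f%% of the limit"
                      % (size, 100.0 * size / size_limit))
    # A smaller file than last time means rotation or truncation: no growth.
    rate = max(size - prev_size, 0) / interval_s
    if rate > 0:
        # Whichever runs out first: room below the size limit, or free disk.
        headroom = min(max(size_limit - size, 0), free_bytes)
        eta_s = headroom / rate
        if eta_s <= horizon_s:
            alerts.append("RATE: %.0f B/s leaves about %.0f s of headroom"
                          % (rate, eta_s))
    return alerts

def sample(path):
    """Current size of the log file and free bytes on its filesystem."""
    directory = os.path.dirname(os.path.abspath(path))
    try:
        size = os.path.getsize(path)
    except OSError:
        size = 0  # file briefly missing during rotation
    return size, shutil.disk_usage(directory).free

def poll(path, interval_s=30, notify=print, rounds=None):
    """Sample every interval_s seconds; notify should not write to the watched disk."""
    prev_size, _ = sample(path)
    done = 0
    while rounds is None or done < rounds:
        time.sleep(interval_s)
        size, free_bytes = sample(path)
        for alert in evaluate(prev_size, size, interval_s, free_bytes):
            notify(alert)
        prev_size, done = size, done + 1

if __name__ == "__main__":
    poll(sys.argv[1])
```

At the flood rate quoted in the thread (2GB in under five minutes), a 30-second interval gives several samples before the limit is reached, so the rate alert fires well ahead of the size alert.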
    



    This archive was generated by hypermail 2b30 : Wed Feb 05 2003 - 09:44:49 PST