[logs] naming multiple output files with syslog-ng
Chris Brenton
cbrenton at chrisbrenton.org
Tue Jan 1 05:05:03 PST 2008
On Wed, 2007-12-26 at 20:14 -0500, Mordechai T. Abzug wrote:
>
> We used to have some Cisco 7500 routers which did a fair amount of
> logging of packet-level events (i.e. denies.)
Personally I find permits far more interesting than denies as it
represents packets that actually made it past the perimeter. Also,
access groups applied "out" rather than "in" incur less of a performance
hit. With this in mind I like to use them for my logging rules. The
exception of course is logging traffic that interacts with the router
itself.
> Over the years in this
> configuration, CPU utilization gradually increased. At one point, CPU
> hit 100%, and we started having high packet loss. One of the network
> guys tried turning off logging. CPU immediately dropped to about 3%,
> and performance steadied.
From the poking I've done with IOS, logging appears to be an extreme
afterthought. Why oh why did someone think it was a good idea to report
all ICMP traffic as Echo Replies unless I create a specific logging rule
for every single ICMP type code?
Also, my experience with IOS has been that you get about one log entry
every 500 ms. You can miss a lot of interesting traffic in that time.
IOS is also notorious for lying to you. To see what I mean, try this:
1) Remove all ACLs from the router
2) Establish a TCP communication session (Telnet, SSH, etc.) to the
router
3) Install an inbound deny all and log rule
4) Type the command "show running" in your session
5) Get a cup of coffee
6) Check the session later and note the command made it through & all
log entries say the traffic was denied
So "logging problems" with IOS is a relative term. I think some of the
things we consider problems someone else considered "a feature". ;-)
HTH,
Chris
--
cbrenton at chrisbrenton.org
Did you know:
It's possible to covertly communicate through FW-1 and Netscreen
firewalls with TCP ACK packets.
Visit http://www.sans.org/info/16981 to find out how you can learn more.
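As an added example, not part of Chris's message or the thread, here is a small Python tally over IOS ACL log lines that separates permits from denies by packet count (so that permit logging, as Chris prefers, can be reviewed on its own) and flags ICMP entries logged as type 0, which the message says IOS reports for all ICMP unless a per-type log rule exists. The sample lines are constructed, and the field layout assumed is the %SEC-6-IPACCESSLOGP / %SEC-6-IPACCESSLOGDP format.

```python
"""Tally Cisco IOS ACL log lines by action and protocol.

IOS emits one %SEC-6-IPACCESSLOG* line per flow (rate limited) carrying an
"N packet(s)" field, so totals below sum that field instead of counting
lines.  Added example; the sample lines are constructed, not real traffic.
"""
import re
from collections import defaultdict

# Constructed sample lines in IOS syslog format (assumed layout).
SAMPLE_LOGS = """\
Jan  1 05:00:01 rtr1 123: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 203.0.113.7(40211) -> 192.0.2.10(443), 1 packet
Jan  1 05:00:02 rtr1 124: %SEC-6-IPACCESSLOGP: list 110 denied tcp 203.0.113.9(51000) -> 192.0.2.10(23), 1 packet
Jan  1 05:00:02 rtr1 125: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 203.0.113.9 -> 192.0.2.10 (0/0), 1 packet
Jan  1 05:00:03 rtr1 126: %SEC-6-IPACCESSLOGDP: list 110 permitted icmp 203.0.113.7 -> 192.0.2.10 (8/0), 1 packet
Jan  1 05:05:03 rtr1 127: %SEC-6-IPACCESSLOGP: list 110 denied tcp 203.0.113.9(51000) -> 192.0.2.10(23), 37 packets
"""

# Ports appear as "(port)" for tcp/udp; ICMP carries "(type/code)" instead.
LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>\w+): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)


def parse_acl_logs(text):
    """Return one dict per parsable ACL log line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entry = m.groupdict()
            entry["count"] = int(entry["count"])
            entries.append(entry)
    return entries


def tally(entries):
    """Sum packets per (action, proto); count ICMP lines logged as type 0."""
    packets = defaultdict(int)
    icmp_type0 = 0  # may be any ICMP type if no per-type log rule exists
    for e in entries:
        packets[(e["action"], e["proto"])] += e["count"]
        if e["proto"] == "icmp" and e["itype"] == "0":
            icmp_type0 += 1
    return dict(packets), icmp_type0


if __name__ == "__main__":
    totals, type0 = tally(parse_acl_logs(SAMPLE_LOGS))
    for (action, proto), n in sorted(totals.items()):
        print(f"{action:9s} {proto:5s} {n:5d} packets")
    print(f"ICMP lines reported as type 0 (possibly misreported): {type0}")
```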