Re: Iptables logs on High bandwidth traffic network

On Wed, 4 May 2005, Taylor, Grant wrote:

> > How about using a fifo (man mkfifo and man syslog) and let syslog pipe
> > to that fifo. Some program can then read from the fifo, parse data, and
> > maybe use a database for storing the parsed, now more limited, data.
> > Might be a good idea to have the database on another system :-
>
> Using a FIFO to a program that parses and transmits the data to another
> system over the network might be a possibility.  Keep in mind that any
> processing that you do on the packets has to be able to be done at least
> as fast if not faster than the rate the packets come in.  If you ever
> end up getting behind on the processing things will snowball on you VERY
> quickly and more than likely end up in a very nasty mess.  This is why I
> think it would be better to use something like TCPDump or Snort to sniff
> the network and then post process the dumps.

Why would a FIFO and a program which parses and transmits the data to
another system be any faster than syslog/syslog-ng/ulogd/etc.? (Why
reinvent the wheel?)

If you sniff the network for logging, where do you actually want to sniff?
Before the firewall? You'll have to cope with the same traffic as the
firewall itself and won't see the dropped traffic on the other side.
Behind the firewall? Again, you won't see the dropped traffic coming from
outside. (Please note, I do not advise against an IDS inside which sniffs
the traffic.)

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
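The FIFO-fed parser sketched in the quoted messages above, written out as an added example; this is not code from the thread's posters or from the netfilter project. It assumes (none of which the thread states) that syslog is configured to write kernel messages into a FIFO whose path is given on the command line, that the iptables LOG rule uses the hypothetical --log-prefix "FW-DROP: ", and it runs on constructed sample lines in the LOG target's field format when no FIFO path is given. The point Grant raises, that the reader must keep up with the packet rate, is handled by a bounded backlog: when the parser falls behind, lines are dropped and counted rather than allowed to pile up.

```python
#!/usr/bin/env python3
"""Parse iptables LOG lines arriving on a FIFO and keep only a compact summary.

Added example for this thread, not code from the netfilter project or any
poster. Assumptions (not from the thread): syslog writes kernel messages into
the FIFO (directive syntax differs per syslog daemon), the LOG rule uses
--log-prefix "FW-DROP: ", and the FIFO path passed on the command line is
hypothetical.
"""
import queue
import re
import sys
import threading
from collections import Counter

PREFIX = "FW-DROP:"                 # hypothetical --log-prefix value
KV_RE = re.compile(r"(\w+)=(\S*)")  # IN=eth0 SRC=... ; bare flags (DF, SYN) carry no '='

# Constructed sample lines in the kernel LOG target's format (not captured from any host).
SAMPLE_LINES = [
    "May  4 10:00:01 fw kernel: FW-DROP: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=40001 DPT=22 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    "May  4 10:00:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4322 DF PROTO=TCP SPT=40002 DPT=22 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    "May  4 10:00:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 "
    "LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=UDP SPT=53 DPT=1434 LEN=24",
    "May  4 10:00:02 fw sshd[123]: Accepted publickey for alice from 192.0.2.20",
]


def parse_iptables_log(line):
    """Extract the fields worth keeping from one LOG line; None if it is not ours."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    fields = dict(KV_RE.findall(line[idx + len(PREFIX):]))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return {
        "in": fields.get("IN", ""),
        "src": fields["SRC"],
        "dst": fields.get("DST", ""),
        "proto": fields["PROTO"],
        "spt": fields.get("SPT"),
        "dpt": fields.get("DPT"),  # absent for ICMP, which logs TYPE=/CODE= instead
    }


def aggregate(lines):
    """Reduce raw lines to counts per (src, proto, dpt): the 'more limited' data to store."""
    counts = Counter()
    for line in lines:
        rec = parse_iptables_log(line)
        if rec:
            counts[(rec["src"], rec["proto"], rec["dpt"])] += 1
    return counts


def make_backlog(max_backlog=10000):
    """Bounded hand-off queue between the FIFO reader and the parser."""
    return queue.Queue(maxsize=max_backlog)


def offer(backlog, line, stats):
    """Enqueue without blocking; if the parser has fallen behind, drop and count.

    The reader keeps draining the FIFO at line rate so syslog never blocks on
    the pipe; the cost is lost lines rather than an ever-growing backlog.
    """
    try:
        backlog.put_nowait(line)
        return True
    except queue.Full:
        stats["dropped"] += 1
        return False


def read_fifo(path, backlog, stats):
    """Reader thread body: open() blocks until syslog opens the FIFO for writing."""
    with open(path, "r", errors="replace") as fifo:
        for line in fifo:
            offer(backlog, line, stats)
    backlog.put(None)  # EOF sentinel for the consumer


def drain(backlog):
    """Yield queued lines until the EOF sentinel arrives."""
    while (line := backlog.get()) is not None:
        yield line


def main(argv):
    stats = {"dropped": 0}
    if len(argv) > 1:  # e.g. /var/log/fw.fifo (hypothetical path created with mkfifo)
        backlog = make_backlog()
        threading.Thread(target=read_fifo, args=(argv[1], backlog, stats), daemon=True).start()
        counts = aggregate(drain(backlog))
    else:
        counts = aggregate(SAMPLE_LINES)
    for (src, proto, dpt), n in counts.most_common():
        print(f"{n:6d} {src:>15} {proto} dpt={dpt}")
    print(f"dropped (parser fell behind): {stats['dropped']}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the summary of the constructed lines, or with the FIFO path to read live. The aggregation key (source, protocol, destination port) is a deliberate choice: it is the reduction that makes the volume manageable before anything goes to a database, and the dropped counter tells you when the reader could not keep up instead of letting that fact hide in a silently growing pipe.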

