On Thu, 5 May 2005, Taylor, Grant wrote:

> > Why were a FIFO and a program which parses and transmits the data to
> > another system any faster than syslog/syslog-ng/ulogd/etc? (Why reinvent
> > the wheel?)
>
> It is my belief that Syslog and the mechanism that it uses to log is not
> meant for extreme volume of logging. As I understand it Syslog will log
> each and every individual packet that passes through the IPTables LOG
> target individually, thus causing a write through the kernel into
> SysLog space and possibly to disk for a VERY small amount of data.

That depends on how syslog is configured - you can easily disable syncing
at every log event.

> Whereas TCPDump or Snort will dump to memory for a specific amount of
> time or amount of traffic captured and then write a large group of
> packets as one write.

I have looked through the man page of tcpdump and could not find any
indication of this feature. How should one run tcpdump in order to enable
in-memory buffering?

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
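The "disable syncing at every log event" point above, as an added example that is not part of the original thread: in the classic sysklogd syslog.conf format, a leading "-" in front of the file name tells syslogd not to fsync() after each message. The selector assumes the iptables LOG target is used at its default log level (warning) and the file name is a made-up example.

```conf
# /etc/syslog.conf fragment, sysklogd syntax (added example, not from the thread).
# iptables LOG messages arrive on the kern facility; the LOG target's default
# --log-level is warning, so this selector assumes the rules were not given
# an explicit level. Only one of the two lines below should be active.

# Synced: syslogd fsync()s the file after every message. With one message
# per logged packet, that is one disk write per packet.
kern.=warning            /var/log/firewall.log

# Unsynced: the leading "-" skips the per-message fsync, so messages sit in
# the page cache and reach disk in larger batches.
kern.=warning            -/var/log/firewall.log
```

On the tcpdump side of the question: when writing a capture with -w, tcpdump writes the file through a stdio buffer, so packets reach the file in blocks rather than one write per packet; the -U (--packet-buffered) option is what forces a write per packet, so buffering is the default rather than something to switch on. Recent tcpdump versions additionally have -B to enlarge the operating-system capture buffer, which is a separate buffer from the file output.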