07-28-2010 10:03 AM - edited 03-04-2019 09:14 AM
I have a 2811 Router. I setup a syslog to capture attacks on ports 22, 23, and 3389. It is thousands of hits per day.
In the syslog I get
access-list logging rate-limited or missed 12 packets
I have been changing the config settings and still get missed packets. I am upgrading the 2811 to 768MB of RAM from 256MB.
logging message-counter syslog
logging queue-limit 700
logging queue-limit trap 700
logging buffered 1000000
logging rate-limit 700 except warnings
no logging console
no logging monitor
ip access-list logging interval 70
How much higher can I take these settings to capture all the data? Any way to clear the 2811 logs once the data is sent to syslog?
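The "rate-limited or missed N packets" message is the router telling you how many ACL hits it dropped from the log, so before raising the queue and rate-limit values further it is worth measuring how much is actually being lost. The following script is an added example (not part of the original post or of Cisco's tooling): it parses a constructed sample of syslog lines using the real IOS mnemonics %SEC-6-IPACCESSLOGP (ACL hit) and %SEC-6-IPACCESSLOGRL (rate-limit notice), totals logged versus missed packets, and breaks the logged hits down per destination port and per source. The sample lines, the function names summarize and needs_attention, and the 10% loss threshold are all assumptions made for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample of syslog lines (not from the original post). Addresses are
# RFC 5737 documentation ranges; the message mnemonics are the IOS ones.
SAMPLE_LOG = """\
Jul 28 10:01:02 192.0.2.1 123: *Jul 28 10:01:01.123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(43215) -> 192.0.2.1(22), 1 packet
Jul 28 10:01:03 192.0.2.1 124: *Jul 28 10:01:02.001: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(51000) -> 192.0.2.1(3389), 1 packet
Jul 28 10:01:04 192.0.2.1 125: *Jul 28 10:01:03.500: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 12 packets
Jul 28 10:01:05 192.0.2.1 126: *Jul 28 10:01:04.200: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(43216) -> 192.0.2.1(23), 3 packets
Jul 28 10:01:06 192.0.2.1 127: *Jul 28 10:01:05.700: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 7 packets
Jul 28 10:01:07 192.0.2.1 128: *Jul 28 10:01:06.900: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.77(60001) -> 192.0.2.1(22), 2 packets
"""

# One ACL hit line: "list <acl> denied tcp src(sport) -> dst(dport), N packet(s)"
ACL_HIT = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
# The router's own notice that it dropped N hits from the log
RATE_LIMITED = re.compile(
    r"access-list logging rate-limited or missed (?P<count>\d+) packets?"
)


@dataclass
class LogSummary:
    logged_packets: int = 0          # packets that made it into a log line
    missed_packets: int = 0          # packets the router admits it did not log
    rate_limit_events: int = 0       # number of IPACCESSLOGRL notices seen
    per_port: Counter = field(default_factory=Counter)    # dport -> packets
    per_source: Counter = field(default_factory=Counter)  # src  -> packets

    @property
    def loss_ratio(self) -> float:
        """Fraction of ACL hits the log never saw (0.0 when there is no data)."""
        total = self.logged_packets + self.missed_packets
        return self.missed_packets / total if total else 0.0


def summarize(log_text: str) -> LogSummary:
    """Tally logged vs. missed ACL hits over a block of syslog text."""
    summary = LogSummary()
    for line in log_text.splitlines():
        hit = ACL_HIT.search(line)
        if hit:
            n = int(hit["count"])
            summary.logged_packets += n
            summary.per_port[int(hit["dport"])] += n
            summary.per_source[hit["src"]] += n
            continue
        rl = RATE_LIMITED.search(line)
        if rl:
            summary.missed_packets += int(rl["count"])
            summary.rate_limit_events += 1
    return summary


def needs_attention(summary: LogSummary, max_loss: float = 0.10) -> bool:
    """True when more than max_loss of ACL hits are being dropped from the log."""
    return summary.loss_ratio > max_loss


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"logged={s.logged_packets} missed={s.missed_packets} "
          f"loss={s.loss_ratio:.1%} rate-limit notices={s.rate_limit_events}")
    print("per port:", dict(s.per_port))
    print("per source:", dict(s.per_source))
    print("tuning needed:", needs_attention(s))
```

Run it against a day of exported syslog instead of the sample and the loss ratio tells you whether the current `logging rate-limit` / `ip access-list logging interval` values are costing you visibility; if the ratio stays high even after tuning, the per-port and per-source counters still give you the picture the individual hits would have, which is usually what matters for spotting scans against 22, 23 and 3389.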
07-28-2010 11:02 AM
If it's critical to get every single syslog trap, a firewall would be a better fit than a router. The router is designed to route and forward production traffic. Sending thousands of syslog traps negatively impacts the router's primary function. The firewall is designed to enforce security policy and forward every single security syslog trap.
That said the following may help with syslog but may crash your router:
logging rate-limit 10000 except warnings
logging queue-limit trap 100000000
ip access-list logging interval 0
Chris
07-28-2010 11:16 AM
The 2811 router has a single T1. I have been bumping the settings slowly up.
logging message-counter syslog
logging queue-limit 1000
logging queue-limit trap 1000
logging buffered 1000000
logging rate-limit 1000 except warnings
no logging console
no logging monitor
ip access-list logging interval 10 (10 ms)