On 19 Dec 2001, at 8:44, Daniel Crichton wrote:

> On 18 Dec 2001 at 16:29, Brian Ford wrote:
>
> > And Kiwi supports PIX TCP Syslog too!
>
> I personally will never touch TCP syslog with the PIX - I once had
> my syslog server run out of disk space and the PIX shut down.
> Check the release notes for the PIX - they specifically say that a
> problem with the syslog server over TCP will cause the PIX to stop
> processing connections.
It seems to me that running out of log space *should* not be a normal condition, and might indicate a deliberate hostile attempt to disable logging. Whether one wants to continue to permit connections with logging disabled is a policy decision that might very well go either way, although I'd expect those who'd prefer TCP to UDP for syslog would tend to incline to the more defensive option.

In a perfect universe, the choice of whether to continue permitting traffic when logging is known to have failed could be a separate option, orthogonal to whether one chooses to use a connection-based protocol for logs (although the choice cannot meaningfully be made with a connectionless protocol...). But, short of such perfection, I think this is quite likely to be a deliberate and defensible design decision by Cisco, rather than a known bug, defect, or oversight.

David Gillett

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
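The thread's practical lesson is that with TCP syslog the collector's health becomes part of the firewall's availability, so the collector should be watched for the two failure modes named above (log volume full, listener unreachable) before the firewall notices them. The following health probe is an added example for this discussion, not code from either poster or from Cisco; the collector host, port, log path and free-space threshold are placeholder assumptions, and the probe writes a constructed RFC 3164-style test line to confirm the listener accepts data.

```python
"""Health probe for a TCP syslog collector (added example, not from the thread).

A PIX sending syslog over TCP stops passing traffic when the collector cannot
accept logs, so the defensive move is to detect a failing collector (full log
volume, closed listener) from the monitoring side first.  Host, port, path and
threshold values are placeholders, not values from the original thread.
"""
import shutil
import socket
import time
from dataclasses import dataclass
from typing import Tuple


@dataclass
class CollectorStatus:
    disk_ok: bool        # log volume still has headroom
    free_bytes: int      # bytes free on the log volume
    listener_ok: bool    # TCP connect + write to the syslog port succeeded
    detail: str          # human-readable summary for an alert


def disk_headroom_ok(log_path: str, min_free_bytes: int) -> Tuple[bool, int]:
    """Return (ok, free_bytes): ok is True while the volume holding log_path
    still has at least min_free_bytes free."""
    usage = shutil.disk_usage(log_path)
    return usage.free >= min_free_bytes, usage.free


def tcp_listener_ok(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to the collector can be opened and a syslog
    test line written.  A refused or timed-out connection is the same failure
    the firewall would see, so it is reported as not-ok rather than raised."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            # Constructed RFC 3164-style line; PRI 14 = facility user, severity info.
            stamp = time.strftime("%b %d %H:%M:%S")
            line = "<14>%s probe syslog-healthcheck: collector reachability test\n" % stamp
            s.sendall(line.encode("ascii"))
        return True
    except OSError:
        return False


def check_collector(host: str, port: int, log_path: str,
                    min_free_bytes: int) -> CollectorStatus:
    """Combine both checks into one status an operator can alert on."""
    disk_ok, free = disk_headroom_ok(log_path, min_free_bytes)
    listener_ok = tcp_listener_ok(host, port)
    problems = []
    if not disk_ok:
        problems.append("log volume %s below %d bytes free (%d free)"
                        % (log_path, min_free_bytes, free))
    if not listener_ok:
        problems.append("no TCP syslog listener reachable at %s:%d" % (host, port))
    detail = "; ".join(problems) if problems else "collector healthy"
    return CollectorStatus(disk_ok, free, listener_ok, detail)


if __name__ == "__main__":
    # Placeholder values: replace with the real collector and log volume.
    status = check_collector("syslog.example.invalid", 1470, "/var/log",
                             min_free_bytes=2 * 1024 ** 3)
    print(status.detail)
```

Run it from cron or a monitoring agent on a schedule shorter than the time it takes the log volume to fill at peak event rate; the point is to raise the alarm (or fail over the `logging host` target) while the firewall is still forwarding traffic, rather than to learn about the full disk when connections stop.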
