On 19 Dec 2001 at 3:13, [EMAIL PROTECTED] wrote:

>   It seems to me that running out of log space *should* not be a 
> normal condition, and might indicate a deliberate hostile attempt to 
> disable logging.  Whether one wants to continue to permit connections 
> with logging disabled is a policy decision that might very well go 
> either way, although I'd expect those who'd prefer TCP to UDP for 
> syslog would tend to incline to the more defensive option.

In our case it was due to the machine used for syslog having not enough 
space. It also caused the PIX to stop when it crashed - if you use TCP for 
syslogging on the PIX make sure your syslog server is very robust!
 
>   In a perfect universe, the choice of whether to continue permitting 
> traffic when logging is known to have failed could be a separate 
> option, orthogonal to whether one chooses to use a connection-based 
> protocol for logs (although the choice cannot meaningfully be made 
> with a connectionless protocol...).
>   But, short of such perfection, I think this is quite likely to be a 
> deliberate and defensible design decision by Cisco, rather than a 
> known bug, defect, or oversight.

I understand why Cisco has included this feature - in some circumstances 
it is desirable to prevent access to your network if you are unable to 
record what is happening. My earlier reply was really to say that you 
should think carefully about using TCP for syslog on the PIX as there are 
some risks involved - for instance, if you're running an e-commerce site 
that relies on the web server being accessible 24/7 then you might not 
want connections to be stopped when the syslog server has a problem; 
you're willing to risk not recording logs in order to allow your customers 
to continue buying your products. Blindly using TCP syslogging without 
consideration could render your public services unreachable in the event 
of a problem with the syslog server, which becomes a single point of 
failure in the system.

Dan
---
D.C. Crichton                 email: [EMAIL PROTECTED]
Senior Systems Analyst        tel:   +44 (0)121 706 6000
Computer Manuals Ltd.         fax:   +44 (0)121 606 0477

Computer book info on the web:
   http://computer-manuals.co.uk/
Want to earn money? Join our affiliate network!
   http://computer-manuals.co.uk/affiliate/
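Dan's advice above is to make the syslog server "very robust" because a PIX forwarding logs over TCP stops passing new connections when the receiver fails or runs out of space. The following is an added example, not code from the post or from Cisco: a small defender-side probe that checks the two failure modes the thread describes (TCP receiver unreachable, log volume nearly full) so they can be alerted on before the firewall reacts. The host, port, log path and free-space threshold are assumptions chosen for the example.

```python
"""Health probe for a TCP syslog receiver (added example, not from the post).

A PIX using TCP syslog blocks new connections when it cannot deliver logs,
so the receiver itself must be watched.  Two checks cover the thread's cases:
  1. can a TCP connection to the receiver's syslog port be completed?
  2. does the filesystem holding the log directory still have headroom?
"""
import shutil
import socket
from typing import List, Tuple

# Assumed values for the example; adjust to the real receiver.
SYSLOG_HOST = "192.0.2.10"      # documentation-range address, constructed
SYSLOG_PORT = 1468              # port used for TCP syslog in this example
LOG_PATH = "/var/log"           # directory the receiver writes into
MIN_FREE_RATIO = 0.10           # alert below 10% free space


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within `timeout`.

    This is the same thing the PIX must be able to do to deliver a log
    record, so a failure here predicts the firewall dropping traffic.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def disk_free(path: str) -> Tuple[int, int]:
    """Return (free_bytes, total_bytes) for the filesystem holding `path`."""
    usage = shutil.disk_usage(path)
    return usage.free, usage.total


def evaluate(reachable: bool, free_bytes: int, total_bytes: int,
             min_free_ratio: float = MIN_FREE_RATIO) -> List[str]:
    """Turn raw measurements into alert strings (empty list means healthy)."""
    alerts = []
    if not reachable:
        alerts.append("syslog receiver TCP port unreachable: "
                      "a PIX using TCP syslog will stop passing new connections")
    ratio = free_bytes / total_bytes if total_bytes else 0.0
    if ratio < min_free_ratio:
        alerts.append(f"log volume only {ratio:.1%} free, "
                      f"below the {min_free_ratio:.0%} threshold")
    return alerts


def check_syslog_receiver(host: str = SYSLOG_HOST, port: int = SYSLOG_PORT,
                          log_path: str = LOG_PATH,
                          min_free_ratio: float = MIN_FREE_RATIO) -> List[str]:
    """Run both checks against a receiver and return the list of alerts.

    The disk check is meant to run on the receiver itself (or over a
    management channel); here it simply inspects the local filesystem.
    """
    reachable = tcp_port_open(host, port)
    free_bytes, total_bytes = disk_free(log_path)
    return evaluate(reachable, free_bytes, total_bytes, min_free_ratio)


def start_dummy_receiver() -> Tuple[socket.socket, int]:
    """Open a throwaway listener on 127.0.0.1 so the probe can be self-tested.

    Returns the listening socket and its port; close the socket to simulate
    the receiver going away.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    for line in check_syslog_receiver():
        print("ALERT:", line)
```

Run it from cron or a monitoring agent and page on any non-empty result; if the receiver is on a different machine, run the disk check there and feed its numbers into `evaluate()`.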

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
