From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: netfilter@lists.netfilter.org
Subject: Re: Iptables logs on High bandwidth traffic network
Date: Wed, 04 May 2005 10:59:12 -0500
Message-ID: <4278F150.4000806@riverviewtech.net>
In-Reply-To: <4278C3DE.7010403@au-kbc.org>

> Hi all,
>         I am planning to implement the iptables log feature on a server
> machine (Dual Xeon processor, Intel e100 cards, 80GB SCSI and 2GB RAM)
> which is running in bridge mode (on RH 7.3). The average traffic on this
> machine varies from 40-60Mbps. Hence I require some suggestions for some
> of my questions, like:
> 
> 1) On this high traffic, will the kernel be stable or crash?
> 2) What would be the CPU load, and is the server able to do this job
> without any pain?
> 3) Up to how much traffic can iptables/the kernel handle without
> any issue, and what should I do additionally if I need the
>    iptables log to handle this much traffic?

There have been people in the past with marginal luck (at best) who tried to have the kernel log packets via the LOG target.  The problem that I think they have run into in the past is that the LOG target is (as far as I know, and no one has refuted (if I am wrong please do so)) not meant for high volume LOGing of packets.  If you are wanting to log all traffic that passes through the box you would probably want to look at using TCPDump to sniff the network and parse its out files, or look into something like Snort in one of its many modes.  The reason that LOG is not meant for high volume logging is that it relies on SysLog to log its data, which in and of itself is not meant for high volume logging.  SysLog will quite often become disk bound if you try to log such high volumes to it and thus the system will sort of flounder and snowball in on itself.  Further, you will not see the log events that this is happening b/c they themselves will not get logged b/c SysLog is backed up.  You may have more luck looking at ULOG, but as I have not messed with it I can't say one way or the other.

(This is all speculation on my part and I have little to no hands on experience doing this.  However I have talked with many people who have been in this situation and they back up what I'm saying.  So your mileage may vary.)



Grant. . . .

