
List:       ipfilter
Subject:    Re: ipmon - /dev/ipl question
From:       Darren Reed <avalon () coombs ! anu ! edu ! au>
Date:       2000-08-25 14:29:38

In some mail from "Hermes, Stefan (SCL)", sie said:
> 
> Q: What happens if logging rules are configured and ipmon does not run to
> read /dev/ipl ?
> 
> a. log messages are discarded at once
> b. log messages are discarded as soon as a buffer is full
[...]
> Most likely b. is the case, just want to be sure.
> 
> in case of b., how large is the buffer that holds the messages,
> basically, how much logged traffic may I have between death of ipmon
> and restart of it without losing any messages?

Depends on how fast the machine is, what rule is making the logs, etc.

If you're logging positive matches and don't want to let through any
unauditable connections, "log or-block".

Darren
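
The "log or-block" keyword from the reply, placed in an ipf.conf fragment next to the plain "log" form it replaces. This is an added example, not part of the original message; the interface name (fxp0) and the service port (22) are assumptions.

```conf
# Constructed example: interface fxp0 and port 22 are assumptions.

# Plain "log": the packet is passed whether or not a log record could
# be written, so connections accepted while ipmon is not reading
# /dev/ipl can end up with no audit record. Shown commented out.
# pass in log quick on fxp0 proto tcp from any to any port = 22 flags S keep state

# "log or-block": if the filter is unable to log the packet (for
# example because the log reader is not keeping up), the rule is
# treated as "block" for that packet, so nothing passes unaudited.
pass in log or-block quick on fxp0 proto tcp from any to any port = 22 flags S keep state
```

The trade-off is availability: while ipmon is down and packets cannot be logged, new connections matching this rule are refused rather than passed unlogged.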
