access-list logging rate-limited or missed 12 packets

I have a 2811 Router. I set up a syslog to capture attacks on ports 22, 23, and 3389. It is thousands of hits per day.

In the syslog I get

access-list logging rate-limited or missed 12 packets

I have been changing the config settings and still get missed packets.  I am upgrading the 2811 to 768MB of RAM from 256MB.

logging message-counter syslog
logging queue-limit 700
logging queue-limit trap 700
logging buffered 1000000
logging rate-limit 700 except warnings
no logging console
no logging monitor

ip access-list logging interval 70

How much higher can I take these settings to capture all the data?  Any way to clear the 2811 logs once the data is sent to syslog?
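Before raising the router's limits, it helps to know how much of the ACL log data the syslog collector is actually receiving. The following is an added example (not code from the original post or from Cisco) that parses an IOS-style syslog excerpt, tallies the denied packets the router logged against the packets it reported as missed in the "rate-limited or missed" notice quoted above, and breaks the logged ones down by destination port. The sample log lines, hostnames, addresses and counts are constructed for the example; the regexes only rely on the message text shown on this page and the common "list ... denied ... -> ..., N packets" shape of ACL log entries.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt (not from the original post) in the shape of
# IOS ACL log messages: per-flow deny entries plus the "rate-limited or missed"
# notice quoted in the question. Hostnames, addresses and counts are made up.
SAMPLE_SYSLOG = """\
Jul 28 10:59:01 router1 123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(51234) -> 192.0.2.10(22), 1 packet
Jul 28 10:59:02 router1 124: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(51235) -> 192.0.2.10(23), 1 packet
Jul 28 11:00:10 router1 125: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(40000) -> 192.0.2.10(3389), 37 packets
Jul 28 11:00:11 router1 126: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 12 packets
Jul 28 11:01:00 router1 127: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(2222) -> 192.0.2.10(22), 4 packets
"""

# One ACL deny entry: which list matched, protocol, src(port) -> dst(port), packet count.
DENY_RE = re.compile(
    r"list (?P<acl>\S+) denied (?P<proto>\S+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)
# The notice the router emits when ACL logging could not keep up (text as on this page).
MISSED_RE = re.compile(r"rate-limited or missed (?P<count>\d+) packets?")


def summarize_acl_logging(syslog_text):
    """Tally denied packets the router actually logged versus packets it admitted
    to missing, and break the logged ones down by destination port."""
    logged = 0
    missed = 0
    by_port = Counter()
    for line in syslog_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            n = int(m.group("count"))
            logged += n
            by_port[int(m.group("dport"))] += n
            continue
        m = MISSED_RE.search(line)
        if m:
            missed += int(m.group("count"))
    seen = logged + missed
    # Fraction of the denied packets the router told us about in detail.
    coverage = logged / seen if seen else 1.0
    return {
        "logged_packets": logged,
        "missed_packets": missed,
        "by_port": dict(by_port),
        "coverage": coverage,
    }


if __name__ == "__main__":
    s = summarize_acl_logging(SAMPLE_SYSLOG)
    print(f"logged {s['logged_packets']}, missed {s['missed_packets']}, "
          f"coverage {s['coverage']:.1%}")
    for port, n in sorted(s["by_port"].items()):
        print(f"  dport {port}: {n} packets")
```

Run it against the collector's log file instead of the embedded sample to get the real coverage figure. The missed packets are never attributed to a port or source, so the per-port counts are a lower bound; the coverage ratio is what tells you whether the per-day hit counts can be trusted as complete, and whether a change to the logging interval or rate limit has actually closed the gap.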

gatlin007 Wed, 07/28/2010 - 11:02

If it's critical to get every single syslog trap, a firewall would be a better fit than a router. The router is designed to route and forward production traffic. Sending thousands of syslog traps negatively impacts the router's primary function. The firewall is designed to enforce security policy and forward every single security syslog trap.

That said, the following may help with syslog but may crash your router:

logging rate-limit 10000 except warnings

logging queue-limit trap 100000000

ip access-list logging interval 0