access-list logging rate-limited or missed 12 packets

Unanswered Question
Jul 28th, 2010

I have a 2811 router. I set up a syslog to capture attacks on ports 22, 23, and 3389. It is thousands of hits per day.

In the syslog I get

access-list logging rate-limited or missed 12 packets

I have been changing the config settings and still get missed packets.  I am upgrading the 2811 to 768MB of RAM from 256MB.

logging message-counter syslog
logging queue-limit 700
logging queue-limit trap 700
logging buffered 1000000
logging rate-limit 700 except warnings
no logging console
no logging monitor

ip access-list logging interval 70

How much higher can I take these settings to capture all the data?  Any way to clear the 2811 logs once the data is sent to syslog?

gatlin007 Wed, 07/28/2010 - 11:02

If it's critical to get every single syslog trap, a firewall would be a better fit than a router. The router is designed to route and forward production traffic. Sending thousands of syslog traps negatively impacts the router's primary function. The firewall is designed to enforce security policy and forward every single security syslog trap.

That said, the following may help with syslog but may crash your router:


logging rate-limit 10000 except warnings

logging queue-limit trap 100000000

ip access-list logging interval 0



Chris


mike.mckenney@a... Wed, 07/28/2010 - 11:16

The 2811 router has a single T1. I have been bumping the settings slowly up.

logging message-counter syslog
logging queue-limit 1000
logging queue-limit trap 1000
logging buffered 1000000
logging rate-limit 1000 except warnings
no logging console
no logging monitor
ip access-list logging interval 10 (10 ms)
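
Added example, not part of any post in this thread: a way to measure on the syslog server how much the router is dropping, by comparing packets reported in ACL hit messages with the counts in the "rate-limited or missed" messages, so each change to the logging settings can be judged by numbers. The sample lines are constructed, and the `%SEC-6-IPACCESSLOGP` line layout and the `summarize` helper are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the thread); addresses are RFC 5737 ranges.
SAMPLE = """\
Jul 28 10:01:02 rtr 101: %SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.7(40112) -> 192.0.2.10(22), 1 packet
Jul 28 10:01:03 rtr 102: %SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.7(40113) -> 192.0.2.10(22), 5 packets
Jul 28 10:01:03 rtr 103: %SEC-6-IPACCESSLOGP: list 110 denied tcp 203.0.113.9(51515) -> 192.0.2.10(3389), 2 packets
Jul 28 10:01:04 rtr 104: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 12 packets
Jul 28 10:01:05 rtr 105: %SEC-6-IPACCESSLOGP: list 110 denied tcp 203.0.113.9(51600) -> 192.0.2.10(23), 1 packet
Jul 28 10:01:06 rtr 106: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 3 packets
"""

# ACL hit line: list name, action, protocol, src(port) -> dst(port), packet count.
HIT = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (\S+) (permitted|denied) (\w+) "
    r"(\S+)\((\d+)\) -> (\S+)\((\d+)\), (\d+) packets?"
)
# The message quoted in the thread title.
MISSED = re.compile(r"access-list logging rate-limited or missed (\d+) packets?")


def summarize(text):
    """Tally denied packets per destination port and per source, plus missed packets."""
    per_port, per_source, missed = Counter(), Counter(), 0
    for line in text.splitlines():
        m = MISSED.search(line)
        if m:
            missed += int(m.group(1))
            continue
        m = HIT.search(line)
        if m and m.group(2) == "denied":
            packets = int(m.group(8))
            per_port[int(m.group(7))] += packets
            per_source[m.group(4)] += packets
    logged = sum(per_port.values())
    total = logged + missed
    return {
        "per_port": dict(per_port),
        "top_sources": per_source.most_common(3),
        "logged": logged,
        "missed": missed,
        # Share of ACL-matched packets the router reported it did not log.
        "missed_pct": round(100 * missed / total, 1) if total else 0.0,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```
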
Posted July 28, 2010 at 10:03 AM