
access-list logging rate-limited or missed 12 packets

mike.mckenney
Level 1

I have a 2811 Router. I set up a syslog to capture attacks on ports 22, 23, and 3389. It is thousands of hits per day.

In the syslog I get

access-list logging rate-limited or missed 12 packets

I have been changing the config settings and still get missed packets.  I am upgrading the 2811 to 768MB of RAM from 256MB.

logging message-counter syslog
logging queue-limit 700
logging queue-limit trap 700
logging buffered 1000000
logging rate-limit 700 except warnings
no logging console
no logging monitor

ip access-list logging interval 70

How much higher can I take these settings to capture all the data?  Any way to clear the 2811 logs once the data is sent to syslog?


gatlin007
Level 4

If it's critical to get every single syslog trap, a firewall would be a better fit than a router. The router is designed to route and forward production traffic. Sending thousands of syslog traps negatively impacts the router's primary function. The firewall is designed to enforce security policy and forward every single security syslog trap.

That said, the following may help with syslog but may crash your router:


logging rate-limit 10000 except warnings

logging queue-limit trap 100000000

ip access-list logging interval 0



Chris


The 2811 router has a single T1.   I have been bumping the settings slowly up.

logging message-counter syslog
logging queue-limit 1000
logging queue-limit trap 1000
logging buffered 1000000
logging rate-limit 1000 except warnings
no logging console
no logging monitor
ip access-list logging interval 10 (10 ms)
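
Added example, not part of the original thread or any poster's code: a way to measure on the syslog server how much is still being missed while the settings above are tuned. It totals the packet counts in %SEC-6-IPACCESSLOGP lines for ports 22, 23 and 3389, totals the counts in the "rate-limited or missed" lines, and counts gaps in the message counter. The sample lines, the ACL number, the host name and the position of the counter in each stored line are assumptions.

```python
import re
from collections import Counter

# Constructed sample; addresses are documentation ranges. The number before the
# %SEC tag stands for the counter added by "logging message-counter syslog"
# (where the collector stores it in the line is an assumption).
SAMPLE = """\
Mar  1 10:00:01 rtr 101: %SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.7(40112) -> 203.0.113.5(22), 1 packet
Mar  1 10:00:03 rtr 102: %SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.9(51514) -> 203.0.113.5(3389), 1 packet
Mar  1 10:00:04 rtr 103: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 12 packets
Mar  1 10:05:01 rtr 104: %SEC-6-IPACCESSLOGP: list 110 denied tcp 198.51.100.7(40112) -> 203.0.113.5(22), 7 packets
Mar  1 10:05:02 rtr 105: %SEC-6-IPACCESSLOGP: list 110 denied tcp 192.0.2.44(33001) -> 203.0.113.5(23), 2 packets
Mar  1 10:05:09 rtr 107: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 3 packets
"""

# Groups: message counter, destination port, packet count.
HIT = re.compile(r"(\d+): %SEC-6-IPACCESSLOGP: list \S+ denied tcp \S+ -> "
                 r"\S+\((\d+)\), (\d+) packets?")
# Groups: message counter, number of packets the router did not log.
MISS = re.compile(r"(\d+): %SEC-6-IPACCESSLOGRL: access-list logging "
                  r"rate-limited or missed (\d+) packets?")

def summarize(lines, ports=(22, 23, 3389)):
    """Tally logged vs. missed packets and gaps in the message counter."""
    logged, missed, lost_msgs, last_seq = Counter(), 0, 0, None
    for line in lines:
        hit, miss = HIT.search(line), MISS.search(line)
        m = hit or miss
        if not m:
            continue
        seq = int(m.group(1))
        if last_seq is not None and seq > last_seq + 1:
            lost_msgs += seq - last_seq - 1  # messages that never reached the server
        last_seq = seq
        if miss:
            missed += int(miss.group(2))
        elif int(hit.group(2)) in ports:
            logged[int(hit.group(2))] += int(hit.group(3))
    total = sum(logged.values())
    # The missed count covers every logging ACL entry, so the ratio is an estimate.
    ratio = round(missed / (total + missed), 3) if total + missed else 0.0
    return {"logged_by_port": dict(logged), "missed_packets": missed,
            "lost_syslog_messages": lost_msgs, "missed_ratio": ratio}

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
```

A missed ratio that stays high after raising the limits means the router, not the syslog server, is the bottleneck; gaps in the counter point at messages lost after the router sent them.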
