Logging TCP events

am 09.10.2006 15:54:41 von alaaghaleb

Hi there,

I need to log TCP events (slow-start, fast retransmit, .........) in
order to know when TCP enters and leaves each event. Is it possible to
modify the syslog.conf in order to get this info? If not, does anyone
have any idea about how to do it?

Thanks for your help,
Alaa GHALEB

Re: Logging TCP events

am 09.10.2006 18:36:15 von roberson

In article <1160402081.882420.83970@m73g2000cwd.googlegroups.com>,
wrote:

>I need to log TCP events (slow-start, fast retransmit, .........) in
>order to know when TCP enters and leaves each event. Is it possible to
>modify the syslog.conf in order to get this info? If not, does anyone
>have any idea about how to do it?

Modifying syslog.conf would only work if something were -already-
sending the events to syslogd but syslog.conf had been configured
to discard the log entries.

You haven't given us any clue as to what operating system you are
using, but it seems likely to me that at the moment nothing is
sending those events to syslogd. Possibly there is some hook
or system configuration parameter or value in a kernel control file
(that you could set and then rebuild the kernel to activate) that would
enable the logging; or possibly it would be a minor change to your
operating system source followed by a rebuild. To find out, you'd
probably best ask in a newsgroup more dedicated to your OS; it is
not a firewall or security question.

Personally I don't think sending to syslogd would work very well.
syslogd is a relatively slow logging mechanism, and since it is UDP
based, it probably wouldn't take a great deal of load on it before
some of the UDP packets got lost or dropped from the queue. How many
connections per second would the modified system likely be seeing?

Re: Logging TCP events

am 09.10.2006 22:44:38 von asubs

Actually, I'm using Fedora Core 5 as an operating system.
And thanks for your advice,

Alaa


Walter Roberson wrote:

> In article <1160402081.882420.83970@m73g2000cwd.googlegroups.com>,
> wrote:
>
> >I need to log TCP events (slow-start, fast retransmit, .........) in
> >order to know when TCP enters and leaves each event. Is it possible to
> >modify the syslog.conf in order to get this info? If not, does anyone
> >have any idea about how to do it?
>
> Modifying syslog.conf would only work if something were -already-
> sending the events to syslogd but syslog.conf had been configured
> to discard the log entries.
>
> You haven't given us any clue as to what operating system you are
> using, but it seems likely to me that at the moment nothing is
> sending those events to syslogd. Possibly there is some hook
> or system configuration parameter or value in a kernel control file
> (that you could set and then rebuild the kernel to activate) that would
> enable the logging; or possibly it would be a minor change to your
> operating system source followed by a rebuild. To find out, you'd
> probably best ask in a newsgroup more dedicated to your OS; it is
> not a firewall or security question.
>
> Personally I don't think sending to syslogd would work very well.
> syslogd is a relatively slow logging mechanism, and since it is UDP
> based, it probably wouldn't take a great deal of load on it before
> some of the UDP packets got lost or dropped from the queue. How many
> connections per second would the modified system likely be seeing?

Re: Logging TCP events

am 11.10.2006 19:43:46 von idgarad

asubs@free.fr wrote:
> Actually, I'm using Fedora Core 5 as an operating system.
> And thanks for your advice,
>
> Alaa
>
>
> Walter Roberson wrote:
>
> > In article <1160402081.882420.83970@m73g2000cwd.googlegroups.com>,
> > wrote:
> >
> > >I need to log TCP events (slow-start, fast retransmit, .........) in
> > >order to know when TCP enters and leaves each event. Is it possible to
> > >modify the syslog.conf in order to get this info? If not, does anyone
> > >have any idea about how to do it?
> >
> > Modifying syslog.conf would only work if something were -already-
> > sending the events to syslogd but syslog.conf had been configured
> > to discard the log entries.
> >
> > You haven't given us any clue as to what operating system you are
> > using, but it seems likely to me that at the moment nothing is
> > sending those events to syslogd. Possibly there is some hook
> > or system configuration parameter or value in a kernel control file
> > (that you could set and then rebuild the kernel to activate) that would
> > enable the logging; or possibly it would be a minor change to your
> > operating system source followed by a rebuild. To find out, you'd
> > probably best ask in a newsgroup more dedicated to your OS; it is
> > not a firewall or security question.
> >
> > Personally I don't think sending to syslogd would work very well.
> > syslogd is a relatively slow logging mechanism, and since it is UDP
> > based, it probably wouldn't take a great deal of load on it before
> > some of the UDP packets got lost or dropped from the queue. How many
> > connections per second would the modified system likely be seeing?

Syslog-NG can use TCP connectivity (I use it to SSH tunnel logging
between systems) along with IPTABLES on the firewall to sort out
traffic into various logs. Several systems, including a honey-pot system,
use a tcpdump dump and batch-transmit the data to a MySQL DB
(pre-filtered prior to transmit to reduce log size).

As far as the specifics of the TCP packet criteria, that would be in
either the IPTABLES definitions or, if doing the TCPDUMP, I would send
that to a FIFO and have a perl script filter that out to a file as a
service. (Our logging server does this with all the syslog data and
places it in MySQL.)
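The FIFO filter idgarad describes, written here as an added example (in Python rather than the Perl the post mentions, and not code from any poster): it reads `tcpdump -nn` lines from stdin and reports two of the events the original question asks about, retransmitted segments and the third duplicate ACK that triggers fast retransmit. The sample capture lines are constructed, and the line format is assumed to be tcpdump's default.

```python
import re
import sys
from collections import defaultdict

# Shape of "tcpdump -nn" lines (assumption: default format; others are skipped).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[[^\]]*\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?"
    r".*length (?P<len>\d+)$")
# Constructed sample: second segment lost, three duplicate ACKs, fast retransmit.
SAMPLE = """\
15:54:41.000100 IP 10.0.0.1.443 > 10.0.0.2.51000: Flags [.], seq 1:1449, ack 1, win 512, length 1448
15:54:41.000200 IP 10.0.0.1.443 > 10.0.0.2.51000: Flags [.], seq 1449:2897, ack 1, win 512, length 1448
15:54:41.010000 IP 10.0.0.2.51000 > 10.0.0.1.443: Flags [.], ack 1449, win 1024, length 0
15:54:41.010100 IP 10.0.0.2.51000 > 10.0.0.1.443: Flags [.], ack 1449, win 1024, length 0
15:54:41.010200 IP 10.0.0.2.51000 > 10.0.0.1.443: Flags [.], ack 1449, win 1024, length 0
15:54:41.010300 IP 10.0.0.2.51000 > 10.0.0.1.443: Flags [.], ack 1449, win 1024, length 0
15:54:41.010400 IP 10.0.0.1.443 > 10.0.0.2.51000: Flags [.], seq 1449:2897, ack 1, win 512, length 1448
"""
def scan(lines):
    """Return (ts, event, (src, dst)) for retransmissions and third dup ACKs."""
    seen = defaultdict(set)   # (src, dst) -> seq numbers of data already sent
    dups = {}                 # (src, dst) -> (last ack number, duplicate count)
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flow, length = (m["src"], m["dst"]), int(m["len"])
        if m["seq"] is not None and length > 0:
            seq = int(m["seq"])
            # Data starting at a byte already sent is a retransmission,
            # whether caused by an RTO or by fast retransmit.
            if seq in seen[flow]:
                events.append((m["ts"], "retransmit", flow))
            seen[flow].add(seq)
        elif m["ack"] is not None and length == 0:
            ack = int(m["ack"])
            last, n = dups.get(flow, (None, 0))
            n = n + 1 if ack == last else 0
            dups[flow] = (ack, n)
            # Third duplicate ACK: per RFC 5681 the peer now fast-retransmits.
            if n == 3:
                events.append((m["ts"], "dup_ack3", flow))
    return events
if __name__ == "__main__":
    # "-" reads the tcpdump stream from stdin (e.g. the FIFO); else use SAMPLE.
    src = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE.splitlines()
    for ts, event, (a, b) in scan(src):
        print(f"{ts} {event} {a} -> {b}")
```

Feed it with `tcpdump -nn -l -i eth0 tcp > /path/to/fifo` in one shell and `python3 tcpscan.py - < /path/to/fifo` in another (`-l` makes tcpdump line-buffer its output). A capture only shows on-the-wire symptoms; the sender's internal congestion state, such as slow start versus congestion avoidance, is not visible from it.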