On Sun, 19 Nov 2006, John Kaftan wrote:

> I really do not want to increase the log buffer.  I just want it to
> overwrite the old stuff when it gets full.

NO. You seem to miss the point of the log buffer.

Identical or similar events are not reported every time. The raw entries 
are buffered and parsed so your log does not get hit with 1000 syslog 
lines but just one if that syslog server is going berserk.

The drawback is that one needs to buffer these events. In your case the 
number of events exceeds the size of the log buffer. So you may miss the 
events you were looking for.

So the general advice is to:
 - limit log entries in the rulebase. (No point in counting allowed SMTP 
   traffic if you can track them in your SMTP server logs anyway.)
 - increase the buffer if the previous change did not remedy the 
   situation.

Full logging is a limited tool in troubleshooting. I find fw monitor and 
tcpdump better tools along with a good network drawing.

Hugo.

-- 
        [EMAIL PROTECTED]       http://hvdkooij.xs4all.nl/
            This message is using 100% recycled electrons.
