RE: [fwAnalog] fwanalog.all.log too big

From: Micha Silver (Micha~AT~arava.co.il)
Date: Wed Oct 22 2003 - 21:24:05 CEST


> -----Original Message-----
> From: balazs~AT~tud.at [mailto:balazs~AT~tud.at]
> Sent: Wednesday, October 22, 2003 8:03 PM
> To: fwanalog~AT~tud.at
> Subject: Re: [fwAnalog] fwanalog.all.log too big

Hello Balázs:

> Hello,
> The algorithm is the following:
> 1. the logfiles that match the filename patterns in the config file and
> are newer than inputfiles_mtime are grepped for matching lines and
> converted into fwanalog.current.log.
> 2. The last line of fwanalog.all.log is searched in fwanalog.current.log
> and everything after it is appended to fwanalog.all.log.

Now it's much clearer to me.
So fwanalog.all.log grows without bounds.

>
> By changing inputfiles_mtime, you only optimize the first part of the
> processing which doesn't take as long as the Analog processing does.
> So it won't help very much.

Yes, I saw that. The fwanalog part finishes in 10-15 min, and then Analog churns away for over 2 hrs.

>
> Perhaps if you have such problems with the logfile size, you could take
> out the obvious worm attacks (SQL Slammer, MS Blaster etc.) and
> concentrate just on the "interesting" blocked packets.

I'll look into this. Many thanks for your help.

--Micha

>
> Regards
> --
> _________________________________________________________________________
> Balázs Bárány balazs~AT~tud.at http://tud.at
> ICQ 10747763
>
> A good engineer will make considerable effort to avoid additional effort.
>

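The append step and the worm filtering discussed in the message above, sketched as an added example (not fwanalog's own code and not part of the original e-mail). It assumes iptables-style log lines with PROTO= and DPT= fields; the function names, the port choices (UDP 1434 for SQL Slammer, TCP 135 for MS Blaster) and the fallback of appending everything when the last line is not found are assumptions.

```shell
#!/bin/sh
# Added illustration, not fwanalog's own code. Call `demo` to see it work.

# Assumed filter: Slammer probes UDP 1434, Blaster probes TCP 135.
# "( |$)" stops DPT=135 from also matching DPT=1350.
WORM_RE='PROTO=UDP .*DPT=1434( |$)|PROTO=TCP .*DPT=135( |$)'

# drop_worm_noise: stdin -> stdout, without the worm probes above.
drop_worm_noise() {
    grep -v -E "$WORM_RE" || [ $? -eq 1 ]   # grep exit 1 = nothing left, not an error
}

# append_new_lines CURRENT ALL
# Finds the last line of ALL in CURRENT and appends everything after it,
# minus worm noise. If ALL is empty or its last line is not in CURRENT,
# all of CURRENT is appended (assumed fallback; it can duplicate lines).
append_new_lines() {
    current=$1 all=$2
    [ -f "$all" ] || : > "$all"
    last=$(tail -n 1 "$all")
    hit=0
    if [ -n "$last" ]; then
        # ENVIRON passes the line verbatim; awk -v would interpret backslashes.
        hit=$(LAST="$last" awk 'BEGIN { last = ENVIRON["LAST"] }
                                $0 == last { n = NR }
                                END { print n + 0 }' "$current")
    fi
    tail -n +"$((hit + 1))" "$current" | drop_worm_noise >> "$all"
}

# demo: constructed sample lines, two consecutive runs, prints the final ALL.
demo() {
    d=$(mktemp -d) && p='Oct 22 10:00'
    printf '%s\n' "$p:01 fw kernel: PROTO=TCP SPT=4000 DPT=22 WINDOW=5840" > "$d/all"
    { cat "$d/all"
      printf '%s\n' "$p:02 fw kernel: PROTO=UDP SPT=3000 DPT=1434 LEN=384" \
                    "$p:03 fw kernel: PROTO=TCP SPT=4001 DPT=135 WINDOW=5840" \
                    "$p:04 fw kernel: PROTO=TCP SPT=4002 DPT=23 WINDOW=5840"
    } > "$d/current"
    append_new_lines "$d/current" "$d/all"
    append_new_lines "$d/current" "$d/all"   # second run must add nothing
    cat "$d/all"; rm -rf "$d"
}
```

Because the filter runs only on the appended tail, the last line of the combined log is always a line that also exists unfiltered in the current log, so the next run still finds its starting point.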


This archive was generated by hypermail 2.1.5 : Fri Nov 07 2003 - 20:02:03 CET