> -----Original Message----- > From: James Mackinnon [mailto:[EMAIL PROTECTED] > Sent: Tuesday, September 20, 2005 11:48 AM > To: Will H. Backman; [email protected] > Subject: RE: PFLogging to Syslog > > yes, this is true.. Probably lose a bit as currently I am logging all in > and out on a fairly busy network all back to 1 logger. > > I will do some reading on this one as well, thanks > >
You should be careful with this kind of setup. If your log host goes down, your network will get trashed by ARP "who has" broadcast requests from any firewalls on the same network as the log host. Logging every packet in real time causes enough unicast overhead, and will drive your network utilization way up if every packet passing though the firewall suddenly starts causing ARP broadcasts.
