On Mon, 28 Feb 2005 07:36:19 +0800, John <naverxp at yahoo dot com dot sg> wrote:
> Hm, thanks.
> Do you suggest CF then? Once a DDoS comes through for sometime, wouldn't
> the write-time run out? heh.
Either is probably equally suitable. You waste less space on a CF,
but they're of roughly equal cost when you factor in a CF to IDE
Write time run out? On syslog you mean? If your syslog box isn't
fast enough to write all the logs to disk, then you'll end up with
some dropped logs (it's UDP, so no guarantee it'll even get received
much less written to disk). Personally if I'm getting DDoS'ed, the
last of my concerns would be losing a handful of logged packets out of
a few million. I think you'll still have enough logs to get the idea.