We are finding squid's logging options quite limited, and are wondering if
there are any patches, or other ways to deal with some of the issues we
encounter. For example, in the past few weeks, we've had numerous
cases where a single client can generate 600Mb+ of log entries in a day,
all caused by spyware hitting a small group of URLs many times per
second. Of course, they are all denied, since we require authentication
for all except a few cases, and the spyware doesn't pass credentials to
the proxy.

During times when our proxy is being assaulted by spyware, it spends a
great deal of CPU time logging these denials. I would like to explore the
possibility of one or more of the following:

- handing off the logging to a separate process such as multilog
- finding some way to place log limits where multiple lines from a single
  host would otherwise fill the logs, i.e. maximum 5 denials logged per
  second per host, with a burst of 20.
- limiting max # of connections allocated to a single IP per minute, since
  delay pools won't help when all the connections are denials (I don't
  think).

Thanks for any suggestions.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Shawn Wright, I.T. Manager
Shawnigan Lake School
http://www.sls.bc.ca
swright@sls.bc.ca
Received on Tue Nov 23 2004 - 15:44:55 MST
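
The limit asked for above (5 denials logged per second per host, burst of 20) is a per-host token bucket. The sketch below is an added example, not part of the original post and not Squid code: it filters access.log lines in a separate process, assuming Squid's native log format (timestamp, elapsed, client, code/status, ...), and the names DenialLimiter, filter_lines and sample_log are made up for illustration.

```python
from collections import defaultdict

RATE, BURST = 5.0, 20.0   # per-host denials/second and burst size, as in the post


class DenialLimiter:
    """Token bucket per client address, driven by the log's own timestamps."""

    def __init__(self, rate=RATE, burst=BURST):
        self.rate, self.burst = rate, burst
        self.buckets = {}                    # host -> (tokens, last timestamp)
        self.suppressed = defaultdict(int)   # host -> lines dropped

    def allow(self, host, ts):
        tokens, last = self.buckets.get(host, (self.burst, ts))
        # Refill for elapsed time, capped at burst; ignore backwards clock steps.
        tokens = min(self.burst, tokens + max(0.0, ts - last) * self.rate)
        ok = tokens >= 1.0
        if ok:
            tokens -= 1.0
        else:
            self.suppressed[host] += 1
        self.buckets[host] = (tokens, max(ts, last))
        return ok


def filter_lines(lines, limiter=None):
    """Return (kept_lines, suppressed_counts). Only TCP_DENIED lines are limited."""
    limiter = limiter or DenialLimiter()
    kept = []
    for line in lines:
        f = line.split()
        # Native format: time elapsed client code/status bytes method URL ...
        try:
            denied = f[3].startswith("TCP_DENIED/")
            ts = float(f[0])
        except (IndexError, ValueError):
            denied = False                   # unparseable lines are always kept
        if not denied or limiter.allow(f[2], ts):
            kept.append(line)
    return kept, dict(limiter.suppressed)


def sample_log():
    """Constructed sample input: 100 denials in one instant, 10 a second later."""
    deny = "{:.3f}      0 {} TCP_DENIED/407 1714 GET http://tracker.example/b - NONE/- text/html"
    lines = [deny.format(1000.0, "10.0.0.5") for _ in range(100)]
    lines += [deny.format(1001.0, "10.0.0.5") for _ in range(10)]
    lines.append("1001.500    120 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.org/ user DIRECT/192.0.2.10 text/html")
    lines.append(deny.format(1001.6, "10.0.0.9"))
    return lines
```

The suppressed counts are returned so that a summary line per host can still be written; dropping denials silently would hide which clients are infected.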