[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [hobbit] Flooding hobbit

To: hobbit (at) hswn.dk
Subject: Re: [hobbit] Flooding hobbit
From: "Etienne Grignon" <etienne.grignon (at) gmail.com>
Date: Thu, 24 Apr 2008 10:50:35 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=uIggYHn/EDgVtsNUz0RvUFukuvrRuXk0TXVn00oKML4=; b=TgPSRTtm1Eolo+FIVnhskU35xPfCX2UjY3A7YpH/7+I1zXcWKcBv1x2rSBuxruCKuJE8FSnzBUWBkDLrZbnIHU4tYm41NHHxSDbGmRDjswxu94znQu5LERQTsyBQIpfC04SvFKxHRYelF6LrTLFS3/Z4fjzc1+7kCuofGw9LnO8=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=nLyuqHvA06p2zKIR12KawCY7KU1AUqec/1LT1qelk1DHf68CLVXvtjCTrAxUJLlqhgE7j/XAYAzgOaSICcYg8gKyAfY6JW4Hxvgqc0da97tTxU/de3a/83Vf7WgxUZB8raVPKEFGyj/bjVOXn6w78agSxIlmkjZ1G9/+oWtM1Vg=
References: <1d23acab0804171237md0a952dnbc0262dd64650f2c (at) mail.gmail.com> <BAC1D28A5AB852439A6914CA7AB4E63F05B12BAE (at) permls05.wde.woodside.com.au>

Hello Vernon,

2008/4/18, Everett, Vernon <Vernon.Everett (at) woodside.com.au>:

> Hoping somebody has encountered this before.
> We have put BBWin on a few Windoze servers, but one of the, a DC, has a HUGE
> event log.
> So large, that hobbit is freaking out, and doing the "Data flooding from
> 1.2.3.4, closing connection" thing.
>
> I know this is hobbit protecting iteself from a DOS attack, but is there a
> way around this?
> Can I somehow tell hobbit not to do this for that IP address?
>
> Unfortunately, because of its function, we can't reduce the logging on the
> Windoze server, so we need to either
>     a) get hobbit to handle the problem (desirable solution)
>     b) get bbwin to truncate the event log (less desirable)
>

Do you use the central or local mode of BBWin ?

Depending the mode you use, you may add ignore rules in your BBWin.cfg
(local mode) or client-local.cfg (win32 section) on the hobbit server.

Example for local mode in BBWin.cfg :
<ignore logfile="Application" type ="Error" eventid="2001" />

Example for central mode in client-local.cfg :
[win32]
eventlog:application
ignore 2001




-- 
Etienne GRIGNON

Follow-Ups:
- RE: [hobbit] Flooding hobbit
  - From: Everett, Vernon

References:
- Best way to do interface graphs?
  - From: Stewart L
- Flooding hobbit
  - From: Everett, Vernon

Prev by Date: Re: [hobbit] Doc URL on client pages
Next by Date: RE: [hobbit] Doc URL on client pages
Previous by thread: Re: [hobbit] Flooding hobbit
Next by thread: RE: [hobbit] Flooding hobbit
Index(es):
- Date
- Thread