Security Basics mailing list archives
RE: Firewall Logging question?
From: "Dan Lynch" <DLynch () placer ca gov>
Date: Tue, 20 May 2008 10:39:10 -0700
Of course, it depends. :-)

I log "accept", for example, for administrative actions, such as a remote desktop connection to a server. I don't log "accept" for normal programmatic connections like between a web server and a SQL server. Those are too numerous to be informative and only serve to take up log space and add noise.

I sometimes turn on logging for brief periods to troubleshoot or validate a connection or a rule.

For me, the general rule is to log a connection if the entry will add more information than noise.

Hope this helps.

- Dan

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
(530) 889-4222
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Albert R. Campa
Sent: Monday, May 19, 2008 2:27 PM
To: security-basics
Subject: Firewall Logging question?

Hi,

I am wondering what your opinion is on Firewall logging for "Accept/Permit/Allow" rules? Is it really necessary? Are just the "deny" logs critical?

Say disk space is not in abundance. Should you not log "accept/permit/allow" firewall rules, or log everything and have your retention reduced?

What are the advantages to logging "accept/permit/allow" rules in a firewall?

Thanks in advance.

Albert