Firewall Wizards mailing list archives

RE: Reading firewall logs


From: "Litney, Tom" <TLitney () caiso com>
Date: Wed, 26 Apr 2000 15:33:15 -0700

Hi Alex,

  Is this a troll?  You're asking a list of security people the value of
reviewing firewall logs (or any system logs for that matter)?  Of course it
is very important, and yes, there are products on the market that may help you
do this (e.g. WEBTRENDS).  I happen to like good old-fashioned shell scripts
with the liberal use of grep -v.  The idea being to throw away everything that
you don't need to see and don't care about, leaving the stuff a human
security eye needs to check.  Of course you can use PERL or your language du
jour.  It shouldn't take a few hours to review firewall logs after this type
of processing.  It only takes me about 15 minutes max per firewall
(sometimes the follow-up on incidents can take a bit longer :-) ).

   Tom

-----Original Message-----
From: Alex Lim [mailto:mwlalex () magix com sg]
Sent: Tuesday, April 25, 2000 8:22 PM
To: fwz
Subject: [fw-wiz] Reading firewall logs


Hi,

I am hoping to hear some enlightening comments on reading firewall logs.
I am curious if people are actually doing it, or if there are some kind of
tools that we can buy off the shelf. I don't think it's productive or
efficient to ask an employee to spend a few hours reading the logs just
to look out for anomalies.

Anyone care to comment? BTW I am referring to the Checkpoint FW-1 logs.

TIA
Alex Lim
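Tom's grep -v approach, written out as an added example (not code from either poster): a file of known-noise patterns is subtracted from the log with grep -v -f, and whatever survives is summarised per source so repeated probes stand out. The log lines, the simplified "date time action src dst service rule" layout, and the noise patterns are all constructed for this example and are not a real FW-1 export.

```shell
#!/bin/sh
# Added example: filter known-noise lines out of a firewall log and
# summarise what remains. Everything below is constructed sample data.

# Constructed sample log, simplified layout: date time action src dst service rule
SAMPLE_LOG='26Apr2000 09:01:02 accept 10.1.1.5 192.0.2.10 http 4
26Apr2000 09:01:05 drop 198.51.100.7 192.0.2.10 netbios-ns 20
26Apr2000 09:01:09 accept 10.1.1.8 192.0.2.25 smtp 6
26Apr2000 09:02:11 drop 203.0.113.9 192.0.2.10 telnet 20
26Apr2000 09:02:14 drop 198.51.100.7 192.0.2.11 netbios-ns 20
26Apr2000 09:02:30 accept 10.1.1.5 192.0.2.10 http 4
26Apr2000 09:03:01 drop 203.0.113.9 192.0.2.12 telnet 20
26Apr2000 09:03:02 drop 203.0.113.9 192.0.2.13 telnet 20'

# Known-noise patterns, one per line (constructed): accepted traffic on rules
# we have reviewed, and NetBIOS name-service chatter dropped by the cleanup
# rule. Keep each pattern anchored and specific; a loose pattern here silently
# hides real events, so the list should be reviewed whenever the rulebase changes.
NOISE_PATTERNS='accept .* http 4$
accept .* smtp 6$
drop .* netbios-ns 20$'

# filter_noise: print only the log lines that match none of the noise patterns.
filter_noise() {
    patfile=$(mktemp)
    printf '%s\n' "$NOISE_PATTERNS" > "$patfile"
    printf '%s\n' "$SAMPLE_LOG" | grep -v -f "$patfile"
    rm -f "$patfile"
}

# summarize_sources: count surviving drop entries per source address, busiest
# first, so one host probing several destinations is visible at a glance.
summarize_sources() {
    filter_noise | awk '$3 == "drop" { n[$4]++ } END { for (s in n) print n[s], s }' | sort -rn
}

filter_noise
summarize_sources
```

In practice the pattern file lives on disk and grows as each new kind of noise is understood and explicitly ruled out.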
