Security Basics mailing list archives

Re: Keeping Firewall Logs


From: Mark Ng <aliasklap () markng co uk>
Date: Wed, 16 Apr 2003 17:55:37 +0100

On Tuesday 15 April 2003 12:21 am, Naman Latif wrote:
Hi,
We have a PIX firewall, which logs all the "Permits" and "Denys". We are
developing a policy regarding "how long these log files should be kept".
Does anyone have any tips regarding this? And how have they implemented
it in their network?

I've had an amount of success with a standard syslog server running on 
hardened *BSD hosts (any *nix will do, and I believe that you can get syslog 
servers for NT too).  My general rule is to keep files up to three months - 
this can cause significant load on disk space though depending on how busy 
your firewalls are - this is easy to implement with cron scripts looking for 
files older than a certain amount of time and removing them.

Regards,


Mark Ng
Director,
Information Intelligence Ltd.
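
The cron-driven cleanup described in the message above, as an added example that is not part of the original post. The `*.log*` file naming, the script path in the cron comment and the function name are assumptions; the 90-day figure stands in for the "three months" mentioned.

```shell
#!/bin/sh
# Added example: retention purge for a syslog directory that receives firewall logs.
# Hypothetical cron entry (path and schedule are assumptions):
#   15 3 * * * /usr/local/sbin/purge-fw-logs.sh /var/log/pix 90

# purge_old_logs DIR DAYS [dry-run]
# Prints each file it removes (or would remove in dry-run mode).
# Returns 2 on unsafe or malformed arguments.
purge_old_logs() {
    dir=$1
    days=$2
    mode=${3:-delete}

    # Refuse "/", empty and relative paths so an unset variable cannot
    # turn the purge loose on the whole filesystem.
    case $dir in
        /)  echo "refusing to purge /" >&2; return 2 ;;
        /*) ;;
        *)  echo "log dir must be an absolute path" >&2; return 2 ;;
    esac
    # The directory must exist and must not be a symlink someone swapped in.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "not a real directory: $dir" >&2; return 2
    fi
    # DAYS must be a positive integer.
    case $days in
        ''|*[!0-9]*) echo "days must be a number" >&2; return 2 ;;
    esac
    if [ "$days" -le 0 ]; then
        echo "days must be greater than zero" >&2; return 2
    fi

    # -type f skips symlinks, -xdev stays on one filesystem, and the name
    # filter keeps the purge away from anything that is not a log file.
    if [ "$mode" = dry-run ]; then
        find "$dir" -xdev -type f -name '*.log*' -mtime +"$days" -print
    else
        find "$dir" -xdev -type f -name '*.log*' -mtime +"$days" \
            -print -exec rm -f -- {} +
    fi
}

# When run as a script with arguments, act on them.
if [ "$#" -ge 2 ]; then
    purge_old_logs "$@"
fi
```

Running it with `dry-run` as the third argument first shows what a given retention period would delete before the cron job is enabled.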
