RE: Firewall Logging question?

["Dan Lynch" <DLynch () placer ca gov>]

Of course, it depends. :-)

I log "accept", for example, for administrative actions, such as a
remote desktop connection to a server. I don't log "accept" for normal
programmatic connections like between a web server and a SQL server.
Those are too numerous to be informative and only serve to take up log
space and add noise. I sometimes turn on logging for brief periods to
troubleshoot or validate a connection or a rule.

For me, the general rule is to log a connection if the entry will add
more information than noise.

Hope this helps.

- Dan

Dan Lynch, CISSP
Information Technology Analyst
County of Placer

(530) 889-4222 

> -----Original Message-----
> From: listbounce () securityfocus com 
> [mailto:listbounce () securityfocus com] On Behalf Of Albert R. Campa
> Sent: Monday, May 19, 2008 2:27 PM
> To: security-basics
> Subject: Firewall Logging question?
>
> Hi,
>
> I am wondering what your opinion is on Firewall logging for 
> "Accept/Permit/Allow" rules?
>
> Is it really necessary? Are just the "deny" logs critical?
> Say disk space is not in abundance.
>
> Should you not log "accept/permit/allow" firewall rules, or 
> log everything and have your retention reduced?
>
> What are advantages to logging "accept/permit/allow" rules in 
> a firewall?
>
> Thank in advance.
>
> Albert