Security Basics mailing list archives
Re: Logs from Firewall NetScreen
From: krymson () gmail com
Date: Tue, 6 Sep 2011 21:04:10 GMT
I would say you want to enable as much as you can, and then start watching the logs as they come in. There are 2 broad scenarios for SIEM collection:

1) Log gathering and archiving

In this, you want to look at any logs coming in and ask yourself, "Will I ever need to see these entries as part of an investigation or forensics question?" If not, discard them. Log management has done this task for quite some time and it's pretty clear.

2) Event alarming (SIEM)

In this, you want to ask yourself, "When this log entry comes through my SIEM as an event, will it ever be something I need to look at to reveal an incident?" SIEM still generates way too many false positive events. Do you want to watch log entries that hit your DENY rules? Not usually, but sometimes, sure! A SIEM is poor in making many detailed distinctions like that.

You can even argue that there's nothing you really want to see off your firewall other than failed administrative logins, reboots, successful administrative logins, and commands issued. Alarming on anything else will incur administrative overhead and your time. Everything else can just be archived per scenario #1 above.

<- snip ->

Hello,

I'm wondering if someone knows which log options should be activated in the syslogs of a NetScreen firewall. In my case, we have the following log settings:

- Emergency -> Activated
- Alert -> Activated
- Critical -> Activated
- Error -> Activated
- Warning -> Deactivated
- Notification -> Deactivated
- Information -> Deactivated
- Debugging -> Deactivated

But I do not know if these are the best practices. I would think to keep activated just Emergency, Alert, Critical and Notification, but I'm not sure; the other option is to activate all... The problem with the latter is that there's too much information that my SIEM receives, and I don't know if every event is important to monitor...

I hope someone could help me...
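The triage the reply describes (archive most firewall events for investigations, alarm only on administrative logins, reboots and commands, and drop what will never be needed) can be applied at the collector before events reach the SIEM. The Python below is an added example for this thread, not code from either poster or from the SIEM in question. It assumes a NetScreen-style syslog layout of the form "[Root]system-<severity>-<code>(<category>): <text>"; the sample lines and their five-digit message codes are constructed for the example and are not real ScreenOS message IDs, and the keyword rules are illustrative.

```python
import re
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Disposition(Enum):
    ALERT = "alert"      # scenario 2: feed the SIEM's alarming/correlation
    ARCHIVE = "archive"  # scenario 1: keep searchable for investigations only
    DISCARD = "discard"  # never needed for forensics, drop at the collector


# ScreenOS syslog severity names, most to least severe.
SEVERITIES = ("emergency", "alert", "critical", "error",
              "warning", "notification", "information", "debugging")

# Assumed layout: "... [Root]system-<severity>-<code>(<category>): <text>".
# The five-digit codes in SAMPLE_LINES are placeholders, not real message IDs.
MSG_RE = re.compile(
    r"system-(?P<sev>[a-z]+)-(?P<code>\d{5})\((?P<cat>[a-z]+)\):\s*(?P<text>.*)$"
)

# The short list from the reply: the only firewall events worth alarming on.
# Order matters: the failed-login rule runs before the successful-login rule.
ALERT_RULES = (
    ("admin_login_failed", re.compile(r"admin user .*login attempt.*failed", re.I)),
    ("admin_login_ok",     re.compile(r"admin user .*logged in", re.I)),
    ("reboot",             re.compile(r"system (was )?(reboot|restart)", re.I)),
    ("command",            re.compile(r"issued command|configuration was saved", re.I)),
)


@dataclass(frozen=True)
class Verdict:
    disposition: Disposition
    reason: str


def triage(line: str) -> Verdict:
    """Decide whether one syslog line is alarmed on, archived, or dropped."""
    m = MSG_RE.search(line)
    if not m or m["sev"] not in SEVERITIES:
        # Unknown format: never drop silently, keep it for a human to inspect.
        return Verdict(Disposition.ARCHIVE, "unparsed")
    sev, cat, text = m["sev"], m["cat"], m["text"]
    if sev == "debugging":
        return Verdict(Disposition.DISCARD, "debug_noise")
    for reason, pattern in ALERT_RULES:
        if pattern.search(text):
            return Verdict(Disposition.ALERT, reason)
    if cat == "traffic":
        # Policy hits (including DENY) are archived, not alarmed, per the reply.
        action = "deny" if re.search(r"\baction=deny\b", text, re.I) else "permit"
        return Verdict(Disposition.ARCHIVE, f"{action}_traffic")
    return Verdict(Disposition.ARCHIVE, f"{sev}_other")


def summarize(lines) -> dict:
    """Count how many lines land in each disposition."""
    return dict(Counter(triage(line).disposition.value for line in lines))


# Constructed sample lines in the assumed layout (codes are placeholders).
SAMPLE_LINES = [
    'ns-fw: NetScreen device_id=ns-fw [Root]system-notification-00001(admin): '
    'Admin user "netscreen" logged in for Web(https) management (port 443) from 10.0.0.5:51000',
    'ns-fw: NetScreen device_id=ns-fw [Root]system-alert-00002(admin): '
    'Admin user "netscreen" login attempt for Web(https) management (port 443) from 203.0.113.9:4102 failed',
    'ns-fw: NetScreen device_id=ns-fw [Root]system-critical-00003(system): '
    'The system was rebooted by admin "netscreen"',
    'ns-fw: NetScreen device_id=ns-fw [Root]system-notification-00004(admin): '
    'Admin user "netscreen" issued command "set policy id 12 disable" from 10.0.0.5:51000',
    'ns-fw: NetScreen device_id=ns-fw [Root]system-notification-00005(traffic): '
    'start_time="2011-09-06 20:59:01" duration=0 policy_id=5 service=tcp/port:445 proto=6 '
    'src zone=Untrust dst zone=Trust action=Deny sent=0 rcvd=0 src=203.0.113.9 dst=192.0.2.10',
    'ns-fw: NetScreen device_id=ns-fw [Root]system-debugging-00006(system): '
    'ike: phase 1 retransmit counter incremented for peer 198.51.100.7',
    'garbage line the collector could not parse',
]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        v = triage(line)
        print(f"{v.disposition.value:8} {v.reason:20} {line[:72]}")
    print(summarize(SAMPLE_LINES))
```

Unparsable lines are archived rather than dropped, so a format change on the firewall shows up as a growing "unparsed" bucket instead of a silent gap in the evidence. Debug-level lines are the only ones discarded outright; everything else survives for the investigation case even when it never raises an alarm.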
Current thread:
- Logs from Firewall NetScreen nbniel (Sep 05)
- Re: Logs from Firewall NetScreen pkc mls (Sep 06)
- <Possible follow-ups>
- Re: Logs from Firewall NetScreen krymson (Sep 06)