Firewall Wizards mailing list archives
Re: Reading firewall logs
From: jseymour () LinxNet com (Jim Seymour)
Date: Thu, 27 Apr 2000 08:25:53 -0400 (EDT)
Alex Lim <mwlalex () magix com sg> wrote:
> Hi, I am hoping to hear some enlightening comments on reading firewall logs. I am curious if people are actually doing it or is there some kind of tools that we can buy off the shelf.
The problem with automated log analysis is that over-summarization can cause important details to be lost. So it must be done carefully. The approach I've developed after lo these many years is to write Perl scripts (mostly) to summarize those things that can safely be summarized, sort/order those things that can safely be sorted/ordered (e.g.: by date/time, source/destination address/port, etc.) and discard those things that I *know for a fact* can *safely* be discarded. The rest gets emitted in a (mostly) raw form. I write the regex tests for raw logfile lines to be *very* specific, and cause any line that is not known to be emitted as "what's this?". I tune the script, as time goes on and new "unknowns" are discovered, to handle these things.
> I don't think it's productive or efficient to ask an employee to spend a few hours reading the logs just to look out for anomalies.
IMO, this is potentially as bad as--maybe even worse than--a log analyzer/summarizer that "over does" the job. In logfiles with even hundreds of lines - not-to-mention *thousands* - reader fatigue is *bound* to result in something important--or perhaps an important pattern--being missed.
> Anyone care to comment? BTW I am referring to the Checkpoint FW-1 logs.
Can't help you with that. I use Gauntlet (with which I haven't done all that much in custom log analysis) and T.REX.

Regards,
Jim

--
Jim Seymour | PGP Public Key available at:
jseymour () LinxNet com | http://www.cam.ac.uk.pgp.net/pgpnet/wwwkeys.html
http://home.msen.com/~jimsun | http://www.trustcenter.de/cgi-bin/SearchCert.cgi
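The triage approach Jim describes above (summarize what is safe to summarize, sort what is safe to sort, discard only what is known for a fact to be noise, and emit everything else raw, with anything not matched by a very specific pattern flagged as "what's this?") is illustrated below as an added example. It is not code from the original post, it is written in Python rather than Perl, and the log format, addresses and discard/summarize rules are all constructed assumptions for this example (a simple syslog-style line shape, not the real Checkpoint FW-1 format). The important design point is that the recognizer regex is fully anchored, so a line that is *almost* a known shape (for example one with an unexpected trailing field) falls through to the "what's this?" bucket instead of being silently summarized or discarded.

```python
import re
from collections import Counter

# Constructed sample log in a hypothetical syslog-style format (assumption, not FW-1):
#   <date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport> rule <n>
# Addresses are documentation/private ranges. Note the out-of-order timestamp on the
# ssh line, the extra trailing field on one accept line, and a non-traffic control line.
SAMPLE_LOG = """\
2000-04-26 09:12:01 accept tcp 10.1.2.3:40123 -> 192.0.2.10:80 rule 5
2000-04-26 09:12:02 drop udp 10.1.2.200:137 -> 10.1.2.255:137 rule 99
2000-04-26 09:11:58 accept tcp 10.1.2.4:40200 -> 192.0.2.10:80 rule 5
2000-04-26 09:12:05 drop tcp 198.51.100.7:31337 -> 192.0.2.10:23 rule 99
2000-04-26 09:12:06 drop tcp 198.51.100.7:31338 -> 192.0.2.10:21 rule 99
2000-04-26 09:12:07 accept tcp 10.1.2.3:40124 -> 192.0.2.10:80 rule 5
2000-04-26 09:12:09 drop udp 10.1.2.201:137 -> 10.1.2.255:137 rule 99
2000-04-26 09:12:10 accept tcp 10.1.2.3:40125 -> 192.0.2.10:80 rule 5 extra-field
2000-04-26 09:12:03 accept tcp 10.1.2.9:40300 -> 192.0.2.10:22 rule 5
2000-04-26 09:12:12 ctl: log rotated
"""

# One *very* specific, fully anchored pattern for the only line shape we claim to understand.
# Anything it does not match exactly is an "unknown" and is never silently dropped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>accept|drop) (?P<proto>tcp|udp) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d{1,5}) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d{1,5}) rule (?P<rule>\d+)$"
)


def is_safe_to_discard(m):
    """Known-for-a-fact noise (assumption for this example): NetBIOS name-service
    broadcasts from the inside LAN that the border rule drops anyway."""
    return (m["action"] == "drop" and m["proto"] == "udp"
            and m["sport"] == "137" and m["dport"] == "137"
            and m["dst"].endswith(".255"))


def is_safe_to_summarize(m):
    """Accepted web traffic from the inside LAN to the known web server (assumption):
    a count per (src, dst, dport) carries the same information as every line."""
    return (m["action"] == "accept" and m["proto"] == "tcp"
            and m["src"].startswith("10.1.2.") and m["dst"] == "192.0.2.10"
            and m["dport"] == "80")


def triage(log_text):
    """Split a log into: summarized counts, raw lines ordered by time, unknowns, discard count."""
    summary = Counter()
    raw = []
    unknown = []
    discarded = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unknown.append(line)            # "what's this?" -- surfaced, never hidden
            continue
        if is_safe_to_discard(m):
            discarded += 1
        elif is_safe_to_summarize(m):
            summary[(m["src"], m["dst"], m["dport"])] += 1
        else:
            raw.append((m["ts"], line))     # everything else goes out (mostly) raw
    raw.sort()                              # safe ordering: by date/time
    return {
        "summary": dict(summary),
        "raw": [text for _, text in raw],
        "unknown": unknown,
        "discarded": discarded,
    }


def report(result):
    """Render the triage result as the plain-text report a reader would actually scan."""
    out = ["== summarized (src -> dst:dport : count) =="]
    for (src, dst, dport), n in sorted(result["summary"].items()):
        out.append(f"{src} -> {dst}:{dport} : {n}")
    out.append("== raw (time-ordered) ==")
    out.extend(result["raw"])
    out.append("== what's this? ==")
    out.extend(result["unknown"])
    out.append(f"== discarded as known noise: {result['discarded']} ==")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run on the constructed sample, the two NetBIOS broadcasts are dropped from the report, the three web accepts collapse into two counted rows, the telnet/ftp probes and the ssh accept come out raw in time order (the 09:12:03 ssh line moves ahead of the 09:12:05 probe), and both the accept line with the stray trailing field and the "ctl: log rotated" line land under "what's this?" for the analyst to classify before the script is tuned to handle them.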
Current thread:
- Reading firewall logs Alex Lim (Apr 26)
- Re: Reading firewall logs Bill Pennington (Apr 27)
- Re: Reading firewall logs Lance Spitzner (Apr 27)
- RE: Reading firewall logs Andrew Helm-Cowley (Apr 27)
- Re: Reading firewall logs Jim Seymour (Apr 27)
- Re: Reading firewall logs Dominik Miklaszewski (Apr 28)
- <Possible follow-ups>
- RE: Reading firewall logs Litney, Tom (Apr 27)
- Re: Reading firewall logs ark (Apr 27)
- Re: Reading firewall logs Bill_Royds (Apr 28)
- RE: Reading firewall logs -reply Mark . Teicher (Apr 28)