Firewall Wizards mailing list archives

Re: Reading firewall logs


From: ark () eltex ru
Date: Thu, 27 Apr 2000 14:14:06 +0400

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

I do.
My firewall is fwtk derivative, so all the logs are pretty human-readable.
What I have:

a tool that shows me log with fancy colors, custom filtering and separate
event window - allowing me to find important information real fast.
On-demand reports are also there.

an alert subsystem that informs me if something really worthy of notice
happens and sends me a message to my GSM phone

a frequentcheck thing that runs from cron and reports unusual activity

daily, weekly and monthly summary reports.

The only damn thing that really annoys me and wastes my time is
misconfigured ICQ clients all over the Internet. Unfortunately I can't
just kill the stupid beast forever.

Alex Lim <mwlalex () magix com sg> said:

Hi,

I am hoping to hear some enlightening comments on reading firewall logs.
I am curious if people are actually doing it or is there some kind of
tool that we can buy off the shelf. I don't think it's productive or
efficient to ask an employee to spend a few hours reading the logs just
to look out for anomalies.

Anyone care to comment? BTW I am referring to the Checkpoint FW-1 logs.

TIA
Alex Lim


                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBOQgS7aH/mIJW9LeBAQGL+wP+Otajf+UfAVtB+rXJNdwtmmKlNx72TiFH
xRIB1+3mFLgzaTKkfk9+WNHhgstk4IX5qEy3+Knv3bN1iqTfXNqErKhFpVOybG44
G7dZ68R+pTdXFGbUPXQBOSMjBD4wv3dNHO5Av8hI81zMNY3BuRudiMqZubBxxVBX
SpaLkaQqMYY=
=SpoW
-----END PGP SIGNATURE-----
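The "frequentcheck thing that runs from cron" described in the post above is the piece most people end up writing themselves. As an added example, not the poster's own tool and not real fwtk output, here is a small Python script in that spirit: it parses a handful of constructed syslog-style permit/deny lines (the "host=name/ip use of service" shape is an assumption made for illustration), counts denies per source, compares them against a baseline from an earlier run, and flags new sources, count spikes and sources swept across many services. The baseline dictionary and all log lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log for this example. The line shape
# ("<prog>[pid]: <permit|deny> host=<name>/<ip> use of <service>") is an
# assumption made for illustration, not a claim about exact fwtk output.
SAMPLE_LOG = """\
Apr 27 13:58:01 fw netacl[1201]: permit host=mail.example.org/10.1.1.5 use of smtpd
Apr 27 13:58:07 fw netacl[1202]: deny host=unknown/203.0.113.9 use of telnetd
Apr 27 13:58:08 fw netacl[1203]: deny host=unknown/203.0.113.9 use of ftpd
Apr 27 13:58:09 fw netacl[1204]: deny host=unknown/203.0.113.9 use of rlogind
Apr 27 13:58:10 fw netacl[1205]: deny host=unknown/203.0.113.9 use of fingerd
Apr 27 13:59:30 fw http-gw[1210]: log host=proxy.example.org/10.1.1.7: GET http://www.example.com/
Apr 27 14:00:02 fw netacl[1211]: deny host=unknown/198.51.100.20 use of http-gw
Apr 27 14:00:03 fw netacl[1212]: deny host=unknown/198.51.100.20 use of http-gw
Apr 27 14:00:04 fw netacl[1213]: deny host=unknown/198.51.100.20 use of http-gw
Apr 27 14:00:05 fw netacl[1214]: deny host=unknown/198.51.100.20 use of http-gw
Apr 27 14:00:06 fw netacl[1215]: deny host=unknown/198.51.100.20 use of http-gw
Apr 27 14:00:07 fw netacl[1216]: deny host=unknown/198.51.100.20 use of http-gw
Apr 27 14:01:15 fw netacl[1217]: deny host=dsl-77.example.net/192.0.2.77 use of ftpd
"""

# Baseline: typical denies per source per run, as an earlier run would have
# recorded them. Constructed for the example.
BASELINE = {"198.51.100.20": 1, "192.0.2.77": 2}

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<prog>[\w-]+)\[\d+\]: (?P<action>permit|deny) "
    r"host=(?P<name>[^/\s]+)/(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) use of (?P<svc>\S+)$"
)


def parse_log(text):
    """Return (events, skipped): parsed permit/deny records and the count of
    lines that did not match, so a format change shows up in the report
    instead of being silently dropped."""
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        else:
            skipped += 1
    return events, skipped


def summarize(events):
    """Per-source deny counts and the set of services each source was denied on."""
    denies = Counter()
    services = defaultdict(set)
    for ev in events:
        if ev["action"] == "deny":
            denies[ev["ip"]] += 1
            services[ev["ip"]].add(ev["svc"])
    return denies, services


def find_unusual(events, baseline, deny_threshold=5, sweep_threshold=3):
    """Flag sources that are new, that spiked well above their baseline, or
    that were denied on many distinct services (a sweep). Returns a sorted
    list of (ip, reason, count) tuples; an empty list means a quiet period."""
    denies, services = summarize(events)
    alerts = []
    for ip in sorted(denies):
        n = denies[ip]
        if ip not in baseline:
            alerts.append((ip, "new source", n))
        elif n >= max(deny_threshold, 3 * baseline[ip]):
            alerts.append((ip, "deny count spike", n))
        if len(services[ip]) >= sweep_threshold:
            alerts.append((ip, "service sweep", len(services[ip])))
    return alerts


def report(text, baseline):
    """Plain-text summary of the kind cron would mail after each run."""
    events, skipped = parse_log(text)
    alerts = find_unusual(events, baseline)
    lines = [f"{len(events)} events parsed, {skipped} unparsed lines"]
    for ip, reason, n in alerts:
        lines.append(f"ALERT {ip}: {reason} ({n})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG, BASELINE))
```

In a real deployment the baseline would be rewritten from each run's counts and the thresholds tuned to the site; the unparsed-line counter is there so that a logging format change (or a rotated file) is noticed rather than producing a reassuringly empty report.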