Firewall Wizards mailing list archives
Re: Appropriate PIX logging level
From: "Adrian Grigorof" <adi () grigorof com>
Date: Fri, 7 Apr 2006 17:17:10 -0400
To get information about the traffic (the "allow" mentioned in your email) you need at least level 6 (informational). Oddly enough, you can get the URLs accessed (but no other traffic info) with level 5 (Notification). If you are only interested in denials you can keep the logging to level 4 (Warning).

If storage is an issue, you can simply zip the logs (some log analyzers - see www.firegen.com - can do that or you can script it). The information in PIX logs is highly compressible - a 100 MB log can be compressed to a 7-8 MB file or even less, depending on what syslog server you are using.

Regards,

Adrian Grigorof
Altair Technologies
www.altairtech.ca
www.eventid.net

----- Original Message -----
From: "Ravdal, Stig" <SRavdal () Quiznos com>
To: <firewall-wizards () honor icsalabs com>
Sent: Friday, April 07, 2006 11:31
Subject: [fw-wiz] Appropriate PIX logging level

Hi guys,

I'm having a discussion with some of our network engineers about the appropriate level of logging on a Cisco PIX firewall. The major complaint I get for increasing the logging level is because of lack of storage. Are there standard or best practice references that I can bring to the table?

I'm expecting to get some variation in responses from this post. What may be helpful to me is to understand what information is being lost by going to the next lower level.

At a minimum I think we should be logging and analyzing: date/time, interface(s), src/dst IP, src/dst port, proto, allow/deny, rule applied (, other?). Does that seem right? What about SYN/ACK and so on?

Based on the information I believe we should be logging, what does the logging level on a PIX have to be set to?

Thanks,
Stig Ravdal

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
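Added example, not part of the original messages: a small Python script that takes PIX syslog text and shows which lines survive at logging levels 4, 5 and 6, along with raw and gzip-compressed size, to make the storage trade-off discussed above concrete. The sample log lines, addresses and function names are constructed for illustration; the severity is read from the standard %PIX-<level>-<message id> tag.

```python
import gzip
import re
from collections import Counter

# Constructed sample lines in PIX syslog format; addresses are documentation ranges.
SAMPLE = """\
Apr 07 2006 11:31:02: %PIX-6-302013: Built outbound TCP connection 1001 for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.1.1.5/3345 (198.51.100.2/3345)
Apr 07 2006 11:31:02: %PIX-5-304001: 10.1.1.5 Accessed URL 192.0.2.10:/index.html
Apr 07 2006 11:31:03: %PIX-6-302014: Teardown TCP connection 1001 for outside:192.0.2.10/80 to inside:10.1.1.5/3345 duration 0:00:01 bytes 5120 TCP FINs
Apr 07 2006 11:31:04: %PIX-4-106023: Deny tcp src outside:203.0.113.7/4431 dst inside:10.1.1.9/445 by access-group "outside_in"
Apr 07 2006 11:31:05: %PIX-2-106001: Inbound TCP connection denied from 203.0.113.7/4432 to 10.1.1.9/139 flags SYN on interface outside
"""

# Severity digit and six-digit message id from the %PIX tag.
TAG = re.compile(r"%PIX-(\d)-(\d{6}):")


def retained(lines, level):
    """Return the lines a firewall logging at `level` would still emit.

    Syslog severities are numeric: a message is sent when its severity
    is less than or equal to the configured level.
    """
    kept = []
    for line in lines:
        m = TAG.search(line)
        if m and int(m.group(1)) <= level:
            kept.append(line)
    return kept


def report(text, levels=(4, 5, 6)):
    """Per level: line count, raw size, gzip size and message-id tally."""
    lines = text.splitlines()
    rows = {}
    for level in levels:
        kept = retained(lines, level)
        raw = ("\n".join(kept) + "\n").encode()
        rows[level] = {
            "lines": len(kept),
            "raw_bytes": len(raw),
            "gzip_bytes": len(gzip.compress(raw)),
            "ids": Counter(TAG.search(l).group(2) for l in kept),
        }
    return rows


if __name__ == "__main__":
    # Repeat the sample so the compression figure is meaningful.
    for level, r in report(SAMPLE * 200).items():
        print(level, r["lines"], r["raw_bytes"], r["gzip_bytes"], dict(r["ids"]))
```

Running it against a day of real syslog output instead of SAMPLE gives the actual line counts and compressed sizes for each candidate level.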