Firewall Wizards mailing list archives
RE: Appropriate PIX logging level
From: "Tina Bird" <tbird () precision-guesswork com>
Date: Fri, 7 Apr 2006 15:04:45 -0700
> Hi guys,

as well as those of us who are *not* guys, i hope ;-)

> At a minimum I think we should be logging and analyzing: date/time, interface(s), src/dst IP, src/dst port, proto, allow/deny, rule applied (, other?). Does that seem right? What about SYN/ACK and so on?

here's one point to consider. it sounds like you're focussing only on the logs of network traffic in the vicinity of your PIX. but keep in mind that if it's correctly configured to allow only the traffic required by your business requirements, then the traffic logs aren't particularly interesting, or at least aren't obviously the best place to start. i'm always more interested in capturing logs of administrative activity on my firewall (in particular, changes to the access control configuration); login attempts on the firewall; unexpected reboots etc.

you might be interested in the firewall logging doc that i compiled and co-wrote, with heaps of assistance from chris brenton and a couple of other folks. brian ford .... oh brian ford ... where's my PIX contribution???

http://www.loganalysis.org/sections/parsing/application-specific/firewall-logging.html

(beware the evil line wrap)

cheers - tbird

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
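The distinction tbird draws above (traffic logs versus records of configuration changes, firewall logins and reboots), together with the field list Stig asks about, as an added example that is not part of the original thread: a small Python classifier that pulls the requested fields out of traffic messages, tags administrative messages by their message-id class, and shows which of them a given syslog severity threshold (the "logging level" in the subject line) would discard. The log lines are constructed; the message ids, formats and severities follow the PIX/ASA syslog conventions as the author recalls them and should be checked against the message reference for your software version.

```python
"""Sort PIX-style syslog lines into traffic and administrative events and
show what a severity threshold ("logging trap <level>") would drop.

Added example, not code from the original post.  The sample lines are
constructed; message ids, formats and severity digits follow the PIX/ASA
syslog conventions as the author recalls them (assumption; verify against
the syslog message reference for your platform).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log, one event per line (not from the original post).
SAMPLE_LOG = """\
Apr 07 2006 15:04:45 pix-fw : %PIX-4-106023: Deny tcp src outside:203.0.113.10/4512 dst inside:192.0.2.20/22 by access-group "outside_in"
Apr 07 2006 15:04:46 pix-fw : %PIX-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.11/51234 (203.0.113.11/51234) to inside:192.0.2.25/443 (192.0.2.25/443)
Apr 07 2006 15:05:01 pix-fw : %PIX-5-111008: User 'admin' executed the 'access-list outside_in permit tcp any host 192.0.2.20 eq 22' command.
Apr 07 2006 15:05:10 pix-fw : %PIX-6-605005: Login permitted from 192.0.2.99/3345 to inside:192.0.2.1/ssh for user "admin"
Apr 07 2006 15:06:00 pix-fw : %PIX-6-605004: Login denied from 192.0.2.77/4001 to inside:192.0.2.1/ssh for user "root"
Apr 07 2006 15:07:30 pix-fw : %PIX-6-199002: Startup completed. Beginning operation.
"""

# Common prefix: timestamp, hostname, "%PIX-<severity>-<message id>: <body>".
HEADER_RE = re.compile(
    r'^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : '
    r'%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$')

# Traffic bodies: a deny by access-group, and a built (allowed) connection.
# These carry the fields Stig listed: interfaces, src/dst IP and port, proto,
# allow/deny, and (for denies) the rule applied.
DENY_RE = re.compile(
    r'^Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<rule>[^"]+)"')
BUILT_RE = re.compile(
    r'^Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) connection \d+ '
    r'for (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([\d.]+/\d+\) '
    r'to (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \([\d.]+/\d+\)')

# Message-id classes (first three digits) that record administrative activity
# rather than traffic: command/config changes, logins, system start/stop.
ADMIN_CLASSES = {'111': 'config-change', '605': 'login', '199': 'system'}


@dataclass
class Event:
    ts: str
    severity: int      # 0 = emergencies ... 7 = debugging
    msgid: str
    kind: str          # 'traffic', an ADMIN_CLASSES value, or 'other'
    fields: dict


def parse_line(line: str) -> Optional[Event]:
    """Parse one syslog line; return None for lines that are not PIX messages."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    sev, msgid, body = int(m['sev']), m['msgid'], m['body']
    for rx, action in ((DENY_RE, 'deny'), (BUILT_RE, 'allow')):
        t = rx.match(body)
        if t:
            f = dict(t.groupdict())
            f['action'] = action
            f['proto'] = f['proto'].lower()
            f.setdefault('rule', None)     # built-connection messages name no ACL
            return Event(m['ts'], sev, msgid, 'traffic', f)
    kind = ADMIN_CLASSES.get(msgid[:3], 'other')
    return Event(m['ts'], sev, msgid, kind, {'text': body})


def parse_log(text: str) -> list:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def admin_events(events: list) -> list:
    """The records tbird cares about most: config changes, logins, reboots."""
    return [e for e in events if e.kind in ADMIN_CLASSES.values()]


def kept_at_level(events: list, level: int) -> list:
    """Syslog semantics: a message is emitted only if its severity number is
    less than or equal to the configured level."""
    return [e for e in events if e.severity <= level]


if __name__ == '__main__':
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        print(e.ts, e.msgid, e.kind, e.fields)
    for lvl in (4, 5, 6):
        kept = kept_at_level(evs, lvl)
        print(f'level {lvl}: keep {len(kept)}/{len(evs)}, '
              f'admin records kept: {[e.kind for e in admin_events(kept)]}')
```

Running it shows the trade-off the thread is about: with the severities in this sample, a threshold of 5 (notifications) keeps the deny and the configuration change but drops both login records, while 6 (informational) keeps everything including the high-volume built-connection messages.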
Current thread:
- Appropriate PIX logging level Ravdal, Stig (Apr 07)
- Re: Appropriate PIX logging level Adrian Grigorof (Apr 09)
- RE: Appropriate PIX logging level Tina Bird (Apr 09)
- Re: Appropriate PIX logging level Tichomir Kotek (Apr 23)
- Re: Appropriate PIX logging level David Lang (Apr 26)