Firewall Wizards mailing list archives
Re: Appropriate PIX logging level
From: Tichomir Kotek <tichomir.kotek () lynx sk>
Date: Tue, 18 Apr 2006 09:51:30 +0200
Ravdal, Stig wrote:
> Hi guys,
Hi
> I'm having a discussion with some of our network engineers about the appropriate level of logging on a Cisco PIX firewall. The major complaint I get for increasing the logging level is because of lack of storage. Are there standard or best practice references that I can bring to the table?
The main disk space killers are connection built (302013, 302015) and connection teardown (302014, 302016) events (built events record connection "orientation", teardown sometimes not, but provide bytecount and length info for TCP connection teardown flags). This information is sometimes not needed, BUT do read your security policy ;)
> I'm expecting to get some variation in responses from this post. What may be helpful to me is to understand what information is being lost by going to the next lower level.
If you are not interested in logging some events, you can turn them off (no logging message <num>) or change severity (logging message <num> severity <level>).
> At a minimum I think we should be logging and analyzing: date/time, interface(s), src/dst IP, src/dst port, proto, allow/deny, rule applied (, other?). Does that seem right? What about SYN/ACK and so on?
There is a log messages guide for PIX with every event description in it.
> Based on the information I believe we should be logging, what does the logging level on a PIX have to be set to?
Personally, I will log everything.
tk
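Added example, not part of the original post or of any Cisco tooling: a short Python script that measures how much of a PIX syslog file the connection built/teardown messages (302013 to 302016) occupy, and how much traffic byte-count data exists only in the teardown events, before anyone decides to disable them. The sample lines are constructed with documentation addresses, and the function and field names are this example's own.

```python
import re
from collections import defaultdict

CONN_IDS = {"302013", "302014", "302015", "302016"}  # IDs named in the reply above
TAG = re.compile(r"%PIX-(\d)-(\d{6}):")              # %PIX-<severity>-<message id>:
XFER = re.compile(r"\bbytes (\d+)")                  # byte count in teardown events

# Constructed sample lines using documentation addresses; not from a real device.
SAMPLE = """\
Apr 18 09:00:01 fw1 %PIX-6-302013: Built outbound TCP connection 1001 for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.0.0.5/1025 (203.0.113.5/1025)
Apr 18 09:00:02 fw1 %PIX-6-302015: Built outbound UDP connection 1002 for outside:192.0.2.53/53 (192.0.2.53/53) to inside:10.0.0.5/1026 (203.0.113.5/1026)
Apr 18 09:00:02 fw1 %PIX-6-302016: Teardown UDP connection 1002 for outside:192.0.2.53/53 to inside:10.0.0.5/1026 duration 0:00:01 bytes 120
Apr 18 09:00:31 fw1 %PIX-6-302014: Teardown TCP connection 1001 for outside:192.0.2.10/80 to inside:10.0.0.5/1025 duration 0:00:30 bytes 4521 TCP FINs
Apr 18 09:00:40 fw1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.0.0.5/22 by access-group "outside_in"
Apr 18 09:00:41 fw1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/4445 dst inside:10.0.0.5/23 by access-group "outside_in"
Apr 18 09:00:45 fw1 sshd[411]: session opened
"""


def summarize(lines):
    """Tally log volume per PIX message ID and what the connection events cost."""
    per_id = defaultdict(lambda: {"severity": None, "count": 0, "bytes": 0})
    xfer = 0
    for line in lines:
        m = TAG.search(line)
        if not m:
            continue  # not a PIX message, skip it
        sev, msg_id = int(m.group(1)), m.group(2)
        entry = per_id[msg_id]
        entry["severity"] = sev
        entry["count"] += 1
        entry["bytes"] += len(line.encode()) + 1  # +1 for the newline on disk
        if msg_id in ("302014", "302016"):        # teardown events carry byte counts
            b = XFER.search(line)
            xfer += int(b.group(1)) if b else 0
    total = sum(e["bytes"] for e in per_id.values())
    conn = sum(e["bytes"] for i, e in per_id.items() if i in CONN_IDS)
    return {"per_id": dict(per_id), "total_bytes": total, "conn_bytes": conn,
            "conn_share": conn / total if total else 0.0,
            "transfer_bytes_in_teardowns": xfer}


if __name__ == "__main__":
    r = summarize(SAMPLE.splitlines())
    for msg_id, e in sorted(r["per_id"].items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"{msg_id} sev={e['severity']} count={e['count']} bytes={e['bytes']}")
    print(f"built/teardown share of log volume: {r['conn_share']:.0%}")
    print(f"traffic byte counts only in teardowns: {r['transfer_bytes_in_teardowns']}")
```

To run it against a real log, pass the open file object to summarize() in place of the sample.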