[c-nsp] Logging your Firewalls

Peter Rathlev peter at rathlev.dk
Fri Apr 8 14:16:41 EDT 2011


On Fri, 2011-04-08 at 10:01 -0700, Scott Voll wrote:
> For enterprise users, how many log ALL firewall traffic?  Both permits
> and denys?

We log everything at debugging level. Using rsyslog we put "Built",
"Teardown" and "Deny" in one file, URL logging in another, and
everything else in a third.

Permits are IMO the most important, both regarding troubleshooting and
auditing.

> What are you using to log the information?

CentOS 5 with the stock rsyslog. The configuration file is not that
complex, but not just standard syslog either. Mail me if you'd like a
copy.

The files are rotated with a home-rolled script when they reach a
specific size. The script names the files according to start and end
time, e.g.:

  firewall-debug.log.20110408-173001-20110408-190001.gz

> How far back are you keeping the data?  What is best practice?

My guess is that many places have laws regarding log retention. Even
though enterprises might be exempted from those rules, there's no harm
in following them.

For us it's "no more than necessary for operational reasons" which
translates to less than a few weeks. AFAIK we're not required to keep
them at all, but they're quite handy from an operational point of view.

-- 
Peter
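An added rsyslog fragment illustrating the three-file split described above (Built/Teardown/Deny, URL logging, everything else). This is not Peter's configuration; it assumes legacy rsyslog syntax as shipped with CentOS 5, a Cisco ASA/PIX-style firewall sending to syslog facility local4 over UDP 514, and the file paths shown, all of which are assumptions.

```conf
# Added example, not the poster's config. Assumes the firewall is set to
# "logging facility 20" (local4) and "logging trap debugging", and that
# rsyslog receives over UDP/514 (assumption).
$ModLoad imudp
$UDPServerRun 514

# Firewall logs are audit data: create files readable only by root/adm.
$FileCreateMode 0640
$FileOwner root
$FileGroup adm

# Write an RFC 3339 timestamp (includes the year), so a rotation script
# can derive the start/end time of each file from its first/last line.
$template FwLine,"%timegenerated:::date-rfc3339% %HOSTNAME% %msg%\n"

# 1. Connection audit trail: Built, Teardown and Deny in one file.
#    "& ~" discards the message after writing so it does not also land
#    in the catch-all file below (rsyslog evaluates rules top to bottom).
:msg, contains, "Built"    /var/log/firewall-conn.log;FwLine
& ~
:msg, contains, "Teardown" /var/log/firewall-conn.log;FwLine
& ~
:msg, contains, "Deny"     /var/log/firewall-conn.log;FwLine
& ~

# 2. URL logging in its own file. "Accessed URL" is the text of the
#    ASA/PIX 304001 URL message (assumption; adjust if your platform
#    logs URLs differently).
:msg, contains, "Accessed URL" /var/log/firewall-url.log;FwLine
& ~

# 3. Everything else from the firewall (debug-level included).
local4.*  /var/log/firewall-debug.log;FwLine
& ~
```

Because these property filters apply to every message rsyslog receives, put this fragment before the general rules (or guard each line with a hostname or facility filter) so that a non-firewall host logging the word "Deny" does not end up in the connection audit file.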
