[c-nsp] Logging your Firewalls
Peter Rathlev
peter at rathlev.dk
Sat Apr 9 06:17:05 EDT 2011
On Sat, 2011-04-09 at 03:18 +0000, Dobbins, Roland wrote:
> On Apr 9, 2011, at 1:16 AM, Peter Rathlev wrote:
> > We log everything at debugging level.
>
> That's a good way to drive your CPU through the roof and cause your
> firewall to fall over, heh.
With 6 years of experience using the FWSM for what we use it for
currently I beg to differ.
To be clear here: Are you saying only debugging level is wrong? Or also
informational level with all the build/teardowns? The latter is more
(way more) than 95% of our logging traffic. Are you saying one shouldn't
log even at informational level?
Keep in mind that debug level messages (level 7) won't appear unless you
enable debugging. When you do enable debugging, what do you think the
FWSM spends most CPU cycles doing: Sending the log message via UDP to a
syslog server, or sending the log message through an SSH session to my
terminal?
> It's also completely unnecessary, and creates reams of irrelevant,
> contextless data for any kind of analyzer to have to wade through.
I'd very much contest this point. Most of the logging comes in at
informational level, describing builds/teardowns. These are critical if
you perform any kind of NAT, as most enterprises (cf. OP) do. They're
also very relevant when tracing activity even without NAT. You can
compare them to Netflow data, except they're more precise and more
inefficient.
If you're only talking about debugging level, I'd disagree even more.
Saving debugging output is a good thing. Most problems aren't resolved
in a matter of minutes, and having historical data to analyze is
priceless.
--
Peter
More information about the cisco-nsp
mailing list