[c-nsp] Logging your Firewalls
Alexander Clouter
alex at digriz.org.uk
Sat Apr 9 07:46:05 EDT 2011
Peter Rathlev <peter at rathlev.dk> wrote:
>
>> For enterprise users, how many log ALL firewall traffic? Both permits
>> and denys?
>
> We log everything at debugging level. Using rsyslog we put "Built",
> "Teardown" and "Deny" in one file, URL logging in another, and
> everything else in a third.
>
We pretty much log everything, but do trim (with syslog-ng) DNS
recursive lookups from our internal resolvers as, in my opinion, it is a
pointless (and verbose) affair:
----
match(" for inside:1\.2\.[34]\.8/.* to outside:.*/53 " value(MSG) type(posix))
----
As said elsewhere, permits are important; without them, it is
impossible to deal with abuse reports. Denys tell you what traffic did
*not* exit your network, whilst the permits do.
Cheers
--
Alexander Clouter
.sigmonster says: Type louder, please.
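The two approaches described in this thread (Peter's three-way rsyslog split of "Built"/"Teardown"/"Deny", URL logging and everything else, and Alexander's syslog-ng `match()` that discards recursive DNS lookups from internal resolvers) can be prototyped offline before touching a production logger. The script below is an added illustration, not code from either poster; the sample ASA-style lines are constructed, the resolver addresses `1.2.3.8`/`1.2.4.8` are taken from the filter quoted in the post, and the bucket names are assumptions. It reuses the posted regex unchanged and counts what it drops, so you can confirm the volume saved and that nothing else is silently lost.

```python
import re
from collections import defaultdict

# The exact pattern from the post, applied to the message text (mirrors
# syslog-ng's match(... value(MSG) type(posix))). Note the leading and
# trailing spaces: they anchor on whole "for inside:... to outside:.../53"
# fields so that, for example, port 5353 does not match.
DNS_FROM_RESOLVERS = re.compile(r" for inside:1\.2\.[34]\.8/.* to outside:.*/53 ")

# Keywords that route a line into the connection-log bucket (from the thread).
CONNECTION_KEYWORDS = ("Built", "Teardown", "Deny")


def classify(line: str) -> str:
    """Return the bucket a firewall syslog line belongs to.

    Order matters: resolver DNS lines are dropped first (they are Built/
    Teardown lines too), then connection events, then URL logging, rest.
    """
    if DNS_FROM_RESOLVERS.search(line):
        return "dropped_dns"
    if any(keyword in line for keyword in CONNECTION_KEYWORDS):
        return "connections"
    if "URL" in line:
        return "urls"
    return "other"


def route(lines):
    """Group lines by bucket; returns {bucket: [lines]}."""
    buckets = defaultdict(list)
    for line in lines:
        buckets[classify(line)].append(line)
    return dict(buckets)


def bucket_counts(lines):
    """Per-bucket line counts, handy for checking how much a filter trims."""
    return {name: len(entries) for name, entries in route(lines).items()}


# Constructed sample lines in the general shape of Cisco ASA syslog
# messages; they are not real logs and not taken from the thread.
SAMPLE_LINES = [
    "%ASA-6-302013: Built outbound TCP connection 12345 for inside:10.0.0.5/51234 "
    "(10.0.0.5/51234) to outside:203.0.113.10/443 (203.0.113.10/443)",
    "%ASA-6-302015: Built outbound UDP connection 12346 for inside:1.2.3.8/40000 "
    "(1.2.3.8/40000) to outside:198.51.100.53/53 (198.51.100.53/53)",
    "%ASA-6-302016: Teardown UDP connection 12346 for inside:1.2.4.8/40001 "
    "to outside:198.51.100.53/53 duration 0:00:00 bytes 120",
    '%ASA-4-106023: Deny tcp src outside:192.0.2.7/55555 dst inside:10.0.0.9/22 '
    'by access-group "outside_in"',
    "%ASA-5-304001: 10.0.0.5 Accessed URL 203.0.113.10:http://example.test/index.html",
    "%ASA-6-302014: Teardown TCP connection 12345 for inside:10.0.0.5/51234 "
    "to outside:203.0.113.10/443 duration 0:00:10 bytes 4321 TCP FINs",
    "%ASA-6-611101: User authentication succeeded: Uname: admin",
]

if __name__ == "__main__":
    for name, entries in route(SAMPLE_LINES).items():
        print(f"== {name} ({len(entries)} lines)")
        for entry in entries:
            print("  ", entry)
```

Run it and the two resolver lookups land in `dropped_dns` while the Deny and the non-resolver Built/Teardown lines stay in `connections`; if you change the resolver addresses in the regex, `bucket_counts()` shows immediately whether the filter is over- or under-matching, which is the check worth doing before a "permit" line you need for an abuse report gets trimmed by mistake.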