[logs] firewall logging and rulesets

From: Tina Bird (tbird@precision-guesswork.com)
Date: Tue Oct 21 2003 - 17:10:39 PDT

  • Next message: Tina Bird: "Re: [logs] firewall logging and rulesets"

    in my somewhat limited experience with firewall network connection logs,
    it seems that firewalls log the result of a particular connection request
    (usually ALLOW or DENY) pretty faithfully.  they may or may not log the
    rule which caused them to take the recorded action -- that's the default
    config on some firewalls, and can be forced on some others.
    but that's really not terribly helpful, because they usually report on the
    specific rule using its position in the ruleset, or maybe using a name if
    such a thing exists in its management.  if you don't have some kind of
    independent record of what the ruleset >was< at the time that network
    connection was logged, you have no way of making sense out of the action.
    i can imagine doing something kind of ugly like pushing a new copy of the
    ruleset into the system logs every time it changes, but i figured i should
    ask -- has anyone found a more elegant way of dealing with this problem?
    in the long run, does it matter much?  that is, if i decide i need to make
    sense of a set of connections in six months or a year, do i really need to
    know what rule caused the action?
    thanks for any info -- tbird
    LogAnalysis mailing list

    This archive was generated by hypermail 2b30 : Wed Oct 22 2003 - 01:04:19 PDT