Re: [logs] firewall logging and rulesets

From: Tina Bird (tbird@precision-guesswork.com)
Date: Tue Oct 21 2003 - 22:26:17 PDT


    On Tue, 21 Oct 2003, Bill Mathews wrote:
    
    > Check Point logs the rule number (there are no rule names in CP) but since
    > the rule number changes every time you insert or delete a rule, in 6
    > months to a year it won't be very helpful.  The way I do it is to use
    > Check Point's API to document my rulebase in a text file and time/date
    > stamp it (also keep it in CVS). That way, when / if I need to review the
    > logs, I have documentation from what the rulebase looked like that day. CP
    > now has revision control built in so it's a little easier but I still like
    > the CVS for the text file. IPTables logs everything to syslog unless
    > otherwise instructed.
    >
    yeah, this is kind of what i figured -- in re having to come up with some
    sort of ad hoc system to pull stuff in.  still, better than nothing at
    all, especially if you're in an environment where you're already using CVS
    for system config tracking as well as software version control.
    
    so here's my list of events on a firewall i'd like to keep track of:
    
    Host OS messages as applicable
    Configuration changes
    Adds/deletes/changes of admin accounts
    Administrative traffic from "unexpected" locations (like the Internet)
    Connection logs (start/stop/amt of data)
    
    on FW-1, config changes from the GUI are stored in a text file called
    $FWDIR/logs/cpmgmt.aud -- which i can clearly grab and push to syslog.
    config changes from the command line are written to syslog directly.  new
    users with root privs are logged to syslog.  user deletes and changes are
    harder to track.  connection logs can be grabbed in a variety of ways and
    are easier to handle if i name them in obvious ways (and figure out a way
    to get the number-to-name mapping into the logs directly) (i don't know if
    it's possible to get fw-1 to log with rule names rather than numbers).
    
    questions to the list:
    
    1) what kinds of noteworthy firewall events have i missed?
    2) for the default logging config on <insert name of your fave firewall
    here>, which of these events get logged?  which don't?
    3) is the logging config controlled anywhere other than in
    /etc/syslog.conf?
    4) if stuff's not in syslog or equiv, where is it and how can i grab it?
    5) can you contribute sample data, with details of non-standard logging
    configs, for any of these events?
    
    i'm doing a similar bit of doc for web servers and database servers, and
    routers, and maybe desktop machines, and ...
    
    if there's one thing that RPC hell's done for me this summer, it's been to
    make me >>far<< more motivated to work on anything else ;-)
    
    tbird
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
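The rule-number problem raised in the thread (Check Point logs only the rule number, and the numbers shift whenever a rule is inserted or deleted) is what the timestamped rulebase exports are meant to solve. The following is an added example, not code from either poster: it keeps a set of date-stamped rulebase snapshots, and when annotating connection logs it resolves each rule number against the latest snapshot exported at or before that log line's timestamp. The snapshot layout (one "number<TAB>name" line per rule) and the key=value log line layout are assumed for illustration, not Check Point's own formats; the snapshots and log lines are constructed.

```python
import bisect
import re
from datetime import datetime

# Constructed rulebase snapshots (assumed layout, not Check Point's own export
# format): each snapshot is the rulebase as exported at that time, one rule per
# line as "<rule number><TAB><rule name>".
SNAPSHOTS = {
    "2003-10-01T00:00:00": "1\tallow-dns\n2\tallow-web\n3\tdrop-all\n",
    # A rule was inserted at position 2 on Oct 15, so every later number shifted.
    "2003-10-15T00:00:00": "1\tallow-dns\n2\tallow-ssh-from-mgmt\n3\tallow-web\n4\tdrop-all\n",
}

# Constructed connection log lines in an assumed key=value layout.
LOG_LINES = [
    "2003-09-20T08:00:00 fw1 rule=2 action=accept src=10.1.1.5 dst=192.0.2.10 dport=80",
    "2003-10-10T12:00:00 fw1 rule=2 action=accept src=10.1.1.5 dst=192.0.2.10 dport=80",
    "2003-10-20T12:00:00 fw1 rule=2 action=accept src=10.1.1.5 dst=192.0.2.10 dport=22",
    "2003-10-20T12:01:00 fw1 rule=9 action=drop src=198.51.100.7 dst=192.0.2.10 dport=23",
]

TS_FMT = "%Y-%m-%dT%H:%M:%S"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) rule=(?P<rule>\d+) (?P<rest>.*)$")


def parse_snapshot(text):
    """Turn one exported rulebase into {rule_number: rule_name}."""
    rules = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        number, name = line.split("\t", 1)
        rules[int(number)] = name.strip()
    return rules


def build_history(snapshots):
    """Sorted list of (export_time, {number: name}) so log times can be bisected."""
    history = []
    for stamp, text in snapshots.items():
        history.append((datetime.strptime(stamp, TS_FMT), parse_snapshot(text)))
    history.sort(key=lambda item: item[0])
    return history


def resolve_rule(history, when, rule_number):
    """Name of rule_number as the rulebase stood at 'when', or None.

    Uses the latest snapshot exported at or before the log time. A log line
    older than the first snapshot, or a number absent from that snapshot,
    cannot be resolved and yields None rather than a guess.
    """
    times = [t for t, _ in history]
    idx = bisect.bisect_right(times, when) - 1
    if idx < 0:
        return None
    return history[idx][1].get(rule_number)


def annotate(log_lines, snapshots=SNAPSHOTS):
    """Append rule_name=<name|UNKNOWN|UNPARSED> to each log line."""
    history = build_history(snapshots)
    out = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            out.append(line + " rule_name=UNPARSED")
            continue
        when = datetime.strptime(m.group("ts"), TS_FMT)
        name = resolve_rule(history, when, int(m.group("rule")))
        out.append(line + " rule_name=" + (name if name else "UNKNOWN"))
    return out


if __name__ == "__main__":
    for line in annotate(LOG_LINES):
        print(line)
```

The point of the bisect is that the same rule number maps to different names on either side of an export: rule 2 is "allow-web" on Oct 10 and "allow-ssh-from-mgmt" on Oct 20. Lines older than the earliest snapshot are marked UNKNOWN rather than resolved against a later rulebase, since that would silently mislabel them; exporting a fresh snapshot on every rulebase push (and keeping it in CVS, as the thread suggests) is what keeps that window small.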
    