On Tue, 21 Oct 2003, Bill Mathews wrote:

> Check Point logs the rule number (there are no rule names in CP) but the
> rule number changes every time you insert or delete a rule, so 6 months to
> a year later it won't be very helpful. The way I do it is to use Check
> Point's API to document my rulebase in a text file and time/date stamp it
> (also keep it in CVS). That way, when / if I need to review the logs, I
> have documentation of what the rulebase looked like that day. CP now has
> revision control built in so it's a little easier but I still like the CVS
> for the text file. IPTables logs everything to syslog unless otherwise
> instructed.

yeah, this is kind of what i figured -- in re having to come up with some
sort of ad hoc system to pull stuff in. still, better than nothing at all,
especially if you're in an environment where you're already using CVS for
system config tracking as well as software version control.

so here's my list of events on a firewall i'd like to keep track of:

  Host OS messages as applicable
  Configuration changes
  Adds/deletes/changes of admin accounts
  Administrative traffic from "unexpected" locations (like the Internet)
  Connection logs (start/stop/amt of data)

on FW-1, config changes from the GUI are stored in a text file called
$FWDIR/logs/cpmgmt.aud -- which i can clearly grab and push to syslog.
config changes from the command line are written to syslog directly. new
users with root privs are logged to syslog. user deletes and changes are
harder to track. connection logs can be grabbed in a variety of ways and
are easier to handle if i name them in obvious ways (and figure out a way
to get the number-to-name mapping into the logs directly) (i don't know if
it's possible to get fw-1 to log with rule names rather than numbers).

questions to the list:

1) what kinds of noteworthy firewall events have i missed?
2) for the default logging config on <insert name of your fave firewall
   here>, which of these events get logged? which don't?
3) is the logging config controlled anywhere other than in /etc/syslog.conf?
4) if stuff's not in syslog or equiv, where is it and how can i grab it?
5) can you contribute sample data, with details of non-standard logging
   configs, for any of these events?

i'm doing a similar bit of doc for web servers and database servers, and
routers, and maybe desktop machines, and ... if there's one thing that RPC
hell's done for me this summer, it's been to make me >>far<< more motivated
to work on anything else ;-)

tbird
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
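Added example (not part of the thread, and not Check Point's or anyone's tooling): the number-to-name mapping problem Bill and tbird describe, worked through in Python. Dated rulebase dumps (stand-ins for the API-generated text files kept in CVS) are indexed by date, and each log line is enriched with the rule name that was in effect on the day it was logged, so a rule number that shifted after an insert still resolves correctly. The snapshot format (`number<TAB>name`), the simplified log-line format, the dates, addresses and rule names are all constructed for this illustration.

```python
"""
Enrich firewall log lines that carry only a rule *number* with the rule
*name* that was in effect on the day the line was logged, using dated
rulebase snapshots kept alongside the logs.

Everything below is a constructed illustration: the snapshot format and
the log-line format are hypothetical stand-ins, not Check Point's output.
"""
import bisect
import re
from datetime import date

# Constructed rulebase snapshots: one dump per day the rulebase changed,
# in the shape "number<TAB>name" (a stand-in for an API dump checked into CVS).
SNAPSHOTS = {
    date(2003, 10, 1): "1\tallow-dns-out\n2\tallow-web-out\n3\tdrop-all\n",
    # On Oct 15 a rule was inserted at position 2, so "drop-all" became rule 4
    # and "allow-web-out" became rule 3: the numbers in older logs now lie.
    date(2003, 10, 15): "1\tallow-dns-out\n2\tallow-smtp-out\n"
                        "3\tallow-web-out\n4\tdrop-all\n",
}

# Constructed, simplified log lines: "<ISO date> <time> ... rule <n>".
LOG_LINES = [
    "2003-10-10 09:12:01 fw1 accept src=10.1.1.5 dst=192.0.2.10 service=http rule 2",
    "2003-10-10 09:12:07 fw1 drop src=10.1.1.9 dst=192.0.2.11 service=telnet rule 3",
    "2003-10-20 14:05:33 fw1 accept src=10.1.1.5 dst=192.0.2.10 service=http rule 3",
    "2003-10-20 14:05:40 fw1 drop src=10.1.1.9 dst=192.0.2.11 service=telnet rule 4",
    "2003-10-20 14:05:41 fw1 drop src=10.1.1.9 dst=192.0.2.11 service=telnet rule 9",
]

_RULE_RE = re.compile(r"\brule (\d+)\b")


def parse_snapshot(text):
    """Turn a 'number<TAB>name' dump into {number: name}."""
    mapping = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        number, name = line.split("\t", 1)
        mapping[int(number)] = name.strip()
    return mapping


def build_index(snapshots):
    """Return (sorted snapshot dates, parsed mapping per date) for lookup."""
    dates = sorted(snapshots)
    return dates, [parse_snapshot(snapshots[d]) for d in dates]


def snapshot_for(day, dates, mappings):
    """Newest snapshot taken on or before `day`, or None if none exists yet."""
    i = bisect.bisect_right(dates, day)
    return mappings[i - 1] if i else None


def enrich(line, dates, mappings):
    """Append rule_name=<name> to a log line; 'unknown' if it cannot be resolved."""
    match = _RULE_RE.search(line)
    if match is None:
        return line  # no rule number on this line; leave it untouched
    day = date.fromisoformat(line[:10])
    mapping = snapshot_for(day, dates, mappings) or {}
    name = mapping.get(int(match.group(1)), "unknown")
    return f"{line} rule_name={name}"


def enrich_all(lines, snapshots=SNAPSHOTS):
    """Enrich every line against the given snapshots (defaults to the sample set)."""
    dates, mappings = build_index(snapshots)
    return [enrich(line, dates, mappings) for line in lines]


if __name__ == "__main__":
    for out in enrich_all(LOG_LINES):
        print(out)
```

Note that "rule 3" on Oct 10 resolves to drop-all while "rule 3" on Oct 20 resolves to allow-web-out; without the dated snapshot both would look like the same rule. A number the snapshot does not know (rule 9 above) is tagged unknown rather than guessed, which is itself worth alerting on since it usually means a snapshot is missing for that period.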
This archive was generated by hypermail 2b30 : Wed Oct 22 2003 - 01:54:14 PDT