It's not possible that I know of to get fw-1 to log with names, or even give a rule a name. I think you're covered with what you described; that's the data I always log with.

--
Bill Mathews
Open Source Software Advocate
billford@private

The wise and noble Tina Bird spiteth forth upon the land, these thoughts:

> On Tue, 21 Oct 2003, Bill Mathews wrote:
>
>> Check Point logs the rule number (there are no rule names in CP), but
>> since the rule number changes every time you insert or delete a rule,
>> in 6 months to a year it won't be very helpful. The way I do it is to use
>> Check Point's API to document my rulebase in a text file and time/date
>> stamp it (also keep it in CVS). That way, when/if I need to review the
>> logs, I have documentation of what the rulebase looked like that day. CP
>> now has revision control built in so it's a little easier, but I still
>> like the CVS for the text file. IPTables logs everything to syslog unless
>> otherwise instructed.
>
> yeah, this is kind of what i figured -- in re having to come up with some
> sort of ad hoc system to pull stuff in. still, better than nothing at
> all, especially if you're in an environment where you're already using CVS
> for system config tracking as well as software version control.
>
> so here's my list of events on a firewall i'd like to keep track of:
>
> Host OS messages as applicable
> Configuration changes
> Adds/deletes/changes of admin accounts
> Administrative traffic from "unexpected" locations (like the Internet)
> Connection logs (start/stop/amt of data)
>
> on FW-1, config changes from the GUI are stored in a text file called
> $FWDIR/logs/cpmgmt.aud -- which i can clearly grab and push to syslog.
> config changes from the command line are written to syslog directly. new
> users with root privs are logged to syslog. user deletes and changes are
> harder to track. connection logs can be grabbed in a variety of ways and
> are easier to handle if i name them in obvious ways (and figure out a way
> to get the number-to-name mapping into the logs directly) (i don't know if
> it's possible to get fw-1 to log with rule names rather than numbers).
>
> questions to the list:
>
> 1) what kinds of noteworthy firewall events have i missed?
> 2) for the default logging config on <insert name of your fave firewall
> here>, which of these events get logged? which don't?
> 3) is the logging config controlled anywhere other than in
> /etc/syslog.conf?
> 4) if stuff's not in syslog or equiv, where is it and how can i grab it?
> 5) can you contribute sample data, with details of non-standard logging
> configs, for any of these events?
>
> i'm doing a similar bit of doc for web servers and database servers, and
> routers, and maybe desktop machines, and ...
>
> if there's one thing that RPC hell's done for me this summer, it's been to
> make me >>far<< more motivated to work on anything else ;-)
>
> tbird
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
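The dated-rulebase bookkeeping Bill describes in the quoted message (dump the rulebase to a timestamped text file whenever it changes, keep the files under version control, and later read a log's rule number against the snapshot that was current on that date) as an added worked example. This is not code from the thread, from Check Point's API, or from FW-1; the snapshot file layout, the log line format, the sample rulebases and the sample log lines are all constructed for illustration, and the lookup is plain Python with no firewall dependency.

```python
"""Resolve rule numbers in firewall logs against dated rulebase snapshots.

Added example, not from the thread or from Check Point. The snapshot file
format and the log line format are hypothetical; the technique is what
matters: keep a timestamped text dump of the rulebase for every change and
look up a log line's rule number in the dump that was in effect at that time.
"""
import bisect
import re
from datetime import datetime

HEADER = "# rulebase snapshot taken "


def dump_rulebase(taken_at, rules):
    """Render a rulebase as the dated text file that would be committed to CVS.

    rules: list of (number, action, src, dst, service) tuples in rule order.
    """
    lines = [HEADER + taken_at.isoformat()]
    for num, action, src, dst, svc in rules:
        lines.append("\t".join([str(num), action, src, dst, svc]))
    return "\n".join(lines) + "\n"


def load_rulebase(text):
    """Parse a snapshot file into (taken_at, {number: (action, src, dst, svc)})."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith(HEADER):
        raise ValueError("not a rulebase snapshot")
    taken_at = datetime.fromisoformat(lines[0][len(HEADER):])
    rules = {}
    for line in lines[1:]:
        num, action, src, dst, svc = line.split("\t")
        rules[int(num)] = (action, src, dst, svc)
    return taken_at, rules


# Hypothetical log line shape: "<ISO timestamp> <action> rule=<n> ..."
LOG_RE = re.compile(r"^(\S+) (\w+) rule=(\d+)")


class RulebaseHistory:
    """All snapshots ordered by time, with lookup by log timestamp."""

    def __init__(self, snapshot_texts):
        parsed = sorted((load_rulebase(t) for t in snapshot_texts),
                        key=lambda tr: tr[0])
        self.times = [t for t, _ in parsed]
        self.rules = [r for _, r in parsed]

    def rules_at(self, when):
        """Rulebase in effect at `when`, or None if it predates every snapshot."""
        i = bisect.bisect_right(self.times, when) - 1
        return self.rules[i] if i >= 0 else None

    def resolve(self, log_line):
        """Map a log line's rule number to the rule it meant on that date.

        Returns (action, src, dst, svc), or None if the line does not parse,
        no snapshot covers its timestamp, or the number is absent there.
        """
        m = LOG_RE.match(log_line)
        if not m:
            return None
        rules = self.rules_at(datetime.fromisoformat(m.group(1)))
        if rules is None:
            return None
        return rules.get(int(m.group(3)))


# Constructed sample snapshots (not from the thread). Between the two, an ssh
# rule was inserted at position 2, so "rule=2" means different things before
# and after 2003-07-15: exactly the drift the thread is worried about.
SNAPSHOT_TEXTS = [
    dump_rulebase(datetime(2003, 4, 1, 9, 0), [
        (1, "accept", "any", "dmz-web", "http"),
        (2, "accept", "internal", "any", "dns"),
        (3, "drop", "any", "any", "any"),
    ]),
    dump_rulebase(datetime(2003, 7, 15, 14, 30), [
        (1, "accept", "any", "dmz-web", "http"),
        (2, "accept", "mgmt-net", "fw-1", "ssh"),
        (3, "accept", "internal", "any", "dns"),
        (4, "drop", "any", "any", "any"),
    ]),
]

# Constructed, simplified log lines; not the real FW-1 log format.
SAMPLE_LOG = [
    "2003-05-02T10:15:00 accept rule=2 src=10.0.0.5 dst=192.0.2.53 service=dns",
    "2003-08-01T03:00:00 accept rule=2 src=203.0.113.9 dst=192.0.2.1 service=ssh",
    "2003-03-01T00:00:00 accept rule=1 src=198.51.100.7 dst=192.0.2.80 service=http",
]

HISTORY = RulebaseHistory(SNAPSHOT_TEXTS)

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        ts, _, rule = line.split()[:3]
        print(ts, rule, "->", HISTORY.resolve(line))
```

The third sample line predates every snapshot and resolves to None rather than to a guess; that is the case to watch for when the snapshot habit started after the firewall went live. A snapshot taken at the moment of each change (and committed with its timestamp) is what makes `bisect_right` pick the right one at the boundary.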
This archive was generated by hypermail 2b30 : Wed Oct 22 2003 - 13:46:54 PDT