Re: [logs] firewall logging and rulesets

From: Bill Mathews (billford@private)
Date: Wed Oct 22 2003 - 13:41:35 PDT


    It's not possible, that I know of, to get fw-1 to log with names, or even
    give a rule a name. I think you're covered with what you described; that's
    the data I always log with.
    Bill Mathews
    Open Source Software Advocate
    The wise and noble Tina Bird spiteth forth upon the land, these thoughts:
    > On Tue, 21 Oct 2003, Bill Mathews wrote:
    >> Check Point logs the rule number (there are no rule names in CP), but
    >> since the rule number changes every time you insert or delete a rule, in
    >> 6 months to a year it won't be very helpful.  The way I do it is to use
    >> Check Point's API to document my rulebase in a text file and time/date
    >> stamp it (also keep it in CVS). That way, when / if I need to review the
    >> logs, I have documentation of what the rulebase looked like that day. CP
    >> now has revision control built in so it's a little easier, but I still
    >> like the CVS for the text file. IPTables logs everything to syslog unless
    >> otherwise instructed.
    > yeah, this is kind of what i figured -- in re having to come up with some
    > sort of ad hoc system to pull stuff in.  still, better than nothing at
    > all, especially if you're in an environment where you're already using CVS
    > for system config tracking as well as software version control.
    > so here's my list of events on a firewall i'd like to keep track of:
    > Host OS messages as applicable
    > Configuration changes
    > Adds/deletes/changes of admin accounts
    > Administrative traffic from *unexpected* locations (like the Internet)
    > Connection logs (start/stop/amt of data)
    > on FW-1, config changes from the GUI are stored in a text file called
    > $FWDIR/logs/cpmgmt.aud -- which i can clearly grab and push to syslog.
    > config changes from the command line are written to syslog directly.  new
    > users with root privs are logged to syslog.  user deletes and changes are
    > harder to track.  connection logs can be grabbed in a variety of ways and
    > are easier to handle if i name them in obvious ways (and figure out a way
    > to get the number-to-name mapping into the logs directly) (i don't know if
    > it's possible to get fw-1 to log with rule names rather than numbers).
    > questions to the list:
    > 1) what kinds of noteworthy firewall events have i missed?
    > 2) for the default logging config on <insert name of your fave firewall
    > here>, which of these events get logged?  which don't?
    > 3) is the logging config controlled anywhere other than in
    > /etc/syslog.conf?
    > 4) if stuff's not in syslog or equiv, where is it and how can i grab it?
    > 5) can you contribute sample data, with details of non-standard logging
    > configs, for any of these events?
    > i'm doing a similar bit of doc for web servers and database servers, and
    > routers, and maybe desktop machines, and ...
    > if there's one thing that RPC hell's done for me this summer, it's been to
    > make me >>far<< more motivated to work on anything else ;-)
    > tbird
    > _______________________________________________
    > LogAnalysis mailing list
    > LogAnalysis@private
    LogAnalysis mailing list
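The workaround quoted above (a dated text dump of the rulebase, kept under version control, that you consult when reading old logs) as an added example; this is not code from the thread or from Check Point, the snapshot contents and log lines are constructed, and the log lines use a generic key=value syslog style rather than any vendor's format.

```python
from datetime import date
import re

# Constructed rulebase snapshots keyed by the day the ruleset changed (stand-ins
# for the time-stamped text dumps kept in CVS). One rule per line: <number> <name> <comment>
SNAPSHOTS = {
    date(2003, 4, 1): """\
1 allow-dns  LAN to DNS servers, udp/53
2 allow-web  LAN to any, tcp/80 tcp/443
3 drop-all   cleanup rule
""",
    # June: a VPN rule inserted at position 2 shifts every rule below it.
    date(2003, 6, 15): """\
1 allow-dns  LAN to DNS servers, udp/53
2 allow-vpn  Internet to VPN gateway, udp/500
3 allow-web  LAN to any, tcp/80 tcp/443
4 drop-all   cleanup rule
""",
}

# Constructed log lines in a generic key=value syslog style (not a vendor format).
LOGS = [
    "2003-05-02T09:15:02 fw1 action=drop rule=3 src=10.1.1.5 dst=203.0.113.9",
    "2003-07-20T22:41:10 fw1 action=accept rule=3 src=10.1.1.7 dst=198.51.100.3",
]

LINE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T\S+ \S+ .*\brule=(\d+)\b")

def parse_snapshot(text):
    """Map rule number -> rule name for one snapshot dump."""
    rules = {}
    for line in text.splitlines():
        num, name, _comment = line.split(None, 2)
        rules[int(num)] = name
    return rules

def snapshot_for(day, snapshots=SNAPSHOTS):
    """Newest snapshot taken on or before the log line's date."""
    taken = [d for d in snapshots if d <= day]
    if not taken:
        raise LookupError(f"no rulebase snapshot on or before {day}")
    return parse_snapshot(snapshots[max(taken)])

def resolve(log_line, snapshots=SNAPSHOTS):
    """(date, rule number, rule name) per the rulebase in force on that day."""
    m = LINE_RE.match(log_line)
    if not m:
        raise ValueError(f"unrecognised log line: {log_line!r}")
    y, mo, d, rule = (int(x) for x in m.groups())
    day = date(y, mo, d)
    return day, rule, snapshot_for(day, snapshots).get(rule, "<unknown rule>")
```

The two sample lines both say `rule=3`, but resolving each against the snapshot current on its own date shows the May line hit the cleanup rule while the July line hit the web rule; reading both against today's numbering would misattribute the earlier one.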

    This archive was generated by hypermail 2b30 : Wed Oct 22 2003 - 13:46:54 PDT