Re: [logs] firewall logging and rulesets

From: Tina Bird (tbird@precision-guesswork.com)
Date: Wed Oct 22 2003 - 19:05:43 PDT


    On Wed, 22 Oct 2003, Brian Ford wrote:
    
    > One thing we (big Cisco we) did is to change the level of any log
    > message.  So with this you can push all the messages that you really care
    > about down to log level 0 (which historically we at Cisco do not use).  Do
    > you view this as valuable?  The reason I ask is that I sometimes get push
    > back about putting too much capability into the Firewall device.  I just
    > look at that as local aggregation which is a generally good thing most of
    > the time (unless you are doing forensics and need to see it all).
    >
    i've not administered a PIX environment, but yes, i certainly think this
    is a great feature.  the point i'm making in the latest revision of my
    tutorial notes is that the most efficient way to start log monitoring is
    to be very explicit about the messages you want to see, and then be sure
    that you see them.  this philosophy encourages a sort of a
    "pre-processing" model, at least insofar as in some cases you'll have to
    do some extra work to catch events that aren't logged by default.
    
    brian, any chance you will be able to answer the questions about firewall
    logging that i posted uh, yesterday, for PIXen?
    
    > The other thing we did is to allow the suppression of messages based on the
    > ID.  So if you don't like the "Built Dynamic Translation" message you can
    > make it so your PIX never emits that message again.  And when I say never I
    > mean until you take that line out of the configuration.  But it does
    > suppress that message ID.  It doesn't care about any of the data in the
    > message (some have said it would have been interesting to try and make it
    > smart enough to tell the difference between inbound and outbound).  Again,
    > that's at the PIX in an individual device's configuration.
    >
    and again, very useful.  anything a vendor or developer can do to allow me
    to tune my logging config is a very good thing.
    
    tho' it does raise the question -- what does the default logging
    configuration provide?  one of the helpful things microsoft's doc provides
    WRT logging is a mapping between configuration options in the audit policy
    and the exact message IDs that are enabled by a specific policy.  cisco's
    doc is pretty fab -- do you guys have anything like that?
    
    > In reading your message am I hearing that you would like to see (and use) a
    > Syslog viewer that can interpret what it is reading?  What if I could
    > interpret the message for you (if you tell me the PIX OS version) when you
    > click on it.
    >
    keeping the message IDs constant across versions of the operating systems
    is a >>huge<< win, obviously.
    
    > Interesting (at least to me) that nobody's Syslog draft picked up on any of
    > this.
    
    *grump*
    
    that's because drafts deal with how to transport the data and not what
    kind of information you might want to collect, and how you might want to
    deal with variations between networking environments :-(
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
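    An added example, not part of the original message or of any Cisco code: a
    small collector-side "pre-processing" filter that applies the two knobs Brian
    describes (re-levelling a message ID, suppressing a message ID) and Tina's
    rule of naming the messages you want and then checking that they actually
    arrive.  The log lines are constructed for the example; the message IDs are
    real PIX IDs but the hosts, ports and connection numbers are made up, and
    the WANTED/RELEVEL/SUPPRESS policies are assumptions, not anyone's
    recommended configuration.

```python
"""Collector-side pre-processing for Cisco PIX syslog (added example).

Mirrors on the collector what a PIX can do locally:
  - "logging message <id> level 0"   -> RELEVEL
  - "no logging message <id>"        -> SUPPRESS
and adds the check Tina argues for: an explicit list of message IDs that
must be seen, so a firewall that goes quiet is reported rather than ignored.
"""
import re
from collections import Counter

# PIX syslog shape: %PIX-<severity>-<six-digit message id>: <text>
PIX_RE = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)")

# Message IDs we explicitly want to see in every batch (assumed policy).
WANTED = {
    "106023",  # Deny ... by access-group
    "111008",  # User executed the '...' command (config changes)
    "605005",  # Login permitted
}

# Collector-side equivalents of the device knobs (assumed policy).
RELEVEL = {"106023": 0, "111008": 0}   # push to level 0, which Cisco leaves unused
SUPPRESS = {"305011", "302013", "302014"}  # dynamic translation / TCP conn build+teardown

# Constructed sample lines; hosts, ports and connection numbers are made up.
SAMPLE = [
    "Oct 22 19:05:43 pix1 %PIX-6-305011: Built dynamic TCP translation from "
    "inside:10.1.1.5/1045 to outside:192.0.2.10/1045",
    "Oct 22 19:05:43 pix1 %PIX-6-302013: Built outbound TCP connection 12345 for "
    "outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.1.1.5/1045 (192.0.2.10/1045)",
    'Oct 22 19:05:44 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.9/4444 '
    'dst inside:10.1.1.20/135 by access-group "outside_in"',
    "Oct 22 19:05:45 pix1 %PIX-5-111008: User 'enable_15' executed the "
    "'no logging message 305011' command.",
]


def parse(line):
    """Return {'sev', 'id', 'text'} for a PIX line, or None if it isn't one."""
    m = PIX_RE.search(line)
    if not m:
        return None
    return {"sev": int(m.group("sev")), "id": m.group("id"), "text": m.group("text")}


def preprocess(lines):
    """Apply SUPPRESS and RELEVEL; return (kept records, Counter of every ID seen).

    The counter is built before suppression so that 'did we see it at all'
    questions can still be answered for IDs we chose not to keep.
    """
    kept, seen = [], Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        seen[rec["id"]] += 1
        if rec["id"] in SUPPRESS:
            continue
        rec["sev"] = RELEVEL.get(rec["id"], rec["sev"])
        kept.append(rec)
    return kept, seen


def missing(seen):
    """IDs from WANTED that never appeared; a non-empty list is itself an alert."""
    return sorted(WANTED - set(seen))


if __name__ == "__main__":
    kept, seen = preprocess(SAMPLE)
    for rec in kept:
        print(f"level {rec['sev']} id {rec['id']}: {rec['text']}")
    print("wanted but not seen:", missing(seen))
```

    The suppression list is applied on the ID alone, exactly as Brian says the
    PIX does; a collector that wanted to keep inbound builds while dropping
    outbound ones would have to look at the text, which is the "smart enough to
    tell the difference" step the device does not do.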
    
    This archive was generated by hypermail 2b30 : Wed Oct 22 2003 - 19:08:15 PDT