RE: [fw-wiz] Syslog set up
From: Bob Wanamaker - Avant Systems, Inc. (rlw_at_avantsystems.com)
To: <firstname.lastname@example.org> Date: Wed, 23 Jul 2003 12:15:28 -0400
IMO, depends on what you're doing with the PIX and what you can digest. I
have one client configuration with a 515 at the hub, serving as firewall and
VPN terminus; about 30 506's connect branches to the hub location via
tunnels; a handful of users connect via VPN clients and RADIUS
authentication. All branch traffic is tunnelled, i.e., there is no access
permitted to outside address from the branch locations. An application
level WWW proxy server and an SMTP server on the internal hub network are
the only IPs permitted to establish conversations with the outside world,
and then only on the required ports.
All syslogging is done to the hub. 515 is set to level warning; 506's are
set to level warning. At this level, the logs are somewhat manageable; I
log to a SQL database, and have some simple queries to give me the view I
want. It tends to be a bit cumbersome at times, b/c any client [out of 500
or so] which attempts to connect to an outside IP gets logged - but that's
really a good thing, b/c I quickly see which workstations are potentially
compromised. Events are simultaneously logged to a text file for archive
purposes, and those file sizes are in the 10Mb range daily. I run through
my SQL queries at least 4 times a week.
I really think it becomes a function of what you can digest - if you're
going to log, you should read your logs, otherwise there's no point. Be
prepared to have some tools to make it through the logs. Reading the plain
text is pretty painful and never yields a good look at the data, at least
The only time this changes is when implementing a change, then I'll set to
level debug as needed.
Sent: Thursday, July 17, 2003 5:32 PM
Subject: [fw-wiz] Syslog set up
I am looking for a document or suggestions on setting up what events to log
on a Cisco PIX. I am not concerned about following our security policy yet
I just need a 'Best Practice" type of document to get started from.
Thanks for your input.
firewall-wizards mailing list