Community:Firewall logging recommendations

From Splunk Wiki


CAUTION: This article is a work in progress

Depending on the use-case you are implementing, different logging needs to be enabled:

Ideally you want to turn on full logging, so that you understand exactly what is happening in your environment. A myth around firewall logging is that logging permitted connections is not very useful. On the contrary: if you know which connections have been permitted, you can find misconfigurations, track down abuse, investigate security attacks where the firewall was configured to pass the traffic, and so on.

| Use-case | Messages | Known issues |
|---|---|---|
| Who connected to my servers? | passes | |
| Customer complains about not being able to access a Web site | passes going to the outside, or blocks | If you only log blocks you see what was blocked, but you cannot say for sure that there was no other problem |
| Who made a configuration change? | rule updates / ACL updates | |
| Who is knocking on my doors? | blocks | |
| Do we see any known "bad" sources trying to get in? | blocks, plus a list of "bad" IP addresses | |
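The use-cases in the table above, worked through over sample log lines. This is an added example, not code from the page or from Splunk: the key=value log format, the sample events, the "bad" address list and all function names are constructed for illustration and do not correspond to any particular firewall vendor's syslog format.

```python
import re
from collections import Counter

# Constructed sample log lines (hypothetical key=value firewall format, not a vendor format).
# Each line is one connection decision, plus one configuration-change event at the end.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z action=pass src=10.1.1.5 dst=10.2.0.10 dport=443 rule=allow-web
2024-05-01T10:00:02Z action=pass src=10.1.1.7 dst=10.2.0.10 dport=443 rule=allow-web
2024-05-01T10:00:03Z action=block src=203.0.113.9 dst=10.2.0.10 dport=22 rule=default-deny
2024-05-01T10:00:04Z action=block src=203.0.113.9 dst=10.2.0.11 dport=22 rule=default-deny
2024-05-01T10:00:05Z action=pass src=10.1.1.5 dst=198.51.100.20 dport=80 rule=allow-outbound
2024-05-01T10:00:06Z action=block src=10.1.1.9 dst=198.51.100.20 dport=80 rule=deny-guest
2024-05-01T10:00:07Z action=block src=198.51.100.77 dst=10.2.0.10 dport=3389 rule=default-deny
2024-05-01T10:00:08Z action=config user=alice msg="rule allow-web updated"
"""

# Constructed "bad" source list for the last use-case (documentation-range addresses).
KNOWN_BAD = {"203.0.113.9"}

# key=value pairs; a value is either a double-quoted string or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Turn raw log text into a list of dicts: the timestamp plus every key=value field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = {"ts": ts}
        for key, value in KV_RE.findall(rest):
            ev[key] = value.strip('"')
        events.append(ev)
    return events


def who_connected(events, server):
    """'Who connected to my servers?' needs the passes: sources permitted to reach a server."""
    return sorted({e["src"] for e in events if e.get("action") == "pass" and e.get("dst") == server})


def decisions_for(events, src, dst):
    """'Customer cannot reach a Web site': show every pass or block for that client/destination pair.
    Logging passes as well as blocks is what lets you say the firewall was not the problem."""
    return [(e["ts"], e["action"], e.get("rule")) for e in events
            if e.get("src") == src and e.get("dst") == dst]


def config_changes(events):
    """'Who made a configuration change?' needs the rule/ACL update messages."""
    return [(e["ts"], e.get("user"), e.get("msg")) for e in events if e.get("action") == "config"]


def knocking(events):
    """'Who is knocking on my doors?' counts blocked connections per source."""
    return Counter(e["src"] for e in events if e.get("action") == "block")


def known_bad_hits(events, bad_sources):
    """'Do we see known bad sources?' joins the blocks against the bad-address list."""
    return [e for e in events if e.get("action") == "block" and e.get("src") in bad_sources]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    print("connected to 10.2.0.10:", who_connected(evs, "10.2.0.10"))
    print("10.1.1.9 -> 198.51.100.20:", decisions_for(evs, "10.1.1.9", "198.51.100.20"))
    print("config changes:", config_changes(evs))
    print("top knockers:", knocking(evs).most_common(3))
    print("known bad hits:", [(e["ts"], e["src"], e["dport"]) for e in known_bad_hits(evs, KNOWN_BAD)])
```

Note how `decisions_for` only answers the customer-complaint question convincingly because pass events are logged too: with blocks alone, an empty result would be ambiguous between "the firewall permitted it" and "the traffic never reached the firewall".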

Known issues

  1. bandwidth: the more messages or event types that are enabled on the firewall, the more data is sent.
  2. storage: the more events are generated, the more is logged, and the more storage is needed to capture them.
  3. load on the box: the more event types are enabled (and the more rules/ACLs are logging data), the more load is put on the firewall.
  4. firewall capabilities (can it log that?): some types of messages cannot be generated on some firewalls. For example, password changes on a firewall are not always something you can log.