Community:Firewall logging recommendations
From Splunk Wiki
CAUTION: This article is work in progress
Depending on the use-case you are implementing, different logging needs to be enabled:
Ideally you want to turn on full logging so that you understand exactly what is happening in your environment. A common myth about firewall logging is that logging permitted connections is not very useful. On the contrary: if you know which connections were permitted, you can find misconfigurations, track down abuse, investigate security attacks where the firewall was configured to pass the traffic, and so on.
| Use-case | Log events needed |
| --- | --- |
| Who connected to my servers? | passes |
| Customer complains about not being able to access a Web site | passes going to the outside, or blocks (if you only want to see what is blocked, but then you cannot say for sure that there was no other problem) |
| Who made a configuration change? | rule updates / ACL updates |
| Who is knocking on my doors? | blocks |
| Do we see any known "bad" sources trying to get in? | blocks and a list of "bad" IP addresses |
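To make the table concrete, here is an added example (not part of the original wiki page) that answers each use-case from a handful of constructed firewall events. The `action=... src=... dest=...` key=value format, the field names, and the sample addresses are all assumptions; real firewalls use their own formats. The last function also shows why the "permits are useless" myth fails: with only blocks logged, "who connected to my servers" cannot be answered at all.

```python
import re
from collections import Counter

# Constructed sample events in an assumed key=value format (not a real vendor format).
SAMPLE_LOG = """\
2024-05-01T10:00:01 action=allow src=10.1.1.5 dest=192.0.2.10 dport=443
2024-05-01T10:00:02 action=allow src=10.1.1.7 dest=192.0.2.10 dport=443
2024-05-01T10:00:03 action=deny src=198.51.100.9 dest=192.0.2.10 dport=22
2024-05-01T10:00:04 action=deny src=198.51.100.9 dest=192.0.2.10 dport=3389
2024-05-01T10:00:05 action=deny src=203.0.113.4 dest=192.0.2.11 dport=22
2024-05-01T10:00:06 action=config user=alice change="acl 101 permit tcp any any eq 80"
"""

# key=value pairs; values may be quoted when they contain spaces
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(log_text):
    """Turn each line into a dict of fields, with the timestamp under 'ts'."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = {"ts": ts}
        for key, value in KV.findall(rest):
            ev[key] = value.strip('"')
        events.append(ev)
    return events

def who_connected(events, server):
    """'Who connected to my servers?' -- needs permit (pass) logging."""
    return sorted({e["src"] for e in events
                   if e.get("action") == "allow" and e.get("dest") == server})

def who_is_knocking(events):
    """'Who is knocking on my doors?' -- needs block logging; source -> denied attempts."""
    return Counter(e["src"] for e in events if e.get("action") == "deny")

def known_bad_sources(events, bad_ips):
    """'Known bad sources trying to get in?' -- blocks joined with a bad-IP list."""
    return sorted({e["src"] for e in events
                   if e.get("action") == "deny" and e["src"] in bad_ips})

def config_changes(events):
    """'Who made a configuration change?' -- needs rule/ACL update logging."""
    return [(e["user"], e["change"]) for e in events if e.get("action") == "config"]

def blocks_only(events):
    """Simulate a firewall configured to log denies only: permits are simply absent."""
    return [e for e in events if e.get("action") != "allow"]
```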
Turning on more logging also has costs to weigh:
- bandwidth: the more messages or event types that are enabled on the firewall, the more data is sent.
- storage: the more events are generated, the more is logged, and the more storage is needed to capture them.
- load on the box: the more events are enabled (and the more rules/ACLs are logging data), the more load is put on the firewall.
- firewall capabilities (can it do that?): some types of messages cannot be generated on some firewalls. For example, password changes to a firewall are not always something you can log.