Firewall Reporting

Hi mom et al,

I wanna get some info on syslog practices and reporting from you cats.

1) Does anyone use syslog from your firewalls?
2) If so, what are you doing with the data?
3) Are you generating reports or using the raw data?
4) If reports are created, what are you using?
5) If you aren't creating reports, how is the data useful to you and why maintain it?
6) Do you and/or your customers care about what is traversing the firewall?
7) This space for rent.

-Flippy the Knut

Munpe Q

Ya know, I was really hoping I'd get a vague response, and look, you fulfilled my dreams.

Munpe Q

Any serious firewalling requires logging and log analysis.

Look at the data, analyze them.

Both.

The tools vary depending on log format, type of firewall, customer/project etc.

To look for special events.

Depends on the customer.

Wolfgang

Wolfgang Kueter

The answers are as good as you could possibly expect from questions as vague as those you asked.

For 5), I could add that it's useful to document intrusion attempts, if it ever becomes enough of a nuisance to warrant taking actions, or as an aid for creating special rules for apps where the documentation is wrong, incomplete or misleading.

For 4), the tools used most definitely depend on what you want reported, and why. Since that can vary from time to time, I prefer not to waste resources on running automated reports, but pull out the pertinent data on the fly, using standard Unix tools (sed/grep/awk/perl). Automated reports are only useful if someone actually reads them, compares them, understands them, *and* can act upon them. This hardly ever happens in RL. Well, sometimes reports can make mid-level mismanagement happy, as it creates extra paperwork to make them appear busy and productive.

Arthur Hagen
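
The on-the-fly approach described in the post above, as an added example that is not part of the original thread: an awk filter that summarises dropped packets per source from firewall syslog. The netfilter-style line format, the `FW-DROP:` prefix and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: netfilter (iptables LOG target) lines as they appear in syslog.
# "FW-DROP:" is an assumed --log-prefix; addresses are documentation ranges.
sample_log() {
cat <<'EOF'
Mar  3 02:11:07 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40112 DPT=22 SYN
Mar  3 02:11:08 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40113 DPT=23 SYN
Mar  3 02:11:09 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40114 DPT=3389 SYN
Mar  3 02:12:30 gw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51000 DPT=443 SYN
Mar  3 02:13:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=78 PROTO=UDP SPT=137 DPT=137
Mar  3 02:13:05 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=78 PROTO=UDP SPT=137 DPT=137
Mar  3 02:14:00 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
EOF
}

# Output per source: <dropped packets> <distinct targets> <source> <proto/port list>.
# Many distinct ports from one source suggests a scan; one repeated port suggests
# a misconfigured or undocumented application that may need its own rule.
dropped_by_source() {
  awk -v tag="${1:-FW-DROP:}" '
    index($0, " " tag " ") == 0 { next }   # keep only lines carrying the drop prefix
    {
      src = ""; proto = "-"; dpt = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)   src   = substr($i, 5)
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
        if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
      }
      if (src == "") next                  # malformed line: skip rather than miscount
      hits[src]++
      key = src SUBSEP proto "/" dpt
      if (!(key in seen)) {
        seen[key] = 1
        nports[src]++
        ports[src] = ports[src] (ports[src] == "" ? "" : ",") proto "/" dpt
      }
    }
    END { for (s in hits) printf "%d %d %s %s\n", hits[s], nports[s], s, ports[s] }
  ' | sort -k1,1nr -k3,3
}

sample_log | dropped_by_source
```

In practice the function would read the firewall's own syslog file on stdin, with the prefix passed as the first argument if it differs from the assumed one.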
