Fowarding to syslog- best practice

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Fowarding to syslog- best practice

L1 Bithead

Currently we forward nearly all of the firewall's logs to our syslog server, but the amount of irrelevant minutiae is over-whelming the syslog server.

 

Is there a best-practice for what information should be forwarded to syslog?  I don't want to miss anything important but I ready want to eliminate the un-important.

 

Thanks

3 REPLIES 3

Cyber Elite
Cyber Elite

Hello,

Honestly that is a 'it depends' answer as every one has a different set of requirements and thing sthey alert on. We also send everything to our SIEM but so that it can be correlated with other logs and events. While some traffic may look beging, it could actually be malicious.

 

I know its not a great answer, but we scalled out SIEM to handel everything at only 60% capacity.

 

Regards,

Cyber Elite
Cyber Elite

@fmurray,

As @OtakarKlier  mentioned this isn't something you could really make a best-practice on, as nobody has the same requirements. Personally, I like having all of the logs we can get into the SIEM and find it cheaper to just upgrade the device to function under the required load.

However, if your SIEM isn't able to handle that load you'll need to actually go through and determine the most important logs for your organization that you want to forward to your SIEM. That could mean that you only forward traffic for external access rules, or maybe access to your server infrastructure. That all depends on what your organizational needs are.  

L7 Applicator

@fmurray , FYI.

 

I have just about everything going to syslog, including Global Protect.  this is our corp policy and to do with legal stuff.

 

we have logrotate  that zips files up and deletes them after a required ammount of time.

the information is quite overwhelming but with various scripts you can pull out the information you require.

 

very rarely use it for traffic reports but every month reports are run for GlobalProtect activity.

 

 

 

  • 2365 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!