Forwarding to syslog - best practice

L1 Bithead


Currently we forward nearly all of the firewall's logs to our syslog server, but the amount of irrelevant minutiae is overwhelming the syslog server.

 

Is there a best practice for what information should be forwarded to syslog? I don't want to miss anything important, but I really want to eliminate the unimportant.

 

Thanks

L7 Applicator

Re: Forwarding to syslog - best practice

Hello,

Honestly, that is an "it depends" answer, as everyone has a different set of requirements and things they alert on. We also send everything to our SIEM, but so that it can be correlated with other logs and events. While some traffic may look benign, it could actually be malicious.

 

I know it's not a great answer, but we scaled our SIEM to handle everything at only 60% capacity.

 

Regards,

L7 Applicator

Re: Forwarding to syslog - best practice

@fmurray,

As @Otakar.Klier mentioned, this isn't something you could really make a best practice on, as nobody has the same requirements. Personally, I like having all of the logs we can get into the SIEM and find it cheaper to just upgrade the device to function under the required load.

However, if your SIEM isn't able to handle that load, you'll need to actually go through and determine the most important logs for your organization that you want to forward to your SIEM. That could mean that you only forward traffic for external access rules, or maybe access to your server infrastructure. That all depends on what your organizational needs are.

L6 Presenter

Re: Forwarding to syslog - best practice

@fmurray, FYI.

 

I have just about everything going to syslog, including GlobalProtect. This is our corp policy and to do with legal stuff.

 

We have logrotate that zips files up and deletes them after a required amount of time.

The information is quite overwhelming, but with various scripts you can pull out the information you require.

 

Very rarely use it for traffic reports, but every month reports are run for GlobalProtect activity.
